Diffstat (limited to 'secure/lib/libcrypto/man')
-rw-r--r--secure/lib/libcrypto/man/man3/ADMISSIONS.3120
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3192
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3140
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3107
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3106
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3114
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3120
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_STRING_length.3124
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_STRING_new.3108
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3158
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_TIME_set.3194
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3160
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_aux_cb.3304
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3210
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3171
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_item_new.3110
-rw-r--r--secure/lib/libcrypto/man/man3/ASN1_item_sign.3130
-rw-r--r--secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3183
-rw-r--r--secure/lib/libcrypto/man/man3/ASYNC_start_job.3233
-rw-r--r--secure/lib/libcrypto/man/man3/BF_encrypt.3130
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_ADDR.3175
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3146
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_connect.3144
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_ctrl.3192
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_base64.3178
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_buffer.3130
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_cipher.3128
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_md.3142
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_null.3110
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_prefix.3108
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3120
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_f_ssl.3210
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_find_type.3124
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_get_data.3120
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3114
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3158
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_meth_new.3240
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_new.3132
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_new_CMS.3120
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3102
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_printf.3102
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_push.3132
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_read.3148
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_accept.3211
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_bio.3152
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_connect.3192
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_core.3128
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_datagram.3227
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3280
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_fd.3120
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_file.3151
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_mem.3243
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_null.3110
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_s_socket.3108
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_sendmmsg.3272
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_set_callback.3187
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_should_retry.3162
-rw-r--r--secure/lib/libcrypto/man/man3/BIO_socket_wait.398
-rw-r--r--secure/lib/libcrypto/man/man3/BN_BLINDING_new.3158
-rw-r--r--secure/lib/libcrypto/man/man3/BN_CTX_new.3126
-rw-r--r--secure/lib/libcrypto/man/man3/BN_CTX_start.3112
-rw-r--r--secure/lib/libcrypto/man/man3/BN_add.3150
-rw-r--r--secure/lib/libcrypto/man/man3/BN_add_word.3100
-rw-r--r--secure/lib/libcrypto/man/man3/BN_bn2bin.3179
-rw-r--r--secure/lib/libcrypto/man/man3/BN_cmp.3112
-rw-r--r--secure/lib/libcrypto/man/man3/BN_copy.3118
-rw-r--r--secure/lib/libcrypto/man/man3/BN_generate_prime.3179
-rw-r--r--secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3100
-rw-r--r--secure/lib/libcrypto/man/man3/BN_mod_inverse.3111
-rw-r--r--secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3112
-rw-r--r--secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3112
-rw-r--r--secure/lib/libcrypto/man/man3/BN_new.3110
-rw-r--r--secure/lib/libcrypto/man/man3/BN_num_bytes.3112
-rw-r--r--secure/lib/libcrypto/man/man3/BN_rand.3132
-rw-r--r--secure/lib/libcrypto/man/man3/BN_security_bits.3110
-rw-r--r--secure/lib/libcrypto/man/man3/BN_set_bit.3105
-rw-r--r--secure/lib/libcrypto/man/man3/BN_swap.396
-rw-r--r--secure/lib/libcrypto/man/man3/BN_zero.3110
-rw-r--r--secure/lib/libcrypto/man/man3/BUF_MEM_new.3107
-rw-r--r--secure/lib/libcrypto/man/man3/CMAC_CTX.3168
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3133
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3112
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3131
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_add0_cert.3142
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3116
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_add1_signer.3141
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_compress.3126
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_data_create.3106
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_decrypt.3149
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_digest_create.3108
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_encrypt.3152
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_final.3124
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3134
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3112
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_get0_type.3118
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3112
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_sign.3168
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_sign_receipt.3106
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3260
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_uncompress.3108
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_verify.3192
-rw-r--r--secure/lib/libcrypto/man/man3/CMS_verify_receipt.3102
-rw-r--r--secure/lib/libcrypto/man/man3/COMP_CTX_new.3220
-rw-r--r--secure/lib/libcrypto/man/man3/CONF_modules_free.3102
-rw-r--r--secure/lib/libcrypto/man/man3/CONF_modules_load_file.3126
-rw-r--r--secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3225
-rw-r--r--secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3134
-rw-r--r--secure/lib/libcrypto/man/man3/CRYPTO_memcmp.398
-rw-r--r--secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3110
-rw-r--r--secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3130
-rw-r--r--secure/lib/libcrypto/man/man3/CTLOG_new.3132
-rw-r--r--secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3153
-rw-r--r--secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3292
-rw-r--r--secure/lib/libcrypto/man/man3/DES_random_key.3174
-rw-r--r--secure/lib/libcrypto/man/man3/DH_generate_key.3110
-rw-r--r--secure/lib/libcrypto/man/man3/DH_generate_parameters.3136
-rw-r--r--secure/lib/libcrypto/man/man3/DH_get0_pqg.3150
-rw-r--r--secure/lib/libcrypto/man/man3/DH_get_1024_160.3114
-rw-r--r--secure/lib/libcrypto/man/man3/DH_meth_new.3170
-rw-r--r--secure/lib/libcrypto/man/man3/DH_new.3114
-rw-r--r--secure/lib/libcrypto/man/man3/DH_new_by_nid.3110
-rw-r--r--secure/lib/libcrypto/man/man3/DH_set_method.3150
-rw-r--r--secure/lib/libcrypto/man/man3/DH_size.3102
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_SIG_new.3107
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_do_sign.3104
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_dup_DH.3112
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_generate_key.3108
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_generate_parameters.3136
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_get0_pqg.3136
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_meth_new.3178
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_new.3112
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_set_method.3146
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_sign.3116
-rw-r--r--secure/lib/libcrypto/man/man3/DSA_size.3104
-rw-r--r--secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3102
-rw-r--r--secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3115
-rw-r--r--secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3112
-rw-r--r--secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3105
-rw-r--r--secure/lib/libcrypto/man/man3/DTLSv1_listen.3157
-rw-r--r--secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3135
-rw-r--r--secure/lib/libcrypto/man/man3/ECDSA_sign.3160
-rw-r--r--secure/lib/libcrypto/man/man3/ECPKParameters_print.3104
-rw-r--r--secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3116
-rw-r--r--secure/lib/libcrypto/man/man3/EC_GROUP_copy.3172
-rw-r--r--secure/lib/libcrypto/man/man3/EC_GROUP_new.3160
-rw-r--r--secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EC_KEY_new.3204
-rw-r--r--secure/lib/libcrypto/man/man3/EC_POINT_add.3108
-rw-r--r--secure/lib/libcrypto/man/man3/EC_POINT_new.3164
-rw-r--r--secure/lib/libcrypto/man/man3/ENGINE_add.3369
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_GET_LIB.3114
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_clear_error.396
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_error_string.3110
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_get_error.3120
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3102
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_load_strings.3104
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_new.398
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_print_errors.3100
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_put_error.3138
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_remove_state.3104
-rw-r--r--secure/lib/libcrypto/man/man3/ERR_set_mark.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_BytesToKey.3130
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3104
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3122
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3187
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_DigestInit.3506
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3228
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3198
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_EncodeInit.3226
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_EncryptInit.31410
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_KDF.3253
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_KEM_free.3117
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3118
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3143
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_MAC.3344
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3153
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_OpenInit.3106
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3130
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3112
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3206
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3430
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3153
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3102
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3162
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3150
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3126
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3122
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3134
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3122
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_check.3129
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3112
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3167
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3130
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3112
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.398
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3180
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3112
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3177
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3166
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3108
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3108
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3138
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3145
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3108
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3162
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_new.3259
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3108
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3174
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3144
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3114
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3116
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3382
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3129
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3372
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3130
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_RAND.3341
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_SKEY.3205
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3203
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_SealInit.3124
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_SignInit.3137
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_VerifyInit.3127
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3156
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3118
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_bf_cbc.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_blake2b512.3121
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3112
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_chacha20.3124
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_des_cbc.3122
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_desx_cbc.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_idea_cbc.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_md2.3114
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_md4.3114
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_md5.3124
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_mdc2.3114
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3118
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_rc4.3126
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3120
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_ripemd160.3116
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_seed_cbc.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_set_default_properties.3131
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_sha1.3116
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_sha224.3118
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_sha3_224.3116
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_sm3.3116
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3110
-rw-r--r--secure/lib/libcrypto/man/man3/EVP_whirlpool.3114
-rw-r--r--secure/lib/libcrypto/man/man3/GENERAL_NAME.395
-rw-r--r--secure/lib/libcrypto/man/man3/HMAC.3162
-rw-r--r--secure/lib/libcrypto/man/man3/MD5.3148
-rw-r--r--secure/lib/libcrypto/man/man3/MDC2_Init.3120
-rw-r--r--secure/lib/libcrypto/man/man3/Makefile72
-rw-r--r--secure/lib/libcrypto/man/man3/NCONF_new_ex.3118
-rw-r--r--secure/lib/libcrypto/man/man3/OBJ_nid2obj.3182
-rw-r--r--secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3137
-rw-r--r--secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3125
-rw-r--r--secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3108
-rw-r--r--secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3164
-rw-r--r--secure/lib/libcrypto/man/man3/OCSP_response_status.3159
-rw-r--r--secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3136
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_Applink.398
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_FILE.3112
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3312
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3126
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_config.3118
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3104
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3108
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3108
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3352
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3201
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3112
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3104
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3104
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3138
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_malloc.3185
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3245
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3131
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3112
-rw-r--r--secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3107
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3156
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3106
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3170
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3684
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3118
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3267
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3180
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3167
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3145
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3173
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3114
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3277
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3122
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3145
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.398
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3198
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3136
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3136
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3112
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3136
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_DECODER.3131
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3157
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3142
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3114
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3119
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ENCODER.3127
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3153
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3140
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3118
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3139
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3126
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.390
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3594
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3294
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3135
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3286
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3144
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.394
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3136
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_ITEM.3104
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3142
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3106
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PARAM.3230
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3186
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3142
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3113
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3289
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.396
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3208
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3110
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3152
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3106
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3193
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3211
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3161
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3106
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3112
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_STORE_open.3188
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_sleep.396
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3220
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3102
-rw-r--r--secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3214
-rw-r--r--secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3102
-rw-r--r--secure/lib/libcrypto/man/man3/OpenSSL_version.3218
-rw-r--r--secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.398
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3110
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3116
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_read.3184
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_read_CMS.3128
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3294
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3114
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3102
-rw-r--r--secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3102
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3112
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3126
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3110
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3134
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.390
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3102
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3100
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_add_cert.3114
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3102
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.398
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_add_safe.3124
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_create.3182
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3104
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3152
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3102
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_init.3102
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3106
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3130
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_newpass.3116
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3106
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS12_parse.3118
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3144
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3117
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_decrypt.3104
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_encrypt.3144
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3104
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_sign.3158
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3146
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_type_is_other.396
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS7_verify.3148
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS8_encrypt.3104
-rw-r--r--secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3108
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_add.3122
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_bytes.3156
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_cleanup.3106
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_egd.3114
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_get0_primary.3155
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_load_file.3108
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3119
-rw-r--r--secure/lib/libcrypto/man/man3/RAND_set_rand_method.3126
-rw-r--r--secure/lib/libcrypto/man/man3/RC4_set_key.3122
-rw-r--r--secure/lib/libcrypto/man/man3/RIPEMD160_Init.3120
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_blinding_on.3110
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_check_key.3144
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_generate_key.3136
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_get0_key.3170
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_meth_new.3174
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_new.3112
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3155
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_print.3110
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_private_encrypt.3116
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_public_encrypt.3160
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_set_method.3178
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_sign.3110
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3116
-rw-r--r--secure/lib/libcrypto/man/man3/RSA_size.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SCT_new.3200
-rw-r--r--secure/lib/libcrypto/man/man3/SCT_print.3118
-rw-r--r--secure/lib/libcrypto/man/man3/SCT_validate.3150
-rw-r--r--secure/lib/libcrypto/man/man3/SHA256_Init.3142
-rw-r--r--secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3138
-rw-r--r--secure/lib/libcrypto/man/man3/SMIME_read_CMS.3130
-rw-r--r--secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3128
-rw-r--r--secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3130
-rw-r--r--secure/lib/libcrypto/man/man3/SMIME_write_CMS.3124
-rw-r--r--secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3122
-rw-r--r--secure/lib/libcrypto/man/man3/SRP_Calc_B.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SRP_VBASE_new.3126
-rw-r--r--secure/lib/libcrypto/man/man3/SRP_create_verifier.3136
-rw-r--r--secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3108
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3192
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3136
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3108
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3609
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3142
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3110
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_config.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.398
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3243
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3124
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_free.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3102
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.396
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3153
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_new.3166
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3170
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3203
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3403
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3136
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3126
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3171
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3122
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3142
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3140
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3141
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3150
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3164
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3160
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3149
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3198
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3123
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3403
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3166
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3126
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3121
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3143
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3168
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3146
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3154
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3141
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3172
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3132
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3144
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3134
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3156
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3188
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3160
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.398
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3204
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3167
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3154
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_free.3134
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3108
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3118
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.396
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3146
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_print.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3102
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_accept.3134
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_accept_stream.3134
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_alert_type_string.3265
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3103
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_check_chain.3134
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_clear.3123
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_connect.3144
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_do_handshake.3132
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_export_keying_material.3110
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_extension_supported.3172
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_free.3138
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get0_connection.3107
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get0_group_name.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3149
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3102
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.395
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3122
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_certificate.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_ciphers.3128
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_client_random.3132
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3215
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3110
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3100
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_error.3220
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3131
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_extms_support.396
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_fd.3102
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3114
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3117
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3141
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3102
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3112
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_rbio.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3143
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_session.3134
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3116
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_stream_id.3154
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3203
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_value_uint.3371
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_verify_result.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_get_version.3179
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_group_to_name.3110
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_handle_events.3147
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_in_init.3122
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3108
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_key_update.3154
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_library_init.3108
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3132
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_new.3137
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_new_domain.3153
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_new_listener.3265
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_new_stream.3153
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_pending.3108
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_poll.3421
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_read.3160
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_read_early_data.3199
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_rstate_string.3130
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_session_reused.3102
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set1_host.3180
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3114
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3245
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_async_callback.3138
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_bio.3135
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3128
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_connect_state.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3173
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_fd.3122
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3141
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3238
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3104
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_session.3120
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3123
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_shutdown.3130
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_set_verify_result.398
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_shutdown.3575
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_state_string.3106
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_stream_conclude.3113
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_stream_reset.3131
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_want.3147
-rw-r--r--secure/lib/libcrypto/man/man3/SSL_write.3210
-rw-r--r--secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3109
-rw-r--r--secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3211
-rw-r--r--secure/lib/libcrypto/man/man3/TS_VERIFY_CTX_set_certs.3190
-rw-r--r--secure/lib/libcrypto/man/man3/UI_STRING.3164
-rw-r--r--secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3110
-rw-r--r--secure/lib/libcrypto/man/man3/UI_create_method.3140
-rw-r--r--secure/lib/libcrypto/man/man3/UI_new.3190
-rw-r--r--secure/lib/libcrypto/man/man3/X509V3_get_d2i.3178
-rw-r--r--secure/lib/libcrypto/man/man3/X509V3_set_ctx.3136
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3120
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3120
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3168
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3113
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3159
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3132
-rw-r--r--secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3321
-rw-r--r--secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3116
-rw-r--r--secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3112
-rw-r--r--secure/lib/libcrypto/man/man3/X509_LOOKUP.3154
-rw-r--r--secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3128
-rw-r--r--secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3104
-rw-r--r--secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3114
-rw-r--r--secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3124
-rw-r--r--secure/lib/libcrypto/man/man3/X509_NAME_get0_der.396
-rw-r--r--secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3116
-rw-r--r--secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3154
-rw-r--r--secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3182
-rw-r--r--secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3164
-rw-r--r--secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3107
-rw-r--r--secure/lib/libcrypto/man/man3/X509_SIG_get0.396
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3105
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3226
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3220
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3132
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3146
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3130
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_new.3111
-rw-r--r--secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3152
-rw-r--r--secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3217
-rw-r--r--secure/lib/libcrypto/man/man3/X509_add_cert.3105
-rw-r--r--secure/lib/libcrypto/man/man3/X509_check_ca.3106
-rw-r--r--secure/lib/libcrypto/man/man3/X509_check_host.3184
-rw-r--r--secure/lib/libcrypto/man/man3/X509_check_issued.398
-rw-r--r--secure/lib/libcrypto/man/man3/X509_check_private_key.3116
-rw-r--r--secure/lib/libcrypto/man/man3/X509_check_purpose.3219
-rw-r--r--secure/lib/libcrypto/man/man3/X509_cmp.3121
-rw-r--r--secure/lib/libcrypto/man/man3/X509_cmp_time.3134
-rw-r--r--secure/lib/libcrypto/man/man3/X509_digest.3118
-rw-r--r--secure/lib/libcrypto/man/man3/X509_dup.3358
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3114
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get0_notBefore.3154
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get0_signature.3140
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get0_uids.3122
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3139
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get_extension_flags.3176
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get_pubkey.3108
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get_serialNumber.3128
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get_subject_name.3134
-rw-r--r--secure/lib/libcrypto/man/man3/X509_get_version.3123
-rw-r--r--secure/lib/libcrypto/man/man3/X509_load_http.3111
-rw-r--r--secure/lib/libcrypto/man/man3/X509_new.3132
-rw-r--r--secure/lib/libcrypto/man/man3/X509_sign.3118
-rw-r--r--secure/lib/libcrypto/man/man3/X509_verify.3114
-rw-r--r--secure/lib/libcrypto/man/man3/X509_verify_cert.3125
-rw-r--r--secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3141
-rw-r--r--secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3106
-rw-r--r--secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3112
-rw-r--r--secure/lib/libcrypto/man/man3/d2i_PrivateKey.3122
-rw-r--r--secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3226
-rw-r--r--secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3125
-rw-r--r--secure/lib/libcrypto/man/man3/d2i_X509.3388
-rw-r--r--secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3106
-rw-r--r--secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3106
-rw-r--r--secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3110
-rw-r--r--secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3104
-rw-r--r--secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3134
-rw-r--r--secure/lib/libcrypto/man/man5/config.5257
-rw-r--r--secure/lib/libcrypto/man/man5/fips_config.5236
-rw-r--r--secure/lib/libcrypto/man/man5/x509v3_config.5235
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7216
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7114
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7190
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7140
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7120
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7130
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7120
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7110
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7173
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7120
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7139
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7130
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7115
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7120
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7120
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7139
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7236
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7211
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7117
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-KB.7228
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7154
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7150
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7172
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7158
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7118
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7175
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-SS.7204
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7223
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7233
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7194
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7225
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7106
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KDF-X963.7176
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEM-EC.7128
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7108
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7141
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7127
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7176
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7179
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7124
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7172
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7165
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7144
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7183
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7186
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7131
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7135
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7134
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.796
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-MD2.7100
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-MD4.7100
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7115
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-MD5.7100
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7111
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-NULL.7101
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7106
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7117
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7135
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7122
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7181
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-SM3.7100
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7100
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_MD-common.7125
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7322
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7176
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7356
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7307
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7164
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7349
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7367
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7419
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7196
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7144
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7170
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7120
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7199
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7224
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7230
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7153
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7130
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7198
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_RAND.7274
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7185
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7175
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7215
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7108
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7180
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7285
-rw-r--r--secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7176
-rw-r--r--secure/lib/libcrypto/man/man7/Makefile36
-rw-r--r--secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7652
-rw-r--r--secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7306
-rw-r--r--secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7534
-rw-r--r--secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7144
-rw-r--r--secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.798
-rw-r--r--secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7123
-rw-r--r--secure/lib/libcrypto/man/man7/RAND.7141
-rw-r--r--secure/lib/libcrypto/man/man7/RSA-PSS.7120
-rw-r--r--secure/lib/libcrypto/man/man7/X25519.7106
-rw-r--r--secure/lib/libcrypto/man/man7/bio.7165
-rw-r--r--secure/lib/libcrypto/man/man7/crypto.7687
-rw-r--r--secure/lib/libcrypto/man/man7/ct.7112
-rw-r--r--secure/lib/libcrypto/man/man7/des_modes.7202
-rw-r--r--secure/lib/libcrypto/man/man7/evp.7143
-rw-r--r--secure/lib/libcrypto/man/man7/fips_module.7394
-rw-r--r--secure/lib/libcrypto/man/man7/life_cycle-cipher.7124
-rw-r--r--secure/lib/libcrypto/man/man7/life_cycle-digest.7225
-rw-r--r--secure/lib/libcrypto/man/man7/life_cycle-kdf.7122
-rw-r--r--secure/lib/libcrypto/man/man7/life_cycle-mac.7130
-rw-r--r--secure/lib/libcrypto/man/man7/life_cycle-pkey.7150
-rw-r--r--secure/lib/libcrypto/man/man7/life_cycle-rand.7126
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-core.h.7110
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7104
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-core_names.h.7106
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-env.7231
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-glossary.7186
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-qlog.7274
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7316
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-quic.7777
-rw-r--r--secure/lib/libcrypto/man/man7/openssl-threads.7134
-rw-r--r--secure/lib/libcrypto/man/man7/openssl_user_macros.7112
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-introduction.7160
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7443
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7372
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7160
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-migration.7 (renamed from secure/lib/libcrypto/man/man7/migration_guide.7)1504
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7461
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7528
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7232
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7453
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7355
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7447
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7652
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7435
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7376
-rw-r--r--secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7405
-rw-r--r--secure/lib/libcrypto/man/man7/ossl_store-file.7122
-rw-r--r--secure/lib/libcrypto/man/man7/ossl_store.7139
-rw-r--r--secure/lib/libcrypto/man/man7/passphrase-encoding.7178
-rw-r--r--secure/lib/libcrypto/man/man7/property.7152
-rw-r--r--secure/lib/libcrypto/man/man7/provider-asym_cipher.7247
-rw-r--r--secure/lib/libcrypto/man/man7/provider-base.7531
-rw-r--r--secure/lib/libcrypto/man/man7/provider-cipher.7263
-rw-r--r--secure/lib/libcrypto/man/man7/provider-decoder.7220
-rw-r--r--secure/lib/libcrypto/man/man7/provider-digest.7226
-rw-r--r--secure/lib/libcrypto/man/man7/provider-encoder.7222
-rw-r--r--secure/lib/libcrypto/man/man7/provider-kdf.7402
-rw-r--r--secure/lib/libcrypto/man/man7/provider-kem.7221
-rw-r--r--secure/lib/libcrypto/man/man7/provider-keyexch.7206
-rw-r--r--secure/lib/libcrypto/man/man7/provider-keymgmt.7328
-rw-r--r--secure/lib/libcrypto/man/man7/provider-mac.7224
-rw-r--r--secure/lib/libcrypto/man/man7/provider-object.7182
-rw-r--r--secure/lib/libcrypto/man/man7/provider-rand.7284
-rw-r--r--secure/lib/libcrypto/man/man7/provider-signature.7456
-rw-r--r--secure/lib/libcrypto/man/man7/provider-skeymgmt.7232
-rw-r--r--secure/lib/libcrypto/man/man7/provider-storemgmt.7227
-rw-r--r--secure/lib/libcrypto/man/man7/provider.7215
-rw-r--r--secure/lib/libcrypto/man/man7/proxy-certificates.7142
-rw-r--r--secure/lib/libcrypto/man/man7/ssl.7227
-rw-r--r--secure/lib/libcrypto/man/man7/x509.7118
837 files changed, 53161 insertions, 81767 deletions
diff --git a/secure/lib/libcrypto/man/man3/ADMISSIONS.3 b/secure/lib/libcrypto/man/man3/ADMISSIONS.3
index 1c20e00e6b67..2403a9b885af 100644
--- a/secure/lib/libcrypto/man/man3/ADMISSIONS.3
+++ b/secure/lib/libcrypto/man/man3/ADMISSIONS.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ADMISSIONS 3ossl"
-.TH ADMISSIONS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ADMISSIONS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ADMISSIONS,
ADMISSIONS_get0_admissionAuthority,
ADMISSIONS_get0_namingAuthority,
@@ -169,7 +93,7 @@ PROFESSION_INFO_set0_professionItems,
PROFESSION_INFO_set0_professionOIDs,
PROFESSION_INFO_set0_registrationNumber
\&\- Accessors and settors for ADMISSION_SYNTAX
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 5
\& typedef struct NamingAuthority_st NAMING_AUTHORITY;
@@ -228,23 +152,23 @@ PROFESSION_INFO_set0_registrationNumber
\& void PROFESSION_INFO_set0_registrationNumber(
\& PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1PROFESSION_INFOS\s0\fR, \fB\s-1ADMISSION_SYNTAX\s0\fR, \fB\s-1ADMISSIONS\s0\fR, and
-\&\fB\s-1PROFESSION_INFO\s0\fR types are opaque structures representing the
-analogous types defined in the Common \s-1PKI\s0 Specification published
+The \fBPROFESSION_INFOS\fR, \fBADMISSION_SYNTAX\fR, \fBADMISSIONS\fR, and
+\&\fBPROFESSION_INFO\fR types are opaque structures representing the
+analogous types defined in the Common PKI Specification published
by <https://www.t7ev.org>.
Knowledge of those structures and their semantics is assumed.
.PP
-The conventional routines to convert between \s-1DER\s0 and the local format
+The conventional routines to convert between DER and the local format
are described in \fBd2i_X509\fR\|(3).
The conventional routines to allocate and free the types are defined
in \fBX509_dup\fR\|(3).
.PP
-The \fB\s-1PROFESSION_INFOS\s0\fR type is a stack of \fB\s-1PROFESSION_INFO\s0\fR; see
-\&\s-1\fBDEFINE_STACK_OF\s0\fR\|(3) for details.
+The \fBPROFESSION_INFOS\fR type is a stack of \fBPROFESSION_INFO\fR; see
+\&\fBDEFINE_STACK_OF\fR\|(3) for details.
.PP
-The \fB\s-1NAMING_AUTHORITY\s0\fR type has an authority \s-1ID\s0 and \s-1URL,\s0 and text fields.
+The \fBNAMING_AUTHORITY\fR type has an authority ID and URL, and text fields.
The \fBNAMING_AUTHORITY_get0_authorityId()\fR,
\&\fBNAMING_AUTHORITY_get0_get0_authorityURL()\fR, and
\&\fBNAMING_AUTHORITY_get0_get0_authorityText()\fR, functions return pointers
@@ -254,8 +178,8 @@ The \fBNAMING_AUTHORITY_set0_authorityId()\fR,
\&\fBNAMING_AUTHORITY_set0_get0_authorityText()\fR,
functions free any existing value and set the pointer to the specified value.
.PP
-The \fB\s-1ADMISSION_SYNTAX\s0\fR type has an authority name and a stack of
-\&\fB\s-1ADMISSION\s0\fR objects.
+The \fBADMISSION_SYNTAX\fR type has an authority name and a stack of
+\&\fBADMISSION\fR objects.
The \fBADMISSION_SYNTAX_get0_admissionAuthority()\fR
and \fBADMISSION_SYNTAX_get0_contentsOfAdmissions()\fR functions return pointers
to those values within the object.
@@ -264,8 +188,8 @@ The
\&\fBADMISSION_SYNTAX_set0_contentsOfAdmissions()\fR
functions free any existing value and set the pointer to the specified value.
.PP
-The \fB\s-1ADMISSION\s0\fR type has an authority name, authority object, and a
-stack of \fB\s-1PROFESSION_INFO\s0\fR items.
+The \fBADMISSION\fR type has an authority name, authority object, and a
+stack of \fBPROFESSION_INFO\fR items.
The \fBADMISSIONS_get0_admissionAuthority()\fR, \fBADMISSIONS_get0_namingAuthority()\fR,
and \fBADMISSIONS_get0_professionInfos()\fR
functions return pointers to those values within the object.
@@ -275,7 +199,7 @@ The
\&\fBADMISSIONS_set0_professionInfos()\fR
functions free any existing value and set the pointer to the specified value.
.PP
-The \fB\s-1PROFESSION_INFO\s0\fR type has a name authority, stacks of
+The \fBPROFESSION_INFO\fR type has a name authority, stacks of
profession Items and OIDs, a registration number, and additional
profession info.
The functions \fBPROFESSION_INFO_get0_addProfessionInfo()\fR,
@@ -299,11 +223,11 @@ structure and must not be freed.
.IX Header "SEE ALSO"
\&\fBX509_dup\fR\|(3),
\&\fBd2i_X509\fR\|(3),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3 b/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3
index b78e25eafad1..0e7c3ac0dd0a 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_EXTERN_FUNCS.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_EXTERN_FUNCS 3ossl"
-.TH ASN1_EXTERN_FUNCS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_EXTERN_FUNCS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_EXTERN_FUNCS, ASN1_ex_d2i, ASN1_ex_d2i_ex, ASN1_ex_i2d, ASN1_ex_new_func,
ASN1_ex_new_ex_func, ASN1_ex_free_func, ASN1_ex_print_func,
IMPLEMENT_EXTERN_ASN1
\&\- ASN.1 external function support
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1t.h>
@@ -178,120 +102,120 @@ IMPLEMENT_EXTERN_ASN1
\&
\& #define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs)
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1ASN.1\s0 data structures templates are typically defined in OpenSSL using a series
-of macros such as \s-1\fBASN1_SEQUENCE\s0()\fR, \s-1\fBASN1_SEQUENCE_END\s0()\fR and so on. Instead
+ASN.1 data structures templates are typically defined in OpenSSL using a series
+of macros such as \fBASN1_SEQUENCE()\fR, \fBASN1_SEQUENCE_END()\fR and so on. Instead
templates can also be defined based entirely on external functions. These
external functions are called to perform operations such as creating a new
-\&\fB\s-1ASN1_VALUE\s0\fR or converting an \fB\s-1ASN1_VALUE\s0\fR to or from \s-1DER\s0 encoding.
+\&\fBASN1_VALUE\fR or converting an \fBASN1_VALUE\fR to or from DER encoding.
.PP
-The macro \s-1\fBIMPLEMENT_EXTERN_ASN1\s0()\fR can be used to create such an externally
+The macro \fBIMPLEMENT_EXTERN_ASN1()\fR can be used to create such an externally
defined structure. The name of the structure should be supplied in the \fIsname\fR
parameter. The tag for the structure (e.g. typically \fBV_ASN1_SEQUENCE\fR) should
be supplied in the \fItag\fR parameter. Finally a pointer to an
-\&\fB\s-1ASN1_EXTERN_FUNCS\s0\fR structure should be supplied in the \fIfptrs\fR parameter.
+\&\fBASN1_EXTERN_FUNCS\fR structure should be supplied in the \fIfptrs\fR parameter.
.PP
-The \fB\s-1ASN1_EXTERN_FUNCS\s0\fR structure has the following entries.
-.IP "\fIapp_data\fR" 4
+The \fBASN1_EXTERN_FUNCS\fR structure has the following entries.
+.IP \fIapp_data\fR 4
.IX Item "app_data"
A pointer to arbitrary application specific data.
-.IP "\fIasn1_ex_new\fR" 4
+.IP \fIasn1_ex_new\fR 4
.IX Item "asn1_ex_new"
-A \*(L"new\*(R" function responsible for constructing a new \fB\s-1ASN1_VALUE\s0\fR object. The
+A "new" function responsible for constructing a new \fBASN1_VALUE\fR object. The
newly constructed value should be stored in \fI*pval\fR. The \fIit\fR parameter is a
-pointer to the \fB\s-1ASN1_ITEM\s0\fR template object created via the
-\&\s-1\fBIMPLEMENT_EXTERN_ASN1\s0()\fR macro.
+pointer to the \fBASN1_ITEM\fR template object created via the
+\&\fBIMPLEMENT_EXTERN_ASN1()\fR macro.
.Sp
Returns a positive value on success or 0 on error.
-.IP "\fIasn1_ex_free\fR" 4
+.IP \fIasn1_ex_free\fR 4
.IX Item "asn1_ex_free"
-A \*(L"free\*(R" function responsible for freeing the \fB\s-1ASN1_VALUE\s0\fR passed in \fI*pval\fR
-that was previously allocated via a \*(L"new\*(R" function. The \fIit\fR parameter is a
-pointer to the \fB\s-1ASN1_ITEM\s0\fR template object created via the
-\&\s-1\fBIMPLEMENT_EXTERN_ASN1\s0()\fR macro.
-.IP "\fIasn1_ex_clear\fR" 4
+A "free" function responsible for freeing the \fBASN1_VALUE\fR passed in \fI*pval\fR
+that was previously allocated via a "new" function. The \fIit\fR parameter is a
+pointer to the \fBASN1_ITEM\fR template object created via the
+\&\fBIMPLEMENT_EXTERN_ASN1()\fR macro.
+.IP \fIasn1_ex_clear\fR 4
.IX Item "asn1_ex_clear"
-A \*(L"clear\*(R" function responsible for clearing any data in the \fB\s-1ASN1_VALUE\s0\fR passed
+A "clear" function responsible for clearing any data in the \fBASN1_VALUE\fR passed
in \fI*pval\fR and making it suitable for reuse. The \fIit\fR parameter is a pointer
-to the \fB\s-1ASN1_ITEM\s0\fR template object created via the \s-1\fBIMPLEMENT_EXTERN_ASN1\s0()\fR
+to the \fBASN1_ITEM\fR template object created via the \fBIMPLEMENT_EXTERN_ASN1()\fR
macro.
-.IP "\fIasn1_ex_d2i\fR" 4
+.IP \fIasn1_ex_d2i\fR 4
.IX Item "asn1_ex_d2i"
-A \*(L"d2i\*(R" function responsible for converting \s-1DER\s0 data with the tag \fItag\fR and
-class \fIclass\fR into an \fB\s-1ASN1_VALUE\s0\fR. If \fI*pval\fR is non-NULL then the
-\&\fB\s-1ASN_VALUE\s0\fR it points to should be reused. Otherwise a new \fB\s-1ASN1_VALUE\s0\fR
-should be allocated and stored in \fI*pval\fR. \fI*in\fR points to the \s-1DER\s0 data to be
+A "d2i" function responsible for converting DER data with the tag \fItag\fR and
+class \fIclass\fR into an \fBASN1_VALUE\fR. If \fI*pval\fR is non-NULL then the
+\&\fBASN_VALUE\fR it points to should be reused. Otherwise a new \fBASN1_VALUE\fR
+should be allocated and stored in \fI*pval\fR. \fI*in\fR points to the DER data to be
decoded and \fIlen\fR is the length of that data. After decoding \fI*in\fR should be
-updated to point at the next byte after the decoded data. If the \fB\s-1ASN1_VALUE\s0\fR
+updated to point at the next byte after the decoded data. If the \fBASN1_VALUE\fR
is considered optional in this context then \fIopt\fR will be nonzero. Otherwise
-it will be zero. The \fIit\fR parameter is a pointer to the \fB\s-1ASN1_ITEM\s0\fR template
-object created via the \s-1\fBIMPLEMENT_EXTERN_ASN1\s0()\fR macro. A pointer to the current
-\&\fB\s-1ASN1_TLC\s0\fR context (which may be required for other \s-1ASN1\s0 function calls) is
+it will be zero. The \fIit\fR parameter is a pointer to the \fBASN1_ITEM\fR template
+object created via the \fBIMPLEMENT_EXTERN_ASN1()\fR macro. A pointer to the current
+\&\fBASN1_TLC\fR context (which may be required for other ASN1 function calls) is
passed in the \fIctx\fR parameter.
.Sp
-The \fIasn1_ex_d2i\fR entry may be \s-1NULL\s0 if \fIasn1_ex_d2i_ex\fR has been specified
+The \fIasn1_ex_d2i\fR entry may be NULL if \fIasn1_ex_d2i_ex\fR has been specified
instead.
.Sp
Returns <= 0 on error or a positive value on success.
-.IP "\fIasn1_ex_i2d\fR" 4
+.IP \fIasn1_ex_i2d\fR 4
.IX Item "asn1_ex_i2d"
-An \*(L"i2d\*(R" function responsible for converting an \fB\s-1ASN1_VALUE\s0\fR into \s-1DER\s0 encoding.
-On entry \fI*pval\fR will contain the \fB\s-1ASN1_VALUE\s0\fR to be encoded. If default
+An "i2d" function responsible for converting an \fBASN1_VALUE\fR into DER encoding.
+On entry \fI*pval\fR will contain the \fBASN1_VALUE\fR to be encoded. If default
tagging is to be used then \fItag\fR will be \-1 on entry. Otherwise if implicit
tagging should be used then \fItag\fR and \fIaclass\fR will be the tag and associated
class.
.Sp
-If \fIout\fR is not \s-1NULL\s0 then this function should write the \s-1DER\s0 encoded data to
+If \fIout\fR is not NULL then this function should write the DER encoded data to
the buffer in \fI*out\fR, and then increment \fI*out\fR to point to immediately after
the data just written.
.Sp
-If \fIout\fR is \s-1NULL\s0 then no data should be written but the length calculated and
+If \fIout\fR is NULL then no data should be written but the length calculated and
returned as if it were.
.Sp
-The \fIasn1_ex_i2d\fR entry may be \s-1NULL\s0 if \fIasn1_ex_i2d_ex\fR has been specified
+The \fIasn1_ex_i2d\fR entry may be NULL if \fIasn1_ex_i2d_ex\fR has been specified
instead.
.Sp
The return value should be negative if a fatal error occurred, or 0 if a
non-fatal error occurred. Otherwise it should return the length of the encoded
data.
-.IP "\fIasn1_ex_print\fR" 4
+.IP \fIasn1_ex_print\fR 4
.IX Item "asn1_ex_print"
-A \*(L"print\*(R" function. \fIout\fR is the \s-1BIO\s0 to print the output to. \fI*pval\fR is the
-\&\fB\s-1ASN1_VALUE\s0\fR to be printed. \fIindent\fR is the number of spaces of indenting to
+A "print" function. \fIout\fR is the BIO to print the output to. \fI*pval\fR is the
+\&\fBASN1_VALUE\fR to be printed. \fIindent\fR is the number of spaces of indenting to
be printed before any data is printed. \fIfname\fR is currently unused and is
-always "". \fIpctx\fR is a pointer to the \fB\s-1ASN1_PCTX\s0\fR for the print operation.
+always "". \fIpctx\fR is a pointer to the \fBASN1_PCTX\fR for the print operation.
.Sp
Returns 0 on error or a positive value on success. If the return value is 2 then
an additional newline will be printed after the data printed by this function.
-.IP "\fIasn1_ex_new_ex\fR" 4
+.IP \fIasn1_ex_new_ex\fR 4
.IX Item "asn1_ex_new_ex"
This is the same as \fIasn1_ex_new\fR except that it is additionally passed the
-\&\s-1OSSL_LIB_CTX\s0 to be used in \fIlibctx\fR and any property query string to be used
+OSSL_LIB_CTX to be used in \fIlibctx\fR and any property query string to be used
for algorithm fetching in the \fIpropq\fR parameter. See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further details. If \fIasn1_ex_new_ex\fR is
-non \s-1NULL,\s0 then it will always be called in preference to \fIasn1_ex_new\fR.
-.IP "\fIasn1_ex_d2i_ex\fR" 4
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further details. If \fIasn1_ex_new_ex\fR is
+non NULL, then it will always be called in preference to \fIasn1_ex_new\fR.
+.IP \fIasn1_ex_d2i_ex\fR 4
.IX Item "asn1_ex_d2i_ex"
This is the same as \fIasn1_ex_d2i\fR except that it is additionally passed the
-\&\s-1OSSL_LIB_CTX\s0 to be used in \fIlibctx\fR and any property query string to be used
+OSSL_LIB_CTX to be used in \fIlibctx\fR and any property query string to be used
for algorithm fetching in the \fIpropq\fR parameter. See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further details. If \fIasn1_ex_d2i_ex\fR is
-non \s-1NULL,\s0 then it will always be called in preference to \fIasn1_ex_d2i\fR.
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further details. If \fIasn1_ex_d2i_ex\fR is
+non NULL, then it will always be called in preference to \fIasn1_ex_d2i\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Return values for the various callbacks are as described above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBASN1_item_new_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fIasn1_ex_new_ex\fR and \fIasn1_ex_d2i_ex\fR callbacks were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3
index 8f57a9bd7b53..9b3081be9d1b 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_INTEGER_GET_INT64 3ossl"
-.TH ASN1_INTEGER_GET_INT64 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_INTEGER_GET_INT64 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_INTEGER_get_uint64, ASN1_INTEGER_set_uint64,
ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_set, BN_to_ASN1_INTEGER, ASN1_INTEGER_to_BN, ASN1_ENUMERATED_get_int64, ASN1_ENUMERATED_get, ASN1_ENUMERATED_set_int64, ASN1_ENUMERATED_set, BN_to_ASN1_ENUMERATED, ASN1_ENUMERATED_to_BN
\&\- ASN.1 INTEGER and ENUMERATED utilities
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -166,12 +90,12 @@ ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_s
\& ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai);
\& BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions convert to and from \fB\s-1ASN1_INTEGER\s0\fR and \fB\s-1ASN1_ENUMERATED\s0\fR
+These functions convert to and from \fBASN1_INTEGER\fR and \fBASN1_ENUMERATED\fR
structures.
.PP
-\&\fBASN1_INTEGER_get_int64()\fR converts an \fB\s-1ASN1_INTEGER\s0\fR into an \fBint64_t\fR type
+\&\fBASN1_INTEGER_get_int64()\fR converts an \fBASN1_INTEGER\fR into an \fBint64_t\fR type
If successful it returns 1 and sets \fI*pr\fR to the value of \fIa\fR. If it fails
(due to invalid type or the value being too big to fit into an \fBint64_t\fR type)
it returns 0.
@@ -181,44 +105,44 @@ converts to a \fBuint64_t\fR type and an error is returned if the passed integer
is negative.
.PP
\&\fBASN1_INTEGER_get()\fR also returns the value of \fIa\fR but it returns 0 if \fIa\fR is
-\&\s-1NULL\s0 and \-1 on error (which is ambiguous because \-1 is a legitimate value for
-an \fB\s-1ASN1_INTEGER\s0\fR). New applications should use \fBASN1_INTEGER_get_int64()\fR
+NULL and \-1 on error (which is ambiguous because \-1 is a legitimate value for
+an \fBASN1_INTEGER\fR). New applications should use \fBASN1_INTEGER_get_int64()\fR
instead.
.PP
-\&\fBASN1_INTEGER_set_int64()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fIa\fR to the
+\&\fBASN1_INTEGER_set_int64()\fR sets the value of \fBASN1_INTEGER\fR \fIa\fR to the
\&\fBint64_t\fR value \fIr\fR.
.PP
-\&\fBASN1_INTEGER_set_uint64()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fIa\fR to the
+\&\fBASN1_INTEGER_set_uint64()\fR sets the value of \fBASN1_INTEGER\fR \fIa\fR to the
\&\fBuint64_t\fR value \fIr\fR.
.PP
-\&\fBASN1_INTEGER_set()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fIa\fR to the \fIlong\fR value
+\&\fBASN1_INTEGER_set()\fR sets the value of \fBASN1_INTEGER\fR \fIa\fR to the \fIlong\fR value
\&\fIv\fR.
.PP
-\&\fBBN_to_ASN1_INTEGER()\fR converts \fB\s-1BIGNUM\s0\fR \fIbn\fR to an \fB\s-1ASN1_INTEGER\s0\fR. If \fIai\fR
-is \s-1NULL\s0 a new \fB\s-1ASN1_INTEGER\s0\fR structure is returned. If \fIai\fR is not \s-1NULL\s0 then
+\&\fBBN_to_ASN1_INTEGER()\fR converts \fBBIGNUM\fR \fIbn\fR to an \fBASN1_INTEGER\fR. If \fIai\fR
+is NULL a new \fBASN1_INTEGER\fR structure is returned. If \fIai\fR is not NULL then
the existing structure will be used instead.
.PP
-\&\fBASN1_INTEGER_to_BN()\fR converts \s-1ASN1_INTEGER\s0 \fIai\fR into a \fB\s-1BIGNUM\s0\fR. If \fIbn\fR is
-\&\s-1NULL\s0 a new \fB\s-1BIGNUM\s0\fR structure is returned. If \fIbn\fR is not \s-1NULL\s0 then the
+\&\fBASN1_INTEGER_to_BN()\fR converts ASN1_INTEGER \fIai\fR into a \fBBIGNUM\fR. If \fIbn\fR is
+NULL a new \fBBIGNUM\fR structure is returned. If \fIbn\fR is not NULL then the
existing structure will be used instead.
.PP
\&\fBASN1_ENUMERATED_get_int64()\fR, \fBASN1_ENUMERATED_set_int64()\fR,
\&\fBASN1_ENUMERATED_set()\fR, \fBBN_to_ASN1_ENUMERATED()\fR and \fBASN1_ENUMERATED_to_BN()\fR
-behave in an identical way to their \s-1ASN1_INTEGER\s0 counterparts except they
-operate on an \fB\s-1ASN1_ENUMERATED\s0\fR value.
+behave in an identical way to their ASN1_INTEGER counterparts except they
+operate on an \fBASN1_ENUMERATED\fR value.
.PP
\&\fBASN1_ENUMERATED_get()\fR returns the value of \fIa\fR in a similar way to
\&\fBASN1_INTEGER_get()\fR but it returns \fB0xffffffffL\fR if the value of \fIa\fR will not
fit in a long type. New applications should use \fBASN1_ENUMERATED_get_int64()\fR
instead.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-In general an \fB\s-1ASN1_INTEGER\s0\fR or \fB\s-1ASN1_ENUMERATED\s0\fR type can contain an
+In general an \fBASN1_INTEGER\fR or \fBASN1_ENUMERATED\fR type can contain an
integer of almost arbitrary size and so cannot always be represented by a C
\&\fBint64_t\fR type. However, in many cases (for example version numbers) they
represent small integers which can be more easily manipulated if converted to
an appropriate C integer type.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The ambiguous return values of \fBASN1_INTEGER_get()\fR and \fBASN1_ENUMERATED_get()\fR
mean these functions should be avoided if possible. They are retained for
@@ -235,26 +159,26 @@ and 0 for failure. They will fail if the passed type is incorrect (this will
only happen if there is a programming error) or if the value exceeds the range
of an \fBint64_t\fR type.
.PP
-\&\fBBN_to_ASN1_INTEGER()\fR and \fBBN_to_ASN1_ENUMERATED()\fR return an \fB\s-1ASN1_INTEGER\s0\fR or
-\&\fB\s-1ASN1_ENUMERATED\s0\fR structure respectively or \s-1NULL\s0 if an error occurs. They will
+\&\fBBN_to_ASN1_INTEGER()\fR and \fBBN_to_ASN1_ENUMERATED()\fR return an \fBASN1_INTEGER\fR or
+\&\fBASN1_ENUMERATED\fR structure respectively or NULL if an error occurs. They will
only fail due to a memory allocation error.
.PP
-\&\fBASN1_INTEGER_to_BN()\fR and \fBASN1_ENUMERATED_to_BN()\fR return a \fB\s-1BIGNUM\s0\fR structure
-of \s-1NULL\s0 if an error occurs. They can fail if the passed type is incorrect
+\&\fBASN1_INTEGER_to_BN()\fR and \fBASN1_ENUMERATED_to_BN()\fR return a \fBBIGNUM\fR structure
+of NULL if an error occurs. They can fail if the passed type is incorrect
(due to programming error) or due to a memory allocation failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBASN1_INTEGER_set_int64()\fR, \fBASN1_INTEGER_get_int64()\fR,
\&\fBASN1_ENUMERATED_set_int64()\fR and \fBASN1_ENUMERATED_get_int64()\fR
were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3
index ecc1b8e221b2..fd618a558254 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_INTEGER_NEW 3ossl"
-.TH ASN1_INTEGER_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_INTEGER_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_INTEGER_new, ASN1_INTEGER_free \- ASN1_INTEGER allocation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -146,27 +70,28 @@ ASN1_INTEGER_new, ASN1_INTEGER_free \- ASN1_INTEGER allocation functions
\& ASN1_INTEGER *ASN1_INTEGER_new(void);
\& void ASN1_INTEGER_free(ASN1_INTEGER *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBASN1_INTEGER_new()\fR returns an allocated \fB\s-1ASN1_INTEGER\s0\fR structure.
+\&\fBASN1_INTEGER_new()\fR returns an allocated \fBASN1_INTEGER\fR structure.
.PP
-\&\fBASN1_INTEGER_free()\fR frees up a single \fB\s-1ASN1_INTEGER\s0\fR object.
+\&\fBASN1_INTEGER_free()\fR frees up a single \fBASN1_INTEGER\fR object.
+If the argument is NULL, nothing is done.
.PP
-\&\fB\s-1ASN1_INTEGER\s0\fR structure representing the \s-1ASN.1 INTEGER\s0 type
+\&\fBASN1_INTEGER\fR structure representing the ASN.1 INTEGER type
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBASN1_INTEGER_new()\fR return a valid \fB\s-1ASN1_INTEGER\s0\fR structure or \s-1NULL\s0
+\&\fBASN1_INTEGER_new()\fR return a valid \fBASN1_INTEGER\fR structure or NULL
if an error occurred.
.PP
\&\fBASN1_INTEGER_free()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3
index bad8a53f3b4d..c98e4fe03999 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_ITEM_LOOKUP 3ossl"
-.TH ASN1_ITEM_LOOKUP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_ITEM_LOOKUP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_ITEM_lookup, ASN1_ITEM_get \- lookup ASN.1 structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -146,24 +70,24 @@ ASN1_ITEM_lookup, ASN1_ITEM_get \- lookup ASN.1 structures
\& const ASN1_ITEM *ASN1_ITEM_lookup(const char *name);
\& const ASN1_ITEM *ASN1_ITEM_get(size_t i);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBASN1_ITEM_lookup()\fR returns the \fB\s-1ASN1_ITEM\s0\fR named \fIname\fR.
+\&\fBASN1_ITEM_lookup()\fR returns the \fBASN1_ITEM\fR named \fIname\fR.
.PP
-\&\fBASN1_ITEM_get()\fR returns the \fB\s-1ASN1_ITEM\s0\fR with index \fIi\fR. This function
-returns \s-1NULL\s0 if the index \fIi\fR is out of range.
+\&\fBASN1_ITEM_get()\fR returns the \fBASN1_ITEM\fR with index \fIi\fR. This function
+returns NULL if the index \fIi\fR is out of range.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBASN1_ITEM_lookup()\fR and \fBASN1_ITEM_get()\fR return a valid \fB\s-1ASN1_ITEM\s0\fR structure
-or \s-1NULL\s0 if an error occurred.
+\&\fBASN1_ITEM_lookup()\fR and \fBASN1_ITEM_get()\fR return a valid \fBASN1_ITEM\fR structure
+or NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3
index aa8514b09699..5ae02b26c8ca 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_OBJECT_NEW 3ossl"
-.TH ASN1_OBJECT_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_OBJECT_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_OBJECT_new, ASN1_OBJECT_free \- object allocation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -146,23 +70,23 @@ ASN1_OBJECT_new, ASN1_OBJECT_free \- object allocation functions
\& ASN1_OBJECT *ASN1_OBJECT_new(void);
\& void ASN1_OBJECT_free(ASN1_OBJECT *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1ASN1_OBJECT\s0\fR allocation routines, allocate and free an
-\&\fB\s-1ASN1_OBJECT\s0\fR structure, which represents an \s-1ASN1 OBJECT IDENTIFIER.\s0
+The \fBASN1_OBJECT\fR allocation routines, allocate and free an
+\&\fBASN1_OBJECT\fR structure, which represents an ASN1 OBJECT IDENTIFIER.
.PP
-\&\fBASN1_OBJECT_new()\fR allocates and initializes an \fB\s-1ASN1_OBJECT\s0\fR structure.
+\&\fBASN1_OBJECT_new()\fR allocates and initializes an \fBASN1_OBJECT\fR structure.
.PP
-\&\fBASN1_OBJECT_free()\fR frees up the \fB\s-1ASN1_OBJECT\s0\fR structure \fIa\fR.
-If \fIa\fR is \s-1NULL,\s0 nothing is done.
-.SH "NOTES"
+\&\fBASN1_OBJECT_free()\fR frees up the \fBASN1_OBJECT\fR structure \fIa\fR.
+If \fIa\fR is NULL, nothing is done.
+.SH NOTES
.IX Header "NOTES"
-Although \fBASN1_OBJECT_new()\fR allocates a new \fB\s-1ASN1_OBJECT\s0\fR structure it
-is almost never used in applications. The \s-1ASN1\s0 object utility functions
+Although \fBASN1_OBJECT_new()\fR allocates a new \fBASN1_OBJECT\fR structure it
+is almost never used in applications. The ASN1 object utility functions
such as \fBOBJ_nid2obj()\fR are used instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBASN1_OBJECT_new()\fR returns \s-1NULL\s0 and sets an error
+If the allocation fails, \fBASN1_OBJECT_new()\fR returns NULL and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise it returns a pointer to the newly allocated structure.
.PP
@@ -170,11 +94,11 @@ Otherwise it returns a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_ASN1_OBJECT\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3
index a9a8808c0d2f..2cf8cbb757e7 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_TABLE_ADD 3ossl"
-.TH ASN1_STRING_TABLE_ADD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_STRING_TABLE_ADD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_STRING_TABLE, ASN1_STRING_TABLE_add, ASN1_STRING_TABLE_get,
ASN1_STRING_TABLE_cleanup \- ASN1_STRING_TABLE manipulation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -151,44 +75,44 @@ ASN1_STRING_TABLE_cleanup \- ASN1_STRING_TABLE manipulation functions
\& ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
\& void ASN1_STRING_TABLE_cleanup(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-.SS "Types"
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1ASN1_STRING_TABLE\s0\fR is a table which holds string information
-(basically minimum size, maximum size, type and etc) for a \s-1NID\s0 object.
-.SS "Functions"
+\&\fBASN1_STRING_TABLE\fR is a table which holds string information
+(basically minimum size, maximum size, type and etc) for a NID object.
+.SS Functions
.IX Subsection "Functions"
-\&\fBASN1_STRING_TABLE_add()\fR adds a new \fB\s-1ASN1_STRING_TABLE\s0\fR item into the
-local \s-1ASN1\s0 string table based on the \fInid\fR along with other parameters.
+\&\fBASN1_STRING_TABLE_add()\fR adds a new \fBASN1_STRING_TABLE\fR item into the
+local ASN1 string table based on the \fInid\fR along with other parameters.
.PP
-If the item is already in the table, fields of \fB\s-1ASN1_STRING_TABLE\s0\fR are
+If the item is already in the table, fields of \fBASN1_STRING_TABLE\fR are
updated (depending on the values of those parameters, e.g., \fIminsize\fR
and \fImaxsize\fR >= 0, \fImask\fR and \fIflags\fR != 0). If the \fInid\fR is standard,
-a copy of the standard \fB\s-1ASN1_STRING_TABLE\s0\fR is created and updated with
+a copy of the standard \fBASN1_STRING_TABLE\fR is created and updated with
other parameters.
.PP
-\&\fBASN1_STRING_TABLE_get()\fR searches for an \fB\s-1ASN1_STRING_TABLE\s0\fR item based
+\&\fBASN1_STRING_TABLE_get()\fR searches for an \fBASN1_STRING_TABLE\fR item based
on \fInid\fR. It will search the local table first, then the standard one.
.PP
-\&\fBASN1_STRING_TABLE_cleanup()\fR frees all \fB\s-1ASN1_STRING_TABLE\s0\fR items added
+\&\fBASN1_STRING_TABLE_cleanup()\fR frees all \fBASN1_STRING_TABLE\fR items added
by \fBASN1_STRING_TABLE_add()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_TABLE_add()\fR returns 1 on success, 0 if an error occurred.
.PP
-\&\fBASN1_STRING_TABLE_get()\fR returns a valid \fB\s-1ASN1_STRING_TABLE\s0\fR structure
-or \s-1NULL\s0 if nothing is found.
+\&\fBASN1_STRING_TABLE_get()\fR returns a valid \fBASN1_STRING_TABLE\fR structure
+or NULL if nothing is found.
.PP
\&\fBASN1_STRING_TABLE_cleanup()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3
index e8a6e1feee84..a8062ba6de3f 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_LENGTH 3ossl"
-.TH ASN1_STRING_LENGTH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_STRING_LENGTH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_STRING_dup, ASN1_STRING_cmp, ASN1_STRING_set, ASN1_STRING_length,
ASN1_STRING_type, ASN1_STRING_get0_data, ASN1_STRING_data,
ASN1_STRING_to_UTF8 \- ASN1_STRING utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -159,15 +83,15 @@ ASN1_STRING_to_UTF8 \- ASN1_STRING utility functions
\&
\& int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions allow an \fB\s-1ASN1_STRING\s0\fR structure to be manipulated.
+These functions allow an \fBASN1_STRING\fR structure to be manipulated.
.PP
-\&\fBASN1_STRING_length()\fR returns the length of the content of \fIx\fR.
+\&\fBASN1_STRING_length()\fR returns the length of the content of \fIx\fR. \fIx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBASN1_STRING_get0_data()\fR returns an internal pointer to the data of \fIx\fR.
Since this is an internal pointer it should \fBnot\fR be freed or
-modified in any way.
+modified in any way. \fIx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBASN1_STRING_data()\fR is similar to \fBASN1_STRING_get0_data()\fR except the
returned value is not constant. This function is deprecated:
@@ -185,28 +109,28 @@ is \-1 then the length is determined by strlen(data).
\&\fBASN1_STRING_type()\fR returns the type of \fIx\fR, using standard constants
such as \fBV_ASN1_OCTET_STRING\fR.
.PP
-\&\fBASN1_STRING_to_UTF8()\fR converts the string \fIin\fR to \s-1UTF8\s0 format, the
+\&\fBASN1_STRING_to_UTF8()\fR converts the string \fIin\fR to UTF8 format, the
converted data is allocated in a buffer in \fI*out\fR. The length of
\&\fIout\fR is returned or a negative error code. The buffer \fI*out\fR
should be freed using \fBOPENSSL_free()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Almost all \s-1ASN1\s0 types in OpenSSL are represented as an \fB\s-1ASN1_STRING\s0\fR
-structure. Other types such as \fB\s-1ASN1_OCTET_STRING\s0\fR are simply typedef'ed
-to \fB\s-1ASN1_STRING\s0\fR and the functions call the \fB\s-1ASN1_STRING\s0\fR equivalents.
-\&\fB\s-1ASN1_STRING\s0\fR is also used for some \fB\s-1CHOICE\s0\fR types which consist
+Almost all ASN1 types in OpenSSL are represented as an \fBASN1_STRING\fR
+structure. Other types such as \fBASN1_OCTET_STRING\fR are simply typedef'ed
+to \fBASN1_STRING\fR and the functions call the \fBASN1_STRING\fR equivalents.
+\&\fBASN1_STRING\fR is also used for some \fBCHOICE\fR types which consist
entirely of primitive string types such as \fBDirectoryString\fR and
\&\fBTime\fR.
.PP
-These functions should \fBnot\fR be used to examine or modify \fB\s-1ASN1_INTEGER\s0\fR
-or \fB\s-1ASN1_ENUMERATED\s0\fR types: the relevant \fB\s-1INTEGER\s0\fR or \fB\s-1ENUMERATED\s0\fR
+These functions should \fBnot\fR be used to examine or modify \fBASN1_INTEGER\fR
+or \fBASN1_ENUMERATED\fR types: the relevant \fBINTEGER\fR or \fBENUMERATED\fR
utility functions should be used instead.
.PP
In general it cannot be assumed that the data returned by \fBASN1_STRING_data()\fR
is null terminated or does not contain embedded nulls. The actual format
of the data will depend on the actual string type itself: for example
-for an IA5String the data will be \s-1ASCII,\s0 for a BMPString two bytes per
-character in big endian format, and for a UTF8String it will be in \s-1UTF8\s0 format.
+for an IA5String the data will be ASCII, for a BMPString two bytes per
+character in big endian format, and for a UTF8String it will be in UTF8 format.
.PP
Similar care should be take to ensure the data is in the correct format
when calling \fBASN1_STRING_set()\fR.
@@ -217,7 +141,7 @@ when calling \fBASN1_STRING_set()\fR.
\&\fBASN1_STRING_get0_data()\fR and \fBASN1_STRING_data()\fR return an internal pointer to
the data of \fIx\fR.
.PP
-\&\fBASN1_STRING_dup()\fR returns a valid \fB\s-1ASN1_STRING\s0\fR structure or \s-1NULL\s0 if an
+\&\fBASN1_STRING_dup()\fR returns a valid \fBASN1_STRING\fR structure or NULL if an
error occurred.
.PP
\&\fBASN1_STRING_cmp()\fR returns an integer greater than, equal to, or less than 0,
@@ -232,11 +156,11 @@ negative value if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3
index a10c04d6026d..e12517824059 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_NEW 3ossl"
-.TH ASN1_STRING_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_STRING_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_STRING_new, ASN1_STRING_type_new, ASN1_STRING_free \-
ASN1_STRING allocation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -148,34 +72,34 @@ ASN1_STRING allocation functions
\& ASN1_STRING *ASN1_STRING_type_new(int type);
\& void ASN1_STRING_free(ASN1_STRING *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBASN1_STRING_new()\fR returns an allocated \fB\s-1ASN1_STRING\s0\fR structure. Its type
+\&\fBASN1_STRING_new()\fR returns an allocated \fBASN1_STRING\fR structure. Its type
is undefined.
.PP
-\&\fBASN1_STRING_type_new()\fR returns an allocated \fB\s-1ASN1_STRING\s0\fR structure of
+\&\fBASN1_STRING_type_new()\fR returns an allocated \fBASN1_STRING\fR structure of
type \fItype\fR.
.PP
\&\fBASN1_STRING_free()\fR frees up \fIa\fR.
-If \fIa\fR is \s-1NULL\s0 nothing is done.
-.SH "NOTES"
+If \fIa\fR is NULL nothing is done.
+.SH NOTES
.IX Header "NOTES"
-Other string types call the \fB\s-1ASN1_STRING\s0\fR functions. For example
+Other string types call the \fBASN1_STRING\fR functions. For example
\&\fBASN1_OCTET_STRING_new()\fR calls ASN1_STRING_type_new(V_ASN1_OCTET_STRING).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_new()\fR and \fBASN1_STRING_type_new()\fR return a valid
-\&\fB\s-1ASN1_STRING\s0\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBASN1_STRING\fR structure or NULL if an error occurred.
.PP
\&\fBASN1_STRING_free()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3
index 844daeb5662d..281a01e11d5e 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_PRINT_EX 3ossl"
-.TH ASN1_STRING_PRINT_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_STRING_PRINT_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_tag2str, ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print
\&\- ASN1_STRING output routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -150,78 +74,78 @@ ASN1_tag2str, ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print
\&
\& const char *ASN1_tag2str(int tag);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions output an \fB\s-1ASN1_STRING\s0\fR structure. \fB\s-1ASN1_STRING\s0\fR is used to
-represent all the \s-1ASN1\s0 string types.
+These functions output an \fBASN1_STRING\fR structure. \fBASN1_STRING\fR is used to
+represent all the ASN1 string types.
.PP
\&\fBASN1_STRING_print_ex()\fR outputs \fIstr\fR to \fIout\fR, the format is determined by
the options \fIflags\fR. \fBASN1_STRING_print_ex_fp()\fR is identical except it outputs
to \fIfp\fR instead.
.PP
\&\fBASN1_STRING_print()\fR prints \fIstr\fR to \fIout\fR but using a different format to
-\&\fBASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than \s-1CR, LF\s0)
+\&\fBASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than CR, LF)
with '.'.
.PP
-\&\fBASN1_tag2str()\fR returns a human-readable name of the specified \s-1ASN.1\s0 \fItag\fR.
-.SH "NOTES"
+\&\fBASN1_tag2str()\fR returns a human-readable name of the specified ASN.1 \fItag\fR.
+.SH NOTES
.IX Header "NOTES"
\&\fBASN1_STRING_print()\fR is a deprecated function which should be avoided; use
\&\fBASN1_STRING_print_ex()\fR instead.
.PP
-Although there are a large number of options frequently \fB\s-1ASN1_STRFLGS_RFC2253\s0\fR is
-suitable, or on \s-1UTF8\s0 terminals \fB\s-1ASN1_STRFLGS_RFC2253 &\s0 ~ASN1_STRFLGS_ESC_MSB\fR.
+Although there are a large number of options frequently \fBASN1_STRFLGS_RFC2253\fR is
+suitable, or on UTF8 terminals \fBASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB\fR.
.PP
The complete set of supported options for \fIflags\fR is listed below.
.PP
-Various characters can be escaped. If \fB\s-1ASN1_STRFLGS_ESC_2253\s0\fR is set the characters
-determined by \s-1RFC2253\s0 are escaped. If \fB\s-1ASN1_STRFLGS_ESC_CTRL\s0\fR is set control
-characters are escaped. If \fB\s-1ASN1_STRFLGS_ESC_MSB\s0\fR is set characters with the
-\&\s-1MSB\s0 set are escaped: this option should \fBnot\fR be used if the terminal correctly
-interprets \s-1UTF8\s0 sequences.
+Various characters can be escaped. If \fBASN1_STRFLGS_ESC_2253\fR is set the characters
+determined by RFC2253 are escaped. If \fBASN1_STRFLGS_ESC_CTRL\fR is set control
+characters are escaped. If \fBASN1_STRFLGS_ESC_MSB\fR is set characters with the
+MSB set are escaped: this option should \fBnot\fR be used if the terminal correctly
+interprets UTF8 sequences.
.PP
Escaping takes several forms.
.PP
-If the character being escaped is a 16 bit character then the form \*(L"\eUXXXX\*(R" is used
+If the character being escaped is a 16 bit character then the form "\eUXXXX" is used
using exactly four characters for the hex representation. If it is 32 bits then
-\&\*(L"\eWXXXXXXXX\*(R" is used using eight characters of its hex representation. These forms
-will only be used if \s-1UTF8\s0 conversion is not set (see below).
+"\eWXXXXXXXX" is used using eight characters of its hex representation. These forms
+will only be used if UTF8 conversion is not set (see below).
.PP
Printable characters are normally escaped using the backslash '\e' character. If
-\&\fB\s-1ASN1_STRFLGS_ESC_QUOTE\s0\fR is set then the whole string is instead surrounded by
+\&\fBASN1_STRFLGS_ESC_QUOTE\fR is set then the whole string is instead surrounded by
double quote characters: this is arguably more readable than the backslash
-notation. Other characters use the \*(L"\eXX\*(R" using exactly two characters of the hex
+notation. Other characters use the "\eXX" using exactly two characters of the hex
representation.
.PP
-If \fB\s-1ASN1_STRFLGS_UTF8_CONVERT\s0\fR is set then characters are converted to \s-1UTF8\s0
-format first. If the terminal supports the display of \s-1UTF8\s0 sequences then this
+If \fBASN1_STRFLGS_UTF8_CONVERT\fR is set then characters are converted to UTF8
+format first. If the terminal supports the display of UTF8 sequences then this
option will correctly display multi byte characters.
.PP
-If \fB\s-1ASN1_STRFLGS_IGNORE_TYPE\s0\fR is set then the string type is not interpreted at
+If \fBASN1_STRFLGS_IGNORE_TYPE\fR is set then the string type is not interpreted at
all: everything is assumed to be one byte per character. This is primarily for
debugging purposes and can result in confusing output in multi character strings.
.PP
-If \fB\s-1ASN1_STRFLGS_SHOW_TYPE\s0\fR is set then the string type itself is printed out
-before its value (for example \*(L"\s-1BMPSTRING\*(R"\s0), this actually uses \fBASN1_tag2str()\fR.
+If \fBASN1_STRFLGS_SHOW_TYPE\fR is set then the string type itself is printed out
+before its value (for example "BMPSTRING"), this actually uses \fBASN1_tag2str()\fR.
.PP
-The content of a string instead of being interpreted can be \*(L"dumped\*(R": this just
+The content of a string instead of being interpreted can be "dumped": this just
outputs the value of the string using the form #XXXX using hex format for each
octet.
.PP
-If \fB\s-1ASN1_STRFLGS_DUMP_ALL\s0\fR is set then any type is dumped.
+If \fBASN1_STRFLGS_DUMP_ALL\fR is set then any type is dumped.
.PP
-Normally non character string types (such as \s-1OCTET STRING\s0) are assumed to be
-one byte per character, if \fB\s-1ASN1_STRFLGS_DUMP_UNKNOWN\s0\fR is set then they will
+Normally non character string types (such as OCTET STRING) are assumed to be
+one byte per character, if \fBASN1_STRFLGS_DUMP_UNKNOWN\fR is set then they will
be dumped instead.
.PP
When a type is dumped normally just the content octets are printed, if
-\&\fB\s-1ASN1_STRFLGS_DUMP_DER\s0\fR is set then the complete encoding is dumped
+\&\fBASN1_STRFLGS_DUMP_DER\fR is set then the complete encoding is dumped
instead (including tag and length octets).
.PP
-\&\fB\s-1ASN1_STRFLGS_RFC2253\s0\fR includes all the flags required by \s-1RFC2253.\s0 It is
+\&\fBASN1_STRFLGS_RFC2253\fR includes all the flags required by RFC2253. It is
equivalent to:
- \s-1ASN1_STRFLGS_ESC_2253\s0 | \s-1ASN1_STRFLGS_ESC_CTRL\s0 | \s-1ASN1_STRFLGS_ESC_MSB\s0 |
- \s-1ASN1_STRFLGS_UTF8_CONVERT\s0 | \s-1ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER\s0
+ ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB |
+ ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_print_ex()\fR and \fBASN1_STRING_print_ex_fp()\fR return the number of
@@ -229,16 +153,16 @@ characters written or \-1 if an error occurred.
.PP
\&\fBASN1_STRING_print()\fR returns 1 on success or 0 on error.
.PP
-\&\fBASN1_tag2str()\fR returns a human-readable name of the specified \s-1ASN.1\s0 \fItag\fR.
+\&\fBASN1_tag2str()\fR returns a human-readable name of the specified ASN.1 \fItag\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBASN1_tag2str\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3
index 8529522d18c3..4ebb7adc7de5 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_TIME_SET 3ossl"
-.TH ASN1_TIME_SET 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_TIME_SET 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_TIME_set, ASN1_UTCTIME_set, ASN1_GENERALIZEDTIME_set,
ASN1_TIME_adj, ASN1_UTCTIME_adj, ASN1_GENERALIZEDTIME_adj,
ASN1_TIME_check, ASN1_UTCTIME_check, ASN1_GENERALIZEDTIME_check,
@@ -150,7 +74,7 @@ ASN1_TIME_cmp_time_t, ASN1_UTCTIME_cmp_time_t,
ASN1_TIME_compare,
ASN1_TIME_to_generalizedtime,
ASN1_TIME_dup, ASN1_UTCTIME_dup, ASN1_GENERALIZEDTIME_dup \- ASN.1 Time functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 4
\& ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
@@ -199,60 +123,60 @@ ASN1_TIME_dup, ASN1_UTCTIME_dup, ASN1_GENERALIZEDTIME_dup \- ASN.1 Time function
\& ASN1_UTCTIME *ASN1_UTCTIME_dup(const ASN1_UTCTIME *t);
\& ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_dup(const ASN1_GENERALIZEDTIME *t);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBASN1_TIME_set()\fR, \fBASN1_UTCTIME_set()\fR and \fBASN1_GENERALIZEDTIME_set()\fR
functions set the structure \fIs\fR to the time represented by the time_t
-value \fIt\fR. If \fIs\fR is \s-1NULL\s0 a new time structure is allocated and returned.
+value \fIt\fR. If \fIs\fR is NULL a new time structure is allocated and returned.
.PP
The \fBASN1_TIME_adj()\fR, \fBASN1_UTCTIME_adj()\fR and \fBASN1_GENERALIZEDTIME_adj()\fR
functions set the time structure \fIs\fR to the time represented
by the time \fIoffset_day\fR and \fIoffset_sec\fR after the time_t value \fIt\fR.
The values of \fIoffset_day\fR or \fIoffset_sec\fR can be negative to set a
time before \fIt\fR. The \fIoffset_sec\fR value can also exceed the number of
-seconds in a day. If \fIs\fR is \s-1NULL\s0 a new structure is allocated
+seconds in a day. If \fIs\fR is NULL a new structure is allocated
and returned.
.PP
The \fBASN1_TIME_set_string()\fR, \fBASN1_UTCTIME_set_string()\fR and
\&\fBASN1_GENERALIZEDTIME_set_string()\fR functions set the time structure \fIs\fR
-to the time represented by string \fIstr\fR which must be in appropriate \s-1ASN.1\s0
-time format (for example \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ\s0). If \fIs\fR is \s-1NULL\s0
+to the time represented by string \fIstr\fR which must be in appropriate ASN.1
+time format (for example YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ). If \fIs\fR is NULL
this function performs a format check on \fIstr\fR only. The string \fIstr\fR
is copied into \fIs\fR.
.PP
-\&\fBASN1_TIME_set_string_X509()\fR sets \fB\s-1ASN1_TIME\s0\fR structure \fIs\fR to the time
+\&\fBASN1_TIME_set_string_X509()\fR sets \fBASN1_TIME\fR structure \fIs\fR to the time
represented by string \fIstr\fR which must be in appropriate time format
-that \s-1RFC 5280\s0 requires, which means it only allows \s-1YYMMDDHHMMSSZ\s0 and
-\&\s-1YYYYMMDDHHMMSSZ\s0 (leap second is rejected), all other \s-1ASN.1\s0 time format
-are not allowed. If \fIs\fR is \s-1NULL\s0 this function performs a format check
+that RFC 5280 requires, which means it only allows YYMMDDHHMMSSZ and
+YYYYMMDDHHMMSSZ (leap second is rejected), all other ASN.1 time format
+are not allowed. If \fIs\fR is NULL this function performs a format check
on \fIstr\fR only.
.PP
-The \fBASN1_TIME_normalize()\fR function converts an \fB\s-1ASN1_GENERALIZEDTIME\s0\fR or
-\&\fB\s-1ASN1_UTCTIME\s0\fR into a time value that can be used in a certificate. It
+The \fBASN1_TIME_normalize()\fR function converts an \fBASN1_GENERALIZEDTIME\fR or
+\&\fBASN1_UTCTIME\fR into a time value that can be used in a certificate. It
should be used after the \fBASN1_TIME_set_string()\fR functions and before
-\&\fBASN1_TIME_print()\fR functions to get consistent (i.e. \s-1GMT\s0) results.
+\&\fBASN1_TIME_print()\fR functions to get consistent (i.e. GMT) results.
.PP
The \fBASN1_TIME_check()\fR, \fBASN1_UTCTIME_check()\fR and \fBASN1_GENERALIZEDTIME_check()\fR
functions check the syntax of the time structure \fIs\fR.
.PP
The \fBASN1_TIME_print()\fR, \fBASN1_UTCTIME_print()\fR and \fBASN1_GENERALIZEDTIME_print()\fR
-functions print the time structure \fIs\fR to \s-1BIO\s0 \fIb\fR in human readable
-format. It will be of the format \s-1MMM DD HH:MM:SS YYYY\s0 [\s-1GMT\s0], for example
-\&\*(L"Feb 3 00:55:52 2015 \s-1GMT\*(R",\s0 which does not include a newline.
-If the time structure has invalid format it prints out \*(L"Bad time value\*(R" and
+functions print the time structure \fIs\fR to BIO \fIb\fR in human readable
+format. It will be of the format MMM DD HH:MM:SS[.s*] YYYY GMT, for example
+"Feb 3 00:55:52 2015 GMT", which does not include a newline.
+If the time structure has invalid format it prints out "Bad time value" and
returns an error. The output for generalized time may include a fractional part
following the second.
.PP
\&\fBASN1_TIME_print_ex()\fR provides \fIflags\fR to specify the output format of the
-datetime. This can be either \fB\s-1ASN1_DTFLGS_RFC822\s0\fR or \fB\s-1ASN1_DTFLGS_ISO8601\s0\fR.
+datetime. This can be either \fBASN1_DTFLGS_RFC822\fR or \fBASN1_DTFLGS_ISO8601\fR.
.PP
\&\fBASN1_TIME_to_tm()\fR converts the time \fIs\fR to the standard \fItm\fR structure.
-If \fIs\fR is \s-1NULL,\s0 then the current time is converted. The output time is \s-1GMT.\s0
+If \fIs\fR is NULL, then the current time is converted. The output time is GMT.
The \fItm_sec\fR, \fItm_min\fR, \fItm_hour\fR, \fItm_mday\fR, \fItm_wday\fR, \fItm_yday\fR,
\&\fItm_mon\fR and \fItm_year\fR fields of \fItm\fR structure are set to proper values,
-whereas all other fields are set to 0. If \fItm\fR is \s-1NULL\s0 this function performs
+whereas all other fields are set to 0. If \fItm\fR is NULL this function performs
a format check on \fIs\fR only. If \fIs\fR is in Generalized format with fractional
-seconds, e.g. \s-1YYYYMMDDHHMMSS.SSSZ,\s0 the fractional seconds will be lost while
+seconds, e.g. YYYYMMDDHHMMSS.SSSZ, the fractional seconds will be lost while
converting \fIs\fR to \fItm\fR structure.
.PP
\&\fBASN1_TIME_diff()\fR sets \fI*pday\fR and \fI*psec\fR to the time difference between
@@ -263,7 +187,7 @@ one or both of \fI*pday\fR and \fI*psec\fR will be negative. If \fIto\fR and \fI
represent the same time then \fI*pday\fR and \fI*psec\fR will both be zero.
If both \fI*pday\fR and \fI*psec\fR are nonzero they will always have the same
sign. The value of \fI*psec\fR will always be less than the number of seconds
-in a day. If \fIfrom\fR or \fIto\fR is \s-1NULL\s0 the current time is used.
+in a day. If \fIfrom\fR or \fIto\fR is NULL the current time is used.
.PP
The \fBASN1_TIME_cmp_time_t()\fR and \fBASN1_UTCTIME_cmp_time_t()\fR functions compare
the two times represented by the time structure \fIs\fR and the time_t \fIt\fR.
@@ -271,29 +195,29 @@ the two times represented by the time structure \fIs\fR and the time_t \fIt\fR.
The \fBASN1_TIME_compare()\fR function compares the two times represented by the
time structures \fIa\fR and \fIb\fR.
.PP
-The \fBASN1_TIME_to_generalizedtime()\fR function converts an \fB\s-1ASN1_TIME\s0\fR to an
-\&\fB\s-1ASN1_GENERALIZEDTIME\s0\fR, regardless of year. If either \fIout\fR or
-\&\fI*out\fR are \s-1NULL,\s0 then a new object is allocated and must be freed after use.
+The \fBASN1_TIME_to_generalizedtime()\fR function converts an \fBASN1_TIME\fR to an
+\&\fBASN1_GENERALIZEDTIME\fR, regardless of year. If either \fIout\fR or
+\&\fI*out\fR are NULL, then a new object is allocated and must be freed after use.
.PP
The \fBASN1_TIME_dup()\fR, \fBASN1_UTCTIME_dup()\fR and \fBASN1_GENERALIZEDTIME_dup()\fR functions
duplicate the time structure \fIt\fR and return the duplicated result
correspondingly.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1ASN1_TIME\s0\fR structure corresponds to the \s-1ASN.1\s0 structure \fBTime\fR
-defined in \s-1RFC5280\s0 et al. The time setting functions obey the rules outlined
-in \s-1RFC5280:\s0 if the date can be represented by UTCTime it is used, else
+The \fBASN1_TIME\fR structure corresponds to the ASN.1 structure \fBTime\fR
+defined in RFC5280 et al. The time setting functions obey the rules outlined
+in RFC5280: if the date can be represented by UTCTime it is used, else
GeneralizedTime is used.
.PP
-The \fB\s-1ASN1_TIME\s0\fR, \fB\s-1ASN1_UTCTIME\s0\fR and \fB\s-1ASN1_GENERALIZEDTIME\s0\fR structures are
-represented as an \fB\s-1ASN1_STRING\s0\fR internally and can be freed up using
+The \fBASN1_TIME\fR, \fBASN1_UTCTIME\fR and \fBASN1_GENERALIZEDTIME\fR structures are
+represented as an \fBASN1_STRING\fR internally and can be freed up using
\&\fBASN1_STRING_free()\fR.
.PP
-The \fB\s-1ASN1_TIME\s0\fR structure can represent years from 0000 to 9999 but no attempt
+The \fBASN1_TIME\fR structure can represent years from 0000 to 9999 but no attempt
is made to correct ancient calendar changes (for example from Julian to
Gregorian calendars).
.PP
-\&\fB\s-1ASN1_UTCTIME\s0\fR is limited to a year range of 1950 through 2049.
+\&\fBASN1_UTCTIME\fR is limited to a year range of 1950 through 2049.
.PP
Some applications add offset times directly to a time_t value and pass the
results to \fBASN1_TIME_set()\fR (or equivalent). This can cause problems as the
@@ -302,33 +226,37 @@ New applications should use \fBASN1_TIME_adj()\fR instead and pass the offset va
in the \fIoffset_sec\fR and \fIoffset_day\fR parameters instead of directly
manipulating a time_t value.
.PP
-\&\fBASN1_TIME_adj()\fR may change the type from \fB\s-1ASN1_GENERALIZEDTIME\s0\fR to
-\&\fB\s-1ASN1_UTCTIME\s0\fR, or vice versa, based on the resulting year.
+\&\fBASN1_TIME_adj()\fR may change the type from \fBASN1_GENERALIZEDTIME\fR to
+\&\fBASN1_UTCTIME\fR, or vice versa, based on the resulting year.
\&\fBASN1_GENERALIZEDTIME_adj()\fR and \fBASN1_UTCTIME_adj()\fR will not modify the type
of the return structure.
.PP
-It is recommended that functions starting with \fB\s-1ASN1_TIME\s0\fR be used instead of
-those starting with \fB\s-1ASN1_UTCTIME\s0\fR or \fB\s-1ASN1_GENERALIZEDTIME\s0\fR. The functions
-starting with \fB\s-1ASN1_UTCTIME\s0\fR and \fB\s-1ASN1_GENERALIZEDTIME\s0\fR act only on that
-specific time format. The functions starting with \fB\s-1ASN1_TIME\s0\fR will operate on
+It is recommended that functions starting with \fBASN1_TIME\fR be used instead of
+those starting with \fBASN1_UTCTIME\fR or \fBASN1_GENERALIZEDTIME\fR. The functions
+starting with \fBASN1_UTCTIME\fR and \fBASN1_GENERALIZEDTIME\fR act only on that
+specific time format. The functions starting with \fBASN1_TIME\fR will operate on
either format.
-.SH "BUGS"
+.PP
+Users familiar with RFC822 should note that when specifying the flag
+\&\fBASN1_DTFLGS_RFC822\fR the year will be formatted as documented above,
+i.e., using 4 digits, not 2 as specified in RFC822.
+.SH BUGS
.IX Header "BUGS"
\&\fBASN1_TIME_print()\fR, \fBASN1_UTCTIME_print()\fR and \fBASN1_GENERALIZEDTIME_print()\fR do
-not print out the timezone: it either prints out \*(L"\s-1GMT\*(R"\s0 or nothing. But all
-certificates complying with \s-1RFC5280\s0 et al use \s-1GMT\s0 anyway.
+not print out the timezone: it either prints out "GMT" or nothing. But all
+certificates complying with RFC5280 et al use GMT anyway.
.PP
\&\fBASN1_TIME_print()\fR, \fBASN1_TIME_print_ex()\fR, \fBASN1_UTCTIME_print()\fR and
\&\fBASN1_GENERALIZEDTIME_print()\fR do not distinguish if they fail because
of an I/O error or invalid time format.
.PP
Use the \fBASN1_TIME_normalize()\fR function to normalize the time value before
-printing to get \s-1GMT\s0 results.
+printing to get GMT results.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_TIME_set()\fR, \fBASN1_UTCTIME_set()\fR, \fBASN1_GENERALIZEDTIME_set()\fR,
\&\fBASN1_TIME_adj()\fR, \fBASN1_UTCTIME_adj()\fR and \fBASN1_GENERALIZEDTIME_set()\fR return
-a pointer to a time structure or \s-1NULL\s0 if an error occurred.
+a pointer to a time structure or NULL if an error occurred.
.PP
\&\fBASN1_TIME_set_string()\fR, \fBASN1_UTCTIME_set_string()\fR,
\&\fBASN1_GENERALIZEDTIME_set_string()\fR and \fBASN1_TIME_set_string_X509()\fR return
@@ -357,11 +285,11 @@ on error.
or 1 if \fIa\fR is after \fIb\fR. \-2 is returned on error.
.PP
\&\fBASN1_TIME_to_generalizedtime()\fR returns a pointer to the appropriate time
-structure on success or \s-1NULL\s0 if an error occurred.
+structure on success or NULL if an error occurred.
.PP
\&\fBASN1_TIME_dup()\fR, \fBASN1_UTCTIME_dup()\fR and \fBASN1_GENERALIZEDTIME_dup()\fR return a
-pointer to a time structure or \s-1NULL\s0 if an error occurred.
-.SH "EXAMPLES"
+pointer to a time structure or NULL if an error occurred.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Set a time structure to one hour after the current time and print it out:
.PP
@@ -396,18 +324,18 @@ Determine if one time is later or sooner than the current time:
\& else
\& printf("Same\en");
.Ve
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBASN1_TIME_to_tm()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_set_string_X509()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_normalize()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_cmp_time_t()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_compare()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3
index c85eb62faf53..a083ece83e53 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_TYPE_GET 3ossl"
-.TH ASN1_TYPE_GET 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_TYPE_GET 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_TYPE_get, ASN1_TYPE_set, ASN1_TYPE_set1, ASN1_TYPE_cmp, ASN1_TYPE_unpack_sequence, ASN1_TYPE_pack_sequence \- ASN1_TYPE utility
functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -153,11 +77,11 @@ functions
\& ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s,
\& ASN1_TYPE **t);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions allow an \fB\s-1ASN1_TYPE\s0\fR structure to be manipulated. The
-\&\fB\s-1ASN1_TYPE\s0\fR structure can contain any \s-1ASN.1\s0 type or constructed type
-such as a \s-1SEQUENCE:\s0 it is effectively equivalent to the \s-1ASN.1 ANY\s0 type.
+These functions allow an \fBASN1_TYPE\fR structure to be manipulated. The
+\&\fBASN1_TYPE\fR structure can contain any ASN.1 type or constructed type
+such as a SEQUENCE: it is effectively equivalent to the ASN.1 ANY type.
.PP
\&\fBASN1_TYPE_get()\fR returns the type of \fIa\fR or 0 if it fails.
.PP
@@ -167,48 +91,48 @@ up after the call.
.PP
\&\fBASN1_TYPE_set1()\fR sets the value of \fIa\fR to \fItype\fR a copy of \fIvalue\fR.
.PP
-\&\fBASN1_TYPE_cmp()\fR compares \s-1ASN.1\s0 types \fIa\fR and \fIb\fR and returns 0 if
+\&\fBASN1_TYPE_cmp()\fR compares ASN.1 types \fIa\fR and \fIb\fR and returns 0 if
they are identical and nonzero otherwise.
.PP
-\&\fBASN1_TYPE_unpack_sequence()\fR attempts to parse the \s-1SEQUENCE\s0 present in
-\&\fIt\fR using the \s-1ASN.1\s0 structure \fIit\fR. If successful it returns a pointer
-to the \s-1ASN.1\s0 structure corresponding to \fIit\fR which must be freed by the
-caller. If it fails it return \s-1NULL.\s0
+\&\fBASN1_TYPE_unpack_sequence()\fR attempts to parse the SEQUENCE present in
+\&\fIt\fR using the ASN.1 structure \fIit\fR. If successful it returns a pointer
+to the ASN.1 structure corresponding to \fIit\fR which must be freed by the
+caller. If it fails it return NULL.
.PP
-\&\fBASN1_TYPE_pack_sequence()\fR attempts to encode the \s-1ASN.1\s0 structure \fIs\fR
-corresponding to \fIit\fR into an \fB\s-1ASN1_TYPE\s0\fR. If successful the encoded
-\&\fB\s-1ASN1_TYPE\s0\fR is returned. If \fIt\fR and \fI*t\fR are not \s-1NULL\s0 the encoded type
-is written to \fIt\fR overwriting any existing data. If \fIt\fR is not \s-1NULL\s0
-but \fI*t\fR is \s-1NULL\s0 the returned \fB\s-1ASN1_TYPE\s0\fR is written to \fI*t\fR.
-.SH "NOTES"
+\&\fBASN1_TYPE_pack_sequence()\fR attempts to encode the ASN.1 structure \fIs\fR
+corresponding to \fIit\fR into an \fBASN1_TYPE\fR. If successful the encoded
+\&\fBASN1_TYPE\fR is returned. If \fIt\fR and \fI*t\fR are not NULL the encoded type
+is written to \fIt\fR overwriting any existing data. If \fIt\fR is not NULL
+but \fI*t\fR is NULL the returned \fBASN1_TYPE\fR is written to \fI*t\fR.
+.SH NOTES
.IX Header "NOTES"
The type and meaning of the \fIvalue\fR parameter for \fBASN1_TYPE_set()\fR and
\&\fBASN1_TYPE_set1()\fR is determined by the \fItype\fR parameter.
If \fItype\fR is \fBV_ASN1_NULL\fR \fIvalue\fR is ignored. If \fItype\fR is
\&\fBV_ASN1_BOOLEAN\fR
-then the boolean is set to \s-1TRUE\s0 if \fIvalue\fR is not \s-1NULL.\s0 If \fItype\fR is
-\&\fBV_ASN1_OBJECT\fR then value is an \fB\s-1ASN1_OBJECT\s0\fR structure. Otherwise \fItype\fR
-is and \fB\s-1ASN1_STRING\s0\fR structure. If \fItype\fR corresponds to a primitive type
-(or a string type) then the contents of the \fB\s-1ASN1_STRING\s0\fR contain the content
+then the boolean is set to TRUE if \fIvalue\fR is not NULL. If \fItype\fR is
+\&\fBV_ASN1_OBJECT\fR then value is an \fBASN1_OBJECT\fR structure. Otherwise \fItype\fR
+is and \fBASN1_STRING\fR structure. If \fItype\fR corresponds to a primitive type
+(or a string type) then the contents of the \fBASN1_STRING\fR contain the content
octets of the type. If \fItype\fR corresponds to a constructed type or
a tagged type (\fBV_ASN1_SEQUENCE\fR, \fBV_ASN1_SET\fR or \fBV_ASN1_OTHER\fR) then the
-\&\fB\s-1ASN1_STRING\s0\fR contains the entire \s-1ASN.1\s0 encoding verbatim (including tag and
+\&\fBASN1_STRING\fR contains the entire ASN.1 encoding verbatim (including tag and
length octets).
.PP
\&\fBASN1_TYPE_cmp()\fR may not return zero if two types are equivalent but have
-different encodings. For example the single content octet of the boolean \s-1TRUE\s0
-value under \s-1BER\s0 can have any nonzero encoding but \fBASN1_TYPE_cmp()\fR will
+different encodings. For example the single content octet of the boolean TRUE
+value under BER can have any nonzero encoding but \fBASN1_TYPE_cmp()\fR will
only return zero if the values are the same.
.PP
-If either or both of the parameters passed to \fBASN1_TYPE_cmp()\fR is \s-1NULL\s0 the
-return value is nonzero. Technically if both parameters are \s-1NULL\s0 the two
-types could be absent \s-1OPTIONAL\s0 fields and so should match, however, passing
-\&\s-1NULL\s0 values could also indicate a programming error (for example an
-unparsable type which returns \s-1NULL\s0) for types which do \fBnot\fR match. So
+If either or both of the parameters passed to \fBASN1_TYPE_cmp()\fR is NULL the
+return value is nonzero. Technically if both parameters are NULL the two
+types could be absent OPTIONAL fields and so should match, however, passing
+NULL values could also indicate a programming error (for example an
+unparsable type which returns NULL) for types which do \fBnot\fR match. So
applications should handle the case of two absent values separately.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBASN1_TYPE_get()\fR returns the type of the \fB\s-1ASN1_TYPE\s0\fR argument.
+\&\fBASN1_TYPE_get()\fR returns the type of the \fBASN1_TYPE\fR argument.
.PP
\&\fBASN1_TYPE_set()\fR does not return a value.
.PP
@@ -216,16 +140,16 @@ applications should handle the case of two absent values separately.
.PP
\&\fBASN1_TYPE_cmp()\fR returns 0 if the types are identical and nonzero otherwise.
.PP
-\&\fBASN1_TYPE_unpack_sequence()\fR returns a pointer to an \s-1ASN.1\s0 structure or
-\&\s-1NULL\s0 on failure.
+\&\fBASN1_TYPE_unpack_sequence()\fR returns a pointer to an ASN.1 structure or
+NULL on failure.
.PP
-\&\fBASN1_TYPE_pack_sequence()\fR return an \fB\s-1ASN1_TYPE\s0\fR structure if it succeeds or
-\&\s-1NULL\s0 on failure.
-.SH "COPYRIGHT"
+\&\fBASN1_TYPE_pack_sequence()\fR return an \fBASN1_TYPE\fR structure if it succeeds or
+NULL on failure.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3 b/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3
index 347d5ebcc502..da51ae972b3a 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_aux_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_AUX_CB 3ossl"
-.TH ASN1_AUX_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_AUX_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
\&\- ASN.1 auxiliary data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1t.h>
@@ -174,175 +98,175 @@ ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
\& typedef int ASN1_aux_const_cb(int operation, const ASN1_VALUE **in,
\& const ASN1_ITEM *it, void *exarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1ASN.1\s0 data structures can be associated with an \fB\s-1ASN1_AUX\s0\fR object to supply
-additional information about the \s-1ASN.1\s0 structure. An \fB\s-1ASN1_AUX\s0\fR structure is
-associated with the structure during the definition of the \s-1ASN.1\s0 template. For
-example an \fB\s-1ASN1_AUX\s0\fR structure will be associated by using one of the various
-\&\s-1ASN.1\s0 template definition macros that supply auxiliary information such as
+ASN.1 data structures can be associated with an \fBASN1_AUX\fR object to supply
+additional information about the ASN.1 structure. An \fBASN1_AUX\fR structure is
+associated with the structure during the definition of the ASN.1 template. For
+example an \fBASN1_AUX\fR structure will be associated by using one of the various
+ASN.1 template definition macros that supply auxiliary information such as
\&\fBASN1_SEQUENCE_enc()\fR, \fBASN1_SEQUENCE_ref()\fR, \fBASN1_SEQUENCE_cb_const_cb()\fR,
\&\fBASN1_SEQUENCE_const_cb()\fR, \fBASN1_SEQUENCE_cb()\fR or \fBASN1_NDEF_SEQUENCE_cb()\fR.
.PP
-An \fB\s-1ASN1_AUX\s0\fR structure contains the following information.
-.IP "\fIapp_data\fR" 4
+An \fBASN1_AUX\fR structure contains the following information.
+.IP \fIapp_data\fR 4
.IX Item "app_data"
Arbitrary application data
-.IP "\fIflags\fR" 4
+.IP \fIflags\fR 4
.IX Item "flags"
Flags which indicate the auxiliarly functionality supported.
.Sp
-The \fB\s-1ASN1_AFLG_REFCOUNT\s0\fR flag indicates that objects support reference counting.
+The \fBASN1_AFLG_REFCOUNT\fR flag indicates that objects support reference counting.
.Sp
-The \fB\s-1ASN1_AFLG_ENCODING\s0\fR flag indicates that the original encoding of the
+The \fBASN1_AFLG_ENCODING\fR flag indicates that the original encoding of the
object will be saved.
.Sp
-The \fB\s-1ASN1_AFLG_BROKEN\s0\fR flag is a work around for broken encoders where the
+The \fBASN1_AFLG_BROKEN\fR flag is a work around for broken encoders where the
sequence length value may not be correct. This should generally not be used.
.Sp
-The \fB\s-1ASN1_AFLG_CONST_CB\s0\fR flag indicates that the \*(L"const\*(R" form of the
-\&\fB\s-1ASN1_AUX\s0\fR callback should be used in preference to the non-const form.
-.IP "\fIref_offset\fR" 4
+The \fBASN1_AFLG_CONST_CB\fR flag indicates that the "const" form of the
+\&\fBASN1_AUX\fR callback should be used in preference to the non-const form.
+.IP \fIref_offset\fR 4
.IX Item "ref_offset"
-If the \fB\s-1ASN1_AFLG_REFCOUNT\s0\fR flag is set then this value is assumed to be an
-offset into the \fB\s-1ASN1_VALUE\s0\fR structure where a \fB\s-1CRYPTO_REF_COUNT\s0\fR may be
+If the \fBASN1_AFLG_REFCOUNT\fR flag is set then this value is assumed to be an
+offset into the \fBASN1_VALUE\fR structure where a \fBCRYPTO_REF_COUNT\fR may be
found for the purposes of reference counting.
-.IP "\fIref_lock\fR" 4
+.IP \fIref_lock\fR 4
.IX Item "ref_lock"
-If the \fB\s-1ASN1_AFLG_REFCOUNT\s0\fR flag is set then this value is assumed to be an
-offset into the \fB\s-1ASN1_VALUE\s0\fR structure where a \fB\s-1CRYPTO_RWLOCK\s0\fR may be
+If the \fBASN1_AFLG_REFCOUNT\fR flag is set then this value is assumed to be an
+offset into the \fBASN1_VALUE\fR structure where a \fBCRYPTO_RWLOCK\fR may be
found for the purposes of reference counting.
-.IP "\fIasn1_cb\fR" 4
+.IP \fIasn1_cb\fR 4
.IX Item "asn1_cb"
A callback that will be invoked at various points during the processing of
-the the \fB\s-1ASN1_VALLUE\s0\fR. See below for further details.
-.IP "\fIenc_offset\fR" 4
+the \fBASN1_VALUE\fR. See below for further details.
+.IP \fIenc_offset\fR 4
.IX Item "enc_offset"
-Offset into the \fB\s-1ASN1_VALUE\s0\fR object where the original encoding of the object
-will be saved if the \fB\s-1ASN1_AFLG_ENCODING\s0\fR flag has been set.
-.IP "\fIasn1_const_cb\fR" 4
+Offset into the \fBASN1_VALUE\fR object where the original encoding of the object
+will be saved if the \fBASN1_AFLG_ENCODING\fR flag has been set.
+.IP \fIasn1_const_cb\fR 4
.IX Item "asn1_const_cb"
A callback that will be invoked at various points during the processing of
-the the \fB\s-1ASN1_VALLUE\s0\fR. This is used in preference to the \fIasn1_cb\fR callback if
-the \fB\s-1ASN1_AFLG_CONST_CB\s0\fR flag is set. See below for further details.
+the \fBASN1_VALUE\fR. This is used in preference to the \fIasn1_cb\fR callback if
+the \fBASN1_AFLG_CONST_CB\fR flag is set. See below for further details.
.PP
-During the processing of an \fB\s-1ASN1_VALUE\s0\fR object the callbacks set via
+During the processing of an \fBASN1_VALUE\fR object the callbacks set via
\&\fIasn1_cb\fR or \fIasn1_const_cb\fR will be invoked as a result of various events
indicated via the \fIoperation\fR parameter. The value of \fI*in\fR will be the
-\&\fB\s-1ASN1_VALUE\s0\fR object being processed based on the template in \fIit\fR. An
+\&\fBASN1_VALUE\fR object being processed based on the template in \fIit\fR. An
additional operation specific parameter may be passed in \fIexarg\fR. The currently
supported operations are as follows. The callbacks should return a positive
value on success or zero on error, unless otherwise noted below.
-.IP "\fB\s-1ASN1_OP_NEW_PRE\s0\fR" 4
+.IP \fBASN1_OP_NEW_PRE\fR 4
.IX Item "ASN1_OP_NEW_PRE"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-prior to an \fB\s-1ASN1_VALUE\s0\fR object being allocated. The callback may allocate the
-\&\fB\s-1ASN1_VALUE\s0\fR itself and store it in \fI*pval\fR. If it does so it should return 2
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+prior to an \fBASN1_VALUE\fR object being allocated. The callback may allocate the
+\&\fBASN1_VALUE\fR itself and store it in \fI*pval\fR. If it does so it should return 2
from the callback. On error it should return 0.
-.IP "\fB\s-1ASN1_OP_NEW_POST\s0\fR" 4
+.IP \fBASN1_OP_NEW_POST\fR 4
.IX Item "ASN1_OP_NEW_POST"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-after an \fB\s-1ASN1_VALUE\s0\fR object has been allocated. The allocated object is in
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+after an \fBASN1_VALUE\fR object has been allocated. The allocated object is in
\&\fI*pval\fR.
-.IP "\fB\s-1ASN1_OP_FREE_PRE\s0\fR" 4
+.IP \fBASN1_OP_FREE_PRE\fR 4
.IX Item "ASN1_OP_FREE_PRE"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-immediately before an \fB\s-1ASN1_VALUE\s0\fR is freed. If the callback originally
-constructed the \fB\s-1ASN1_VALUE\s0\fR via \fB\s-1ASN1_OP_NEW_PRE\s0\fR then it should free it at
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+immediately before an \fBASN1_VALUE\fR is freed. If the callback originally
+constructed the \fBASN1_VALUE\fR via \fBASN1_OP_NEW_PRE\fR then it should free it at
this point and return 2 from the callback. Otherwise it should return 1 for
success or 0 on error.
-.IP "\fB\s-1ASN1_OP_FREE_POST\s0\fR" 4
+.IP \fBASN1_OP_FREE_POST\fR 4
.IX Item "ASN1_OP_FREE_POST"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-immediately after \fB\s-1ASN1_VALUE\s0\fR sub-structures are freed.
-.IP "\fB\s-1ASN1_OP_D2I_PRE\s0\fR" 4
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+immediately after \fBASN1_VALUE\fR sub-structures are freed.
+.IP \fBASN1_OP_D2I_PRE\fR 4
.IX Item "ASN1_OP_D2I_PRE"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-immediately before a \*(L"d2i\*(R" operation for the \fB\s-1ASN1_VALUE\s0\fR.
-.IP "\fB\s-1ASN1_OP_D2I_POST\s0\fR" 4
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+immediately before a "d2i" operation for the \fBASN1_VALUE\fR.
+.IP \fBASN1_OP_D2I_POST\fR 4
.IX Item "ASN1_OP_D2I_POST"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-immediately after a \*(L"d2i\*(R" operation for the \fB\s-1ASN1_VALUE\s0\fR.
-.IP "\fB\s-1ASN1_OP_I2D_PRE\s0\fR" 4
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+immediately after a "d2i" operation for the \fBASN1_VALUE\fR.
+.IP \fBASN1_OP_I2D_PRE\fR 4
.IX Item "ASN1_OP_I2D_PRE"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-immediately before a \*(L"i2d\*(R" operation for the \fB\s-1ASN1_VALUE\s0\fR.
-.IP "\fB\s-1ASN1_OP_I2D_POST\s0\fR" 4
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+immediately before a "i2d" operation for the \fBASN1_VALUE\fR.
+.IP \fBASN1_OP_I2D_POST\fR 4
.IX Item "ASN1_OP_I2D_POST"
-Invoked when processing a \fB\s-1CHOICE\s0\fR, \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure
-immediately after a \*(L"i2d\*(R" operation for the \fB\s-1ASN1_VALUE\s0\fR.
-.IP "\fB\s-1ASN1_OP_PRINT_PRE\s0\fR" 4
+Invoked when processing a \fBCHOICE\fR, \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure
+immediately after a "i2d" operation for the \fBASN1_VALUE\fR.
+.IP \fBASN1_OP_PRINT_PRE\fR 4
.IX Item "ASN1_OP_PRINT_PRE"
-Invoked when processing a \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure immediately
-before printing the \fB\s-1ASN1_VALUE\s0\fR. The \fIexarg\fR argument will be a pointer to an
-\&\fB\s-1ASN1_PRINT_ARG\s0\fR structure (see below).
-.IP "\fB\s-1ASN1_OP_PRINT_POST\s0\fR" 4
+Invoked when processing a \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure immediately
+before printing the \fBASN1_VALUE\fR. The \fIexarg\fR argument will be a pointer to an
+\&\fBASN1_PRINT_ARG\fR structure (see below).
+.IP \fBASN1_OP_PRINT_POST\fR 4
.IX Item "ASN1_OP_PRINT_POST"
-Invoked when processing a \fB\s-1SEQUENCE\s0\fR or \fB\s-1NDEF_SEQUENCE\s0\fR structure immediately
-after printing the \fB\s-1ASN1_VALUE\s0\fR. The \fIexarg\fR argument will be a pointer to an
-\&\fB\s-1ASN1_PRINT_ARG\s0\fR structure (see below).
-.IP "\fB\s-1ASN1_OP_STREAM_PRE\s0\fR" 4
+Invoked when processing a \fBSEQUENCE\fR or \fBNDEF_SEQUENCE\fR structure immediately
+after printing the \fBASN1_VALUE\fR. The \fIexarg\fR argument will be a pointer to an
+\&\fBASN1_PRINT_ARG\fR structure (see below).
+.IP \fBASN1_OP_STREAM_PRE\fR 4
.IX Item "ASN1_OP_STREAM_PRE"
-Invoked immediately prior to streaming the \fB\s-1ASN1_VALUE\s0\fR data using indefinite
-length encoding. The \fIexarg\fR argument will be a pointer to a \fB\s-1ASN1_STREAM_ARG\s0\fR
+Invoked immediately prior to streaming the \fBASN1_VALUE\fR data using indefinite
+length encoding. The \fIexarg\fR argument will be a pointer to a \fBASN1_STREAM_ARG\fR
structure (see below).
-.IP "\fB\s-1ASN1_OP_STREAM_POST\s0\fR" 4
+.IP \fBASN1_OP_STREAM_POST\fR 4
.IX Item "ASN1_OP_STREAM_POST"
-Invoked immediately after streaming the \fB\s-1ASN1_VALUE\s0\fR data using indefinite
-length encoding. The \fIexarg\fR argument will be a pointer to a \fB\s-1ASN1_STREAM_ARG\s0\fR
+Invoked immediately after streaming the \fBASN1_VALUE\fR data using indefinite
+length encoding. The \fIexarg\fR argument will be a pointer to a \fBASN1_STREAM_ARG\fR
structure (see below).
-.IP "\fB\s-1ASN1_OP_DETACHED_PRE\s0\fR" 4
+.IP \fBASN1_OP_DETACHED_PRE\fR 4
.IX Item "ASN1_OP_DETACHED_PRE"
-Invoked immediately prior to processing the \fB\s-1ASN1_VALUE\s0\fR data as a \*(L"detached\*(R"
-value (as used in \s-1CMS\s0 and \s-1PKCS7\s0). The \fIexarg\fR argument will be a pointer to a
-\&\fB\s-1ASN1_STREAM_ARG\s0\fR structure (see below).
-.IP "\fB\s-1ASN1_OP_DETACHED_POST\s0\fR" 4
+Invoked immediately prior to processing the \fBASN1_VALUE\fR data as a "detached"
+value (as used in CMS and PKCS7). The \fIexarg\fR argument will be a pointer to a
+\&\fBASN1_STREAM_ARG\fR structure (see below).
+.IP \fBASN1_OP_DETACHED_POST\fR 4
.IX Item "ASN1_OP_DETACHED_POST"
-Invoked immediately after processing the \fB\s-1ASN1_VALUE\s0\fR data as a \*(L"detached\*(R"
-value (as used in \s-1CMS\s0 and \s-1PKCS7\s0). The \fIexarg\fR argument will be a pointer to a
-\&\fB\s-1ASN1_STREAM_ARG\s0\fR structure (see below).
-.IP "\fB\s-1ASN1_OP_DUP_PRE\s0\fR" 4
+Invoked immediately after processing the \fBASN1_VALUE\fR data as a "detached"
+value (as used in CMS and PKCS7). The \fIexarg\fR argument will be a pointer to a
+\&\fBASN1_STREAM_ARG\fR structure (see below).
+.IP \fBASN1_OP_DUP_PRE\fR 4
.IX Item "ASN1_OP_DUP_PRE"
-Invoked immediate prior to an \s-1ASN1_VALUE\s0 being duplicated via a call to
+Invoked immediate prior to an ASN1_VALUE being duplicated via a call to
\&\fBASN1_item_dup()\fR.
-.IP "\fB\s-1ASN1_OP_DUP_POST\s0\fR" 4
+.IP \fBASN1_OP_DUP_POST\fR 4
.IX Item "ASN1_OP_DUP_POST"
-Invoked immediate after to an \s-1ASN1_VALUE\s0 has been duplicated via a call to
+Invoked immediate after to an ASN1_VALUE has been duplicated via a call to
\&\fBASN1_item_dup()\fR.
-.IP "\fB\s-1ASN1_OP_GET0_LIBCTX\s0\fR" 4
+.IP \fBASN1_OP_GET0_LIBCTX\fR 4
.IX Item "ASN1_OP_GET0_LIBCTX"
-Invoked in order to obtain the \fB\s-1OSSL_LIB_CTX\s0\fR associated with an \fB\s-1ASN1_VALUE\s0\fR
-if any. A pointer to an \fB\s-1OSSL_LIB_CTX\s0\fR should be stored in \fI*exarg\fR if such
+Invoked in order to obtain the \fBOSSL_LIB_CTX\fR associated with an \fBASN1_VALUE\fR
+if any. A pointer to an \fBOSSL_LIB_CTX\fR should be stored in \fI*exarg\fR if such
a value exists.
-.IP "\fB\s-1ASN1_OP_GET0_PROPQ\s0\fR" 4
+.IP \fBASN1_OP_GET0_PROPQ\fR 4
.IX Item "ASN1_OP_GET0_PROPQ"
Invoked in order to obtain the property query string associated with an
-\&\fB\s-1ASN1_VALUE\s0\fR if any. A pointer to the property query string should be stored in
+\&\fBASN1_VALUE\fR if any. A pointer to the property query string should be stored in
\&\fI*exarg\fR if such a value exists.
.PP
-An \fB\s-1ASN1_PRINT_ARG\s0\fR object is used during processing of \fB\s-1ASN1_OP_PRINT_PRE\s0\fR
-and \fB\s-1ASN1_OP_PRINT_POST\s0\fR callback operations. It contains the following
+An \fBASN1_PRINT_ARG\fR object is used during processing of \fBASN1_OP_PRINT_PRE\fR
+and \fBASN1_OP_PRINT_POST\fR callback operations. It contains the following
information.
-.IP "\fIout\fR" 4
+.IP \fIout\fR 4
.IX Item "out"
-The \fB\s-1BIO\s0\fR being used to print the data out.
-.IP "\fIndef_bio\fR" 4
+The \fBBIO\fR being used to print the data out.
+.IP \fIndef_bio\fR 4
.IX Item "ndef_bio"
The current number of indent spaces that should be used for printing this data.
-.IP "\fIpctx\fR" 4
+.IP \fIpctx\fR 4
.IX Item "pctx"
-The context for the \fB\s-1ASN1_PCTX\s0\fR operation.
+The context for the \fBASN1_PCTX\fR operation.
.PP
-An \fB\s-1ASN1_STREAM_ARG\s0\fR object is used during processing of \fB\s-1ASN1_OP_STREAM_PRE\s0\fR,
-\&\fB\s-1ASN1_OP_STREAM_POST\s0\fR, \fB\s-1ASN1_OP_DETACHED_PRE\s0\fR and \fB\s-1ASN1_OP_DETACHED_POST\s0\fR
+An \fBASN1_STREAM_ARG\fR object is used during processing of \fBASN1_OP_STREAM_PRE\fR,
+\&\fBASN1_OP_STREAM_POST\fR, \fBASN1_OP_DETACHED_PRE\fR and \fBASN1_OP_DETACHED_POST\fR
callback operations. It contains the following information.
-.IP "\fIout\fR" 4
+.IP \fIout\fR 4
.IX Item "out"
-The \fB\s-1BIO\s0\fR to stream through
-.IP "\fIndef_bio\fR" 4
+The \fBBIO\fR to stream through
+.IP \fIndef_bio\fR 4
.IX Item "ndef_bio"
-The \fB\s-1BIO\s0\fR with filters appended
-.IP "\fIboundary\fR" 4
+The \fBBIO\fR with filters appended
+.IP \fIboundary\fR 4
.IX Item "boundary"
The streaming I/O boundary.
.SH "RETURN VALUES"
@@ -352,15 +276,15 @@ require specific positive success values as noted above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBASN1_item_new_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \fBASN1_aux_const_cb()\fR callback and the \fB\s-1ASN1_OP_GET0_LIBCTX\s0\fR and
-\&\fB\s-1ASN1_OP_GET0_PROPQ\s0\fR operation types were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The \fBASN1_aux_const_cb()\fR callback and the \fBASN1_OP_GET0_LIBCTX\fR and
+\&\fBASN1_OP_GET0_PROPQ\fR operation types were added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3
index 0cbbcef69a96..76b831c711b1 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_GENERATE_NCONF 3ossl"
-.TH ASN1_GENERATE_NCONF 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_GENERATE_NCONF 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_generate_nconf, ASN1_generate_v3 \- ASN1 string generation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -146,24 +70,24 @@ ASN1_generate_nconf, ASN1_generate_v3 \- ASN1 string generation functions
\& ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf);
\& ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions generate the \s-1ASN1\s0 encoding of a string
-in an \fB\s-1ASN1_TYPE\s0\fR structure.
+These functions generate the ASN1 encoding of a string
+in an \fBASN1_TYPE\fR structure.
.PP
\&\fIstr\fR contains the string to encode. \fInconf\fR or \fIcnf\fR contains
the optional configuration information where additional strings
will be read from. \fInconf\fR will typically come from a config
file whereas \fIcnf\fR is obtained from an \fBX509V3_CTX\fR structure,
which will typically be used by X509 v3 certificate extension
-functions. \fIcnf\fR or \fInconf\fR can be set to \s-1NULL\s0 if no additional
+functions. \fIcnf\fR or \fInconf\fR can be set to NULL if no additional
configuration will be used.
.SH "GENERATION STRING FORMAT"
.IX Header "GENERATION STRING FORMAT"
The actual data encoded is determined by the string \fIstr\fR and
the configuration information. The general format of the string
is:
-.IP "[\fImodifier\fR,]\fItype\fR[:\fIvalue\fR]" 4
+.IP [\fImodifier\fR,]\fItype\fR[:\fIvalue\fR] 4
.IX Item "[modifier,]type[:value]"
.PP
That is zero or more comma separated modifiers followed by a type
@@ -173,103 +97,103 @@ followed by an optional colon and a value. The formats of \fItype\fR,
.IX Subsection "Supported Types"
The supported types are listed below.
Case is not significant in the type names.
-Unless otherwise specified only the \fB\s-1ASCII\s0\fR format is permissible.
-.IP "\fB\s-1BOOLEAN\s0\fR, \fB\s-1BOOL\s0\fR" 4
+Unless otherwise specified only the \fBASCII\fR format is permissible.
+.IP "\fBBOOLEAN\fR, \fBBOOL\fR" 4
.IX Item "BOOLEAN, BOOL"
This encodes a boolean type. The \fIvalue\fR string is mandatory and
-should be \fB\s-1TRUE\s0\fR or \fB\s-1FALSE\s0\fR. Additionally \fB\s-1TRUE\s0\fR, \fBtrue\fR, \fBY\fR,
-\&\fBy\fR, \fB\s-1YES\s0\fR, \fByes\fR, \fB\s-1FALSE\s0\fR, \fBfalse\fR, \fBN\fR, \fBn\fR, \fB\s-1NO\s0\fR and \fBno\fR
+should be \fBTRUE\fR or \fBFALSE\fR. Additionally \fBTRUE\fR, \fBtrue\fR, \fBY\fR,
+\&\fBy\fR, \fBYES\fR, \fByes\fR, \fBFALSE\fR, \fBfalse\fR, \fBN\fR, \fBn\fR, \fBNO\fR and \fBno\fR
are acceptable.
-.IP "\fB\s-1NULL\s0\fR" 4
+.IP \fBNULL\fR 4
.IX Item "NULL"
-Encode the \fB\s-1NULL\s0\fR type, the \fIvalue\fR string must not be present.
-.IP "\fB\s-1INTEGER\s0\fR, \fB\s-1INT\s0\fR" 4
+Encode the \fBNULL\fR type, the \fIvalue\fR string must not be present.
+.IP "\fBINTEGER\fR, \fBINT\fR" 4
.IX Item "INTEGER, INT"
-Encodes an \s-1ASN1\s0 \fB\s-1INTEGER\s0\fR type. The \fIvalue\fR string represents
+Encodes an ASN1 \fBINTEGER\fR type. The \fIvalue\fR string represents
the value of the integer, it can be prefaced by a minus sign and
is normally interpreted as a decimal value unless the prefix \fB0x\fR
is included.
-.IP "\fB\s-1ENUMERATED\s0\fR, \fB\s-1ENUM\s0\fR" 4
+.IP "\fBENUMERATED\fR, \fBENUM\fR" 4
.IX Item "ENUMERATED, ENUM"
-Encodes the \s-1ASN1\s0 \fB\s-1ENUMERATED\s0\fR type, it is otherwise identical to
-\&\fB\s-1INTEGER\s0\fR.
-.IP "\fB\s-1OBJECT\s0\fR, \fB\s-1OID\s0\fR" 4
+Encodes the ASN1 \fBENUMERATED\fR type, it is otherwise identical to
+\&\fBINTEGER\fR.
+.IP "\fBOBJECT\fR, \fBOID\fR" 4
.IX Item "OBJECT, OID"
-Encodes an \s-1ASN1\s0 \fB\s-1OBJECT IDENTIFIER\s0\fR, the \fIvalue\fR string can be
+Encodes an ASN1 \fBOBJECT IDENTIFIER\fR, the \fIvalue\fR string can be
a short name, a long name or numerical format.
-.IP "\fB\s-1UTCTIME\s0\fR, \fB\s-1UTC\s0\fR" 4
+.IP "\fBUTCTIME\fR, \fBUTC\fR" 4
.IX Item "UTCTIME, UTC"
-Encodes an \s-1ASN1\s0 \fBUTCTime\fR structure, the value should be in
-the format \fB\s-1YYMMDDHHMMSSZ\s0\fR.
-.IP "\fB\s-1GENERALIZEDTIME\s0\fR, \fB\s-1GENTIME\s0\fR" 4
+Encodes an ASN1 \fBUTCTime\fR structure, the value should be in
+the format \fBYYMMDDHHMMSSZ\fR.
+.IP "\fBGENERALIZEDTIME\fR, \fBGENTIME\fR" 4
.IX Item "GENERALIZEDTIME, GENTIME"
-Encodes an \s-1ASN1\s0 \fBGeneralizedTime\fR structure, the value should be in
-the format \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
-.IP "\fB\s-1OCTETSTRING\s0\fR, \fB\s-1OCT\s0\fR" 4
+Encodes an ASN1 \fBGeneralizedTime\fR structure, the value should be in
+the format \fBYYYYMMDDHHMMSSZ\fR.
+.IP "\fBOCTETSTRING\fR, \fBOCT\fR" 4
.IX Item "OCTETSTRING, OCT"
-Encodes an \s-1ASN1\s0 \fB\s-1OCTET STRING\s0\fR. \fIvalue\fR represents the contents
-of this structure, the format strings \fB\s-1ASCII\s0\fR and \fB\s-1HEX\s0\fR can be
+Encodes an ASN1 \fBOCTET STRING\fR. \fIvalue\fR represents the contents
+of this structure, the format strings \fBASCII\fR and \fBHEX\fR can be
used to specify the format of \fIvalue\fR.
-.IP "\fB\s-1BITSTRING\s0\fR, \fB\s-1BITSTR\s0\fR" 4
+.IP "\fBBITSTRING\fR, \fBBITSTR\fR" 4
.IX Item "BITSTRING, BITSTR"
-Encodes an \s-1ASN1\s0 \fB\s-1BIT STRING\s0\fR. \fIvalue\fR represents the contents
-of this structure, the format strings \fB\s-1ASCII\s0\fR, \fB\s-1HEX\s0\fR and \fB\s-1BITLIST\s0\fR
+Encodes an ASN1 \fBBIT STRING\fR. \fIvalue\fR represents the contents
+of this structure, the format strings \fBASCII\fR, \fBHEX\fR and \fBBITLIST\fR
can be used to specify the format of \fIvalue\fR.
.Sp
-If the format is anything other than \fB\s-1BITLIST\s0\fR the number of unused
+If the format is anything other than \fBBITLIST\fR the number of unused
bits is set to zero.
-.IP "\fB\s-1UNIVERSALSTRING\s0\fR, \fB\s-1UNIV\s0\fR, \fB\s-1IA5\s0\fR, \fB\s-1IA5STRING\s0\fR, \fB\s-1UTF8\s0\fR, \fBUTF8String\fR, \fB\s-1BMP\s0\fR, \fB\s-1BMPSTRING\s0\fR, \fB\s-1VISIBLESTRING\s0\fR, \fB\s-1VISIBLE\s0\fR, \fB\s-1PRINTABLESTRING\s0\fR, \fB\s-1PRINTABLE\s0\fR, \fBT61\fR, \fBT61STRING\fR, \fB\s-1TELETEXSTRING\s0\fR, \fBGeneralString\fR, \fB\s-1NUMERICSTRING\s0\fR, \fB\s-1NUMERIC\s0\fR" 4
+.IP "\fBUNIVERSALSTRING\fR, \fBUNIV\fR, \fBIA5\fR, \fBIA5STRING\fR, \fBUTF8\fR, \fBUTF8String\fR, \fBBMP\fR, \fBBMPSTRING\fR, \fBVISIBLESTRING\fR, \fBVISIBLE\fR, \fBPRINTABLESTRING\fR, \fBPRINTABLE\fR, \fBT61\fR, \fBT61STRING\fR, \fBTELETEXSTRING\fR, \fBGeneralString\fR, \fBNUMERICSTRING\fR, \fBNUMERIC\fR" 4
.IX Item "UNIVERSALSTRING, UNIV, IA5, IA5STRING, UTF8, UTF8String, BMP, BMPSTRING, VISIBLESTRING, VISIBLE, PRINTABLESTRING, PRINTABLE, T61, T61STRING, TELETEXSTRING, GeneralString, NUMERICSTRING, NUMERIC"
These encode the corresponding string types. \fIvalue\fR represents the
-contents of this structure. The format can be \fB\s-1ASCII\s0\fR or \fB\s-1UTF8\s0\fR.
-.IP "\fB\s-1SEQUENCE\s0\fR, \fB\s-1SEQ\s0\fR, \fB\s-1SET\s0\fR" 4
+contents of this structure. The format can be \fBASCII\fR or \fBUTF8\fR.
+.IP "\fBSEQUENCE\fR, \fBSEQ\fR, \fBSET\fR" 4
.IX Item "SEQUENCE, SEQ, SET"
-Formats the result as an \s-1ASN1\s0 \fB\s-1SEQUENCE\s0\fR or \fB\s-1SET\s0\fR type. \fIvalue\fR
+Formats the result as an ASN1 \fBSEQUENCE\fR or \fBSET\fR type. \fIvalue\fR
should be a section name which will contain the contents. The
field names in the section are ignored and the values are in the
-generated string format. If \fIvalue\fR is absent then an empty \s-1SEQUENCE\s0
+generated string format. If \fIvalue\fR is absent then an empty SEQUENCE
will be encoded.
-.SS "Modifiers"
+.SS Modifiers
.IX Subsection "Modifiers"
Modifiers affect the following structure, they can be used to
-add \s-1EXPLICIT\s0 or \s-1IMPLICIT\s0 tagging, add wrappers or to change
+add EXPLICIT or IMPLICIT tagging, add wrappers or to change
the string format of the final type and value. The supported
formats are documented below.
-.IP "\fB\s-1EXPLICIT\s0\fR, \fB\s-1EXP\s0\fR" 4
+.IP "\fBEXPLICIT\fR, \fBEXP\fR" 4
.IX Item "EXPLICIT, EXP"
Add an explicit tag to the following structure. This string
should be followed by a colon and the tag value to use as a
decimal value.
.Sp
-By following the number with \fBU\fR, \fBA\fR, \fBP\fR or \fBC\fR \s-1UNIVERSAL,
-APPLICATION, PRIVATE\s0 or \s-1CONTEXT SPECIFIC\s0 tagging can be used,
-the default is \s-1CONTEXT SPECIFIC.\s0
-.IP "\fB\s-1IMPLICIT\s0\fR, \fB\s-1IMP\s0\fR" 4
+By following the number with \fBU\fR, \fBA\fR, \fBP\fR or \fBC\fR UNIVERSAL,
+APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
+the default is CONTEXT SPECIFIC.
+.IP "\fBIMPLICIT\fR, \fBIMP\fR" 4
.IX Item "IMPLICIT, IMP"
-This is the same as \fB\s-1EXPLICIT\s0\fR except \s-1IMPLICIT\s0 tagging is used
+This is the same as \fBEXPLICIT\fR except IMPLICIT tagging is used
instead.
-.IP "\fB\s-1OCTWRAP\s0\fR, \fB\s-1SEQWRAP\s0\fR, \fB\s-1SETWRAP\s0\fR, \fB\s-1BITWRAP\s0\fR" 4
+.IP "\fBOCTWRAP\fR, \fBSEQWRAP\fR, \fBSETWRAP\fR, \fBBITWRAP\fR" 4
.IX Item "OCTWRAP, SEQWRAP, SETWRAP, BITWRAP"
-The following structure is surrounded by an \s-1OCTET STRING,\s0 a \s-1SEQUENCE,\s0
-a \s-1SET\s0 or a \s-1BIT STRING\s0 respectively. For a \s-1BIT STRING\s0 the number of unused
+The following structure is surrounded by an OCTET STRING, a SEQUENCE,
+a SET or a BIT STRING respectively. For a BIT STRING the number of unused
bits is set to zero.
-.IP "\fB\s-1FORMAT\s0\fR" 4
+.IP \fBFORMAT\fR 4
.IX Item "FORMAT"
This specifies the format of the ultimate value. It should be followed
-by a colon and one of the strings \fB\s-1ASCII\s0\fR, \fB\s-1UTF8\s0\fR, \fB\s-1HEX\s0\fR or \fB\s-1BITLIST\s0\fR.
+by a colon and one of the strings \fBASCII\fR, \fBUTF8\fR, \fBHEX\fR or \fBBITLIST\fR.
.Sp
-If no format specifier is included then \fB\s-1ASCII\s0\fR is used. If \fB\s-1UTF8\s0\fR is
-specified then the value string must be a valid \fB\s-1UTF8\s0\fR string. For \fB\s-1HEX\s0\fR the
-output must be a set of hex digits. \fB\s-1BITLIST\s0\fR (which is only valid for a \s-1BIT
-STRING\s0) is a comma separated list of the indices of the set bits, all other
+If no format specifier is included then \fBASCII\fR is used. If \fBUTF8\fR is
+specified then the value string must be a valid \fBUTF8\fR string. For \fBHEX\fR the
+output must be a set of hex digits. \fBBITLIST\fR (which is only valid for a BIT
+STRING) is a comma separated list of the indices of the set bits, all other
bits are zero.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_generate_nconf()\fR and \fBASN1_generate_v3()\fR return the encoded
-data as an \fB\s-1ASN1_TYPE\s0\fR structure or \s-1NULL\s0 if an error occurred.
+data as an \fBASN1_TYPE\fR structure or NULL if an error occurred.
.PP
The error codes that can be obtained by \fBERR_get_error\fR\|(3).
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
A simple IA5String:
.PP
@@ -283,20 +207,20 @@ An IA5String explicitly tagged:
\& EXPLICIT:0,IA5STRING:Hello World
.Ve
.PP
-An IA5String explicitly tagged using \s-1APPLICATION\s0 tagging:
+An IA5String explicitly tagged using APPLICATION tagging:
.PP
.Vb 1
\& EXPLICIT:0A,IA5STRING:Hello World
.Ve
.PP
-A \s-1BITSTRING\s0 with bits 1 and 5 set and all others zero:
+A BITSTRING with bits 1 and 5 set and all others zero:
.PP
.Vb 1
\& FORMAT:BITLIST,BITSTRING:1,5
.Ve
.PP
A more complex example using a config file to produce a
-\&\s-1SEQUENCE\s0 consisting of a \s-1BOOL\s0 an \s-1OID\s0 and a UTF8String:
+SEQUENCE consisting of a BOOL an OID and a UTF8String:
.PP
.Vb 1
\& asn1 = SEQUENCE:seq_section
@@ -370,11 +294,11 @@ structure:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3 b/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3
index 7e2c1e13e3e7..66f98beeac2b 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_item_d2i_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_ITEM_D2I_BIO 3ossl"
-.TH ASN1_ITEM_D2I_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_ITEM_D2I_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_item_d2i_ex, ASN1_item_d2i, ASN1_item_d2i_bio_ex, ASN1_item_d2i_bio,
-ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio
+ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio,
+ASN1_item_pack, ASN1_item_unpack_ex, ASN1_item_unpack
\&\- decode and encode DER\-encoded ASN.1 structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -160,59 +85,85 @@ ASN1_item_d2i_fp_ex, ASN1_item_d2i_fp, ASN1_item_i2d_mem_bio
\& void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
\&
\& BIO *ASN1_item_i2d_mem_bio(const ASN1_ITEM *it, const ASN1_VALUE *val);
+\&
+\& ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct);
+\&
+\& void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it);
+\&
+\& void *ASN1_item_unpack_ex(const ASN1_STRING *oct, const ASN1_ITEM *it,
+\& OSSL_LIB_CTX *libctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBASN1_item_d2i_ex()\fR decodes the contents of the data stored in \fI*in\fR of length
-\&\fIlen\fR which must be a DER-encoded \s-1ASN.1\s0 structure, using the \s-1ASN.1\s0 template
-\&\fIit\fR. It places the result in \fI*pval\fR unless \fIpval\fR is \s-1NULL.\s0 If \fI*pval\fR is
-non-NULL on entry then the \fB\s-1ASN1_VALUE\s0\fR present there will be reused. Otherwise
-a new \fB\s-1ASN1_VALUE\s0\fR will be allocated. If any algorithm fetches are required
-during the process then they will use the \fB\s-1OSSL_LIB_CTX\s0\fRprovided in the
+\&\fIlen\fR which must be a DER-encoded ASN.1 structure, using the ASN.1 template
+\&\fIit\fR. It places the result in \fI*pval\fR unless \fIpval\fR is NULL. If \fI*pval\fR is
+non-NULL on entry then the \fBASN1_VALUE\fR present there will be reused. Otherwise
+a new \fBASN1_VALUE\fR will be allocated. If any algorithm fetches are required
+during the process then they will use the \fBOSSL_LIB_CTX\fRprovided in the
\&\fIlibctx\fR parameter and the property query string in \fIpropq\fR. See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for more information about algorithm fetching.
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more information about algorithm fetching.
On exit \fI*in\fR will be updated to point to the next byte in the buffer after the
decoded structure.
.PP
\&\fBASN1_item_d2i()\fR is the same as \fBASN1_item_d2i_ex()\fR except that the default
-\&\s-1OSSL_LIB_CTX\s0 is used (i.e. \s-1NULL\s0) and with a \s-1NULL\s0 property query string.
+OSSL_LIB_CTX is used (i.e. NULL) and with a NULL property query string.
.PP
-\&\fBASN1_item_d2i_bio_ex()\fR decodes the contents of its input \s-1BIO\s0 \fIin\fR,
-which must be a DER-encoded \s-1ASN.1\s0 structure, using the \s-1ASN.1\s0 template \fIit\fR
-and places the result in \fI*pval\fR unless \fIpval\fR is \s-1NULL.\s0
-If \fIin\fR is \s-1NULL\s0 it returns \s-1NULL,\s0 else a pointer to the parsed structure. If any
+\&\fBASN1_item_d2i_bio_ex()\fR decodes the contents of its input BIO \fIin\fR,
+which must be a DER-encoded ASN.1 structure, using the ASN.1 template \fIit\fR
+and places the result in \fI*pval\fR unless \fIpval\fR is NULL.
+If \fIin\fR is NULL it returns NULL, else a pointer to the parsed structure. If any
algorithm fetches are required during the process then they will use the
-\&\fB\s-1OSSL_LIB_CTX\s0\fR provided in the \fIlibctx\fR parameter and the property query
-string in \fIpropq\fR. See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for more information
+\&\fBOSSL_LIB_CTX\fR provided in the \fIlibctx\fR parameter and the property query
+string in \fIpropq\fR. See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more information
about algorithm fetching.
.PP
\&\fBASN1_item_d2i_bio()\fR is the same as \fBASN1_item_d2i_bio_ex()\fR except that the
-default \fB\s-1OSSL_LIB_CTX\s0\fR is used (i.e. \s-1NULL\s0) and with a \s-1NULL\s0 property query
+default \fBOSSL_LIB_CTX\fR is used (i.e. NULL) and with a NULL property query
string.
.PP
-\&\fBASN1_item_d2i_fp_ex()\fR is the same as \fBASN1_item_d2i_bio_ex()\fR except that a \s-1FILE\s0
-pointer is provided instead of a \s-1BIO.\s0
+\&\fBASN1_item_d2i_fp_ex()\fR is the same as \fBASN1_item_d2i_bio_ex()\fR except that a FILE
+pointer is provided instead of a BIO.
.PP
\&\fBASN1_item_d2i_fp()\fR is the same as \fBASN1_item_d2i_fp_ex()\fR except that the
-default \fB\s-1OSSL_LIB_CTX\s0\fR is used (i.e. \s-1NULL\s0) and with a \s-1NULL\s0 property query
+default \fBOSSL_LIB_CTX\fR is used (i.e. NULL) and with a NULL property query
string.
.PP
-\&\fBASN1_item_i2d_mem_bio()\fR encodes the given \s-1ASN.1\s0 value \fIval\fR
-using the \s-1ASN.1\s0 template \fIit\fR and returns the result in a memory \s-1BIO.\s0
+\&\fBASN1_item_i2d_mem_bio()\fR encodes the given ASN.1 value \fIval\fR
+using the ASN.1 template \fIit\fR and returns the result in a memory BIO.
+.PP
+\&\fBASN1_item_pack()\fR encodes the given ASN.1 value in \fIobj\fR using the
+ASN.1 template \fIit\fR and returns an \fBASN1_STRING\fR object. If the passed in
+\&\fI*oct\fR is not NULL then this is used to store the returned result, otherwise
+a new \fBASN1_STRING\fR object is created. If \fIoct\fR is not NULL and \fI*oct\fR is NULL
+then the returned return is also set into \fI*oct\fR. If there is an error the optional
+passed in \fBASN1_STRING\fR will not be freed, but the previous value may be cleared when
+ASN1_STRING_set0(*oct, NULL, 0) is called internally.
+.PP
+\&\fBASN1_item_unpack()\fR uses \fBASN1_item_d2i()\fR to decode the DER-encoded \fBASN1_STRING\fR
+\&\fIoct\fR using the ASN.1 template \fIit\fR.
+.PP
+\&\fBASN1_item_unpack_ex()\fR is similar to \fBASN1_item_unpack()\fR, but uses \fBASN1_item_d2i_ex()\fR so
+that the \fIlibctx\fR and \fIpropq\fR can be used when doing algorithm fetching.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBASN1_item_d2i_bio()\fR returns a pointer to an \fB\s-1ASN1_VALUE\s0\fR or \s-1NULL.\s0
+\&\fBASN1_item_d2i_bio()\fR, \fBASN1_item_unpack_ex()\fR and \fBASN1_item_unpack()\fR return a pointer to
+an \fBASN1_VALUE\fR or NULL on error.
+.PP
+\&\fBASN1_item_i2d_mem_bio()\fR returns a pointer to a memory BIO or NULL on error.
.PP
-\&\fBASN1_item_i2d_mem_bio()\fR returns a pointer to a memory \s-1BIO\s0 or \s-1NULL\s0 on error.
-.SH "HISTORY"
+\&\fBASN1_item_pack()\fR returns a pointer to an \fBASN1_STRING\fR or NULL on error.
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBASN1_item_d2i_ex()\fR, \fBASN1_item_d2i_bio_ex()\fR, \fBASN1_item_d2i_fp_ex()\fR
and \fBASN1_item_i2d_mem_bio()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The function \fBASN1_item_unpack_ex()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_new.3 b/secure/lib/libcrypto/man/man3/ASN1_item_new.3
index cdbfaa0b7fd5..732019c5d93c 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_item_new.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_item_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_ITEM_NEW 3ossl"
-.TH ASN1_ITEM_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_ITEM_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_item_new_ex, ASN1_item_new
\&\- create new ASN.1 values
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -148,28 +72,28 @@ ASN1_item_new_ex, ASN1_item_new
\& const char *propq);
\& ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBASN1_item_new_ex()\fR creates a new \fB\s-1ASN1_VALUE\s0\fR structure based on the
-\&\fB\s-1ASN1_ITEM\s0\fR template given in the \fIit\fR parameter. If any algorithm fetches are
-required during the process then they will use the \fB\s-1OSSL_LIB_CTX\s0\fR provided in
+\&\fBASN1_item_new_ex()\fR creates a new \fBASN1_VALUE\fR structure based on the
+\&\fBASN1_ITEM\fR template given in the \fIit\fR parameter. If any algorithm fetches are
+required during the process then they will use the \fBOSSL_LIB_CTX\fR provided in
the \fIlibctx\fR parameter and the property query string in \fIpropq\fR. See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for more information about algorithm fetching.
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more information about algorithm fetching.
.PP
\&\fBASN1_item_new()\fR is the same as \fBASN1_item_new_ex()\fR except that the default
-\&\fB\s-1OSSL_LIB_CTX\s0\fR is used (i.e. \s-1NULL\s0) and with a \s-1NULL\s0 property query string.
+\&\fBOSSL_LIB_CTX\fR is used (i.e. NULL) and with a NULL property query string.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_item_new_ex()\fR and \fBASN1_item_new()\fR return a pointer to the newly created
-\&\fB\s-1ASN1_VALUE\s0\fR or \s-1NULL\s0 on error.
-.SH "HISTORY"
+\&\fBASN1_VALUE\fR or NULL on error.
+.SH HISTORY
.IX Header "HISTORY"
The function \fBASN1_item_new_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_item_sign.3 b/secure/lib/libcrypto/man/man3/ASN1_item_sign.3
index 913c5d2516d3..a42a102df3d9 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_item_sign.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_item_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_ITEM_SIGN 3ossl"
-.TH ASN1_ITEM_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASN1_ITEM_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASN1_item_sign, ASN1_item_sign_ex, ASN1_item_sign_ctx,
ASN1_item_verify, ASN1_item_verify_ex, ASN1_item_verify_ctx \-
ASN1 sign and verify
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -172,30 +96,30 @@ ASN1 sign and verify
\& const ASN1_BIT_STRING *signature, const void *data,
\& EVP_MD_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBASN1_item_sign_ex()\fR is used to sign arbitrary \s-1ASN1\s0 data using a data object
-\&\fIdata\fR, the \s-1ASN.1\s0 structure \fIit\fR, private key \fIpkey\fR and message digest \fImd\fR.
+\&\fBASN1_item_sign_ex()\fR is used to sign arbitrary ASN1 data using a data object
+\&\fIdata\fR, the ASN.1 structure \fIit\fR, private key \fIpkey\fR and message digest \fImd\fR.
The data that is signed is formed by taking the data object in \fIdata\fR and
-converting it to der format using the \s-1ASN.1\s0 structure \fIit\fR.
+converting it to der format using the ASN.1 structure \fIit\fR.
The \fIdata\fR that will be signed, and a structure containing the signature may
both have a copy of the \fBX509_ALGOR\fR. The \fBASN1_item_sign_ex()\fR function will
write the correct \fBX509_ALGOR\fR to the structs based on the algorithms and
parameters that have been set up. If one of \fIalgor1\fR or \fIalgor2\fR points to the
\&\fBX509_ALGOR\fR of the \fIdata\fR to be signed, then that \fBX509_ALGOR\fR will first be
written before the signature is generated.
-Examples of valid values that can be used by the \s-1ASN.1\s0 structure \fIit\fR are
+Examples of valid values that can be used by the ASN.1 structure \fIit\fR are
ASN1_ITEM_rptr(X509_CINF), ASN1_ITEM_rptr(X509_REQ_INFO) and
ASN1_ITEM_rptr(X509_CRL_INFO).
-The \fB\s-1OSSL_LIB_CTX\s0\fR specified in \fIlibctx\fR and the property query string
+The \fBOSSL_LIB_CTX\fR specified in \fIlibctx\fR and the property query string
specified in \fIprops\fR are used when searching for algorithms in providers.
The generated signature is set into \fIsignature\fR.
-The optional parameter \fIid\fR can be \s-1NULL,\s0 but can be set for special key types.
+The optional parameter \fIid\fR can be NULL, but can be set for special key types.
See \fBEVP_PKEY_CTX_set1_id()\fR for further info. The output parameters <algor1> and
-\&\fIalgor2\fR are ignored if they are \s-1NULL.\s0
+\&\fIalgor2\fR are ignored if they are NULL.
.PP
\&\fBASN1_item_sign()\fR is similar to \fBASN1_item_sign_ex()\fR but uses default values of
-\&\s-1NULL\s0 for the \fIid\fR, \fIlibctx\fR and \fIpropq\fR.
+NULL for the \fIid\fR, \fIlibctx\fR and \fIpropq\fR.
.PP
\&\fBASN1_item_sign_ctx()\fR is similar to \fBASN1_item_sign()\fR but uses the parameters
contained in digest context \fIctx\fR.
@@ -203,14 +127,14 @@ contained in digest context \fIctx\fR.
\&\fBASN1_item_verify_ex()\fR is used to verify the signature \fIsignature\fR of internal
data \fIdata\fR using the public key \fIpkey\fR and algorithm identifier \fIalg\fR.
The data that is verified is formed by taking the data object in \fIdata\fR and
-converting it to der format using the \s-1ASN.1\s0 structure \fIit\fR.
-The \fB\s-1OSSL_LIB_CTX\s0\fR specified in \fIlibctx\fR and the property query string
+converting it to der format using the ASN.1 structure \fIit\fR.
+The \fBOSSL_LIB_CTX\fR specified in \fIlibctx\fR and the property query string
specified in \fIprops\fR are used when searching for algorithms in providers.
-The optional parameter \fIid\fR can be \s-1NULL,\s0 but can be set for special key types.
+The optional parameter \fIid\fR can be NULL, but can be set for special key types.
See \fBEVP_PKEY_CTX_set1_id()\fR for further info.
.PP
\&\fBASN1_item_verify()\fR is similar to \fBASN1_item_verify_ex()\fR but uses default values of
-\&\s-1NULL\s0 for the \fIid\fR, \fIlibctx\fR and \fIpropq\fR.
+NULL for the \fIid\fR, \fIlibctx\fR and \fIpropq\fR.
.PP
\&\fBASN1_item_verify_ctx()\fR is similar to \fBASN1_item_verify()\fR but uses the parameters
contained in digest context \fIctx\fR.
@@ -222,11 +146,11 @@ zero for failure.
All verify functions return 1 if the signature is valid and 0 if the signature
check fails. If the signature could not be checked at all because it was
ill-formed or some other error occurred then \-1 is returned.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
In the following example a 'MyObject' object is signed using the key contained
-in an \s-1EVP_MD_CTX.\s0 The signature is written to MyObject.signature. The object is
-then output in \s-1DER\s0 format and then loaded back in and verified.
+in an EVP_MD_CTX. The signature is written to MyObject.signature. The object is
+then output in DER format and then loaded back in and verified.
.PP
.Vb 2
\& #include <openssl/x509.h>
@@ -342,14 +266,14 @@ then output in \s-1DER\s0 format and then loaded back in and verified.
.IX Header "SEE ALSO"
\&\fBX509_sign\fR\|(3),
\&\fBX509_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBASN1_item_sign_ex()\fR and \fBASN1_item_verify_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3
index 875e7d1ef64b..4f111fcd7d3d 100644
--- a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASYNC_WAIT_CTX_NEW 3ossl"
-.TH ASYNC_WAIT_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASYNC_WAIT_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd,
ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds,
ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd,
@@ -145,7 +69,7 @@ ASYNC_WAIT_CTX_set_status, ASYNC_WAIT_CTX_get_status, ASYNC_callback_fn,
ASYNC_STATUS_UNSUPPORTED, ASYNC_STATUS_ERR, ASYNC_STATUS_OK,
ASYNC_STATUS_EAGAIN
\&\- functions to manage waiting for asynchronous jobs to complete
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/async.h>
@@ -179,28 +103,28 @@ ASYNC_STATUS_EAGAIN
\& int ASYNC_WAIT_CTX_set_status(ASYNC_WAIT_CTX *ctx, int status);
\& int ASYNC_WAIT_CTX_get_status(ASYNC_WAIT_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
For an overview of how asynchronous operations are implemented in OpenSSL see
-\&\fBASYNC_start_job\fR\|(3). An \fB\s-1ASYNC_WAIT_CTX\s0\fR object represents an asynchronous
-\&\*(L"session\*(R", i.e. a related set of crypto operations. For example in \s-1SSL\s0 terms
-this would have a one-to-one correspondence with an \s-1SSL\s0 connection.
+\&\fBASYNC_start_job\fR\|(3). An \fBASYNC_WAIT_CTX\fR object represents an asynchronous
+"session", i.e. a related set of crypto operations. For example in SSL terms
+this would have a one-to-one correspondence with an SSL connection.
.PP
-Application code must create an \fB\s-1ASYNC_WAIT_CTX\s0\fR using the \fBASYNC_WAIT_CTX_new()\fR
+Application code must create an \fBASYNC_WAIT_CTX\fR using the \fBASYNC_WAIT_CTX_new()\fR
function prior to calling \fBASYNC_start_job()\fR (see \fBASYNC_start_job\fR\|(3)). When
-the job is started it is associated with the \fB\s-1ASYNC_WAIT_CTX\s0\fR for the duration
-of that job. An \fB\s-1ASYNC_WAIT_CTX\s0\fR should only be used for one \fB\s-1ASYNC_JOB\s0\fR at
-any one time, but can be reused after an \fB\s-1ASYNC_JOB\s0\fR has finished for a
-subsequent \fB\s-1ASYNC_JOB\s0\fR. When the session is complete (e.g. the \s-1SSL\s0 connection
+the job is started it is associated with the \fBASYNC_WAIT_CTX\fR for the duration
+of that job. An \fBASYNC_WAIT_CTX\fR should only be used for one \fBASYNC_JOB\fR at
+any one time, but can be reused after an \fBASYNC_JOB\fR has finished for a
+subsequent \fBASYNC_JOB\fR. When the session is complete (e.g. the SSL connection
is closed), application code cleans up with \fBASYNC_WAIT_CTX_free()\fR.
.PP
-\&\fB\s-1ASYNC_WAIT_CTX\s0\fRs can have \*(L"wait\*(R" file descriptors associated with them.
+\&\fBASYNC_WAIT_CTX\fRs can have "wait" file descriptors associated with them.
Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR and passing in a pointer to an
-\&\fB\s-1ASYNC_WAIT_CTX\s0\fR in the \fIctx\fR parameter will return the wait file descriptors
+\&\fBASYNC_WAIT_CTX\fR in the \fIctx\fR parameter will return the wait file descriptors
associated with that job in \fI*fd\fR. The number of file descriptors returned will
be stored in \fI*numfds\fR. It is the caller's responsibility to ensure that
sufficient memory has been allocated in \fI*fd\fR to receive all the file
-descriptors. Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR with a \s-1NULL\s0 \fIfd\fR value will
+descriptors. Calling \fBASYNC_WAIT_CTX_get_all_fds()\fR with a NULL \fIfd\fR value will
return no file descriptors but will still populate \fI*numfds\fR. Therefore,
application code is typically expected to call this function twice: once to get
the number of fds, and then again when sufficient memory has been allocated. If
@@ -209,26 +133,26 @@ ever return one fd. If multiple asynchronous engines are being used then more
could be returned.
.PP
The function \fBASYNC_WAIT_CTX_get_changed_fds()\fR can be used to detect if any fds
-have changed since the last call time \fBASYNC_start_job()\fR returned \fB\s-1ASYNC_PAUSE\s0\fR
-(or since the \fB\s-1ASYNC_WAIT_CTX\s0\fR was created if no \fB\s-1ASYNC_PAUSE\s0\fR result has
+have changed since the last call time \fBASYNC_start_job()\fR returned \fBASYNC_PAUSE\fR
+(or since the \fBASYNC_WAIT_CTX\fR was created if no \fBASYNC_PAUSE\fR result has
been received). The \fInumaddfds\fR and \fInumdelfds\fR parameters will be populated
with the number of fds added or deleted respectively. \fI*addfd\fR and \fI*delfd\fR
will be populated with the list of added and deleted fds respectively. Similarly
-to \fBASYNC_WAIT_CTX_get_all_fds()\fR either of these can be \s-1NULL,\s0 but if they are not
-\&\s-1NULL\s0 then the caller is responsible for ensuring sufficient memory is allocated.
+to \fBASYNC_WAIT_CTX_get_all_fds()\fR either of these can be NULL, but if they are not
+NULL then the caller is responsible for ensuring sufficient memory is allocated.
.PP
Implementers of async aware code (e.g. engines) are encouraged to return a
-stable fd for the lifetime of the \fB\s-1ASYNC_WAIT_CTX\s0\fR in order to reduce the
-\&\*(L"churn\*(R" of regularly changing fds \- although no guarantees of this are provided
+stable fd for the lifetime of the \fBASYNC_WAIT_CTX\fR in order to reduce the
+"churn" of regularly changing fds \- although no guarantees of this are provided
to applications.
.PP
-Applications can wait for the file descriptor to be ready for \*(L"read\*(R" using a
-system function call such as select or poll (being ready for \*(L"read\*(R" indicates
+Applications can wait for the file descriptor to be ready for "read" using a
+system function call such as select or poll (being ready for "read" indicates
that the job should be resumed). If no file descriptor is made available then an
-application will have to periodically \*(L"poll\*(R" the job by attempting to restart it
+application will have to periodically "poll" the job by attempting to restart it
to see if it is ready to continue.
.PP
-Async aware code (e.g. engines) can get the current \fB\s-1ASYNC_WAIT_CTX\s0\fR from the
+Async aware code (e.g. engines) can get the current \fBASYNC_WAIT_CTX\fR from the
job via \fBASYNC_get_wait_ctx\fR\|(3) and provide a file descriptor to use for
waiting on by calling \fBASYNC_WAIT_CTX_set_wait_fd()\fR. Typically this would be done
by an engine immediately prior to calling \fBASYNC_pause_job()\fR and not by end user
@@ -236,29 +160,29 @@ code. An existing association with a file descriptor can be obtained using
\&\fBASYNC_WAIT_CTX_get_fd()\fR and cleared using \fBASYNC_WAIT_CTX_clear_fd()\fR. Both of
these functions requires a \fIkey\fR value which is unique to the async aware
code. This could be any unique value but a good candidate might be the
-\&\fB\s-1ENGINE\s0 *\fR for the engine. The \fIcustom_data\fR parameter can be any value, and
+\&\fBENGINE *\fR for the engine. The \fIcustom_data\fR parameter can be any value, and
will be returned in a subsequent call to \fBASYNC_WAIT_CTX_get_fd()\fR. The
-\&\fBASYNC_WAIT_CTX_set_wait_fd()\fR function also expects a pointer to a \*(L"cleanup\*(R"
-routine. This can be \s-1NULL\s0 but if provided will automatically get called when
-the \fB\s-1ASYNC_WAIT_CTX\s0\fR is freed, and gives the engine the opportunity to close
-the fd or any other resources. Note: The \*(L"cleanup\*(R" routine does not get called
+\&\fBASYNC_WAIT_CTX_set_wait_fd()\fR function also expects a pointer to a "cleanup"
+routine. This can be NULL but if provided will automatically get called when
+the \fBASYNC_WAIT_CTX\fR is freed, and gives the engine the opportunity to close
+the fd or any other resources. Note: The "cleanup" routine does not get called
if the fd is cleared directly via a call to \fBASYNC_WAIT_CTX_clear_fd()\fR.
.PP
An example of typical usage might be an async capable engine. User code would
initiate cryptographic operations. The engine would initiate those operations
asynchronously and then call \fBASYNC_WAIT_CTX_set_wait_fd()\fR followed by
\&\fBASYNC_pause_job()\fR to return control to the user code. The user code can then
-perform other tasks or wait for the job to be ready by calling \*(L"select\*(R" or other
+perform other tasks or wait for the job to be ready by calling "select" or other
similar function on the wait file descriptor. The engine can signal to the user
code that the job should be resumed by making the wait file descriptor
-\&\*(L"readable\*(R". Once resumed the engine should clear the wake signal on the wait
+"readable". Once resumed the engine should clear the wake signal on the wait
file descriptor.
.PP
As well as a file descriptor, user code may also be notified via a callback. The
-callback and data pointers are stored within the \fB\s-1ASYNC_WAIT_CTX\s0\fR along with an
+callback and data pointers are stored within the \fBASYNC_WAIT_CTX\fR along with an
additional status field that can be used for the notification of retries from an
engine. This additional method can be used when the user thinks that a file
-descriptor is too costly in terms of \s-1CPU\s0 cycles or in some context where a file
+descriptor is too costly in terms of CPU cycles or in some context where a file
descriptor is not appropriate.
.PP
\&\fBASYNC_WAIT_CTX_set_callback()\fR sets the callback and the callback argument. The
@@ -267,31 +191,31 @@ cryptography operation. It is a requirement that the callback function is small
and nonblocking as it will be run in the context of a polling mechanism or an
interrupt.
.PP
-\&\fBASYNC_WAIT_CTX_get_callback()\fR returns the callback set in the \fB\s-1ASYNC_WAIT_CTX\s0\fR
+\&\fBASYNC_WAIT_CTX_get_callback()\fR returns the callback set in the \fBASYNC_WAIT_CTX\fR
structure.
.PP
\&\fBASYNC_WAIT_CTX_set_status()\fR allows an engine to set the current engine status.
The possible status values are the following:
-.IP "\fB\s-1ASYNC_STATUS_UNSUPPORTED\s0\fR" 4
+.IP \fBASYNC_STATUS_UNSUPPORTED\fR 4
.IX Item "ASYNC_STATUS_UNSUPPORTED"
The engine does not support the callback mechanism. This is the default value.
The engine must call \fBASYNC_WAIT_CTX_set_status()\fR to set the status to some value
-other than \fB\s-1ASYNC_STATUS_UNSUPPORTED\s0\fR if it intends to enable the callback
+other than \fBASYNC_STATUS_UNSUPPORTED\fR if it intends to enable the callback
mechanism.
-.IP "\fB\s-1ASYNC_STATUS_ERR\s0\fR" 4
+.IP \fBASYNC_STATUS_ERR\fR 4
.IX Item "ASYNC_STATUS_ERR"
The engine has a fatal problem with this request. The user code should clean up
this session.
-.IP "\fB\s-1ASYNC_STATUS_OK\s0\fR" 4
+.IP \fBASYNC_STATUS_OK\fR 4
.IX Item "ASYNC_STATUS_OK"
The request has been successfully submitted.
-.IP "\fB\s-1ASYNC_STATUS_EAGAIN\s0\fR" 4
+.IP \fBASYNC_STATUS_EAGAIN\fR 4
.IX Item "ASYNC_STATUS_EAGAIN"
The engine has some problem which will be recovered soon, such as a buffer is
full, so user code should resume the job.
.PP
\&\fBASYNC_WAIT_CTX_get_status()\fR allows user code to obtain the current status value.
-If the status is any value other than \fB\s-1ASYNC_STATUS_OK\s0\fR then the user code
+If the status is any value other than \fBASYNC_STATUS_OK\fR then the user code
should not expect to receive a callback from the engine even if one has been
set.
.PP
@@ -303,17 +227,20 @@ that, user code can perform other tasks. When the hardware completes the
operation, normally it is detected by a polling function or an interrupt, as the
user code set a callback by calling \fBASYNC_WAIT_CTX_set_callback()\fR previously,
then the registered callback will be called.
+.PP
+\&\fBASYNC_WAIT_CTX_free()\fR frees up a single \fBASYNC_WAIT_CTX\fR object.
+If the argument is NULL, nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBASYNC_WAIT_CTX_new()\fR returns a pointer to the newly allocated \fB\s-1ASYNC_WAIT_CTX\s0\fR
-or \s-1NULL\s0 on error.
+\&\fBASYNC_WAIT_CTX_new()\fR returns a pointer to the newly allocated \fBASYNC_WAIT_CTX\fR
+or NULL on error.
.PP
ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds,
ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd,
ASYNC_WAIT_CTX_set_callback, ASYNC_WAIT_CTX_get_callback and
ASYNC_WAIT_CTX_set_status all return 1 on success or 0 on error.
\&\fBASYNC_WAIT_CTX_get_status()\fR returns the engine status.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some
of the types customarily made available by including \fI<windows.h>\fR. The
@@ -324,7 +251,7 @@ it is defined as an application developer's responsibility to include
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBASYNC_start_job\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBASYNC_WAIT_CTX_new()\fR, \fBASYNC_WAIT_CTX_free()\fR, \fBASYNC_WAIT_CTX_set_wait_fd()\fR,
\&\fBASYNC_WAIT_CTX_get_fd()\fR, \fBASYNC_WAIT_CTX_get_all_fds()\fR,
@@ -334,11 +261,11 @@ were added in OpenSSL 1.1.0.
\&\fBASYNC_WAIT_CTX_set_callback()\fR, \fBASYNC_WAIT_CTX_get_callback()\fR,
\&\fBASYNC_WAIT_CTX_set_status()\fR, and \fBASYNC_WAIT_CTX_get_status()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3
index bc05f0a9e957..0dcc0036ea5d 100644
--- a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3
+++ b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASYNC_START_JOB 3ossl"
-.TH ASYNC_START_JOB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ASYNC_START_JOB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ASYNC_get_wait_ctx,
ASYNC_init_thread, ASYNC_cleanup_thread, ASYNC_start_job, ASYNC_pause_job,
-ASYNC_get_current_job, ASYNC_block_pause, ASYNC_unblock_pause, ASYNC_is_capable
+ASYNC_get_current_job, ASYNC_block_pause, ASYNC_unblock_pause, ASYNC_is_capable,
+ASYNC_stack_alloc_fn, ASYNC_stack_free_fn, ASYNC_set_mem_functions, ASYNC_get_mem_functions
\&\- asynchronous job management functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/async.h>
@@ -159,15 +84,23 @@ ASYNC_get_current_job, ASYNC_block_pause, ASYNC_unblock_pause, ASYNC_is_capable
\& void ASYNC_unblock_pause(void);
\&
\& int ASYNC_is_capable(void);
+\&
+\& typedef void *(*ASYNC_stack_alloc_fn)(size_t *num);
+\& typedef void (*ASYNC_stack_free_fn)(void *addr);
+\& int ASYNC_set_mem_functions(ASYNC_stack_alloc_fn alloc_fn,
+\& ASYNC_stack_free_fn free_fn);
+\& void ASYNC_get_mem_functions(ASYNC_stack_alloc_fn *alloc_fn,
+\& ASYNC_stack_free_fn *free_fn);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-OpenSSL implements asynchronous capabilities through an \fB\s-1ASYNC_JOB\s0\fR. This
+OpenSSL implements asynchronous capabilities through an \fBASYNC_JOB\fR. This
represents code that can be started and executes until some event occurs. At
that point the code can be paused and control returns to user code until some
-subsequent event indicates that the job can be resumed.
+subsequent event indicates that the job can be resumed. It's OpenSSL
+specific implementation of cooperative multitasking.
.PP
-The creation of an \fB\s-1ASYNC_JOB\s0\fR is a relatively expensive operation. Therefore,
+The creation of an \fBASYNC_JOB\fR is a relatively expensive operation. Therefore,
for efficiency reasons, jobs can be created up front and reused many times. They
are held in a pool until they are needed, at which point they are removed from
the pool, used, and then returned to the pool when the job completes. If the
@@ -179,73 +112,76 @@ initiated by using \fBASYNC_cleanup_thread()\fR. No asynchronous jobs must be
outstanding for the thread when \fBASYNC_cleanup_thread()\fR is called. Failing to
ensure this will result in memory leaks.
.PP
-The \fImax_size\fR argument limits the number of \fB\s-1ASYNC_JOB\s0\fRs that will be held in
+The \fImax_size\fR argument limits the number of \fBASYNC_JOB\fRs that will be held in
the pool. If \fImax_size\fR is set to 0 then no upper limit is set. When an
-\&\fB\s-1ASYNC_JOB\s0\fR is needed but there are none available in the pool already then one
-will be automatically created, as long as the total of \fB\s-1ASYNC_JOB\s0\fRs managed by
+\&\fBASYNC_JOB\fR is needed but there are none available in the pool already then one
+will be automatically created, as long as the total of \fBASYNC_JOB\fRs managed by
the pool does not exceed \fImax_size\fR. When the pool is first initialised
-\&\fIinit_size\fR \fB\s-1ASYNC_JOB\s0\fRs will be created immediately. If \fBASYNC_init_thread()\fR
+\&\fIinit_size\fR \fBASYNC_JOB\fRs will be created immediately. If \fBASYNC_init_thread()\fR
is not called before the pool is first used then it will be called automatically
with a \fImax_size\fR of 0 (no upper limit) and an \fIinit_size\fR of 0 (no
-\&\fB\s-1ASYNC_JOB\s0\fRs created up front).
+\&\fBASYNC_JOB\fRs created up front).
.PP
An asynchronous job is started by calling the \fBASYNC_start_job()\fR function.
-Initially \fI*job\fR should be \s-1NULL.\s0 \fIctx\fR should point to an \fB\s-1ASYNC_WAIT_CTX\s0\fR
+Initially \fI*job\fR should be NULL. \fIctx\fR should point to an \fBASYNC_WAIT_CTX\fR
object created through the \fBASYNC_WAIT_CTX_new\fR\|(3) function. \fIret\fR should
point to a location where the return value of the asynchronous function should
be stored on completion of the job. \fIfunc\fR represents the function that should
be started asynchronously. The data pointed to by \fIargs\fR and of size \fIsize\fR
will be copied and then passed as an argument to \fIfunc\fR when the job starts.
ASYNC_start_job will return one of the following values:
-.IP "\fB\s-1ASYNC_ERR\s0\fR" 4
+.IP \fBASYNC_ERR\fR 4
.IX Item "ASYNC_ERR"
An error occurred trying to start the job. Check the OpenSSL error queue (e.g.
see \fBERR_print_errors\fR\|(3)) for more details.
-.IP "\fB\s-1ASYNC_NO_JOBS\s0\fR" 4
+.IP \fBASYNC_NO_JOBS\fR 4
.IX Item "ASYNC_NO_JOBS"
There are no jobs currently available in the pool. This call can be retried
again at a later time.
-.IP "\fB\s-1ASYNC_PAUSE\s0\fR" 4
+.IP \fBASYNC_PAUSE\fR 4
.IX Item "ASYNC_PAUSE"
-The job was successfully started but was \*(L"paused\*(R" before it completed (see
+The job was successfully started but was "paused" before it completed (see
\&\fBASYNC_pause_job()\fR below). A handle to the job is placed in \fI*job\fR. Other work
can be performed (if desired) and the job restarted at a later time. To restart
a job call \fBASYNC_start_job()\fR again passing the job handle in \fI*job\fR. The
\&\fIfunc\fR, \fIargs\fR and \fIsize\fR parameters will be ignored when restarting a job.
When restarting a job \fBASYNC_start_job()\fR \fBmust\fR be called from the same thread
-that the job was originally started from.
-.IP "\fB\s-1ASYNC_FINISH\s0\fR" 4
+that the job was originally started from. \fBASYNC_WAIT_CTX\fR is used to
+know when a job is ready to be restarted.
+.IP \fBASYNC_FINISH\fR 4
.IX Item "ASYNC_FINISH"
-The job completed. \fI*job\fR will be \s-1NULL\s0 and the return value from \fIfunc\fR will
+The job completed. \fI*job\fR will be NULL and the return value from \fIfunc\fR will
be placed in \fI*ret\fR.
.PP
At any one time there can be a maximum of one job actively running per thread
(you can have many that are paused). \fBASYNC_get_current_job()\fR can be used to get
-a pointer to the currently executing \fB\s-1ASYNC_JOB\s0\fR. If no job is currently
-executing then this will return \s-1NULL.\s0
+a pointer to the currently executing \fBASYNC_JOB\fR. If no job is currently
+executing then this will return NULL.
.PP
If executing within the context of a job (i.e. having been called directly or
-indirectly by the function \*(L"func\*(R" passed as an argument to \fBASYNC_start_job()\fR)
+indirectly by the function "func" passed as an argument to \fBASYNC_start_job()\fR)
then \fBASYNC_pause_job()\fR will immediately return control to the calling
-application with \fB\s-1ASYNC_PAUSE\s0\fR returned from the \fBASYNC_start_job()\fR call. A
-subsequent call to ASYNC_start_job passing in the relevant \fB\s-1ASYNC_JOB\s0\fR in the
+application with \fBASYNC_PAUSE\fR returned from the \fBASYNC_start_job()\fR call. A
+subsequent call to ASYNC_start_job passing in the relevant \fBASYNC_JOB\fR in the
\&\fI*job\fR parameter will resume execution from the \fBASYNC_pause_job()\fR call. If
\&\fBASYNC_pause_job()\fR is called whilst not within the context of a job then no
action is taken and \fBASYNC_pause_job()\fR returns immediately.
.PP
-\&\fBASYNC_get_wait_ctx()\fR can be used to get a pointer to the \fB\s-1ASYNC_WAIT_CTX\s0\fR
-for the \fIjob\fR. \fB\s-1ASYNC_WAIT_CTX\s0\fRs contain two different ways to notify
-applications that a job is ready to be resumed. One is a \*(L"wait\*(R" file
-descriptor, and the other is a \*(L"callback\*(R" mechanism.
+\&\fBASYNC_get_wait_ctx()\fR can be used to get a pointer to the \fBASYNC_WAIT_CTX\fR
+for the \fIjob\fR (see \fBASYNC_WAIT_CTX_new\fR\|(3)).
+\&\fBASYNC_WAIT_CTX\fRs contain two different ways to notify
+applications that a job is ready to be resumed. One is a "wait" file
+descriptor, and the other is a "callback" mechanism.
.PP
-The \*(L"wait\*(R" file descriptor associated with \fB\s-1ASYNC_WAIT_CTX\s0\fR is used for
-applications to wait for the file descriptor to be ready for \*(L"read\*(R" using a
-system function call such as select or poll (being ready for \*(L"read\*(R" indicates
+The "wait" file descriptor associated with \fBASYNC_WAIT_CTX\fR is used for
+applications to wait for the file descriptor to be ready for "read" using a
+system function call such as \fBselect\fR\|(2) or \fBpoll\fR\|(2) (being ready for "read"
+indicates
that the job should be resumed). If no file descriptor is made available then
-an application will have to periodically \*(L"poll\*(R" the job by attempting to restart
+an application will have to periodically "poll" the job by attempting to restart
it to see if it is ready to continue.
.PP
-\&\fB\s-1ASYNC_WAIT_CTX\s0\fRs also have a \*(L"callback\*(R" mechanism to notify applications. The
+\&\fBASYNC_WAIT_CTX\fRs also have a "callback" mechanism to notify applications. The
callback is set by an application, and it will be automatically called when an
engine completes a cryptography operation, so that the application can resume
the paused work flow without polling. An engine could be written to look whether
@@ -261,10 +197,10 @@ pausing. The block will remain in place until a subsequent call to
\&\fBASYNC_block_pause()\fR twice then you must call \fBASYNC_unblock_pause()\fR twice in
order to re-enable pausing. If these functions are called while there is no
currently active job then they have no effect. This functionality can be useful
-to avoid deadlock scenarios. For example during the execution of an \fB\s-1ASYNC_JOB\s0\fR
+to avoid deadlock scenarios. For example during the execution of an \fBASYNC_JOB\fR
an application acquires a lock. It then calls some cryptographic function which
invokes \fBASYNC_pause_job()\fR. This returns control back to the code that created
-the \fB\s-1ASYNC_JOB\s0\fR. If that code then attempts to acquire the same lock before
+the \fBASYNC_JOB\fR. If that code then attempts to acquire the same lock before
resuming the original job then a deadlock can occur. By calling
\&\fBASYNC_block_pause()\fR immediately after acquiring the lock and
\&\fBASYNC_unblock_pause()\fR immediately before releasing it then this situation cannot
@@ -272,25 +208,37 @@ occur.
.PP
Some platforms cannot support async operations. The \fBASYNC_is_capable()\fR function
can be used to detect whether the current platform is async capable or not.
+.PP
+Custom memory allocation functions are supported for the POSIX platform.
+Custom memory allocation functions allow alternative methods of allocating
+stack memory such as mmap, or using stack memory from the current thread.
+Using an ASYNC_stack_alloc_fn callback also allows manipulation of the stack
+size, which defaults to 32k.
+The stack size can be altered by allocating a stack of a size different to
+the requested size, and passing back the new stack size in the callback's \fI*num\fR
+parameter.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
ASYNC_init_thread returns 1 on success or 0 otherwise.
.PP
-ASYNC_start_job returns one of \fB\s-1ASYNC_ERR\s0\fR, \fB\s-1ASYNC_NO_JOBS\s0\fR, \fB\s-1ASYNC_PAUSE\s0\fR or
-\&\fB\s-1ASYNC_FINISH\s0\fR as described above.
+ASYNC_start_job returns one of \fBASYNC_ERR\fR, \fBASYNC_NO_JOBS\fR, \fBASYNC_PAUSE\fR or
+\&\fBASYNC_FINISH\fR as described above.
.PP
ASYNC_pause_job returns 0 if an error occurred or 1 on success. If called when
-not within the context of an \fB\s-1ASYNC_JOB\s0\fR then this is counted as success so 1
+not within the context of an \fBASYNC_JOB\fR then this is counted as success so 1
is returned.
.PP
-ASYNC_get_current_job returns a pointer to the currently executing \fB\s-1ASYNC_JOB\s0\fR
-or \s-1NULL\s0 if not within the context of a job.
+ASYNC_get_current_job returns a pointer to the currently executing \fBASYNC_JOB\fR
+or NULL if not within the context of a job.
.PP
-\&\fBASYNC_get_wait_ctx()\fR returns a pointer to the \fB\s-1ASYNC_WAIT_CTX\s0\fR for the job.
+\&\fBASYNC_get_wait_ctx()\fR returns a pointer to the \fBASYNC_WAIT_CTX\fR for the job.
.PP
\&\fBASYNC_is_capable()\fR returns 1 if the current platform is async capable or 0
otherwise.
-.SH "NOTES"
+.PP
+ASYNC_set_mem_functions returns 1 if custom stack allocators are supported by
+the current platform and no allocations have already occurred or 0 otherwise.
+.SH NOTES
.IX Header "NOTES"
On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some
of the types customarily made available by including \fI<windows.h>\fR. The
@@ -298,7 +246,7 @@ application developer is likely to require control over when the latter
is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
\&\fI<windows.h>\fR prior to \fI<openssl/async.h>\fR.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The following example demonstrates how to use most of the core async APIs:
.PP
@@ -341,6 +289,13 @@ The following example demonstrates how to use most of the core async APIs:
\& msg = (unsigned char *)arg;
\& printf("Passed in message is: %s\en", msg);
\&
+\& /*
+\& * Create a way to inform the calling thread when this job is ready
+\& * to resume, in this example we\*(Aqre using file descriptors.
+\& * For offloading the task to an asynchronous ENGINE it\*(Aqs not necessary,
+\& * the ENGINE should handle that internally.
+\& */
+\&
\& if (pipe(pipefds) != 0) {
\& printf("Failed to create pipe\en");
\& return 0;
@@ -355,17 +310,23 @@ The following example demonstrates how to use most of the core async APIs:
\& pipefds[0], wptr, cleanup);
\&
\& /*
-\& * Normally some external event would cause this to happen at some
+\& * Normally some external event (like a network read being ready,
+\& * disk access being finished, or some hardware offload operation
+\& * completing) would cause this to happen at some
\& * later point \- but we do it here for demo purposes, i.e.
\& * immediately signalling that the job is ready to be woken up after
\& * we return to main via ASYNC_pause_job().
\& */
\& write(pipefds[1], &buf, 1);
\&
-\& /* Return control back to main */
+\& /*
+\& * Return control back to main just before calling a blocking
+\& * method. The main thread will wait until pipefds[0] is ready
+\& * for reading before returning control to this thread.
+\& */
\& ASYNC_pause_job();
\&
-\& /* Clear the wake signal */
+\& /* Perform the blocking call (it won\*(Aqt block with this example code) */
\& read(pipefds[0], &buf, 1);
\&
\& printf ("Resumed the job after a pause\en");
@@ -405,7 +366,9 @@ The following example demonstrates how to use most of the core async APIs:
\& goto end;
\& }
\&
-\& /* Wait for the job to be woken */
+\& /* Get the file descriptor we can use to wait for the job
+\& * to be ready to be woken up
+\& */
\& printf("Waiting for the job to be woken up\en");
\&
\& if (!ASYNC_WAIT_CTX_get_all_fds(ctx, NULL, &numfds)
@@ -416,6 +379,8 @@ The following example demonstrates how to use most of the core async APIs:
\& ASYNC_WAIT_CTX_get_all_fds(ctx, &waitfd, &numfds);
\& FD_ZERO(&waitfdset);
\& FD_SET(waitfd, &waitfdset);
+\&
+\& /* Wait for the job to be ready for wakeup */
\& select(waitfd + 1, &waitfdset, NULL, NULL, NULL);
\& }
\&
@@ -442,17 +407,19 @@ The expected output from executing the above example program is:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBERR_print_errors\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
ASYNC_init_thread, ASYNC_cleanup_thread,
ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, \fBASYNC_get_wait_ctx()\fR,
\&\fBASYNC_block_pause()\fR, \fBASYNC_unblock_pause()\fR and \fBASYNC_is_capable()\fR were first
added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+\&\fBASYNC_set_mem_functions()\fR, \fBASYNC_get_mem_functions()\fR were added
+in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BF_encrypt.3 b/secure/lib/libcrypto/man/man3/BF_encrypt.3
index 852362bc6428..9af8662b7420 100644
--- a/secure/lib/libcrypto/man/man3/BF_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/BF_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BF_ENCRYPT 3ossl"
-.TH BF_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BF_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt,
BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options \- Blowfish encryption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/blowfish.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -168,7 +92,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& void BF_encrypt(BF_LONG *data, const BF_KEY *key);
\& void BF_decrypt(BF_LONG *data, const BF_KEY *key);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. Applications should
instead use \fBEVP_EncryptInit_ex\fR\|(3), \fBEVP_EncryptUpdate\fR\|(3) and
@@ -180,20 +104,20 @@ by Counterpane (see http://www.counterpane.com/blowfish.html ).
Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
It uses a variable size key, but typically, 128 bit (16 byte) keys are
considered good for strong encryption. Blowfish can be used in the same
-modes as \s-1DES\s0 (see \fBdes_modes\fR\|(7)). Blowfish is currently one
-of the faster block ciphers. It is quite a bit faster than \s-1DES,\s0 and much
-faster than \s-1IDEA\s0 or \s-1RC2.\s0
+modes as DES (see \fBdes_modes\fR\|(7)). Blowfish is currently one
+of the faster block ciphers. It is quite a bit faster than DES, and much
+faster than IDEA or RC2.
.PP
Blowfish consists of a key setup phase and the actual encryption or decryption
phase.
.PP
-\&\fBBF_set_key()\fR sets up the \fB\s-1BF_KEY\s0\fR \fBkey\fR using the \fBlen\fR bytes long key
+\&\fBBF_set_key()\fR sets up the \fBBF_KEY\fR \fBkey\fR using the \fBlen\fR bytes long key
at \fBdata\fR.
.PP
\&\fBBF_ecb_encrypt()\fR is the basic Blowfish encryption and decryption function.
It encrypts or decrypts the first 64 bits of \fBin\fR using the key \fBkey\fR,
-putting the result in \fBout\fR. \fBenc\fR decides if encryption (\fB\s-1BF_ENCRYPT\s0\fR)
-or decryption (\fB\s-1BF_DECRYPT\s0\fR) shall be performed. The vector pointed at by
+putting the result in \fBout\fR. \fBenc\fR decides if encryption (\fBBF_ENCRYPT\fR)
+or decryption (\fBBF_DECRYPT\fR) shall be performed. The vector pointed at by
\&\fBin\fR and \fBout\fR must be 64 bits in length, no less. If they are larger,
everything after the first 64 bits is ignored.
.PP
@@ -202,7 +126,7 @@ all operate on variable length data. They all take an initialization vector
\&\fBivec\fR which needs to be passed along into the next call of the same function
for the same message. \fBivec\fR may be initialized with anything, but the
recipient needs to know what it was initialized with, or it won't be able
-to decrypt. Some programs and protocols simplify this, like \s-1SSH,\s0 where
+to decrypt. Some programs and protocols simplify this, like SSH, where
\&\fBivec\fR is simply initialized to zero.
\&\fBBF_cbc_encrypt()\fR operates on data that is a multiple of 8 bytes long, while
\&\fBBF_cfb64_encrypt()\fR and \fBBF_ofb64_encrypt()\fR are used to encrypt a variable
@@ -214,18 +138,18 @@ to zero when \fBivec\fR is initialized.
.PP
\&\fBBF_cbc_encrypt()\fR is the Cipher Block Chaining function for Blowfish. It
encrypts or decrypts the 64 bits chunks of \fBin\fR using the key \fBschedule\fR,
-putting the result in \fBout\fR. \fBenc\fR decides if encryption (\s-1BF_ENCRYPT\s0) or
-decryption (\s-1BF_DECRYPT\s0) shall be performed. \fBivec\fR must point at an 8 byte
+putting the result in \fBout\fR. \fBenc\fR decides if encryption (BF_ENCRYPT) or
+decryption (BF_DECRYPT) shall be performed. \fBivec\fR must point at an 8 byte
long initialization vector.
.PP
-\&\fBBF_cfb64_encrypt()\fR is the \s-1CFB\s0 mode for Blowfish with 64 bit feedback.
+\&\fBBF_cfb64_encrypt()\fR is the CFB mode for Blowfish with 64 bit feedback.
It encrypts or decrypts the bytes in \fBin\fR using the key \fBschedule\fR,
-putting the result in \fBout\fR. \fBenc\fR decides if encryption (\fB\s-1BF_ENCRYPT\s0\fR)
-or decryption (\fB\s-1BF_DECRYPT\s0\fR) shall be performed. \fBivec\fR must point at an
+putting the result in \fBout\fR. \fBenc\fR decides if encryption (\fBBF_ENCRYPT\fR)
+or decryption (\fBBF_DECRYPT\fR) shall be performed. \fBivec\fR must point at an
8 byte long initialization vector. \fBnum\fR must point at an integer which must
be initially zero.
.PP
-\&\fBBF_ofb64_encrypt()\fR is the \s-1OFB\s0 mode for Blowfish with 64 bit feedback.
+\&\fBBF_ofb64_encrypt()\fR is the OFB mode for Blowfish with 64 bit feedback.
It uses the same parameters as \fBBF_cfb64_encrypt()\fR, which must be initialized
the same way.
.PP
@@ -239,7 +163,7 @@ platforms and big-endian on big-endian ones.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
None of the functions presented here return any value.
-.SH "NOTE"
+.SH NOTE
.IX Header "NOTE"
Applications should use the higher level functions
\&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these
@@ -248,14 +172,14 @@ functions directly.
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBdes_modes\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDR.3 b/secure/lib/libcrypto/man/man3/BIO_ADDR.3
index a6aa0110a7f7..380d4a7ac937 100644
--- a/secure/lib/libcrypto/man/man3/BIO_ADDR.3
+++ b/secure/lib/libcrypto/man/man3/BIO_ADDR.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_ADDR 3ossl"
-.TH BIO_ADDR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_ADDR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-BIO_ADDR, BIO_ADDR_new, BIO_ADDR_clear, BIO_ADDR_free, BIO_ADDR_rawmake,
+.SH NAME
+BIO_ADDR, BIO_ADDR_new, BIO_ADDR_copy, BIO_ADDR_dup, BIO_ADDR_clear,
+BIO_ADDR_free, BIO_ADDR_rawmake,
BIO_ADDR_family, BIO_ADDR_rawaddress, BIO_ADDR_rawport,
BIO_ADDR_hostname_string, BIO_ADDR_service_string,
BIO_ADDR_path_string \- BIO_ADDR routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <sys/types.h>
@@ -150,7 +75,9 @@ BIO_ADDR_path_string \- BIO_ADDR routines
\& typedef union bio_addr_st BIO_ADDR;
\&
\& BIO_ADDR *BIO_ADDR_new(void);
-\& void BIO_ADDR_free(BIO_ADDR *);
+\& int BIO_ADDR_copy(BIO_ADDR *dst, const BIO_ADDR *src);
+\& BIO_ADDR *BIO_ADDR_dup(const BIO_ADDR *ap);
+\& void BIO_ADDR_free(BIO_ADDR *ap);
\& void BIO_ADDR_clear(BIO_ADDR *ap);
\& int BIO_ADDR_rawmake(BIO_ADDR *ap, int family,
\& const void *where, size_t wherelen, unsigned short port);
@@ -161,94 +88,106 @@ BIO_ADDR_path_string \- BIO_ADDR routines
\& char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric);
\& char *BIO_ADDR_path_string(const BIO_ADDR *ap);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1BIO_ADDR\s0\fR type is a wrapper around all types of socket
+The \fBBIO_ADDR\fR type is a wrapper around all types of socket
addresses that OpenSSL deals with, currently transparently
-supporting \s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX\s0 according to what's
+supporting AF_INET, AF_INET6 and AF_UNIX according to what's
available on the platform at hand.
.PP
-\&\fBBIO_ADDR_new()\fR creates a new unfilled \fB\s-1BIO_ADDR\s0\fR, to be used
+\&\fBBIO_ADDR_new()\fR creates a new unfilled \fBBIO_ADDR\fR, to be used
with routines that will fill it with information, such as
\&\fBBIO_accept_ex()\fR.
.PP
-\&\fBBIO_ADDR_free()\fR frees a \fB\s-1BIO_ADDR\s0\fR created with \fBBIO_ADDR_new()\fR.
+\&\fBBIO_ADDR_copy()\fR copies the contents of \fBsrc\fR into \fBdst\fR. Neither \fBsrc\fR or
+\&\fBdst\fR can be NULL.
+.PP
+\&\fBBIO_ADDR_dup()\fR creates a new \fBBIO_ADDR\fR, with a copy of the
+address data in \fBap\fR.
.PP
-\&\fBBIO_ADDR_clear()\fR clears any data held within the provided \fB\s-1BIO_ADDR\s0\fR and sets
+\&\fBBIO_ADDR_free()\fR frees a \fBBIO_ADDR\fR created with \fBBIO_ADDR_new()\fR
+or \fBBIO_ADDR_dup()\fR. If the argument is NULL, nothing is done.
+.PP
+\&\fBBIO_ADDR_clear()\fR clears any data held within the provided \fBBIO_ADDR\fR and sets
it back to an uninitialised state.
.PP
\&\fBBIO_ADDR_rawmake()\fR takes a protocol \fBfamily\fR, a byte array of
size \fBwherelen\fR with an address in network byte order pointed at
by \fBwhere\fR and a port number in network byte order in \fBport\fR (except
-for the \fB\s-1AF_UNIX\s0\fR protocol family, where \fBport\fR is meaningless and
-therefore ignored) and populates the given \fB\s-1BIO_ADDR\s0\fR with them.
-In case this creates a \fB\s-1AF_UNIX\s0\fR \fB\s-1BIO_ADDR\s0\fR, \fBwherelen\fR is expected
+for the \fBAF_UNIX\fR protocol family, where \fBport\fR is meaningless and
+therefore ignored) and populates the given \fBBIO_ADDR\fR with them.
+In case this creates a \fBAF_UNIX\fR \fBBIO_ADDR\fR, \fBwherelen\fR is expected
to be the length of the path string (not including the terminating
-\&\s-1NUL,\s0 such as the result of a call to \fBstrlen()\fR).
-Read on about the addresses in \*(L"\s-1RAW ADDRESSES\*(R"\s0 below.
+NUL, such as the result of a call to \fBstrlen()\fR).
+Read on about the addresses in "RAW ADDRESSES" below.
.PP
\&\fBBIO_ADDR_family()\fR returns the protocol family of the given
-\&\fB\s-1BIO_ADDR\s0\fR. The possible non-error results are one of the
-constants \s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX.\s0 It will also return \s-1AF_UNSPEC\s0 if the
-\&\s-1BIO_ADDR\s0 has not been initialised.
+\&\fBBIO_ADDR\fR. The possible non-error results are one of the
+constants AF_INET, AF_INET6 and AF_UNIX. It will also return AF_UNSPEC if the
+BIO_ADDR has not been initialised.
.PP
\&\fBBIO_ADDR_rawaddress()\fR will write the raw address of the given
-\&\fB\s-1BIO_ADDR\s0\fR in the area pointed at by \fBp\fR if \fBp\fR is non-NULL,
+\&\fBBIO_ADDR\fR in the area pointed at by \fBp\fR if \fBp\fR is non-NULL,
and will set \fB*l\fR to be the amount of bytes the raw address
takes up if \fBl\fR is non-NULL.
A technique to only find out the size of the address is a call
-with \fBp\fR set to \fB\s-1NULL\s0\fR. The raw address will be in network byte
+with \fBp\fR set to \fBNULL\fR. The raw address will be in network byte
order, most significant byte first.
-In case this is a \fB\s-1AF_UNIX\s0\fR \fB\s-1BIO_ADDR\s0\fR, \fBl\fR gets the length of the
-path string (not including the terminating \s-1NUL,\s0 such as the result of
+In case this is a \fBAF_UNIX\fR \fBBIO_ADDR\fR, \fBl\fR gets the length of the
+path string (not including the terminating NUL, such as the result of
a call to \fBstrlen()\fR).
-Read on about the addresses in \*(L"\s-1RAW ADDRESSES\*(R"\s0 below.
+Read on about the addresses in "RAW ADDRESSES" below.
.PP
-\&\fBBIO_ADDR_rawport()\fR returns the raw port of the given \fB\s-1BIO_ADDR\s0\fR.
+\&\fBBIO_ADDR_rawport()\fR returns the raw port of the given \fBBIO_ADDR\fR.
The raw port will be in network byte order.
.PP
\&\fBBIO_ADDR_hostname_string()\fR returns a character string with the
-hostname of the given \fB\s-1BIO_ADDR\s0\fR. If \fBnumeric\fR is 1, the string
+hostname of the given \fBBIO_ADDR\fR. If \fBnumeric\fR is 1, the string
will contain the numerical form of the address. This only works for
-\&\fB\s-1BIO_ADDR\s0\fR of the protocol families \s-1AF_INET\s0 and \s-1AF_INET6.\s0 The
+\&\fBBIO_ADDR\fR of the protocol families AF_INET and AF_INET6. The
returned string has been allocated on the heap and must be freed
with \fBOPENSSL_free()\fR.
.PP
\&\fBBIO_ADDR_service_string()\fR returns a character string with the
-service name of the port of the given \fB\s-1BIO_ADDR\s0\fR. If \fBnumeric\fR
+service name of the port of the given \fBBIO_ADDR\fR. If \fBnumeric\fR
is 1, the string will contain the port number. This only works
-for \fB\s-1BIO_ADDR\s0\fR of the protocol families \s-1AF_INET\s0 and \s-1AF_INET6.\s0 The
+for \fBBIO_ADDR\fR of the protocol families AF_INET and AF_INET6. The
returned string has been allocated on the heap and must be freed
with \fBOPENSSL_free()\fR.
.PP
\&\fBBIO_ADDR_path_string()\fR returns a character string with the path
-of the given \fB\s-1BIO_ADDR\s0\fR. This only works for \fB\s-1BIO_ADDR\s0\fR of the
-protocol family \s-1AF_UNIX.\s0 The returned string has been allocated
+of the given \fBBIO_ADDR\fR. This only works for \fBBIO_ADDR\fR of the
+protocol family AF_UNIX. The returned string has been allocated
on the heap and must be freed with \fBOPENSSL_free()\fR.
.SH "RAW ADDRESSES"
.IX Header "RAW ADDRESSES"
Both \fBBIO_ADDR_rawmake()\fR and \fBBIO_ADDR_rawaddress()\fR take a pointer to a
network byte order address of a specific site. Internally, those are
-treated as a pointer to \fBstruct in_addr\fR (for \fB\s-1AF_INET\s0\fR), \fBstruct
-in6_addr\fR (for \fB\s-1AF_INET6\s0\fR) or \fBchar *\fR (for \fB\s-1AF_UNIX\s0\fR), all
+treated as a pointer to \fBstruct in_addr\fR (for \fBAF_INET\fR), \fBstruct
+in6_addr\fR (for \fBAF_INET6\fR) or \fBchar *\fR (for \fBAF_UNIX\fR), all
depending on the protocol family the address is for.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The string producing functions \fBBIO_ADDR_hostname_string()\fR,
\&\fBBIO_ADDR_service_string()\fR and \fBBIO_ADDR_path_string()\fR will
-return \fB\s-1NULL\s0\fR on error and leave an error indication on the
+return \fBNULL\fR on error and leave an error indication on the
OpenSSL error stack.
.PP
-All other functions described here return 0 or \fB\s-1NULL\s0\fR when the
+\&\fBBIO_ADDR_copy()\fR returns 1 on success or 0 on error.
+.PP
+All other functions described here return 0 or \fBNULL\fR when the
information they should return isn't available.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_connect\fR\|(3), \fBBIO_s_connect\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBBIO_ADDR_copy()\fR and \fBBIO_ADDR_dup()\fR were added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3
index fcb802beb59d..753a656efbe1 100644
--- a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3
+++ b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_ADDRINFO 3ossl"
-.TH BIO_ADDRINFO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_ADDRINFO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_lookup_type,
BIO_ADDRINFO, BIO_ADDRINFO_next, BIO_ADDRINFO_free,
BIO_ADDRINFO_family, BIO_ADDRINFO_socktype, BIO_ADDRINFO_protocol,
@@ -144,7 +68,7 @@ BIO_ADDRINFO_address,
BIO_lookup_ex,
BIO_lookup
\&\- BIO_ADDRINFO type and routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <sys/types.h>
@@ -169,74 +93,74 @@ BIO_lookup
\& const BIO_ADDR *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai);
\& void BIO_ADDRINFO_free(BIO_ADDRINFO *bai);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1BIO_ADDRINFO\s0\fR type is a wrapper for address information
+The \fBBIO_ADDRINFO\fR type is a wrapper for address information
types provided on your platform.
.PP
-\&\fB\s-1BIO_ADDRINFO\s0\fR normally forms a chain of several that can be
+\&\fBBIO_ADDRINFO\fR normally forms a chain of several that can be
picked at one by one.
.PP
\&\fBBIO_lookup_ex()\fR looks up a specified \fBhost\fR and \fBservice\fR, and
uses \fBlookup_type\fR to determine what the default address should
-be if \fBhost\fR is \fB\s-1NULL\s0\fR. \fBfamily\fR, \fBsocktype\fR and \fBprotocol\fR are used to
+be if \fBhost\fR is \fBNULL\fR. \fBfamily\fR, \fBsocktype\fR and \fBprotocol\fR are used to
determine what protocol family, socket type and protocol should be used for
-the lookup. \fBfamily\fR can be any of \s-1AF_INET, AF_INET6, AF_UNIX\s0 and
-\&\s-1AF_UNSPEC.\s0 \fBsocktype\fR can be \s-1SOCK_STREAM, SOCK_DGRAM\s0 or 0. Specifying 0
+the lookup. \fBfamily\fR can be any of AF_INET, AF_INET6, AF_UNIX and
+AF_UNSPEC. \fBsocktype\fR can be SOCK_STREAM, SOCK_DGRAM or 0. Specifying 0
indicates that any type can be used. \fBprotocol\fR specifies a protocol such as
-\&\s-1IPPROTO_TCP, IPPROTO_UDP\s0 or \s-1IPPORTO_SCTP.\s0 If set to 0 than any protocol can be
-used. \fBres\fR points at a pointer to hold the start of a \fB\s-1BIO_ADDRINFO\s0\fR
+IPPROTO_TCP, IPPROTO_UDP or IPPORTO_SCTP. If set to 0 than any protocol can be
+used. \fBres\fR points at a pointer to hold the start of a \fBBIO_ADDRINFO\fR
chain.
.PP
-For the family \fB\s-1AF_UNIX\s0\fR, \fBBIO_lookup_ex()\fR will ignore the \fBservice\fR
+For the family \fBAF_UNIX\fR, \fBBIO_lookup_ex()\fR will ignore the \fBservice\fR
parameter and expects the \fBhost\fR parameter to hold the path to the socket file.
.PP
\&\fBBIO_lookup()\fR does the same as \fBBIO_lookup_ex()\fR but does not provide the ability
to select based on the protocol (any protocol may be returned).
.PP
\&\fBBIO_ADDRINFO_family()\fR returns the family of the given
-\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants
-\&\s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX.\s0
+\&\fBBIO_ADDRINFO\fR. The result will be one of the constants
+AF_INET, AF_INET6 and AF_UNIX.
.PP
\&\fBBIO_ADDRINFO_socktype()\fR returns the socket type of the given
-\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants
-\&\s-1SOCK_STREAM\s0 and \s-1SOCK_DGRAM.\s0
+\&\fBBIO_ADDRINFO\fR. The result will be one of the constants
+SOCK_STREAM and SOCK_DGRAM.
.PP
\&\fBBIO_ADDRINFO_protocol()\fR returns the protocol id of the given
-\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants
-\&\s-1IPPROTO_TCP\s0 and \s-1IPPROTO_UDP.\s0
+\&\fBBIO_ADDRINFO\fR. The result will be one of the constants
+IPPROTO_TCP and IPPROTO_UDP.
.PP
-\&\fBBIO_ADDRINFO_address()\fR returns the underlying \fB\s-1BIO_ADDR\s0\fR
-of the given \fB\s-1BIO_ADDRINFO\s0\fR.
+\&\fBBIO_ADDRINFO_address()\fR returns the underlying \fBBIO_ADDR\fR
+of the given \fBBIO_ADDRINFO\fR.
.PP
-\&\fBBIO_ADDRINFO_next()\fR returns the next \fB\s-1BIO_ADDRINFO\s0\fR in the chain
+\&\fBBIO_ADDRINFO_next()\fR returns the next \fBBIO_ADDRINFO\fR in the chain
from the given one.
.PP
-\&\fBBIO_ADDRINFO_free()\fR frees the chain of \fB\s-1BIO_ADDRINFO\s0\fR starting
-with the given one.
+\&\fBBIO_ADDRINFO_free()\fR frees the chain of \fBBIO_ADDRINFO\fR starting
+with the given one. If the argument is NULL, nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_lookup_ex()\fR and \fBBIO_lookup()\fR return 1 on success and 0 when an error
occurred, and will leave an error indication on the OpenSSL error stack in that
case.
.PP
-All other functions described here return 0 or \fB\s-1NULL\s0\fR when the
+All other functions described here return 0 or \fBNULL\fR when the
information they should return isn't available.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The \fBBIO_lookup_ex()\fR implementation uses the platform provided \fBgetaddrinfo()\fR
function. On Linux it is known that specifying 0 for the protocol will not
-return any \s-1SCTP\s0 based addresses when calling \fBgetaddrinfo()\fR. Therefore, if an \s-1SCTP\s0
+return any SCTP based addresses when calling \fBgetaddrinfo()\fR. Therefore, if an SCTP
address is required then the \fBprotocol\fR parameter to \fBBIO_lookup_ex()\fR should be
-explicitly set to \s-1IPPROTO_SCTP.\s0 The same may be true on other platforms.
-.SH "HISTORY"
+explicitly set to IPPROTO_SCTP. The same may be true on other platforms.
+.SH HISTORY
.IX Header "HISTORY"
The \fBBIO_lookup_ex()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_connect.3 b/secure/lib/libcrypto/man/man3/BIO_connect.3
index 411811a49e15..6e2a4430a900 100644
--- a/secure/lib/libcrypto/man/man3/BIO_connect.3
+++ b/secure/lib/libcrypto/man/man3/BIO_connect.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_CONNECT 3ossl"
-.TH BIO_CONNECT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_CONNECT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_socket, BIO_bind, BIO_connect, BIO_listen, BIO_accept_ex, BIO_closesocket \- BIO
socket communication setup routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -151,7 +75,7 @@ socket communication setup routines
\& int BIO_accept_ex(int accept_sock, BIO_ADDR *peer, int options);
\& int BIO_closesocket(int sock);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBIO_socket()\fR creates a socket in the domain \fBdomain\fR, of type
\&\fBsocktype\fR and \fBprotocol\fR. Socket \fBoptions\fR are currently unused,
@@ -159,47 +83,55 @@ but is present for future use.
.PP
\&\fBBIO_bind()\fR binds the source address and service to a socket and
may be useful before calling \fBBIO_connect()\fR. The options may include
-\&\fB\s-1BIO_SOCK_REUSEADDR\s0\fR, which is described in \*(L"\s-1FLAGS\*(R"\s0 below.
+\&\fBBIO_SOCK_REUSEADDR\fR, which is described in "FLAGS" below.
.PP
\&\fBBIO_connect()\fR connects \fBsock\fR to the address and service given by
\&\fBaddr\fR. Connection \fBoptions\fR may be zero or any combination of
-\&\fB\s-1BIO_SOCK_KEEPALIVE\s0\fR, \fB\s-1BIO_SOCK_NONBLOCK\s0\fR and \fB\s-1BIO_SOCK_NODELAY\s0\fR.
-The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below.
+\&\fBBIO_SOCK_KEEPALIVE\fR, \fBBIO_SOCK_NONBLOCK\fR and \fBBIO_SOCK_NODELAY\fR.
+The flags are described in "FLAGS" below.
.PP
\&\fBBIO_listen()\fR has \fBsock\fR start listening on the address and service
given by \fBaddr\fR. Connection \fBoptions\fR may be zero or any
-combination of \fB\s-1BIO_SOCK_KEEPALIVE\s0\fR, \fB\s-1BIO_SOCK_NONBLOCK\s0\fR,
-\&\fB\s-1BIO_SOCK_NODELAY\s0\fR, \fB\s-1BIO_SOCK_REUSEADDR\s0\fR and \fB\s-1BIO_SOCK_V6_ONLY\s0\fR.
-The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below.
+combination of \fBBIO_SOCK_KEEPALIVE\fR, \fBBIO_SOCK_NONBLOCK\fR,
+\&\fBBIO_SOCK_NODELAY\fR, \fBBIO_SOCK_REUSEADDR\fR and \fBBIO_SOCK_V6_ONLY\fR.
+The flags are described in "FLAGS" below.
.PP
\&\fBBIO_accept_ex()\fR waits for an incoming connections on the given
socket \fBaccept_sock\fR. When it gets a connection, the address and
port of the peer gets stored in \fBpeer\fR if that one is non-NULL.
-Accept \fBoptions\fR may be zero or \fB\s-1BIO_SOCK_NONBLOCK\s0\fR, and is applied
-on the accepted socket. The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below.
+Accept \fBoptions\fR may be zero or \fBBIO_SOCK_NONBLOCK\fR, and is applied
+on the accepted socket. The flags are described in "FLAGS" below.
.PP
\&\fBBIO_closesocket()\fR closes \fBsock\fR.
-.SH "FLAGS"
+.SH FLAGS
.IX Header "FLAGS"
-.IP "\s-1BIO_SOCK_KEEPALIVE\s0" 4
+.IP BIO_SOCK_KEEPALIVE 4
.IX Item "BIO_SOCK_KEEPALIVE"
Enables regular sending of keep-alive messages.
-.IP "\s-1BIO_SOCK_NONBLOCK\s0" 4
+.IP BIO_SOCK_NONBLOCK 4
.IX Item "BIO_SOCK_NONBLOCK"
Sets the socket to nonblocking mode.
-.IP "\s-1BIO_SOCK_NODELAY\s0" 4
+.IP BIO_SOCK_NODELAY 4
.IX Item "BIO_SOCK_NODELAY"
-Corresponds to \fB\s-1TCP_NODELAY\s0\fR, and disables the Nagle algorithm. With
+Corresponds to \fBTCP_NODELAY\fR, and disables the Nagle algorithm. With
this set, any data will be sent as soon as possible instead of being
buffered until there's enough for the socket to send out in one go.
-.IP "\s-1BIO_SOCK_REUSEADDR\s0" 4
+.IP BIO_SOCK_REUSEADDR 4
.IX Item "BIO_SOCK_REUSEADDR"
Try to reuse the address and port combination for a recently closed
port.
-.IP "\s-1BIO_SOCK_V6_ONLY\s0" 4
+.IP BIO_SOCK_V6_ONLY 4
.IX Item "BIO_SOCK_V6_ONLY"
When creating an IPv6 socket, make it only listen for IPv6 addresses
and not IPv4 addresses mapped to IPv6.
+.IP BIO_SOCK_TFO 4
+.IX Item "BIO_SOCK_TFO"
+Enables TCP Fast Open on the socket. Uses appropriate APIs on
+supported operating systems, including Linux, macOS and FreeBSD. Can
+be used with \fBBIO_connect()\fR, \fBBIO_set_conn_mode()\fR, \fBBIO_set_bind_mode()\fR,
+and \fBBIO_listen()\fR.
+On Linux kernels before 4.14, use \fBBIO_set_conn_address()\fR to specify
+the peer address before starting the TLS handshake.
.PP
These flags are bit flags, so they are to be combined with the
\&\f(CW\*(C`|\*(C'\fR operator, for example:
@@ -209,7 +141,7 @@ These flags are bit flags, so they are to be combined with the
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_socket()\fR returns the socket number on success or \fB\s-1INVALID_SOCKET\s0\fR
+\&\fBBIO_socket()\fR returns the socket number on success or \fBINVALID_SOCKET\fR
(\-1) on error. When an error has occurred, the OpenSSL error stack
will hold the error data and errno has the system error.
.PP
@@ -218,22 +150,22 @@ When an error has occurred, the OpenSSL error stack will hold the error
data and errno has the system error.
.PP
\&\fBBIO_accept_ex()\fR returns the accepted socket on success or
-\&\fB\s-1INVALID_SOCKET\s0\fR (\-1) on error. When an error has occurred, the
+\&\fBINVALID_SOCKET\fR (\-1) on error. When an error has occurred, the
OpenSSL error stack will hold the error data and errno has the system
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBBIO_ADDR\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBBIO_ADDR\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBIO_gethostname()\fR, \fBBIO_get_port()\fR, \fBBIO_get_host_ip()\fR,
\&\fBBIO_get_accept_socket()\fR and \fBBIO_accept()\fR were deprecated in OpenSSL 1.1.0.
Use the functions described above instead.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_ctrl.3 b/secure/lib/libcrypto/man/man3/BIO_ctrl.3
index f7f9863289c6..67e6e9d10da7 100644
--- a/secure/lib/libcrypto/man/man3/BIO_ctrl.3
+++ b/secure/lib/libcrypto/man/man3/BIO_ctrl.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_CTRL 3ossl"
-.TH BIO_CTRL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_CTRL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset,
BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close,
BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending,
BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb, BIO_get_ktls_send,
-BIO_get_ktls_recv
+BIO_get_ktls_recv, BIO_set_conn_mode, BIO_get_conn_mode, BIO_set_tfo
\&\- BIO control operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -172,36 +96,41 @@ BIO_get_ktls_recv
\&
\& int BIO_get_ktls_send(BIO *b);
\& int BIO_get_ktls_recv(BIO *b);
+\&
+\& int BIO_set_conn_mode(BIO *b, int mode);
+\& int BIO_get_conn_mode(BIO *b);
+\&
+\& int BIO_set_tfo(BIO *b, int onoff);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBIO_ctrl()\fR, \fBBIO_callback_ctrl()\fR, \fBBIO_ptr_ctrl()\fR and \fBBIO_int_ctrl()\fR
-are \s-1BIO\s0 \*(L"control\*(R" operations taking arguments of various types.
+are BIO "control" operations taking arguments of various types.
These functions are not normally called directly, various macros
are used instead. The standard macros are described below, macros
-specific to a particular type of \s-1BIO\s0 are described in the specific
+specific to a particular type of BIO are described in the specific
BIOs manual page as well as any special features of the standard
calls.
.PP
-\&\fBBIO_reset()\fR typically resets a \s-1BIO\s0 to some initial state, in the case
+\&\fBBIO_reset()\fR typically resets a BIO to some initial state, in the case
of file related BIOs for example it rewinds the file pointer to the
start of the file.
.PP
-\&\fBBIO_seek()\fR resets a file related \s-1BIO\s0's (that is file descriptor and
-\&\s-1FILE\s0 BIOs) file position pointer to \fBofs\fR bytes from start of file.
+\&\fBBIO_seek()\fR resets a file related BIO's (that is file descriptor and
+FILE BIOs) file position pointer to \fBofs\fR bytes from start of file.
.PP
-\&\fBBIO_tell()\fR returns the current file position of a file related \s-1BIO.\s0
+\&\fBBIO_tell()\fR returns the current file position of a file related BIO.
.PP
\&\fBBIO_flush()\fR normally writes out any internally buffered data, in some
-cases it is used to signal \s-1EOF\s0 and that no more data will be written.
+cases it is used to signal EOF and that no more data will be written.
.PP
-\&\fBBIO_eof()\fR returns 1 if the \s-1BIO\s0 has read \s-1EOF,\s0 the precise meaning of
-\&\*(L"\s-1EOF\*(R"\s0 varies according to the \s-1BIO\s0 type.
+\&\fBBIO_eof()\fR returns 1 if the BIO has read EOF, the precise meaning of
+"EOF" varies according to the BIO type.
.PP
-\&\fBBIO_set_close()\fR sets the \s-1BIO\s0 \fBb\fR close flag to \fBflag\fR. \fBflag\fR can
-take the value \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0 Typically \s-1BIO_CLOSE\s0 is used
-in a source/sink \s-1BIO\s0 to indicate that the underlying I/O stream should
-be closed when the \s-1BIO\s0 is freed.
+\&\fBBIO_set_close()\fR sets the BIO \fBb\fR close flag to \fBflag\fR. \fBflag\fR can
+take the value BIO_CLOSE or BIO_NOCLOSE. Typically BIO_CLOSE is used
+in a source/sink BIO to indicate that the underlying I/O stream should
+be closed when the BIO is freed.
.PP
\&\fBBIO_get_close()\fR returns the BIOs close flag.
.PP
@@ -211,10 +140,17 @@ Not all BIOs support these calls. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpend
return a size_t type and are functions, \fBBIO_pending()\fR and \fBBIO_wpending()\fR are
macros which call \fBBIO_ctrl()\fR.
.PP
-\&\fBBIO_get_ktls_send()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
+\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data-path for
sending. Otherwise, it returns zero.
-\&\fBBIO_get_ktls_recv()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
+\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data-path for
receiving. Otherwise, it returns zero.
+.PP
+\&\fBBIO_get_conn_mode()\fR returns the BIO connection mode. \fBBIO_set_conn_mode()\fR sets
+the BIO connection mode.
+.PP
+\&\fBBIO_set_tfo()\fR disables TCP Fast Open when \fBonoff\fR is 0, and enables TCP Fast
+Open when \fBonoff\fR is nonzero. Setting the value to 1 is equivalent to setting
+\&\fBBIO_SOCK_TFO\fR in \fBBIO_set_conn_mode()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_reset()\fR normally returns 1 for success and <=0 for failure. File
@@ -226,11 +162,11 @@ for success and \-1 for failure.
.PP
\&\fBBIO_flush()\fR returns 1 for success and <=0 for failure.
.PP
-\&\fBBIO_eof()\fR returns 1 if \s-1EOF\s0 has been reached, 0 if not, or negative values for failure.
+\&\fBBIO_eof()\fR returns 1 if EOF has been reached, 0 if not, or negative values for failure.
.PP
\&\fBBIO_set_close()\fR returns 1 on success or <=0 for failure.
.PP
-\&\fBBIO_get_close()\fR returns the close flag value: \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0 It also
+\&\fBBIO_get_close()\fR returns the close flag value: BIO_CLOSE or BIO_NOCLOSE. It also
returns other negative values if an error occurs.
.PP
\&\fBBIO_pending()\fR, \fBBIO_ctrl_pending()\fR, \fBBIO_wpending()\fR and \fBBIO_ctrl_wpending()\fR
@@ -238,11 +174,26 @@ return the amount of pending data. \fBBIO_pending()\fR and \fBBIO_wpending()\fR
negative value or 0 on error. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpending()\fR return
0 on error.
.PP
-\&\fBBIO_get_ktls_send()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
+\&\fBBIO_get_ktls_send()\fR returns 1 if the BIO is using the Kernel TLS data-path for
sending. Otherwise, it returns zero.
-\&\fBBIO_get_ktls_recv()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
+\&\fBBIO_get_ktls_recv()\fR returns 1 if the BIO is using the Kernel TLS data-path for
receiving. Otherwise, it returns zero.
-.SH "NOTES"
+.PP
+\&\fBBIO_set_conn_mode()\fR returns 1 for success and 0 for failure. \fBBIO_get_conn_mode()\fR
+returns the current connection mode. Which may contain the bitwise-or of the
+following flags:
+.PP
+.Vb 6
+\& BIO_SOCK_REUSEADDR
+\& BIO_SOCK_V6_ONLY
+\& BIO_SOCK_KEEPALIVE
+\& BIO_SOCK_NONBLOCK
+\& BIO_SOCK_NODELAY
+\& BIO_SOCK_TFO
+.Ve
+.PP
+\&\fBBIO_set_tfo()\fR returns 1 for success, and 0 for failure.
+.SH NOTES
.IX Header "NOTES"
\&\fBBIO_flush()\fR, because it can write data may return 0 or \-1 indicating
that the call should be retried later in a similar manner to \fBBIO_write_ex()\fR.
@@ -251,39 +202,42 @@ is the call fails.
.PP
The return values of \fBBIO_pending()\fR and \fBBIO_wpending()\fR may not reliably
determine the amount of pending data in all cases. For example in the
-case of a file \s-1BIO\s0 some data may be available in the \s-1FILE\s0 structures
+case of a file BIO some data may be available in the FILE structures
internal buffers but it is not possible to determine this in a
-portably way. For other types of \s-1BIO\s0 they may not be supported.
+portably way. For other types of BIO they may not be supported.
.PP
Filter BIOs if they do not internally handle a particular \fBBIO_ctrl()\fR
-operation usually pass the operation to the next \s-1BIO\s0 in the chain.
-This often means there is no need to locate the required \s-1BIO\s0 for
+operation usually pass the operation to the next BIO in the chain.
+This often means there is no need to locate the required BIO for
a particular operation, it can be called on a chain and it will
-be automatically passed to the relevant \s-1BIO.\s0 However, this can cause
+be automatically passed to the relevant BIO. However, this can cause
unexpected results: for example no current filter BIOs implement
-\&\fBBIO_seek()\fR, but this may still succeed if the chain ends in a \s-1FILE\s0
-or file descriptor \s-1BIO.\s0
+\&\fBBIO_seek()\fR, but this may still succeed if the chain ends in a FILE
+or file descriptor BIO.
.PP
Source/sink BIOs return an 0 if they do not recognize the \fBBIO_ctrl()\fR
operation.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
Some of the return values are ambiguous and care should be taken. In
particular a return value of 0 can be returned if an operation is not
-supported, if an error occurred, if \s-1EOF\s0 has not been reached and in
-the case of \fBBIO_seek()\fR on a file \s-1BIO\s0 for a successful operation.
+supported, if an error occurred, if EOF has not been reached and in
+the case of \fBBIO_seek()\fR on a file BIO for a successful operation.
.PP
In older versions of OpenSSL the \fBBIO_ctrl_pending()\fR and
-\&\fBBIO_ctrl_wpending()\fR could return values greater than \s-1INT_MAX\s0 on error.
-.SH "HISTORY"
+\&\fBBIO_ctrl_wpending()\fR could return values greater than INT_MAX on error.
+.SH HISTORY
.IX Header "HISTORY"
The \fBBIO_get_ktls_send()\fR and \fBBIO_get_ktls_recv()\fR macros were added in
OpenSSL 3.0. They were modified to never return \-1 in OpenSSL 3.0.4.
-.SH "COPYRIGHT"
+.PP
+The \fBBIO_get_conn_mode()\fR, \fBBIO_set_conn_mode()\fR and \fBBIO_set_tfo()\fR functions
+were added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_base64.3 b/secure/lib/libcrypto/man/man3/BIO_f_base64.3
index 8dbaf3e81a22..ac52e063cb0b 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_base64.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_base64.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_BASE64 3ossl"
-.TH BIO_F_BASE64 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_BASE64 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_f_base64 \- base64 BIO filter
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
@@ -146,43 +70,58 @@ BIO_f_base64 \- base64 BIO filter
\&
\& const BIO_METHOD *BIO_f_base64(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_base64()\fR returns the base64 \s-1BIO\s0 method. This is a filter
-\&\s-1BIO\s0 that base64 encodes any data written through it and decodes
+\&\fBBIO_f_base64()\fR returns the base64 BIO method. This is a filter
+BIO that base64 encodes any data written through it and decodes
any data read through it.
.PP
Base64 BIOs do not support \fBBIO_gets()\fR or \fBBIO_puts()\fR.
.PP
-For writing, output is by default divided to lines of length 64
-characters and there is always a newline at the end of output.
+For writing, by default output is divided to lines of length 64
+characters and there is a newline at the end of output.
+This behavior can be changed with \fBBIO_FLAGS_BASE64_NO_NL\fR flag.
+.PP
+For reading, the first line of base64 content should be at most 1024 bytes long
+including newline unless the flag \fBBIO_FLAGS_BASE64_NO_NL\fR is set.
+Subsequent input lines can be of any length (i.e., newlines may appear anywhere
+in the input) and a newline at the end of input is not needed.
.PP
-For reading, first line should be at most 1024
-characters long. If it is longer then it is ignored completely.
-Other input lines can be of any length. There must be a newline
-at the end of input.
+Also when reading, unless the flag \fBBIO_FLAGS_BASE64_NO_NL\fR is set, initial
+lines that contain non\-base64 content (whitespace is tolerated and ignored) are
+skipped, as are lines longer than 1024 bytes.
+Decoding starts with the first line that is shorter than 1024 bytes (including
+the newline) and consists of only (at least one) valid base64 characters plus
+optional whitespace.
+Decoding stops when base64 padding is encountered, a soft end-of-input
+character (\fB\-\fR, see \fBEVP_DecodeUpdate\fR\|(3)) occurs as the first byte after a
+complete group of 4 valid base64 characters is decoded, or when an error occurs
+(e.g. due to input characters other than valid base64 or whitespace).
.PP
-This behavior can be changed with \s-1BIO_FLAGS_BASE64_NO_NL\s0 flag.
+If decoding stops as a result of an error, the first \fBBIO_read\fR\|(3) that
+returns no decoded data will typically return a negative result, rather
+than 0 (which indicates normal end of input).
+However, a negative return value can also occur if the underlying BIO
+supports retries, see \fBBIO_should_read\fR\|(3) and \fBBIO_set_mem_eof_return\fR\|(3).
.PP
-\&\fBBIO_flush()\fR on a base64 \s-1BIO\s0 that is being written through is
+\&\fBBIO_flush()\fR on a base64 BIO that is being written through is
used to signal that no more data is to be encoded: this is used
-to flush the final block through the \s-1BIO.\s0
+to flush the final block through the BIO.
.PP
-The flag \s-1BIO_FLAGS_BASE64_NO_NL\s0 can be set with \fBBIO_set_flags()\fR.
+The flag \fBBIO_FLAGS_BASE64_NO_NL\fR can be set with \fBBIO_set_flags()\fR.
For writing, it causes all data to be written on one line without
newline at the end.
-For reading, it expects the data to be all on one line (with or
-without a trailing newline).
-.SH "NOTES"
+For reading, it removes all expectations on newlines in the input data.
+.SH NOTES
.IX Header "NOTES"
Because of the format of base64 encoding the end of the encoded
block cannot always be reliably determined.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_base64()\fR returns the base64 \s-1BIO\s0 method.
-.SH "EXAMPLES"
+\&\fBBIO_f_base64()\fR returns the base64 BIO method.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Base64 encode the string \*(L"Hello World\en\*(R" and write the result
+Base64 encode the string "Hello World\en" and write the result
to standard output:
.PP
.Vb 2
@@ -198,7 +137,7 @@ to standard output:
\& BIO_free_all(b64);
.Ve
.PP
-Read Base64 encoded data from standard input and write the decoded
+Read base64 encoded data from standard input and write the decoded
data to standard output:
.PP
.Vb 3
@@ -216,18 +155,35 @@ data to standard output:
\& BIO_flush(bio_out);
\& BIO_free_all(b64);
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The ambiguity of \s-1EOF\s0 in base64 encoded data can cause additional
-data following the base64 encoded block to be misinterpreted.
+The hyphen character (\fB\-\fR) is treated as an ad hoc soft end-of-input
+character when it occurs at the start of a base64 group of 4 encoded
+characters.
+.PP
+This heuristic works to detect the ends of base64 blocks in PEM or
+multi-part MIME, provided there are no stray hyphens in the middle
+input.
+But it is just a heuristic, and sufficiently unusual input could produce
+unexpected results.
+.PP
+There should perhaps be some way of specifying a test that the BIO can perform
+to reliably determine EOF (for example a MIME boundary).
.PP
-There should be some way of specifying a test that the \s-1BIO\s0 can perform
-to reliably determine \s-1EOF\s0 (for example a \s-1MIME\s0 boundary).
-.SH "COPYRIGHT"
+It may be possible for \fBBIO_read\fR\|(3) to return zero, rather than \-1, even if
+an error has been detected, more tests are needed to cover all the potential
+error paths.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBBIO_read\fR\|(3),
+\&\fBBIO_should_read\fR\|(3),
+\&\fBBIO_set_mem_eof_return\fR\|(3),
+\&\fBEVP_DecodeUpdate\fR\|(3).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3
index 699d16c9e0d1..767fb56cf58c 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_BUFFER 3ossl"
-.TH BIO_F_BUFFER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_BUFFER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_get_buffer_num_lines,
BIO_set_read_buffer_size,
BIO_set_write_buffer_size,
@@ -144,7 +68,7 @@ BIO_set_buffer_size,
BIO_set_buffer_read_data,
BIO_f_buffer
\&\- buffering BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -157,55 +81,55 @@ BIO_f_buffer
\& long BIO_set_buffer_size(BIO *b, long size);
\& long BIO_set_buffer_read_data(BIO *b, void *buf, long num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_buffer()\fR returns the buffering \s-1BIO\s0 method.
+\&\fBBIO_f_buffer()\fR returns the buffering BIO method.
.PP
-Data written to a buffering \s-1BIO\s0 is buffered and periodically written
-to the next \s-1BIO\s0 in the chain. Data read from a buffering \s-1BIO\s0 comes from
-an internal buffer which is filled from the next \s-1BIO\s0 in the chain.
+Data written to a buffering BIO is buffered and periodically written
+to the next BIO in the chain. Data read from a buffering BIO comes from
+an internal buffer which is filled from the next BIO in the chain.
Both \fBBIO_gets()\fR and \fBBIO_puts()\fR are supported.
.PP
-Calling \fBBIO_reset()\fR on a buffering \s-1BIO\s0 clears any buffered data.
+Calling \fBBIO_reset()\fR on a buffering BIO clears any buffered data.
.PP
\&\fBBIO_get_buffer_num_lines()\fR returns the number of lines currently buffered.
.PP
\&\fBBIO_set_read_buffer_size()\fR, \fBBIO_set_write_buffer_size()\fR and \fBBIO_set_buffer_size()\fR
set the read, write or both read and write buffer sizes to \fBsize\fR. The initial
-buffer size is \s-1DEFAULT_BUFFER_SIZE,\s0 currently 4096. Any attempt to reduce the
-buffer size below \s-1DEFAULT_BUFFER_SIZE\s0 is ignored. Any buffered data is cleared
+buffer size is DEFAULT_BUFFER_SIZE, currently 4096. Any attempt to reduce the
+buffer size below DEFAULT_BUFFER_SIZE is ignored. Any buffered data is cleared
when the buffer is resized.
.PP
\&\fBBIO_set_buffer_read_data()\fR clears the read buffer and fills it with \fBnum\fR
bytes of \fBbuf\fR. If \fBnum\fR is larger than the current buffer size the buffer
is expanded.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions, other than \fBBIO_f_buffer()\fR, are implemented as macros.
.PP
Buffering BIOs implement \fBBIO_read_ex()\fR and \fBBIO_gets()\fR by using
-\&\fBBIO_read_ex()\fR operations on the next \s-1BIO\s0 in the chain and storing the
+\&\fBBIO_read_ex()\fR operations on the next BIO in the chain and storing the
result in an internal buffer, from which bytes are given back to the
caller as appropriate for the call; a \fBBIO_gets()\fR is guaranteed to give
the caller a whole line, and \fBBIO_read_ex()\fR is guaranteed to give the
caller the number of bytes it asks for, unless there's an error or end
-of communication is reached in the next \s-1BIO.\s0 By prepending a
-buffering \s-1BIO\s0 to a chain it is therefore possible to provide
+of communication is reached in the next BIO. By prepending a
+buffering BIO to a chain it is therefore possible to provide
\&\fBBIO_gets()\fR or exact size \fBBIO_read_ex()\fR functionality if the following
BIOs do not support it.
.PP
-Do not add more than one \fBBIO_f_buffer()\fR to a \s-1BIO\s0 chain. The result of
+Do not add more than one \fBBIO_f_buffer()\fR to a BIO chain. The result of
doing so will force a full read of the size of the internal buffer of
the top \fBBIO_f_buffer()\fR, which is 4 KiB at a minimum.
.PP
-Data is only written to the next \s-1BIO\s0 in the chain when the write buffer fills
+Data is only written to the next BIO in the chain when the write buffer fills
or when \fBBIO_flush()\fR is called. It is therefore important to call \fBBIO_flush()\fR
whenever any pending data should be written such as when removing a buffering
-\&\s-1BIO\s0 using \fBBIO_pop()\fR. \fBBIO_flush()\fR may need to be retried if the ultimate
-source/sink \s-1BIO\s0 is non blocking.
+BIO using \fBBIO_pop()\fR. \fBBIO_flush()\fR may need to be retried if the ultimate
+source/sink BIO is non blocking.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_buffer()\fR returns the buffering \s-1BIO\s0 method.
+\&\fBBIO_f_buffer()\fR returns the buffering BIO method.
.PP
\&\fBBIO_get_buffer_num_lines()\fR returns the number of lines buffered (may be 0) or
a negative value in case of errors.
@@ -222,11 +146,11 @@ there was an error.
\&\fBBIO_flush\fR\|(3),
\&\fBBIO_pop\fR\|(3),
\&\fBBIO_ctrl\fR\|(3).
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3
index 416a23792cda..cf070f5aa26f 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_CIPHER 3ossl"
-.TH BIO_F_CIPHER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_CIPHER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx \- cipher BIO filter
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
@@ -150,48 +74,48 @@ BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx \- ciphe
\& int BIO_get_cipher_status(BIO *b);
\& int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_cipher()\fR returns the cipher \s-1BIO\s0 method. This is a filter
-\&\s-1BIO\s0 that encrypts any data written through it, and decrypts any data
-read from it. It is a \s-1BIO\s0 wrapper for the cipher routines
+\&\fBBIO_f_cipher()\fR returns the cipher BIO method. This is a filter
+BIO that encrypts any data written through it, and decrypts any data
+read from it. It is a BIO wrapper for the cipher routines
\&\fBEVP_CipherInit()\fR, \fBEVP_CipherUpdate()\fR and \fBEVP_CipherFinal()\fR.
.PP
Cipher BIOs do not support \fBBIO_gets()\fR or \fBBIO_puts()\fR.
.PP
-\&\fBBIO_flush()\fR on an encryption \s-1BIO\s0 that is being written through is
+\&\fBBIO_flush()\fR on an encryption BIO that is being written through is
used to signal that no more data is to be encrypted: this is used
-to flush and possibly pad the final block through the \s-1BIO.\s0
+to flush and possibly pad the final block through the BIO.
.PP
-\&\fBBIO_set_cipher()\fR sets the cipher of \s-1BIO\s0 \fBb\fR to \fBcipher\fR using key \fBkey\fR
-and \s-1IV\s0 \fBiv\fR. \fBenc\fR should be set to 1 for encryption and zero for
+\&\fBBIO_set_cipher()\fR sets the cipher of BIO \fBb\fR to \fBcipher\fR using key \fBkey\fR
+and IV \fBiv\fR. \fBenc\fR should be set to 1 for encryption and zero for
decryption.
.PP
-When reading from an encryption \s-1BIO\s0 the final block is automatically
-decrypted and checked when \s-1EOF\s0 is detected. \fBBIO_get_cipher_status()\fR
+When reading from an encryption BIO the final block is automatically
+decrypted and checked when EOF is detected. \fBBIO_get_cipher_status()\fR
is a \fBBIO_ctrl()\fR macro which can be called to determine whether the
decryption operation was successful.
.PP
\&\fBBIO_get_cipher_ctx()\fR is a \fBBIO_ctrl()\fR macro which retrieves the internal
-\&\s-1BIO\s0 cipher context. The retrieved context can be used in conjunction
+BIO cipher context. The retrieved context can be used in conjunction
with the standard cipher routines to set it up. This is useful when
\&\fBBIO_set_cipher()\fR is not flexible enough for the applications needs.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When encrypting \fBBIO_flush()\fR \fBmust\fR be called to flush the final block
-through the \s-1BIO.\s0 If it is not then the final block will fail a subsequent
+through the BIO. If it is not then the final block will fail a subsequent
decrypt.
.PP
When decrypting an error on the final block is signaled by a zero
return value from the read operation. A successful decrypt followed
-by \s-1EOF\s0 will also return zero for the final read. \fBBIO_get_cipher_status()\fR
+by EOF will also return zero for the final read. \fBBIO_get_cipher_status()\fR
should be called to determine if the decrypt was successful.
.PP
As always, if \fBBIO_gets()\fR or \fBBIO_puts()\fR support is needed then it can
-be achieved by preceding the cipher \s-1BIO\s0 with a buffering \s-1BIO.\s0
+be achieved by preceding the cipher BIO with a buffering BIO.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_cipher()\fR returns the cipher \s-1BIO\s0 method.
+\&\fBBIO_f_cipher()\fR returns the cipher BIO method.
.PP
\&\fBBIO_set_cipher()\fR returns 1 for success and 0 for failure.
.PP
@@ -199,11 +123,11 @@ be achieved by preceding the cipher \s-1BIO\s0 with a buffering \s-1BIO.\s0
for failure.
.PP
\&\fBBIO_get_cipher_ctx()\fR returns 1 for success and <=0 for failure.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_md.3 b/secure/lib/libcrypto/man/man3/BIO_f_md.3
index 41d5027419b9..a70a3765a5e6 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_md.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_md.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_MD 3ossl"
-.TH BIO_F_MD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_MD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx \- message digest BIO filter
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
@@ -149,31 +73,31 @@ BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx \- message digest BIO filter
\& int BIO_get_md(BIO *b, EVP_MD **mdp);
\& int BIO_get_md_ctx(BIO *b, EVP_MD_CTX **mdcp);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_md()\fR returns the message digest \s-1BIO\s0 method. This is a filter
-\&\s-1BIO\s0 that digests any data passed through it, it is a \s-1BIO\s0 wrapper
+\&\fBBIO_f_md()\fR returns the message digest BIO method. This is a filter
+BIO that digests any data passed through it. It is a BIO wrapper
for the digest routines \fBEVP_DigestInit()\fR, \fBEVP_DigestUpdate()\fR
and \fBEVP_DigestFinal()\fR.
.PP
-Any data written or read through a digest \s-1BIO\s0 using \fBBIO_read_ex()\fR and
+Any data written or read through a digest BIO using \fBBIO_read_ex()\fR and
\&\fBBIO_write_ex()\fR is digested.
.PP
\&\fBBIO_gets()\fR, if its \fBsize\fR parameter is large enough finishes the
digest calculation and returns the digest value. \fBBIO_puts()\fR is
not supported.
.PP
-\&\fBBIO_reset()\fR reinitialises a digest \s-1BIO.\s0
+\&\fBBIO_reset()\fR reinitialises a digest BIO.
.PP
-\&\fBBIO_set_md()\fR sets the message digest of \s-1BIO\s0 \fBb\fR to \fBmd\fR: this
-must be called to initialize a digest \s-1BIO\s0 before any data is
+\&\fBBIO_set_md()\fR sets the message digest of BIO \fBb\fR to \fBmd\fR: this
+must be called to initialize a digest BIO before any data is
passed through it. It is a \fBBIO_ctrl()\fR macro.
.PP
-\&\fBBIO_get_md()\fR places the a pointer to the digest BIOs digest method
-in \fBmdp\fR, it is a \fBBIO_ctrl()\fR macro.
+\&\fBBIO_get_md()\fR places a pointer to the digest BIOs digest method
+in \fBmdp\fR. It is a \fBBIO_ctrl()\fR macro.
.PP
\&\fBBIO_get_md_ctx()\fR returns the digest BIOs context into \fBmdcp\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The context returned by \fBBIO_get_md_ctx()\fR can be used in calls
to \fBEVP_DigestFinal()\fR and also the signature routines \fBEVP_SignFinal()\fR
@@ -181,30 +105,30 @@ and \fBEVP_VerifyFinal()\fR.
.PP
The context returned by \fBBIO_get_md_ctx()\fR is an internal context
structure. Changes made to this context will affect the digest
-\&\s-1BIO\s0 itself and the context pointer will become invalid when the digest
-\&\s-1BIO\s0 is freed.
+BIO itself and the context pointer will become invalid when the digest
+BIO is freed.
.PP
-After the digest has been retrieved from a digest \s-1BIO\s0 it must be
+After the digest has been retrieved from a digest BIO it must be
reinitialized by calling \fBBIO_reset()\fR, or \fBBIO_set_md()\fR before any more
data is passed through it.
.PP
If an application needs to call \fBBIO_gets()\fR or \fBBIO_puts()\fR through
a chain containing digest BIOs then this can be done by prepending
-a buffering \s-1BIO.\s0
+a buffering BIO.
.PP
-Calling \fBBIO_get_md_ctx()\fR will return the context and initialize the \s-1BIO\s0
+Calling \fBBIO_get_md_ctx()\fR will return the context and initialize the BIO
state. This allows applications to initialize the context externally
if the standard calls such as \fBBIO_set_md()\fR are not sufficiently flexible.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_md()\fR returns the digest \s-1BIO\s0 method.
+\&\fBBIO_f_md()\fR returns the digest BIO method.
.PP
\&\fBBIO_set_md()\fR, \fBBIO_get_md()\fR and \fBBIO_md_ctx()\fR return 1 for success and
<=0 for failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-The following example creates a \s-1BIO\s0 chain containing an \s-1SHA1\s0 and \s-1MD5\s0
-digest \s-1BIO\s0 and passes the string \*(L"Hello World\*(R" through it. Error
+The following example creates a BIO chain containing an SHA1 and MD5
+digest BIO and passes the string "Hello World" through it. Error
checking has been omitted for clarity.
.PP
.Vb 2
@@ -246,7 +170,7 @@ The next example digests data by reading through a chain instead:
\& } while (rdlen > 0);
.Ve
.PP
-This next example retrieves the message digests from a \s-1BIO\s0 chain and
+This next example retrieves the message digests from a BIO chain and
outputs them. This could be used with the examples above.
.PP
.Vb 4
@@ -272,22 +196,22 @@ outputs them. This could be used with the examples above.
\&
\& BIO_free_all(bio);
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The lack of support for \fBBIO_puts()\fR and the non standard behaviour of
\&\fBBIO_gets()\fR could be regarded as anomalous. It could be argued that \fBBIO_gets()\fR
-and \fBBIO_puts()\fR should be passed to the next \s-1BIO\s0 in the chain and digest
+and \fBBIO_puts()\fR should be passed to the next BIO in the chain and digest
the data passed through and that digests should be retrieved using a
separate \fBBIO_ctrl()\fR call.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
Before OpenSSL 1.0.0., the call to \fBBIO_get_md_ctx()\fR would only work if the
-\&\s-1BIO\s0 was initialized first.
-.SH "COPYRIGHT"
+BIO was initialized first.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_null.3 b/secure/lib/libcrypto/man/man3/BIO_f_null.3
index f709017fcc71..1f260ee6f4eb 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_null.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_null.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,102 +52,42 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_NULL 3ossl"
-.TH BIO_F_NULL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_NULL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_f_null \- null filter
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_f_null(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_null()\fR returns the null filter \s-1BIO\s0 method. This is a filter \s-1BIO\s0
+\&\fBBIO_f_null()\fR returns the null filter BIO method. This is a filter BIO
that does nothing.
.PP
-All requests to a null filter \s-1BIO\s0 are passed through to the next \s-1BIO\s0 in
-the chain: this means that a \s-1BIO\s0 chain containing a null filter \s-1BIO\s0
-behaves just as though the \s-1BIO\s0 was not there.
-.SH "NOTES"
+All requests to a null filter BIO are passed through to the next BIO in
+the chain: this means that a BIO chain containing a null filter BIO
+behaves just as though the BIO was not there.
+.SH NOTES
.IX Header "NOTES"
-As may be apparent a null filter \s-1BIO\s0 is not particularly useful.
+As may be apparent a null filter BIO is not particularly useful.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_null()\fR returns the null filter \s-1BIO\s0 method.
-.SH "COPYRIGHT"
+\&\fBBIO_f_null()\fR returns the null filter BIO method.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_prefix.3 b/secure/lib/libcrypto/man/man3/BIO_f_prefix.3
index 107a3e0d1059..437598e00228 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_prefix.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_prefix.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_PREFIX 3ossl"
-.TH BIO_F_PREFIX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_PREFIX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_f_prefix, BIO_set_prefix, BIO_set_indent, BIO_get_indent
\&\- prefix BIO filter
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -149,9 +73,9 @@ BIO_f_prefix, BIO_set_prefix, BIO_set_indent, BIO_get_indent
\& long BIO_set_indent(BIO *b, long indent);
\& long BIO_get_indent(BIO *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_cipher()\fR returns the prefix \s-1BIO\s0 method. This is a filter for
+\&\fBBIO_f_cipher()\fR returns the prefix BIO method. This is a filter for
text output, where each line gets automatically prefixed and indented
according to user input.
.PP
@@ -163,21 +87,21 @@ itself.
By default, there is no prefix, and indentation is set to 0.
.PP
\&\fBBIO_set_prefix()\fR sets the prefix to be used for future lines of
-text, using \fIprefix\fR. \fIprefix\fR may be \s-1NULL,\s0 signifying that there
-should be no prefix. If \fIprefix\fR isn't \s-1NULL,\s0 this function makes a
+text, using \fIprefix\fR. \fIprefix\fR may be NULL, signifying that there
+should be no prefix. If \fIprefix\fR isn't NULL, this function makes a
copy of it.
.PP
\&\fBBIO_set_indent()\fR sets the indentation to be used for future lines of
text, using \fIindent\fR. Negative values are not allowed.
.PP
\&\fBBIO_get_indent()\fR gets the current indentation.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBBIO_set_prefix()\fR, \fBBIO_set_indent()\fR and \fBBIO_get_indent()\fR are
implemented as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_prefix()\fR returns the prefix \s-1BIO\s0 method.
+\&\fBBIO_f_prefix()\fR returns the prefix BIO method.
.PP
\&\fBBIO_set_prefix()\fR returns 1 if the prefix was correctly set, or <=0 on
failure.
@@ -189,11 +113,11 @@ failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3
index 028edd27a8b0..5bfc1ab83c64 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_readbuffer.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,111 +52,51 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_READBUFFER 3ossl"
-.TH BIO_F_READBUFFER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_READBUFFER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_f_readbuffer
\&\- read only buffering BIO that supports BIO_tell() and BIO_seek()
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_f_readbuffer(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_readbuffer()\fR returns the read buffering \s-1BIO\s0 method.
+\&\fBBIO_f_readbuffer()\fR returns the read buffering BIO method.
.PP
-This \s-1BIO\s0 filter can be inserted on top of \s-1BIO\s0's that do not support \fBBIO_tell()\fR
-or \fBBIO_seek()\fR (e.g. A file \s-1BIO\s0 that uses stdin).
+This BIO filter can be inserted on top of BIO's that do not support \fBBIO_tell()\fR
+or \fBBIO_seek()\fR (e.g. A file BIO that uses stdin).
.PP
-Data read from a read buffering \s-1BIO\s0 comes from an internal buffer which is
-filled from the next \s-1BIO\s0 in the chain.
+Data read from a read buffering BIO comes from an internal buffer which is
+filled from the next BIO in the chain.
.PP
\&\fBBIO_gets()\fR is supported for read buffering BIOs.
-Writing data to a read buffering \s-1BIO\s0 is not supported.
+Writing data to a read buffering BIO is not supported.
.PP
-Calling \fBBIO_reset()\fR on a read buffering \s-1BIO\s0 does not clear any buffered data.
-.SH "NOTES"
+Calling \fBBIO_reset()\fR on a read buffering BIO does not clear any buffered data.
+.SH NOTES
.IX Header "NOTES"
Read buffering BIOs implement \fBBIO_read_ex()\fR by using \fBBIO_read_ex()\fR operations
-on the next \s-1BIO\s0 (e.g. a file \s-1BIO\s0) in the chain and storing the result in an
+on the next BIO (e.g. a file BIO) in the chain and storing the result in an
internal buffer, from which bytes are given back to the caller as appropriate
for the call. \fBBIO_read_ex()\fR is guaranteed to give the caller the number of bytes
it asks for, unless there's an error or end of communication is reached in the
-next \s-1BIO.\s0 The internal buffer can grow to cache the entire contents of the next
-\&\s-1BIO\s0 in the chain. \fBBIO_seek()\fR uses the internal buffer, so that it can only seek
+next BIO. The internal buffer can grow to cache the entire contents of the next
+BIO in the chain. \fBBIO_seek()\fR uses the internal buffer, so that it can only seek
into data that is already read.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_readbuffer()\fR returns the read buffering \s-1BIO\s0 method.
+\&\fBBIO_f_readbuffer()\fR returns the read buffering BIO method.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7),
@@ -180,11 +104,11 @@ into data that is already read.
\&\fBBIO_gets\fR\|(3),
\&\fBBIO_reset\fR\|(3),
\&\fBBIO_ctrl\fR\|(3).
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3
index 61ae97df6ed5..352c7c151631 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_SSL 3ossl"
-.TH BIO_F_SSL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_F_SSL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_do_handshake,
BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode,
BIO_set_ssl_renegotiate_bytes,
BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl,
BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id,
BIO_ssl_shutdown \- SSL BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
@@ -166,94 +90,94 @@ BIO_ssl_shutdown \- SSL BIO
\&
\& long BIO_do_handshake(BIO *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_f_ssl()\fR returns the \s-1SSL BIO\s0 method. This is a filter \s-1BIO\s0 which
-is a wrapper round the OpenSSL \s-1SSL\s0 routines adding a \s-1BIO\s0 \*(L"flavour\*(R" to
-\&\s-1SSL I/O.\s0
+\&\fBBIO_f_ssl()\fR returns the SSL BIO method. This is a filter BIO which
+is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to
+SSL I/O.
.PP
-I/O performed on an \s-1SSL BIO\s0 communicates using the \s-1SSL\s0 protocol with
-the SSLs read and write BIOs. If an \s-1SSL\s0 connection is not established
+I/O performed on an SSL BIO communicates using the SSL protocol with
+the SSLs read and write BIOs. If an SSL connection is not established
then an attempt is made to establish one on the first I/O call.
.PP
-If a \s-1BIO\s0 is appended to an \s-1SSL BIO\s0 using \fBBIO_push()\fR it is automatically
-used as the \s-1SSL\s0 BIOs read and write BIOs.
+If a BIO is appended to an SSL BIO using \fBBIO_push()\fR it is automatically
+used as the SSL BIOs read and write BIOs.
.PP
-Calling \fBBIO_reset()\fR on an \s-1SSL BIO\s0 closes down any current \s-1SSL\s0 connection
-by calling \fBSSL_shutdown()\fR. \fBBIO_reset()\fR is then sent to the next \s-1BIO\s0 in
+Calling \fBBIO_reset()\fR on an SSL BIO closes down any current SSL connection
+by calling \fBSSL_shutdown()\fR. \fBBIO_reset()\fR is then sent to the next BIO in
the chain: this will typically disconnect the underlying transport.
-The \s-1SSL BIO\s0 is then reset to the initial accept or connect state.
+The SSL BIO is then reset to the initial accept or connect state.
.PP
-If the close flag is set when an \s-1SSL BIO\s0 is freed then the internal
-\&\s-1SSL\s0 structure is also freed using \fBSSL_free()\fR.
+If the close flag is set when an SSL BIO is freed then the internal
+SSL structure is also freed using \fBSSL_free()\fR.
.PP
-\&\fBBIO_set_ssl()\fR sets the internal \s-1SSL\s0 pointer of \s-1SSL BIO\s0 \fBb\fR to \fBssl\fR using
+\&\fBBIO_set_ssl()\fR sets the internal SSL pointer of SSL BIO \fBb\fR to \fBssl\fR using
the close flag \fBc\fR.
.PP
-\&\fBBIO_get_ssl()\fR retrieves the \s-1SSL\s0 pointer of \s-1SSL BIO\s0 \fBb\fR, it can then be
-manipulated using the standard \s-1SSL\s0 library functions.
+\&\fBBIO_get_ssl()\fR retrieves the SSL pointer of SSL BIO \fBb\fR, it can then be
+manipulated using the standard SSL library functions.
.PP
-\&\fBBIO_set_ssl_mode()\fR sets the \s-1SSL BIO\s0 mode to \fBclient\fR. If \fBclient\fR
+\&\fBBIO_set_ssl_mode()\fR sets the SSL BIO mode to \fBclient\fR. If \fBclient\fR
is 1 client mode is set. If \fBclient\fR is 0 server mode is set.
.PP
-\&\fBBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count of \s-1SSL BIO\s0 \fBb\fR
+\&\fBBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count of SSL BIO \fBb\fR
to \fBnum\fR. When set after every \fBnum\fR bytes of I/O (read and write)
-the \s-1SSL\s0 session is automatically renegotiated. \fBnum\fR must be at
+the SSL session is automatically renegotiated. \fBnum\fR must be at
least 512 bytes.
.PP
-\&\fBBIO_set_ssl_renegotiate_timeout()\fR sets the renegotiate timeout of \s-1SSL BIO\s0 \fBb\fR
+\&\fBBIO_set_ssl_renegotiate_timeout()\fR sets the renegotiate timeout of SSL BIO \fBb\fR
to \fBseconds\fR.
When the renegotiate timeout elapses the session is automatically renegotiated.
.PP
\&\fBBIO_get_num_renegotiates()\fR returns the total number of session
-renegotiations due to I/O or timeout of \s-1SSL BIO\s0 \fBb\fR.
+renegotiations due to I/O or timeout of SSL BIO \fBb\fR.
.PP
-\&\fBBIO_new_ssl()\fR allocates an \s-1SSL BIO\s0 using \s-1SSL_CTX\s0 \fBctx\fR and using
+\&\fBBIO_new_ssl()\fR allocates an SSL BIO using SSL_CTX \fBctx\fR and using
client mode if \fBclient\fR is non zero.
.PP
-\&\fBBIO_new_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting of an
-\&\s-1SSL BIO\s0 (using \fBctx\fR) followed by a connect \s-1BIO.\s0
+\&\fBBIO_new_ssl_connect()\fR creates a new BIO chain consisting of an
+SSL BIO (using \fBctx\fR) followed by a connect BIO.
.PP
-\&\fBBIO_new_buffer_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting
-of a buffering \s-1BIO,\s0 an \s-1SSL BIO\s0 (using \fBctx\fR), and a connect \s-1BIO.\s0
+\&\fBBIO_new_buffer_ssl_connect()\fR creates a new BIO chain consisting
+of a buffering BIO, an SSL BIO (using \fBctx\fR), and a connect BIO.
.PP
-\&\fBBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between
-\&\s-1BIO\s0 chains \fBfrom\fR and \fBto\fR. It does this by locating the
-\&\s-1SSL\s0 BIOs in each chain and calling \fBSSL_copy_session_id()\fR on
-the internal \s-1SSL\s0 pointer.
+\&\fBBIO_ssl_copy_session_id()\fR copies an SSL session id between
+BIO chains \fBfrom\fR and \fBto\fR. It does this by locating the
+SSL BIOs in each chain and calling \fBSSL_copy_session_id()\fR on
+the internal SSL pointer.
.PP
-\&\fBBIO_ssl_shutdown()\fR closes down an \s-1SSL\s0 connection on \s-1BIO\s0
-chain \fBbio\fR. It does this by locating the \s-1SSL BIO\s0 in the
-chain and calling \fBSSL_shutdown()\fR on its internal \s-1SSL\s0
+\&\fBBIO_ssl_shutdown()\fR closes down an SSL connection on BIO
+chain \fBbio\fR. It does this by locating the SSL BIO in the
+chain and calling \fBSSL_shutdown()\fR on its internal SSL
pointer.
.PP
-\&\fBBIO_do_handshake()\fR attempts to complete an \s-1SSL\s0 handshake on the
-supplied \s-1BIO\s0 and establish the \s-1SSL\s0 connection.
-For non-SSL BIOs the connection is done typically at \s-1TCP\s0 level.
-If domain name resolution yields multiple \s-1IP\s0 addresses all of them are tried
+\&\fBBIO_do_handshake()\fR attempts to complete an SSL handshake on the
+supplied BIO and establish the SSL connection.
+For non-SSL BIOs the connection is done typically at TCP level.
+If domain name resolution yields multiple IP addresses all of them are tried
after \fBconnect()\fR failures.
The function returns 1 if the connection was established successfully.
A zero or negative value is returned if the connection could not be established.
The call \fBBIO_should_retry()\fR should be used for nonblocking connect BIOs
to determine if the call should be retried.
If a connection has already been established this call has no effect.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1SSL\s0 BIOs are exceptional in that if the underlying transport
+SSL BIOs are exceptional in that if the underlying transport
is non blocking they can still request a retry in exceptional
circumstances. Specifically this will happen if a session
renegotiation takes place during a \fBBIO_read_ex()\fR operation, one
case where this happens is when step up occurs.
.PP
-The \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be
+The SSL flag SSL_AUTO_RETRY can be
set to disable this behaviour. That is when this flag is set
-an \s-1SSL BIO\s0 using a blocking transport will never request a
+an SSL BIO using a blocking transport will never request a
retry.
.PP
Since unknown \fBBIO_ctrl()\fR operations are sent through filter
BIOs the servers name and port can be set using \fBBIO_set_host()\fR
-on the \s-1BIO\s0 returned by \fBBIO_new_ssl_connect()\fR without having
-to locate the connect \s-1BIO\s0 first.
+on the BIO returned by \fBBIO_new_ssl_connect()\fR without having
+to locate the connect BIO first.
.PP
Applications do not have to call \fBBIO_do_handshake()\fR but may wish
to do so to separate the handshake process from other I/O
@@ -262,25 +186,29 @@ processing.
\&\fBBIO_set_ssl()\fR, \fBBIO_get_ssl()\fR, \fBBIO_set_ssl_mode()\fR,
\&\fBBIO_set_ssl_renegotiate_bytes()\fR, \fBBIO_set_ssl_renegotiate_timeout()\fR,
\&\fBBIO_get_num_renegotiates()\fR, and \fBBIO_do_handshake()\fR are implemented as macros.
+.PP
+\&\fBBIO_ssl_copy_session_id()\fR is not currently supported on QUIC SSL objects and
+fails if called on such an object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_f_ssl()\fR returns the \s-1SSL\s0 \fB\s-1BIO_METHOD\s0\fR structure.
+\&\fBBIO_f_ssl()\fR returns the SSL \fBBIO_METHOD\fR structure.
.PP
\&\fBBIO_set_ssl()\fR, \fBBIO_get_ssl()\fR, \fBBIO_set_ssl_mode()\fR, \fBBIO_set_ssl_renegotiate_bytes()\fR,
\&\fBBIO_set_ssl_renegotiate_timeout()\fR and \fBBIO_get_num_renegotiates()\fR return 1 on
success or a value which is less than or equal to 0 if an error occurred.
.PP
\&\fBBIO_new_ssl()\fR, \fBBIO_new_ssl_connect()\fR and \fBBIO_new_buffer_ssl_connect()\fR return
-a valid \fB\s-1BIO\s0\fR structure on success or \fB\s-1NULL\s0\fR if an error occurred.
+a valid \fBBIO\fR structure on success or \fBNULL\fR if an error occurred.
.PP
-\&\fBBIO_ssl_copy_session_id()\fR returns 1 on success or 0 on error.
+\&\fBBIO_ssl_copy_session_id()\fR returns 1 on success or 0 on error, or if called
+on a QUIC SSL object.
.PP
\&\fBBIO_do_handshake()\fR returns 1 if the connection was established successfully.
A zero or negative value is returned if the connection could not be established.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This \s-1SSL/TLS\s0 client example attempts to retrieve a page from an
-\&\s-1SSL/TLS\s0 web server. The I/O routines are identical to those of the
+This SSL/TLS client example attempts to retrieve a page from an
+SSL/TLS web server. The I/O routines are identical to those of the
unencrypted example in \fBBIO_s_connect\fR\|(3).
.PP
.Vb 5
@@ -330,7 +258,7 @@ unencrypted example in \fBBIO_s_connect\fR\|(3).
.Ve
.PP
Here is a simple server example. It makes use of a buffering
-\&\s-1BIO\s0 to allow lines to be read from the \s-1SSL BIO\s0 using BIO_gets.
+BIO to allow lines to be read from the SSL BIO using BIO_gets.
It creates a pseudo web page containing the actual request from
a client and also echoes the request to standard output.
.PP
@@ -386,7 +314,7 @@ a client and also echoes the request to standard output.
.PP
/* Second call to \fBBIO_do_accept()\fR waits for incoming connection */
if (BIO_do_accept(acpt) <= 0) {
- fprintf(stderr, \*(L"Error accepting connection\en\*(R");
+ fprintf(stderr, "Error accepting connection\en");
ERR_print_errors_fp(stderr);
\fBexit\fR\|(1);
}
@@ -422,19 +350,19 @@ a client and also echoes the request to standard output.
\& BIO_flush(sbio);
\& BIO_free_all(sbio);
.Ve
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
In OpenSSL before 1.0.0 the \fBBIO_pop()\fR call was handled incorrectly,
-the I/O \s-1BIO\s0 reference count was incorrectly incremented (instead of
-decremented) and dissociated with the \s-1SSL BIO\s0 even if the \s-1SSL BIO\s0 was not
+the I/O BIO reference count was incorrectly incremented (instead of
+decremented) and dissociated with the SSL BIO even if the SSL BIO was not
explicitly being popped (e.g. a pop higher up the chain). Applications which
included workarounds for this bug (e.g. freeing BIOs more than once) should
-be modified to handle this fix or they may free up an already freed \s-1BIO.\s0
-.SH "COPYRIGHT"
+be modified to handle this fix or they may free up an already freed BIO.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_find_type.3 b/secure/lib/libcrypto/man/man3/BIO_find_type.3
index 9ab1e9061948..d32980e96905 100644
--- a/secure/lib/libcrypto/man/man3/BIO_find_type.3
+++ b/secure/lib/libcrypto/man/man3/BIO_find_type.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_FIND_TYPE 3ossl"
-.TH BIO_FIND_TYPE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_FIND_TYPE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_find_type, BIO_next, BIO_method_type \- BIO chain traversal
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -147,33 +71,33 @@ BIO_find_type, BIO_next, BIO_method_type \- BIO chain traversal
\& BIO *BIO_next(BIO *b);
\& int BIO_method_type(const BIO *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBBIO_find_type()\fR searches for a \s-1BIO\s0 of a given type in a chain, starting
-at \s-1BIO\s0 \fBb\fR. If \fBtype\fR is a specific type (such as \fB\s-1BIO_TYPE_MEM\s0\fR) then a search
-is made for a \s-1BIO\s0 of that type. If \fBtype\fR is a general type (such as
-\&\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR) then the next matching \s-1BIO\s0 of the given general type is
-searched for. \fBBIO_find_type()\fR returns the next matching \s-1BIO\s0 or \s-1NULL\s0 if none is
-found.
+The \fBBIO_find_type()\fR searches for a \fBBIO\fR of a given type in a chain, starting
+at \fBBIO\fR \fIb\fR. If \fItype\fR is a specific type (such as \fBBIO_TYPE_MEM\fR) then a
+search is made for a \fBBIO\fR of that type. If \fItype\fR is a general type (such as
+\&\fBBIO_TYPE_SOURCE_SINK\fR) then the next matching \fBBIO\fR of the given general type is
+searched for. \fBBIO_find_type()\fR returns the next matching \fBBIO\fR or NULL if none is
+found. If \fItype\fR is \fBBIO_TYPE_NONE\fR it will not find a match.
.PP
The following general types are defined:
-\&\fB\s-1BIO_TYPE_DESCRIPTOR\s0\fR, \fB\s-1BIO_TYPE_FILTER\s0\fR, and \fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR.
+\&\fBBIO_TYPE_DESCRIPTOR\fR, \fBBIO_TYPE_FILTER\fR, and \fBBIO_TYPE_SOURCE_SINK\fR.
.PP
For a list of the specific types, see the \fI<openssl/bio.h>\fR header file.
.PP
-\&\fBBIO_next()\fR returns the next \s-1BIO\s0 in a chain. It can be used to traverse all BIOs
+\&\fBBIO_next()\fR returns the next BIO in a chain. It can be used to traverse all BIOs
in a chain or used in conjunction with \fBBIO_find_type()\fR to find all BIOs of a
certain type.
.PP
-\&\fBBIO_method_type()\fR returns the type of a \s-1BIO.\s0
+\&\fBBIO_method_type()\fR returns the type of a BIO.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_find_type()\fR returns a matching \s-1BIO\s0 or \s-1NULL\s0 for no match.
+\&\fBBIO_find_type()\fR returns a matching BIO or NULL for no match.
.PP
-\&\fBBIO_next()\fR returns the next \s-1BIO\s0 in a chain.
+\&\fBBIO_next()\fR returns the next BIO in a chain.
.PP
-\&\fBBIO_method_type()\fR returns the type of the \s-1BIO\s0 \fBb\fR.
-.SH "EXAMPLES"
+\&\fBBIO_method_type()\fR returns the type of the BIO \fIb\fR.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Traverse a chain looking for digest BIOs:
.PP
@@ -191,11 +115,11 @@ Traverse a chain looking for digest BIOs:
\& btmp = BIO_next(btmp);
\& } while (btmp);
.Ve
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_get_data.3 b/secure/lib/libcrypto/man/man3/BIO_get_data.3
index d13b78316306..7759f4d3338f 100644
--- a/secure/lib/libcrypto/man/man3/BIO_get_data.3
+++ b/secure/lib/libcrypto/man/man3/BIO_get_data.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_GET_DATA 3ossl"
-.TH BIO_GET_DATA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_GET_DATA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_set_data, BIO_get_data, BIO_set_init, BIO_get_init, BIO_set_shutdown,
BIO_get_shutdown \- functions for managing BIO state information
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -151,44 +75,44 @@ BIO_get_shutdown \- functions for managing BIO state information
\& void BIO_set_shutdown(BIO *a, int shut);
\& int BIO_get_shutdown(BIO *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions are mainly useful when implementing a custom \s-1BIO.\s0
+These functions are mainly useful when implementing a custom BIO.
.PP
The \fBBIO_set_data()\fR function associates the custom data pointed to by \fBptr\fR with
-the \s-1BIO.\s0 This data can subsequently be retrieved via a call to \fBBIO_get_data()\fR.
+the BIO. This data can subsequently be retrieved via a call to \fBBIO_get_data()\fR.
This can be used by custom BIOs for storing implementation specific information.
.PP
-The \fBBIO_set_init()\fR function sets the value of the \s-1BIO\s0's \*(L"init\*(R" flag to indicate
-whether initialisation has been completed for this \s-1BIO\s0 or not. A nonzero value
+The \fBBIO_set_init()\fR function sets the value of the BIO's "init" flag to indicate
+whether initialisation has been completed for this BIO or not. A nonzero value
indicates that initialisation is complete, whilst zero indicates that it is not.
-Often initialisation will complete during initial construction of the \s-1BIO.\s0 For
+Often initialisation will complete during initial construction of the BIO. For
some BIOs however, initialisation may not complete until after additional steps
have occurred (for example through calling custom ctrls). The \fBBIO_get_init()\fR
-function returns the value of the \*(L"init\*(R" flag.
+function returns the value of the "init" flag.
.PP
The \fBBIO_set_shutdown()\fR and \fBBIO_get_shutdown()\fR functions set and get the state of
-this \s-1BIO\s0's shutdown (i.e. \s-1BIO_CLOSE\s0) flag. If set then the underlying resource
-is also closed when the \s-1BIO\s0 is freed.
+this BIO's shutdown (i.e. BIO_CLOSE) flag. If set then the underlying resource
+is also closed when the BIO is freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_get_data()\fR returns a pointer to the implementation specific custom data
-associated with this \s-1BIO,\s0 or \s-1NULL\s0 if none has been set.
+associated with this BIO, or NULL if none has been set.
.PP
-\&\fBBIO_get_init()\fR returns the state of the \s-1BIO\s0's init flag.
+\&\fBBIO_get_init()\fR returns the state of the BIO's init flag.
.PP
-\&\fBBIO_get_shutdown()\fR returns the stat of the \s-1BIO\s0's shutdown (i.e. \s-1BIO_CLOSE\s0) flag.
+\&\fBBIO_get_shutdown()\fR returns the stat of the BIO's shutdown (i.e. BIO_CLOSE) flag.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7), \fBBIO_meth_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3
index 8baa4e841bcc..13a5145e52a6 100644
--- a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_GET_EX_NEW_INDEX 3ossl"
-.TH BIO_GET_EX_NEW_INDEX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_GET_EX_NEW_INDEX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_get_ex_new_index, BIO_set_ex_data, BIO_get_ex_data,
BIO_set_app_data, BIO_get_app_data,
DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data,
@@ -159,7 +83,7 @@ X509_STORE_CTX_set_app_data, X509_STORE_CTX_get_app_data,
X509_STORE_get_ex_new_index, X509_STORE_set_ex_data, X509_STORE_get_ex_data,
X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data
\&\- application\-specific data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -178,7 +102,7 @@ X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -205,16 +129,16 @@ see \fBopenssl_user_macros\fR\|(7):
\& int ENGINE_set_ex_data(ENGINE *type, int idx, void *arg);
\& void *ENGINE_get_ex_data(ENGINE *type, int idx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-In the description here, \fI\s-1TYPE\s0\fR is used a placeholder
+In the description here, \fITYPE\fR is used a placeholder
for any of the OpenSSL datatypes listed in \fBCRYPTO_get_ex_new_index\fR\|(3).
.PP
-All functions with a \fI\s-1TYPE\s0\fR of \fB\s-1DH\s0\fR, \fB\s-1DSA\s0\fR, \fB\s-1RSA\s0\fR and \fB\s-1EC_KEY\s0\fR are deprecated.
+All functions with a \fITYPE\fR of \fBDH\fR, \fBDSA\fR, \fBRSA\fR and \fBEC_KEY\fR are deprecated.
Applications should instead use \fBEVP_PKEY_set_ex_data()\fR,
\&\fBEVP_PKEY_get_ex_data()\fR and \fBEVP_PKEY_get_ex_new_index()\fR.
.PP
-All functions with a \fI\s-1TYPE\s0\fR of \fB\s-1ENGINE\s0\fR are deprecated.
+All functions with a \fITYPE\fR of \fBENGINE\fR are deprecated.
Applications using engines should be replaced by providers.
.PP
These functions handle application-specific data for OpenSSL data
@@ -224,13 +148,13 @@ structures.
with the correct \fBindex\fR value.
.PP
\&\fBTYPE_set_ex_data()\fR is a function that calls \fBCRYPTO_set_ex_data()\fR with
-an offset into the opaque exdata part of the \s-1TYPE\s0 object.
+an offset into the opaque exdata part of the TYPE object. \fId\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBTYPE_get_ex_data()\fR is a function that calls \fBCRYPTO_get_ex_data()\fR with
-an offset into the opaque exdata part of the \s-1TYPE\s0 object.
+an offset into the opaque exdata part of the TYPE object. \fId\fR \fBMUST NOT\fR be NULL.
.PP
For compatibility with previous releases, the exdata index of zero is
-reserved for \*(L"application data.\*(R" There are two convenience functions for
+reserved for "application data." There are two convenience functions for
this.
\&\fBTYPE_set_app_data()\fR is a macro that invokes \fBTYPE_set_ex_data()\fR with
\&\fBidx\fR set to zero.
@@ -242,11 +166,11 @@ this.
.PP
\&\fBTYPE_set_ex_data()\fR returns 1 on success or 0 on error.
.PP
-\&\fBTYPE_get_ex_data()\fR returns the application data or \s-1NULL\s0 if an error occurred.
+\&\fBTYPE_get_ex_data()\fR returns the application data or NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBCRYPTO_get_ex_new_index\fR\|(3).
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBDH_get_ex_new_index()\fR, \fBDH_set_ex_data()\fR, \fBDH_get_ex_data()\fR,
\&\fBDSA_get_ex_new_index()\fR, \fBDSA_set_ex_data()\fR, \fBDSA_get_ex_data()\fR,
@@ -254,11 +178,11 @@ The functions \fBDH_get_ex_new_index()\fR, \fBDH_set_ex_data()\fR, \fBDH_get_ex_
\&\fBENGINE_get_ex_new_index()\fR, \fBENGINE_set_ex_data()\fR, \fBENGINE_get_ex_data()\fR,
\&\fBRSA_get_ex_new_index()\fR, \fBRSA_set_ex_data()\fR, \fBRSA_get_ex_data()\fR,
\&\fBRSA_set_app_data()\fR and \fBRSA_get_app_data()\fR were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3 b/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3
new file mode 100644
index 000000000000..e903d5283628
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/BIO_get_rpoll_descriptor.3
@@ -0,0 +1,158 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "BIO_GET_RPOLL_DESCRIPTOR 3ossl"
+.TH BIO_GET_RPOLL_DESCRIPTOR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+BIO_get_rpoll_descriptor, BIO_get_wpoll_descriptor \- obtain a structure which
+can be used to determine when a BIO object can next be read or written
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/bio.h>
+\&
+\& typedef struct bio_poll_descriptor_st {
+\& uint32_t type;
+\& union {
+\& int fd;
+\& void *custom;
+\& uintptr_t custom_ui;
+\& } value;
+\& } BIO_POLL_DESCRIPTOR;
+\&
+\& int BIO_get_rpoll_descriptor(BIO *b, BIO_POLL_DESCRIPTOR *desc);
+\& int BIO_get_wpoll_descriptor(BIO *b, BIO_POLL_DESCRIPTOR *desc);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR, on success, fill
+\&\fI*desc\fR with a poll descriptor. A poll descriptor is a tagged union structure
+which represents some kind of OS or non-OS resource which can be used to
+synchronise on I/O availability events.
+.PP
+\&\fBBIO_get_rpoll_descriptor()\fR outputs a descriptor which can be used to determine
+when the BIO can (potentially) next be read, and \fBBIO_get_wpoll_descriptor()\fR
+outputs a descriptor which can be used to determine when the BIO can
+(potentially) next be written.
+.PP
+It is permissible for \fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR
+to output the same descriptor.
+.PP
+Poll descriptors can represent different kinds of information. A typical kind of
+resource which might be represented by a poll descriptor is an OS file
+descriptor which can be used with APIs such as \fBselect()\fR.
+.PP
+The kinds of poll descriptor defined by OpenSSL are:
+.IP BIO_POLL_DESCRIPTOR_TYPE_NONE 4
+.IX Item "BIO_POLL_DESCRIPTOR_TYPE_NONE"
+Represents the absence of a valid poll descriptor. It may be used by
+\&\fBBIO_get_rpoll_descriptor()\fR or \fBBIO_get_wpoll_descriptor()\fR to indicate that the
+BIO is not pollable for readability or writeability respectively.
+.Sp
+For this type, no field within the \fIvalue\fR field of the \fBBIO_POLL_DESCRIPTOR\fR
+is valid.
+.IP BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD 4
+.IX Item "BIO_POLL_DESCRIPTOR_TYPE_SOCK_FD"
+The poll descriptor represents an OS socket resource. The field \fIvalue.fd\fR
+in the \fBBIO_POLL_DESCRIPTOR\fR is valid if it is not set to \-1.
+.Sp
+The resource is whatever kind of handle is used by a given OS to represent
+sockets, which may vary by OS. For example, on Windows, the value is a \fBSOCKET\fR
+for use with the Winsock API. On POSIX-like platforms, it is a file descriptor.
+.Sp
+Where a poll descriptor of this type is output by \fBBIO_get_rpoll_descriptor()\fR, it
+should be polled for readability to determine when the BIO might next be able to
+successfully complete a \fBBIO_read()\fR operation; likewise, where a poll descriptor
+of this type is output by \fBBIO_get_wpoll_descriptor()\fR, it should be polled for
+writeability to determine when the BIO might next be able to successfully
+complete a \fBBIO_write()\fR operation.
+.IP BIO_POLL_DESCRIPTOR_CUSTOM_START 4
+.IX Item "BIO_POLL_DESCRIPTOR_CUSTOM_START"
+Type values beginning with this value (inclusive) are reserved for application
+allocation for custom poll descriptor types. Any of the definitions in the union
+field \fIvalue\fR can be used by the application arbitrarily as opaque values.
+.PP
+Because poll descriptors are a tagged union structure, they can represent
+different kinds of information. New types of poll descriptor may be defined,
+including by applications, according to their needs.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+The functions \fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR return 1
+on success and 0 on failure.
+.PP
+These functions are permitted to succeed and initialise \fI*desc\fR with a poll
+descriptor of type \fBBIO_POLL_DESCRIPTOR_TYPE_NONE\fR to indicate that the BIO is
+not pollable for readability or writeability respectively.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_handle_events\fR\|(3), \fBSSL_get_event_timeout\fR\|(3), \fBSSL_get_rpoll_descriptor\fR\|(3),
+\&\fBSSL_get_wpoll_descriptor\fR\|(3), \fBbio\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR functions were
+added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_meth_new.3 b/secure/lib/libcrypto/man/man3/BIO_meth_new.3
index 71464300a24e..192d090cd8f4 100644
--- a/secure/lib/libcrypto/man/man3/BIO_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/BIO_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_METH_NEW 3ossl"
-.TH BIO_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_get_new_index,
BIO_meth_new, BIO_meth_free, BIO_meth_get_read_ex, BIO_meth_set_read_ex,
BIO_meth_get_write_ex, BIO_meth_set_write_ex, BIO_meth_get_write,
@@ -144,8 +68,9 @@ BIO_meth_set_write, BIO_meth_get_read, BIO_meth_set_read, BIO_meth_get_puts,
BIO_meth_set_puts, BIO_meth_get_gets, BIO_meth_set_gets, BIO_meth_get_ctrl,
BIO_meth_set_ctrl, BIO_meth_get_create, BIO_meth_set_create,
BIO_meth_get_destroy, BIO_meth_set_destroy, BIO_meth_get_callback_ctrl,
-BIO_meth_set_callback_ctrl \- Routines to build up BIO methods
-.SH "SYNOPSIS"
+BIO_meth_set_callback_ctrl, BIO_meth_set_sendmmsg, BIO_meth_get_sendmmsg,
+BIO_meth_set_recvmmsg, BIO_meth_get_recvmmsg \- Routines to build up BIO methods
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -156,65 +81,95 @@ BIO_meth_set_callback_ctrl \- Routines to build up BIO methods
\&
\& void BIO_meth_free(BIO_METHOD *biom);
\&
-\& int (*BIO_meth_get_write_ex(const BIO_METHOD *biom))(BIO *, const char *, size_t,
-\& size_t *);
-\& int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int);
\& int BIO_meth_set_write_ex(BIO_METHOD *biom,
\& int (*bwrite)(BIO *, const char *, size_t, size_t *));
\& int BIO_meth_set_write(BIO_METHOD *biom,
\& int (*write)(BIO *, const char *, int));
\&
-\& int (*BIO_meth_get_read_ex(const BIO_METHOD *biom))(BIO *, char *, size_t, size_t *);
-\& int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int);
\& int BIO_meth_set_read_ex(BIO_METHOD *biom,
\& int (*bread)(BIO *, char *, size_t, size_t *));
\& int BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int));
\&
-\& int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *);
\& int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *));
-\&
-\& int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int);
\& int BIO_meth_set_gets(BIO_METHOD *biom,
\& int (*gets)(BIO *, char *, int));
\&
-\& long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *);
\& int BIO_meth_set_ctrl(BIO_METHOD *biom,
\& long (*ctrl)(BIO *, int, long, void *));
\&
-\& int (*BIO_meth_get_create(const BIO_METHOD *bion))(BIO *);
\& int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *));
-\&
-\& int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *);
\& int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *));
\&
-\& long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *);
\& int BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
\& long (*callback_ctrl)(BIO *, int, BIO_info_cb *));
+\&
+\& int BIO_meth_set_sendmmsg(BIO_METHOD *biom,
+\& ossl_ssize_t (*f) (BIO *, BIO_MSG *, size_t,
+\& size_t, uint64_t));
+\& int BIO_meth_set_recvmmsg(BIO_METHOD *biom,
+\& ossl_ssize_t (*f) (BIO *, BIO_MSG *, size_t,
+\& size_t, uint64_t));
+.Ve
+.PP
+The following functions have been deprecated since OpenSSL 3.5:
+.PP
+.Vb 3
+\& int (*BIO_meth_get_write_ex(const BIO_METHOD *biom))(BIO *, const char *, size_t,
+\& size_t *);
+\& int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int);
+\&
+\& int (*BIO_meth_get_read_ex(const BIO_METHOD *biom))(BIO *, char *, size_t, size_t *);
+\& int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int);
+\&
+\& int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *);
+\& int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int);
+\&
+\& long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *);
+\&
+\& int (*BIO_meth_get_create(const BIO_METHOD *bion))(BIO *);
+\& int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *);
+\&
+\& long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *);
+\&
+\& ossl_ssize_t (*BIO_meth_get_sendmmsg(const BIO_METHOD *biom))(BIO *,
+\& BIO_MSG *,
+\& size_t,
+\& size_t,
+\& uint64_t);
+\& ossl_ssize_t (*BIO_meth_get_recvmmsg(const BIO_METHOD *biom))(BIO *,
+\& BIO_MSG *,
+\& size_t,
+\& size_t,
+\& uint64_t);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1BIO_METHOD\s0\fR type is a structure used for the implementation of new \s-1BIO\s0
+The \fBBIO_METHOD\fR type is a structure used for the implementation of new BIO
types. It provides a set of functions used by OpenSSL for the implementation
-of the various \s-1BIO\s0 capabilities. See the \fBbio\fR\|(7) page for more information.
+of the various BIO capabilities. See the \fBbio\fR\|(7) page for more information.
.PP
-\&\fBBIO_meth_new()\fR creates a new \fB\s-1BIO_METHOD\s0\fR structure. It should be given a
-unique integer \fBtype\fR and a string that represents its \fBname\fR.
-Use \fBBIO_get_new_index()\fR to get the value for \fBtype\fR.
+\&\fBBIO_meth_new()\fR creates a new \fBBIO_METHOD\fR structure that contains a type
+identifier \fItype\fR and a string that represents its \fBname\fR.
+\&\fBtype\fR can be set to either \fBBIO_TYPE_NONE\fR or via \fBBIO_get_new_index()\fR if
+a unique type is required for searching (See \fBBIO_find_type\fR\|(3))
+.PP
+Note that \fBBIO_get_new_index()\fR can only be used 127 times before it returns an
+error.
.PP
The set of
-standard OpenSSL provided \s-1BIO\s0 types is provided in \fI<openssl/bio.h>\fR.
-Some examples include \fB\s-1BIO_TYPE_BUFFER\s0\fR and \fB\s-1BIO_TYPE_CIPHER\s0\fR. Filter BIOs
-should have a type which have the \*(L"filter\*(R" bit set (\fB\s-1BIO_TYPE_FILTER\s0\fR).
-Source/sink BIOs should have the \*(L"source/sink\*(R" bit set (\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR).
+standard OpenSSL provided BIO types is provided in \fI<openssl/bio.h>\fR.
+Some examples include \fBBIO_TYPE_BUFFER\fR and \fBBIO_TYPE_CIPHER\fR. Filter BIOs
+should have a type which have the "filter" bit set (\fBBIO_TYPE_FILTER\fR).
+Source/sink BIOs should have the "source/sink" bit set (\fBBIO_TYPE_SOURCE_SINK\fR).
File descriptor based BIOs (e.g. socket, fd, connect, accept etc) should
-additionally have the \*(L"descriptor\*(R" bit set (\fB\s-1BIO_TYPE_DESCRIPTOR\s0\fR). See the
+additionally have the "descriptor" bit set (\fBBIO_TYPE_DESCRIPTOR\fR). See the
\&\fBBIO_find_type\fR\|(3) page for more information.
.PP
-\&\fBBIO_meth_free()\fR destroys a \fB\s-1BIO_METHOD\s0\fR structure and frees up any memory
-associated with it.
+\&\fBBIO_meth_free()\fR destroys a \fBBIO_METHOD\fR structure and frees up any memory
+associated with it. If the argument is NULL, nothing is done.
.PP
\&\fBBIO_meth_get_write_ex()\fR and \fBBIO_meth_set_write_ex()\fR get and set the function
-used for writing arbitrary length data to the \s-1BIO\s0 respectively. This function
+used for writing arbitrary length data to the BIO respectively. This function
will be called in response to the application calling \fBBIO_write_ex()\fR or
\&\fBBIO_write()\fR. The parameters for the function have the same meaning as for
\&\fBBIO_write_ex()\fR. Older code may call \fBBIO_meth_get_write()\fR and
@@ -223,7 +178,7 @@ will be called in response to the application calling \fBBIO_write_ex()\fR or
when the function was set with \fBBIO_meth_set_write_ex()\fR.
.PP
\&\fBBIO_meth_get_read_ex()\fR and \fBBIO_meth_set_read_ex()\fR get and set the function used
-for reading arbitrary length data from the \s-1BIO\s0 respectively. This function will
+for reading arbitrary length data from the BIO respectively. This function will
be called in response to the application calling \fBBIO_read_ex()\fR or \fBBIO_read()\fR.
The parameters for the function have the same meaning as for \fBBIO_read_ex()\fR.
Older code may call \fBBIO_meth_get_read()\fR and \fBBIO_meth_set_read()\fR instead.
@@ -232,65 +187,88 @@ or call \fBBIO_meth_get_read()\fR when the function was set with
\&\fBBIO_meth_set_read_ex()\fR.
.PP
\&\fBBIO_meth_get_puts()\fR and \fBBIO_meth_set_puts()\fR get and set the function used for
-writing a \s-1NULL\s0 terminated string to the \s-1BIO\s0 respectively. This function will be
+writing a NULL terminated string to the BIO respectively. This function will be
called in response to the application calling \fBBIO_puts()\fR. The parameters for
the function have the same meaning as for \fBBIO_puts()\fR.
.PP
\&\fBBIO_meth_get_gets()\fR and \fBBIO_meth_set_gets()\fR get and set the function typically
-used for reading a line of data from the \s-1BIO\s0 respectively (see the \fBBIO_gets\fR\|(3)
+used for reading a line of data from the BIO respectively (see the \fBBIO_gets\fR\|(3)
page for more information). This function will be called in response to the
application calling \fBBIO_gets()\fR. The parameters for the function have the same
meaning as for \fBBIO_gets()\fR.
.PP
\&\fBBIO_meth_get_ctrl()\fR and \fBBIO_meth_set_ctrl()\fR get and set the function used for
-processing ctrl messages in the \s-1BIO\s0 respectively. See the \fBBIO_ctrl\fR\|(3) page for
+processing ctrl messages in the BIO respectively. See the \fBBIO_ctrl\fR\|(3) page for
more information. This function will be called in response to the application
calling \fBBIO_ctrl()\fR. The parameters for the function have the same meaning as for
\&\fBBIO_ctrl()\fR.
.PP
\&\fBBIO_meth_get_create()\fR and \fBBIO_meth_set_create()\fR get and set the function used
-for creating a new instance of the \s-1BIO\s0 respectively. This function will be
+for creating a new instance of the BIO respectively. This function will be
called in response to the application calling \fBBIO_new()\fR and passing
-in a pointer to the current \s-1BIO_METHOD.\s0 The \fBBIO_new()\fR function will allocate the
-memory for the new \s-1BIO,\s0 and a pointer to this newly allocated structure will
+in a pointer to the current BIO_METHOD. The \fBBIO_new()\fR function will allocate the
+memory for the new BIO, and a pointer to this newly allocated structure will
be passed as a parameter to the function. If a create function is set,
-\&\fBBIO_new()\fR will not mark the \s-1BIO\s0 as initialised on allocation.
+\&\fBBIO_new()\fR will not mark the BIO as initialised on allocation.
\&\fBBIO_set_init\fR\|(3) must then be called either by the create function, or later,
-by a \s-1BIO\s0 ctrl function, once \s-1BIO\s0 initialisation is complete.
+by a BIO ctrl function, once BIO initialisation is complete.
.PP
\&\fBBIO_meth_get_destroy()\fR and \fBBIO_meth_set_destroy()\fR get and set the function used
-for destroying an instance of a \s-1BIO\s0 respectively. This function will be
-called in response to the application calling \fBBIO_free()\fR. A pointer to the \s-1BIO\s0
+for destroying an instance of a BIO respectively. This function will be
+called in response to the application calling \fBBIO_free()\fR. A pointer to the BIO
to be destroyed is passed as a parameter. The destroy function should be used
-for \s-1BIO\s0 specific clean up. The memory for the \s-1BIO\s0 itself should not be freed by
+for BIO specific clean up. The memory for the BIO itself should not be freed by
this function.
.PP
\&\fBBIO_meth_get_callback_ctrl()\fR and \fBBIO_meth_set_callback_ctrl()\fR get and set the
-function used for processing callback ctrl messages in the \s-1BIO\s0 respectively. See
+function used for processing callback ctrl messages in the BIO respectively. See
the \fBBIO_callback_ctrl\fR\|(3) page for more information. This function will be called
in response to the application calling \fBBIO_callback_ctrl()\fR. The parameters for
the function have the same meaning as for \fBBIO_callback_ctrl()\fR.
+.PP
+\&\fBBIO_meth_get_sendmmsg()\fR, \fBBIO_meth_set_sendmmsg()\fR, \fBBIO_meth_get_recvmmsg()\fR and
+\&\fBBIO_meth_set_recvmmsg()\fR get and set the functions used for handling
+\&\fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR calls respectively. See \fBBIO_sendmmsg\fR\|(3) for
+more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_get_new_index()\fR returns the new \s-1BIO\s0 type value or \-1 if an error occurred.
+\&\fBBIO_get_new_index()\fR returns the new BIO type value or \-1 if an error occurred.
.PP
-BIO_meth_new(int type, const char *name) returns a valid \fB\s-1BIO_METHOD\s0\fR or \s-1NULL\s0
+BIO_meth_new(int type, const char *name) returns a valid \fBBIO_METHOD\fR or NULL
if an error occurred.
.PP
The \fBBIO_meth_set\fR functions return 1 on success or 0 on error.
.PP
The \fBBIO_meth_get\fR functions return the corresponding function pointers.
+.SH BUGS
+.IX Header "BUGS"
+It is not safe to use \f(CW\*(C`BIO_meth_get_\*(C'\fR functions to reuse the \fBBIO\fR
+implementation of \fBBIO\fRs implemented by OpenSSL itself with
+application-implemented \fBBIO\fRs. Instead either the applications ought to
+implement these functions themselves or they should implement a filter BIO.
+.PP
+For more details please see <https://github.com/openssl/openssl/issues/26047>.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7), \fBBIO_find_type\fR\|(3), \fBBIO_ctrl\fR\|(3), \fBBIO_read_ex\fR\|(3), \fBBIO_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The functions described here were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+The functions \fBBIO_meth_get_sendmmsg()\fR, \fBBIO_meth_set_sendmmsg()\fR,
+\&\fBBIO_meth_get_recvmmsg()\fR and \fBBIO_meth_set_recvmmsg()\fR were added in OpenSSL 3.2.
+.PP
+All the other functions described here were added in OpenSSL 1.1.0.
+.PP
+The functions \fBBIO_meth_get_read_ex()\fR, \fBBIO_meth_get_write_ex()\fR,
+\&\fBBIO_meth_get_write()\fR, \fBBIO_meth_get_read()\fR, \fBBIO_meth_get_puts()\fR,
+\&\fBBIO_meth_get_gets()\fR, \fBBIO_meth_get_ctrl()\fR, \fBBIO_meth_get_create()\fR,
+\&\fBBIO_meth_get_destroy()\fR, \fBBIO_meth_get_callback_ctrl()\fR,
+\&\fBBIO_meth_get_sendmmsg()\fR and \fBBIO_meth_get_recvmmsg()\fR are deprecated since
+OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_new.3 b/secure/lib/libcrypto/man/man3/BIO_new.3
index 4c1feac4ae99..9855f9b5c87e 100644
--- a/secure/lib/libcrypto/man/man3/BIO_new.3
+++ b/secure/lib/libcrypto/man/man3/BIO_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_NEW 3ossl"
-.TH BIO_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_new_ex, BIO_new, BIO_up_ref, BIO_free, BIO_vfree, BIO_free_all
\&\- BIO allocation and freeing functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -151,59 +75,59 @@ BIO_new_ex, BIO_new, BIO_up_ref, BIO_free, BIO_vfree, BIO_free_all
\& void BIO_vfree(BIO *a);
\& void BIO_free_all(BIO *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBBIO_new_ex()\fR function returns a new \s-1BIO\s0 using method \fBtype\fR associated with
-the library context \fIlibctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)). The library context may be
-\&\s-1NULL\s0 to indicate the default library context.
+The \fBBIO_new_ex()\fR function returns a new BIO using method \fBtype\fR associated with
+the library context \fIlibctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)). The library context may be
+NULL to indicate the default library context. \fItype\fR \fBMUST NOT\fR be NULL.
.PP
The \fBBIO_new()\fR is the same as \fBBIO_new_ex()\fR except the default library context is
always used.
.PP
-\&\fBBIO_up_ref()\fR increments the reference count associated with the \s-1BIO\s0 object.
+\&\fBBIO_up_ref()\fR increments the reference count associated with the BIO object.
.PP
-\&\fBBIO_free()\fR frees up a single \s-1BIO,\s0 \fBBIO_vfree()\fR also frees up a single \s-1BIO\s0
+\&\fBBIO_free()\fR frees up a single BIO, \fBBIO_vfree()\fR also frees up a single BIO
but it does not return a value.
-If \fBa\fR is \s-1NULL\s0 nothing is done.
+If \fBa\fR is NULL nothing is done.
Calling \fBBIO_free()\fR may also have some effect
on the underlying I/O structure, for example it may close the file being
referred to under certain circumstances. For more details see the individual
-\&\s-1BIO_METHOD\s0 descriptions.
+BIO_METHOD descriptions.
.PP
-\&\fBBIO_free_all()\fR frees up an entire \s-1BIO\s0 chain, it does not halt if an error
-occurs freeing up an individual \s-1BIO\s0 in the chain.
-If \fBa\fR is \s-1NULL\s0 nothing is done.
+\&\fBBIO_free_all()\fR frees up an entire BIO chain, it does not halt if an error
+occurs freeing up an individual BIO in the chain.
+If \fBa\fR is NULL nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_new_ex()\fR and \fBBIO_new()\fR return a newly created \s-1BIO\s0 or \s-1NULL\s0 if the call fails.
+\&\fBBIO_new_ex()\fR and \fBBIO_new()\fR return a newly created BIO or NULL if the call fails.
.PP
\&\fBBIO_up_ref()\fR and \fBBIO_free()\fR return 1 for success and 0 for failure.
.PP
\&\fBBIO_free_all()\fR and \fBBIO_vfree()\fR do not return values.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-If \fBBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0 resulting
+If \fBBIO_free()\fR is called on a BIO chain it will only free one BIO resulting
in a memory leak.
.PP
-Calling \fBBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling \fBBIO_free()\fR
+Calling \fBBIO_free_all()\fR on a single BIO has the same effect as calling \fBBIO_free()\fR
on it other than the discarded return value.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\fBBIO_set()\fR was removed in OpenSSL 1.1.0 as \s-1BIO\s0 type is now opaque.
+\&\fBBIO_set()\fR was removed in OpenSSL 1.1.0 as BIO type is now opaque.
.PP
\&\fBBIO_new_ex()\fR was added in OpenSSL 3.0.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Create a memory \s-1BIO:\s0
+Create a memory BIO:
.PP
.Vb 1
\& BIO *mem = BIO_new(BIO_s_mem());
.Ve
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3
index 59b7a623a1f1..05079fd05edc 100644
--- a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3
+++ b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,97 +52,37 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_NEW_CMS 3ossl"
-.TH BIO_NEW_CMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_NEW_CMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_new_CMS \- CMS streaming filter BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_new_CMS()\fR returns a streaming filter \s-1BIO\s0 chain based on \fBcms\fR. The output
+\&\fBBIO_new_CMS()\fR returns a streaming filter BIO chain based on \fBcms\fR. The output
of the filter is written to \fBout\fR. Any data written to the chain is
-automatically translated to a \s-1BER\s0 format \s-1CMS\s0 structure of the appropriate type.
-.SH "NOTES"
+automatically translated to a BER format CMS structure of the appropriate type.
+.SH NOTES
.IX Header "NOTES"
-The chain returned by this function behaves like a standard filter \s-1BIO.\s0 It
+The chain returned by this function behaves like a standard filter BIO. It
supports non blocking I/O. Content is processed and streamed on the fly and not
all held in memory at once: so it is possible to encode very large structures.
After all content has been written through the chain \fBBIO_flush()\fR must be called
to finalise the structure.
.PP
-The \fB\s-1CMS_STREAM\s0\fR flag must be included in the corresponding \fBflags\fR
+The \fBCMS_STREAM\fR flag must be included in the corresponding \fBflags\fR
parameter of the \fBcms\fR creation function.
.PP
If an application wishes to write additional data to \fBout\fR BIOs should be
@@ -175,28 +99,28 @@ responsibility to set the inner content type of any outer CMS_ContentInfo
structures.
.PP
Large numbers of small writes through the chain should be avoided as this will
-produce an output consisting of lots of \s-1OCTET STRING\s0 structures. Prepending
-a \fBBIO_f_buffer()\fR buffering \s-1BIO\s0 will prevent this.
-.SH "BUGS"
+produce an output consisting of lots of OCTET STRING structures. Prepending
+a \fBBIO_f_buffer()\fR buffering BIO will prevent this.
+.SH BUGS
.IX Header "BUGS"
-There is currently no corresponding inverse \s-1BIO:\s0 i.e. one which can decode
-a \s-1CMS\s0 structure on the fly.
+There is currently no corresponding inverse BIO: i.e. one which can decode
+a CMS structure on the fly.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_new_CMS()\fR returns a \s-1BIO\s0 chain when successful or \s-1NULL\s0 if an error
+\&\fBBIO_new_CMS()\fR returns a BIO chain when successful or NULL if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_encrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBBIO_new_CMS()\fR function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3
index 955bbc79eeab..4e6816946e83 100644
--- a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3
+++ b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_PARSE_HOSTSERV 3ossl"
-.TH BIO_PARSE_HOSTSERV 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_PARSE_HOSTSERV 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_hostserv_priorities,
BIO_parse_hostserv
\&\- utility routines to parse a standard host and service string
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -151,7 +75,7 @@ BIO_parse_hostserv
\& int BIO_parse_hostserv(const char *hostserv, char **host, char **service,
\& enum BIO_hostserv_priorities hostserv_prio);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBIO_parse_hostserv()\fR will parse the information given in \fBhostserv\fR,
create strings with the hostname and service name and give those
@@ -172,8 +96,8 @@ The syntax the \fBBIO_parse_hostserv()\fR recognises is:
\& service
.Ve
.PP
-The host part can be a name or an \s-1IP\s0 address. If it's a IPv6
-address, it \s-1MUST\s0 be enclosed in brackets, such as '[::1]'.
+The host part can be a name or an IP address. If it's a IPv6
+address, it MUST be enclosed in brackets, such as '[::1]'.
.PP
The service part can be a service name or its port number. A service name
will be mapped to a port number using the system function \fBgetservbyname()\fR.
@@ -202,12 +126,12 @@ and \fBhostserv_prio\fR, as follows:
\&\fBBIO_parse_hostserv()\fR returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBBIO_ADDRINFO\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBBIO_ADDRINFO\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_printf.3 b/secure/lib/libcrypto/man/man3/BIO_printf.3
index 3bb8e1c8a1e4..f43cd72dcf6b 100644
--- a/secure/lib/libcrypto/man/man3/BIO_printf.3
+++ b/secure/lib/libcrypto/man/man3/BIO_printf.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_PRINTF 3ossl"
-.TH BIO_PRINTF 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_PRINTF 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_printf, BIO_vprintf, BIO_snprintf, BIO_vsnprintf
\&\- formatted output to a BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -150,14 +74,14 @@ BIO_printf, BIO_vprintf, BIO_snprintf, BIO_vsnprintf
\& int BIO_snprintf(char *buf, size_t n, const char *format, ...);
\& int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBIO_printf()\fR is similar to the standard C \fBprintf()\fR function, except that
-the output is sent to the specified \s-1BIO,\s0 \fIbio\fR, rather than standard
+the output is sent to the specified BIO, \fIbio\fR, rather than standard
output. All common format specifiers are supported.
.PP
\&\fBBIO_vprintf()\fR is similar to the \fBvprintf()\fR function found on many platforms,
-the output is sent to the specified \s-1BIO,\s0 \fIbio\fR, rather than standard
+the output is sent to the specified BIO, \fIbio\fR, rather than standard
output. All common format specifiers are supported. The argument
list \fIargs\fR is a stdarg argument list.
.PP
@@ -171,17 +95,17 @@ specifies the size of the output buffer.
All functions return the number of bytes written, or \-1 on error.
For \fBBIO_snprintf()\fR and \fBBIO_vsnprintf()\fR this includes when the output
buffer is too small.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Except when \fIn\fR is 0, both \fBBIO_snprintf()\fR and \fBBIO_vsnprintf()\fR always
terminate their output with \f(CW\*(Aq\e0\*(Aq\fR. This includes cases where \-1 is
returned, such as when there is insufficient space to output the whole
string.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_push.3 b/secure/lib/libcrypto/man/man3/BIO_push.3
index fab0c72af7dd..3f3297836baf 100644
--- a/secure/lib/libcrypto/man/man3/BIO_push.3
+++ b/secure/lib/libcrypto/man/man3/BIO_push.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_PUSH 3ossl"
-.TH BIO_PUSH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_PUSH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_push, BIO_pop, BIO_set_next \- add and remove BIOs from a chain
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -147,44 +71,44 @@ BIO_push, BIO_pop, BIO_set_next \- add and remove BIOs from a chain
\& BIO *BIO_pop(BIO *b);
\& void BIO_set_next(BIO *b, BIO *next);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBIO_push()\fR pushes \fIb\fR on \fInext\fR.
-If \fIb\fR is \s-1NULL\s0 the function does nothing and returns \fInext\fR.
-Otherwise it prepends \fIb\fR, which may be a single \s-1BIO\s0 or a chain of BIOs,
-to \fInext\fR (unless \fInext\fR is \s-1NULL\s0).
+If \fIb\fR is NULL the function does nothing and returns \fInext\fR.
+Otherwise it prepends \fIb\fR, which may be a single BIO or a chain of BIOs,
+to \fInext\fR (unless \fInext\fR is NULL).
It then makes a control call on \fIb\fR and returns \fIb\fR.
.PP
-\&\fBBIO_pop()\fR removes the \s-1BIO\s0 \fIb\fR from any chain is is part of.
-If \fIb\fR is \s-1NULL\s0 the function does nothing and returns \s-1NULL.\s0
+\&\fBBIO_pop()\fR removes the BIO \fIb\fR from any chain is is part of.
+If \fIb\fR is NULL the function does nothing and returns NULL.
Otherwise it makes a control call on \fIb\fR and
-returns the next \s-1BIO\s0 in the chain, or \s-1NULL\s0 if there is no next \s-1BIO.\s0
-The removed \s-1BIO\s0 becomes a single \s-1BIO\s0 with no association with
+returns the next BIO in the chain, or NULL if there is no next BIO.
+The removed BIO becomes a single BIO with no association with
the original chain, it can thus be freed or be made part of a different chain.
.PP
-\&\fBBIO_set_next()\fR replaces the existing next \s-1BIO\s0 in a chain with the \s-1BIO\s0 pointed to
+\&\fBBIO_set_next()\fR replaces the existing next BIO in a chain with the BIO pointed to
by \fInext\fR. The new chain may include some of the same BIOs from the old chain
or it may be completely different.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The names of these functions are perhaps a little misleading. \fBBIO_push()\fR
-joins two \s-1BIO\s0 chains whereas \fBBIO_pop()\fR deletes a single \s-1BIO\s0 from a chain,
-the deleted \s-1BIO\s0 does not need to be at the end of a chain.
+joins two BIO chains whereas \fBBIO_pop()\fR deletes a single BIO from a chain,
+the deleted BIO does not need to be at the end of a chain.
.PP
-The process of calling \fBBIO_push()\fR and \fBBIO_pop()\fR on a \s-1BIO\s0 may have additional
+The process of calling \fBBIO_push()\fR and \fBBIO_pop()\fR on a BIO may have additional
consequences (a control call is made to the affected BIOs).
Any effects will be noted in the descriptions of individual BIOs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_push()\fR returns the head of the chain,
-which usually is \fIb\fR, or \fInext\fR if \fIb\fR is \s-1NULL.\s0
+which usually is \fIb\fR, or \fInext\fR if \fIb\fR is NULL.
.PP
-\&\fBBIO_pop()\fR returns the next \s-1BIO\s0 in the chain,
-or \s-1NULL\s0 if there is no next \s-1BIO.\s0
-.SH "EXAMPLES"
+\&\fBBIO_pop()\fR returns the next BIO in the chain,
+or NULL if there is no next BIO.
+.SH EXAMPLES
.IX Header "EXAMPLES"
For these examples suppose \fImd1\fR and \fImd2\fR are digest BIOs,
-\&\fIb64\fR is a base64 \s-1BIO\s0 and \fIf\fR is a file \s-1BIO.\s0
+\&\fIb64\fR is a base64 BIO and \fIf\fR is a file BIO.
.PP
If the call:
.PP
@@ -218,14 +142,14 @@ except that \fImd2\fR will no more be applied.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBBIO_set_next()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_read.3 b/secure/lib/libcrypto/man/man3/BIO_read.3
index 563ad4a1cd90..9e690ec707ac 100644
--- a/secure/lib/libcrypto/man/man3/BIO_read.3
+++ b/secure/lib/libcrypto/man/man3/BIO_read.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_READ 3ossl"
-.TH BIO_READ 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_READ 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_read_ex, BIO_write_ex, BIO_read, BIO_write,
BIO_gets, BIO_get_line, BIO_puts
\&\- BIO I/O functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -154,40 +78,40 @@ BIO_gets, BIO_get_line, BIO_puts
\& int BIO_write(BIO *b, const void *data, int dlen);
\& int BIO_puts(BIO *b, const char *buf);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_read_ex()\fR attempts to read \fIdlen\fR bytes from \s-1BIO\s0 \fIb\fR and places the data
+\&\fBBIO_read_ex()\fR attempts to read \fIdlen\fR bytes from BIO \fIb\fR and places the data
in \fIdata\fR. If any bytes were successfully read then the number of bytes read is
stored in \fI*readbytes\fR.
.PP
-\&\fBBIO_write_ex()\fR attempts to write \fIdlen\fR bytes from \fIdata\fR to \s-1BIO\s0 \fIb\fR.
+\&\fBBIO_write_ex()\fR attempts to write \fIdlen\fR bytes from \fIdata\fR to BIO \fIb\fR.
If successful then the number of bytes written is stored in \fI*written\fR
-unless \fIwritten\fR is \s-1NULL.\s0
+unless \fIwritten\fR is NULL.
.PP
-\&\fBBIO_read()\fR attempts to read \fIlen\fR bytes from \s-1BIO\s0 \fIb\fR and places
+\&\fBBIO_read()\fR attempts to read \fIlen\fR bytes from BIO \fIb\fR and places
the data in \fIbuf\fR.
.PP
-\&\fBBIO_gets()\fR performs the BIOs \*(L"gets\*(R" operation and places the data
+\&\fBBIO_gets()\fR performs the BIOs "gets" operation and places the data
in \fIbuf\fR. Usually this operation will attempt to read a line of data
-from the \s-1BIO\s0 of maximum length \fIsize\-1\fR. There are exceptions to this,
-however; for example, \fBBIO_gets()\fR on a digest \s-1BIO\s0 will calculate and
+from the BIO of maximum length \fIsize\-1\fR. There are exceptions to this,
+however; for example, \fBBIO_gets()\fR on a digest BIO will calculate and
return the digest and other BIOs may not support \fBBIO_gets()\fR at all.
The returned string is always NUL-terminated and the '\en' is preserved
if present in the input data.
-On binary input there may be \s-1NUL\s0 characters within the string;
+On binary input there may be NUL characters within the string;
in this case the return value (if nonnegative) may give an incorrect length.
.PP
-\&\fBBIO_get_line()\fR attempts to read from \s-1BIO\s0 \fIb\fR a line of data up to the next '\en'
+\&\fBBIO_get_line()\fR attempts to read from BIO \fIb\fR a line of data up to the next '\en'
or the maximum length \fIsize\-1\fR is reached and places the data in \fIbuf\fR.
The returned string is always NUL-terminated and the '\en' is preserved
if present in the input data.
-On binary input there may be \s-1NUL\s0 characters within the string;
+On binary input there may be NUL characters within the string;
in this case the return value (if nonnegative) gives the actual length read.
For implementing this, unfortunately the data needs to be read byte-by-byte.
.PP
-\&\fBBIO_write()\fR attempts to write \fIlen\fR bytes from \fIbuf\fR to \s-1BIO\s0 \fIb\fR.
+\&\fBBIO_write()\fR attempts to write \fIlen\fR bytes from \fIbuf\fR to BIO \fIb\fR.
.PP
-\&\fBBIO_puts()\fR attempts to write a NUL-terminated string \fIbuf\fR to \s-1BIO\s0 \fIb\fR.
+\&\fBBIO_puts()\fR attempts to write a NUL-terminated string \fIbuf\fR to BIO \fIb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_read_ex()\fR returns 1 if data was successfully read, and 0 otherwise.
@@ -195,24 +119,24 @@ For implementing this, unfortunately the data needs to be read byte-by-byte.
\&\fBBIO_write_ex()\fR returns 1 if no error was encountered writing data, 0 otherwise.
Requesting to write 0 bytes is not considered an error.
.PP
-\&\fBBIO_write()\fR returns \-2 if the \*(L"write\*(R" operation is not implemented by the \s-1BIO\s0
+\&\fBBIO_write()\fR returns \-2 if the "write" operation is not implemented by the BIO
or \-1 on other errors.
Otherwise it returns the number of bytes written.
-This may be 0 if the \s-1BIO\s0 \fIb\fR is \s-1NULL\s0 or \fIdlen <= 0\fR.
+This may be 0 if the BIO \fIb\fR is NULL or \fIdlen <= 0\fR.
.PP
-\&\fBBIO_gets()\fR returns \-2 if the \*(L"gets\*(R" operation is not implemented by the \s-1BIO\s0
+\&\fBBIO_gets()\fR returns \-2 if the "gets" operation is not implemented by the BIO
or \-1 on other errors.
Otherwise it typically returns the amount of data read,
but depending on the implementation it may return only the length up to
-the first \s-1NUL\s0 character contained in the data read.
-In any case the trailing \s-1NUL\s0 that is added after the data read
+the first NUL character contained in the data read.
+In any case the trailing NUL that is added after the data read
is not included in the length returned.
.PP
All other functions return either the amount of data successfully read or
written (if the return value is positive) or that no data was successfully
read or written if the result is 0 or \-1. If the return value is \-2 then
-the operation is not implemented in the specific \s-1BIO\s0 type.
-.SH "NOTES"
+the operation is not implemented in the specific BIO type.
+.SH NOTES
.IX Header "NOTES"
A 0 or \-1 return is not necessarily an indication of an error. In
particular when the source/sink is nonblocking or of a certain type
@@ -224,7 +148,7 @@ One technique sometimes used with blocking sockets is to use a system call
and then call \fBread()\fR to read the data. The equivalent with BIOs (that is call
\&\fBselect()\fR on the underlying I/O structure and then call \fBBIO_read()\fR to
read the data) should \fBnot\fR be used because a single call to \fBBIO_read()\fR
-can cause several reads (and writes in the case of \s-1SSL\s0 BIOs) on the underlying
+can cause several reads (and writes in the case of SSL BIOs) on the underlying
I/O structure and may block as a result. Instead \fBselect()\fR (or equivalent)
should be combined with non blocking I/O so successive reads will request
a retry instead of blocking.
@@ -232,26 +156,26 @@ a retry instead of blocking.
See \fBBIO_should_retry\fR\|(3) for details of how to
determine the cause of a retry and other I/O issues.
.PP
-If the \*(L"gets\*(R" method is not supported by a \s-1BIO\s0 then \fBBIO_get_line()\fR can be used.
-It is also possible to make \fBBIO_gets()\fR usable even if the \*(L"gets\*(R" method is not
-supported by adding a buffering \s-1BIO\s0 \fBBIO_f_buffer\fR\|(3) to the chain.
+If the "gets" method is not supported by a BIO then \fBBIO_get_line()\fR can be used.
+It is also possible to make \fBBIO_gets()\fR usable even if the "gets" method is not
+supported by adding a buffering BIO \fBBIO_f_buffer\fR\|(3) to the chain.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_should_retry\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\fBBIO_gets()\fR on 1.1.0 and older when called on \fBBIO_fd()\fR based \s-1BIO\s0 did not
+\&\fBBIO_gets()\fR on 1.1.0 and older when called on \fBBIO_fd()\fR based BIO did not
keep the '\en' at the end of the line in the buffer.
.PP
\&\fBBIO_get_line()\fR was added in OpenSSL 3.0.
.PP
\&\fBBIO_write_ex()\fR returns 1 if the size of the data to write is 0 and the
-\&\fIwritten\fR parameter of the function can be \s-1NULL\s0 since OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fIwritten\fR parameter of the function can be NULL since OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_accept.3 b/secure/lib/libcrypto/man/man3/BIO_s_accept.3
index 89e7a0d34aff..6773b3c11bfd 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_accept.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_accept.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_ACCEPT 3ossl"
-.TH BIO_S_ACCEPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_ACCEPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_accept, BIO_set_accept_name, BIO_set_accept_port, BIO_get_accept_name,
-BIO_get_accept_port, BIO_new_accept, BIO_set_nbio_accept, BIO_set_accept_bios,
+BIO_get_accept_port, BIO_new_accept, BIO_set_nbio_accept, BIO_set_tfo_accept, BIO_set_accept_bios,
BIO_get_peer_name, BIO_get_peer_port,
BIO_get_accept_ip_family, BIO_set_accept_ip_family,
BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -158,6 +82,7 @@ BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO
\& BIO *BIO_new_accept(char *host_port);
\&
\& long BIO_set_nbio_accept(BIO *b, int n);
+\& long BIO_set_tfo_accept(BIO *b, int n);
\& long BIO_set_accept_bios(BIO *b, char *bio);
\&
\& char *BIO_get_peer_name(BIO *b);
@@ -170,45 +95,45 @@ BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO
\&
\& int BIO_do_accept(BIO *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_accept()\fR returns the accept \s-1BIO\s0 method. This is a wrapper
-round the platform's \s-1TCP/IP\s0 socket accept routines.
+\&\fBBIO_s_accept()\fR returns the accept BIO method. This is a wrapper
+round the platform's TCP/IP socket accept routines.
.PP
-Using accept BIOs, \s-1TCP/IP\s0 connections can be accepted and data
-transferred using only \s-1BIO\s0 routines. In this way any platform
-specific operations are hidden by the \s-1BIO\s0 abstraction.
+Using accept BIOs, TCP/IP connections can be accepted and data
+transferred using only BIO routines. In this way any platform
+specific operations are hidden by the BIO abstraction.
.PP
-Read and write operations on an accept \s-1BIO\s0 will perform I/O
+Read and write operations on an accept BIO will perform I/O
on the underlying connection. If no connection is established
-and the port (see below) is set up properly then the \s-1BIO\s0
+and the port (see below) is set up properly then the BIO
waits for an incoming connection.
.PP
Accept BIOs support \fBBIO_puts()\fR but not \fBBIO_gets()\fR.
.PP
-If the close flag is set on an accept \s-1BIO\s0 then any active
+If the close flag is set on an accept BIO then any active
connection on that chain is shutdown and the socket closed when
-the \s-1BIO\s0 is freed.
+the BIO is freed.
.PP
-Calling \fBBIO_reset()\fR on an accept \s-1BIO\s0 will close any active
-connection and reset the \s-1BIO\s0 into a state where it awaits another
+Calling \fBBIO_reset()\fR on an accept BIO will close any active
+connection and reset the BIO into a state where it awaits another
incoming connection.
.PP
\&\fBBIO_get_fd()\fR and \fBBIO_set_fd()\fR can be called to retrieve or set
the accept socket. See \fBBIO_s_fd\fR\|(3)
.PP
\&\fBBIO_set_accept_name()\fR uses the string \fBname\fR to set the accept
-name. The name is represented as a string of the form \*(L"host:port\*(R",
-where \*(L"host\*(R" is the interface to use and \*(L"port\*(R" is the port.
-The host can be \*(L"*\*(R" or empty which is interpreted as meaning
+name. The name is represented as a string of the form "host:port",
+where "host" is the interface to use and "port" is the port.
+The host can be "*" or empty which is interpreted as meaning
any interface. If the host is an IPv6 address, it has to be
-enclosed in brackets, for example \*(L"[::1]:https\*(R". \*(L"port\*(R" has the
+enclosed in brackets, for example "[::1]:https". "port" has the
same syntax as the port specified in \fBBIO_set_conn_port()\fR for
connect BIOs, that is it can be a numerical port string or a
string to lookup using \fBgetservbyname()\fR and a string table.
.PP
\&\fBBIO_set_accept_port()\fR uses the string \fBport\fR to set the accept
-port of \s-1BIO\s0 \fIb\fR. \*(L"port\*(R" has the same syntax as the port specified in
+port of BIO \fIb\fR. "port" has the same syntax as the port specified in
\&\fBBIO_set_conn_port()\fR for connect BIOs, that is it can be a numerical
port string or a string to lookup using \fBgetservbyname()\fR and a string
table.
@@ -216,58 +141,65 @@ If the given port is \f(CW0\fR then a random available port is chosen.
It may be queried using \fBBIO_sock_info()\fR and \fBBIO_ADDR_service_string\fR\|(3).
.PP
\&\fBBIO_new_accept()\fR combines \fBBIO_new()\fR and \fBBIO_set_accept_name()\fR into
-a single call: that is it creates a new accept \s-1BIO\s0 with port
+a single call: that is it creates a new accept BIO with port
\&\fBhost_port\fR.
.PP
\&\fBBIO_set_nbio_accept()\fR sets the accept socket to blocking mode
(the default) if \fBn\fR is 0 or non blocking mode if \fBn\fR is 1.
.PP
+\&\fBBIO_set_tfo_accept()\fR enables TCP Fast Open on the accept socket
+if \fBn\fR is 1 or disables TCP Fast Open if \fBn\fR is 0 (the default).
+Setting the value to 1 is equivalent to setting \fBBIO_SOCK_TFO\fR
+in \fBBIO_set_bind_mode()\fR.
+.PP
\&\fBBIO_set_accept_bios()\fR can be used to set a chain of BIOs which
will be duplicated and prepended to the chain when an incoming
connection is received. This is useful if, for example, a
-buffering or \s-1SSL BIO\s0 is required for each connection. The
+buffering or SSL BIO is required for each connection. The
chain of BIOs must not be freed after this call, they will
-be automatically freed when the accept \s-1BIO\s0 is freed.
+be automatically freed when the accept BIO is freed.
.PP
-\&\fBBIO_get_accept_ip_family()\fR returns the \s-1IP\s0 family accepted by the \s-1BIO\s0 \fIb\fR,
-which may be \fB\s-1BIO_FAMILY_IPV4\s0\fR, \fB\s-1BIO_FAMILY_IPV6\s0\fR, or \fB\s-1BIO_FAMILY_IPANY\s0\fR.
+\&\fBBIO_get_accept_ip_family()\fR returns the IP family accepted by the BIO \fIb\fR,
+which may be \fBBIO_FAMILY_IPV4\fR, \fBBIO_FAMILY_IPV6\fR, or \fBBIO_FAMILY_IPANY\fR.
.PP
-\&\fBBIO_set_accept_ip_family()\fR sets the \s-1IP\s0 family \fIfamily\fR accepted by \s-1BIO\s0 \fIb\fR.
-The default is \fB\s-1BIO_FAMILY_IPANY\s0\fR.
+\&\fBBIO_set_accept_ip_family()\fR sets the IP family \fIfamily\fR accepted by BIO \fIb\fR.
+The default is \fBBIO_FAMILY_IPANY\fR.
.PP
\&\fBBIO_set_bind_mode()\fR and \fBBIO_get_bind_mode()\fR set and retrieve
-the current bind mode. If \fB\s-1BIO_BIND_NORMAL\s0\fR (the default) is set
+the current bind mode. If \fBBIO_BIND_NORMAL\fR (the default) is set
then another socket cannot be bound to the same port. If
-\&\fB\s-1BIO_BIND_REUSEADDR\s0\fR is set then other sockets can bind to the
-same port. If \fB\s-1BIO_BIND_REUSEADDR_IF_UNUSED\s0\fR is set then and
-attempt is first made to use \s-1BIO_BIN_NORMAL,\s0 if this fails
+\&\fBBIO_BIND_REUSEADDR\fR is set then other sockets can bind to the
+same port. If \fBBIO_BIND_REUSEADDR_IF_UNUSED\fR is set then and
+attempt is first made to use BIO_BIN_NORMAL, if this fails
and the port is not in use then a second attempt is made
-using \fB\s-1BIO_BIND_REUSEADDR\s0\fR.
+using \fBBIO_BIND_REUSEADDR\fR. If \fBBIO_SOCK_TFO\fR is set, then
+the socket will be configured to accept TCP Fast Open
+connections.
.PP
\&\fBBIO_do_accept()\fR serves two functions. When it is first
-called, after the accept \s-1BIO\s0 has been setup, it will attempt
+called, after the accept BIO has been setup, it will attempt
to create the accept socket and bind an address to it. Second
and subsequent calls to \fBBIO_do_accept()\fR will await an incoming
connection, or request a retry in non blocking mode.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When an accept \s-1BIO\s0 is at the end of a chain it will await an
+When an accept BIO is at the end of a chain it will await an
incoming connection before processing I/O calls. When an accept
-\&\s-1BIO\s0 is not at then end of a chain it passes I/O calls to the next
-\&\s-1BIO\s0 in the chain.
+BIO is not at then end of a chain it passes I/O calls to the next
+BIO in the chain.
.PP
-When a connection is established a new socket \s-1BIO\s0 is created for
+When a connection is established a new socket BIO is created for
the connection and appended to the chain. That is the chain is now
accept\->socket. This effectively means that attempting I/O on
an initial accept socket will await an incoming connection then
perform I/O on it.
.PP
If any additional BIOs have been set using \fBBIO_set_accept_bios()\fR
-then they are placed between the socket and the accept \s-1BIO,\s0
+then they are placed between the socket and the accept BIO,
that is the chain will be accept\->otherbios\->socket.
.PP
If a server wishes to process multiple connections (as is normally
-the case) then the accept \s-1BIO\s0 must be made available for further
+the case) then the accept BIO must be made available for further
incoming connections. This can be done by waiting for a connection and
then calling:
.PP
@@ -275,21 +207,21 @@ then calling:
\& connection = BIO_pop(accept);
.Ve
.PP
-After this call \fBconnection\fR will contain a \s-1BIO\s0 for the recently
-established connection and \fBaccept\fR will now be a single \s-1BIO\s0
+After this call \fBconnection\fR will contain a BIO for the recently
+established connection and \fBaccept\fR will now be a single BIO
again which can be used to await further incoming connections.
If no further connections will be accepted the \fBaccept\fR can
be freed using \fBBIO_free()\fR.
.PP
If only a single connection will be processed it is possible to
-perform I/O using the accept \s-1BIO\s0 itself. This is often undesirable
-however because the accept \s-1BIO\s0 will still accept additional incoming
+perform I/O using the accept BIO itself. This is often undesirable
+however because the accept BIO will still accept additional incoming
connections. This can be resolved by using \fBBIO_pop()\fR (see above)
-and freeing up the accept \s-1BIO\s0 after the initial connection.
+and freeing up the accept BIO after the initial connection.
.PP
If the underlying accept socket is nonblocking and \fBBIO_do_accept()\fR is
called to await an incoming connection it is possible for
-\&\fBBIO_should_io_special()\fR with the reason \s-1BIO_RR_ACCEPT.\s0 If this happens
+\&\fBBIO_should_io_special()\fR with the reason BIO_RR_ACCEPT. If this happens
then it is an indication that an accept attempt would block: the application
should take appropriate action to wait until the underlying socket has
accepted a connection and retry the call.
@@ -304,19 +236,19 @@ accepted a connection and retry the call.
\&\fBBIO_do_accept()\fR,
\&\fBBIO_set_accept_name()\fR, \fBBIO_set_accept_port()\fR, \fBBIO_set_nbio_accept()\fR,
\&\fBBIO_set_accept_bios()\fR, \fBBIO_set_accept_ip_family()\fR, and \fBBIO_set_bind_mode()\fR
-return 1 for success and <=0 for failure.
+return 1 for success and <= 0 for failure.
.PP
-\&\fBBIO_get_accept_name()\fR returns the accept name or \s-1NULL\s0 on error.
-\&\fBBIO_get_peer_name()\fR returns the peer name or \s-1NULL\s0 on error.
+\&\fBBIO_get_accept_name()\fR returns the accept name or NULL on error.
+\&\fBBIO_get_peer_name()\fR returns the peer name or NULL on error.
.PP
-\&\fBBIO_get_accept_port()\fR returns the accept port as a string or \s-1NULL\s0 on error.
-\&\fBBIO_get_peer_port()\fR returns the peer port as a string or \s-1NULL\s0 on error.
-\&\fBBIO_get_accept_ip_family()\fR returns the \s-1IP\s0 family or <=0 on error.
+\&\fBBIO_get_accept_port()\fR returns the accept port as a string or NULL on error.
+\&\fBBIO_get_peer_port()\fR returns the peer port as a string or NULL on error.
+\&\fBBIO_get_accept_ip_family()\fR returns the IP family or <= 0 on error.
.PP
-\&\fBBIO_get_bind_mode()\fR returns the set of \fB\s-1BIO_BIND\s0\fR flags, or <=0 on failure.
+\&\fBBIO_get_bind_mode()\fR returns the set of \fBBIO_BIND\fR flags, or <= 0 on failure.
.PP
-\&\fBBIO_new_accept()\fR returns a \s-1BIO\s0 or \s-1NULL\s0 on error.
-.SH "EXAMPLES"
+\&\fBBIO_new_accept()\fR returns a BIO or NULL on error.
+.SH EXAMPLES
.IX Header "EXAMPLES"
This example accepts two connections on port 4444, sends messages
down each and finally closes both down.
@@ -365,11 +297,14 @@ down each and finally closes both down.
\& BIO_free(cbio);
\& BIO_free(cbio2);
.Ve
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBBIO_set_tfo_accept()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_bio.3 b/secure/lib/libcrypto/man/man3/BIO_s_bio.3
index f89a1762a5c5..a7fd20ae6da7 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_bio.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_BIO 3ossl"
-.TH BIO_S_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr,
BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair,
BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request,
BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request \- BIO pair BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -163,20 +87,20 @@ BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request \- BIO pair BIO
\& size_t BIO_ctrl_get_read_request(BIO *b);
\& int BIO_ctrl_reset_read_request(BIO *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_bio()\fR returns the method for a \s-1BIO\s0 pair. A \s-1BIO\s0 pair is a pair of source/sink
+\&\fBBIO_s_bio()\fR returns the method for a BIO pair. A BIO pair is a pair of source/sink
BIOs where data written to either half of the pair is buffered and can be read from
the other half. Both halves must usually by handled by the same application thread
since no locking is done on the internal data structures.
.PP
-Since \s-1BIO\s0 chains typically end in a source/sink \s-1BIO\s0 it is possible to make this
-one half of a \s-1BIO\s0 pair and have all the data processed by the chain under application
+Since BIO chains typically end in a source/sink BIO it is possible to make this
+one half of a BIO pair and have all the data processed by the chain under application
control.
.PP
-One typical use of \s-1BIO\s0 pairs is to place \s-1TLS/SSL I/O\s0 under application control, this
+One typical use of BIO pairs is to place TLS/SSL I/O under application control, this
can be used when the application wishes to use a non standard transport for
-\&\s-1TLS/SSL\s0 or the normal socket routines are inappropriate.
+TLS/SSL or the normal socket routines are inappropriate.
.PP
Calls to \fBBIO_read_ex()\fR will read data from the buffer or request a retry if no
data is available.
@@ -194,14 +118,14 @@ determine the amount of pending data in the read or write buffer.
\&\fBBIO_destroy_pair()\fR destroys the association between two connected BIOs. Freeing
up any half of the pair will automatically destroy the association.
.PP
-\&\fBBIO_shutdown_wr()\fR is used to close down a \s-1BIO\s0 \fBb\fR. After this call no further
-writes on \s-1BIO\s0 \fBb\fR are allowed (they will return an error). Reads on the other
-half of the pair will return any pending data or \s-1EOF\s0 when all pending data has
+\&\fBBIO_shutdown_wr()\fR is used to close down a BIO \fBb\fR. After this call no further
+writes on BIO \fBb\fR are allowed (they will return an error). Reads on the other
+half of the pair will return any pending data or EOF when all pending data has
been read.
.PP
-\&\fBBIO_set_write_buf_size()\fR sets the write buffer size of \s-1BIO\s0 \fBb\fR to \fBsize\fR.
+\&\fBBIO_set_write_buf_size()\fR sets the write buffer size of BIO \fBb\fR to \fBsize\fR.
If the size is not initialized a default value is used. This is currently
-17K, sufficient for a maximum size \s-1TLS\s0 record.
+17K, sufficient for a maximum size TLS record.
.PP
\&\fBBIO_get_write_buf_size()\fR returns the size of the write buffer.
.PP
@@ -209,21 +133,21 @@ If the size is not initialized a default value is used. This is currently
\&\fBBIO_set_write_buf_size()\fR to create a connected pair of BIOs \fBbio1\fR, \fBbio2\fR
with write buffer sizes \fBwritebuf1\fR and \fBwritebuf2\fR. If either size is
zero then the default size is used. \fBBIO_new_bio_pair()\fR does not check whether
-\&\fBbio1\fR or \fBbio2\fR do point to some other \s-1BIO,\s0 the values are overwritten,
+\&\fBbio1\fR or \fBbio2\fR do point to some other BIO, the values are overwritten,
\&\fBBIO_free()\fR is not called.
.PP
\&\fBBIO_get_write_guarantee()\fR and \fBBIO_ctrl_get_write_guarantee()\fR return the maximum
-length of data that can be currently written to the \s-1BIO.\s0 Writes larger than this
+length of data that can be currently written to the BIO. Writes larger than this
value will return a value from \fBBIO_write_ex()\fR less than the amount requested or
if the buffer is full request a retry. \fBBIO_ctrl_get_write_guarantee()\fR is a
function whereas \fBBIO_get_write_guarantee()\fR is a macro.
.PP
\&\fBBIO_get_read_request()\fR and \fBBIO_ctrl_get_read_request()\fR return the
amount of data requested, or the buffer size if it is less, if the
-last read attempt at the other half of the \s-1BIO\s0 pair failed due to an
+last read attempt at the other half of the BIO pair failed due to an
empty buffer. This can be used to determine how much data should be
-written to the \s-1BIO\s0 so the next read will succeed: this is most useful
-in \s-1TLS/SSL\s0 applications where the amount of data read is usually
+written to the BIO so the next read will succeed: this is most useful
+in TLS/SSL applications where the amount of data read is usually
meaningful rather than just a buffer size. After a successful read
this call will return zero. It also will return zero once new data
has been written satisfying the read request or part of it.
@@ -232,12 +156,12 @@ than that returned by \fBBIO_get_write_guarantee()\fR.
.PP
\&\fBBIO_ctrl_reset_read_request()\fR can also be used to reset the value returned by
\&\fBBIO_get_read_request()\fR to zero.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Both halves of a \s-1BIO\s0 pair should be freed. That is even if one half is implicit
+Both halves of a BIO pair should be freed. That is even if one half is implicit
freed due to a \fBBIO_free_all()\fR or \fBSSL_free()\fR call the other half needs to be freed.
.PP
-When used in bidirectional applications (such as \s-1TLS/SSL\s0) care should be taken to
+When used in bidirectional applications (such as TLS/SSL) care should be taken to
flush any data in the write buffer. This can be done by calling \fBBIO_pending()\fR
on the other half of the pair and, if any data is pending, reading it and sending
it to the underlying transport. This must be done before any normal processing
@@ -245,13 +169,13 @@ it to the underlying transport. This must be done before any normal processing
.PP
To see why this is important consider a case where a request is sent using
\&\fBBIO_write_ex()\fR and a response read with \fBBIO_read_ex()\fR, this can occur during an
-\&\s-1TLS/SSL\s0 handshake for example. \fBBIO_write_ex()\fR will succeed and place data in the
+TLS/SSL handshake for example. \fBBIO_write_ex()\fR will succeed and place data in the
write buffer. \fBBIO_read_ex()\fR will initially fail and \fBBIO_should_read()\fR will be
true. If the application then waits for data to be available on the underlying
transport before flushing the write buffer it will never succeed because the
request was never sent!
.PP
-\&\fBBIO_eof()\fR is true if no data is in the peer \s-1BIO\s0 and the peer \s-1BIO\s0 has been
+\&\fBBIO_eof()\fR is true if no data is in the peer BIO and the peer BIO has been
shutdown.
.PP
\&\fBBIO_make_bio_pair()\fR, \fBBIO_destroy_bio_pair()\fR, \fBBIO_shutdown_wr()\fR,
@@ -261,13 +185,13 @@ as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_new_bio_pair()\fR returns 1 on success, with the new BIOs available in
-\&\fBbio1\fR and \fBbio2\fR, or 0 on failure, with \s-1NULL\s0 pointers stored into the
+\&\fBbio1\fR and \fBbio2\fR, or 0 on failure, with NULL pointers stored into the
locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more information.
.PP
-[\s-1XXXXX:\s0 More return values need to be added here]
-.SH "EXAMPLES"
+[XXXXX: More return values need to be added here]
+.SH EXAMPLES
.IX Header "EXAMPLES"
-The \s-1BIO\s0 pair can be used to have full control over the network access of an
+The BIO pair can be used to have full control over the network access of an
application. The application can call \fBselect()\fR on the socket as required
without having to go through the SSL-interface.
.PP
@@ -300,18 +224,18 @@ without having to go through the SSL-interface.
\& ...
.Ve
.PP
-As the \s-1BIO\s0 pair will only buffer the data and never directly access the
+As the BIO pair will only buffer the data and never directly access the
connection, it behaves nonblocking and will return as soon as the write
buffer is full or the read buffer is drained. Then the application has to
flush the write buffer and/or fill the read buffer.
.PP
-Use the \fBBIO_ctrl_pending()\fR, to find out whether data is buffered in the \s-1BIO\s0
+Use the \fBBIO_ctrl_pending()\fR, to find out whether data is buffered in the BIO
and must be transferred to the network. Use \fBBIO_ctrl_get_read_request()\fR to
find out, how many bytes must be written into the buffer before the
\&\fBSSL_operation()\fR can successfully be continued.
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
-As the data is buffered, \fBSSL_operation()\fR may return with an \s-1ERROR_SSL_WANT_READ\s0
+As the data is buffered, \fBSSL_operation()\fR may return with an ERROR_SSL_WANT_READ
condition, but there is still data in the write buffer. An application must
not rely on the error value of \fBSSL_operation()\fR but must assure that the
write buffer is always flushed first. Otherwise a deadlock may occur as
@@ -320,11 +244,11 @@ the peer might be waiting for the data before being able to continue.
.IX Header "SEE ALSO"
\&\fBSSL_set_bio\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7),
\&\fBBIO_should_retry\fR\|(3), \fBBIO_read_ex\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_connect.3 b/secure/lib/libcrypto/man/man3/BIO_s_connect.3
index 27e32a87b5c2..ebec8514c049 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_connect.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_connect.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_CONNECT 3ossl"
-.TH BIO_S_CONNECT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_CONNECT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_connect, BIO_new_connect,
BIO_set_conn_hostname, BIO_set_conn_port,
BIO_set_conn_address, BIO_set_conn_ip_family,
BIO_get_conn_hostname, BIO_get_conn_port,
BIO_get_conn_address, BIO_get_conn_ip_family,
-BIO_set_nbio, BIO_do_connect \- connect BIO
-.SH "SYNOPSIS"
+BIO_set_nbio, BIO_set_sock_type, BIO_get_sock_type, BIO_get0_dgram_bio,
+BIO_do_connect \- connect BIO
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -163,61 +88,65 @@ BIO_set_nbio, BIO_do_connect \- connect BIO
\&
\& long BIO_set_nbio(BIO *b, long n);
\&
+\& int BIO_set_sock_type(BIO *b, int sock_type);
+\& int BIO_get_sock_type(BIO *b);
+\& int BIO_get0_dgram_bio(BIO *B, BIO **dgram_bio);
+\&
\& long BIO_do_connect(BIO *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_connect()\fR returns the connect \s-1BIO\s0 method. This is a wrapper
-round the platform's \s-1TCP/IP\s0 socket connection routines.
+\&\fBBIO_s_connect()\fR returns the connect BIO method. This is a wrapper
+round the platform's TCP/IP socket connection routines.
.PP
-Using connect BIOs, \s-1TCP/IP\s0 connections can be made and data
-transferred using only \s-1BIO\s0 routines. In this way any platform
-specific operations are hidden by the \s-1BIO\s0 abstraction.
+Using connect BIOs, TCP/IP connections can be made and data
+transferred using only BIO routines. In this way any platform
+specific operations are hidden by the BIO abstraction.
.PP
-Read and write operations on a connect \s-1BIO\s0 will perform I/O
+Read and write operations on a connect BIO will perform I/O
on the underlying connection. If no connection is established
and the port and hostname (see below) is set up properly then
a connection is established first.
.PP
-Connect BIOs support \fBBIO_puts()\fR but not \fBBIO_gets()\fR.
+Connect BIOs support \fBBIO_puts()\fR and \fBBIO_gets()\fR.
.PP
-If the close flag is set on a connect \s-1BIO\s0 then any active
-connection is shutdown and the socket closed when the \s-1BIO\s0
+If the close flag is set on a connect BIO then any active
+connection is shutdown and the socket closed when the BIO
is freed.
.PP
-Calling \fBBIO_reset()\fR on a connect \s-1BIO\s0 will close any active
-connection and reset the \s-1BIO\s0 into a state where it can connect
+Calling \fBBIO_reset()\fR on a connect BIO will close any active
+connection and reset the BIO into a state where it can connect
to the same host again.
.PP
\&\fBBIO_new_connect()\fR combines \fBBIO_new()\fR and \fBBIO_set_conn_hostname()\fR into
-a single call: that is it creates a new connect \s-1BIO\s0 with hostname \fBname\fR.
+a single call: that is it creates a new connect BIO with hostname \fBname\fR.
.PP
\&\fBBIO_set_conn_hostname()\fR uses the string \fBname\fR to set the hostname.
-The hostname can be an \s-1IP\s0 address; if the address is an IPv6 one, it
-must be enclosed with brackets \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
+The hostname can be an IP address; if the address is an IPv6 one, it
+must be enclosed in brackets \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
The hostname can also include the port in the form hostname:port;
see \fBBIO_parse_hostserv\fR\|(3) and \fBBIO_set_conn_port()\fR for details.
.PP
\&\fBBIO_set_conn_port()\fR sets the port to \fBport\fR. \fBport\fR can be the
-numerical form or a service string such as \*(L"http\*(R", which
+numerical form or a service string such as "http", which
will be mapped to a port number using the system function \fBgetservbyname()\fR.
.PP
\&\fBBIO_set_conn_address()\fR sets the address and port information using
-a \s-1\fBBIO_ADDR\s0\fR\|(3ssl).
+a \fBBIO_ADDR\fR\|(3ssl).
.PP
-\&\fBBIO_set_conn_ip_family()\fR sets the \s-1IP\s0 family.
+\&\fBBIO_set_conn_ip_family()\fR sets the IP family.
.PP
-\&\fBBIO_get_conn_hostname()\fR returns the hostname of the connect \s-1BIO\s0 or
-\&\s-1NULL\s0 if the \s-1BIO\s0 is initialized but no hostname is set.
+\&\fBBIO_get_conn_hostname()\fR returns the hostname of the connect BIO or
+NULL if the BIO is initialized but no hostname is set.
This return value is an internal pointer which should not be modified.
.PP
\&\fBBIO_get_conn_port()\fR returns the port as a string.
This return value is an internal pointer which should not be modified.
.PP
-\&\fBBIO_get_conn_address()\fR returns the address information as a \s-1BIO_ADDR.\s0
+\&\fBBIO_get_conn_address()\fR returns the address information as a BIO_ADDR.
This return value is an internal pointer which should not be modified.
.PP
-\&\fBBIO_get_conn_ip_family()\fR returns the \s-1IP\s0 family of the connect \s-1BIO.\s0
+\&\fBBIO_get_conn_ip_family()\fR returns the IP family of the connect BIO.
.PP
\&\fBBIO_set_nbio()\fR sets the non blocking I/O flag to \fBn\fR. If \fBn\fR is
zero then blocking I/O is set. If \fBn\fR is 1 then non blocking I/O
@@ -225,17 +154,30 @@ is set. Blocking I/O is the default. The call to \fBBIO_set_nbio()\fR
should be made before the connection is established because
non blocking I/O is set during the connect process.
.PP
-\&\fBBIO_do_connect()\fR attempts to connect the supplied \s-1BIO.\s0
-This performs an \s-1SSL/TLS\s0 handshake as far as supported by the \s-1BIO.\s0
-For non-SSL BIOs the connection is done typically at \s-1TCP\s0 level.
-If domain name resolution yields multiple \s-1IP\s0 addresses all of them are tried
+\&\fBBIO_do_connect()\fR attempts to connect the supplied BIO.
+This performs an SSL/TLS handshake as far as supported by the BIO.
+For non-SSL BIOs the connection is done typically at TCP level.
+If domain name resolution yields multiple IP addresses all of them are tried
after \fBconnect()\fR failures.
The function returns 1 if the connection was established successfully.
A zero or negative value is returned if the connection could not be established.
The call \fBBIO_should_retry()\fR should be used for non blocking connect BIOs
to determine if the call should be retried.
If a connection has already been established this call has no effect.
-.SH "NOTES"
+.PP
+\&\fBBIO_set_sock_type()\fR can be used to set a socket type value as would be passed in
+a call to \fBsocket\fR\|(2). The only currently supported values are \fBSOCK_STREAM\fR (the
+default) and \fBSOCK_DGRAM\fR. If \fBSOCK_DGRAM\fR is configured, the connection
+created is a UDP datagram socket handled via \fBBIO_s_datagram\fR\|(3).
+I/O calls such as \fBBIO_read\fR\|(3) and \fBBIO_write\fR\|(3) are forwarded transparently
+to an internal \fBBIO_s_datagram\fR\|(3) instance. The created \fBBIO_s_datagram\fR\|(3)
+instance can be retrieved using \fBBIO_get0_dgram_bio()\fR if desired, which writes
+a pointer to the \fBBIO_s_datagram\fR\|(3) instance to \fI*dgram_bio\fR. The lifetime
+of the internal \fBBIO_s_datagram\fR\|(3) is managed by \fBBIO_s_connect()\fR and does not
+need to be freed by the caller.
+.PP
+\&\fBBIO_get_sock_type()\fR retrieves the value set using \fBBIO_set_sock_type()\fR.
+.SH NOTES
.IX Header "NOTES"
If blocking I/O is set then a non positive return value from any
I/O call is caused by an error condition, although a zero return
@@ -260,7 +202,7 @@ If non blocking I/O is set then retries will be requested as appropriate.
.PP
It addition to \fBBIO_should_read()\fR and \fBBIO_should_write()\fR it is also
possible for \fBBIO_should_io_special()\fR to be true during the initial
-connection process with the reason \s-1BIO_RR_CONNECT.\s0 If this is returned
+connection process with the reason BIO_RR_CONNECT. If this is returned
then this is an indication that a connection attempt would block,
the application should then take appropriate action to wait until
the underlying socket has connected and retry the call.
@@ -271,29 +213,35 @@ the underlying socket has connected and retry the call.
\&\fBBIO_set_nbio()\fR, and \fBBIO_do_connect()\fR are macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_connect()\fR returns the connect \s-1BIO\s0 method.
+\&\fBBIO_s_connect()\fR returns the connect BIO method.
.PP
\&\fBBIO_set_conn_address()\fR, \fBBIO_set_conn_port()\fR, and \fBBIO_set_conn_ip_family()\fR
return 1 or <=0 if an error occurs.
.PP
\&\fBBIO_set_conn_hostname()\fR returns 1 on success and <=0 on failure.
.PP
-\&\fBBIO_get_conn_address()\fR returns the address information or \s-1NULL\s0 if none
+\&\fBBIO_get_conn_address()\fR returns the address information or NULL if none
was set.
.PP
-\&\fBBIO_get_conn_hostname()\fR returns the connected hostname or \s-1NULL\s0 if
+\&\fBBIO_get_conn_hostname()\fR returns the connected hostname or NULL if
none was set.
.PP
\&\fBBIO_get_conn_ip_family()\fR returns the address family or \-1 if none was set.
.PP
\&\fBBIO_get_conn_port()\fR returns a string representing the connected
-port or \s-1NULL\s0 if not set.
+port or NULL if not set.
.PP
\&\fBBIO_set_nbio()\fR returns 1 or <=0 if an error occurs.
.PP
\&\fBBIO_do_connect()\fR returns 1 if the connection was successfully
established and <=0 if the connection failed.
-.SH "EXAMPLES"
+.PP
+\&\fBBIO_set_sock_type()\fR returns 1 on success or 0 on failure.
+.PP
+\&\fBBIO_get_sock_type()\fR returns a socket type or 0 if the call is not supported.
+.PP
+\&\fBBIO_get0_dgram_bio()\fR returns 1 on success or 0 on failure.
+.SH EXAMPLES
.IX Header "EXAMPLES"
This is example connects to a webserver on the local host and attempts
to retrieve a page and copy the result to standard output.
@@ -322,17 +270,19 @@ to retrieve a page and copy the result to standard output.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBBIO_ADDR\s0\fR\|(3), \fBBIO_parse_hostserv\fR\|(3)
-.SH "HISTORY"
+\&\fBBIO_ADDR\fR\|(3), \fBBIO_parse_hostserv\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBIO_set_conn_int_port()\fR, \fBBIO_get_conn_int_port()\fR, \fBBIO_set_conn_ip()\fR, and \fBBIO_get_conn_ip()\fR
were removed in OpenSSL 1.1.0.
Use \fBBIO_set_conn_address()\fR and \fBBIO_get_conn_address()\fR instead.
-.SH "COPYRIGHT"
+.PP
+Connect BIOs support \fBBIO_gets()\fR since OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_core.3 b/secure/lib/libcrypto/man/man3/BIO_s_core.3
index 38b16b407266..6d004b68521a 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_core.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_core.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_CORE 3ossl"
-.TH BIO_S_CORE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_CORE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_core, BIO_new_from_core_bio \- OSSL_CORE_BIO functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -147,38 +71,38 @@ BIO_s_core, BIO_new_from_core_bio \- OSSL_CORE_BIO functions
\&
\& BIO *BIO_new_from_core_bio(OSSL_LIB_CTX *libctx, OSSL_CORE_BIO *corebio);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_core()\fR returns the core \s-1BIO\s0 method function.
+\&\fBBIO_s_core()\fR returns the core BIO method function.
.PP
-A core \s-1BIO\s0 is treated as source/sink \s-1BIO\s0 which communicates to some external
-\&\s-1BIO.\s0 This is primarily useful to provider authors. A number of calls from
-libcrypto into a provider supply an \s-1OSSL_CORE_BIO\s0 parameter. This represents
-a \s-1BIO\s0 within libcrypto, but cannot be used directly by a provider. Instead it
+A core BIO is treated as source/sink BIO which communicates to some external
+BIO. This is primarily useful to provider authors. A number of calls from
+libcrypto into a provider supply an OSSL_CORE_BIO parameter. This represents
+a BIO within libcrypto, but cannot be used directly by a provider. Instead it
should be wrapped using a \fBBIO_s_core()\fR.
.PP
-Once a \s-1BIO\s0 is constructed based on \fBBIO_s_core()\fR, the associated \s-1OSSL_CORE_BIO\s0
-object should be set on it using \fBBIO_set_data\fR\|(3). Note that the \s-1BIO\s0 will only
+Once a BIO is constructed based on \fBBIO_s_core()\fR, the associated OSSL_CORE_BIO
+object should be set on it using \fBBIO_set_data\fR\|(3). Note that the BIO will only
operate correctly if it is associated with a library context constructed using
-\&\fBOSSL_LIB_CTX_new_from_dispatch\fR\|(3). To associate the \s-1BIO\s0 with a library context
+\&\fBOSSL_LIB_CTX_new_from_dispatch\fR\|(3). To associate the BIO with a library context
construct it using \fBBIO_new_ex\fR\|(3).
.PP
-\&\fBBIO_new_from_core_bio()\fR is a convenience function that constructs a new \s-1BIO\s0
+\&\fBBIO_new_from_core_bio()\fR is a convenience function that constructs a new BIO
based on \fBBIO_s_core()\fR and that is associated with the given library context. It
-then also sets the \s-1OSSL_CORE_BIO\s0 object on the \s-1BIO\s0 using \fBBIO_set_data\fR\|(3).
+then also sets the OSSL_CORE_BIO object on the BIO using \fBBIO_set_data\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_core()\fR return a core \s-1BIO\s0 \fB\s-1BIO_METHOD\s0\fR structure.
+\&\fBBIO_s_core()\fR return a core BIO \fBBIO_METHOD\fR structure.
.PP
-\&\fBBIO_new_from_core_bio()\fR returns a \s-1BIO\s0 structure on success or \s-1NULL\s0 on failure.
+\&\fBBIO_new_from_core_bio()\fR returns a BIO structure on success or NULL on failure.
A failure will most commonly be because the library context was not constructed
using \fBOSSL_LIB_CTX_new_from_dispatch\fR\|(3).
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBIO_s_core()\fR and \fBBIO_new_from_core_bio()\fR were added in OpenSSL 3.0.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Create a core \s-1BIO\s0 and write some data to it:
+Create a core BIO and write some data to it:
.PP
.Vb 2
\& int some_function(OSSL_LIB_CTX *libctx, OSSL_CORE_BIO *corebio) {
@@ -193,11 +117,11 @@ Create a core \s-1BIO\s0 and write some data to it:
\& return 1;
\& }
.Ve
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_datagram.3 b/secure/lib/libcrypto/man/man3/BIO_s_datagram.3
index 755d96e08f81..4a0fdabde68a 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_datagram.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_datagram.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_DATAGRAM 3ossl"
-.TH BIO_S_DATAGRAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_DATAGRAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_datagram, BIO_new_dgram,
BIO_ctrl_dgram_connect,
BIO_ctrl_set_connected,
@@ -144,8 +68,9 @@ BIO_dgram_recv_timedout,
BIO_dgram_send_timedout,
BIO_dgram_get_peer,
BIO_dgram_set_peer,
+BIO_dgram_detect_peer_addr,
BIO_dgram_get_mtu_overhead \- Network BIO with datagram semantics
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -160,100 +85,126 @@ BIO_dgram_get_mtu_overhead \- Network BIO with datagram semantics
\& int BIO_dgram_get_peer(BIO *bio, BIO_ADDR *peer);
\& int BIO_dgram_set_peer(BIO *bio, const BIO_ADDR *peer);
\& int BIO_dgram_get_mtu_overhead(BIO *bio);
+\& int BIO_dgram_detect_peer_addr(BIO *bio, BIO_ADDR *peer);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_datagram()\fR is a \s-1BIO\s0 implementation designed for use with network sockets
-which provide datagram semantics, such as \s-1UDP\s0 sockets. It is suitable for use
-with DTLSv1.
+\&\fBBIO_s_datagram()\fR is a BIO implementation designed for use with network sockets
+which provide datagram semantics, such as UDP sockets. It is suitable for use
+with DTLSv1 or QUIC.
.PP
Because \fBBIO_s_datagram()\fR has datagram semantics, a single \fBBIO_write()\fR call sends
a single datagram and a single \fBBIO_read()\fR call receives a single datagram. If
the size of the buffer passed to \fBBIO_read()\fR is inadequate, the datagram is
silently truncated.
.PP
+For a memory-based BIO which provides datagram semantics identical to those of
+\&\fBBIO_s_datagram()\fR, see \fBBIO_s_dgram_pair\fR\|(3).
+.PP
+This BIO supports the \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) functions.
+.PP
When using \fBBIO_s_datagram()\fR, it is important to note that:
-.IP "\(bu" 4
-This \s-1BIO\s0 can be used with either a connected or unconnected network socket. A
+.IP \(bu 4
+This BIO can be used with either a connected or unconnected network socket. A
connected socket is a network socket which has had \fBBIO_connect\fR\|(3) or a
similar OS-specific function called on it. Such a socket can only receive
datagrams from the specified peer. Any other socket is an unconnected socket and
can receive datagrams from any host.
-.IP "\(bu" 4
+.IP \(bu 4
Despite their naming,
neither \fBBIO_ctrl_dgram_connect()\fR nor \fBBIO_ctrl_set_connected()\fR cause a socket
-to become connected. These controls are provided to indicate to the \s-1BIO\s0 how
+to become connected. These controls are provided to indicate to the BIO how
the underlying socket is configured and how it is to be used; see below.
-.IP "\(bu" 4
+.IP \(bu 4
Use of \fBBIO_s_datagram()\fR with an unconnected network socket is hazardous hecause
any successful call to \fBBIO_read()\fR results in the peer address used for any
subsequent call to \fBBIO_write()\fR being set to the source address of the datagram
received by that call to \fBBIO_read()\fR. Thus, unless the caller calls
\&\fBBIO_dgram_set_peer()\fR immediately prior to every call to \fBBIO_write()\fR, or never
calls \fBBIO_read()\fR, any host on the network may cause future datagrams written to
-be redirected to that host. Therefore, it is recommended that users use
-\&\fBBIO_s_dgram()\fR only with a connected socket. An exception is where
+be redirected to that host. Therefore, it is recommended that users either use
+\&\fBBIO_s_dgram()\fR only with a connected socket, or, if using \fBBIO_s_dgram()\fR with an
+unconnected socket, to use the \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) methods
+only and forego use of \fBBIO_read\fR\|(3) and \fBBIO_write\fR\|(3). An exception is where
\&\fBDTLSv1_listen\fR\|(3) must be used; see \fBDTLSv1_listen\fR\|(3) for further
discussion.
+.IP \(bu 4
+Unlike \fBBIO_read\fR\|(3) and \fBBIO_write\fR\|(3), the \fBBIO_sendmmsg\fR\|(3) and
+\&\fBBIO_recvmmsg\fR\|(3) methods are stateless and do not cause the internal state of
+the \fBBIO_s_datagram()\fR to change.
.PP
Various controls are available for configuring the \fBBIO_s_datagram()\fR using
\&\fBBIO_ctrl\fR\|(3):
-.IP "BIO_ctrl_dgram_connect (\s-1BIO_CTRL_DGRAM_CONNECT\s0)" 4
+.IP "BIO_ctrl_dgram_connect (BIO_CTRL_DGRAM_CONNECT)" 4
.IX Item "BIO_ctrl_dgram_connect (BIO_CTRL_DGRAM_CONNECT)"
This is equivalent to calling \fBBIO_dgram_set_peer\fR\|(3).
.Sp
Despite its name, this function does not cause the underlying socket to become
connected.
-.IP "BIO_ctrl_set_connected (\s-1BIO_CTRL_SET_CONNECTED\s0)" 4
+.IP "BIO_ctrl_set_connected (BIO_CTRL_SET_CONNECTED)" 4
.IX Item "BIO_ctrl_set_connected (BIO_CTRL_SET_CONNECTED)"
This informs the \fBBIO_s_datagram()\fR whether the underlying socket has been
connected, and therefore how the \fBBIO_s_datagram()\fR should attempt to use the
socket.
.Sp
If the \fIpeer\fR argument is non-NULL, \fBBIO_s_datagram()\fR assumes that the
-underlying socket has been connected and will attempt to use the socket using \s-1OS\s0
+underlying socket has been connected and will attempt to use the socket using OS
APIs which do not specify peer addresses (for example, \fBsend\fR\|(3) and \fBrecv\fR\|(3) or
similar). The \fIpeer\fR argument should specify the peer address to which the socket
is connected.
.Sp
-If the \fIpeer\fR argument is \s-1NULL,\s0 \fBBIO_s_datagram()\fR assumes that the underlying
-socket is not connected and will attempt to use the socket using an \s-1OS\s0 APIs
+If the \fIpeer\fR argument is NULL, \fBBIO_s_datagram()\fR assumes that the underlying
+socket is not connected and will attempt to use the socket using an OS APIs
which specify peer addresses (for example, \fBsendto\fR\|(3) and \fBrecvfrom\fR\|(3)).
-.IP "BIO_dgram_get_peer (\s-1BIO_CTRL_DGRAM_GET_PEER\s0)" 4
+.Sp
+This control does not affect the operation of \fBBIO_sendmmsg\fR\|(3) or
+\&\fBBIO_recvmmsg\fR\|(3).
+.IP "BIO_dgram_get_peer (BIO_CTRL_DGRAM_GET_PEER)" 4
.IX Item "BIO_dgram_get_peer (BIO_CTRL_DGRAM_GET_PEER)"
-This outputs a \fB\s-1BIO_ADDR\s0\fR which specifies one of the following values,
+This outputs a \fBBIO_ADDR\fR which specifies one of the following values,
whichever happened most recently:
.RS 4
-.IP "\(bu" 4
+.IP \(bu 4
The peer address last passed to \fBBIO_dgram_set_peer()\fR, \fBBIO_ctrl_dgram_connect()\fR
or \fBBIO_ctrl_set_connected()\fR.
-.IP "\(bu" 4
+.IP \(bu 4
The peer address of the datagram last received by a call to \fBBIO_read()\fR.
.RE
.RS 4
.RE
-.IP "BIO_dgram_set_peer (\s-1BIO_CTRL_DGRAM_SET_PEER\s0)" 4
+.IP "BIO_dgram_set_peer (BIO_CTRL_DGRAM_SET_PEER)" 4
.IX Item "BIO_dgram_set_peer (BIO_CTRL_DGRAM_SET_PEER)"
-Sets the peer address to be used for subsequent writes to this \s-1BIO.\s0
+Sets the peer address to be used for subsequent writes to this BIO.
.Sp
Warning: When used with an unconnected network socket, the value set may be
modified by future calls to \fBBIO_read\fR\|(3), making use of \fBBIO_s_datagram()\fR
hazardous when used with unconnected network sockets; see above.
-.IP "BIO_dgram_recv_timeout (\s-1BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP\s0)" 4
+.Sp
+This does not affect the operation of \fBBIO_sendmmsg\fR\|(3).
+\&\fBBIO_recvmmsg\fR\|(3) does not affect the value set by \fBBIO_dgram_set_peer()\fR.
+.IP "BIO_dgram_detect_peer_addr (BIO_CTRL_DGRAM_DETECT_PEER_ADDR)" 4
+.IX Item "BIO_dgram_detect_peer_addr (BIO_CTRL_DGRAM_DETECT_PEER_ADDR)"
+This is similar to \fBBIO_dgram_get_peer()\fR except that if the peer address has not
+been set on the BIO object, an OS call such as \fBgetpeername\fR\|(2) will be attempted
+to try and autodetect the peer address to which the underlying socket is
+connected. Other BIOs may also implement this control if they are capable of
+sensing a peer address, without necessarily also implementing
+\&\fBBIO_dgram_set_peer()\fR and \fBBIO_dgram_get_peer()\fR.
+.IP "BIO_dgram_recv_timeout (BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP)" 4
.IX Item "BIO_dgram_recv_timeout (BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP)"
-Returns 1 if the last I/O operation performed on the \s-1BIO\s0 (for example, via a
+Returns 1 if the last I/O operation performed on the BIO (for example, via a
call to \fBBIO_read\fR\|(3)) may have been caused by a receive timeout.
-.IP "BIO_dgram_send_timedout (\s-1BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP\s0)" 4
+.IP "BIO_dgram_send_timedout (BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP)" 4
.IX Item "BIO_dgram_send_timedout (BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP)"
-Returns 1 if the last I/O operation performed on the \s-1BIO\s0 (for example, via a
+Returns 1 if the last I/O operation performed on the BIO (for example, via a
call to \fBBIO_write\fR\|(3)) may have been caused by a send timeout.
-.IP "BIO_dgram_get_mtu_overhead (\s-1BIO_CTRL_DGRAM_GET_MTU_OVERHEAD\s0)" 4
+.IP "BIO_dgram_get_mtu_overhead (BIO_CTRL_DGRAM_GET_MTU_OVERHEAD)" 4
.IX Item "BIO_dgram_get_mtu_overhead (BIO_CTRL_DGRAM_GET_MTU_OVERHEAD)"
Returns a quantity in bytes which is a rough estimate of the number of bytes of
overhead which should typically be added to a datagram payload size in order to
-estimate the final size of the Layer 3 (e.g. \s-1IP\s0) packet which will contain the
+estimate the final size of the Layer 3 (e.g. IP) packet which will contain the
datagram. In most cases, the maximum datagram payload size which can be
-transmitted can be determined by determining the link \s-1MTU\s0 in bytes and
+transmitted can be determined by determining the link MTU in bytes and
subtracting the value returned by this call.
.Sp
The value returned by this call depends on the network layer protocol being
@@ -262,58 +213,64 @@ used.
The value returned is not fully reliable because datagram overheads can be
higher in atypical network configurations, for example where IPv6 extension
headers or IPv4 options are used.
-.IP "\s-1BIO_CTRL_DGRAM_SET_DONT_FRAG\s0" 4
+.IP BIO_CTRL_DGRAM_SET_DONT_FRAG 4
.IX Item "BIO_CTRL_DGRAM_SET_DONT_FRAG"
If \fInum\fR is nonzero, configures the underlying network socket to enable Don't
-Fragment mode, in which datagrams will be set with the \s-1IP\s0 Don't Fragment (\s-1DF\s0)
+Fragment mode, in which datagrams will be set with the IP Don't Fragment (DF)
bit set. If \fInum\fR is zero, Don't Fragment mode is disabled.
-.IP "\s-1BIO_CTRL_DGRAM_QUERY_MTU\s0" 4
+.IP BIO_CTRL_DGRAM_QUERY_MTU 4
.IX Item "BIO_CTRL_DGRAM_QUERY_MTU"
-Queries the \s-1OS\s0 for its assessment of the Path \s-1MTU\s0 for the destination to which
-the underlying network socket, and returns that Path \s-1MTU\s0 in bytes. This control
+Queries the OS for its assessment of the Path MTU for the destination to which
+the underlying network socket, and returns that Path MTU in bytes. This control
can only be used with a connected socket.
.Sp
-This is not supported on all platforms and depends on \s-1OS\s0 support being
+This is not supported on all platforms and depends on OS support being
available. Returns 0 on failure.
-.IP "\s-1BIO_CTRL_DGRAM_MTU_DISCOVER\s0" 4
+.IP BIO_CTRL_DGRAM_MTU_DISCOVER 4
.IX Item "BIO_CTRL_DGRAM_MTU_DISCOVER"
-This control requests that Path \s-1MTU\s0 discovery be enabled on the underlying
+This control requests that Path MTU discovery be enabled on the underlying
network socket.
-.IP "\s-1BIO_CTRL_DGRAM_GET_FALLBACK_MTU\s0" 4
+.IP BIO_CTRL_DGRAM_GET_FALLBACK_MTU 4
.IX Item "BIO_CTRL_DGRAM_GET_FALLBACK_MTU"
Returns the estimated minimum size of datagram payload which should always be
-supported on the \s-1BIO.\s0 This size is determined by the minimum \s-1MTU\s0 required to be
+supported on the BIO. This size is determined by the minimum MTU required to be
supported by the applicable underlying network layer. Use of datagrams of this
size may lead to suboptimal performance, but should be routable in all
circumstances. The value returned is the datagram payload size in bytes and does
not include the size of layer 3 or layer 4 protocol headers.
-.IP "\s-1BIO_CTRL_DGRAM_MTU_EXCEEDED\s0" 4
+.IP BIO_CTRL_DGRAM_MTU_EXCEEDED 4
.IX Item "BIO_CTRL_DGRAM_MTU_EXCEEDED"
-Returns 1 if the last attempted write to the \s-1BIO\s0 failed due to the size of the
-attempted write exceeding the applicable \s-1MTU.\s0
-.IP "\s-1BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT\s0" 4
+Returns 1 if the last attempted write to the BIO failed due to the size of the
+attempted write exceeding the applicable MTU.
+.IP BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 4
.IX Item "BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT"
Accepts a pointer to a \fBstruct timeval\fR. If the time specified is zero,
disables receive timeouts. Otherwise, configures the specified time interval as
the receive timeout for the socket for the purposes of future \fBBIO_read\fR\|(3)
calls.
-.IP "\s-1BIO_CTRL_DGRAM_SET_PEEK_MODE\s0" 4
+.IP BIO_CTRL_DGRAM_SET_PEEK_MODE 4
.IX Item "BIO_CTRL_DGRAM_SET_PEEK_MODE"
If \fBnum\fR is nonzero, enables peek mode; otherwise, disables peek mode. Where
peek mode is enabled, calls to \fBBIO_read\fR\|(3) read datagrams from the underlying
network socket in peek mode, meaning that a future call to \fBBIO_read\fR\|(3) will
yield the same datagram until peek mode is disabled.
+.Sp
+\&\fBBIO_recvmmsg\fR\|(3) is not affected by this control.
.PP
\&\fBBIO_new_dgram()\fR is a helper function which instantiates a \fBBIO_s_datagram()\fR and
-sets the \s-1BIO\s0 to use the socket given in \fIfd\fR by calling \fBBIO_set_fd()\fR.
+sets the BIO to use the socket given in \fIfd\fR by calling \fBBIO_set_fd()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_datagram()\fR returns a \s-1BIO\s0 method.
+\&\fBBIO_s_datagram()\fR returns a BIO method.
+.PP
+\&\fBBIO_new_dgram()\fR returns a BIO on success and NULL on failure.
.PP
-\&\fBBIO_new_dgram()\fR returns a \s-1BIO\s0 on success and \s-1NULL\s0 on failure.
+\&\fBBIO_ctrl_dgram_connect()\fR, \fBBIO_ctrl_set_connected()\fR and \fBBIO_dgram_set_peer()\fR
+return 1 on success and 0 on failure.
.PP
-\&\fBBIO_ctrl_dgram_connect()\fR, \fBBIO_ctrl_set_connected()\fR,
-\&\fBBIO_dgram_get_peer()\fR, \fBBIO_dgram_set_peer()\fR return 1 on success and 0 on failure.
+\&\fBBIO_dgram_get_peer()\fR and \fBBIO_dgram_detect_peer_addr()\fR return 0 on failure and
+the number of bytes for the outputted address representation (a positive value)
+on success.
.PP
\&\fBBIO_dgram_recv_timedout()\fR and \fBBIO_dgram_send_timedout()\fR return 0 or 1 depending
on the circumstance; see discussion above.
@@ -321,12 +278,12 @@ on the circumstance; see discussion above.
\&\fBBIO_dgram_get_mtu_overhead()\fR returns a value in bytes.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBDTLSv1_listen\fR\|(3), \fBbio\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBBIO_sendmmsg\fR\|(3), \fBBIO_s_dgram_pair\fR\|(3), \fBDTLSv1_listen\fR\|(3), \fBbio\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3 b/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3
new file mode 100644
index 000000000000..1f102ebe3be1
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/BIO_s_dgram_pair.3
@@ -0,0 +1,280 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "BIO_S_DGRAM_PAIR 3ossl"
+.TH BIO_S_DGRAM_PAIR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+BIO_s_dgram_pair, BIO_new_bio_dgram_pair, BIO_dgram_set_no_trunc,
+BIO_dgram_get_no_trunc, BIO_dgram_get_effective_caps, BIO_dgram_get_caps,
+BIO_dgram_set_caps, BIO_dgram_set_mtu, BIO_dgram_get_mtu,
+BIO_dgram_set0_local_addr \- datagram pair BIO
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/bio.h>
+\&
+\& const BIO_METHOD *BIO_s_dgram_pair(void);
+\&
+\& int BIO_new_bio_dgram_pair(BIO **bio1, size_t writebuf1,
+\& BIO **bio2, size_t writebuf2);
+\& int BIO_dgram_set_no_trunc(BIO *bio, int enable);
+\& int BIO_dgram_get_no_trunc(BIO *bio);
+\& uint32_t BIO_dgram_get_effective_caps(BIO *bio);
+\& uint32_t BIO_dgram_get_caps(BIO *bio);
+\& int BIO_dgram_set_caps(BIO *bio, uint32_t caps);
+\& int BIO_dgram_set_mtu(BIO *bio, unsigned int mtu);
+\& unsigned int BIO_dgram_get_mtu(BIO *bio);
+\& int BIO_dgram_set0_local_addr(BIO *bio, BIO_ADDR *addr);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBBIO_s_dgram_pair()\fR returns the method for a BIO datagram pair. A BIO datagram
+pair is similar to a BIO pair (see \fBBIO_s_bio\fR\|(3)) but has datagram semantics.
+Broadly, this means that the length of the buffer passed to a write call will
+match that retrieved by a read call. If the buffer passed to a read call is too
+short, the datagram is truncated or the read fails, depending on how the BIO is
+configured.
+.PP
+The BIO datagram pair attaches certain metadata to each write, such as source
+and destination addresses. This information may be retrieved on read.
+.PP
+A typical application of a BIO datagram pair is to allow an application to keep
+all datagram network I/O requested by libssl under application control.
+.PP
+The BIO datagram pair is designed to support multithreaded use where certain
+restrictions are observed; see THREADING.
+.PP
+The BIO datagram pair allows each half of a pair to signal to the other half
+whether they support certain capabilities; see CAPABILITY INDICATION.
+.PP
+\&\fBBIO_new_bio_dgram_pair()\fR combines the calls to \fBBIO_new\fR\|(3),
+\&\fBBIO_make_bio_pair\fR\|(3) and \fBBIO_set_write_buf_size\fR\|(3) to create a connected
+pair of BIOs \fBbio1\fR, \fBbio2\fR with write buffer sizes \fBwritebuf1\fR and
+\&\fBwritebuf2\fR. If either size is zero then the default size is used.
+.PP
+\&\fBBIO_make_bio_pair\fR\|(3) may be used to join two datagram pair BIOs into a pair.
+The two BIOs must both use the method returned by \fBBIO_s_dgram_pair()\fR and neither
+of the BIOs may currently be associated in a pair.
+.PP
+\&\fBBIO_destroy_bio_pair\fR\|(3) destroys the association between two connected BIOs.
+Freeing either half of the pair will automatically destroy the association.
+.PP
+\&\fBBIO_reset\fR\|(3) clears any data in the write buffer of the given BIO. This means
+that the opposite BIO in the pair will no longer have any data waiting to be
+read.
+.PP
+The BIO maintains a fixed size internal write buffer. When the buffer is full,
+further writes will fail until the buffer is drained via calls to
+\&\fBBIO_read\fR\|(3). The size of the buffer can be changed using
+\&\fBBIO_set_write_buf_size\fR\|(3) and queried using \fBBIO_get_write_buf_size\fR\|(3).
+.PP
+Note that the write buffer is partially consumed by metadata stored internally
+which is attached to each datagram, such as source and destination addresses.
+The size of this overhead is undefined and may change between releases.
+.PP
+The standard \fBBIO_ctrl_pending\fR\|(3) call has modified behaviour and returns the
+size of the next datagram waiting to be read in bytes. An application can use
+this function to ensure it provides an adequate buffer to a subsequent read
+call. If no datagram is waiting to be read, zero is returned.
+.PP
+This BIO does not support sending or receiving zero-length datagrams. Passing a
+zero-length buffer to BIO_write is treated as a no-op.
+.PP
+\&\fBBIO_eof\fR\|(3) returns 1 only if the given BIO datagram pair BIO is not currently
+connected to a peer BIO.
+.PP
+\&\fBBIO_get_write_guarantee\fR\|(3) and \fBBIO_ctrl_get_write_guarantee\fR\|(3) return how
+large a datagram the next call to \fBBIO_write\fR\|(3) can accept. If there is not
+enough space in the write buffer to accept another datagram equal in size to the
+configured MTU, zero is returned (see below). This is intended to avoid a
+situation where an application attempts to read a datagram from a network
+intending to write it to a BIO datagram pair, but where the received datagram
+ends up being too large to write to the BIO datagram pair.
+.PP
+\&\fBBIO_dgram_set_no_trunc()\fR and \fBBIO_ctrl_get_no_trunc()\fR set and retrieve the
+truncation mode for the given half of a BIO datagram pair. When no-truncate mode
+is enabled, \fBBIO_read()\fR will fail if the buffer provided is inadequate to hold
+the next datagram to be read. If no-truncate mode is disabled (the default), the
+datagram will be silently truncated. This default behaviour maintains
+compatibility with the semantics of the Berkeley sockets API.
+.PP
+\&\fBBIO_dgram_set_mtu()\fR and \fBBIO_dgram_get_mtu()\fR may be used to set an informational
+MTU value on the BIO datagram pair. If \fBBIO_dgram_set_mtu()\fR is used on a BIO
+which is currently part of a BIO datagram pair, the MTU value is set on both
+halves of the pair. The value does not affect the operation of the BIO datagram
+pair (except for \fBBIO_get_write_guarantee()\fR; see above) but may be used by other
+code to determine a requested MTU. When a BIO datagram pair BIO is created, the
+MTU is set to an unspecified but valid value.
+.PP
+\&\fBBIO_dgram_set0_local_addr()\fR can be used to set the local BIO_ADDR to be used
+when sending a datagram via a BIO datagram pair. This becomes the peer address
+when receiving on the other half of the pair. If the BIO is used in a call to
+\&\fBBIO_sendmmsg\fR\|(3) and a local address is explicitly specified, then the
+explicitly specified local address takes precedence. The reference to the
+BIO_ADDR is passed to the BIO by this call and will be freed automatically when
+the BIO is freed.
+.PP
+\&\fBBIO_flush\fR\|(3) is a no-op.
+.SH NOTES
+.IX Header "NOTES"
+The halves of a BIO datagram pair have independent lifetimes and must be
+separately freed.
+.SH THREADING
+.IX Header "THREADING"
+\&\fBBIO_recvmmsg\fR\|(3), \fBBIO_sendmmsg\fR\|(3), \fBBIO_read\fR\|(3), \fBBIO_write\fR\|(3),
+\&\fBBIO_pending\fR\|(3), \fBBIO_get_write_guarantee\fR\|(3) and \fBBIO_flush\fR\|(3) may be used
+by multiple threads simultaneously on the same BIO datagram pair. Specific
+\&\fBBIO_ctrl\fR\|(3) operations (namely BIO_CTRL_PENDING, BIO_CTRL_FLUSH and
+BIO_C_GET_WRITE_GUARANTEE) may also be used. Invoking any other BIO call, or any
+other \fBBIO_ctrl\fR\|(3) operation, on either half of a BIO datagram pair while any
+other BIO call is also in progress to either half of the same BIO datagram pair
+results in undefined behaviour.
+.SH "CAPABILITY INDICATION"
+.IX Header "CAPABILITY INDICATION"
+The BIO datagram pair can be used to enqueue datagrams which have source and
+destination addresses attached. It is important that the component consuming one
+side of a BIO datagram pair understand whether the other side of the pair will
+honour any source and destination addresses it attaches to each datagram. For
+example, if datagrams are queued with destination addresses set but simply read
+by simple calls to \fBBIO_read\fR\|(3), the destination addresses will be discarded.
+.PP
+Each half of a BIO datagram pair can have capability flags set on it which
+indicate whether source and destination addresses will be honoured by the reader
+and whether they will be provided by the writer. These capability flags should
+be set via a call to \fBBIO_dgram_set_caps()\fR, and these capabilities will be
+reflected in the value returned by \fBBIO_dgram_get_effective_caps()\fR on the
+opposite BIO. If necessary, the capability value previously set can be retrieved
+using \fBBIO_dgram_get_caps()\fR. Note that \fBBIO_dgram_set_caps()\fR on a given BIO
+controls the capabilities advertised to the peer, and
+\&\fBBIO_dgram_get_effective_caps()\fR on a given BIO determines the capabilities
+advertised by the peer of that BIO.
+.PP
+The following capabilities are available:
+.IP \fBBIO_DGRAM_CAP_HANDLES_SRC_ADDR\fR 4
+.IX Item "BIO_DGRAM_CAP_HANDLES_SRC_ADDR"
+The user of the datagram pair BIO promises to honour source addresses provided
+with datagrams written to the BIO pair.
+.IP \fBBIO_DGRAM_CAP_HANDLES_DST_ADDR\fR 4
+.IX Item "BIO_DGRAM_CAP_HANDLES_DST_ADDR"
+The user of the datagram pair BIO promises to honour destination addresses provided
+with datagrams written to the BIO pair.
+.IP \fBBIO_DGRAM_CAP_PROVIDES_SRC_ADDR\fR 4
+.IX Item "BIO_DGRAM_CAP_PROVIDES_SRC_ADDR"
+The user of the datagram pair BIO advertises the fact that it will provide source
+addressing information with future writes to the BIO pair, where available.
+.IP \fBBIO_DGRAM_CAP_PROVIDES_DST_ADDR\fR 4
+.IX Item "BIO_DGRAM_CAP_PROVIDES_DST_ADDR"
+The user of the datagram pair BIO advertises the fact that it will provide
+destination addressing information with future writes to the BIO pair, where
+available.
+.PP
+If a caller attempts to specify a destination address (for example, using
+\&\fBBIO_sendmmsg\fR\|(3)) and the peer has not advertised the
+\&\fBBIO_DGRAM_CAP_HANDLES_DST_ADDR\fR capability, the operation fails. Thus,
+capability negotiation is mandatory.
+.PP
+If a caller attempts to specify a source address when writing, or requests a
+destination address when receiving, and local address support has not been
+enabled, the operation fails; see \fBBIO_dgram_set_local_addr_enable\fR\|(3).
+.PP
+If a caller attempts to enable local address support using
+\&\fBBIO_dgram_set_local_addr_enable\fR\|(3) and \fBBIO_dgram_get_local_addr_cap\fR\|(3)
+does not return 1 (meaning that the peer has not advertised both the
+\&\fBBIO_DGRAM_CAP_HANDLES_SRC_ADDR\fR and the \fBBIO_DGRAM_CAP_PROVIDES_DST_ADDR\fR
+capability), the operation fails.
+.PP
+\&\fBBIO_DGRAM_CAP_PROVIDES_SRC_ADDR\fR and \fBBIO_DGRAM_CAP_PROVIDES_DST_ADDR\fR
+indicate that the application using that half of a BIO datagram pair promises to
+provide source and destination addresses respectively when writing datagrams to
+that half of the BIO datagram pair. However, these capability flags do not
+affect the behaviour of the BIO datagram pair.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBBIO_new_bio_dgram_pair()\fR returns 1 on success, with the new BIOs available in
+\&\fBbio1\fR and \fBbio2\fR, or 0 on failure, with NULL pointers stored into the
+locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more information.
+.PP
+\&\fBBIO_dgram_set_no_trunc()\fR, \fBBIO_dgram_set_caps()\fR and \fBBIO_dgram_set_mtu()\fR return 1
+on success and 0 on failure.
+.PP
+\&\fBBIO_dgram_get_no_trunc()\fR returns 1 if no-truncate mode is enabled on a BIO, or 0
+if no-truncate mode is not enabled or not supported on a given BIO.
+.PP
+\&\fBBIO_dgram_get_effective_caps()\fR and \fBBIO_dgram_get_caps()\fR return zero if no
+capabilities are supported.
+.PP
+\&\fBBIO_dgram_get_mtu()\fR returns the MTU value configured on the BIO, or zero if the
+operation is not supported.
+.PP
+\&\fBBIO_dgram_set0_local_addr()\fR returns 1 on success and <= 0 otherwise.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBBIO_s_bio\fR\|(3), \fBbio\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBBIO_s_dgram_pair()\fR, \fBBIO_new_bio_dgram_pair()\fR were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_fd.3 b/secure/lib/libcrypto/man/man3/BIO_s_fd.3
index a3f040af8093..b229668751bf 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_fd.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_fd.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_FD 3ossl"
-.TH BIO_S_FD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_FD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd \- file descriptor BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -150,16 +74,16 @@ BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd \- file descriptor BIO
\&
\& BIO *BIO_new_fd(int fd, int close_flag);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_fd()\fR returns the file descriptor \s-1BIO\s0 method. This is a wrapper
+\&\fBBIO_s_fd()\fR returns the file descriptor BIO method. This is a wrapper
round the platforms file descriptor routines such as \fBread()\fR and \fBwrite()\fR.
.PP
\&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read or write the underlying descriptor.
\&\fBBIO_puts()\fR is supported but \fBBIO_gets()\fR is not.
.PP
If the close flag is set then \fBclose()\fR is called on the underlying
-file descriptor when the \s-1BIO\s0 is freed.
+file descriptor when the BIO is freed.
.PP
\&\fBBIO_reset()\fR attempts to change the file pointer to the start of file
such as by using \fBlseek(fd, 0, 0)\fR.
@@ -170,18 +94,18 @@ such as by using \fBlseek(fd, ofs, 0)\fR.
\&\fBBIO_tell()\fR returns the current file position such as by calling
\&\fBlseek(fd, 0, 1)\fR.
.PP
-\&\fBBIO_set_fd()\fR sets the file descriptor of \s-1BIO\s0 \fBb\fR to \fBfd\fR and the close
+\&\fBBIO_set_fd()\fR sets the file descriptor of BIO \fBb\fR to \fBfd\fR and the close
flag to \fBc\fR.
.PP
-\&\fBBIO_get_fd()\fR places the file descriptor of \s-1BIO\s0 \fBb\fR in \fBc\fR if it is not \s-1NULL.\s0
+\&\fBBIO_get_fd()\fR places the file descriptor of BIO \fBb\fR in \fBc\fR if it is not NULL.
It also returns the file descriptor.
.PP
-\&\fBBIO_new_fd()\fR returns a file descriptor \s-1BIO\s0 using \fBfd\fR and \fBclose_flag\fR.
-.SH "NOTES"
+\&\fBBIO_new_fd()\fR returns a file descriptor BIO using \fBfd\fR and \fBclose_flag\fR.
+.SH NOTES
.IX Header "NOTES"
The behaviour of \fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR depends on the behavior of the
platforms \fBread()\fR and \fBwrite()\fR calls on the descriptor. If the underlying
-file descriptor is in a non blocking mode then the \s-1BIO\s0 will behave in the
+file descriptor is in a non blocking mode then the BIO will behave in the
manner described in the \fBBIO_read_ex\fR\|(3) and \fBBIO_should_retry\fR\|(3)
manual pages.
.PP
@@ -191,18 +115,18 @@ instead.
\&\fBBIO_set_fd()\fR and \fBBIO_get_fd()\fR are implemented as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_fd()\fR returns the file descriptor \s-1BIO\s0 method.
+\&\fBBIO_s_fd()\fR returns the file descriptor BIO method.
.PP
\&\fBBIO_set_fd()\fR returns 1 on success or <=0 for failure.
.PP
-\&\fBBIO_get_fd()\fR returns the file descriptor or \-1 if the \s-1BIO\s0 has not
+\&\fBBIO_get_fd()\fR returns the file descriptor or \-1 if the BIO has not
been initialized. It also returns zero and negative values if other error occurs.
.PP
-\&\fBBIO_new_fd()\fR returns the newly allocated \s-1BIO\s0 or \s-1NULL\s0 is an error
+\&\fBBIO_new_fd()\fR returns the newly allocated BIO or NULL is an error
occurred.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This is a file descriptor \s-1BIO\s0 version of \*(L"Hello World\*(R":
+This is a file descriptor BIO version of "Hello World":
.PP
.Vb 1
\& BIO *out;
@@ -218,11 +142,11 @@ This is a file descriptor \s-1BIO\s0 version of \*(L"Hello World\*(R":
\&\fBBIO_write_ex\fR\|(3), \fBBIO_puts\fR\|(3),
\&\fBBIO_gets\fR\|(3), \fBBIO_printf\fR\|(3),
\&\fBBIO_set_close\fR\|(3), \fBBIO_get_close\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_file.3 b/secure/lib/libcrypto/man/man3/BIO_s_file.3
index 76ed24a86e46..fe8d5c1247c4 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_file.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_file.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_FILE 3ossl"
-.TH BIO_S_FILE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_file, BIO_new_file, BIO_new_fp, BIO_set_fp, BIO_get_fp,
BIO_read_filename, BIO_write_filename, BIO_append_filename,
BIO_rw_filename \- FILE bio
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -157,16 +81,16 @@ BIO_rw_filename \- FILE bio
\& int BIO_append_filename(BIO *b, char *name);
\& int BIO_rw_filename(BIO *b, char *name);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_file()\fR returns the \s-1BIO\s0 file method. As its name implies it
-is a wrapper round the stdio \s-1FILE\s0 structure and it is a
-source/sink \s-1BIO.\s0
+\&\fBBIO_s_file()\fR returns the BIO file method. As its name implies it
+is a wrapper round the stdio FILE structure and it is a
+source/sink BIO.
.PP
Calls to \fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read and write data to the
underlying stream. \fBBIO_gets()\fR and \fBBIO_puts()\fR are supported on file BIOs.
.PP
-\&\fBBIO_flush()\fR on a file \s-1BIO\s0 calls the \fBfflush()\fR function on the wrapped
+\&\fBBIO_flush()\fR on a file BIO calls the \fBfflush()\fR function on the wrapped
stream.
.PP
\&\fBBIO_reset()\fR attempts to change the file pointer to the start of file
@@ -177,22 +101,22 @@ using fseek(stream, ofs, 0).
.PP
\&\fBBIO_eof()\fR calls \fBfeof()\fR.
.PP
-Setting the \s-1BIO_CLOSE\s0 flag calls \fBfclose()\fR on the stream when the \s-1BIO\s0
+Setting the BIO_CLOSE flag calls \fBfclose()\fR on the stream when the BIO
is freed.
.PP
-\&\fBBIO_new_file()\fR creates a new file \s-1BIO\s0 with mode \fBmode\fR the meaning
-of \fBmode\fR is the same as the stdio function \fBfopen()\fR. The \s-1BIO_CLOSE\s0
-flag is set on the returned \s-1BIO.\s0
+\&\fBBIO_new_file()\fR creates a new file BIO with mode \fBmode\fR the meaning
+of \fBmode\fR is the same as the stdio function \fBfopen()\fR. The BIO_CLOSE
+flag is set on the returned BIO.
.PP
-\&\fBBIO_new_fp()\fR creates a file \s-1BIO\s0 wrapping \fBstream\fR. Flags can be:
-\&\s-1BIO_CLOSE, BIO_NOCLOSE\s0 (the close flag) \s-1BIO_FP_TEXT\s0 (sets the underlying
+\&\fBBIO_new_fp()\fR creates a file BIO wrapping \fBstream\fR. Flags can be:
+BIO_CLOSE, BIO_NOCLOSE (the close flag) BIO_FP_TEXT (sets the underlying
stream to text mode, default is binary: this only has any effect under
Win32).
.PP
-\&\fBBIO_set_fp()\fR sets the fp of a file \s-1BIO\s0 to \fBfp\fR. \fBflags\fR has the same
+\&\fBBIO_set_fp()\fR sets the fp of a file BIO to \fBfp\fR. \fBflags\fR has the same
meaning as in \fBBIO_new_fp()\fR, it is a macro.
.PP
-\&\fBBIO_get_fp()\fR retrieves the fp of a file \s-1BIO,\s0 it is a macro.
+\&\fBBIO_get_fp()\fR retrieves the fp of a file BIO, it is a macro.
.PP
\&\fBBIO_seek()\fR is a macro that sets the position pointer to \fBoffset\fR bytes
from the start of file.
@@ -200,24 +124,24 @@ from the start of file.
\&\fBBIO_tell()\fR returns the value of the position pointer.
.PP
\&\fBBIO_read_filename()\fR, \fBBIO_write_filename()\fR, \fBBIO_append_filename()\fR and
-\&\fBBIO_rw_filename()\fR set the file \s-1BIO\s0 \fBb\fR to use file \fBname\fR for
+\&\fBBIO_rw_filename()\fR set the file BIO \fBb\fR to use file \fBname\fR for
reading, writing, append or read write respectively.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When wrapping stdout, stdin or stderr the underlying stream should not
-normally be closed so the \s-1BIO_NOCLOSE\s0 flag should be set.
+normally be closed so the BIO_NOCLOSE flag should be set.
.PP
-Because the file \s-1BIO\s0 calls the underlying stdio functions any quirks
-in stdio behaviour will be mirrored by the corresponding \s-1BIO.\s0
+Because the file BIO calls the underlying stdio functions any quirks
+in stdio behaviour will be mirrored by the corresponding BIO.
.PP
On Windows BIO_new_files reserves for the filename argument to be
-\&\s-1UTF\-8\s0 encoded. In other words if you have to make it work in multi\-
-lingual environment, encode filenames in \s-1UTF\-8.\s0
+UTF\-8 encoded. In other words if you have to make it work in multi\-
+lingual environment, encode filenames in UTF\-8.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_file()\fR returns the file \s-1BIO\s0 method.
+\&\fBBIO_s_file()\fR returns the file BIO method.
.PP
-\&\fBBIO_new_file()\fR and \fBBIO_new_fp()\fR return a file \s-1BIO\s0 or \s-1NULL\s0 if an error
+\&\fBBIO_new_file()\fR and \fBBIO_new_fp()\fR return a file BIO or NULL if an error
occurred.
.PP
\&\fBBIO_set_fp()\fR and \fBBIO_get_fp()\fR return 1 for success or <=0 for failure
@@ -228,10 +152,11 @@ occurred.
\&\fBBIO_tell()\fR returns the current file position or negative values for failure.
.PP
\&\fBBIO_read_filename()\fR, \fBBIO_write_filename()\fR, \fBBIO_append_filename()\fR and
-\&\fBBIO_rw_filename()\fR return 1 for success or <=0 for failure.
-.SH "EXAMPLES"
+\&\fBBIO_rw_filename()\fR return 1 for success or <=0 for failure. An error is also
+returned if the file does not exist.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-File \s-1BIO\s0 \*(L"hello world\*(R":
+File BIO "hello world":
.PP
.Vb 1
\& BIO *bio_out;
@@ -278,11 +203,11 @@ Alternative technique:
\& BIO_printf(out, "Hello World\en");
\& BIO_free(out);
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
\&\fBBIO_reset()\fR and \fBBIO_seek()\fR are implemented using \fBfseek()\fR on the underlying
stream. The return value for \fBfseek()\fR is 0 for success or \-1 if an error
-occurred this differs from other types of \s-1BIO\s0 which will typically return
+occurred this differs from other types of BIO which will typically return
1 for success and a non positive value if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -292,11 +217,11 @@ occurred this differs from other types of \s-1BIO\s0 which will typically return
\&\fBBIO_write_ex\fR\|(3), \fBBIO_puts\fR\|(3),
\&\fBBIO_gets\fR\|(3), \fBBIO_printf\fR\|(3),
\&\fBBIO_set_close\fR\|(3), \fBBIO_get_close\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_mem.3 b/secure/lib/libcrypto/man/man3/BIO_s_mem.3
index 5809e2963fcc..1899b218d99a 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_mem.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_mem.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_MEM 3ossl"
-.TH BIO_S_MEM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_MEM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-BIO_s_secmem,
+.SH NAME
+BIO_s_secmem, BIO_s_dgram_mem,
BIO_s_mem, BIO_set_mem_eof_return, BIO_get_mem_data, BIO_set_mem_buf,
BIO_get_mem_ptr, BIO_new_mem_buf \- memory BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_mem(void);
+\& const BIO_METHOD *BIO_s_dgram_mem(void);
\& const BIO_METHOD *BIO_s_secmem(void);
\&
\& BIO_set_mem_eof_return(BIO *b, int v);
@@ -155,121 +80,146 @@ BIO_get_mem_ptr, BIO_new_mem_buf \- memory BIO
\&
\& BIO *BIO_new_mem_buf(const void *buf, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_mem()\fR returns the memory \s-1BIO\s0 method function.
+\&\fBBIO_s_mem()\fR returns the memory BIO method function.
.PP
-A memory \s-1BIO\s0 is a source/sink \s-1BIO\s0 which uses memory for its I/O. Data
-written to a memory \s-1BIO\s0 is stored in a \s-1BUF_MEM\s0 structure which is extended
+A memory BIO is a source/sink BIO which uses memory for its I/O. Data
+written to a memory BIO is stored in a BUF_MEM structure which is extended
as appropriate to accommodate the stored data.
.PP
\&\fBBIO_s_secmem()\fR is like \fBBIO_s_mem()\fR except that the secure heap is used
for buffer storage.
.PP
-Any data written to a memory \s-1BIO\s0 can be recalled by reading from it.
-Unless the memory \s-1BIO\s0 is read only any data read from it is deleted from
-the \s-1BIO.\s0
-.PP
-Memory BIOs support \fBBIO_gets()\fR and \fBBIO_puts()\fR.
-.PP
-If the \s-1BIO_CLOSE\s0 flag is set when a memory \s-1BIO\s0 is freed then the underlying
-\&\s-1BUF_MEM\s0 structure is also freed.
-.PP
-Calling \fBBIO_reset()\fR on a read write memory \s-1BIO\s0 clears any data in it if the
-flag \s-1BIO_FLAGS_NONCLEAR_RST\s0 is not set, otherwise it just restores the read
+\&\fBBIO_s_dgram_mem()\fR is a memory BIO that respects datagram semantics. A single
+call to \fBBIO_write\fR\|(3) will write a single datagram to the memory BIO. A
+subsequent call to \fBBIO_read\fR\|(3) will read the data in that datagram. The
+\&\fBBIO_read\fR\|(3) call will never return more data than was written in the original
+\&\fBBIO_write\fR\|(3) call even if there were subsequent \fBBIO_write\fR\|(3) calls that
+wrote more datagrams. Each successive call to \fBBIO_read\fR\|(3) will read the next
+datagram. If a \fBBIO_read\fR\|(3) call supplies a read buffer that is smaller than
+the size of the datagram, then the read buffer will be completely filled and the
+remaining data from the datagram will be discarded.
+.PP
+It is not possible to write a zero length datagram. Calling \fBBIO_write\fR\|(3) in
+this case will return 0 and no datagrams will be written. Calling \fBBIO_read\fR\|(3)
+when there are no datagrams in the BIO to read will return a negative result and
+the "retry" flags will be set (i.e. calling \fBBIO_should_retry\fR\|(3) will return
+true). A datagram mem BIO will never return true from \fBBIO_eof\fR\|(3).
+.PP
+Any data written to a memory BIO can be recalled by reading from it.
+Unless the memory BIO is read only any data read from it is deleted from
+the BIO.
+.PP
+Memory BIOs except \fBBIO_s_dgram_mem()\fR support \fBBIO_gets()\fR and \fBBIO_puts()\fR.
+.PP
+\&\fBBIO_s_dgram_mem()\fR supports \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) calls
+and calls related to \fBBIO_ADDR\fR and MTU handling similarly to the
+\&\fBBIO_s_dgram_pair\fR\|(3).
+.PP
+If the BIO_CLOSE flag is set when a memory BIO is freed then the underlying
+BUF_MEM structure is also freed.
+.PP
+Calling \fBBIO_reset()\fR on a read write memory BIO clears any data in it if the
+flag BIO_FLAGS_NONCLEAR_RST is not set, otherwise it just restores the read
pointer to the state it was just after the last write was performed and the
-data can be read again. On a read only \s-1BIO\s0 it similarly restores the \s-1BIO\s0 to
+data can be read again. On a read only BIO it similarly restores the BIO to
its original state and the read only data can be read again.
.PP
-\&\fBBIO_eof()\fR is true if no data is in the \s-1BIO.\s0
+\&\fBBIO_eof()\fR is true if no data is in the BIO.
.PP
\&\fBBIO_ctrl_pending()\fR returns the number of bytes currently stored.
.PP
-\&\fBBIO_set_mem_eof_return()\fR sets the behaviour of memory \s-1BIO\s0 \fBb\fR when it is
-empty. If the \fBv\fR is zero then an empty memory \s-1BIO\s0 will return \s-1EOF\s0 (that is
+\&\fBBIO_set_mem_eof_return()\fR sets the behaviour of memory BIO \fBb\fR when it is
+empty. If the \fBv\fR is zero then an empty memory BIO will return EOF (that is
it will return zero and BIO_should_retry(b) will be false. If \fBv\fR is non
zero then it will return \fBv\fR when it is empty and it will set the read retry
flag (that is BIO_read_retry(b) is true). To avoid ambiguity with a normal
positive return value \fBv\fR should be set to a negative value, typically \-1.
+Calling this macro will fail for datagram mem BIOs.
.PP
\&\fBBIO_get_mem_data()\fR sets *\fBpp\fR to a pointer to the start of the memory BIOs data
and returns the total amount of data available. It is implemented as a macro.
Note the pointer returned by this call is informative, no transfer of ownership
of this memory is implied. See notes on \fBBIO_set_close()\fR.
.PP
-\&\fBBIO_set_mem_buf()\fR sets the internal \s-1BUF_MEM\s0 structure to \fBbm\fR and sets the
-close flag to \fBc\fR, that is \fBc\fR should be either \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0
+\&\fBBIO_set_mem_buf()\fR sets the internal BUF_MEM structure to \fBbm\fR and sets the
+close flag to \fBc\fR, that is \fBc\fR should be either BIO_CLOSE or BIO_NOCLOSE.
It is a macro.
.PP
-\&\fBBIO_get_mem_ptr()\fR places the underlying \s-1BUF_MEM\s0 structure in *\fBpp\fR. It is
+\&\fBBIO_get_mem_ptr()\fR places the underlying BUF_MEM structure in *\fBpp\fR. It is
a macro.
.PP
-\&\fBBIO_new_mem_buf()\fR creates a memory \s-1BIO\s0 using \fBlen\fR bytes of data at \fBbuf\fR,
+\&\fBBIO_new_mem_buf()\fR creates a memory BIO using \fBlen\fR bytes of data at \fBbuf\fR,
if \fBlen\fR is \-1 then the \fBbuf\fR is assumed to be nul terminated and its
-length is determined by \fBstrlen\fR. The \s-1BIO\s0 is set to a read only state and
+length is determined by \fBstrlen\fR. The BIO is set to a read only state and
as a result cannot be written to. This is useful when some data needs to be
-made available from a static area of memory in the form of a \s-1BIO.\s0 The
+made available from a static area of memory in the form of a BIO. The
supplied data is read directly from the supplied buffer: it is \fBnot\fR copied
-first, so the supplied area of memory must be unchanged until the \s-1BIO\s0 is freed.
-.SH "NOTES"
+first, so the supplied area of memory must be unchanged until the BIO is freed.
+.PP
+All of the five functions described above return an error with
+\&\fBBIO_s_dgram_mem()\fR.
+.SH NOTES
.IX Header "NOTES"
Writes to memory BIOs will always succeed if memory is available: that is
-their size can grow indefinitely.
+their size can grow indefinitely. An exception is \fBBIO_s_dgram_mem()\fR when
+\&\fBBIO_set_write_buf_size\fR\|(3) is called on it. In such case the write buffer
+size will be fixed and any writes that would overflow the buffer will return
+an error.
.PP
Every write after partial read (not all data in the memory buffer was read)
-to a read write memory \s-1BIO\s0 will have to move the unread data with an internal
-copy operation, if a \s-1BIO\s0 contains a lot of data and it is read in small
+to a read write memory BIO will have to move the unread data with an internal
+copy operation, if a BIO contains a lot of data and it is read in small
chunks intertwined with writes the operation can be very slow. Adding
-a buffering \s-1BIO\s0 to the chain can speed up the process.
+a buffering BIO to the chain can speed up the process.
.PP
-Calling \fBBIO_set_mem_buf()\fR on a \s-1BIO\s0 created with \fBBIO_new_secmem()\fR will
-give undefined results, including perhaps a program crash.
+Calling \fBBIO_set_mem_buf()\fR on a secmem or dgram BIO will give undefined results,
+including perhaps a program crash.
.PP
-Switching the memory \s-1BIO\s0 from read write to read only is not supported and
+Switching a memory BIO from read write to read only is not supported and
can give undefined results including a program crash. There are two notable
exceptions to the rule. The first one is to assign a static memory buffer
-immediately after \s-1BIO\s0 creation and set the \s-1BIO\s0 as read only.
+immediately after BIO creation and set the BIO as read only.
.PP
-The other supported sequence is to start with read write \s-1BIO\s0 then temporarily
-switch it to read only and call \fBBIO_reset()\fR on the read only \s-1BIO\s0 immediately
-before switching it back to read write. Before the \s-1BIO\s0 is freed it must be
+The other supported sequence is to start with a read write BIO then temporarily
+switch it to read only and call \fBBIO_reset()\fR on the read only BIO immediately
+before switching it back to read write. Before the BIO is freed it must be
switched back to the read write mode.
.PP
-Calling \fBBIO_get_mem_ptr()\fR on read only \s-1BIO\s0 will return a \s-1BUF_MEM\s0 that
+Calling \fBBIO_get_mem_ptr()\fR on read only BIO will return a BUF_MEM that
contains only the remaining data to be read. If the close status of the
-\&\s-1BIO\s0 is set to \s-1BIO_NOCLOSE,\s0 before freeing the \s-1BUF_MEM\s0 the data pointer
-in it must be set to \s-1NULL\s0 as the data pointer does not point to an
+BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer
+in it must be set to NULL as the data pointer does not point to an
allocated memory.
.PP
-Calling \fBBIO_reset()\fR on a read write memory \s-1BIO\s0 with \s-1BIO_FLAGS_NONCLEAR_RST\s0
+Calling \fBBIO_reset()\fR on a read write memory BIO with BIO_FLAGS_NONCLEAR_RST
flag set can have unexpected outcome when the reads and writes to the
-\&\s-1BIO\s0 are intertwined. As documented above the \s-1BIO\s0 will be reset to the
+BIO are intertwined. As documented above the BIO will be reset to the
state after the last completed write operation. The effects of reads
preceding that write operation cannot be undone.
.PP
Calling \fBBIO_get_mem_ptr()\fR prior to a \fBBIO_reset()\fR call with
-\&\s-1BIO_FLAGS_NONCLEAR_RST\s0 set has the same effect as a write operation.
+BIO_FLAGS_NONCLEAR_RST set has the same effect as a write operation.
.PP
-Calling \fBBIO_set_close()\fR with \s-1BIO_NOCLOSE\s0 orphans the \s-1BUF_MEM\s0 internal to the
-\&\s-1BIO,\s0 _not_ its actual data buffer. See the examples section for the proper
+Calling \fBBIO_set_close()\fR with BIO_NOCLOSE orphans the BUF_MEM internal to the
+BIO, _not_ its actual data buffer. See the examples section for the proper
method for claiming ownership of the data pointer for a deferred free operation.
-.SH "BUGS"
-.IX Header "BUGS"
-There should be an option to set the maximum size of a memory \s-1BIO.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_mem()\fR and \fBBIO_s_secmem()\fR return a valid memory \fB\s-1BIO_METHOD\s0\fR structure.
+\&\fBBIO_s_mem()\fR, \fBBIO_s_dgram_mem()\fR and \fBBIO_s_secmem()\fR return a valid memory
+\&\fBBIO_METHOD\fR structure.
.PP
\&\fBBIO_set_mem_eof_return()\fR, \fBBIO_set_mem_buf()\fR and \fBBIO_get_mem_ptr()\fR
return 1 on success or a value which is less than or equal to 0 if an error occurred.
.PP
\&\fBBIO_get_mem_data()\fR returns the total number of bytes available on success,
-0 if b is \s-1NULL,\s0 or a negative value in case of other errors.
+0 if b is NULL, or a negative value in case of other errors.
.PP
-\&\fBBIO_new_mem_buf()\fR returns a valid \fB\s-1BIO\s0\fR structure on success or \s-1NULL\s0 on error.
-.SH "EXAMPLES"
+\&\fBBIO_new_mem_buf()\fR returns a valid \fBBIO\fR structure on success or NULL on error.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Create a memory \s-1BIO\s0 and write some data to it:
+Create a memory BIO and write some data to it:
.PP
.Vb 1
\& BIO *mem = BIO_new(BIO_s_mem());
@@ -277,14 +227,14 @@ Create a memory \s-1BIO\s0 and write some data to it:
\& BIO_puts(mem, "Hello World\en");
.Ve
.PP
-Create a read only memory \s-1BIO:\s0
+Create a read only memory BIO:
.PP
.Vb 2
\& char data[] = "Hello World";
\& BIO *mem = BIO_new_mem_buf(data, \-1);
.Ve
.PP
-Extract the \s-1BUF_MEM\s0 structure from a memory \s-1BIO\s0 and then free up the \s-1BIO:\s0
+Extract the BUF_MEM structure from a memory BIO and then free up the BIO:
.PP
.Vb 1
\& BUF_MEM *bptr;
@@ -294,8 +244,8 @@ Extract the \s-1BUF_MEM\s0 structure from a memory \s-1BIO\s0 and then free up t
\& BIO_free(mem);
.Ve
.PP
-Extract the \s-1BUF_MEM\s0 ptr, claim ownership of the internal data and free the \s-1BIO\s0
-and \s-1BUF_MEM\s0 structure:
+Extract the BUF_MEM ptr, claim ownership of the internal data and free the BIO
+and BUF_MEM structure:
.PP
.Vb 2
\& BUF_MEM *bptr;
@@ -310,11 +260,14 @@ and \s-1BUF_MEM\s0 structure:
\& ...
\& free(data);
.Ve
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBBIO_s_dgram_mem()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_null.3 b/secure/lib/libcrypto/man/man3/BIO_s_null.3
index d2760ab10e27..d6283bd4464f 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_null.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_null.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,90 +52,30 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_NULL 3ossl"
-.TH BIO_S_NULL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_NULL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_null \- null data sink
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_null(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_null()\fR returns the null sink \s-1BIO\s0 method. Data written to
-the null sink is discarded, reads return \s-1EOF.\s0
-.SH "NOTES"
+\&\fBBIO_s_null()\fR returns the null sink BIO method. Data written to
+the null sink is discarded, reads return EOF.
+.SH NOTES
.IX Header "NOTES"
-A null sink \s-1BIO\s0 behaves in a similar manner to the Unix /dev/null
+A null sink BIO behaves in a similar manner to the Unix /dev/null
device.
.PP
A null bio can be placed on the end of a chain to discard any data
@@ -159,16 +83,16 @@ passed through it.
.PP
A null sink is useful if, for example, an application wishes to digest some
data by writing through a digest bio but not send the digested data anywhere.
-Since a \s-1BIO\s0 chain must normally include a source/sink \s-1BIO\s0 this can be achieved
-by adding a null sink \s-1BIO\s0 to the end of the chain
+Since a BIO chain must normally include a source/sink BIO this can be achieved
+by adding a null sink BIO to the end of the chain
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_null()\fR returns the null sink \s-1BIO\s0 method.
-.SH "COPYRIGHT"
+\&\fBBIO_s_null()\fR returns the null sink BIO method.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_socket.3 b/secure/lib/libcrypto/man/man3/BIO_s_socket.3
index 1bdebe13b343..bfb34d7eef36 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_socket.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_socket.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_SOCKET 3ossl"
-.TH BIO_S_SOCKET 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_S_SOCKET 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_s_socket, BIO_new_socket \- socket BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -147,19 +71,19 @@ BIO_s_socket, BIO_new_socket \- socket BIO
\&
\& BIO *BIO_new_socket(int sock, int close_flag);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_s_socket()\fR returns the socket \s-1BIO\s0 method. This is a wrapper
+\&\fBBIO_s_socket()\fR returns the socket BIO method. This is a wrapper
round the platform's socket routines.
.PP
\&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read or write the underlying socket.
\&\fBBIO_puts()\fR is supported but \fBBIO_gets()\fR is not.
.PP
If the close flag is set then the socket is shut down and closed
-when the \s-1BIO\s0 is freed.
+when the BIO is freed.
.PP
-\&\fBBIO_new_socket()\fR returns a socket \s-1BIO\s0 using \fBsock\fR and \fBclose_flag\fR.
-.SH "NOTES"
+\&\fBBIO_new_socket()\fR returns a socket BIO using \fBsock\fR and \fBclose_flag\fR.
+.SH NOTES
.IX Header "NOTES"
Socket BIOs also support any relevant functionality of file descriptor
BIOs.
@@ -170,15 +94,15 @@ Windows is one such platform. Any code mixing the two will not work on
all platforms.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBIO_s_socket()\fR returns the socket \s-1BIO\s0 method.
+\&\fBBIO_s_socket()\fR returns the socket BIO method.
.PP
-\&\fBBIO_new_socket()\fR returns the newly allocated \s-1BIO\s0 or \s-1NULL\s0 is an error
+\&\fBBIO_new_socket()\fR returns the newly allocated BIO or NULL is an error
occurred.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3 b/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3
new file mode 100644
index 000000000000..9d7c3fb6d319
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/BIO_sendmmsg.3
@@ -0,0 +1,272 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "BIO_SENDMMSG 3ossl"
+.TH BIO_SENDMMSG 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+BIO_sendmmsg, BIO_recvmmsg, BIO_dgram_set_local_addr_enable,
+BIO_dgram_get_local_addr_enable, BIO_dgram_get_local_addr_cap,
+BIO_err_is_non_fatal \- send and receive multiple datagrams in a single call
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/bio.h>
+\&
+\& typedef struct bio_msg_st {
+\& void *data;
+\& size_t data_len;
+\& BIO_ADDR *peer, *local;
+\& uint64_t flags;
+\& } BIO_MSG;
+\&
+\& int BIO_sendmmsg(BIO *b, BIO_MSG *msg,
+\& size_t stride, size_t num_msg, uint64_t flags,
+\& size_t *msgs_processed);
+\& int BIO_recvmmsg(BIO *b, BIO_MSG *msg,
+\& size_t stride, size_t num_msg, uint64_t flags,
+\& size_t *msgs_processed);
+\&
+\& int BIO_dgram_set_local_addr_enable(BIO *b, int enable);
+\& int BIO_dgram_get_local_addr_enable(BIO *b, int *enable);
+\& int BIO_dgram_get_local_addr_cap(BIO *b);
+\& int BIO_err_is_non_fatal(unsigned int errcode);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR functions can be used to send and receive
+multiple messages in a single call to a BIO. They are analogous to \fBsendmmsg\fR\|(2)
+and \fBrecvmmsg\fR\|(2) on operating systems which provide those functions.
+.PP
+The \fBBIO_MSG\fR structure provides a subset of the functionality of the \fBstruct
+msghdr\fR structure defined by POSIX. These functions accept an array of
+\&\fBBIO_MSG\fR structures. On any particular invocation, these functions may process
+all of the passed structures, some of them, or none of them. This is indicated
+by the value stored in \fI*msgs_processed\fR, which expresses the number of
+messages processed.
+.PP
+The caller should set the \fIdata\fR member of a \fBBIO_MSG\fR to a buffer containing
+the data to send, or to be filled with a received message. \fIdata_len\fR should be
+set to the size of the buffer in bytes. If the given \fBBIO_MSG\fR is processed (in
+other words, if the integer returned by the function is greater than or equal to
+that \fBBIO_MSG\fR's array index), \fIdata_len\fR will be modified to specify the
+actual amount of data sent or received.
+.PP
+The \fIflags\fR field of a \fBBIO_MSG\fR provides input per-message flags to the
+invocation. If the invocation processes that \fBBIO_MSG\fR, the \fIflags\fR field is
+written with output per-message flags, or zero if no such flags are applicable.
+.PP
+Currently, no input or output per-message flags are defined and this field
+should be set to zero before calling \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR.
+.PP
+The \fIflags\fR argument to \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR provides global
+flags which affect the entire invocation. No global flags are currently
+defined and this argument should be set to zero.
+.PP
+When these functions are used to send and receive datagrams, the \fIpeer\fR field
+of a \fBBIO_MSG\fR allows the destination address of sent datagrams to be specified
+on a per-datagram basis, and the source address of received datagrams to be
+determined. The \fIpeer\fR field should be set to point to a \fBBIO_ADDR\fR, which
+will be read by \fBBIO_sendmmsg()\fR and used as the destination address for sent
+datagrams, and written by \fBBIO_recvmmsg()\fR with the source address of received
+datagrams.
+.PP
+Similarly, the \fIlocal\fR field of a \fBBIO_MSG\fR allows the source address of sent
+datagrams to be specified on a per-datagram basis, and the destination address
+of received datagrams to be determined. Unlike \fIpeer\fR, support for \fIlocal\fR
+must be explicitly enabled on a \fBBIO\fR before it can be used; see
+\&\fBBIO_dgram_set_local_addr_enable()\fR. If \fIlocal\fR is non-NULL in a \fBBIO_MSG\fR and
+support for \fIlocal\fR has not been enabled, processing of that \fBBIO_MSG\fR fails.
+.PP
+\&\fIpeer\fR and \fIlocal\fR should be set to NULL if they are not required. Support for
+\&\fIlocal\fR may not be available on all platforms; on these platforms, these
+functions always fail if \fIlocal\fR is non-NULL.
+.PP
+If \fIlocal\fR is specified and local address support is enabled, but the operating
+system does not report a local address for a specific received message, the
+\&\fBBIO_ADDR\fR it points to will be cleared (address family set to \f(CW\*(C`AF_UNSPEC\*(C'\fR).
+This is known to happen on Windows when a packet is received which was sent by
+the local system, regardless of whether the packet's destination address was the
+loopback address or the IP address of a local non-loopback interface. This is
+also known to happen on macOS in some circumstances, such as for packets sent
+before local address support was enabled for a receiving socket. These are
+OS-specific limitations. As such, users of this API using local address support
+should expect to sometimes receive a cleared local \fBBIO_ADDR\fR instead of the
+correct value.
+.PP
+The \fIstride\fR argument must be set to \f(CWsizeof(BIO_MSG)\fR. This argument
+facilitates backwards compatibility if fields are added to \fBBIO_MSG\fR. Callers
+must zero-initialize \fBBIO_MSG\fR.
+.PP
+\&\fInum_msg\fR should be sent to the maximum number of messages to send or receive,
+which is also the length of the array pointed to by \fImsg\fR.
+.PP
+\&\fImsgs_processed\fR must be non-NULL and points to an integer written with the
+number of messages successfully processed; see the RETURN VALUES section for
+further discussion.
+.PP
+Unlike most BIO functions, these functions explicitly support multi-threaded
+use. Multiple concurrent writers and multiple concurrent readers of the same BIO
+are permitted in any combination. As such, these functions do not clear, set, or
+otherwise modify BIO retry flags. The return value must be used to determine
+whether an operation should be retried; see below.
+.PP
+The support for concurrent use extends to \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR
+only, and no other function may be called on a given BIO while any call to
+\&\fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR is in progress, or vice versa.
+.PP
+\&\fBBIO_dgram_set_local_addr_enable()\fR and \fBBIO_dgram_get_local_addr_enable()\fR control
+whether local address support is enabled. To enable local address support, call
+\&\fBBIO_dgram_set_local_addr_enable()\fR with an argument of 1. The call will fail if
+local address support is not available for the platform.
+\&\fBBIO_dgram_get_local_addr_enable()\fR retrieves the value set by
+\&\fBBIO_dgram_set_local_addr_enable()\fR.
+.PP
+\&\fBBIO_dgram_get_local_addr_cap()\fR determines if the \fBBIO\fR is capable of supporting
+local addresses.
+.PP
+\&\fBBIO_err_is_non_fatal()\fR determines if a packed error code represents an error
+which is transient in nature.
+.SH NOTES
+.IX Header "NOTES"
+Some implementations of the \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR BIO methods might
+always process at most one message at a time, for example when OS-level
+functionality to transmit or receive multiple messages at a time is not
+available.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+On success, the functions \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR return 1 and write
+the number of messages successfully processed (which need not be nonzero) to
+\&\fImsgs_processed\fR. Where a positive value n is written to \fImsgs_processed\fR, all
+entries in the \fBBIO_MSG\fR array from 0 through n\-1 inclusive have their
+\&\fIdata_len\fR and \fIflags\fR fields updated with the results of the operation on
+that message. If the call was to \fBBIO_recvmmsg()\fR and the \fIpeer\fR or \fIlocal\fR
+fields of that message are non-NULL, the \fBBIO_ADDR\fR structures they point to
+are written with the relevant address.
+.PP
+On failure, the functions \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR return 0 and write
+zero to \fImsgs_processed\fR. Thus \fImsgs_processed\fR is always written regardless
+of the outcome of the function call.
+.PP
+If \fBBIO_sendmmsg()\fR and \fBBIO_recvmmsg()\fR fail, they always raise an \fBERR_LIB_BIO\fR
+error using \fBERR_raise\fR\|(3). Any error may be raised, but the following in
+particular may be noted:
+.IP \fBBIO_R_LOCAL_ADDR_NOT_AVAILABLE\fR 2
+.IX Item "BIO_R_LOCAL_ADDR_NOT_AVAILABLE"
+The \fIlocal\fR field was set to a non-NULL value, but local address support is not
+available or not enabled on the BIO.
+.IP \fBBIO_R_PEER_ADDR_NOT_AVAILABLE\fR 2
+.IX Item "BIO_R_PEER_ADDR_NOT_AVAILABLE"
+The \fIpeer\fR field was set to a non-NULL value, but peer address support is not
+available on the BIO.
+.IP \fBBIO_R_UNSUPPORTED_METHOD\fR 2
+.IX Item "BIO_R_UNSUPPORTED_METHOD"
+The \fBBIO_sendmmsg()\fR or \fBBIO_recvmmsg()\fR method is not supported on the BIO.
+.IP \fBBIO_R_NON_FATAL\fR 2
+.IX Item "BIO_R_NON_FATAL"
+The call failed due to a transient, non-fatal error (for example, because the
+BIO is in nonblocking mode and the call would otherwise have blocked).
+.Sp
+Implementations of this interface which do not make system calls and thereby
+pass through system error codes using \fBERR_LIB_SYS\fR (for example, memory-based
+implementations) should issue this reason code to indicate a transient failure.
+However, users of this interface should not test for this reason code directly,
+as there are multiple possible packed error codes representing a transient
+failure; use \fBBIO_err_is_non_fatal()\fR instead (discussed below).
+.IP "Socket errors" 2
+.IX Item "Socket errors"
+OS-level socket errors are reported using an error with library code
+\&\fBERR_LIB_SYS\fR; for a packed error code \fBerrcode\fR where
+\&\f(CW\*(C`ERR_SYSTEM_ERROR(errcode) == 1\*(C'\fR, the OS-level socket error code can be
+retrieved using \f(CWERR_GET_REASON(errcode)\fR. The packed error code can be
+retrieved by calling \fBERR_peek_last_error\fR\|(3) after the call to \fBBIO_sendmmsg()\fR
+or \fBBIO_recvmmsg()\fR returns 0.
+.IP "Non-fatal errors" 2
+.IX Item "Non-fatal errors"
+Whether an error is transient can be determined by passing the packed error code
+to \fBBIO_err_is_non_fatal()\fR. Callers should do this instead of testing the reason
+code directly, as there are many possible error codes which can indicate a
+transient error, many of which are system specific.
+.PP
+Third parties implementing custom BIOs supporting the \fBBIO_sendmmsg()\fR or
+\&\fBBIO_recvmmsg()\fR methods should note that it is a required part of the API
+contract that an error is always raised when either of these functions return 0.
+.PP
+\&\fBBIO_dgram_set_local_addr_enable()\fR returns 1 if local address support was
+successfully enabled or disabled and 0 otherwise.
+.PP
+\&\fBBIO_dgram_get_local_addr_enable()\fR returns 1 if the local address support enable
+flag was successfully retrieved.
+.PP
+\&\fBBIO_dgram_get_local_addr_cap()\fR returns 1 if the \fBBIO\fR can support local
+addresses.
+.PP
+\&\fBBIO_err_is_non_fatal()\fR returns 1 if the passed packed error code represents an
+error which is transient in nature.
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_set_callback.3 b/secure/lib/libcrypto/man/man3/BIO_set_callback.3
index a41c22135345..9b11dbf7f2c7 100644
--- a/secure/lib/libcrypto/man/man3/BIO_set_callback.3
+++ b/secure/lib/libcrypto/man/man3/BIO_set_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_SET_CALLBACK 3ossl"
-.TH BIO_SET_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_SET_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_set_callback_ex, BIO_get_callback_ex, BIO_set_callback, BIO_get_callback,
BIO_set_callback_arg, BIO_get_callback_arg, BIO_debug_callback,
BIO_debug_callback_ex, BIO_callback_fn_ex, BIO_callback_fn
\&\- BIO callback functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -161,7 +85,7 @@ BIO_debug_callback_ex, BIO_callback_fn_ex, BIO_callback_fn
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 6
@@ -171,15 +95,22 @@ see \fBopenssl_user_macros\fR\|(7):
\& BIO_callback_fn BIO_get_callback(const BIO *b);
\& long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi,
\& long argl, long ret);
+\&
+\& typedef struct bio_mmsg_cb_args_st {
+\& BIO_MSG *msg;
+\& size_t stride, num_msg;
+\& uint64_t flags;
+\& size_t *msgs_processed;
+\& } BIO_MMSG_CB_ARGS;
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBIO_set_callback_ex()\fR and \fBBIO_get_callback_ex()\fR set and retrieve the \s-1BIO\s0
-callback. The callback is called during most high-level \s-1BIO\s0 operations. It can
-be used for debugging purposes to trace operations on a \s-1BIO\s0 or to modify its
+\&\fBBIO_set_callback_ex()\fR and \fBBIO_get_callback_ex()\fR set and retrieve the BIO
+callback. The callback is called during most high-level BIO operations. It can
+be used for debugging purposes to trace operations on a BIO or to modify its
operation.
.PP
-\&\fBBIO_set_callback()\fR and \fBBIO_get_callback()\fR set and retrieve the old format \s-1BIO\s0
+\&\fBBIO_set_callback()\fR and \fBBIO_get_callback()\fR set and retrieve the old format BIO
callback. New code should not use these functions, but they are retained for
backwards compatibility. Any callback set via \fBBIO_set_callback_ex()\fR will get
called in preference to any set by \fBBIO_set_callback()\fR.
@@ -188,8 +119,8 @@ called in preference to any set by \fBBIO_set_callback()\fR.
used to set and retrieve an argument for use in the callback.
.PP
\&\fBBIO_debug_callback_ex()\fR is a standard debugging callback which prints
-out information relating to each \s-1BIO\s0 operation. If the callback
-argument is set it is interpreted as a \s-1BIO\s0 to send the information
+out information relating to each BIO operation. If the callback
+argument is set it is interpreted as a BIO to send the information
to, otherwise stderr is used. The \fBBIO_debug_callback()\fR function is the
deprecated version of the same callback for use with the old callback
format \fBBIO_set_callback()\fR function.
@@ -197,35 +128,35 @@ format \fBBIO_set_callback()\fR function.
BIO_callback_fn_ex is the type of the callback function and BIO_callback_fn
is the type of the old format callback function. The meaning of each argument
is described below:
-.IP "\fBb\fR" 4
+.IP \fBb\fR 4
.IX Item "b"
-The \s-1BIO\s0 the callback is attached to is passed in \fBb\fR.
-.IP "\fBoper\fR" 4
+The BIO the callback is attached to is passed in \fBb\fR.
+.IP \fBoper\fR 4
.IX Item "oper"
\&\fBoper\fR is set to the operation being performed. For some operations
the callback is called twice, once before and once after the actual
-operation, the latter case has \fBoper\fR or'ed with \s-1BIO_CB_RETURN.\s0
-.IP "\fBlen\fR" 4
+operation, the latter case has \fBoper\fR or'ed with BIO_CB_RETURN.
+.IP \fBlen\fR 4
.IX Item "len"
The length of the data requested to be read or written. This is only useful if
-\&\fBoper\fR is \s-1BIO_CB_READ, BIO_CB_WRITE\s0 or \s-1BIO_CB_GETS.\s0
+\&\fBoper\fR is BIO_CB_READ, BIO_CB_WRITE or BIO_CB_GETS.
.IP "\fBargp\fR \fBargi\fR \fBargl\fR" 4
.IX Item "argp argi argl"
The meaning of the arguments \fBargp\fR, \fBargi\fR and \fBargl\fR depends on
the value of \fBoper\fR, that is the operation being performed.
-.IP "\fBprocessed\fR" 4
+.IP \fBprocessed\fR 4
.IX Item "processed"
\&\fBprocessed\fR is a pointer to a location which will be updated with the amount of
-data that was actually read or written. Only used for \s-1BIO_CB_READ, BIO_CB_WRITE,
-BIO_CB_GETS\s0 and \s-1BIO_CB_PUTS.\s0
-.IP "\fBret\fR" 4
+data that was actually read or written. Only used for BIO_CB_READ, BIO_CB_WRITE,
+BIO_CB_GETS and BIO_CB_PUTS.
+.IP \fBret\fR 4
.IX Item "ret"
\&\fBret\fR is the return value that would be returned to the
application if no callback were present. The actual value returned
is the return value of the callback itself. In the case of callbacks
-called before the actual \s-1BIO\s0 operation 1 is placed in \fBret\fR, if
+called before the actual BIO operation 1 is placed in \fBret\fR, if
the return value is not positive it will be immediately returned to
-the application and the \s-1BIO\s0 operation will not be performed.
+the application and the BIO operation will not be performed.
.PP
The callback should normally simply return \fBret\fR when it has
finished processing, unless it specifically wishes to modify the
@@ -234,7 +165,7 @@ value returned to the application.
.IX Header "CALLBACK OPERATIONS"
In the notes below, \fBcallback\fR defers to the actual callback
function that is called.
-.IP "\fBBIO_free(b)\fR" 4
+.IP \fBBIO_free(b)\fR 4
.IX Item "BIO_free(b)"
.Vb 1
\& callback_ex(b, BIO_CB_FREE, NULL, 0, 0, 0L, 1L, NULL)
@@ -350,7 +281,7 @@ or
.Ve
.Sp
after.
-.IP "\fBBIO_ctrl(\s-1BIO\s0 *b, int cmd, long larg, void *parg)\fR" 4
+.IP "\fBBIO_ctrl(BIO *b, int cmd, long larg, void *parg)\fR" 4
.IX Item "BIO_ctrl(BIO *b, int cmd, long larg, void *parg)"
.Vb 1
\& callback_ex(b, BIO_CB_CTRL, parg, 0, cmd, larg, 1L, NULL)
@@ -376,9 +307,43 @@ or
.Sp
after.
.Sp
-Note: \fBcmd\fR == \fB\s-1BIO_CTRL_SET_CALLBACK\s0\fR is special, because \fBparg\fR is not the
+Note: \fBcmd\fR == \fBBIO_CTRL_SET_CALLBACK\fR is special, because \fBparg\fR is not the
argument of type \fBBIO_info_cb\fR itself. In this case \fBparg\fR is a pointer to
the actual call parameter, see \fBBIO_callback_ctrl\fR.
+.IP "\fBBIO_sendmmsg(BIO *b, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed)\fR" 4
+.IX Item "BIO_sendmmsg(BIO *b, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed)"
+.Vb 1
+\& callback_ex(b, BIO_CB_SENDMMSG, args, 0, 0, 0, 1, NULL)
+.Ve
+.Sp
+or
+.Sp
+.Vb 1
+\& callback(b, BIO_CB_SENDMMSG, args, 0, 0, 1)
+.Ve
+.Sp
+is called before the call and
+.Sp
+.Vb 1
+\& callback_ex(b, BIO_CB_SENDMMSG | BIO_CB_RETURN, args, ret, 0, 0, ret, NULL)
+.Ve
+.Sp
+or
+.Sp
+.Vb 1
+\& callback(b, BIO_CB_SENDMMSG | BIO_CB_RETURN, args, ret, 0, 0, ret)
+.Ve
+.Sp
+after.
+.Sp
+\&\fBargs\fR is a pointer to a \fBBIO_MMSG_CB_ARGS\fR structure containing the arguments
+passed to \fBBIO_sendmmsg()\fR. \fBret\fR is the return value of the \fBBIO_sendmmsg()\fR call.
+The return value of \fBBIO_sendmmsg()\fR is altered to the value returned by the
+\&\fBBIO_CB_SENDMMSG | BIO_CB_RETURN\fR call.
+.IP "\fBBIO_recvmmsg(BIO *b, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed)\fR" 4
+.IX Item "BIO_recvmmsg(BIO *b, BIO_MSG *msg, size_t stride, size_t num_msg, uint64_t flags, size_t *msgs_processed)"
+See the documentation for \fBBIO_sendmmsg()\fR. \fBBIO_recvmmsg()\fR works identically
+except that \fBBIO_CB_RECVMMSG\fR is used instead of \fBBIO_CB_SENDMMSG\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_get_callback_ex()\fR and \fBBIO_get_callback()\fR return the callback function
@@ -388,23 +353,23 @@ respectively.
\&\fBBIO_get_callback_arg()\fR returns a \fBchar\fR pointer to the value previously set
via a call to \fBBIO_set_callback_arg()\fR.
.PP
-\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it's called after specific \s-1BIO\s0
+\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it's called after specific BIO
operations.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The \fBBIO_debug_callback_ex()\fR function is an example, its source is
in crypto/bio/bio_cb.c
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBBIO_debug_callback_ex()\fR function was added in OpenSSL 3.0.
.PP
\&\fBBIO_set_callback()\fR, \fBBIO_get_callback()\fR, and \fBBIO_debug_callback()\fR were
deprecated in OpenSSL 3.0. Use the non-deprecated _ex functions instead.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_should_retry.3 b/secure/lib/libcrypto/man/man3/BIO_should_retry.3
index fd4cdf2f39c9..18636af3781a 100644
--- a/secure/lib/libcrypto/man/man3/BIO_should_retry.3
+++ b/secure/lib/libcrypto/man/man3/BIO_should_retry.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_SHOULD_RETRY 3ossl"
-.TH BIO_SHOULD_RETRY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_SHOULD_RETRY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_should_read, BIO_should_write,
BIO_should_io_special, BIO_retry_type, BIO_should_retry,
BIO_get_retry_BIO, BIO_get_retry_reason, BIO_set_retry_reason \- BIO retry
functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -156,9 +80,9 @@ functions
\& int BIO_get_retry_reason(BIO *bio);
\& void BIO_set_retry_reason(BIO *bio, int reason);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions determine why a \s-1BIO\s0 is not able to read or write data.
+These functions determine why a BIO is not able to read or write data.
They will typically be called after a failed \fBBIO_read_ex()\fR or \fBBIO_write_ex()\fR
call.
.PP
@@ -167,58 +91,58 @@ should then be retried at a later time.
.PP
If \fBBIO_should_retry()\fR is false then the cause is an error condition.
.PP
-\&\fBBIO_should_read()\fR is true if the cause of the condition is that the \s-1BIO\s0
+\&\fBBIO_should_read()\fR is true if the cause of the condition is that the BIO
has insufficient data to return. Check for readability and/or retry the
last operation.
.PP
-\&\fBBIO_should_write()\fR is true if the cause of the condition is that the \s-1BIO\s0
+\&\fBBIO_should_write()\fR is true if the cause of the condition is that the BIO
has pending data to write. Check for writability and/or retry the
last operation.
.PP
-\&\fBBIO_should_io_special()\fR is true if some \*(L"special\*(R" condition, that is a
+\&\fBBIO_should_io_special()\fR is true if some "special" condition, that is a
reason other than reading or writing is the cause of the condition.
.PP
\&\fBBIO_retry_type()\fR returns a mask of the cause of a retry condition
-consisting of the values \fB\s-1BIO_FLAGS_READ\s0\fR, \fB\s-1BIO_FLAGS_WRITE\s0\fR,
-\&\fB\s-1BIO_FLAGS_IO_SPECIAL\s0\fR though current \s-1BIO\s0 types will only set one of
+consisting of the values \fBBIO_FLAGS_READ\fR, \fBBIO_FLAGS_WRITE\fR,
+\&\fBBIO_FLAGS_IO_SPECIAL\fR though current BIO types will only set one of
these.
.PP
\&\fBBIO_get_retry_BIO()\fR determines the precise reason for the special
-condition, it returns the \s-1BIO\s0 that caused this condition and if
-\&\fBreason\fR is not \s-1NULL\s0 it contains the reason code. The meaning of
+condition, it returns the BIO that caused this condition and if
+\&\fBreason\fR is not NULL it contains the reason code. The meaning of
the reason code and the action that should be taken depends on
-the type of \s-1BIO\s0 that resulted in this condition.
+the type of BIO that resulted in this condition.
.PP
\&\fBBIO_get_retry_reason()\fR returns the reason for a special condition if
-passed the relevant \s-1BIO,\s0 for example as returned by \fBBIO_get_retry_BIO()\fR.
+passed the relevant BIO, for example as returned by \fBBIO_get_retry_BIO()\fR.
.PP
\&\fBBIO_set_retry_reason()\fR sets the retry reason for a special condition for a given
-\&\s-1BIO.\s0 This would usually only be called by \s-1BIO\s0 implementations.
-.SH "NOTES"
+BIO. This would usually only be called by BIO implementations.
+.SH NOTES
.IX Header "NOTES"
\&\fBBIO_should_read()\fR, \fBBIO_should_write()\fR, \fBBIO_should_io_special()\fR,
\&\fBBIO_retry_type()\fR, and \fBBIO_should_retry()\fR, are implemented as macros.
.PP
-If \fBBIO_should_retry()\fR returns false then the precise \*(L"error condition\*(R"
-depends on the \s-1BIO\s0 type that caused it and the return code of the \s-1BIO\s0
-operation. For example if a call to \fBBIO_read_ex()\fR on a socket \s-1BIO\s0 returns
+If \fBBIO_should_retry()\fR returns false then the precise "error condition"
+depends on the BIO type that caused it and the return code of the BIO
+operation. For example if a call to \fBBIO_read_ex()\fR on a socket BIO returns
0 and \fBBIO_should_retry()\fR is false then the cause will be that the
-connection closed. A similar condition on a file \s-1BIO\s0 will mean that it
-has reached \s-1EOF.\s0 Some \s-1BIO\s0 types may place additional information on
-the error queue. For more details see the individual \s-1BIO\s0 type manual
+connection closed. A similar condition on a file BIO will mean that it
+has reached EOF. Some BIO types may place additional information on
+the error queue. For more details see the individual BIO type manual
pages.
.PP
If the underlying I/O structure is in a blocking mode almost all current
-\&\s-1BIO\s0 types will not request a retry, because the underlying I/O
-calls will not. If the application knows that the \s-1BIO\s0 type will never
+BIO types will not request a retry, because the underlying I/O
+calls will not. If the application knows that the BIO type will never
signal a retry then it need not call \fBBIO_should_retry()\fR after a failed
-\&\s-1BIO I/O\s0 call. This is typically done with file BIOs.
+BIO I/O call. This is typically done with file BIOs.
.PP
-\&\s-1SSL\s0 BIOs are the only current exception to this rule: they can request a
+SSL BIOs are the only current exception to this rule: they can request a
retry even if the underlying I/O structure is blocking, if a handshake
occurs during a call to \fBBIO_read()\fR. An application can retry the failed
-call immediately or avoid this situation by setting \s-1SSL_MODE_AUTO_RETRY\s0
-on the underlying \s-1SSL\s0 structure.
+call immediately or avoid this situation by setting SSL_MODE_AUTO_RETRY
+on the underlying SSL structure.
.PP
While an application may retry a failed non blocking call immediately
this is likely to be very inefficient because the call will fail
@@ -228,47 +152,47 @@ this is done depends on the underlying I/O structure.
.PP
For example if the cause is ultimately a socket and \fBBIO_should_read()\fR
is true then a call to \fBselect()\fR may be made to wait until data is
-available and then retry the \s-1BIO\s0 operation. By combining the retry
+available and then retry the BIO operation. By combining the retry
conditions of several non blocking BIOs in a single \fBselect()\fR call
it is possible to service several BIOs in a single thread, though
-the performance may be poor if \s-1SSL\s0 BIOs are present because long delays
+the performance may be poor if SSL BIOs are present because long delays
can occur during the initial handshake process.
.PP
-It is possible for a \s-1BIO\s0 to block indefinitely if the underlying I/O
+It is possible for a BIO to block indefinitely if the underlying I/O
structure cannot process or return any data. This depends on the behaviour of
the platforms I/O functions. This is often not desirable: one solution
is to use non blocking I/O and use a timeout on the \fBselect()\fR (or
equivalent) call.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The OpenSSL \s-1ASN1\s0 functions cannot gracefully deal with non blocking I/O:
+The OpenSSL ASN1 functions cannot gracefully deal with non blocking I/O:
that is they cannot retry after a partial read or write. This is usually
-worked around by only passing the relevant data to \s-1ASN1\s0 functions when
+worked around by only passing the relevant data to ASN1 functions when
the entire structure can be read or written.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_should_read()\fR, \fBBIO_should_write()\fR, \fBBIO_should_io_special()\fR, and
\&\fBBIO_should_retry()\fR return either 1 or 0 based on the actual conditions
-of the \fB\s-1BIO\s0\fR.
+of the \fBBIO\fR.
.PP
\&\fBBIO_retry_type()\fR returns a flag combination presenting the cause of a retry
condition or false if there is no retry condition.
.PP
-\&\fBBIO_get_retry_BIO()\fR returns a valid \fB\s-1BIO\s0\fR structure.
+\&\fBBIO_get_retry_BIO()\fR returns a valid \fBBIO\fR structure.
.PP
\&\fBBIO_get_retry_reason()\fR returns the reason for a special condition.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBBIO_get_retry_reason()\fR and \fBBIO_set_retry_reason()\fR functions were added in
OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_socket_wait.3 b/secure/lib/libcrypto/man/man3/BIO_socket_wait.3
index e12573239aa7..1c6725beb46d 100644
--- a/secure/lib/libcrypto/man/man3/BIO_socket_wait.3
+++ b/secure/lib/libcrypto/man/man3/BIO_socket_wait.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_SOCKET_WAIT 3ossl"
-.TH BIO_SOCKET_WAIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO_SOCKET_WAIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BIO_socket_wait,
BIO_wait,
BIO_do_connect_retry
\&\- BIO connection utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
@@ -152,7 +76,7 @@ BIO_do_connect_retry
\& int BIO_wait(BIO *bio, time_t max_time, unsigned int nap_milliseconds);
\& int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBIO_socket_wait()\fR waits on the socket \fBfd\fR for reading if \fBfor_read\fR is not 0,
else for writing, at most until \fBmax_time\fR.
@@ -184,15 +108,15 @@ return \-1 on error, 0 on timeout, and 1 on success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_do_connect\fR\|(3), \fBBIO_read\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBIO_socket_wait()\fR, \fBBIO_wait()\fR, and \fBBIO_do_connect_retry()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3
index 56ea0703331f..606af8f2f9d6 100644
--- a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3
+++ b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_BLINDING_NEW 3ossl"
-.TH BN_BLINDING_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_BLINDING_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert,
BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex,
BN_BLINDING_is_current_thread, BN_BLINDING_set_current_thread,
BN_BLINDING_lock, BN_BLINDING_unlock, BN_BLINDING_get_flags,
BN_BLINDING_set_flags, BN_BLINDING_create_param \- blinding related BIGNUM functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -173,84 +97,84 @@ BN_BLINDING_set_flags, BN_BLINDING_create_param \- blinding related BIGNUM funct
\& BN_MONT_CTX *m_ctx),
\& BN_MONT_CTX *m_ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBN_BLINDING_new()\fR allocates a new \fB\s-1BN_BLINDING\s0\fR structure and copies
-the \fBA\fR and \fBAi\fR values into the newly created \fB\s-1BN_BLINDING\s0\fR object.
+\&\fBBN_BLINDING_new()\fR allocates a new \fBBN_BLINDING\fR structure and copies
+the \fBA\fR and \fBAi\fR values into the newly created \fBBN_BLINDING\fR object.
.PP
-\&\fBBN_BLINDING_free()\fR frees the \fB\s-1BN_BLINDING\s0\fR structure.
-If \fBb\fR is \s-1NULL,\s0 nothing is done.
+\&\fBBN_BLINDING_free()\fR frees the \fBBN_BLINDING\fR structure.
+If \fBb\fR is NULL, nothing is done.
.PP
-\&\fBBN_BLINDING_update()\fR updates the \fB\s-1BN_BLINDING\s0\fR parameters by squaring
+\&\fBBN_BLINDING_update()\fR updates the \fBBN_BLINDING\fR parameters by squaring
the \fBA\fR and \fBAi\fR or, after specific number of uses and if the
necessary parameters are set, by re-creating the blinding parameters.
.PP
\&\fBBN_BLINDING_convert_ex()\fR multiplies \fBn\fR with the blinding factor \fBA\fR.
-If \fBr\fR is not \s-1NULL\s0 a copy the inverse blinding factor \fBAi\fR will be
-returned in \fBr\fR (this is useful if a \fB\s-1RSA\s0\fR object is shared among
+If \fBr\fR is not NULL a copy the inverse blinding factor \fBAi\fR will be
+returned in \fBr\fR (this is useful if a \fBRSA\fR object is shared among
several threads). \fBBN_BLINDING_invert_ex()\fR multiplies \fBn\fR with the
-inverse blinding factor \fBAi\fR. If \fBr\fR is not \s-1NULL\s0 it will be used as
+inverse blinding factor \fBAi\fR. If \fBr\fR is not NULL it will be used as
the inverse blinding.
.PP
\&\fBBN_BLINDING_convert()\fR and \fBBN_BLINDING_invert()\fR are wrapper
functions for \fBBN_BLINDING_convert_ex()\fR and \fBBN_BLINDING_invert_ex()\fR
-with \fBr\fR set to \s-1NULL.\s0
+with \fBr\fR set to NULL.
.PP
-\&\fBBN_BLINDING_is_current_thread()\fR returns whether the \fB\s-1BN_BLINDING\s0\fR
+\&\fBBN_BLINDING_is_current_thread()\fR returns whether the \fBBN_BLINDING\fR
structure is owned by the current thread. This is to help users
provide proper locking if needed for multi-threaded use.
.PP
\&\fBBN_BLINDING_set_current_thread()\fR sets the current thread as the
-owner of the \fB\s-1BN_BLINDING\s0\fR structure.
+owner of the \fBBN_BLINDING\fR structure.
.PP
-\&\fBBN_BLINDING_lock()\fR locks the \fB\s-1BN_BLINDING\s0\fR structure.
+\&\fBBN_BLINDING_lock()\fR locks the \fBBN_BLINDING\fR structure.
.PP
-\&\fBBN_BLINDING_unlock()\fR unlocks the \fB\s-1BN_BLINDING\s0\fR structure.
+\&\fBBN_BLINDING_unlock()\fR unlocks the \fBBN_BLINDING\fR structure.
.PP
-\&\fBBN_BLINDING_get_flags()\fR returns the \s-1BN_BLINDING\s0 flags. Currently
-there are two supported flags: \fB\s-1BN_BLINDING_NO_UPDATE\s0\fR and
-\&\fB\s-1BN_BLINDING_NO_RECREATE\s0\fR. \fB\s-1BN_BLINDING_NO_UPDATE\s0\fR inhibits the
-automatic update of the \fB\s-1BN_BLINDING\s0\fR parameters after each use
-and \fB\s-1BN_BLINDING_NO_RECREATE\s0\fR inhibits the automatic re-creation
-of the \fB\s-1BN_BLINDING\s0\fR parameters after a fixed number of uses (currently
-32). In newly allocated \fB\s-1BN_BLINDING\s0\fR objects no flags are set.
-\&\fBBN_BLINDING_set_flags()\fR sets the \fB\s-1BN_BLINDING\s0\fR parameters flags.
+\&\fBBN_BLINDING_get_flags()\fR returns the BN_BLINDING flags. Currently
+there are two supported flags: \fBBN_BLINDING_NO_UPDATE\fR and
+\&\fBBN_BLINDING_NO_RECREATE\fR. \fBBN_BLINDING_NO_UPDATE\fR inhibits the
+automatic update of the \fBBN_BLINDING\fR parameters after each use
+and \fBBN_BLINDING_NO_RECREATE\fR inhibits the automatic re-creation
+of the \fBBN_BLINDING\fR parameters after a fixed number of uses (currently
+32). In newly allocated \fBBN_BLINDING\fR objects no flags are set.
+\&\fBBN_BLINDING_set_flags()\fR sets the \fBBN_BLINDING\fR parameters flags.
.PP
-\&\fBBN_BLINDING_create_param()\fR creates new \fB\s-1BN_BLINDING\s0\fR parameters
+\&\fBBN_BLINDING_create_param()\fR creates new \fBBN_BLINDING\fR parameters
using the exponent \fBe\fR and the modulus \fBm\fR. \fBbn_mod_exp\fR and
\&\fBm_ctx\fR can be used to pass special functions for exponentiation
-(normally \fBBN_mod_exp_mont()\fR and \fB\s-1BN_MONT_CTX\s0\fR).
+(normally \fBBN_mod_exp_mont()\fR and \fBBN_MONT_CTX\fR).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBN_BLINDING_new()\fR returns the newly allocated \fB\s-1BN_BLINDING\s0\fR structure
-or \s-1NULL\s0 in case of an error.
+\&\fBBN_BLINDING_new()\fR returns the newly allocated \fBBN_BLINDING\fR structure
+or NULL in case of an error.
.PP
\&\fBBN_BLINDING_update()\fR, \fBBN_BLINDING_convert()\fR, \fBBN_BLINDING_invert()\fR,
\&\fBBN_BLINDING_convert_ex()\fR and \fBBN_BLINDING_invert_ex()\fR return 1 on
success and 0 if an error occurred.
.PP
\&\fBBN_BLINDING_is_current_thread()\fR returns 1 if the current thread owns
-the \fB\s-1BN_BLINDING\s0\fR object, 0 otherwise.
+the \fBBN_BLINDING\fR object, 0 otherwise.
.PP
\&\fBBN_BLINDING_set_current_thread()\fR doesn't return anything.
.PP
\&\fBBN_BLINDING_lock()\fR, \fBBN_BLINDING_unlock()\fR return 1 if the operation
succeeded or 0 on error.
.PP
-\&\fBBN_BLINDING_get_flags()\fR returns the currently set \fB\s-1BN_BLINDING\s0\fR flags
+\&\fBBN_BLINDING_get_flags()\fR returns the currently set \fBBN_BLINDING\fR flags
(a \fBunsigned long\fR value).
.PP
-\&\fBBN_BLINDING_create_param()\fR returns the newly created \fB\s-1BN_BLINDING\s0\fR
-parameters or \s-1NULL\s0 on error.
-.SH "HISTORY"
+\&\fBBN_BLINDING_create_param()\fR returns the newly created \fBBN_BLINDING\fR
+parameters or NULL on error.
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBN_BLINDING_thread_id()\fR was first introduced in OpenSSL 1.0.0, and it
deprecates \fBBN_BLINDING_set_thread_id()\fR and \fBBN_BLINDING_get_thread_id()\fR.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2005\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2005\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_new.3 b/secure/lib/libcrypto/man/man3/BN_CTX_new.3
index 5fe3a68e0972..f31578d39061 100644
--- a/secure/lib/libcrypto/man/man3/BN_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/BN_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_CTX_NEW 3ossl"
-.TH BN_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_CTX_new_ex, BN_CTX_new, BN_CTX_secure_new_ex, BN_CTX_secure_new, BN_CTX_free
\&\- allocate and free BN_CTX structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -152,38 +76,38 @@ BN_CTX_new_ex, BN_CTX_new, BN_CTX_secure_new_ex, BN_CTX_secure_new, BN_CTX_free
\&
\& void BN_CTX_free(BN_CTX *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A \fB\s-1BN_CTX\s0\fR is a structure that holds \fB\s-1BIGNUM\s0\fR temporary variables used by
-library functions. Since dynamic memory allocation to create \fB\s-1BIGNUM\s0\fRs
+A \fBBN_CTX\fR is a structure that holds \fBBIGNUM\fR temporary variables used by
+library functions. Since dynamic memory allocation to create \fBBIGNUM\fRs
is rather expensive when used in conjunction with repeated subroutine
-calls, the \fB\s-1BN_CTX\s0\fR structure is used.
+calls, the \fBBN_CTX\fR structure is used.
.PP
-\&\fBBN_CTX_new_ex()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR structure for the given
-library context \fBctx\fR. The <ctx> value may be \s-1NULL\s0 in which case the default
+\&\fBBN_CTX_new_ex()\fR allocates and initializes a \fBBN_CTX\fR structure for the given
+library context \fBctx\fR. The <ctx> value may be NULL in which case the default
library context will be used. \fBBN_CTX_new()\fR is the same as \fBBN_CTX_new_ex()\fR except
that the default library context is always used.
.PP
-\&\fBBN_CTX_secure_new_ex()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR structure
+\&\fBBN_CTX_secure_new_ex()\fR allocates and initializes a \fBBN_CTX\fR structure
but uses the secure heap (see \fBCRYPTO_secure_malloc\fR\|(3)) to hold the
-\&\fB\s-1BIGNUM\s0\fRs for the given library context \fBctx\fR. The <ctx> value may be \s-1NULL\s0 in
+\&\fBBIGNUM\fRs for the given library context \fBctx\fR. The <ctx> value may be NULL in
which case the default library context will be used. \fBBN_CTX_secure_new()\fR is the
same as \fBBN_CTX_secure_new_ex()\fR except that the default library context is always
used.
.PP
-\&\fBBN_CTX_free()\fR frees the components of the \fB\s-1BN_CTX\s0\fR and the structure itself.
-Since \fBBN_CTX_start()\fR is required in order to obtain \fB\s-1BIGNUM\s0\fRs from the
-\&\fB\s-1BN_CTX\s0\fR, in most cases \fBBN_CTX_end()\fR must be called before the \fB\s-1BN_CTX\s0\fR may
-be freed by \fBBN_CTX_free()\fR. If \fBc\fR is \s-1NULL,\s0 nothing is done.
+\&\fBBN_CTX_free()\fR frees the components of the \fBBN_CTX\fR and the structure itself.
+Since \fBBN_CTX_start()\fR is required in order to obtain \fBBIGNUM\fRs from the
+\&\fBBN_CTX\fR, in most cases \fBBN_CTX_end()\fR must be called before the \fBBN_CTX\fR may
+be freed by \fBBN_CTX_free()\fR. If \fBc\fR is NULL, nothing is done.
.PP
-A given \fB\s-1BN_CTX\s0\fR must only be used by a single thread of execution. No
+A given \fBBN_CTX\fR must only be used by a single thread of execution. No
locking is performed, and the internal pool allocator will not properly handle
multiple threads of execution.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBN_CTX_new()\fR and \fBBN_CTX_secure_new()\fR return a pointer to the \fB\s-1BN_CTX\s0\fR.
+\&\fBBN_CTX_new()\fR and \fBBN_CTX_secure_new()\fR return a pointer to the \fBBN_CTX\fR.
If the allocation fails,
-they return \fB\s-1NULL\s0\fR and sets an error code that can be obtained by
+they return \fBNULL\fR and sets an error code that can be obtained by
\&\fBERR_get_error\fR\|(3).
.PP
\&\fBBN_CTX_free()\fR has no return values.
@@ -208,14 +132,14 @@ replace use of BN_CTX_init with BN_CTX_new instead:
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3),
\&\fBBN_CTX_start\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBN_CTX_init()\fR was removed in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_start.3 b/secure/lib/libcrypto/man/man3/BN_CTX_start.3
index aa87e851e192..8a2292b2a6ec 100644
--- a/secure/lib/libcrypto/man/man3/BN_CTX_start.3
+++ b/secure/lib/libcrypto/man/man3/BN_CTX_start.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_CTX_START 3ossl"
-.TH BN_CTX_START 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_CTX_START 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_CTX_start, BN_CTX_get, BN_CTX_end \- use temporary BIGNUM variables
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -149,39 +73,39 @@ BN_CTX_start, BN_CTX_get, BN_CTX_end \- use temporary BIGNUM variables
\&
\& void BN_CTX_end(BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions are used to obtain temporary \fB\s-1BIGNUM\s0\fR variables from
-a \fB\s-1BN_CTX\s0\fR (which can been created by using \fBBN_CTX_new\fR\|(3))
+These functions are used to obtain temporary \fBBIGNUM\fR variables from
+a \fBBN_CTX\fR (which can been created by using \fBBN_CTX_new\fR\|(3))
in order to save the overhead of repeatedly creating and
-freeing \fB\s-1BIGNUM\s0\fRs in functions that are called from inside a loop.
+freeing \fBBIGNUM\fRs in functions that are called from inside a loop.
.PP
A function must call \fBBN_CTX_start()\fR first. Then, \fBBN_CTX_get()\fR may be
-called repeatedly to obtain temporary \fB\s-1BIGNUM\s0\fRs. All \fBBN_CTX_get()\fR
+called repeatedly to obtain temporary \fBBIGNUM\fRs. All \fBBN_CTX_get()\fR
calls must be made before calling any other functions that use the
\&\fBctx\fR as an argument.
.PP
Finally, \fBBN_CTX_end()\fR must be called before returning from the function.
-If \fBctx\fR is \s-1NULL,\s0 nothing is done.
-When \fBBN_CTX_end()\fR is called, the \fB\s-1BIGNUM\s0\fR pointers obtained from
+If \fBctx\fR is NULL, nothing is done.
+When \fBBN_CTX_end()\fR is called, the \fBBIGNUM\fR pointers obtained from
\&\fBBN_CTX_get()\fR become invalid.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_CTX_start()\fR and \fBBN_CTX_end()\fR return no values.
.PP
-\&\fBBN_CTX_get()\fR returns a pointer to the \fB\s-1BIGNUM\s0\fR, or \fB\s-1NULL\s0\fR on error.
-Once \fBBN_CTX_get()\fR has failed, the subsequent calls will return \fB\s-1NULL\s0\fR
+\&\fBBN_CTX_get()\fR returns a pointer to the \fBBIGNUM\fR, or \fBNULL\fR on error.
+Once \fBBN_CTX_get()\fR has failed, the subsequent calls will return \fBNULL\fR
as well, so it is sufficient to check the return value of the last
\&\fBBN_CTX_get()\fR call. In case of an error, an error code is set, which
can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_CTX_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_add.3 b/secure/lib/libcrypto/man/man3/BN_add.3
index de37c8231ce7..df638c572624 100644
--- a/secure/lib/libcrypto/man/man3/BN_add.3
+++ b/secure/lib/libcrypto/man/man3/BN_add.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_ADD 3ossl"
-.TH BN_ADD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_ADD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd \-
arithmetic operations on BIGNUMs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -149,9 +73,9 @@ arithmetic operations on BIGNUMs
\&
\& int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
\&
-\& int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+\& int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
\&
-\& int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
+\& int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
\&
\& int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
\& BN_CTX *ctx);
@@ -160,50 +84,50 @@ arithmetic operations on BIGNUMs
\&
\& int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
\&
-\& int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+\& int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
\& BN_CTX *ctx);
\&
-\& int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+\& int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
\& BN_CTX *ctx);
\&
-\& int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
+\& int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
\& BN_CTX *ctx);
\&
-\& int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+\& int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
\&
-\& BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+\& BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
\&
-\& int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+\& int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
\&
-\& int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+\& int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
\& const BIGNUM *m, BN_CTX *ctx);
\&
-\& int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+\& int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_add()\fR adds \fIa\fR and \fIb\fR and places the result in \fIr\fR (\f(CW\*(C`r=a+b\*(C'\fR).
-\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR.
+\&\fIr\fR may be the same \fBBIGNUM\fR as \fIa\fR or \fIb\fR.
.PP
\&\fBBN_sub()\fR subtracts \fIb\fR from \fIa\fR and places the result in \fIr\fR (\f(CW\*(C`r=a\-b\*(C'\fR).
-\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR.
+\&\fIr\fR may be the same \fBBIGNUM\fR as \fIa\fR or \fIb\fR.
.PP
\&\fBBN_mul()\fR multiplies \fIa\fR and \fIb\fR and places the result in \fIr\fR (\f(CW\*(C`r=a*b\*(C'\fR).
-\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR.
+\&\fIr\fR may be the same \fBBIGNUM\fR as \fIa\fR or \fIb\fR.
For multiplication by powers of 2, use \fBBN_lshift\fR\|(3).
.PP
\&\fBBN_sqr()\fR takes the square of \fIa\fR and places the result in \fIr\fR
-(\f(CW\*(C`r=a^2\*(C'\fR). \fIr\fR and \fIa\fR may be the same \fB\s-1BIGNUM\s0\fR.
+(\f(CW\*(C`r=a^2\*(C'\fR). \fIr\fR and \fIa\fR may be the same \fBBIGNUM\fR.
This function is faster than BN_mul(r,a,a).
.PP
\&\fBBN_div()\fR divides \fIa\fR by \fId\fR and places the result in \fIdv\fR and the
remainder in \fIrem\fR (\f(CW\*(C`dv=a/d, rem=a%d\*(C'\fR). Either of \fIdv\fR and \fIrem\fR may
-be \fB\s-1NULL\s0\fR, in which case the respective value is not returned.
+be \fBNULL\fR, in which case the respective value is not returned.
The result is rounded towards zero; thus if \fIa\fR is negative, the
remainder will be zero or negative.
For division by powers of 2, use \fBBN_rshift\fR\|(3).
.PP
-\&\fBBN_mod()\fR corresponds to \fBBN_div()\fR with \fIdv\fR set to \fB\s-1NULL\s0\fR.
+\&\fBBN_mod()\fR corresponds to \fBBN_div()\fR with \fIdv\fR set to \fBNULL\fR.
.PP
\&\fBBN_nnmod()\fR reduces \fIa\fR modulo \fIm\fR and places the nonnegative
remainder in \fIr\fR.
@@ -216,7 +140,7 @@ nonnegative result in \fIr\fR.
.PP
\&\fBBN_mod_mul()\fR multiplies \fIa\fR by \fIb\fR and finds the nonnegative
remainder respective to modulus \fIm\fR (\f(CW\*(C`r=(a*b) mod m\*(C'\fR). \fIr\fR may be
-the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR. For more efficient algorithms for
+the same \fBBIGNUM\fR as \fIa\fR or \fIb\fR. For more efficient algorithms for
repeated computations using the same modulus, see
\&\fBBN_mod_mul_montgomery\fR\|(3) and
\&\fBBN_mod_mul_reciprocal\fR\|(3).
@@ -226,8 +150,8 @@ result in \fIr\fR.
.PP
\&\fBBN_mod_sqrt()\fR returns the modular square root of \fIa\fR such that
\&\f(CW\*(C`in^2 = a (mod p)\*(C'\fR. The modulus \fIp\fR must be a
-prime, otherwise an error or an incorrect \*(L"result\*(R" will be returned.
-The result is stored into \fIin\fR which can be \s-1NULL.\s0 The result will be
+prime, otherwise an error or an incorrect "result" will be returned.
+The result is stored into \fIin\fR which can be NULL. The result will be
newly allocated in that case.
.PP
\&\fBBN_exp()\fR raises \fIa\fR to the \fIp\fR\-th power and places the result in \fIr\fR
@@ -237,21 +161,25 @@ newly allocated in that case.
\&\fBBN_mod_exp()\fR computes \fIa\fR to the \fIp\fR\-th power modulo \fIm\fR (\f(CW\*(C`r=a^p %
m\*(C'\fR). This function uses less time and space than \fBBN_exp()\fR. Do not call this
function when \fBm\fR is even and any of the parameters have the
-\&\fB\s-1BN_FLG_CONSTTIME\s0\fR flag set.
+\&\fBBN_FLG_CONSTTIME\fR flag set.
.PP
\&\fBBN_gcd()\fR computes the greatest common divisor of \fIa\fR and \fIb\fR and
-places the result in \fIr\fR. \fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or
+places the result in \fIr\fR. \fIr\fR may be the same \fBBIGNUM\fR as \fIa\fR or
\&\fIb\fR.
.PP
-For all functions, \fIctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for
+For all functions, \fIctx\fR is a previously allocated \fBBN_CTX\fR used for
temporary variables; see \fBBN_CTX_new\fR\|(3).
.PP
-Unless noted otherwise, the result \fB\s-1BIGNUM\s0\fR must be different from
+Unless noted otherwise, the result \fBBIGNUM\fR must be different from
the arguments.
+.SH NOTES
+.IX Header "NOTES"
+For modular operations such as \fBBN_nnmod()\fR or \fBBN_mod_exp()\fR it is an error
+to use the same \fBBIGNUM\fR object for the modulus as for the output.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBBN_mod_sqrt()\fR returns the result (possibly incorrect if \fIp\fR is
-not a prime), or \s-1NULL.\s0
+not a prime), or NULL.
.PP
For all remaining functions, 1 is returned for success, 0 on error. The return
value should always be checked (e.g., \f(CW\*(C`if (!BN_add(r,a,b)) goto err;\*(C'\fR).
@@ -260,11 +188,11 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_CTX_new\fR\|(3),
\&\fBBN_add_word\fR\|(3), \fBBN_set_bit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_add_word.3 b/secure/lib/libcrypto/man/man3/BN_add_word.3
index 6149484f0a3a..b84b8e3ecfb2 100644
--- a/secure/lib/libcrypto/man/man3/BN_add_word.3
+++ b/secure/lib/libcrypto/man/man3/BN_add_word.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_ADD_WORD 3ossl"
-.TH BN_ADD_WORD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_ADD_WORD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word \- arithmetic
functions on BIGNUMs with integers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -154,10 +78,10 @@ functions on BIGNUMs with integers
\&
\& BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions perform arithmetic operations on BIGNUMs with unsigned
-integers. They are much more efficient than the normal \s-1BIGNUM\s0
+integers. They are much more efficient than the normal BIGNUM
arithmetic operations.
.PP
\&\fBBN_add_word()\fR adds \fBw\fR to \fBa\fR (\f(CW\*(C`a+=w\*(C'\fR).
@@ -177,15 +101,15 @@ For \fBBN_div_word()\fR and \fBBN_mod_word()\fR, \fBw\fR must not be 0.
on error. The error codes can be obtained by \fBERR_get_error\fR\|(3).
.PP
\&\fBBN_mod_word()\fR and \fBBN_div_word()\fR return \fBa\fR%\fBw\fR on success and
-\&\fB(\s-1BN_ULONG\s0)\-1\fR if an error occurred.
+\&\fB(BN_ULONG)\-1\fR if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_bn2bin.3 b/secure/lib/libcrypto/man/man3/BN_bn2bin.3
index f68d065f643f..fa14ca5b6bcf 100644
--- a/secure/lib/libcrypto/man/man3/BN_bn2bin.3
+++ b/secure/lib/libcrypto/man/man3/BN_bn2bin.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,93 +52,40 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_BN2BIN 3ossl"
-.TH BN_BN2BIN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_BN2BIN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-BN_bn2binpad,
-BN_bn2bin, BN_bin2bn, BN_bn2lebinpad, BN_lebin2bn,
-BN_bn2nativepad, BN_native2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn,
+.SH NAME
+BN_bn2binpad, BN_signed_bn2bin, BN_bn2bin, BN_bin2bn, BN_signed_bin2bn,
+BN_bn2lebinpad, BN_signed_bn2lebin, BN_lebin2bn, BN_signed_lebin2bn,
+BN_bn2nativepad, BN_signed_bn2native, BN_native2bn, BN_signed_native2bn,
+BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn,
BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_bn2bin(const BIGNUM *a, unsigned char *to);
\& int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
+\& int BN_signed_bn2bin(const BIGNUM *a, unsigned char *to, int tolen);
\& BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+\& BIGNUM *BN_signed_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
\&
\& int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen);
+\& int BN_signed_bn2lebin(const BIGNUM *a, unsigned char *to, int tolen);
\& BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret);
+\& BIGNUM *BN_signed_lebin2bn(const unsigned char *s, int len, BIGNUM *ret);
\&
\& int BN_bn2nativepad(const BIGNUM *a, unsigned char *to, int tolen);
+\& int BN_signed_bn2native(const BIGNUM *a, unsigned char *to, int tolen);
\& BIGNUM *BN_native2bn(const unsigned char *s, int len, BIGNUM *ret);
+\& BIGNUM *BN_signed_native2bn(const unsigned char *s, int len, BIGNUM *ret);
\&
\& char *BN_bn2hex(const BIGNUM *a);
\& char *BN_bn2dec(const BIGNUM *a);
@@ -167,28 +98,40 @@ BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions
\& int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
\& BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_bn2bin()\fR converts the absolute value of \fBa\fR into big-endian form
and stores it at \fBto\fR. \fBto\fR must point to BN_num_bytes(\fBa\fR) bytes of
-memory.
+memory. \fBa\fR and \fBto\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big-endian form
and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer
\&\fBto\fR. The result is padded with zeros if necessary. If \fBtolen\fR is less than
BN_num_bytes(\fBa\fR) an error is returned.
.PP
+\&\fBBN_signed_bn2bin()\fR converts the value of \fBa\fR into big-endian signed 2's
+complements form and stores it at \fBto\fR. \fBtolen\fR indicates the length of
+the output buffer \fBto\fR. The result is signed extended (padded with 0x00
+for positive numbers or with 0xff for negative numbers) if necessary.
+If \fBtolen\fR is smaller than the necessary size (which may be
+\&\f(CW\*(C`<BN_num_bytes(\fR\f(CBa\fR\f(CW) + 1\*(C'\fR>), an error is returned.
+.PP
\&\fBBN_bin2bn()\fR converts the positive integer in big-endian form of length
-\&\fBlen\fR at \fBs\fR into a \fB\s-1BIGNUM\s0\fR and places it in \fBret\fR. If \fBret\fR is
-\&\s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created.
+\&\fBlen\fR at \fBs\fR into a \fBBIGNUM\fR and places it in \fBret\fR. If \fBret\fR is
+NULL, a new \fBBIGNUM\fR is created. \fBs\fR \fBMUST NOT\fR be NULL.
+.PP
+\&\fBBN_signed_bin2bn()\fR converts the integer in big-endian signed 2's complement
+form of length \fBlen\fR at \fBs\fR into a \fBBIGNUM\fR and places it in \fBret\fR. If
+\&\fBret\fR is NULL, a new \fBBIGNUM\fR is created.
.PP
-\&\fBBN_bn2lebinpad()\fR and \fBBN_lebin2bn()\fR are identical to \fBBN_bn2binpad()\fR and
-\&\fBBN_bin2bn()\fR except the buffer is in little-endian format.
+\&\fBBN_bn2lebinpad()\fR, \fBBN_signed_bn2lebin()\fR and \fBBN_lebin2bn()\fR are identical to
+\&\fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR and \fBBN_bin2bn()\fR except the buffer is in
+little-endian format.
.PP
-\&\fBBN_bn2nativepad()\fR and \fBBN_native2bn()\fR are identical to \fBBN_bn2binpad()\fR and
-\&\fBBN_bin2bn()\fR except the buffer is in native format, i.e. most significant
-byte first on big-endian platforms, and least significant byte first on
-little-endian platforms.
+\&\fBBN_bn2nativepad()\fR, \fBBN_signed_bn2native()\fR and \fBBN_native2bn()\fR are identical
+to \fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR and \fBBN_bin2bn()\fR except the buffer is
+in native format, i.e. most significant byte first on big-endian platforms,
+and least significant byte first on little-endian platforms.
.PP
\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return printable strings containing the
hexadecimal and decimal encoding of \fBa\fR respectively. For negative
@@ -197,46 +140,47 @@ freed later using \fBOPENSSL_free()\fR.
.PP
\&\fBBN_hex2bn()\fR takes as many characters as possible from the string \fBstr\fR,
including the leading character '\-' which means negative, to form a valid
-hexadecimal number representation and converts them to a \fB\s-1BIGNUM\s0\fR and
-stores it in **\fBa\fR. If *\fBa\fR is \s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created. If
-\&\fBa\fR is \s-1NULL,\s0 it only computes the length of valid representation.
-A \*(L"negative zero\*(R" is converted to zero.
+hexadecimal number representation and converts them to a \fBBIGNUM\fR and
+stores it in **\fBa\fR. If *\fBa\fR is NULL, a new \fBBIGNUM\fR is created. If
+\&\fBa\fR is NULL, it only computes the length of valid representation.
+A "negative zero" is converted to zero.
\&\fBBN_dec2bn()\fR is the same using the decimal system.
.PP
\&\fBBN_print()\fR and \fBBN_print_fp()\fR write the hexadecimal encoding of \fBa\fR,
-with a leading '\-' for negative numbers, to the \fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR
+with a leading '\-' for negative numbers, to the \fBBIO\fR or \fBFILE\fR
\&\fBfp\fR.
.PP
-\&\fBBN_bn2mpi()\fR and \fBBN_mpi2bn()\fR convert \fB\s-1BIGNUM\s0\fRs from and to a format
+\&\fBBN_bn2mpi()\fR and \fBBN_mpi2bn()\fR convert \fBBIGNUM\fRs from and to a format
that consists of the number's length in bytes represented as a 4\-byte
big-endian number, and the number itself in big-endian format, where
the most significant bit signals a negative number (the representation
-of numbers with the \s-1MSB\s0 set is prefixed with null byte).
+of numbers with the MSB set is prefixed with null byte).
.PP
\&\fBBN_bn2mpi()\fR stores the representation of \fBa\fR at \fBto\fR, where \fBto\fR
must be large enough to hold the result. The size can be determined by
-calling BN_bn2mpi(\fBa\fR, \s-1NULL\s0).
+calling BN_bn2mpi(\fBa\fR, NULL).
.PP
\&\fBBN_mpi2bn()\fR converts the \fBlen\fR bytes long representation at \fBs\fR to
-a \fB\s-1BIGNUM\s0\fR and stores it at \fBret\fR, or in a newly allocated \fB\s-1BIGNUM\s0\fR
-if \fBret\fR is \s-1NULL.\s0
+a \fBBIGNUM\fR and stores it at \fBret\fR, or in a newly allocated \fBBIGNUM\fR
+if \fBret\fR is NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_bn2bin()\fR returns the length of the big-endian number placed at \fBto\fR.
-\&\fBBN_bin2bn()\fR returns the \fB\s-1BIGNUM\s0\fR, \s-1NULL\s0 on error.
+\&\fBBN_bin2bn()\fR returns the \fBBIGNUM\fR, NULL on error.
.PP
-\&\fBBN_bn2binpad()\fR, \fBBN_bn2lebinpad()\fR, and \fBBN_bn2nativepad()\fR return the number of bytes written or \-1 if the supplied
-buffer is too small.
+\&\fBBN_bn2binpad()\fR, \fBBN_signed_bn2bin()\fR, \fBBN_bn2lebinpad()\fR, \fBBN_signed_bn2lebin()\fR,
+\&\fBBN_bn2nativepad()\fR, and_signed \fBBN_bn2native()\fR return the number of bytes
+written or \-1 if the supplied buffer is too small.
.PP
-\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a NUL-terminated string, or \s-1NULL\s0
+\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a NUL-terminated string, or NULL
on error. \fBBN_hex2bn()\fR and \fBBN_dec2bn()\fR return the number of characters
used in parsing, or 0 on error, in which
-case no new \fB\s-1BIGNUM\s0\fR will be created.
+case no new \fBBIGNUM\fR will be created.
.PP
\&\fBBN_print_fp()\fR and \fBBN_print()\fR return 1 on success, 0 on write errors.
.PP
\&\fBBN_bn2mpi()\fR returns the length of the representation. \fBBN_mpi2bn()\fR
-returns the \fB\s-1BIGNUM\s0\fR, and \s-1NULL\s0 on error.
+returns the \fBBIGNUM\fR, and NULL on error.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
@@ -244,11 +188,16 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
\&\fBERR_get_error\fR\|(3), \fBBN_zero\fR\|(3),
\&\fBASN1_INTEGER_to_BN\fR\|(3),
\&\fBBN_num_bytes\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The functions \fBBN_signed_bin2bn()\fR, \fBBN_signed_bn2bin()\fR, \fBBN_signed_lebin2bn()\fR,
+\&\fBBN_signed_bn2lebin()\fR, \fBBN_signed_native2bn()\fR, \fBBN_signed_bn2native()\fR
+were added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_cmp.3 b/secure/lib/libcrypto/man/man3/BN_cmp.3
index 1c459f02eaf8..c6208e6f0c71 100644
--- a/secure/lib/libcrypto/man/man3/BN_cmp.3
+++ b/secure/lib/libcrypto/man/man3/BN_cmp.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_CMP 3ossl"
-.TH BN_CMP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_CMP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd \- BIGNUM comparison and test functions
-.SH "SYNOPSIS"
+.SH NAME
+BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd, BN_are_coprime
+\&\- BIGNUM comparison and test functions
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -151,8 +76,10 @@ BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd \-
\& int BN_is_word(const BIGNUM *a, const BN_ULONG w);
\& int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w);
\& int BN_is_odd(const BIGNUM *a);
+\&
+\& int BN_are_coprime(BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_cmp()\fR compares the numbers \fIa\fR and \fIb\fR. \fBBN_ucmp()\fR compares their
absolute values.
@@ -160,6 +87,10 @@ absolute values.
\&\fBBN_is_zero()\fR, \fBBN_is_one()\fR, \fBBN_is_word()\fR and \fBBN_abs_is_word()\fR test if
\&\fIa\fR equals 0, 1, \fIw\fR, or |\fIw\fR| respectively.
\&\fBBN_is_odd()\fR tests if \fIa\fR is odd.
+.PP
+\&\fBBN_are_coprime()\fR determines if \fBa\fR and \fBb\fR are coprime.
+\&\fBctx\fR is used internally for storing temporary variables.
+The values of \fBa\fR and \fBb\fR and \fBctx\fR must not be NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_cmp()\fR returns \-1 if \fIa\fR < \fIb\fR, 0 if \fIa\fR == \fIb\fR and 1 if
@@ -168,15 +99,20 @@ of \fIa\fR and \fIb\fR.
.PP
\&\fBBN_is_zero()\fR, \fBBN_is_one()\fR \fBBN_is_word()\fR, \fBBN_abs_is_word()\fR and
\&\fBBN_is_odd()\fR return 1 if the condition is true, 0 otherwise.
-.SH "HISTORY"
+.PP
+\&\fBBN_are_coprime()\fR returns 1 if the \fBBIGNUM\fR's are coprime, otherwise it
+returns 0.
+.SH HISTORY
.IX Header "HISTORY"
Prior to OpenSSL 1.1.0, \fBBN_is_zero()\fR, \fBBN_is_one()\fR, \fBBN_is_word()\fR,
\&\fBBN_abs_is_word()\fR and \fBBN_is_odd()\fR were macros.
-.SH "COPYRIGHT"
+.PP
+The function \fBBN_are_coprime()\fR was added in OpenSSL 3.1.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_copy.3 b/secure/lib/libcrypto/man/man3/BN_copy.3
index 5086bab21cc1..5405642c660a 100644
--- a/secure/lib/libcrypto/man/man3/BN_copy.3
+++ b/secure/lib/libcrypto/man/man3/BN_copy.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_COPY 3ossl"
-.TH BN_COPY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_COPY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_copy, BN_dup, BN_with_flags \- copy BIGNUMs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -149,9 +73,9 @@ BN_copy, BN_dup, BN_with_flags \- copy BIGNUMs
\&
\& void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBN_copy()\fR copies \fBfrom\fR to \fBto\fR. \fBBN_dup()\fR creates a new \fB\s-1BIGNUM\s0\fR
+\&\fBBN_copy()\fR copies \fBfrom\fR to \fBto\fR. \fBBN_dup()\fR creates a new \fBBIGNUM\fR
containing the value \fBfrom\fR.
.PP
BN_with_flags creates a \fBtemporary\fR shallow copy of \fBb\fR in \fBdest\fR. It places
@@ -159,31 +83,31 @@ significant restrictions on the copied data. Applications that do no adhere to
these restrictions may encounter unexpected side effects or crashes. For that
reason use of this function is discouraged. Any flags provided in \fBflags\fR will
be set in \fBdest\fR in addition to any flags already set in \fBb\fR. For example this
-might commonly be used to create a temporary copy of a \s-1BIGNUM\s0 with the
-\&\fB\s-1BN_FLG_CONSTTIME\s0\fR flag set for constant time operations. The temporary copy in
+might commonly be used to create a temporary copy of a BIGNUM with the
+\&\fBBN_FLG_CONSTTIME\fR flag set for constant time operations. The temporary copy in
\&\fBdest\fR will share some internal state with \fBb\fR. For this reason the following
restrictions apply to the use of \fBdest\fR:
-.IP "\(bu" 2
-\&\fBdest\fR should be a newly allocated \s-1BIGNUM\s0 obtained via a call to \fBBN_new()\fR. It
+.IP \(bu 2
+\&\fBdest\fR should be a newly allocated BIGNUM obtained via a call to \fBBN_new()\fR. It
should not have been used for other purposes or initialised in any way.
-.IP "\(bu" 2
-\&\fBdest\fR must only be used in \*(L"read-only\*(R" operations, i.e. typically those
-functions where the relevant parameter is declared \*(L"const\*(R".
-.IP "\(bu" 2
+.IP \(bu 2
+\&\fBdest\fR must only be used in "read-only" operations, i.e. typically those
+functions where the relevant parameter is declared "const".
+.IP \(bu 2
\&\fBdest\fR must be used and freed before any further subsequent use of \fBb\fR
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBN_copy()\fR returns \fBto\fR on success, \s-1NULL\s0 on error. \fBBN_dup()\fR returns
-the new \fB\s-1BIGNUM\s0\fR, and \s-1NULL\s0 on error. The error codes can be obtained
+\&\fBBN_copy()\fR returns \fBto\fR on success, NULL on error. \fBBN_dup()\fR returns
+the new \fBBIGNUM\fR, and NULL on error. The error codes can be obtained
by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_generate_prime.3 b/secure/lib/libcrypto/man/man3/BN_generate_prime.3
index f588873a8ef0..91a9ef3f7773 100644
--- a/secure/lib/libcrypto/man/man3/BN_generate_prime.3
+++ b/secure/lib/libcrypto/man/man3/BN_generate_prime.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_GENERATE_PRIME 3ossl"
-.TH BN_GENERATE_PRIME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_GENERATE_PRIME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_generate_prime_ex2, BN_generate_prime_ex, BN_is_prime_ex, BN_check_prime,
BN_is_prime_fasttest_ex, BN_GENCB_call, BN_GENCB_new, BN_GENCB_free,
BN_GENCB_set_old, BN_GENCB_set, BN_GENCB_get_arg, BN_generate_prime,
BN_is_prime, BN_is_prime_fasttest \- generate primes and test for primality
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -171,7 +95,7 @@ BN_is_prime, BN_is_prime_fasttest \- generate primes and test for primality
.Ve
.PP
The following functions have been deprecated since OpenSSL 0.9.8, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -188,7 +112,7 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -197,11 +121,11 @@ see \fBopenssl_user_macros\fR\|(7):
\& int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
\& int do_trial_division, BN_GENCB *cb);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_generate_prime_ex2()\fR generates a pseudo-random prime number of
-at least bit length \fBbits\fR using the \s-1BN_CTX\s0 provided in \fBctx\fR. The value of
-\&\fBctx\fR must not be \s-1NULL.\s0
+at least bit length \fBbits\fR using the BN_CTX provided in \fBctx\fR. The value of
+\&\fBctx\fR must not be NULL.
.PP
The returned number is probably prime with a negligible error.
The maximum error rate is 2^\-128.
@@ -209,45 +133,45 @@ It's 2^\-287 for a 512 bit prime, 2^\-435 for a 1024 bit prime,
2^\-648 for a 2048 bit prime, and lower than 2^\-882 for primes larger
than 2048 bit.
.PP
-If \fBadd\fR is \fB\s-1NULL\s0\fR the returned prime number will have exact bit
+If \fBadd\fR is \fBNULL\fR the returned prime number will have exact bit
length \fBbits\fR with the top most two bits set.
.PP
-If \fBret\fR is not \fB\s-1NULL\s0\fR, it will be used to store the number.
+If \fBret\fR is not \fBNULL\fR, it will be used to store the number.
.PP
-If \fBcb\fR is not \fB\s-1NULL\s0\fR, it is used as follows:
-.IP "\(bu" 2
+If \fBcb\fR is not \fBNULL\fR, it is used as follows:
+.IP \(bu 2
\&\fBBN_GENCB_call(cb, 0, i)\fR is called after generating the i\-th
potential prime number.
-.IP "\(bu" 2
+.IP \(bu 2
While the number is being tested for primality,
\&\fBBN_GENCB_call(cb, 1, j)\fR is called as described below.
-.IP "\(bu" 2
+.IP \(bu 2
When a prime has been found, \fBBN_GENCB_call(cb, 2, i)\fR is called.
-.IP "\(bu" 2
+.IP \(bu 2
The callers of \fBBN_generate_prime_ex()\fR may call \fBBN_GENCB_call(cb, i, j)\fR with
-other values as described in their respective man pages; see \*(L"\s-1SEE ALSO\*(R"\s0.
+other values as described in their respective man pages; see "SEE ALSO".
.PP
The prime may have to fulfill additional requirements for use in
Diffie-Hellman key exchange:
.PP
-If \fBadd\fR is not \fB\s-1NULL\s0\fR, the prime will fulfill the condition p % \fBadd\fR
-== \fBrem\fR (p % \fBadd\fR == 1 if \fBrem\fR == \fB\s-1NULL\s0\fR) in order to suit a given
+If \fBadd\fR is not \fBNULL\fR, the prime will fulfill the condition p % \fBadd\fR
+== \fBrem\fR (p % \fBadd\fR == 1 if \fBrem\fR == \fBNULL\fR) in order to suit a given
generator.
.PP
If \fBsafe\fR is true, it will be a safe prime (i.e. a prime p so
-that (p\-1)/2 is also prime). If \fBsafe\fR is true, and \fBrem\fR == \fB\s-1NULL\s0\fR
+that (p\-1)/2 is also prime). If \fBsafe\fR is true, and \fBrem\fR == \fBNULL\fR
the condition will be p % \fBadd\fR == 3.
It is recommended that \fBadd\fR is a multiple of 4.
.PP
The random generator must be seeded prior to calling \fBBN_generate_prime_ex()\fR.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
-The random number generator configured for the \s-1OSSL_LIB_CTX\s0 associated with
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
+The random number generator configured for the OSSL_LIB_CTX associated with
\&\fBctx\fR will be used.
.PP
\&\fBBN_generate_prime_ex()\fR is the same as \fBBN_generate_prime_ex2()\fR except that no
\&\fBctx\fR parameter is passed.
-In this case the random number generator associated with the default \s-1OSSL_LIB_CTX\s0
+In this case the random number generator associated with the default OSSL_LIB_CTX
will be used.
.PP
\&\fBBN_check_prime()\fR, \fBBN_is_prime_ex()\fR, \fBBN_is_prime_fasttest_ex()\fR, \fBBN_is_prime()\fR
@@ -277,29 +201,30 @@ and \fBBN_is_prime_fasttest()\fR are deprecated.
\&\fBBN_is_prime_fasttest_ex()\fR and \fBBN_is_prime_ex()\fR respectively, but with the old
style call back.
.PP
-\&\fBctx\fR is a preallocated \fB\s-1BN_CTX\s0\fR (to save the overhead of allocating and
-freeing the structure in a loop), or \fB\s-1NULL\s0\fR.
+\&\fBctx\fR is a preallocated \fBBN_CTX\fR (to save the overhead of allocating and
+freeing the structure in a loop), or \fBNULL\fR.
.PP
If the trial division is done, and no divisors are found and \fBcb\fR
-is not \fB\s-1NULL\s0\fR, \fBBN_GENCB_call(cb, 1, \-1)\fR is called.
+is not \fBNULL\fR, \fBBN_GENCB_call(cb, 1, \-1)\fR is called.
.PP
After each round of the Miller-Rabin probabilistic primality test,
-if \fBcb\fR is not \fB\s-1NULL\s0\fR, \fBBN_GENCB_call(cb, 1, j)\fR is called
+if \fBcb\fR is not \fBNULL\fR, \fBBN_GENCB_call(cb, 1, j)\fR is called
with \fBj\fR the iteration (j = 0, 1, ...).
.PP
-\&\fBBN_GENCB_call()\fR calls the callback function held in the \fB\s-1BN_GENCB\s0\fR structure
+\&\fBBN_GENCB_call()\fR calls the callback function held in the \fBBN_GENCB\fR structure
and passes the ints \fBa\fR and \fBb\fR as arguments. There are two types of
-\&\fB\s-1BN_GENCB\s0\fR structure that are supported: \*(L"new\*(R" style and \*(L"old\*(R" style. New
-programs should prefer the \*(L"new\*(R" style, whilst the \*(L"old\*(R" style is provided
+\&\fBBN_GENCB\fR structure that are supported: "new" style and "old" style. New
+programs should prefer the "new" style, whilst the "old" style is provided
for backwards compatibility purposes.
.PP
-A \fB\s-1BN_GENCB\s0\fR structure should be created through a call to \fBBN_GENCB_new()\fR,
-and freed through a call to \fBBN_GENCB_free()\fR.
+A \fBBN_GENCB\fR structure should be created through a call to \fBBN_GENCB_new()\fR,
+and freed through a call to \fBBN_GENCB_free()\fR. If the argument is NULL,
+nothing is done.
.PP
-For \*(L"new\*(R" style callbacks a \s-1BN_GENCB\s0 structure should be initialised with a
-call to \fBBN_GENCB_set()\fR, where \fBgencb\fR is a \fB\s-1BN_GENCB\s0 *\fR, \fBcallback\fR is of
-type \fBint (*callback)(int, int, \s-1BN_GENCB\s0 *)\fR and \fBcb_arg\fR is a \fBvoid *\fR.
-\&\*(L"Old\*(R" style callbacks are the same except they are initialised with a call
+For "new" style callbacks a BN_GENCB structure should be initialised with a
+call to \fBBN_GENCB_set()\fR, where \fBgencb\fR is a \fBBN_GENCB *\fR, \fBcallback\fR is of
+type \fBint (*callback)(int, int, BN_GENCB *)\fR and \fBcb_arg\fR is a \fBvoid *\fR.
+"Old" style callbacks are the same except they are initialised with a call
to \fBBN_GENCB_set_old()\fR and \fBcallback\fR is of type
\&\fBvoid (*callback)(int, int, void *)\fR.
.PP
@@ -307,7 +232,7 @@ A callback is invoked through a call to \fBBN_GENCB_call\fR. This will check
the type of the callback and will invoke \fBcallback(a, b, gencb)\fR for new
style callbacks or \fBcallback(a, b, cb_arg)\fR for old style.
.PP
-It is possible to obtain the argument associated with a \s-1BN_GENCB\s0 structure
+It is possible to obtain the argument associated with a BN_GENCB structure
(set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg.
.PP
\&\fBBN_generate_prime()\fR (deprecated) works in the same way as
@@ -325,12 +250,12 @@ can similarly be compared to \fBBN_is_prime_ex()\fR and
1 if it is prime with an error probability of less than 0.25^\fBnchecks\fR, and
\&\-1 on error.
.PP
-\&\fBBN_generate_prime()\fR returns the prime number on success, \fB\s-1NULL\s0\fR otherwise.
+\&\fBBN_generate_prime()\fR returns the prime number on success, \fBNULL\fR otherwise.
.PP
-BN_GENCB_new returns a pointer to a \s-1BN_GENCB\s0 structure on success, or \fB\s-1NULL\s0\fR
+BN_GENCB_new returns a pointer to a BN_GENCB structure on success, or \fBNULL\fR
otherwise.
.PP
-BN_GENCB_get_arg returns the argument previously associated with a \s-1BN_GENCB\s0
+BN_GENCB_get_arg returns the argument previously associated with a BN_GENCB
structure.
.PP
Callback functions should return 1 on success or 0 on error.
@@ -338,14 +263,14 @@ Callback functions should return 1 on success or 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "REMOVED FUNCTIONALITY"
.IX Header "REMOVED FUNCTIONALITY"
-As of OpenSSL 1.1.0 it is no longer possible to create a \s-1BN_GENCB\s0 structure
+As of OpenSSL 1.1.0 it is no longer possible to create a BN_GENCB structure
directly, as in:
.PP
.Vb 1
\& BN_GENCB callback;
.Ve
.PP
-Instead applications should create a \s-1BN_GENCB\s0 structure using BN_GENCB_new:
+Instead applications should create a BN_GENCB structure using BN_GENCB_new:
.PP
.Vb 6
\& BN_GENCB *callback;
@@ -359,8 +284,8 @@ Instead applications should create a \s-1BN_GENCB\s0 structure using BN_GENCB_ne
.IX Header "SEE ALSO"
\&\fBDH_generate_parameters\fR\|(3), \fBDSA_generate_parameters\fR\|(3),
\&\fBRSA_generate_key\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
The \fBBN_is_prime_ex()\fR and \fBBN_is_prime_fasttest_ex()\fR functions were
deprecated in OpenSSL 3.0.
@@ -369,11 +294,11 @@ The \fBBN_GENCB_new()\fR, \fBBN_GENCB_free()\fR,
and \fBBN_GENCB_get_arg()\fR functions were added in OpenSSL 1.1.0.
.PP
\&\fBBN_check_prime()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3 b/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3
index ed1f627468fe..0dbb0e149a01 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_exp_mont.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_EXP_MONT 3ossl"
-.TH BN_MOD_EXP_MONT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_MOD_EXP_MONT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_mod_exp_mont, BN_mod_exp_mont_consttime, BN_mod_exp_mont_consttime_x2 \-
Montgomery exponentiation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -158,11 +82,11 @@ Montgomery exponentiation
\& const BIGNUM *m2, BN_MONT_CTX *in_mont2,
\& BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_mod_exp_mont()\fR computes \fIa\fR to the \fIp\fR\-th power modulo \fIm\fR (\f(CW\*(C`rr=a^p % m\*(C'\fR)
using Montgomery multiplication. \fIin_mont\fR is a Montgomery context and can be
-\&\s-1NULL.\s0 In the case \fIin_mont\fR is \s-1NULL,\s0 it will be initialized within the
+NULL. In the case \fIin_mont\fR is NULL, it will be initialized within the
function, so you can save time on initialization if you provide it in advance.
.PP
\&\fBBN_mod_exp_mont_consttime()\fR computes \fIa\fR to the \fIp\fR\-th power modulo \fIm\fR
@@ -170,7 +94,7 @@ function, so you can save time on initialization if you provide it in advance.
\&\fBBN_mod_exp_mont\fR\|(3) that uses fixed windows and the special precomputation
memory layout to limit data-dependency to a minimum to protect secret exponents.
It is called automatically when \fBBN_mod_exp_mont\fR\|(3) is called with parameters
-\&\fIa\fR, \fIp\fR, \fIm\fR, any of which have \fB\s-1BN_FLG_CONSTTIME\s0\fR flag.
+\&\fIa\fR, \fIp\fR, \fIm\fR, any of which have \fBBN_FLG_CONSTTIME\fR flag.
.PP
\&\fBBN_mod_exp_mont_consttime_x2()\fR computes two independent exponentiations \fIa1\fR to
the \fIp1\fR\-th power modulo \fIm1\fR (\f(CW\*(C`rr1=a1^p1 % m1\*(C'\fR) and \fIa2\fR to the \fIp2\fR\-th
@@ -185,11 +109,11 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_mod_exp_mont\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3
index 6a73b65ea19c..50234c619b00 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_INVERSE 3ossl"
-.TH BN_MOD_INVERSE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_MOD_INVERSE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_mod_inverse \- compute inverse modulo n
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -146,26 +70,29 @@ BN_mod_inverse \- compute inverse modulo n
\& BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
\& BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_mod_inverse()\fR computes the inverse of \fBa\fR modulo \fBn\fR
-places the result in \fBr\fR (\f(CW\*(C`(a*r)%n==1\*(C'\fR). If \fBr\fR is \s-1NULL,\s0
-a new \fB\s-1BIGNUM\s0\fR is created.
+places the result in \fBr\fR (\f(CW\*(C`(a*r)%n==1\*(C'\fR). If \fBr\fR is NULL,
+a new \fBBIGNUM\fR is created.
.PP
-\&\fBctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for temporary
-variables. \fBr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fBa\fR or \fBn\fR.
+\&\fBctx\fR is a previously allocated \fBBN_CTX\fR used for temporary
+variables. \fBr\fR may be the same \fBBIGNUM\fR as \fBa\fR.
+.SH NOTES
+.IX Header "NOTES"
+It is an error to use the same \fBBIGNUM\fR as \fBn\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBN_mod_inverse()\fR returns the \fB\s-1BIGNUM\s0\fR containing the inverse, and
-\&\s-1NULL\s0 on error. The error codes can be obtained by \fBERR_get_error\fR\|(3).
+\&\fBBN_mod_inverse()\fR returns the \fBBIGNUM\fR containing the inverse, and
+NULL on error. The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3
index 344d4170a296..a4562c1d3324 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_MUL_MONTGOMERY 3ossl"
-.TH BN_MOD_MUL_MONTGOMERY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_MOD_MUL_MONTGOMERY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_mod_mul_montgomery, BN_MONT_CTX_new,
BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy,
BN_from_montgomery, BN_to_montgomery \- Montgomery multiplication
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -160,23 +84,23 @@ BN_from_montgomery, BN_to_montgomery \- Montgomery multiplication
\& int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
\& BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions implement Montgomery multiplication. They are used
automatically when \fBBN_mod_exp\fR\|(3) is called with suitable input,
but they may be useful when several operations are to be performed
using the same modulus.
.PP
-\&\fBBN_MONT_CTX_new()\fR allocates and initializes a \fB\s-1BN_MONT_CTX\s0\fR structure.
+\&\fBBN_MONT_CTX_new()\fR allocates and initializes a \fBBN_MONT_CTX\fR structure.
.PP
\&\fBBN_MONT_CTX_set()\fR sets up the \fImont\fR structure from the modulus \fIm\fR
by precomputing its inverse and a value R.
.PP
-\&\fBBN_MONT_CTX_copy()\fR copies the \fB\s-1BN_MONT_CTX\s0\fR \fIfrom\fR to \fIto\fR.
+\&\fBBN_MONT_CTX_copy()\fR copies the \fBBN_MONT_CTX\fR \fIfrom\fR to \fIto\fR.
.PP
-\&\fBBN_MONT_CTX_free()\fR frees the components of the \fB\s-1BN_MONT_CTX\s0\fR, and, if
+\&\fBBN_MONT_CTX_free()\fR frees the components of the \fBBN_MONT_CTX\fR, and, if
it was created by \fBBN_MONT_CTX_new()\fR, also the structure itself.
-If \fBmont\fR is \s-1NULL,\s0 nothing is done.
+If \fBmont\fR is NULL, nothing is done.
.PP
\&\fBBN_mod_mul_montgomery()\fR computes Mont(\fIa\fR,\fIb\fR):=\fIa\fR*\fIb\fR*R^\-1 and places
the result in \fIr\fR.
@@ -186,18 +110,18 @@ the result in \fIr\fR.
\&\fBBN_to_montgomery()\fR computes Mont(\fIa\fR,R^2), i.e. \fIa\fR*R.
Note that \fIa\fR must be nonnegative and smaller than the modulus.
.PP
-For all functions, \fIctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for
+For all functions, \fIctx\fR is a previously allocated \fBBN_CTX\fR used for
temporary variables.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBN_MONT_CTX_new()\fR returns the newly allocated \fB\s-1BN_MONT_CTX\s0\fR, and \s-1NULL\s0
+\&\fBBN_MONT_CTX_new()\fR returns the newly allocated \fBBN_MONT_CTX\fR, and NULL
on error.
.PP
\&\fBBN_MONT_CTX_free()\fR has no return value.
.PP
For the other functions, 1 is returned for success, 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
The inputs must be reduced modulo \fBm\fR, otherwise the result will be
outside the expected range.
@@ -205,14 +129,14 @@ outside the expected range.
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3),
\&\fBBN_CTX_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBN_MONT_CTX_init()\fR was removed in OpenSSL 1.1.0
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3
index 11a11444e05b..152225145995 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_MUL_RECIPROCAL 3ossl"
-.TH BN_MOD_MUL_RECIPROCAL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_MOD_MUL_RECIPROCAL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_mod_mul_reciprocal, BN_div_recp, BN_RECP_CTX_new,
BN_RECP_CTX_free, BN_RECP_CTX_set \- modular multiplication using
reciprocal
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -156,19 +80,19 @@ reciprocal
\& int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
\& BN_RECP_CTX *recp, BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_mod_mul_reciprocal()\fR can be used to perform an efficient
\&\fBBN_mod_mul\fR\|(3) operation when the operation will be performed
repeatedly with the same modulus. It computes \fBr\fR=(\fBa\fR*\fBb\fR)%\fBm\fR
using \fBrecp\fR=1/\fBm\fR, which is set as described below. \fBctx\fR is a
-previously allocated \fB\s-1BN_CTX\s0\fR used for temporary variables.
+previously allocated \fBBN_CTX\fR used for temporary variables.
.PP
-\&\fBBN_RECP_CTX_new()\fR allocates and initializes a \fB\s-1BN_RECP\s0\fR structure.
+\&\fBBN_RECP_CTX_new()\fR allocates and initializes a \fBBN_RECP\fR structure.
.PP
-\&\fBBN_RECP_CTX_free()\fR frees the components of the \fB\s-1BN_RECP\s0\fR, and, if it
+\&\fBBN_RECP_CTX_free()\fR frees the components of the \fBBN_RECP\fR, and, if it
was created by \fBBN_RECP_CTX_new()\fR, also the structure itself.
-If \fBrecp\fR is \s-1NULL,\s0 nothing is done.
+If \fBrecp\fR is NULL, nothing is done.
.PP
\&\fBBN_RECP_CTX_set()\fR stores \fBm\fR in \fBrecp\fR and sets it up for computing
1/\fBm\fR and shifting it left by BN_num_bits(\fBm\fR)+1 to make it an
@@ -178,10 +102,10 @@ later be stored in \fBrecp\fR.
\&\fBBN_div_recp()\fR divides \fBa\fR by \fBm\fR using \fBrecp\fR. It places the quotient
in \fBdv\fR and the remainder in \fBrem\fR.
.PP
-The \fB\s-1BN_RECP_CTX\s0\fR structure cannot be shared between threads.
+The \fBBN_RECP_CTX\fR structure cannot be shared between threads.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBN_RECP_CTX_new()\fR returns the newly allocated \fB\s-1BN_RECP_CTX\s0\fR, and \s-1NULL\s0
+\&\fBBN_RECP_CTX_new()\fR returns the newly allocated \fBBN_RECP_CTX\fR, and NULL
on error.
.PP
\&\fBBN_RECP_CTX_free()\fR has no return value.
@@ -192,14 +116,14 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3),
\&\fBBN_CTX_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBN_RECP_CTX_init()\fR was removed in OpenSSL 1.1.0
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_new.3 b/secure/lib/libcrypto/man/man3/BN_new.3
index e9a51dd7de76..1894a33ced31 100644
--- a/secure/lib/libcrypto/man/man3/BN_new.3
+++ b/secure/lib/libcrypto/man/man3/BN_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_NEW 3ossl"
-.TH BN_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_new, BN_secure_new, BN_clear, BN_free, BN_clear_free \- allocate and free BIGNUMs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -153,41 +77,41 @@ BN_new, BN_secure_new, BN_clear, BN_free, BN_clear_free \- allocate and free BIG
\&
\& void BN_clear_free(BIGNUM *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBN_new()\fR allocates and initializes a \fB\s-1BIGNUM\s0\fR structure.
+\&\fBBN_new()\fR allocates and initializes a \fBBIGNUM\fR structure.
\&\fBBN_secure_new()\fR does the same except that the secure heap
\&\fBOPENSSL_secure_malloc\fR\|(3) is used to store the value.
.PP
\&\fBBN_clear()\fR is used to destroy sensitive data such as keys when they
are no longer needed. It erases the memory used by \fBa\fR and sets it
to the value 0.
-If \fBa\fR is \s-1NULL,\s0 nothing is done.
+If \fBa\fR is NULL, nothing is done.
.PP
-\&\fBBN_free()\fR frees the components of the \fB\s-1BIGNUM\s0\fR, and if it was created
+\&\fBBN_free()\fR frees the components of the \fBBIGNUM\fR, and if it was created
by \fBBN_new()\fR, also the structure itself. \fBBN_clear_free()\fR additionally
overwrites the data before the memory is returned to the system.
-If \fBa\fR is \s-1NULL,\s0 nothing is done.
+If \fBa\fR is NULL, nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_new()\fR and \fBBN_secure_new()\fR
-return a pointer to the \fB\s-1BIGNUM\s0\fR initialised to the value 0.
+return a pointer to the \fBBIGNUM\fR initialised to the value 0.
If the allocation fails,
-they return \fB\s-1NULL\s0\fR and set an error code that can be obtained
+they return \fBNULL\fR and set an error code that can be obtained
by \fBERR_get_error\fR\|(3).
.PP
\&\fBBN_clear()\fR, \fBBN_free()\fR and \fBBN_clear_free()\fR have no return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBOPENSSL_secure_malloc\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBBN_init()\fR was removed in OpenSSL 1.1.0; use \fBBN_new()\fR instead.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_num_bytes.3 b/secure/lib/libcrypto/man/man3/BN_num_bytes.3
index 98b161728160..afceffff6d8a 100644
--- a/secure/lib/libcrypto/man/man3/BN_num_bytes.3
+++ b/secure/lib/libcrypto/man/man3/BN_num_bytes.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_NUM_BYTES 3ossl"
-.TH BN_NUM_BYTES 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_NUM_BYTES 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_num_bits, BN_num_bytes, BN_num_bits_word \- get BIGNUM size
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -149,42 +73,42 @@ BN_num_bits, BN_num_bytes, BN_num_bits_word \- get BIGNUM size
\&
\& int BN_num_bits_word(BN_ULONG w);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBBN_num_bytes()\fR returns the size of a \fB\s-1BIGNUM\s0\fR in bytes.
+\&\fBBN_num_bytes()\fR returns the size of a \fBBIGNUM\fR in bytes.
.PP
\&\fBBN_num_bits_word()\fR returns the number of significant bits in a word.
If we take 0x00000432 as an example, it returns 11, not 16, not 32.
Basically, except for a zero, it returns \fIfloor(log2(w))+1\fR.
.PP
-\&\fBBN_num_bits()\fR returns the number of significant bits in a \fB\s-1BIGNUM\s0\fR,
+\&\fBBN_num_bits()\fR returns the number of significant bits in a \fBBIGNUM\fR,
following the same principle as \fBBN_num_bits_word()\fR.
.PP
\&\fBBN_num_bytes()\fR is a macro.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The size.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Some have tried using \fBBN_num_bits()\fR on individual numbers in \s-1RSA\s0 keys,
-\&\s-1DH\s0 keys and \s-1DSA\s0 keys, and found that they don't always come up with
+Some have tried using \fBBN_num_bits()\fR on individual numbers in RSA keys,
+DH keys and DSA keys, and found that they don't always come up with
the number of bits they expected (something like 512, 1024, 2048,
\&...). This is because generating a number with some specific number
of bits doesn't always set the highest bits, thereby making the number
-of \fIsignificant\fR bits a little lower. If you want to know the \*(L"key
-size\*(R" of such a key, either use functions like \fBRSA_size()\fR, \fBDH_size()\fR
+of \fIsignificant\fR bits a little lower. If you want to know the "key
+size" of such a key, either use functions like \fBRSA_size()\fR, \fBDH_size()\fR
and \fBDSA_size()\fR, or use \fBBN_num_bytes()\fR and multiply with 8 (although
-there's no real guarantee that will match the \*(L"key size\*(R", just a lot
+there's no real guarantee that will match the "key size", just a lot
more probability).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_size\fR\|(3), \fBDSA_size\fR\|(3),
\&\fBRSA_size\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_rand.3 b/secure/lib/libcrypto/man/man3/BN_rand.3
index b93aac8dd3b6..a45caf6c04ed 100644
--- a/secure/lib/libcrypto/man/man3/BN_rand.3
+++ b/secure/lib/libcrypto/man/man3/BN_rand.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_RAND 3ossl"
-.TH BN_RAND 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_RAND 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_rand_ex, BN_rand, BN_priv_rand_ex, BN_priv_rand, BN_pseudo_rand,
BN_rand_range_ex, BN_rand_range, BN_priv_rand_range_ex, BN_priv_rand_range,
BN_pseudo_rand_range
\&\- generate pseudo\-random number
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -164,33 +88,33 @@ BN_pseudo_rand_range
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
\& int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_rand_ex()\fR generates a cryptographically strong pseudo-random
number of \fIbits\fR in length and security strength at least \fIstrength\fR bits
using the random number generator for the library context associated with
\&\fIctx\fR. The function stores the generated data in \fIrnd\fR. The parameter \fIctx\fR
-may be \s-1NULL\s0 in which case the default library context is used.
+may be NULL in which case the default library context is used.
If \fIbits\fR is less than zero, or too small to
accommodate the requirements specified by the \fItop\fR and \fIbottom\fR
parameters, an error is returned.
The \fItop\fR parameters specifies
requirements on the most significant bit of the generated number.
-If it is \fB\s-1BN_RAND_TOP_ANY\s0\fR, there is no constraint.
-If it is \fB\s-1BN_RAND_TOP_ONE\s0\fR, the top bit must be one.
-If it is \fB\s-1BN_RAND_TOP_TWO\s0\fR, the two most significant bits of
+If it is \fBBN_RAND_TOP_ANY\fR, there is no constraint.
+If it is \fBBN_RAND_TOP_ONE\fR, the top bit must be one.
+If it is \fBBN_RAND_TOP_TWO\fR, the two most significant bits of
the number will be set to 1, so that the product of two such random
numbers will always have 2*\fIbits\fR length.
-If \fIbottom\fR is \fB\s-1BN_RAND_BOTTOM_ODD\s0\fR, the number will be odd; if it
-is \fB\s-1BN_RAND_BOTTOM_ANY\s0\fR it can be odd or even.
-If \fIbits\fR is 1 then \fItop\fR cannot also be \fB\s-1BN_RAND_TOP_TWO\s0\fR.
+If \fIbottom\fR is \fBBN_RAND_BOTTOM_ODD\fR, the number will be odd; if it
+is \fBBN_RAND_BOTTOM_ANY\fR it can be odd or even.
+If \fIbits\fR is 1 then \fItop\fR cannot also be \fBBN_RAND_TOP_TWO\fR.
.PP
\&\fBBN_rand()\fR is the same as \fBBN_rand_ex()\fR except that the default library context
is always used.
@@ -199,7 +123,7 @@ is always used.
number \fIrnd\fR, of security strength at least \fIstrength\fR bits,
in the range 0 <= \fIrnd\fR < \fIrange\fR using the random number
generator for the library context associated with \fIctx\fR. The parameter \fIctx\fR
-may be \s-1NULL\s0 in which case the default library context is used.
+may be NULL in which case the default library context is used.
.PP
\&\fBBN_rand_range()\fR is the same as \fBBN_rand_range_ex()\fR except that the default
library context is always used.
@@ -209,10 +133,10 @@ library context is always used.
\&\fBBN_rand_range_ex()\fR and \fBBN_rand_range()\fR respectively. They are intended to be
used for generating values that should remain private, and mirror the
same difference between \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Always check the error return value of these functions and do not take
-randomness for granted: an error occurs if the \s-1CSPRNG\s0 has not been
+randomness for granted: an error occurs if the CSPRNG has not been
seeded with enough randomness to ensure an unpredictable byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -224,27 +148,27 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_priv_bytes\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7),
-\&\s-1\fBEVP_RAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7),
+\&\fBEVP_RAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
-.IP "\(bu" 2
+.IP \(bu 2
Starting with OpenSSL release 1.1.0, \fBBN_pseudo_rand()\fR has been identical
to \fBBN_rand()\fR and \fBBN_pseudo_rand_range()\fR has been identical to
\&\fBBN_rand_range()\fR.
The \fBBN_pseudo_rand()\fR and \fBBN_pseudo_rand_range()\fR functions were
deprecated in OpenSSL 3.0.
-.IP "\(bu" 2
+.IP \(bu 2
The \fBBN_priv_rand()\fR and \fBBN_priv_rand_range()\fR functions were added in
OpenSSL 1.1.1.
-.IP "\(bu" 2
+.IP \(bu 2
The \fBBN_rand_ex()\fR, \fBBN_priv_rand_ex()\fR, \fBBN_rand_range_ex()\fR and
\&\fBBN_priv_rand_range_ex()\fR functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_security_bits.3 b/secure/lib/libcrypto/man/man3/BN_security_bits.3
index 2136603cc338..c5f29935b161 100644
--- a/secure/lib/libcrypto/man/man3/BN_security_bits.3
+++ b/secure/lib/libcrypto/man/man3/BN_security_bits.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,112 +52,52 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_SECURITY_BITS 3ossl"
-.TH BN_SECURITY_BITS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_SECURITY_BITS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_security_bits \- returns bits of security based on given numbers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_security_bits(int L, int N);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_security_bits()\fR returns the number of bits of security provided by a
specific algorithm and a particular key size. The bits of security is
-defined in \s-1NIST SP800\-57.\s0 Currently, \fBBN_security_bits()\fR support two types
-of asymmetric algorithms: the \s-1FFC\s0 (Finite Field Cryptography) and \s-1IFC\s0
-(Integer Factorization Cryptography). For \s-1FFC,\s0 e.g., \s-1DSA\s0 and \s-1DH,\s0 both
+defined in NIST SP800\-57. Currently, \fBBN_security_bits()\fR support two types
+of asymmetric algorithms: the FFC (Finite Field Cryptography) and IFC
+(Integer Factorization Cryptography). For FFC, e.g., DSA and DH, both
parameters \fBL\fR and \fBN\fR are used to decide the bits of security, where
\&\fBL\fR is the size of the public key and \fBN\fR is the size of the private
-key. For \s-1IFC,\s0 e.g., \s-1RSA,\s0 only \fBL\fR is used and it's commonly considered
+key. For IFC, e.g., RSA, only \fBL\fR is used and it's commonly considered
to be the key size (modulus).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Number of security bits.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1ECC\s0 (Elliptic Curve Cryptography) is not covered by the \fBBN_security_bits()\fR
+ECC (Elliptic Curve Cryptography) is not covered by the \fBBN_security_bits()\fR
function. The symmetric algorithms are not covered neither.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_security_bits\fR\|(3), \fBDSA_security_bits\fR\|(3), \fBRSA_security_bits\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBBN_security_bits()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_set_bit.3 b/secure/lib/libcrypto/man/man3/BN_set_bit.3
index 7f9ae3bc3749..f651964f527c 100644
--- a/secure/lib/libcrypto/man/man3/BN_set_bit.3
+++ b/secure/lib/libcrypto/man/man3/BN_set_bit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_SET_BIT 3ossl"
-.TH BN_SET_BIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_SET_BIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift,
BN_lshift1, BN_rshift, BN_rshift1 \- bit operations on BIGNUMs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -157,7 +81,7 @@ BN_lshift1, BN_rshift, BN_rshift1 \- bit operations on BIGNUMs
\& int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
\& int BN_rshift1(BIGNUM *r, BIGNUM *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_set_bit()\fR sets bit \fBn\fR in \fBa\fR to 1 (\f(CW\*(C`a|=(1<<n)\*(C'\fR). The
number is expanded if necessary.
@@ -168,8 +92,11 @@ error occurs if \fBa\fR is shorter than \fBn\fR bits.
\&\fBBN_is_bit_set()\fR tests if bit \fBn\fR in \fBa\fR is set.
.PP
\&\fBBN_mask_bits()\fR truncates \fBa\fR to an \fBn\fR bit number
-(\f(CW\*(C`a&=~((~0)<<n)\*(C'\fR). An error occurs if \fBa\fR already is
-shorter than \fBn\fR bits.
+(\f(CW\*(C`a&=~((~0)<<n)\*(C'\fR). An error occurs if \fBn\fR is negative. An error is
+also returned if the internal representation of \fBa\fR is already shorter than
+\&\fBn\fR bits. The internal representation depends on the platform's word size, and
+this error can be safely ignored. Use \fBBN_num_bits\fR\|(3) to determine the exact
+number of bits if needed.
.PP
\&\fBBN_lshift()\fR shifts \fBa\fR left by \fBn\fR bits and places the result in
\&\fBr\fR (\f(CW\*(C`r=a*2^n\*(C'\fR). Note that \fBn\fR must be nonnegative. \fBBN_lshift1()\fR shifts
@@ -189,11 +116,11 @@ can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_num_bytes\fR\|(3), \fBBN_add\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_swap.3 b/secure/lib/libcrypto/man/man3/BN_swap.3
index cbd80ec306db..48c61762b681 100644
--- a/secure/lib/libcrypto/man/man3/BN_swap.3
+++ b/secure/lib/libcrypto/man/man3/BN_swap.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,94 +52,34 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_SWAP 3ossl"
-.TH BN_SWAP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_SWAP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_swap \- exchange BIGNUMs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& void BN_swap(BIGNUM *a, BIGNUM *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBBN_swap()\fR exchanges the values of \fIa\fR and \fIb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_swap()\fR does not return a value.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_zero.3 b/secure/lib/libcrypto/man/man3/BN_zero.3
index d91cf6cc8a8c..fc958ec3246a 100644
--- a/secure/lib/libcrypto/man/man3/BN_zero.3
+++ b/secure/lib/libcrypto/man/man3/BN_zero.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_ZERO 3ossl"
-.TH BN_ZERO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BN_ZERO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BN_zero, BN_one, BN_value_one, BN_set_word, BN_get_word \- BIGNUM assignment
operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
@@ -152,18 +76,18 @@ operations
\& int BN_set_word(BIGNUM *a, BN_ULONG w);
\& unsigned BN_ULONG BN_get_word(BIGNUM *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1BN_ULONG\s0\fR is a macro that will be an unsigned integral type optimized
+\&\fBBN_ULONG\fR is a macro that will be an unsigned integral type optimized
for the most efficient implementation on the local platform.
.PP
\&\fBBN_zero()\fR, \fBBN_one()\fR and \fBBN_set_word()\fR set \fBa\fR to the values 0, 1 and
\&\fBw\fR respectively. \fBBN_zero()\fR and \fBBN_one()\fR are macros.
.PP
-\&\fBBN_value_one()\fR returns a \fB\s-1BIGNUM\s0\fR constant of value 1. This constant
+\&\fBBN_value_one()\fR returns a \fBBIGNUM\fR constant of value 1. This constant
is useful for use in comparisons and assignment.
.PP
-\&\fBBN_get_word()\fR returns \fBa\fR, if it can be represented as a \fB\s-1BN_ULONG\s0\fR.
+\&\fBBN_get_word()\fR returns \fBa\fR, if it can be represented as a \fBBN_ULONG\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_get_word()\fR returns the value \fBa\fR, or all-bits-set if \fBa\fR cannot
@@ -172,25 +96,25 @@ be represented as a single integer.
\&\fBBN_one()\fR and \fBBN_set_word()\fR return 1 on success, 0 otherwise.
\&\fBBN_value_one()\fR returns the constant.
\&\fBBN_zero()\fR never fails and returns no value.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-If a \fB\s-1BIGNUM\s0\fR is equal to the value of all-bits-set, it will collide
+If a \fBBIGNUM\fR is equal to the value of all-bits-set, it will collide
with the error condition returned by \fBBN_get_word()\fR which uses that
as an error value.
.PP
-\&\fB\s-1BN_ULONG\s0\fR should probably be a typedef.
+\&\fBBN_ULONG\fR should probably be a typedef.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_bn2bin\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
In OpenSSL 0.9.8, \fBBN_zero()\fR was changed to not return a value; previous
versions returned an int.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3
index 012c0ccaafd8..cf7f4d232ef9 100644
--- a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3
+++ b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BUF_MEM_NEW 3ossl"
-.TH BUF_MEM_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BUF_MEM_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow,
BUF_MEM_grow_clean, BUF_reverse
\&\- simple character array structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/buffer.h>
@@ -156,7 +80,7 @@ BUF_MEM_grow_clean, BUF_reverse
\&
\& void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The buffer library handles simple character arrays. Buffers are used for
various purposes in the library, most notably memory BIOs.
@@ -164,11 +88,12 @@ various purposes in the library, most notably memory BIOs.
\&\fBBUF_MEM_new()\fR allocates a new buffer of zero size.
.PP
\&\fBBUF_MEM_new_ex()\fR allocates a buffer with the specified flags.
-The flag \fB\s-1BUF_MEM_FLAG_SECURE\s0\fR specifies that the \fBdata\fR pointer
+The flag \fBBUF_MEM_FLAG_SECURE\fR specifies that the \fBdata\fR pointer
should be allocated on the secure heap; see \fBCRYPTO_secure_malloc\fR\|(3).
.PP
\&\fBBUF_MEM_free()\fR frees up an already existing buffer. The data is zeroed
before freeing up in case the buffer contains sensitive data.
+If the argument is NULL, nothing is done.
.PP
\&\fBBUF_MEM_grow()\fR changes the size of an already existing buffer to
\&\fBlen\fR. Any data already in the buffer is preserved if it increases in
@@ -178,10 +103,10 @@ size.
or additionally-allocated memory to zero.
.PP
\&\fBBUF_reverse()\fR reverses \fBsize\fR bytes at \fBin\fR into \fBout\fR. If \fBin\fR
-is \s-1NULL,\s0 the array is reversed in-place.
+is NULL, the array is reversed in-place.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBBUF_MEM_new()\fR returns the buffer or \s-1NULL\s0 on error.
+\&\fBBUF_MEM_new()\fR returns the buffer or NULL on error.
.PP
\&\fBBUF_MEM_free()\fR has no return value.
.PP
@@ -191,14 +116,14 @@ zero on error or the new size (i.e., \fBlen\fR).
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7),
\&\fBCRYPTO_secure_malloc\fR\|(3).
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBBUF_MEM_new_ex()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMAC_CTX.3 b/secure/lib/libcrypto/man/man3/CMAC_CTX.3
new file mode 100644
index 000000000000..ebfa966a449d
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/CMAC_CTX.3
@@ -0,0 +1,168 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "CMAC_CTX 3ossl"
+.TH CMAC_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+CMAC_CTX, CMAC_CTX_new, CMAC_CTX_cleanup, CMAC_CTX_free,
+CMAC_CTX_get0_cipher_ctx, CMAC_CTX_copy, CMAC_Init, CMAC_Update, CMAC_Final,
+CMAC_resume
+\&\- create cipher\-based message authentication codes
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/cmac.h>
+.Ve
+.PP
+The following functions have been deprecated since OpenSSL 3.0, and can be
+disabled entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version
+value, see \fBopenssl_user_macros\fR\|(7).
+.PP
+.Vb 1
+\& typedef struct CMAC_CTX_st CMAC_CTX;
+\&
+\& CMAC_CTX *CMAC_CTX_new(void);
+\& void CMAC_CTX_cleanup(CMAC_CTX *ctx);
+\& void CMAC_CTX_free(CMAC_CTX *ctx);
+\& EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx);
+\& int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in);
+\& int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
+\& const EVP_CIPHER *cipher, ENGINE *impl);
+\& int CMAC_Update(CMAC_CTX *ctx, const void *data, size_t dlen);
+\& int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen);
+\& int CMAC_resume(CMAC_CTX *ctx);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The low-level MAC functions documented on this page are deprecated.
+Applications should use the new \fBEVP_MAC\fR\|(3) interface.
+Specifically, utilize the following functions for MAC operations:
+.IP "\fBEVP_MAC_CTX_new\fR\|(3) to create a new MAC context." 4
+.IX Item "EVP_MAC_CTX_new to create a new MAC context."
+.PD 0
+.IP "\fBEVP_MAC_CTX_free\fR\|(3) to free the MAC context." 4
+.IX Item "EVP_MAC_CTX_free to free the MAC context."
+.IP "\fBEVP_MAC_init\fR\|(3) to initialize the MAC context." 4
+.IX Item "EVP_MAC_init to initialize the MAC context."
+.IP "\fBEVP_MAC_update\fR\|(3) to update the MAC with data." 4
+.IX Item "EVP_MAC_update to update the MAC with data."
+.IP "\fBEVP_MAC_final\fR\|(3) to finalize the MAC and retrieve the output." 4
+.IX Item "EVP_MAC_final to finalize the MAC and retrieve the output."
+.PD
+.PP
+Alternatively, for a single-step MAC computation, use the \fBEVP_Q_mac\fR\|(3)
+function.
+.PP
+The \fBCMAC_CTX\fR type is a structure used for the provision of CMAC
+(Cipher-based Message Authentication Code) operations.
+.PP
+\&\fBCMAC_CTX_new()\fR creates a new \fBCMAC_CTX\fR structure and returns a pointer to it.
+.PP
+\&\fBCMAC_CTX_cleanup()\fR resets the \fBCMAC_CTX\fR structure, clearing any internal data
+but not freeing the structure itself.
+.PP
+\&\fBCMAC_CTX_free()\fR frees the \fBCMAC_CTX\fR structure and any associated resources.
+If the argument is NULL, no action is taken.
+.PP
+\&\fBCMAC_CTX_get0_cipher_ctx()\fR returns a pointer to the internal \fBEVP_CIPHER_CTX\fR
+structure within the \fBCMAC_CTX\fR.
+.PP
+\&\fBCMAC_CTX_copy()\fR copies the state from one \fBCMAC_CTX\fR structure to another.
+.PP
+\&\fBCMAC_Init()\fR initializes the \fBCMAC_CTX\fR structure for a new CMAC calculation
+with the specified key, key length, and cipher type.
+Optionally, an \fBENGINE\fR can be provided.
+.PP
+\&\fBCMAC_Update()\fR processes data to be included in the CMAC calculation.
+This function can be called multiple times to update the context with
+additional data.
+.PP
+\&\fBCMAC_Final()\fR finalizes the CMAC calculation and retrieves the resulting
+MAC value. The output is stored in the provided buffer, and the length is
+stored in the variable pointed to by \fIpoutlen\fR. To determine the required
+buffer size, call with \fIout\fR set to NULL, which stores only the length in
+\&\fIpoutlen\fR. Allocate a buffer of this size and call \fBCMAC_Final()\fR again with
+the allocated buffer to retrieve the MAC.
+.PP
+\&\fBCMAC_resume()\fR resumes a previously finalized CMAC calculation, allowing
+additional data to be processed and a new MAC to be generated.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBCMAC_CTX_new()\fR returns a pointer to a new \fBCMAC_CTX\fR structure or NULL if
+an error occurs.
+.PP
+\&\fBCMAC_CTX_get0_cipher_ctx()\fR returns a pointer to the internal
+\&\fBEVP_CIPHER_CTX\fR structure, or NULL if an error occurs.
+.PP
+\&\fBCMAC_CTX_copy()\fR, \fBCMAC_Init()\fR, \fBCMAC_Update()\fR, \fBCMAC_Final()\fR and \fBCMAC_resume()\fR
+return 1 for success or 0 if an error occurs.
+.SH HISTORY
+.IX Header "HISTORY"
+All functions described here were deprecated in OpenSSL 3.0. For replacements,
+see \fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \fBEVP_MAC_init\fR\|(3),
+\&\fBEVP_MAC_update\fR\|(3), and \fBEVP_MAC_final\fR\|(3).
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3
index 132bd36df317..07b96c9d64a1 100644
--- a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_decrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ENCRYPTEDDATA_DECRYPT 3ossl"
-.TH CMS_ENCRYPTEDDATA_DECRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ENCRYPTEDDATA_DECRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-CMS_EncryptedData_decrypt
-\&\- Decrypt CMS EncryptedData
-.SH "SYNOPSIS"
+.SH NAME
+CMS_EncryptedData_decrypt, CMS_EnvelopedData_decrypt
+\&\- Decrypt CMS EncryptedData or EnvelopedData
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -147,32 +71,51 @@ CMS_EncryptedData_decrypt
\& int CMS_EncryptedData_decrypt(CMS_ContentInfo *cms,
\& const unsigned char *key, size_t keylen,
\& BIO *dcont, BIO *out, unsigned int flags);
+\&
+\& BIO *CMS_EnvelopedData_decrypt(CMS_EnvelopedData *env, BIO *detached_data,
+\& EVP_PKEY *pkey, X509 *cert,
+\& ASN1_OCTET_STRING *secret, unsigned int flags,
+\& OSSL_LIB_CTX *libctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_EncryptedData_decrypt()\fR decrypts a \fIcms\fR EncryptedData object using the
-symmetric \fIkey\fR of size \fIkeylen\fR bytes. \fIout\fR is a \s-1BIO\s0 to write the content
+symmetric \fIkey\fR of size \fIkeylen\fR bytes. \fIout\fR is a BIO to write the content
to and \fIflags\fR is an optional set of flags.
\&\fIdcont\fR is used in the rare case where the encrypted content is detached. It
-will normally be set to \s-1NULL.\s0
+will normally be set to NULL.
.PP
The following flags can be passed in the \fIflags\fR parameter.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is
returned.
+.PP
+\&\fBCMS_EnvelopedData_decrypt()\fR decrypts, similarly to \fBCMS_decrypt\fR\|(3),
+a CMS EnvelopedData object \fIenv\fR using the symmetric key \fIsecret\fR if it
+is not NULL, otherwise the private key of the recipient \fIpkey\fR.
+If \fIpkey\fR is given, it is recommended to provide also the associated
+certificate in \fIcert\fR \- see \fBCMS_decrypt\fR\|(3) and the NOTES on \fIcert\fR there.
+The optional parameters \fIflags\fR and \fIdcont\fR are used as described above.
+The optional parameters library context \fIlibctx\fR and property query \fIpropq\fR
+are used when retrieving algorithms from providers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_EncryptedData_decrypt()\fR returns 0 if an error occurred otherwise it
-returns 1.
+\&\fBCMS_EncryptedData_decrypt()\fR returns 0 if an error occurred otherwise returns 1.
+.PP
+\&\fBCMS_EnvelopedData_decrypt()\fR returns NULL if an error occurred,
+otherwise a BIO containing the decypted content.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBERR_get_error\fR\|(3), \fBCMS_EncryptedData_encrypt\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBERR_get_error\fR\|(3), \fBCMS_EncryptedData_encrypt\fR\|(3), \fBCMS_decrypt\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBCMS_EnvelopedData_decrypt()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3
index d3532e6d524a..a903fabb07ff 100644
--- a/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_EncryptedData_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ENCRYPTEDDATA_ENCRYPT 3ossl"
-.TH CMS_ENCRYPTEDDATA_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ENCRYPTEDDATA_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_EncryptedData_encrypt_ex, CMS_EncryptedData_encrypt
\&\- Create CMS EncryptedData
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -156,43 +80,43 @@ CMS_EncryptedData_encrypt_ex, CMS_EncryptedData_encrypt
\& const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen,
\& unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_EncryptedData_encrypt_ex()\fR creates a \fBCMS_ContentInfo\fR structure
-with a type \fBNID_pkcs7_encrypted\fR. \fIin\fR is a \s-1BIO\s0 containing the data to
+with a type \fBNID_pkcs7_encrypted\fR. \fIin\fR is a BIO containing the data to
encrypt using \fIcipher\fR and the encryption key \fIkey\fR of size \fIkeylen\fR bytes.
The library context \fIlibctx\fR and the property query \fIpropq\fR are used when
retrieving algorithms from providers. \fIflags\fR is a set of optional flags.
.PP
-The \fIflags\fR field supports the options \fB\s-1CMS_DETACHED\s0\fR, \fB\s-1CMS_STREAM\s0\fR and
-\&\fB\s-1CMS_PARTIAL\s0\fR. Internally \fBCMS_final()\fR is called unless \fB\s-1CMS_STREAM\s0\fR and/or
-\&\fB\s-1CMS_PARTIAL\s0\fR is specified.
+The \fIflags\fR field supports the options \fBCMS_DETACHED\fR, \fBCMS_STREAM\fR and
+\&\fBCMS_PARTIAL\fR. Internally \fBCMS_final()\fR is called unless \fBCMS_STREAM\fR and/or
+\&\fBCMS_PARTIAL\fR is specified.
.PP
-The algorithm passed in the \fIcipher\fR parameter must support \s-1ASN1\s0 encoding of
+The algorithm passed in the \fIcipher\fR parameter must support ASN1 encoding of
its parameters.
.PP
The \fBCMS_ContentInfo\fR structure can be freed using \fBCMS_ContentInfo_free\fR\|(3).
.PP
\&\fBCMS_EncryptedData_encrypt()\fR is similar to \fBCMS_EncryptedData_encrypt_ex()\fR
-but uses default values of \s-1NULL\s0 for the library context \fIlibctx\fR and the
+but uses default values of NULL for the library context \fIlibctx\fR and the
property query \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBCMS_EncryptedData_encrypt_ex()\fR and
-\&\fBCMS_EncryptedData_encrypt()\fR return \s-1NULL\s0 and set an error code that can be
+\&\fBCMS_EncryptedData_encrypt()\fR return NULL and set an error code that can be
obtained by \fBERR_get_error\fR\|(3). Otherwise they return a pointer to the newly
allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_final\fR\|(3), \fBCMS_EncryptedData_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBCMS_EncryptedData_encrypt_ex()\fR method was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3 b/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3
index 91876b5bb744..6479458f58cb 100644
--- a/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3
+++ b/secure/lib/libcrypto/man/man3/CMS_EnvelopedData_create.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ENVELOPEDDATA_CREATE 3ossl"
-.TH CMS_ENVELOPEDDATA_CREATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ENVELOPEDDATA_CREATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_EnvelopedData_create_ex, CMS_EnvelopedData_create,
CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex
\&\- Create CMS envelope
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -155,7 +79,7 @@ CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex
\& const char *propq);
\& CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_EnvelopedData_create_ex()\fR creates a \fBCMS_ContentInfo\fR structure
with a type \fBNID_pkcs7_enveloped\fR. \fIcipher\fR is the symmetric cipher to use.
@@ -164,11 +88,11 @@ retrieving algorithms from providers.
.PP
\&\fBCMS_AuthEnvelopedData_create_ex()\fR creates a \fBCMS_ContentInfo\fR
structure with a type \fBNID_id_smime_ct_authEnvelopedData\fR. \fBcipher\fR is the
-symmetric \s-1AEAD\s0 cipher to use. Currently only \s-1AES\s0 variants with \s-1GCM\s0 mode are
+symmetric AEAD cipher to use. Currently only AES variants with GCM mode are
supported. The library context \fIlibctx\fR and the property query \fIpropq\fR are
used when retrieving algorithms from providers.
.PP
-The algorithm passed in the \fIcipher\fR parameter must support \s-1ASN1\s0 encoding of
+The algorithm passed in the \fIcipher\fR parameter must support ASN1 encoding of
its parameters.
.PP
The recipients can be added later using \fBCMS_add1_recipient_cert\fR\|(3) or
@@ -177,32 +101,39 @@ The recipients can be added later using \fBCMS_add1_recipient_cert\fR\|(3) or
The \fBCMS_ContentInfo\fR structure needs to be finalized using \fBCMS_final\fR\|(3)
and then freed using \fBCMS_ContentInfo_free\fR\|(3).
.PP
-\&\fBCMS_EnvelopedData_create()\fR and CMS_AuthEnvelopedData_create are similar to
-\&\fBCMS_EnvelopedData_create_ex()\fR and
-\&\fBCMS_AuthEnvelopedData_create_ex()\fR but use default values of \s-1NULL\s0 for
+\&\fBCMS_EnvelopedData_create()\fR and \fBCMS_AuthEnvelopedData_create()\fR are similar to
+\&\fBCMS_EnvelopedData_create_ex()\fR and \fBCMS_AuthEnvelopedData_create_ex()\fR
+but use default values of NULL for
the library context \fIlibctx\fR and the property query \fIpropq\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Although \fBCMS_EnvelopedData_create()\fR and \fBCMS_AuthEnvelopedData_create()\fR allocate
+Although \fBCMS_EnvelopedData_create_ex()\fR, and \fBCMS_EnvelopedData_create()\fR,
+\&\fBCMS_AuthEnvelopedData_create_ex()\fR, and \fBCMS_AuthEnvelopedData_create()\fR allocate
a new \fBCMS_ContentInfo\fR structure, they are not usually used in applications.
The wrappers \fBCMS_encrypt\fR\|(3) and \fBCMS_decrypt\fR\|(3) are often used instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBCMS_EnvelopedData_create()\fR and
-\&\fBCMS_AuthEnvelopedData_create()\fR return \s-1NULL\s0 and set an error code that can be
-obtained by \fBERR_get_error\fR\|(3). Otherwise they return a pointer to the newly
-allocated structure.
+If the allocation fails, \fBCMS_EnvelopedData_create_ex()\fR,
+\&\fBCMS_EnvelopedData_create()\fR, \fBCMS_AuthEnvelopedData_create_ex()\fR,
+\&\fBCMS_AuthEnvelopedData_create()\fR, \fBCMS_AuthEnvelopedData_create()\fR,
+and \fBCMS_AuthEnvelopedData_create_ex()\fR return NULL and set an
+error code that can be obtained by \fBERR_get_error\fR\|(3).
+Otherwise, they return a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBERR_get_error\fR\|(3), \fBCMS_encrypt\fR\|(3), \fBCMS_decrypt\fR\|(3), \fBCMS_final\fR\|(3)
-.SH "HISTORY"
+\&\fBERR_get_error\fR\|(3), \fBCMS_encrypt\fR\|(3), \fBCMS_decrypt\fR\|(3), \fBCMS_final\fR\|(3),
+\&\fBCMS_sign_ex\fR\|(3), \fBCMS_encrypt_ex\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The \fBCMS_EnvelopedData_create_ex()\fR method was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBCMS_AuthEnvelopedData_create()\fR and \fBCMS_AuthEnvelopedData_create_ex()\fR
+were added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3
index f7a137c4cc82..d06970d5d807 100644
--- a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3
+++ b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ADD0_CERT 3ossl"
-.TH CMS_ADD0_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ADD0_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_get1_crls
+.SH NAME
+CMS_add0_cert, CMS_add1_cert, CMS_get1_certs,
+CMS_add0_crl, CMS_add1_crl, CMS_get1_crls
\&\- CMS certificate and CRL utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -152,58 +77,61 @@ CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_ge
\& int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl);
\& STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_add0_cert()\fR and \fBCMS_add1_cert()\fR add certificate \fIcert\fR to \fIcms\fR.
+\&\fBCMS_add0_cert()\fR and \fBCMS_add1_cert()\fR add certificate \fIcert\fR to \fIcms\fR
+unless it is already present.
This is used by \fBCMS_sign_ex\fR\|(3) and \fBCMS_sign\fR\|(3) and may be used before
calling \fBCMS_verify\fR\|(3) to help chain building in certificate validation.
+As the 0 implies, \fBCMS_add0_cert()\fR adds \fIcert\fR internally to \fIcms\fR
+and on success it must not be freed up by the caller.
+In contrast, the caller of \fBCMS_add1_cert()\fR must free \fIcert\fR.
\&\fIcms\fR must be of type signed data or (authenticated) enveloped data.
For signed data, such a certificate can be used when signing or verifying
-to fill in the signer certificate or to provide an extra \s-1CA\s0 certificate
+to fill in the signer certificate or to provide an extra CA certificate
that may be needed for chain building in certificate validation.
.PP
\&\fBCMS_get1_certs()\fR returns all certificates in \fIcms\fR.
.PP
-\&\fBCMS_add0_crl()\fR and \fBCMS_add1_crl()\fR add \s-1CRL\s0 \fIcrl\fR to \fIcms\fR.
+\&\fBCMS_add0_crl()\fR and \fBCMS_add1_crl()\fR add CRL \fIcrl\fR to \fIcms\fR.
\&\fIcms\fR must be of type signed data or (authenticated) enveloped data.
-For signed data, such a \s-1CRL\s0 may be used in certificate validation
+For signed data, such a CRL may be used in certificate validation
with \fBCMS_verify\fR\|(3).
-It may be given both for inclusion when signing a \s-1CMS\s0 message
-and when verifying a signed \s-1CMS\s0 message.
+It may be given both for inclusion when signing a CMS message
+and when verifying a signed CMS message.
.PP
\&\fBCMS_get1_crls()\fR returns all CRLs in \fIcms\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The CMS_ContentInfo structure \fIcms\fR must be of type signed data or enveloped
-data or an error will be returned.
-.PP
-For signed data certificates and CRLs are added to the \fIcertificates\fR and
-\&\fIcrls\fR fields of SignedData structure. For enveloped data they are added to
-\&\fBOriginatorInfo\fR.
-.PP
-As the \fI0\fR implies \fBCMS_add0_cert()\fR adds \fIcert\fR internally to \fIcms\fR and it
-must not be freed up after the call as opposed to \fBCMS_add1_cert()\fR where \fIcert\fR
-must be freed up.
+data or authenticated enveloped data or an error will be returned.
.PP
-The same certificate must not be added to the same cms structure more than once.
+For signed data, certificates and CRLs are added to the \fIcertificates\fR and
+\&\fIcrls\fR fields of SignedData structure.
+For enveloped data they are added to \fBOriginatorInfo\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_add0_cert()\fR, \fBCMS_add1_cert()\fR and \fBCMS_add0_crl()\fR and \fBCMS_add1_crl()\fR return
1 for success and 0 for failure.
.PP
-\&\fBCMS_get1_certs()\fR and \fBCMS_get1_crls()\fR return the \s-1STACK\s0 of certificates or CRLs
-or \s-1NULL\s0 if there are none or an error occurs. The only error which will occur
+\&\fBCMS_get1_certs()\fR and \fBCMS_get1_crls()\fR return the STACK of certificates or CRLs
+or NULL if there are none or an error occurs.
+Besides out-of-memory, the only error which will occur
in practice is if the \fIcms\fR type is invalid.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBCMS_sign\fR\|(3), \fBCMS_sign_ex\fR\|(3), \fBCMS_verify\fR\|(3),
\&\fBCMS_encrypt\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBCMS_add0_cert()\fR and \fBCMS_add1_cert()\fR have been changed in OpenSSL 3.2
+not to throw an error if a certificate to be added is already present.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3
index 5eeddb058135..d362e81a5fe4 100644
--- a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3
+++ b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ADD1_RECIPIENT_CERT 3ossl"
-.TH CMS_ADD1_RECIPIENT_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ADD1_RECIPIENT_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recipients to a CMS enveloped data structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -157,7 +81,7 @@ CMS_add1_recipient, CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recip
\& ASN1_OBJECT *otherTypeId,
\& ASN1_TYPE *otherType);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_add1_recipient()\fR adds recipient \fBrecip\fR and provides the originator pkey
\&\fBoriginatorPrivKey\fR and originator certificate \fBoriginator\fR to CMS_ContentInfo.
@@ -173,42 +97,42 @@ values \fBdate\fR, \fBotherTypeId\fR and \fBotherType\fR to CMS_ContentInfo enve
data structure \fBcms\fR as a KEKRecipientInfo structure.
.PP
The CMS_ContentInfo structure should be obtained from an initial call to
-\&\fBCMS_encrypt()\fR with the flag \fB\s-1CMS_PARTIAL\s0\fR set.
-.SH "NOTES"
+\&\fBCMS_encrypt()\fR with the flag \fBCMS_PARTIAL\fR set.
+.SH NOTES
.IX Header "NOTES"
-The main purpose of this function is to provide finer control over a \s-1CMS\s0
+The main purpose of this function is to provide finer control over a CMS
enveloped data structure where the simpler \fBCMS_encrypt()\fR function defaults are
not appropriate. For example if one or more KEKRecipientInfo structures
need to be added. New attributes can also be added using the returned
-CMS_RecipientInfo structure and the \s-1CMS\s0 attribute utility functions.
+CMS_RecipientInfo structure and the CMS attribute utility functions.
.PP
OpenSSL will by default identify recipient certificates using issuer name
-and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
+and serial number. If \fBCMS_USE_KEYID\fR is set it will use the subject key
identifier value instead. An error occurs if all recipient certificates do not
have a subject key identifier extension.
.PP
-Currently only \s-1AES\s0 based key wrapping algorithms are supported for \fBnid\fR,
+Currently only AES based key wrapping algorithms are supported for \fBnid\fR,
specifically: NID_id_aes128_wrap, NID_id_aes192_wrap and NID_id_aes256_wrap.
-If \fBnid\fR is set to \fBNID_undef\fR then an \s-1AES\s0 wrap algorithm will be used
+If \fBnid\fR is set to \fBNID_undef\fR then an AES wrap algorithm will be used
consistent with \fBkeylen\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_add1_recipient_cert()\fR and \fBCMS_add0_recipient_key()\fR return an internal
-pointer to the CMS_RecipientInfo structure just added or \s-1NULL\s0 if an error
+pointer to the CMS_RecipientInfo structure just added or NULL if an error
occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_decrypt\fR\|(3),
\&\fBCMS_final\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBCMS_add1_recipient_cert\fR and \fBCMS_add0_recipient_key\fR were added in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3
index 0b48ef374818..5843b351b139 100644
--- a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3
+++ b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ADD1_SIGNER 3ossl"
-.TH CMS_ADD1_SIGNER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ADD1_SIGNER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed data structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -149,70 +73,71 @@ CMS_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed
\&
\& int CMS_SignerInfo_sign(CMS_SignerInfo *si);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_add1_signer()\fR adds a signer with certificate \fBsigncert\fR and private
key \fBpkey\fR using message digest \fBmd\fR to CMS_ContentInfo SignedData
structure \fBcms\fR.
.PP
The CMS_ContentInfo structure should be obtained from an initial call to
-\&\fBCMS_sign()\fR with the flag \fB\s-1CMS_PARTIAL\s0\fR set or in the case or re-signing a
+\&\fBCMS_sign()\fR with the flag \fBCMS_PARTIAL\fR set or in the case or re-signing a
valid CMS_ContentInfo SignedData structure.
.PP
-If the \fBmd\fR parameter is \fB\s-1NULL\s0\fR then the default digest for the public
+If the \fBmd\fR parameter is \fBNULL\fR then the default digest for the public
key algorithm will be used.
.PP
-Unless the \fB\s-1CMS_REUSE_DIGEST\s0\fR flag is set the returned CMS_ContentInfo
+Unless the \fBCMS_REUSE_DIGEST\fR flag is set the returned CMS_ContentInfo
structure is not complete and must be finalized either by streaming (if
applicable) or a call to \fBCMS_final()\fR.
.PP
-The \fBCMS_SignerInfo_sign()\fR function will explicitly sign a CMS_SignerInfo
-structure, its main use is when \fB\s-1CMS_REUSE_DIGEST\s0\fR and \fB\s-1CMS_PARTIAL\s0\fR flags
+The \fBCMS_SignerInfo_sign()\fR function explicitly signs a CMS_SignerInfo
+structure, its main use is when the \fBCMS_REUSE_DIGEST\fR and \fBCMS_PARTIAL\fR flags
are both set.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The main purpose of \fBCMS_add1_signer()\fR is to provide finer control
-over a \s-1CMS\s0 signed data structure where the simpler \fBCMS_sign()\fR function defaults
+over a CMS signed data structure where the simpler \fBCMS_sign()\fR function defaults
are not appropriate. For example if multiple signers or non default digest
algorithms are needed. New attributes can also be added using the returned
-CMS_SignerInfo structure and the \s-1CMS\s0 attribute utility functions or the
-\&\s-1CMS\s0 signed receipt request functions.
+CMS_SignerInfo structure and the CMS attribute utility functions or the
+CMS signed receipt request functions.
.PP
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter.
.PP
-If \fB\s-1CMS_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content
+If \fBCMS_REUSE_DIGEST\fR is set then an attempt is made to copy the content
digest value from the CMS_ContentInfo structure: to add a signer to an existing
structure. An error occurs if a matching digest value cannot be found to copy.
The returned CMS_ContentInfo structure will be valid and finalized when this
flag is set.
.PP
-If \fB\s-1CMS_PARTIAL\s0\fR is set in addition to \fB\s-1CMS_REUSE_DIGEST\s0\fR then the
+If \fBCMS_PARTIAL\fR is set in addition to \fBCMS_REUSE_DIGEST\fR then the
CMS_SignerInfo structure will not be finalized so additional attributes
can be added. In this case an explicit call to \fBCMS_SignerInfo_sign()\fR is
needed to finalize it.
.PP
-If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
+If \fBCMS_NOCERTS\fR is set the signer's certificate will not be included in the
CMS_ContentInfo structure, the signer's certificate must still be supplied in
the \fBsigncert\fR parameter though. This can reduce the size of the signature if
the signers certificate can be obtained by other means: for example a
previously signed message.
.PP
-The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
-signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
-SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
-will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
+The SignedData structure includes several CMS signedAttributes including the
+signing time, the CMS content type and the supported list of ciphers in an
+SMIMECapabilities attribute. If \fBCMS_NOATTR\fR is set then no signedAttributes
+will be used at all. If \fBCMS_NOSMIMECAP\fR is set then the SMIMECapabilities
+will be omitted. If \fBCMS_NO_SIGNING_TIME\fR is set then the signing time will be
omitted.
.PP
OpenSSL will by default identify signing certificates using issuer name
-and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
+and serial number. If \fBCMS_USE_KEYID\fR is set it will use the subject key
identifier value instead. An error occurs if the signing certificate does not
have a subject key identifier extension.
.PP
If present the SMIMECapabilities attribute indicates support for the following
-algorithms in preference order: 256 bit \s-1AES,\s0 Gost R3411\-94, Gost 28147\-89, 192
-bit \s-1AES, 128\s0 bit \s-1AES,\s0 triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0
-If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST ENGINE\s0 is
+algorithms in preference order: 256 bit AES, Gost R3411\-94, Gost 28147\-89, 192
+bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
+If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
not loaded.
.PP
\&\fBCMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
@@ -221,16 +146,18 @@ before it is finalized.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
-structure just added or \s-1NULL\s0 if an error occurs.
+structure just added or NULL if an error occurs.
+.PP
+\&\fBCMS_SignerInfo_sign()\fR returns 1 on success, 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_final\fR\|(3),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2014\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_compress.3 b/secure/lib/libcrypto/man/man3/CMS_compress.3
index 8099ad52919b..bd8a365ff38d 100644
--- a/secure/lib/libcrypto/man/man3/CMS_compress.3
+++ b/secure/lib/libcrypto/man/man3/CMS_compress.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,139 +52,79 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_COMPRESS 3ossl"
-.TH CMS_COMPRESS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_COMPRESS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_compress \- create a CMS CompressedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_compress()\fR creates and returns a \s-1CMS\s0 CompressedData structure. \fBcomp_nid\fR
+\&\fBCMS_compress()\fR creates and returns a CMS CompressedData structure. \fBcomp_nid\fR
is the compression algorithm to use or \fBNID_undef\fR to use the default
algorithm (zlib compression). \fBin\fR is the content to be compressed.
\&\fBflags\fR is an optional set of flags.
.PP
-The only currently supported compression algorithm is zlib using the \s-1NID\s0
+The only currently supported compression algorithm is zlib using the NID
NID_zlib_compression.
.PP
If zlib support is not compiled into OpenSSL then \fBCMS_compress()\fR will return
an error.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are
prepended to the data.
.PP
-Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
-required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
+Normally the supplied content is translated into MIME canonical format (as
+required by the S/MIME specifications) if \fBCMS_BINARY\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If \fB\s-1CMS_BINARY\s0\fR is set then
-\&\fB\s-1CMS_TEXT\s0\fR is ignored.
+otherwise the translation will corrupt it. If \fBCMS_BINARY\fR is set then
+\&\fBCMS_TEXT\fR is ignored.
.PP
-If the \fB\s-1CMS_STREAM\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
-returned suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
+If the \fBCMS_STREAM\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
+returned suitable for streaming I/O: no data is read from the BIO \fBin\fR.
.PP
The compressed data is included in the CMS_ContentInfo structure, unless
-\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is rarely used in
+\&\fBCMS_DETACHED\fR is set in which case it is omitted. This is rarely used in
practice and is not supported by \fBSMIME_write_CMS()\fR.
.PP
-If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
+If the flag \fBCMS_STREAM\fR is set the returned \fBCMS_ContentInfo\fR structure is
\&\fBnot\fR complete and outputting its contents via a function that does not
properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_CMS()\fR, \fBi2d_CMS_bio_stream()\fR,
\&\fBPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming ASN1 \fBBIO\fR directly using
\&\fBBIO_new_CMS()\fR.
.PP
Additional compression parameters such as the zlib compression level cannot
currently be set.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_compress()\fR returns either a CMS_ContentInfo structure or \s-1NULL\s0 if an error
+\&\fBCMS_compress()\fR returns either a CMS_ContentInfo structure or NULL if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_uncompress\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \fB\s-1CMS_STREAM\s0\fR flag was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+The \fBCMS_STREAM\fR flag was added in OpenSSL 1.0.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_data_create.3 b/secure/lib/libcrypto/man/man3/CMS_data_create.3
index 8eaea558903c..6b3e4bdb5fb0 100644
--- a/secure/lib/libcrypto/man/man3/CMS_data_create.3
+++ b/secure/lib/libcrypto/man/man3/CMS_data_create.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_DATA_CREATE 3ossl"
-.TH CMS_DATA_CREATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_DATA_CREATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_data_create_ex, CMS_data_create
\&\- Create CMS Data object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -148,36 +72,36 @@ CMS_data_create_ex, CMS_data_create
\& OSSL_LIB_CTX *libctx, const char *propq);
\& CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_data_create_ex()\fR creates a \fBCMS_ContentInfo\fR structure
-with a type \fBNID_pkcs7_data\fR. The data is supplied via the \fIin\fR \s-1BIO.\s0
+with a type \fBNID_pkcs7_data\fR. The data is supplied via the \fIin\fR BIO.
The library context \fIlibctx\fR and the property query \fIpropq\fR are used when
retrieving algorithms from providers. The \fIflags\fR field supports the
-\&\fB\s-1CMS_STREAM\s0\fR flag. Internally \fBCMS_final()\fR is called unless \fB\s-1CMS_STREAM\s0\fR is
+\&\fBCMS_STREAM\fR flag. Internally \fBCMS_final()\fR is called unless \fBCMS_STREAM\fR is
specified.
.PP
The \fBCMS_ContentInfo\fR structure can be freed using \fBCMS_ContentInfo_free\fR\|(3).
.PP
\&\fBCMS_data_create()\fR is similar to \fBCMS_data_create_ex()\fR
-but uses default values of \s-1NULL\s0 for the library context \fIlibctx\fR and the
+but uses default values of NULL for the library context \fIlibctx\fR and the
property query \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBCMS_data_create_ex()\fR and \fBCMS_data_create()\fR
-return \s-1NULL\s0 and set an error code that can be obtained by \fBERR_get_error\fR\|(3).
+return NULL and set an error code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise they return a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_final\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBCMS_data_create_ex()\fR method was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_decrypt.3
index 9717fc6152d2..60fff4ceeee6 100644
--- a/secure/lib/libcrypto/man/man3/CMS_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_decrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_DECRYPT 3ossl"
-.TH CMS_DECRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_DECRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_decrypt, CMS_decrypt_set1_pkey_and_peer,
CMS_decrypt_set1_pkey, CMS_decrypt_set1_password
\&\- decrypt content from a CMS envelopedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -153,52 +77,51 @@ CMS_decrypt_set1_pkey, CMS_decrypt_set1_password
\& int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
\& unsigned char *pass, ossl_ssize_t passlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_decrypt()\fR extracts the decrypted content from a \s-1CMS\s0 EnvelopedData
+\&\fBCMS_decrypt()\fR extracts the decrypted content from a CMS EnvelopedData
or AuthEnvelopedData structure.
It uses \fBCMS_decrypt_set1_pkey()\fR to decrypt the content
-with the recipient private key \fIpkey\fR if \fIpkey\fR is not \s-1NULL.\s0
-In this case, it is recommended to provide the associated certificate
-in \fIcert\fR \- see the \s-1NOTES\s0 below.
-\&\fIout\fR is a \s-1BIO\s0 to write the content to and
+with the recipient private key \fIpkey\fR if \fIpkey\fR is not NULL.
+In this case, the associated certificate is recommended to provide in \fIcert\fR \-
+see the NOTES below.
+\&\fIout\fR is a BIO to write the content to and
\&\fIflags\fR is an optional set of flags.
-If \fIpkey\fR is \s-1NULL\s0 the function assumes that decryption was already done
+If \fIpkey\fR is NULL the function assumes that decryption was already done
(e.g., using \fBCMS_decrypt_set1_pkey()\fR or \fBCMS_decrypt_set1_password()\fR) and just
-provides the content unless \fIcert\fR, \fIdcont\fR, and \fIout\fR are \s-1NULL\s0 as well.
+provides the content unless \fIcert\fR, \fIdcont\fR, and \fIout\fR are NULL as well.
The \fIdcont\fR parameter is used in the rare case where the encrypted content
-is detached. It will normally be set to \s-1NULL.\s0
+is detached. It will normally be set to NULL.
.PP
\&\fBCMS_decrypt_set1_pkey_and_peer()\fR decrypts the CMS_ContentInfo structure \fIcms\fR
using the private key \fIpkey\fR, the corresponding certificate \fIcert\fR, which is
-recommended to be supplied but may be \s-1NULL,\s0
-and the (optional) originator certificate \fIpeer\fR.
-On success, it also records in \fIcms\fR the decryption key \fIpkey\fR, and this
+recommended but may be NULL, and the (optional) originator certificate \fIpeer\fR.
+On success, it also records in \fIcms\fR the decryption key \fIpkey\fR, and then
should be followed by \f(CW\*(C`CMS_decrypt(cms, NULL, NULL, dcont, out, flags)\*(C'\fR.
This call deallocates any decryption key stored in \fIcms\fR.
.PP
\&\fBCMS_decrypt_set1_pkey()\fR is the same as
-\&\fBCMS_decrypt_set1_pkey_and_peer()\fR with \fIpeer\fR being \s-1NULL.\s0
+\&\fBCMS_decrypt_set1_pkey_and_peer()\fR with \fIpeer\fR being NULL.
.PP
\&\fBCMS_decrypt_set1_password()\fR decrypts the CMS_ContentInfo structure \fIcms\fR
using the secret \fIpass\fR of length \fIpasslen\fR.
-On success, it also records in \fIcms\fR the decryption key used, and this
+On success, it also records in \fIcms\fR the decryption key used, and then
should be followed by \f(CW\*(C`CMS_decrypt(cms, NULL, NULL, dcont, out, flags)\*(C'\fR.
This call deallocates any decryption key stored in \fIcms\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Although the recipients certificate is not needed to decrypt the data it is
-needed to locate the appropriate (of possible several) recipients in the \s-1CMS\s0
+needed to locate the appropriate (of possible several) recipients in the CMS
structure.
.PP
-If \fIcert\fR is set to \s-1NULL\s0 all possible recipients are tried. This case however
-is problematic. To thwart the \s-1MMA\s0 attack (Bleichenbacher's attack on
-\&\s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are tried whether they succeed or
+If \fIcert\fR is set to NULL all possible recipients are tried. This case however
+is problematic. To thwart the MMA attack (Bleichenbacher's attack on
+PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
not. If no recipient succeeds then a random symmetric key is used to decrypt
the content: this will typically output garbage and may (but is not guaranteed
to) ultimately return a padding error only. If \fBCMS_decrypt()\fR just returned an
error when all recipient encrypted keys failed to decrypt an attacker could
-use this in a timing attack. If the special flag \fB\s-1CMS_DEBUG_DECRYPT\s0\fR is set
+use this in a timing attack. If the special flag \fBCMS_DEBUG_DECRYPT\fR is set
then the above behaviour is modified and an error \fBis\fR returned if no
recipient encrypted key can be decrypted \fBwithout\fR generating a random
content encryption key. Applications should use this flag with
@@ -206,18 +129,18 @@ content encryption key. Applications should use this flag with
open to attack.
.PP
It is possible to determine the correct recipient key by other means (for
-example looking them up in a database) and setting them in the \s-1CMS\s0 structure
-in advance using the \s-1CMS\s0 utility functions such as \fBCMS_set1_pkey()\fR,
+example looking them up in a database) and setting them in the CMS structure
+in advance using the CMS utility functions such as \fBCMS_set1_pkey()\fR,
or use \fBCMS_decrypt_set1_password()\fR if the recipient has a symmetric key.
-In these cases both \fIcert\fR and \fIpkey\fR should be set to \s-1NULL.\s0
+In these cases both \fIcert\fR and \fIpkey\fR should be set to NULL.
.PP
To process KEKRecipientInfo types \fBCMS_set1_key()\fR or \fBCMS_RecipientInfo_set0_key()\fR
and \fBCMS_RecipientInfo_decrypt()\fR should be called before \fBCMS_decrypt()\fR and
-\&\fIcert\fR and \fIpkey\fR set to \s-1NULL.\s0
+\&\fIcert\fR and \fIpkey\fR set to NULL.
.PP
The following flags can be passed in the \fIflags\fR parameter.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is
returned.
.SH "RETURN VALUES"
@@ -226,7 +149,7 @@ returned.
\&\fBCMS_decrypt_set1_pkey()\fR, and \fBCMS_decrypt_set1_password()\fR
return either 1 for success or 0 for failure.
The error can be obtained from \fBERR_get_error\fR\|(3).
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The \fBset1_\fR part of these function names is misleading
and should better read: \fBwith_\fR.
@@ -236,15 +159,15 @@ mentioned in \fBCMS_verify()\fR also applies to \fBCMS_decrypt()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_encrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBCMS_decrypt_set1_pkey_and_peer()\fR and \fBCMS_decrypt_set1_password()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_digest_create.3 b/secure/lib/libcrypto/man/man3/CMS_digest_create.3
index f9cacb2c01db..a176afca69c5 100644
--- a/secure/lib/libcrypto/man/man3/CMS_digest_create.3
+++ b/secure/lib/libcrypto/man/man3/CMS_digest_create.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_DIGEST_CREATE 3ossl"
-.TH CMS_DIGEST_CREATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_DIGEST_CREATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_digest_create_ex, CMS_digest_create
\&\- Create CMS DigestedData object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -151,36 +75,36 @@ CMS_digest_create_ex, CMS_digest_create
\& CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md,
\& unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_digest_create_ex()\fR creates a \fBCMS_ContentInfo\fR structure
-with a type \fBNID_pkcs7_digest\fR. The data supplied via the \fIin\fR \s-1BIO\s0 is digested
+with a type \fBNID_pkcs7_digest\fR. The data supplied via the \fIin\fR BIO is digested
using \fImd\fR. The library context \fIlibctx\fR and the property query \fIpropq\fR are
used when retrieving algorithms from providers.
-The \fIflags\fR field supports the \fB\s-1CMS_DETACHED\s0\fR and \fB\s-1CMS_STREAM\s0\fR flags,
-Internally \fBCMS_final()\fR is called unless \fB\s-1CMS_STREAM\s0\fR is specified.
+The \fIflags\fR field supports the \fBCMS_DETACHED\fR and \fBCMS_STREAM\fR flags,
+Internally \fBCMS_final()\fR is called unless \fBCMS_STREAM\fR is specified.
.PP
The \fBCMS_ContentInfo\fR structure can be freed using \fBCMS_ContentInfo_free\fR\|(3).
.PP
\&\fBCMS_digest_create()\fR is similar to \fBCMS_digest_create_ex()\fR
-but uses default values of \s-1NULL\s0 for the library context \fIlibctx\fR and the
+but uses default values of NULL for the library context \fIlibctx\fR and the
property query \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBCMS_digest_create_ex()\fR and \fBCMS_digest_create()\fR
-return \s-1NULL\s0 and set an error code that can be obtained by \fBERR_get_error\fR\|(3).
+return NULL and set an error code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise they return a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_final\fR\|(3)>
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBCMS_digest_create_ex()\fR method was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_encrypt.3
index f874bcbe3079..2f6b2022bf86 100644
--- a/secure/lib/libcrypto/man/man3/CMS_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ENCRYPT 3ossl"
-.TH CMS_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_encrypt_ex, CMS_encrypt \- create a CMS envelopedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -149,95 +73,95 @@ CMS_encrypt_ex, CMS_encrypt \- create a CMS envelopedData structure
\& CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
\& const EVP_CIPHER *cipher, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_encrypt_ex()\fR creates and returns a \s-1CMS\s0 EnvelopedData or
+\&\fBCMS_encrypt_ex()\fR creates and returns a CMS EnvelopedData or
AuthEnvelopedData structure. \fIcerts\fR is a list of recipient certificates.
\&\fIin\fR is the content to be encrypted. \fIcipher\fR is the symmetric cipher to use.
\&\fIflags\fR is an optional set of flags. The library context \fIlibctx\fR and the
property query \fIpropq\fR are used internally when retrieving algorithms from
providers.
.PP
-Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
+Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
function.
.PP
-\&\fBEVP_des_ede3_cbc()\fR (triple \s-1DES\s0) is the algorithm of choice for S/MIME use
+\&\fBEVP_des_ede3_cbc()\fR (triple DES) is the algorithm of choice for S/MIME use
because most clients will support it.
.PP
-The algorithm passed in the \fBcipher\fR parameter must support \s-1ASN1\s0 encoding of
-its parameters. If the cipher mode is \s-1GCM,\s0 then an AuthEnvelopedData structure
-containing \s-1MAC\s0 is used. Otherwise an EnvelopedData structure is used. Currently
-the \s-1AES\s0 variants with \s-1GCM\s0 mode are the only supported \s-1AEAD\s0 algorithms.
+The algorithm passed in the \fBcipher\fR parameter must support ASN1 encoding of
+its parameters. If the cipher mode is GCM, then an AuthEnvelopedData structure
+containing MAC is used. Otherwise an EnvelopedData structure is used. Currently
+the AES variants with GCM mode are the only supported AEAD algorithms.
.PP
-Many browsers implement a \*(L"sign and encrypt\*(R" option which is simply an S/MIME
+Many browsers implement a "sign and encrypt" option which is simply an S/MIME
envelopedData containing an S/MIME signed message. This can be readily produced
-by storing the S/MIME signed message in a memory \s-1BIO\s0 and passing it to
+by storing the S/MIME signed message in a memory BIO and passing it to
\&\fBCMS_encrypt()\fR.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are
prepended to the data.
.PP
-Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
-required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
+Normally the supplied content is translated into MIME canonical format (as
+required by the S/MIME specifications) if \fBCMS_BINARY\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If \fB\s-1CMS_BINARY\s0\fR is set then
-\&\fB\s-1CMS_TEXT\s0\fR is ignored.
+otherwise the translation will corrupt it. If \fBCMS_BINARY\fR is set then
+\&\fBCMS_TEXT\fR is ignored.
.PP
OpenSSL will by default identify recipient certificates using issuer name
-and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
+and serial number. If \fBCMS_USE_KEYID\fR is set it will use the subject key
identifier value instead. An error occurs if all recipient certificates do not
have a subject key identifier extension.
.PP
-If the \fB\s-1CMS_STREAM\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
-returned suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
+If the \fBCMS_STREAM\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
+returned suitable for streaming I/O: no data is read from the BIO \fBin\fR.
.PP
-If the \fB\s-1CMS_PARTIAL\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
+If the \fBCMS_PARTIAL\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
returned to which additional recipients and attributes can be added before
finalization.
.PP
The data being encrypted is included in the CMS_ContentInfo structure, unless
-\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is rarely used in
+\&\fBCMS_DETACHED\fR is set in which case it is omitted. This is rarely used in
practice and is not supported by \fBSMIME_write_CMS()\fR.
.PP
-If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
+If the flag \fBCMS_STREAM\fR is set the returned \fBCMS_ContentInfo\fR structure is
\&\fBnot\fR complete and outputting its contents via a function that does not
properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_CMS()\fR, \fBi2d_CMS_bio_stream()\fR,
\&\fBPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming ASN1 \fBBIO\fR directly using
\&\fBBIO_new_CMS()\fR.
.PP
-The recipients specified in \fBcerts\fR use a \s-1CMS\s0 KeyTransRecipientInfo info
-structure. KEKRecipientInfo is also supported using the flag \fB\s-1CMS_PARTIAL\s0\fR
+The recipients specified in \fBcerts\fR use a CMS KeyTransRecipientInfo info
+structure. KEKRecipientInfo is also supported using the flag \fBCMS_PARTIAL\fR
and \fBCMS_add0_recipient_key()\fR.
.PP
-The parameter \fBcerts\fR may be \s-1NULL\s0 if \fB\s-1CMS_PARTIAL\s0\fR is set and recipients
+The parameter \fBcerts\fR may be NULL if \fBCMS_PARTIAL\fR is set and recipients
added later using \fBCMS_add1_recipient_cert()\fR or \fBCMS_add0_recipient_key()\fR.
.PP
\&\fBCMS_encrypt()\fR is similar to \fBCMS_encrypt_ex()\fR but uses default values
-of \s-1NULL\s0 for the library context \fIlibctx\fR and the property query \fIpropq\fR.
+of NULL for the library context \fIlibctx\fR and the property query \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_encrypt_ex()\fR and \fBCMS_encrypt()\fR return either a CMS_ContentInfo
-structure or \s-1NULL\s0 if an error occurred. The error can be obtained from
+structure or NULL if an error occurred. The error can be obtained from
\&\fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBCMS_encrypt_ex()\fR was added in OpenSSL 3.0.
.PP
-The \fB\s-1CMS_STREAM\s0\fR flag was first supported in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+The \fBCMS_STREAM\fR flag was first supported in OpenSSL 1.0.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_final.3 b/secure/lib/libcrypto/man/man3/CMS_final.3
index af179046e93f..4c8cefcf95ff 100644
--- a/secure/lib/libcrypto/man/man3/CMS_final.3
+++ b/secure/lib/libcrypto/man/man3/CMS_final.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,62 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_FINAL 3ossl"
-.TH CMS_FINAL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_FINAL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-CMS_final \- finalise a CMS_ContentInfo structure
-.SH "SYNOPSIS"
+.SH NAME
+CMS_final, CMS_final_digest \- finalise a CMS_ContentInfo structure
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags);
+\& int CMS_final_digest(CMS_ContentInfo *cms, const unsigned char *md,
+\& unsigned int mdlen, BIO *dcont, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_final()\fR finalises the structure \fBcms\fR. Its purpose is to perform any
operations necessary on \fBcms\fR (digest computation for example) and set the
appropriate fields. The parameter \fBdata\fR contains the content to be
-processed. The \fBdcont\fR parameter contains a \s-1BIO\s0 to write content to after
+processed. The \fBdcont\fR parameter contains a BIO to write content to after
processing: this is only used with detached data and will usually be set to
-\&\s-1NULL.\s0
-.SH "NOTES"
+NULL.
+.PP
+\&\fBCMS_final_digest()\fR finalises the structure \fBcms\fR using a pre-computed digest,
+rather than computing the digest from the original data.
+.SH NOTES
.IX Header "NOTES"
-This function will normally be called when the \fB\s-1CMS_PARTIAL\s0\fR flag is used. It
+These functions will normally be called when the \fBCMS_PARTIAL\fR flag is used. It
should only be used when streaming is not performed because the streaming
I/O functions perform finalisation operations internally.
+.PP
+To sign a pre-computed digest, \fBCMS_sign\fR\|(3) or \fBCMS_sign_ex()\fR is called
+with the \fBdata\fR parameter set to NULL before the CMS structure is finalised
+with the digest provided to \fBCMS_final_digest()\fR in binary form.
+When signing a pre-computed digest, the security relies on the digest and its
+computation from the original message being trusted.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_final()\fR returns 1 for success or 0 for failure.
+\&\fBCMS_final()\fR and \fBCMS_final_digest()\fR return 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_encrypt\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBCMS_final_digest()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3
index 71b6f6b0407d..336778b818d3 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET0_RECIPIENTINFOS 3ossl"
-.TH CMS_GET0_RECIPIENTINFOS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_GET0_RECIPIENTINFOS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_get0_RecipientInfos, CMS_RecipientInfo_type,
CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp,
CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id,
@@ -145,7 +69,7 @@ CMS_RecipientInfo_kari_set0_pkey,
CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key,
CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
\&\- CMS envelopedData RecipientInfo routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -175,53 +99,53 @@ CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt
\& int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
\& int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBCMS_get0_RecipientInfos()\fR returns all the CMS_RecipientInfo
-structures associated with a \s-1CMS\s0 EnvelopedData structure.
+structures associated with a CMS EnvelopedData structure.
.PP
\&\fBCMS_RecipientInfo_type()\fR returns the type of CMS_RecipientInfo structure \fBri\fR.
-It will currently return \s-1CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
-CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS,\s0 or \s-1CMS_RECIPINFO_OTHER.\s0
+It will currently return CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
+CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, or CMS_RECIPINFO_OTHER.
.PP
\&\fBCMS_RecipientInfo_ktri_get0_signer_id()\fR retrieves the certificate recipient
identifier associated with a specific CMS_RecipientInfo structure \fBri\fR, which
-must be of type \s-1CMS_RECIPINFO_TRANS.\s0 Either the keyidentifier will be set in
+must be of type CMS_RECIPINFO_TRANS. Either the keyidentifier will be set in
\&\fBkeyid\fR or \fBboth\fR issuer name and serial number in \fBissuer\fR and \fBsno\fR.
.PP
\&\fBCMS_RecipientInfo_ktri_cert_cmp()\fR compares the certificate \fBcert\fR against the
-CMS_RecipientInfo structure \fBri\fR, which must be of type \s-1CMS_RECIPINFO_TRANS.\s0
+CMS_RecipientInfo structure \fBri\fR, which must be of type CMS_RECIPINFO_TRANS.
It returns zero if the comparison is successful and non zero if not.
.PP
\&\fBCMS_RecipientInfo_set0_pkey()\fR associates the private key \fBpkey\fR with
the CMS_RecipientInfo structure \fBri\fR, which must be of type
-\&\s-1CMS_RECIPINFO_TRANS.\s0
+CMS_RECIPINFO_TRANS.
.PP
\&\fBCMS_RecipientInfo_kari_set0_pkey_and_peer()\fR associates the private key \fBpkey\fR
and peer certificate \fBpeer\fR with the CMS_RecipientInfo structure \fBri\fR, which
-must be of type \s-1CMS_RECIPINFO_AGREE.\s0
+must be of type CMS_RECIPINFO_AGREE.
.PP
\&\fBCMS_RecipientInfo_kari_set0_pkey()\fR associates the private key \fBpkey\fR with the
-CMS_RecipientInfo structure \fBri\fR, which must be of type \s-1CMS_RECIPINFO_AGREE.\s0
+CMS_RecipientInfo structure \fBri\fR, which must be of type CMS_RECIPINFO_AGREE.
.PP
\&\fBCMS_RecipientInfo_kekri_get0_id()\fR retrieves the key information from the
-CMS_RecipientInfo structure \fBri\fR which must be of type \s-1CMS_RECIPINFO_KEK.\s0 Any
-of the remaining parameters can be \s-1NULL\s0 if the application is not interested in
-the value of a field. Where a field is optional and absent \s-1NULL\s0 will be written
+CMS_RecipientInfo structure \fBri\fR which must be of type CMS_RECIPINFO_KEK. Any
+of the remaining parameters can be NULL if the application is not interested in
+the value of a field. Where a field is optional and absent NULL will be written
to the corresponding parameter. The keyEncryptionAlgorithm field is written to
\&\fBpalg\fR, the \fBkeyIdentifier\fR field is written to \fBpid\fR, the \fBdate\fR field if
present is written to \fBpdate\fR, if the \fBother\fR field is present the components
\&\fBkeyAttrId\fR and \fBkeyAttr\fR are written to parameters \fBpotherid\fR and
\&\fBpothertype\fR.
.PP
-\&\fBCMS_RecipientInfo_kekri_id_cmp()\fR compares the \s-1ID\s0 in the \fBid\fR and \fBidlen\fR
+\&\fBCMS_RecipientInfo_kekri_id_cmp()\fR compares the ID in the \fBid\fR and \fBidlen\fR
parameters against the \fBkeyIdentifier\fR CMS_RecipientInfo structure \fBri\fR,
-which must be of type \s-1CMS_RECIPINFO_KEK.\s0 It returns zero if the comparison is
+which must be of type CMS_RECIPINFO_KEK. It returns zero if the comparison is
successful and non zero if not.
.PP
\&\fBCMS_RecipientInfo_set0_key()\fR associates the symmetric key \fBkey\fR of length
\&\fBkeylen\fR with the CMS_RecipientInfo structure \fBri\fR, which must be of type
-\&\s-1CMS_RECIPINFO_KEK.\s0
+CMS_RECIPINFO_KEK.
.PP
\&\fBCMS_RecipientInfo_decrypt()\fR attempts to decrypt CMS_RecipientInfo structure
\&\fBri\fR in structure \fBcms\fR. A key must have been associated with the structure
@@ -231,7 +155,7 @@ first.
\&\fBri\fR in structure \fBcms\fR. A key must have been associated with the structure
first and the content encryption key must be available: for example by a
previous call to \fBCMS_RecipientInfo_decrypt()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The main purpose of these functions is to enable an application to lookup
recipient keys using any appropriate technique when the simpler method
@@ -244,7 +168,7 @@ can be ignored or its key identifier data retrieved using an appropriate
function. Then if the corresponding secret or private key can be obtained by
any appropriate means it can then associated with the structure and
\&\fBCMS_RecipientInfo_decrypt()\fR called. If successful \fBCMS_decrypt()\fR can be called
-with a \s-1NULL\s0 key to decrypt the enveloped content.
+with a NULL key to decrypt the enveloped content.
.PP
The \fBCMS_RecipientInfo_encrypt()\fR can be used to add a new recipient to an
existing enveloped data structure. Typically an application will first decrypt
@@ -254,7 +178,7 @@ available, it will then add a new recipient using a function such as
using \fBCMS_RecipientInfo_encrypt()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_get0_RecipientInfos()\fR returns all CMS_RecipientInfo structures, or \s-1NULL\s0 if
+\&\fBCMS_get0_RecipientInfos()\fR returns all CMS_RecipientInfo structures, or NULL if
an error occurs.
.PP
\&\fBCMS_RecipientInfo_ktri_get0_signer_id()\fR, \fBCMS_RecipientInfo_set0_pkey()\fR,
@@ -269,15 +193,15 @@ Any error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBCMS_RecipientInfo_kari_set0_pkey_and_peer\fR and \fBCMS_RecipientInfo_kari_set0_pkey\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3
index e8c4ef8ae2b4..e4fafd1025a8 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET0_SIGNERINFOS 3ossl"
-.TH CMS_GET0_SIGNERINFOS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_GET0_SIGNERINFOS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_SignerInfo_set1_signer_cert,
CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id,
CMS_SignerInfo_get0_signature, CMS_SignerInfo_cert_cmp
\&\- CMS signedData signer functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -154,10 +78,10 @@ CMS_SignerInfo_get0_signature, CMS_SignerInfo_cert_cmp
\& int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert);
\& void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBCMS_get0_SignerInfos()\fR returns all the CMS_SignerInfo structures
-associated with a \s-1CMS\s0 signedData structure.
+associated with a CMS signedData structure.
.PP
\&\fBCMS_SignerInfo_get0_signer_id()\fR retrieves the certificate signer identifier
associated with a specific CMS_SignerInfo structure \fBsi\fR. Either the
@@ -165,7 +89,7 @@ keyidentifier will be set in \fBkeyid\fR or \fBboth\fR issuer name and serial nu
in \fBissuer\fR and \fBsno\fR.
.PP
\&\fBCMS_SignerInfo_get0_signature()\fR retrieves the signature associated with
-\&\fBsi\fR in a pointer to an \s-1ASN1_OCTET_STRING\s0 structure. This pointer returned
+\&\fBsi\fR in a pointer to an ASN1_OCTET_STRING structure. This pointer returned
corresponds to the internal signature value if \fBsi\fR so it may be read or
modified.
.PP
@@ -173,9 +97,9 @@ modified.
identifier \fBsi\fR. It returns zero if the comparison is successful and non zero
if not.
.PP
-\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signers certificate of \fBsi\fR to
+\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signer's certificate of \fBsi\fR to
\&\fBsigner\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The main purpose of these functions is to enable an application to lookup
signers certificates using any appropriate technique when the simpler method
@@ -183,19 +107,19 @@ of \fBCMS_verify()\fR is not appropriate.
.PP
In typical usage and application will retrieve all CMS_SignerInfo structures
using \fBCMS_get0_SignerInfo()\fR and retrieve the identifier information using
-\&\s-1CMS.\s0 It will then obtain the signer certificate by some unspecified means
+CMS. It will then obtain the signer certificate by some unspecified means
(or return and error if it cannot be found) and set it using
\&\fBCMS_SignerInfo_set1_signer_cert()\fR.
.PP
Once all signer certificates have been set \fBCMS_verify()\fR can be used.
.PP
-Although \fBCMS_get0_SignerInfos()\fR can return \s-1NULL\s0 if an error occurs \fBor\fR if
+Although \fBCMS_get0_SignerInfos()\fR can return NULL if an error occurs \fBor\fR if
there are no signers this is not a problem in practice because the only
error which can occur is if the \fBcms\fR structure is not of type signedData
due to application error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_get0_SignerInfos()\fR returns all CMS_SignerInfo structures, or \s-1NULL\s0 there
+\&\fBCMS_get0_SignerInfos()\fR returns all CMS_SignerInfo structures, or NULL there
are no signers or an error occurs.
.PP
\&\fBCMS_SignerInfo_get0_signer_id()\fR returns 1 for success and 0 for failure.
@@ -209,11 +133,11 @@ Any error can be obtained from \fBERR_get_error\fR\|(3)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_verify\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_type.3 b/secure/lib/libcrypto/man/man3/CMS_get0_type.3
index 85829171e0bd..eae32278146d 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get0_type.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_type.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET0_TYPE 3ossl"
-.TH CMS_GET0_TYPE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_GET0_TYPE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content \- get and set CMS content types and content
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -148,32 +72,32 @@ CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content \-
\& const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms);
\& ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_get0_type()\fR returns the content type of a CMS_ContentInfo structure as
-an \s-1ASN1_OBJECT\s0 pointer. An application can then decide how to process the
+an ASN1_OBJECT pointer. An application can then decide how to process the
CMS_ContentInfo structure based on this value.
.PP
\&\fBCMS_set1_eContentType()\fR sets the embedded content type of a CMS_ContentInfo
-structure. It should be called with \s-1CMS\s0 functions (such as \fBCMS_sign\fR\|(3),
+structure. It should be called with CMS functions (such as \fBCMS_sign\fR\|(3),
\&\fBCMS_encrypt\fR\|(3))
-with the \fB\s-1CMS_PARTIAL\s0\fR
+with the \fBCMS_PARTIAL\fR
flag and \fBbefore\fR the structure is finalised, otherwise the results are
undefined.
.PP
-\&\s-1ASN1_OBJECT\s0 *\fBCMS_get0_eContentType()\fR returns a pointer to the embedded
+ASN1_OBJECT *\fBCMS_get0_eContentType()\fR returns a pointer to the embedded
content type.
.PP
-\&\fBCMS_get0_content()\fR returns a pointer to the \fB\s-1ASN1_OCTET_STRING\s0\fR pointer
+\&\fBCMS_get0_content()\fR returns a pointer to the \fBASN1_OCTET_STRING\fR pointer
containing the embedded content.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
As the \fB0\fR implies \fBCMS_get0_type()\fR, \fBCMS_get0_eContentType()\fR and
\&\fBCMS_get0_content()\fR return internal pointers which should \fBnot\fR be freed up.
-\&\fBCMS_set1_eContentType()\fR copies the supplied \s-1OID\s0 and it \fBshould\fR be freed up
+\&\fBCMS_set1_eContentType()\fR copies the supplied OID and it \fBshould\fR be freed up
after use.
.PP
-The \fB\s-1ASN1_OBJECT\s0\fR values returned can be converted to an integer \fB\s-1NID\s0\fR value
+The \fBASN1_OBJECT\fR values returned can be converted to an integer \fBNID\fR value
using \fBOBJ_obj2nid()\fR. For the currently supported content types the following
values are returned:
.PP
@@ -186,31 +110,31 @@ values are returned:
\& NID_pkcs7_enveloped
.Ve
.PP
-The return value of \fBCMS_get0_content()\fR is a pointer to the \fB\s-1ASN1_OCTET_STRING\s0\fR
+The return value of \fBCMS_get0_content()\fR is a pointer to the \fBASN1_OCTET_STRING\fR
content pointer. That means that for example:
.PP
.Vb 1
\& ASN1_OCTET_STRING **pconf = CMS_get0_content(cms);
.Ve
.PP
-\&\fB*pconf\fR could be \s-1NULL\s0 if there is no embedded content. Applications can
+\&\fB*pconf\fR could be NULL if there is no embedded content. Applications can
access, modify or create the embedded content in a \fBCMS_ContentInfo\fR structure
using this function. Applications usually will not need to modify the
embedded content as it is normally set by higher level functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_get0_type()\fR and \fBCMS_get0_eContentType()\fR return an \s-1ASN1_OBJECT\s0 structure.
+\&\fBCMS_get0_type()\fR and \fBCMS_get0_eContentType()\fR return an ASN1_OBJECT structure.
.PP
\&\fBCMS_set1_eContentType()\fR returns 1 for success or 0 if an error occurred. The
error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3
index 3066d6f8e951..9d5cca2a3f78 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET1_RECEIPTREQUEST 3ossl"
-.TH CMS_GET1_RECEIPTREQUEST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_GET1_RECEIPTREQUEST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_ReceiptRequest_create0_ex, CMS_ReceiptRequest_create0,
CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values
\&\- CMS signed receipt request functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -159,19 +83,19 @@ CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values
\& STACK_OF(GENERAL_NAMES) **plist,
\& STACK_OF(GENERAL_NAMES) **prto);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_ReceiptRequest_create0_ex()\fR creates a signed receipt request
structure. The \fBsignedContentIdentifier\fR field is set using \fIid\fR and \fIidlen\fR,
-or it is set to 32 bytes of pseudo random data if \fIid\fR is \s-1NULL.\s0
-If \fIreceiptList\fR is \s-1NULL\s0 the allOrFirstTier option in \fIreceiptsFrom\fR is used
+or it is set to 32 bytes of pseudo random data if \fIid\fR is NULL.
+If \fIreceiptList\fR is NULL the allOrFirstTier option in \fIreceiptsFrom\fR is used
and set to the value of the \fIallorfirst\fR parameter. If \fIreceiptList\fR is not
-\&\s-1NULL\s0 the \fIreceiptList\fR option in \fIreceiptsFrom\fR is used. The \fIreceiptsTo\fR
+NULL the \fIreceiptList\fR option in \fIreceiptsFrom\fR is used. The \fIreceiptsTo\fR
parameter specifies the \fIreceiptsTo\fR field value. The library context \fIlibctx\fR
is used to find the public random generator.
.PP
\&\fBCMS_ReceiptRequest_create0()\fR is similar to
-\&\fBCMS_ReceiptRequest_create0_ex()\fR but uses default values of \s-1NULL\s0 for the
+\&\fBCMS_ReceiptRequest_create0_ex()\fR but uses default values of NULL for the
library context \fIlibctx\fR.
.PP
The \fBCMS_add1_ReceiptRequest()\fR function adds a signed receipt request \fBrr\fR
@@ -185,9 +109,9 @@ The signedContentIdentifier is copied to \fBpcid\fR. If the \fBallOrFirstTier\fR
option of \fBreceiptsFrom\fR is used its value is copied to \fBpallorfirst\fR
otherwise the \fBreceiptList\fR field is copied to \fBplist\fR. The \fBreceiptsTo\fR
parameter is copied to \fBprto\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-For more details of the meaning of the fields see \s-1RFC2634.\s0
+For more details of the meaning of the fields see RFC2634.
.PP
The contents of a signed receipt should only be considered meaningful if the
corresponding CMS_ContentInfo structure can be successfully verified using
@@ -195,7 +119,7 @@ corresponding CMS_ContentInfo structure can be successfully verified using
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_ReceiptRequest_create0_ex()\fR and \fBCMS_ReceiptRequest_create0()\fR return
-a signed receipt request structure or \s-1NULL\s0 if an error occurred.
+a signed receipt request structure or NULL if an error occurred.
.PP
\&\fBCMS_add1_ReceiptRequest()\fR returns 1 for success or 0 if an error occurred.
.PP
@@ -207,14 +131,14 @@ it is present but malformed.
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_sign_receipt\fR\|(3), \fBCMS_verify\fR\|(3)
\&\fBCMS_verify_receipt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBCMS_ReceiptRequest_create0_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_sign.3 b/secure/lib/libcrypto/man/man3/CMS_sign.3
index ae864edd2e2f..29bf5b8b9927 100644
--- a/secure/lib/libcrypto/man/man3/CMS_sign.3
+++ b/secure/lib/libcrypto/man/man3/CMS_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_SIGN 3ossl"
-.TH CMS_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_sign, CMS_sign_ex \- create a CMS SignedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -150,120 +74,124 @@ CMS_sign, CMS_sign_ex \- create a CMS SignedData structure
\& CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
\& BIO *data, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_sign_ex()\fR creates and returns a \s-1CMS\s0 SignedData structure.
+\&\fBCMS_sign_ex()\fR creates and returns a CMS SignedData structure.
\&\fIsigncert\fR is the certificate to sign with, \fIpkey\fR is the corresponding
private key. \fIcerts\fR is an optional additional set of certificates to include
-in the \s-1CMS\s0 structure (for example any intermediate CAs in the chain). The
+in the CMS structure (for example any intermediate CAs in the chain). The
library context \fIlibctx\fR and the property query \fIpropq\fR are used when
retrieving algorithms from providers. Any or all of these parameters can be
-\&\fB\s-1NULL\s0\fR, see \fB\s-1NOTES\s0\fR below.
+\&\fBNULL\fR, see \fBNOTES\fR below.
.PP
-The data to be signed is read from \s-1BIO\s0 \fBdata\fR.
+The data to be signed is read from BIO \fBdata\fR.
.PP
\&\fBflags\fR is an optional set of flags.
.PP
-\&\fBCMS_sign()\fR is similar to \fBCMS_sign_ex()\fR but uses default values of \s-1NULL\s0
+\&\fBCMS_sign()\fR is similar to \fBCMS_sign_ex()\fR but uses default values of NULL
for the library context \fIlibctx\fR and the property query \fIpropq\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter.
.PP
-Many S/MIME clients expect the signed content to include valid \s-1MIME\s0 headers. If
-the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are prepended
+Many S/MIME clients expect the signed content to include valid MIME headers. If
+the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are prepended
to the data.
.PP
-If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
+If \fBCMS_NOCERTS\fR is set the signer's certificate will not be included in the
CMS_ContentInfo structure, the signer's certificate must still be supplied in
the \fBsigncert\fR parameter though. This can reduce the size of the signature if
the signers certificate can be obtained by other means: for example a
previously signed message.
.PP
The data being signed is included in the CMS_ContentInfo structure, unless
-\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is used for
+\&\fBCMS_DETACHED\fR is set in which case it is omitted. This is used for
CMS_ContentInfo detached signatures which are used in S/MIME plaintext signed
messages for example.
.PP
-Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
-required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
+Normally the supplied content is translated into MIME canonical format (as
+required by the S/MIME specifications) if \fBCMS_BINARY\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it.
.PP
-The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
-signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
-SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
-will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
+The SignedData structure includes several CMS signedAttributes including the
+signing time, the CMS content type and the supported list of ciphers in an
+SMIMECapabilities attribute. If \fBCMS_NOATTR\fR is set then no signedAttributes
+will be used at all. If \fBCMS_NOSMIMECAP\fR is set then the SMIMECapabilities
+will be omitted. If \fBCMS_NO_SIGNING_TIME\fR is set then the signing time will be
omitted.
.PP
If present the SMIMECapabilities attribute indicates support for the following
-algorithms in preference order: 256 bit \s-1AES,\s0 Gost R3411\-94, Gost 28147\-89, 192
-bit \s-1AES, 128\s0 bit \s-1AES,\s0 triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0
+algorithms in preference order: 256 bit AES, Gost R3411\-94, Gost 28147\-89, 192
+bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
If any of these algorithms is not available then it will not be included:
-for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST ENGINE\s0 is
+for example the GOST algorithms will not be included if the GOST ENGINE is
not loaded.
.PP
OpenSSL will by default identify signing certificates using issuer name
-and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
+and serial number. If \fBCMS_USE_KEYID\fR is set it will use the subject key
identifier value instead. An error occurs if the signing certificate does not
have a subject key identifier extension.
.PP
-If the flags \fB\s-1CMS_STREAM\s0\fR is set then the returned \fBCMS_ContentInfo\fR
+If the flags \fBCMS_STREAM\fR is set then the returned \fBCMS_ContentInfo\fR
structure is just initialized ready to perform the signing operation. The
signing is however \fBnot\fR performed and the data to be signed is not read from
the \fBdata\fR parameter. Signing is deferred until after the data has been
written. In this way data can be signed in a single pass.
.PP
-If the \fB\s-1CMS_PARTIAL\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
+If the \fBCMS_PARTIAL\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
output to which additional signers and capabilities can be added before
finalization.
.PP
-If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
+If the flag \fBCMS_STREAM\fR is set the returned \fBCMS_ContentInfo\fR structure is
\&\fBnot\fR complete and outputting its contents via a function that does not
properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_CMS()\fR, \fBi2d_CMS_bio_stream()\fR,
\&\fBPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming ASN1 \fBBIO\fR directly using
\&\fBBIO_new_CMS()\fR.
.PP
If a signer is specified it will use the default digest for the signing
-algorithm. This is \fB\s-1SHA1\s0\fR for both \s-1RSA\s0 and \s-1DSA\s0 keys.
+algorithm. This is \fBSHA256\fR for both RSA and DSA keys.
.PP
-If \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certificates only \s-1CMS\s0 structure is
+If \fBsigncert\fR and \fBpkey\fR are NULL then a certificates only CMS structure is
output.
.PP
-The function \fBCMS_sign()\fR is a basic \s-1CMS\s0 signing function whose output will be
+The function \fBCMS_sign()\fR is a basic CMS signing function whose output will be
suitable for many purposes. For finer control of the output format the
-\&\fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be \fB\s-1NULL\s0\fR and the
-\&\fB\s-1CMS_PARTIAL\s0\fR flag set. Then one or more signers can be added using the
+\&\fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be \fBNULL\fR and the
+\&\fBCMS_PARTIAL\fR flag set. Then one or more signers can be added using the
function \fBCMS_add1_signer()\fR, non default digests can be used and custom
attributes added. \fBCMS_final()\fR must then be called to finalize the
structure if streaming is not enabled.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
Some attributes such as counter signatures are not supported.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_sign_ex()\fR and \fBCMS_sign()\fR return either a valid CMS_ContentInfo
-structure or \s-1NULL\s0 if an error occurred. The error can be obtained from
+structure or NULL if an error occurred. The error can be obtained from
\&\fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \fB\s-1CMS_STREAM\s0\fR flag is only supported for detached data in OpenSSL 0.9.8,
+The \fBCMS_STREAM\fR flag is only supported for detached data in OpenSSL 0.9.8,
it is supported for embedded data in OpenSSL 1.0.0 and later.
.PP
The \fBCMS_sign_ex()\fR method was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Since OpenSSL 3.2, \fBCMS_sign_ex()\fR and \fBCMS_sign()\fR ignore any duplicate
+certificates in their \fIcerts\fR argument and no longer throw an error for them.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3
index be28f9191f39..eb06de4a2fcd 100644
--- a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_SIGN_RECEIPT 3ossl"
-.TH CMS_SIGN_RECEIPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_SIGN_RECEIPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_sign_receipt \- create a CMS signed receipt
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -147,35 +71,35 @@ CMS_sign_receipt \- create a CMS signed receipt
\& EVP_PKEY *pkey, STACK_OF(X509) *certs,
\& unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_sign_receipt()\fR creates and returns a \s-1CMS\s0 signed receipt structure. \fBsi\fR is
+\&\fBCMS_sign_receipt()\fR creates and returns a CMS signed receipt structure. \fBsi\fR is
the \fBCMS_SignerInfo\fR structure containing the signed receipt request.
\&\fBsigncert\fR is the certificate to sign with, \fBpkey\fR is the corresponding
private key. \fBcerts\fR is an optional additional set of certificates to include
-in the \s-1CMS\s0 structure (for example any intermediate CAs in the chain).
+in the CMS structure (for example any intermediate CAs in the chain).
.PP
\&\fBflags\fR is an optional set of flags.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This functions behaves in a similar way to \fBCMS_sign()\fR except the flag values
-\&\fB\s-1CMS_DETACHED\s0\fR, \fB\s-1CMS_BINARY\s0\fR, \fB\s-1CMS_NOATTR\s0\fR, \fB\s-1CMS_TEXT\s0\fR and \fB\s-1CMS_STREAM\s0\fR
+\&\fBCMS_DETACHED\fR, \fBCMS_BINARY\fR, \fBCMS_NOATTR\fR, \fBCMS_TEXT\fR and \fBCMS_STREAM\fR
are not supported since they do not make sense in the context of signed
receipts.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCMS_sign_receipt()\fR returns either a valid CMS_ContentInfo structure or \s-1NULL\s0 if
+\&\fBCMS_sign_receipt()\fR returns either a valid CMS_ContentInfo structure or NULL if
an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBCMS_verify_receipt\fR\|(3),
\&\fBCMS_sign\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3 b/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3
new file mode 100644
index 000000000000..f98d022fea69
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/CMS_signed_get_attr.3
@@ -0,0 +1,260 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "CMS_SIGNED_GET_ATTR 3ossl"
+.TH CMS_SIGNED_GET_ATTR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+CMS_signed_get_attr_count,
+CMS_signed_get_attr_by_NID, CMS_signed_get_attr_by_OBJ, CMS_signed_get_attr,
+CMS_signed_delete_attr,
+CMS_signed_add1_attr, CMS_signed_add1_attr_by_OBJ,
+CMS_signed_add1_attr_by_NID, CMS_signed_add1_attr_by_txt,
+CMS_signed_get0_data_by_OBJ,
+CMS_unsigned_get_attr_count,
+CMS_unsigned_get_attr_by_NID, CMS_unsigned_get_attr_by_OBJ,
+CMS_unsigned_get_attr, CMS_unsigned_delete_attr,
+CMS_unsigned_add1_attr, CMS_unsigned_add1_attr_by_OBJ,
+CMS_unsigned_add1_attr_by_NID, CMS_unsigned_add1_attr_by_txt,
+CMS_unsigned_get0_data_by_OBJ
+\&\- CMS signed and unsigned attribute functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/cms.h>
+\&
+\& int CMS_signed_get_attr_count(const CMS_SignerInfo *si);
+\& int CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid,
+\& int lastpos);
+\& int CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj,
+\& int lastpos);
+\& X509_ATTRIBUTE *CMS_signed_get_attr(const CMS_SignerInfo *si, int loc);
+\& X509_ATTRIBUTE *CMS_signed_delete_attr(CMS_SignerInfo *si, int loc);
+\& int CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
+\& int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si,
+\& const ASN1_OBJECT *obj, int type,
+\& const void *bytes, int len);
+\& int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si,
+\& int nid, int type,
+\& const void *bytes, int len);
+\& int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
+\& const char *attrname, int type,
+\& const void *bytes, int len);
+\& void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
+\& const ASN1_OBJECT *oid,
+\& int lastpos, int type);
+\&
+\& int CMS_unsigned_get_attr_count(const CMS_SignerInfo *si);
+\& int CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid,
+\& int lastpos);
+\& int CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si,
+\& const ASN1_OBJECT *obj, int lastpos);
+\& X509_ATTRIBUTE *CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc);
+\& X509_ATTRIBUTE *CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc);
+\& int CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
+\& int CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si,
+\& const ASN1_OBJECT *obj, int type,
+\& const void *bytes, int len);
+\& int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si,
+\& int nid, int type,
+\& const void *bytes, int len);
+\& int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si,
+\& const char *attrname, int type,
+\& const void *bytes, int len);
+\& void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
+\& int lastpos, int type);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+CMS_signerInfo contains separate attribute lists for signed and unsigned
+attributes. Each \fBCMS_signed_XXX()\fR function is used for signed attributes, and
+each \fBCMS_unsigned_XXX()\fR function is used for unsigned attributes.
+Since the \fBCMS_unsigned_XXX()\fR functions work in the same way as the
+\&\fBCMS_signed_XXX()\fR equivalents, only the \fBCMS_signed_XXX()\fR functions are
+described below.
+.PP
+\&\fBCMS_signed_get_attr_by_OBJ()\fR finds the location of the first matching object
+\&\fIobj\fR in the SignerInfo's \fIsi\fR signed attribute list. The search starts at the
+position after \fIlastpos\fR. If the returned value is positive then it can be used
+on the next call to \fBCMS_signed_get_attr_by_OBJ()\fR as the value of \fIlastpos\fR in
+order to iterate through the remaining attributes. \fIlastpos\fR can be set to any
+negative value on the first call, in order to start searching from the start of
+the signed attribute list.
+.PP
+\&\fBCMS_signed_get_attr_by_NID()\fR is similar to \fBCMS_signed_get_attr_by_OBJ()\fR except
+that it passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBCMS_signed_get_attr()\fR returns the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in the
+\&\fIsi\fR signed attribute list. \fIloc\fR should be in the range from 0 to
+\&\fBCMS_signed_get_attr_count()\fR \- 1.
+.PP
+\&\fBCMS_signed_delete_attr()\fR removes the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in
+the \fIsi\fR signed attribute list. An error occurs if the \fIsi\fR attribute list
+is NULL.
+.PP
+\&\fBCMS_signed_add1_attr()\fR pushes a copy of the passed in \fBX509_ATTRIBUTE\fR object
+to the \fIsi\fR signed attribute list. A new signed attribute list is created if
+required. An error occurs if \fIattr\fR is NULL.
+.PP
+\&\fBCMS_signed_add1_attr_by_OBJ()\fR creates a new signed \fBX509_ATTRIBUTE\fR using
+\&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new
+\&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it
+to the \fIkey\fR object's attribute list.
+.PP
+\&\fBCMS_signed_add1_attr_by_NID()\fR is similar to \fBCMS_signed_add1_attr_by_OBJ()\fR except
+that it passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBCMS_signed_add1_attr_by_txt()\fR is similar to \fBCMS_signed_add1_attr_by_OBJ()\fR
+except that it passes a name \fIattrname\fR associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+.PP
+\&\fBCMS_signed_get0_data_by_OBJ()\fR finds the first attribute in a \fIsi\fR signed
+attributes list that matches the \fIobj\fR starting at index \fIlastpos\fR
+and returns the data retrieved from the found attributes first \fBASN1_TYPE\fR
+object. An error will occur if the attribute type \fItype\fR does not match the
+type of the \fBASN1_TYPE\fR object OR if \fItype\fR is either \fBV_ASN1_BOOLEAN\fR or
+\&\fBV_ASN1_NULL\fR OR the attribute is not found.
+If \fIlastpos\fR is less than \-1 then an error will occur if there are multiple
+objects in the signed attribute list that match \fIobj\fR.
+If \fIlastpos\fR is less than \-2 then an error will occur if there is more than
+one \fBASN1_TYPE\fR object in the found signed attribute.
+.PP
+Refer to \fBX509_ATTRIBUTE\fR\|(3) for information related to attributes.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+The \fBCMS_unsigned_XXX()\fR functions return values are similar to those of the
+equivalent \fBCMS_signed_XXX()\fR functions.
+.PP
+\&\fBCMS_signed_get_attr_count()\fR returns the number of signed attributes in the
+SignerInfo \fIsi\fR, or \-1 if the signed attribute list is NULL.
+.PP
+\&\fBCMS_signed_get_attr_by_OBJ()\fR returns \-1 if either the signed attribute list of
+\&\fIsi\fR is empty OR if \fIobj\fR is not found, otherwise it returns the location of
+the \fIobj\fR in the SignerInfo's \fIsi\fR signed attribute list.
+.PP
+\&\fBCMS_signed_get_attr_by_NID()\fR is similar to \fBCMS_signed_get_attr_by_OBJ()\fR except
+that it returns \-2 if the \fInid\fR is not known by OpenSSL.
+.PP
+\&\fBCMS_signed_get_attr()\fR returns either a signed \fBX509_ATTRIBUTE\fR or NULL on error.
+.PP
+\&\fBCMS_signed_delete_attr()\fR returns either the removed signed \fBX509_ATTRIBUTE\fR or
+NULL if there is a error.
+.PP
+\&\fBCMS_signed_add1_attr()\fR, \fBCMS_signed_add1_attr_by_OBJ()\fR,
+\&\fBCMS_signed_add1_attr_by_NID()\fR, \fBCMS_signed_add1_attr_by_txt()\fR,
+return 1 on success or 0 on error.
+.PP
+\&\fBCMS_signed_get0_data_by_OBJ()\fR returns the data retrieved from the found
+signed attributes first \fBASN1_TYPE\fR object, or NULL if an error occurs.
+.SH NOTES
+.IX Header "NOTES"
+Some attributes are added automatically during the signing process.
+.PP
+Calling \fBCMS_SignerInfo_sign()\fR adds the NID_pkcs9_signingTime signed
+attribute.
+.PP
+Calling \fBCMS_final()\fR, \fBCMS_final_digest()\fR or \fBCMS_dataFinal()\fR adds the
+NID_pkcs9_messageDigest signed attribute.
+.PP
+The NID_pkcs9_contentType signed attribute is always added if the
+NID_pkcs9_signingTime attribute is added.
+.PP
+Calling \fBCMS_sign_ex()\fR, \fBCMS_sign_receipt()\fR or \fBCMS_add1_signer()\fR may add
+attributes depending on the flags parameter. See \fBCMS_add1_signer\fR\|(3) for
+more information.
+.PP
+OpenSSL applies special rules for the following attribute NIDs:
+.IP "CMS Signed Attributes" 4
+.IX Item "CMS Signed Attributes"
+NID_pkcs9_contentType
+NID_pkcs9_messageDigest
+NID_pkcs9_signingTime
+.IP "ESS Signed Attributes" 4
+.IX Item "ESS Signed Attributes"
+NID_id_smime_aa_signingCertificate
+NID_id_smime_aa_signingCertificateV2
+NID_id_smime_aa_receiptRequest
+.IP "CMS Unsigned Attributes" 4
+.IX Item "CMS Unsigned Attributes"
+NID_pkcs9_countersignature
+.PP
+\&\fBCMS_signed_add1_attr()\fR, \fBCMS_signed_add1_attr_by_OBJ()\fR,
+\&\fBCMS_signed_add1_attr_by_NID()\fR, \fBCMS_signed_add1_attr_by_txt()\fR
+and the equivalent \fBCMS_unsigned_add1_attrXXX()\fR functions allow
+duplicate attributes to be added. The attribute rules are not checked
+during these function calls, and are deferred until the sign or verify process
+(i.e. during calls to any of \fBCMS_sign_ex()\fR, \fBCMS_sign()\fR, \fBCMS_sign_receipt()\fR,
+\&\fBCMS_add1_signer()\fR, \fBCMS_Final()\fR, \fBCMS_dataFinal()\fR, \fBCMS_final_digest()\fR,
+\&\fBCMS_verify()\fR, \fBCMS_verify_receipt()\fR or \fBCMS_SignedData_verify()\fR).
+.PP
+For CMS attribute rules see RFC 5652 Section 11.
+For ESS attribute rules see RFC 2634 Section 1.3.4 and RFC 5035 Section 5.4.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_ATTRIBUTE\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_uncompress.3 b/secure/lib/libcrypto/man/man3/CMS_uncompress.3
index 32db144dbedf..9cdb02e1dbea 100644
--- a/secure/lib/libcrypto/man/man3/CMS_uncompress.3
+++ b/secure/lib/libcrypto/man/man3/CMS_uncompress.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,92 +52,32 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_UNCOMPRESS 3ossl"
-.TH CMS_UNCOMPRESS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_UNCOMPRESS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_uncompress \- uncompress a CMS CompressedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_uncompress()\fR extracts and uncompresses the content from a \s-1CMS\s0
-CompressedData structure \fBcms\fR. \fBdata\fR is a \s-1BIO\s0 to write the content to and
+\&\fBCMS_uncompress()\fR extracts and uncompresses the content from a CMS
+CompressedData structure \fBcms\fR. \fBdata\fR is a BIO to write the content to and
\&\fBflags\fR is an optional set of flags.
.PP
The \fBdcont\fR parameter is used in the rare case where the compressed content
-is detached. It will normally be set to \s-1NULL.\s0
-.SH "NOTES"
+is detached. It will normally be set to NULL.
+.SH NOTES
.IX Header "NOTES"
The only currently supported compression algorithm is zlib: if the structure
indicates the use of any other algorithm an error is returned.
@@ -163,25 +87,25 @@ return an error.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_uncompress()\fR returns either 1 for success or 0 for failure. The error can
be obtained from \fBERR_get_error\fR\|(3)
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The lack of single pass processing and the need to hold all data in memory as
mentioned in \fBCMS_verify()\fR also applies to \fBCMS_decompress()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_compress\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_verify.3 b/secure/lib/libcrypto/man/man3/CMS_verify.3
index 7ec416584bf3..9972cbd4086f 100644
--- a/secure/lib/libcrypto/man/man3/CMS_verify.3
+++ b/secure/lib/libcrypto/man/man3/CMS_verify.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,127 +52,87 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_VERIFY 3ossl"
-.TH CMS_VERIFY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_VERIFY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-CMS_verify, CMS_get0_signers \- verify a CMS SignedData structure
-.SH "SYNOPSIS"
+.SH NAME
+CMS_verify, CMS_SignedData_verify,
+CMS_get0_signers \- verify a CMS SignedData structure
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store,
-\& BIO *indata, BIO *out, unsigned int flags);
+\& BIO *detached_data, BIO *out, unsigned int flags);
+\& BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data,
+\& STACK_OF(X509) *scerts, X509_STORE *store,
+\& STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls,
+\& unsigned int flags,
+\& OSSL_LIB_CTX *libctx, const char *propq);
\&
\& STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCMS_verify()\fR is very similar to \fBPKCS7_verify\fR\|(3). It verifies a
-\&\fB\s-1CMS\s0 SignedData\fR structure contained in a structure of type \fBCMS_ContentInfo\fR.
+\&\fBCMS SignedData\fR structure contained in a structure of type \fBCMS_ContentInfo\fR.
\&\fIcms\fR points to the \fBCMS_ContentInfo\fR structure to verify.
The optional \fIcerts\fR parameter refers to a set of certificates
in which to search for signing certificates.
-\&\fIcms\fR may contain extra untrusted \s-1CA\s0 certificates that may be used for
+It is also used
+as a source of untrusted intermediate CA certificates for chain building.
+\&\fIcms\fR may contain extra untrusted CA certificates that may be used for
chain building as well as CRLs that may be used for certificate validation.
-\&\fIstore\fR may be \s-1NULL\s0 or point to
+\&\fIstore\fR may be NULL or point to
the trusted certificate store to use for chain verification.
-\&\fIindata\fR refers to the signed data if the content is detached from \fIcms\fR.
-Otherwise \fIindata\fR should be \s-1NULL\s0 and the signed data must be in \fIcms\fR.
-The content is written to the \s-1BIO\s0 \fIout\fR unless it is \s-1NULL.\s0
+\&\fIdetached_data\fR refers to the signed data if the content is detached from \fIcms\fR.
+Otherwise \fIdetached_data\fR should be NULL and the signed data must be in \fIcms\fR.
+The content is written to the BIO \fIout\fR unless it is NULL.
\&\fIflags\fR is an optional set of flags, which can be used to modify the operation.
.PP
-\&\fBCMS_get0_signers()\fR retrieves the signing certificate(s) from \fIcms\fR, it may only
-be called after a successful \fBCMS_verify()\fR operation.
+\&\fBCMS_SignedData_verify()\fR is like \fBCMS_verify()\fR except that
+it operates on \fBCMS SignedData\fR input in the \fIsd\fR argument,
+it has some additional parameters described next,
+and on success it returns the verified content as a memory BIO.
+The optional \fIextra\fR parameter may be used to provide untrusted CA
+certificates that may be helpful for chain building in certificate validation.
+This list of certificates must not contain duplicates.
+The optional \fIcrls\fR parameter may be used to provide extra CRLs.
+Also the list of CRLs must not contain duplicates.
+The optional parameters library context \fIlibctx\fR and property query \fIpropq\fR
+are used when retrieving algorithms from providers.
+.PP
+\&\fBCMS_get0_signers()\fR retrieves the signing certificate(s) from \fIcms\fR; it may only
+be called after a successful \fBCMS_verify()\fR or \fBCMS_SignedData_verify()\fR operation.
.SH "VERIFY PROCESS"
.IX Header "VERIFY PROCESS"
Normally the verify process proceeds as follows.
.PP
Initially some sanity checks are performed on \fIcms\fR. The type of \fIcms\fR must
be SignedData. There must be at least one signature on the data and if
-the content is detached \fIindata\fR cannot be \s-1NULL.\s0
+the content is detached \fIdetached_data\fR cannot be NULL.
.PP
An attempt is made to locate all the signing certificate(s), first looking in
-the \fIcerts\fR parameter (if it is not \s-1NULL\s0) and then looking in any
-certificates contained in the \fIcms\fR structure unless \fB\s-1CMS_NOINTERN\s0\fR is set.
+the \fIcerts\fR parameter (if it is not NULL) and then looking in any
+certificates contained in the \fIcms\fR structure unless \fBCMS_NOINTERN\fR is set.
If any signing certificate cannot be located the operation fails.
.PP
Each signing certificate is chain verified using the \fIsmimesign\fR purpose and
using the trusted certificate store \fIstore\fR if supplied.
Any internal certificates in the message, which may have been added using
\&\fBCMS_add1_cert\fR\|(3), are used as untrusted CAs.
-If \s-1CRL\s0 checking is enabled in \fIstore\fR and \fB\s-1CMS_NOCRL\s0\fR is not set,
+If CRL checking is enabled in \fIstore\fR and \fBCMS_NOCRL\fR is not set,
any internal CRLs, which may have been added using \fBCMS_add1_crl\fR\|(3),
are used in addition to attempting to look them up in \fIstore\fR.
-If \fIstore\fR is not \s-1NULL\s0 and any chain verify fails an error code is returned.
+If \fIstore\fR is not NULL and any chain verify fails an error code is returned.
.PP
-Finally the signed content is read (and written to \fIout\fR unless it is \s-1NULL\s0)
+Finally the signed content is read (and written to \fIout\fR unless it is NULL)
and the signature is checked.
.PP
If all signatures verify correctly then the function is successful.
@@ -196,31 +140,31 @@ If all signatures verify correctly then the function is successful.
Any of the following flags (ored together) can be passed in the \fIflags\fR
parameter to change the default verify behaviour.
.PP
-If \fB\s-1CMS_NOINTERN\s0\fR is set the certificates in the message itself are not
+If \fBCMS_NOINTERN\fR is set the certificates in the message itself are not
searched when locating the signing certificate(s).
This means that all the signing certificates must be in the \fIcerts\fR parameter.
.PP
-If \fB\s-1CMS_NOCRL\s0\fR is set and \s-1CRL\s0 checking is enabled in \fIstore\fR then any
-CRLs in the message itself are ignored.
+If \fBCMS_NOCRL\fR is set and CRL checking is enabled in \fIstore\fR then any
+CRLs in the message itself and provided via the \fIcrls\fR parameter are ignored.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
-from the content. If the content is not of type \fBtext/plain\fR then an error is
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
+from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is
returned.
.PP
-If \fB\s-1CMS_NO_SIGNER_CERT_VERIFY\s0\fR is set the signing certificates are not
-chain verified, unless \fB\s-1CMS_CADES\s0\fR flag is also set.
+If \fBCMS_NO_SIGNER_CERT_VERIFY\fR is set the signing certificates are not
+chain verified, unless \fBCMS_CADES\fR flag is also set.
.PP
-If \fB\s-1CMS_NO_ATTR_VERIFY\s0\fR is set the signed attributes signature is not
-verified, unless \s-1CMS_CADES\s0 flag is also set.
+If \fBCMS_NO_ATTR_VERIFY\fR is set the signed attributes signature is not
+verified, unless CMS_CADES flag is also set.
.PP
-If \fB\s-1CMS_CADES\s0\fR is set, each signer certificate is checked against the
-\&\s-1ESS\s0 signingCertificate or \s-1ESS\s0 signingCertificateV2 extension
+If \fBCMS_CADES\fR is set, each signer certificate is checked against the
+ESS signingCertificate or ESS signingCertificateV2 extension
that is required in the signed attributes of the signature.
.PP
-If \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR is set then the content digest is not checked.
-.SH "NOTES"
+If \fBCMS_NO_CONTENT_VERIFY\fR is set then the content digest is not checked.
+.SH NOTES
.IX Header "NOTES"
-One application of \fB\s-1CMS_NOINTERN\s0\fR is to only accept messages signed by
+One application of \fBCMS_NOINTERN\fR is to only accept messages signed by
a small number of certificates. The acceptable certificates would be passed
in the \fIcerts\fR parameter. In this case if the signer certificate is not one
of the certificates supplied in \fIcerts\fR then the verify will fail because the
@@ -233,7 +177,7 @@ can be achieved by setting and verifying the signer certificates manually
using the signed data utility functions.
.PP
Care should be taken when modifying the default verify behaviour, for example
-setting \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR will totally disable all content verification
+setting \fBCMS_NO_CONTENT_VERIFY\fR will totally disable all content verification
and any modified content will be considered valid. This combination is however
useful if one merely wishes to write the content to \fIout\fR and its validity
is not considered important.
@@ -246,10 +190,13 @@ timestamp).
.IX Header "RETURN VALUES"
\&\fBCMS_verify()\fR returns 1 for a successful verification and 0 if an error occurred.
.PP
-\&\fBCMS_get0_signers()\fR returns all signers or \s-1NULL\s0 if an error occurred.
+\&\fBCMS_SignedData_verify()\fR returns a memory BIO containing the verified content,
+or NULL on error.
+.PP
+\&\fBCMS_get0_signers()\fR returns all signers or NULL if an error occurred.
.PP
-The error can be obtained from \fBERR_get_error\fR\|(3)
-.SH "BUGS"
+The error can be obtained from \fBERR_get_error\fR\|(3).
+.SH BUGS
.IX Header "BUGS"
The trusted certificate store is not searched for the signing certificate.
This is primarily due to the inadequacies of the current \fBX509_STORE\fR
@@ -262,11 +209,14 @@ be held in memory if it is not detached.
\&\fBPKCS7_verify\fR\|(3), \fBCMS_add1_cert\fR\|(3), \fBCMS_add1_crl\fR\|(3),
\&\fBOSSL_ESS_check_signing_certs\fR\|(3),
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBCMS_SignedData_verify()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2008\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3
index f3b2c63af7a1..58a7c2bedf10 100644
--- a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_VERIFY_RECEIPT 3ossl"
-.TH CMS_VERIFY_RECEIPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CMS_VERIFY_RECEIPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CMS_verify_receipt \- verify a CMS signed receipt
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -147,9 +71,9 @@ CMS_verify_receipt \- verify a CMS signed receipt
\& STACK_OF(X509) *certs, X509_STORE *store,
\& unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCMS_verify_receipt()\fR verifies a \s-1CMS\s0 signed receipt. \fBrcms\fR is the signed
+\&\fBCMS_verify_receipt()\fR verifies a CMS signed receipt. \fBrcms\fR is the signed
receipt to verify. \fBocms\fR is the original SignedData structure containing the
receipt request. \fBcerts\fR is a set of certificates in which to search for the
signing certificate. \fBstore\fR is a trusted certificate store (used for chain
@@ -157,10 +81,10 @@ verification).
.PP
\&\fBflags\fR is an optional set of flags, which can be used to modify the verify
operation.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This functions behaves in a similar way to \fBCMS_verify()\fR except the flag values
-\&\fB\s-1CMS_DETACHED\s0\fR, \fB\s-1CMS_BINARY\s0\fR, \fB\s-1CMS_TEXT\s0\fR and \fB\s-1CMS_STREAM\s0\fR are not
+\&\fBCMS_DETACHED\fR, \fBCMS_BINARY\fR, \fBCMS_TEXT\fR and \fBCMS_STREAM\fR are not
supported since they do not make sense in the context of signed receipts.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -173,11 +97,11 @@ The error can be obtained from \fBERR_get_error\fR\|(3)
\&\fBERR_get_error\fR\|(3),
\&\fBCMS_sign_receipt\fR\|(3),
\&\fBCMS_verify\fR\|(3),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/COMP_CTX_new.3 b/secure/lib/libcrypto/man/man3/COMP_CTX_new.3
new file mode 100644
index 000000000000..9f4c38ef2c76
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/COMP_CTX_new.3
@@ -0,0 +1,220 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "COMP_CTX_NEW 3ossl"
+.TH COMP_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+COMP_CTX_new,
+COMP_CTX_get_method,
+COMP_CTX_get_type,
+COMP_get_type,
+COMP_get_name,
+COMP_CTX_free,
+COMP_compress_block,
+COMP_expand_block,
+COMP_zlib,
+COMP_zlib_oneshot,
+COMP_brotli,
+COMP_brotli_oneshot,
+COMP_zstd,
+COMP_zstd_oneshot,
+BIO_f_zlib,
+BIO_f_brotli,
+BIO_f_zstd
+\&\- Compression support
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/comp.h>
+\&
+\& COMP_CTX *COMP_CTX_new(COMP_METHOD *meth);
+\& void COMP_CTX_free(COMP_CTX *ctx);
+\& const COMP_METHOD *COMP_CTX_get_method(const COMP_CTX *ctx);
+\& int COMP_CTX_get_type(const COMP_CTX* comp);
+\& int COMP_get_type(const COMP_METHOD *meth);
+\& const char *COMP_get_name(const COMP_METHOD *meth);
+\&
+\& int COMP_compress_block(COMP_CTX *ctx, unsigned char *out, int olen,
+\& unsigned char *in, int ilen);
+\& int COMP_expand_block(COMP_CTX *ctx, unsigned char *out, int olen,
+\& unsigned char *in, int ilen);
+\&
+\& COMP_METHOD *COMP_zlib(void);
+\& COMP_METHOD *COMP_zlib_oneshot(void);
+\& COMP_METHOD *COMP_brotli(void);
+\& COMP_METHOD *COMP_brotli_oneshot(void);
+\& COMP_METHOD *COMP_zstd(void);
+\& COMP_METHOD *COMP_zstd_oneshot(void);
+\&
+\& const BIO_METHOD *BIO_f_zlib(void);
+\& const BIO_METHOD *BIO_f_brotli(void);
+\& const BIO_METHOD *BIO_f_zstd(void);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These functions provide compression support for OpenSSL. Compression is used within
+the OpenSSL library to support TLS record and certificate compression.
+.PP
+\&\fBCOMP_CTX_new()\fR is used to create a new \fBCOMP_CTX\fR structure used to compress data.
+.PP
+\&\fBCOMP_CTX_free()\fR is used to free the returned \fBCOMP_CTX\fR.
+If the argument is NULL, nothing is done.
+.PP
+\&\fBCOMP_CTX_get_method()\fR returns the \fBCOMP_METHOD\fR of the given \fIctx\fR.
+.PP
+\&\fBCOMP_CTX_get_type()\fR and \fBCOMP_get_type()\fR return the NID for the \fBCOMP_CTX\fR and
+\&\fBCOMP_METHOD\fR, respectively. \fBCOMP_get_name()\fR returns the name of the algorithm
+of the given \fBCOMP_METHOD\fR.
+.PP
+\&\fBCOMP_compress_block()\fR compresses b<ilen> bytes from the buffer \fIin\fR into the
+buffer b<out> of size \fIolen\fR using the algorithm specified by \fIctx\fR.
+.PP
+\&\fBCOMP_expand_block()\fR expands \fIilen\fR bytes from the buffer \fIin\fR into the
+buffer \fIout\fR of size \fIolen\fR using the algorithm specified by \fIctx\fR.
+.PP
+Methods (\fBCOMP_METHOD\fR) may be specified by one of these functions. These functions
+will be available even if their corresponding compression algorithm is not configured
+into the OpenSSL library. In such a case, NULL will be returned.
+.IP \(bu 4
+\&\fBCOMP_zlib()\fR returns a \fBCOMP_METHOD\fR for stream-based ZLIB compression.
+.IP \(bu 4
+\&\fBCOMP_zlib_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot ZLIB compression.
+.IP \(bu 4
+\&\fBCOMP_brotli()\fR returns a \fBCOMP_METHOD\fR for stream-based Brotli compression.
+.IP \(bu 4
+\&\fBCOMP_brotli_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot Brotli compression.
+.IP \(bu 4
+\&\fBCOMP_zstd()\fR returns a \fBCOMP_METHOD\fR for stream-based Zstandard compression.
+.IP \(bu 4
+\&\fBCOMP_zstd_oneshot()\fR returns a \fBCOMP_METHOD\fR for one-shot Zstandard compression.
+.PP
+\&\fBBIO_f_zlib()\fR, \fBBIO_f_brotli()\fR \fBBIO_f_zstd()\fR each return a \fBBIO_METHOD\fR that may be used to
+create a \fBBIO\fR via \fBBIO_new\|(3)\fR to read and write compressed files or streams.
+The functions are only available if the corresponding algorithm is compiled into
+the OpenSSL library. NULL may be returned if the algorithm fails to load dynamically.
+.SH NOTES
+.IX Header "NOTES"
+While compressing non-compressible data, the output may be larger than the
+input. Care should be taken to size output buffers appropriate for both
+compression and expansion.
+.PP
+Compression support and compression algorithms must be enabled and built into
+the library before use. Refer to the INSTALL.md file when configuring OpenSSL.
+.PP
+ZLIB may be found at <https://zlib.net>
+.PP
+Brotli may be found at <https://github.com/google/brotli>.
+.PP
+Zstandard may be found at <https://github.com/facebook/zstd>.
+.PP
+Compression of SSL/TLS records is not recommended, as it has been
+shown to lead to the CRIME attack <https://en.wikipedia.org/wiki/CRIME>.
+It is disabled by default, and may be enabled by clearing the
+SSL_OP_NO_COMPRESSION option and setting the security level as appropriate.
+See the documentation for the \fBSSL_CTX_set_options\fR\|(3) and
+\&\fBSSL_set_options\fR\|(3) functions.
+.PP
+Compression is also used to support certificate compression as described
+in RFC8879 <https://datatracker.ietf.org/doc/html/rfc8879>.
+It may be disabled via the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION and
+SSL_OP_NO_RX_CERTIFICATE_COMPRESSION options of the
+\&\fBSSL_CTX_set_options\fR\|(3) or \fBSSL_set_options\fR\|(3) functions.
+.PP
+\&\fBCOMP_zlib()\fR, \fBCOMP_brotli()\fR and \fBCOMP_zstd()\fR are stream-based compression methods.
+Internal state (including compression dictionary) is maintained between calls.
+If an error is returned, the stream is corrupted, and should be closed.
+.PP
+\&\fBCOMP_zlib_oneshot()\fR, \fBCOMP_brotli_oneshot()\fR and \fBCOMP_zstd_oneshot()\fR are not stream-based. These
+methods do not maintain state between calls. An error in one call does not affect
+future calls.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBCOMP_CTX_new()\fR returns a \fBCOMP_CTX\fR on success, or NULL on failure.
+.PP
+\&\fBCOMP_CTX_get_method()\fR, \fBCOMP_zlib()\fR, \fBCOMP_zlib_oneshot()\fR, \fBCOMP_brotli()\fR, \fBCOMP_brotli_oneshot()\fR,
+\&\fBCOMP_zstd()\fR, and \fBCOMP_zstd_oneshot()\fR return a \fBCOMP_METHOD\fR on success,
+or NULL on failure.
+.PP
+\&\fBCOMP_CTX_get_type()\fR and \fBCOMP_get_type()\fR return a NID value. On failure,
+NID_undef is returned.
+.PP
+\&\fBCOMP_compress_block()\fR and \fBCOMP_expand_block()\fR return the number of
+bytes stored in the output buffer \fIout\fR. This may be 0. On failure,
+\&\-1 is returned.
+.PP
+\&\fBCOMP_get_name()\fR returns a \fBconst char *\fR that must not be freed
+on success, or NULL on failure.
+.PP
+\&\fBBIO_f_zlib()\fR, \fBBIO_f_brotli()\fR and \fBBIO_f_zstd()\fR return NULL on error, and
+a \fBBIO_METHOD\fR on success.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBBIO_new\fR\|(3), \fBSSL_CTX_set_options\fR\|(3), \fBSSL_set_options\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+Brotli and Zstandard functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_free.3 b/secure/lib/libcrypto/man/man3/CONF_modules_free.3
index e6d8da160892..de43e5168aa1 100644
--- a/secure/lib/libcrypto/man/man3/CONF_modules_free.3
+++ b/secure/lib/libcrypto/man/man3/CONF_modules_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONF_MODULES_FREE 3ossl"
-.TH CONF_MODULES_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CONF_MODULES_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CONF_modules_free, CONF_modules_finish, CONF_modules_unload \-
OpenSSL configuration cleanup functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
@@ -149,13 +73,13 @@ OpenSSL configuration cleanup functions
.Ve
.PP
The following functions have been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void CONF_modules_free(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBCONF_modules_free()\fR closes down and frees up all memory allocated by all
configuration modules. Normally, in versions of OpenSSL prior to 1.1.0,
@@ -175,15 +99,15 @@ None of the functions return a value.
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5), \fBOPENSSL_config\fR\|(3),
\&\fBCONF_modules_load_file_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBCONF_modules_free()\fR was deprecated in OpenSSL 1.1.0; do not use it.
For more information see \fBOPENSSL_init_crypto\fR\|(3).
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2004\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3
index 178b359462d5..0e3942009533 100644
--- a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3
+++ b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONF_MODULES_LOAD_FILE 3ossl"
-.TH CONF_MODULES_LOAD_FILE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CONF_MODULES_LOAD_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CONF_get1_default_config_file,
CONF_modules_load_file_ex, CONF_modules_load_file, CONF_modules_load
\&\- OpenSSL configuration functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
@@ -153,41 +77,41 @@ CONF_modules_load_file_ex, CONF_modules_load_file, CONF_modules_load
\& int CONF_modules_load(const CONF *cnf, const char *appname,
\& unsigned long flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBCONF_get1_default_config_file()\fR determines the default
configuration file pathname as follows.
-If the \fB\s-1OPENSSL_CONF\s0\fR environment variable is set its value is returned.
+If the \fBOPENSSL_CONF\fR environment variable is set its value is returned.
Else the function returns the path obtained using
\&\fBX509_get_default_cert_area\fR\|(3) with the filename \f(CW"openssl.cnf"\fR appended.
The caller is responsible for freeing any string returned.
.PP
The function \fBCONF_modules_load_file_ex()\fR configures OpenSSL using
library context \fBlibctx\fR file \fBfilename\fR and application name \fBappname\fR.
-If \fBfilename\fR is \s-1NULL\s0 the standard OpenSSL configuration file is used
+If \fBfilename\fR is NULL the standard OpenSSL configuration file is used
as determined by calling \fBCONF_get1_default_config_file()\fR.
-If \fBappname\fR is \s-1NULL\s0 the standard OpenSSL application name \fBopenssl_conf\fR is
+If \fBappname\fR is NULL the standard OpenSSL application name \fBopenssl_conf\fR is
used.
The behaviour can be customized using \fBflags\fR. Note that, the error suppressing
can be overridden by \fBconfig_diagnostics\fR as described in \fBconfig\fR\|(5).
.PP
\&\fBCONF_modules_load_file()\fR is the same as \fBCONF_modules_load_file_ex()\fR but
-has a \s-1NULL\s0 library context.
+has a NULL library context.
.PP
\&\fBCONF_modules_load()\fR is identical to \fBCONF_modules_load_file()\fR except it
reads configuration information from \fBcnf\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The following \fBflags\fR are currently recognized:
.PP
-If \fB\s-1CONF_MFLAGS_IGNORE_ERRORS\s0\fR is set errors returned by individual
+If \fBCONF_MFLAGS_IGNORE_ERRORS\fR is set errors returned by individual
configuration modules are ignored. If not set the first module error is
considered fatal and no further modules are loaded.
.PP
Normally any modules errors will add error information to the error queue. If
-\&\fB\s-1CONF_MFLAGS_SILENT\s0\fR is set no error information is added.
+\&\fBCONF_MFLAGS_SILENT\fR is set no error information is added.
.PP
-If \fB\s-1CONF_MFLAGS_IGNORE_RETURN_CODES\s0\fR is set the function unconditionally
+If \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR is set the function unconditionally
returns success.
This is used by default in \fBOPENSSL_init_crypto\fR\|(3) to ignore any errors in
the default system-wide configuration file, as having all OpenSSL applications
@@ -195,20 +119,20 @@ fail to start when there are potentially minor issues in the file is too risky.
Applications calling \fBCONF_modules_load_file_ex\fR explicitly should not
generally set this flag.
.PP
-If \fB\s-1CONF_MFLAGS_NO_DSO\s0\fR is set configuration module loading from DSOs is
+If \fBCONF_MFLAGS_NO_DSO\fR is set configuration module loading from DSOs is
disabled.
.PP
-\&\fB\s-1CONF_MFLAGS_IGNORE_MISSING_FILE\s0\fR if set will make \fBCONF_load_modules_file()\fR
+\&\fBCONF_MFLAGS_IGNORE_MISSING_FILE\fR if set will make \fBCONF_load_modules_file()\fR
ignore missing configuration files. Normally a missing configuration file
return an error.
.PP
-\&\fB\s-1CONF_MFLAGS_DEFAULT_SECTION\s0\fR if set and \fBappname\fR is not \s-1NULL\s0 will use the
+\&\fBCONF_MFLAGS_DEFAULT_SECTION\fR if set and \fBappname\fR is not NULL will use the
default section pointed to by \fBopenssl_conf\fR if \fBappname\fR does not exist.
.PP
By using \fBCONF_modules_load_file_ex()\fR with appropriate flags an
application can customise application configuration to best suit its needs.
In some cases the use of a configuration file is optional and its absence is not
-an error: in this case \fB\s-1CONF_MFLAGS_IGNORE_MISSING_FILE\s0\fR would be set.
+an error: in this case \fBCONF_MFLAGS_IGNORE_MISSING_FILE\fR would be set.
.PP
Errors during configuration may also be handled differently by different
applications. For example in some cases an error may simply print out a warning
@@ -223,7 +147,7 @@ treated.
These functions return 1 for success and a zero or negative value for
failure. If module errors are not ignored the return code will reflect the
return value of the failing module (this will always be zero or negative).
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
Load a configuration file and print out any errors and exit (missing file
considered fatal):
@@ -236,7 +160,7 @@ considered fatal):
\& }
.Ve
.PP
-Load default configuration file using the section indicated by \*(L"myapp\*(R",
+Load default configuration file using the section indicated by "myapp",
tolerate missing files, but exit on other errors:
.PP
.Vb 6
@@ -290,11 +214,11 @@ Load and parse configuration file manually, custom error handling:
\&\fBconfig\fR\|(5),
\&\fBOPENSSL_config\fR\|(3),
\&\fBNCONF_new_ex\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2004\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3
index 506a382db1d9..c655c14d10de 100644
--- a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3
+++ b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRYPTO_THREAD_RUN_ONCE 3ossl"
-.TH CRYPTO_THREAD_RUN_ONCE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CRYPTO_THREAD_RUN_ONCE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CRYPTO_THREAD_run_once,
CRYPTO_THREAD_lock_new, CRYPTO_THREAD_read_lock, CRYPTO_THREAD_write_lock,
CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free,
-CRYPTO_atomic_add, CRYPTO_atomic_or, CRYPTO_atomic_load \- OpenSSL thread support
-.SH "SYNOPSIS"
+CRYPTO_atomic_add, CRYPTO_atomic_add64, CRYPTO_atomic_and, CRYPTO_atomic_or,
+CRYPTO_atomic_load, CRYPTO_atomic_store, CRYPTO_atomic_load_int,
+OSSL_set_max_threads, OSSL_get_max_threads,
+OSSL_get_thread_support_flags, OSSL_THREAD_SUPPORT_FLAG_THREAD_POOL,
+OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN \- OpenSSL thread support
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -156,72 +84,137 @@ CRYPTO_atomic_add, CRYPTO_atomic_or, CRYPTO_atomic_load \- OpenSSL thread suppor
\& void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock);
\&
\& int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock);
+\& int CRYPTO_atomic_add64(uint64_t *val, uint64_t op, uint64_t *ret,
+\& CRYPTO_RWLOCK *lock);
+\& int CRYPTO_atomic_and(uint64_t *val, uint64_t op, uint64_t *ret,
+\& CRYPTO_RWLOCK *lock);
\& int CRYPTO_atomic_or(uint64_t *val, uint64_t op, uint64_t *ret,
\& CRYPTO_RWLOCK *lock);
\& int CRYPTO_atomic_load(uint64_t *val, uint64_t *ret, CRYPTO_RWLOCK *lock);
+\& int CRYPTO_atomic_store(uint64_t *dst, uint64_t val, CRYPTO_RWLOCK *lock);
+\& int CRYPTO_atomic_load_int(int *val, int *ret, CRYPTO_RWLOCK *lock);
+\&
+\& int OSSL_set_max_threads(OSSL_LIB_CTX *ctx, uint64_t max_threads);
+\& uint64_t OSSL_get_max_threads(OSSL_LIB_CTX *ctx);
+\& uint32_t OSSL_get_thread_support_flags(void);
+\&
+\& #define OSSL_THREAD_SUPPORT_FLAG_THREAD_POOL
+\& #define OSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
OpenSSL can be safely used in multi-threaded applications provided that
-support for the underlying \s-1OS\s0 threading \s-1API\s0 is built-in. Currently, OpenSSL
+support for the underlying OS threading API is built-in. Currently, OpenSSL
supports the pthread and Windows APIs. OpenSSL can also be built without
any multi-threading support, for example on platforms that don't provide
-any threading support or that provide a threading \s-1API\s0 that is not yet
+any threading support or that provide a threading API that is not yet
supported by OpenSSL.
.PP
The following multi-threading function are provided:
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCRYPTO_THREAD_run_once()\fR can be used to perform one-time initialization.
The \fIonce\fR argument must be a pointer to a static object of type
-\&\fB\s-1CRYPTO_ONCE\s0\fR that was statically initialized to the value
-\&\fB\s-1CRYPTO_ONCE_STATIC_INIT\s0\fR.
+\&\fBCRYPTO_ONCE\fR that was statically initialized to the value
+\&\fBCRYPTO_ONCE_STATIC_INIT\fR.
The \fIinit\fR argument is a pointer to a function that performs the desired
exactly once initialization.
In particular, this can be used to allocate locks in a thread-safe manner,
which can then be used with the locking functions below.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCRYPTO_THREAD_lock_new()\fR allocates, initializes and returns a new read/write
lock.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCRYPTO_THREAD_read_lock()\fR locks the provided \fIlock\fR for reading.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCRYPTO_THREAD_write_lock()\fR locks the provided \fIlock\fR for writing.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCRYPTO_THREAD_unlock()\fR unlocks the previously locked \fIlock\fR.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCRYPTO_THREAD_lock_free()\fR frees the provided \fIlock\fR.
-.IP "\(bu" 2
+If the argument is NULL, nothing is done.
+.IP \(bu 2
\&\fBCRYPTO_atomic_add()\fR atomically adds \fIamount\fR to \fI*val\fR and returns the
result of the operation in \fI*ret\fR. \fIlock\fR will be locked, unless atomic
operations are supported on the specific platform. Because of this, if a
variable is modified by \fBCRYPTO_atomic_add()\fR then \fBCRYPTO_atomic_add()\fR must
be the only way that the variable is modified. If atomic operations are not
-supported and \fIlock\fR is \s-1NULL,\s0 then the function will fail.
-.IP "\(bu" 2
+supported and \fIlock\fR is NULL, then the function will fail.
+.IP \(bu 2
+\&\fBCRYPTO_atomic_add64()\fR atomically adds \fIop\fR to \fI*val\fR and returns the
+result of the operation in \fI*ret\fR. \fIlock\fR will be locked, unless atomic
+operations are supported on the specific platform. Because of this, if a
+variable is modified by \fBCRYPTO_atomic_add64()\fR then \fBCRYPTO_atomic_add64()\fR must
+be the only way that the variable is modified. If atomic operations are not
+supported and \fIlock\fR is NULL, then the function will fail.
+.IP \(bu 2
+\&\fBCRYPTO_atomic_and()\fR performs an atomic bitwise and of \fIop\fR and \fI*val\fR and stores
+the result back in \fI*val\fR. It also returns the result of the operation in
+\&\fI*ret\fR. \fIlock\fR will be locked, unless atomic operations are supported on the
+specific platform. Because of this, if a variable is modified by
+\&\fBCRYPTO_atomic_and()\fR or read by \fBCRYPTO_atomic_load()\fR then \fBCRYPTO_atomic_and()\fR must
+be the only way that the variable is modified. If atomic operations are not
+supported and \fIlock\fR is NULL, then the function will fail.
+.IP \(bu 2
\&\fBCRYPTO_atomic_or()\fR performs an atomic bitwise or of \fIop\fR and \fI*val\fR and stores
the result back in \fI*val\fR. It also returns the result of the operation in
\&\fI*ret\fR. \fIlock\fR will be locked, unless atomic operations are supported on the
specific platform. Because of this, if a variable is modified by
\&\fBCRYPTO_atomic_or()\fR or read by \fBCRYPTO_atomic_load()\fR then \fBCRYPTO_atomic_or()\fR must
be the only way that the variable is modified. If atomic operations are not
-supported and \fIlock\fR is \s-1NULL,\s0 then the function will fail.
-.IP "\(bu" 2
+supported and \fIlock\fR is NULL, then the function will fail.
+.IP \(bu 2
\&\fBCRYPTO_atomic_load()\fR atomically loads the contents of \fI*val\fR into \fI*ret\fR.
\&\fIlock\fR will be locked, unless atomic operations are supported on the specific
platform. Because of this, if a variable is modified by \fBCRYPTO_atomic_or()\fR or
read by \fBCRYPTO_atomic_load()\fR then \fBCRYPTO_atomic_load()\fR must be the only way that
the variable is read. If atomic operations are not supported and \fIlock\fR is
-\&\s-1NULL,\s0 then the function will fail.
+NULL, then the function will fail.
+.IP \(bu 2
+\&\fBCRYPTO_atomic_store()\fR atomically stores the contents of \fIval\fR into \fI*dst\fR.
+\&\fIlock\fR will be locked, unless atomic operations are supported on the specific
+platform.
+.IP \(bu 2
+\&\fBCRYPTO_atomic_load_int()\fR works identically to \fBCRYPTO_atomic_load()\fR but operates
+on an \fIint\fR value instead of a \fIuint64_t\fR value.
+.IP \(bu 2
+\&\fBOSSL_set_max_threads()\fR sets the maximum number of threads to be used by the
+thread pool. If the argument is 0, thread pooling is disabled. OpenSSL will
+not create any threads and existing threads in the thread pool will be torn
+down. The maximum thread count is a limit, not a target. Threads will not be
+spawned unless (and until) there is demand. Thread polling is disabled by
+default. To enable threading you must call \fBOSSL_set_max_threads()\fR explicitly.
+Under no circumstances is this done for you.
+.IP \(bu 2
+\&\fBOSSL_get_thread_support_flags()\fR determines what thread pool functionality
+OpenSSL is compiled with and is able to support in the current run time
+environment. \fBOSSL_THREAD_SUPPORT_FLAG_THREAD_POOL\fR indicates that the base
+thread pool functionality is available, and
+\&\fBOSSL_THREAD_SUPPORT_FLAG_DEFAULT_SPAWN\fR indicates that the default thread pool
+model is available. The default thread pool model is currently the only model
+available, therefore both of these flags must be set for thread pool
+functionality to be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCRYPTO_THREAD_run_once()\fR returns 1 on success, or 0 on error.
.PP
-\&\fBCRYPTO_THREAD_lock_new()\fR returns the allocated lock, or \s-1NULL\s0 on error.
+\&\fBCRYPTO_THREAD_lock_new()\fR returns the allocated lock, or NULL on error.
.PP
\&\fBCRYPTO_THREAD_lock_free()\fR returns no value.
.PP
+\&\fBOSSL_set_max_threads()\fR returns 1 on success and 0 on failure. Returns failure
+if OpenSSL-managed thread pooling is not supported (for example, if it is not
+supported on the current platform, or because OpenSSL is not built with the
+necessary support).
+.PP
+\&\fBOSSL_get_max_threads()\fR returns the maximum number of threads currently allowed
+to be used by the thread pool. If thread pooling is disabled or not available,
+returns 0.
+.PP
+\&\fBOSSL_get_thread_support_flags()\fR returns zero or more \fBOSSL_THREAD_SUPPORT_FLAG\fR
+values.
+.PP
The other functions return 1 on success, or 0 on error.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
On Windows platforms the CRYPTO_THREAD_* types and functions in the
\&\fI<openssl/crypto.h>\fR header are dependent on some of the types
@@ -231,7 +224,7 @@ commonly as one of the first included headers. Therefore, it is defined as an
application developer's responsibility to include \fI<windows.h>\fR prior to
\&\fI<openssl/crypto.h>\fR where use of CRYPTO_THREAD_* types and functions is
required.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
You can find out if OpenSSL was configured with thread support:
.PP
@@ -276,10 +269,13 @@ This example safely initializes and uses a lock.
\& {
\& int ret = 0;
\&
-\& if (mylock()) {
-\& /* Your code here, do not return without releasing the lock! */
-\& ret = ... ;
+\& if (!mylock()) {
+\& /* Do not unlock unless the lock was successfully acquired. */
+\& return 0;
\& }
+\&
+\& /* Your code here, do not return without releasing the lock! */
+\& ret = ... ;
\& myunlock();
\& return ret;
\& }
@@ -288,16 +284,23 @@ This example safely initializes and uses a lock.
Finalization of locks is an advanced topic, not covered in this example.
This can only be done at process exit or when a dynamically loaded library is
no longer in use and is unloaded.
-The simplest solution is to just \*(L"leak\*(R" the lock in applications and not
+The simplest solution is to just "leak" the lock in applications and not
repeatedly load/unload shared libraries that allocate locks.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBopenssl\-threads\fR\|(7).
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBCRYPTO_atomic_load_int()\fR, \fBOSSL_set_max_threads()\fR, \fBOSSL_get_max_threads()\fR,
+\&\fBOSSL_get_thread_support_flags()\fR were added in OpenSSL 3.2.
+.PP
+\&\fBCRYPTO_atomic_store()\fR, \fBCRYPTO_atomic_add64()\fR, \fBCRYPTO_atomic_and()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3
index 697797bd3e6e..6088cde28c4b 100644
--- a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRYPTO_GET_EX_NEW_INDEX 3ossl"
-.TH CRYPTO_GET_EX_NEW_INDEX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CRYPTO_GET_EX_NEW_INDEX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CRYPTO_EX_new, CRYPTO_EX_free, CRYPTO_EX_dup,
CRYPTO_free_ex_index, CRYPTO_get_ex_new_index,
CRYPTO_alloc_ex_data, CRYPTO_set_ex_data, CRYPTO_get_ex_data,
CRYPTO_free_ex_data, CRYPTO_new_ex_data
\&\- functions supporting application\-specific data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -173,10 +97,10 @@ CRYPTO_free_ex_data, CRYPTO_new_ex_data
\&
\& int CRYPTO_free_ex_index(int class_index, int idx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Several OpenSSL structures can have application-specific data attached to them,
-known as \*(L"exdata.\*(R"
+known as "exdata."
The specific structures are:
.PP
.Vb 10
@@ -197,19 +121,19 @@ The specific structures are:
\& X509_STORE_CTX
.Ve
.PP
-In addition, the \fB\s-1APP\s0\fR name is reserved for use by application code.
+In addition, the \fBAPP\fR name is reserved for use by application code.
.PP
Each is identified by an \fBCRYPTO_EX_INDEX_xxx\fR define in the header file
-\&\fI<openssl/crypto.h>\fR. In addition, \fB\s-1CRYPTO_EX_INDEX_APP\s0\fR is reserved for
+\&\fI<openssl/crypto.h>\fR. In addition, \fBCRYPTO_EX_INDEX_APP\fR is reserved for
applications to use this facility for their own structures.
.PP
-The \s-1API\s0 described here is used by OpenSSL to manipulate exdata for specific
+The API described here is used by OpenSSL to manipulate exdata for specific
structures. Since the application data can be anything at all it is passed
and retrieved as a \fBvoid *\fR type.
.PP
-The \fB\s-1CRYPTO_EX_DATA\s0\fR type is opaque. To initialize the exdata part of
+The \fBCRYPTO_EX_DATA\fR type is opaque. To initialize the exdata part of
a structure, call \fBCRYPTO_new_ex_data()\fR. This is only necessary for
-\&\fB\s-1CRYPTO_EX_INDEX_APP\s0\fR objects.
+\&\fBCRYPTO_EX_INDEX_APP\fR objects.
.PP
Exdata types are identified by an \fBindex\fR, an integer guaranteed to be
unique within structures for the lifetime of the program. Applications
@@ -231,12 +155,12 @@ so that applications don't crash. Any existing exdata will be leaked.
.PP
To set or get the exdata on an object, the appropriate type-specific
routine must be used. This is because the containing structure is opaque
-and the \fB\s-1CRYPTO_EX_DATA\s0\fR field is not accessible. In both \s-1API\s0's, the
+and the \fBCRYPTO_EX_DATA\fR field is not accessible. In both API's, the
\&\fBidx\fR parameter should be an already-created index value.
.PP
When setting exdata, the pointer specified with a particular index is saved,
-and returned on a subsequent \*(L"get\*(R" call. If the application is going to
-release the data, it must make sure to set a \fB\s-1NULL\s0\fR value at the index,
+and returned on a subsequent "get" call. If the application is going to
+release the data, it must make sure to set a \fBNULL\fR value at the index,
to avoid likely double-free crashes.
.PP
The function \fBCRYPTO_free_ex_data\fR is used to free all exdata attached
@@ -247,34 +171,34 @@ structure's exdata field.
.SS "Callback Functions"
.IX Subsection "Callback Functions"
This section describes how the callback functions are used. Applications
-that are defining their own exdata using \fB\s-1CYPRTO_EX_INDEX_APP\s0\fR must
+that are defining their own exdata using \fBCYPRTO_EX_INDEX_APP\fR must
call them as described here.
.PP
When a structure is initially allocated (such as \fBRSA_new()\fR) then the
\&\fBnew_func()\fR is called for every defined index. There is no requirement
that the entire parent, or containing, structure has been set up.
The \fBnew_func()\fR is typically used only to allocate memory to store the
-exdata, and perhaps an \*(L"initialized\*(R" flag within that memory.
+exdata, and perhaps an "initialized" flag within that memory.
The exdata value may be allocated later on with \fBCRYPTO_alloc_ex_data()\fR,
or may be set by calling \fBCRYPTO_set_ex_data()\fR.
.PP
When a structure is free'd (such as \fBSSL_CTX_free()\fR) then the
\&\fBfree_func()\fR is called for every defined index. Again, the state of the
parent structure is not guaranteed. The \fBfree_func()\fR may be called with a
-\&\s-1NULL\s0 pointer.
+NULL pointer.
.PP
Both \fBnew_func()\fR and \fBfree_func()\fR take the same parameters.
The \fBparent\fR is the pointer to the structure that contains the exdata.
The \fBptr\fR is the current exdata item; for \fBnew_func()\fR this will typically
-be \s-1NULL.\s0 The \fBr\fR parameter is a pointer to the exdata field of the object.
+be NULL. The \fBr\fR parameter is a pointer to the exdata field of the object.
The \fBidx\fR is the index and is the value returned when the callbacks were
initially registered via \fBCRYPTO_get_ex_new_index()\fR and can be used if
the same callback handles different types of exdata.
.PP
\&\fBdup_func()\fR is called when a structure is being copied. This is only done
-for \fB\s-1SSL\s0\fR, \fB\s-1SSL_SESSION\s0\fR, \fB\s-1EC_KEY\s0\fR objects and \fB\s-1BIO\s0\fR chains via
+for \fBSSL\fR, \fBSSL_SESSION\fR, \fBEC_KEY\fR objects and \fBBIO\fR chains via
\&\fBBIO_dup_chain()\fR. The \fBto\fR and \fBfrom\fR parameters
-are pointers to the destination and source \fB\s-1CRYPTO_EX_DATA\s0\fR structures,
+are pointers to the destination and source \fBCRYPTO_EX_DATA\fR structures,
respectively. The \fB*from_d\fR parameter is a pointer to the source exdata.
When the \fBdup_func()\fR returns, the value in \fB*from_d\fR is copied to the
destination ex_data. If the pointer contained in \fB*pptr\fR is not modified
@@ -289,23 +213,23 @@ will fail.
\&\fBCRYPTO_free_ex_index()\fR, \fBCRYPTO_alloc_ex_data()\fR and \fBCRYPTO_set_ex_data()\fR
return 1 on success or 0 on failure.
.PP
-\&\fBCRYPTO_get_ex_data()\fR returns the application data or \s-1NULL\s0 on failure;
-note that \s-1NULL\s0 may be a valid value.
+\&\fBCRYPTO_get_ex_data()\fR returns the application data or NULL on failure;
+note that NULL may be a valid value.
.PP
\&\fBdup_func()\fR should return 0 for failure and 1 for success.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBCRYPTO_alloc_ex_data()\fR was added in OpenSSL 3.0.
.PP
The signature of the \fBdup_func()\fR callback was changed in OpenSSL 3.0 to use the
type \fBvoid **\fR for \fBfrom_d\fR. Previously this parameter was of type \fBvoid *\fR.
.PP
-Support for \s-1ENGINE\s0 \*(L"exdata\*(R" was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+Support for ENGINE "exdata" was deprecated in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3
index 64231ded501d..9ba5adbc381b 100644
--- a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3
+++ b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRYPTO_MEMCMP 3ossl"
-.TH CRYPTO_MEMCMP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CRYPTO_MEMCMP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CRYPTO_memcmp \- Constant time memory comparison
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& int CRYPTO_memcmp(const void *a, const void *b, size_t len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The CRYPTO_memcmp function compares the \fBlen\fR bytes pointed to by \fBa\fR and \fBb\fR
for equality.
@@ -155,15 +79,15 @@ contents of the memory regions pointed to by \fBa\fR and \fBb\fR.
.IX Header "RETURN VALUES"
\&\fBCRYPTO_memcmp()\fR returns 0 if the memory regions are equal and nonzero
otherwise.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Unlike \fBmemcmp\fR\|(2), this function cannot be used to order the two memory regions
as the return value when they differ is undefined, other than being nonzero.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3
index 1d93253b33ef..9701ac92dc66 100644
--- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3
+++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CTLOG_STORE_GET0_LOG_BY_ID 3ossl"
-.TH CTLOG_STORE_GET0_LOG_BY_ID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CTLOG_STORE_GET0_LOG_BY_ID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CTLOG_STORE_get0_log_by_id \-
Get a Certificate Transparency log from a CTLOG_STORE
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -148,31 +72,31 @@ Get a Certificate Transparency log from a CTLOG_STORE
\& const uint8_t *log_id,
\& size_t log_id_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A Signed Certificate Timestamp (\s-1SCT\s0) identifies the Certificate Transparency
-(\s-1CT\s0) log that issued it using the log's LogID (see \s-1RFC 6962,\s0 Section 3.2).
+A Signed Certificate Timestamp (SCT) identifies the Certificate Transparency
+(CT) log that issued it using the log's LogID (see RFC 6962, Section 3.2).
Therefore, it is useful to be able to look up more information about a log
(e.g. its public key) using this LogID.
.PP
-\&\fBCTLOG_STORE_get0_log_by_id()\fR provides a way to do this. It will find a \s-1CTLOG\s0
-in a \s-1CTLOG_STORE\s0 that has a given LogID.
+\&\fBCTLOG_STORE_get0_log_by_id()\fR provides a way to do this. It will find a CTLOG
+in a CTLOG_STORE that has a given LogID.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCTLOG_STORE_get0_log_by_id\fR returns a \s-1CTLOG\s0 with the given LogID, if it
-exists in the given \s-1CTLOG_STORE,\s0 otherwise it returns \s-1NULL.\s0
+\&\fBCTLOG_STORE_get0_log_by_id\fR returns a CTLOG with the given LogID, if it
+exists in the given CTLOG_STORE, otherwise it returns NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBCTLOG_STORE_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBCTLOG_STORE_get0_log_by_id()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3
index 5cc40e9f3ec8..7e32bf774f0f 100644
--- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3
+++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CTLOG_STORE_NEW 3ossl"
-.TH CTLOG_STORE_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CTLOG_STORE_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CTLOG_STORE_new_ex,
CTLOG_STORE_new, CTLOG_STORE_free,
CTLOG_STORE_load_default_file, CTLOG_STORE_load_file \-
Create and populate a Certificate Transparency log list
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -153,25 +77,25 @@ Create and populate a Certificate Transparency log list
\& int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
\& int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A \s-1CTLOG_STORE\s0 is a container for a list of CTLOGs (Certificate Transparency
+A CTLOG_STORE is a container for a list of CTLOGs (Certificate Transparency
logs). The list can be loaded from one or more files and then searched by LogID
-(see \s-1RFC 6962,\s0 Section 3.2, for the definition of a LogID).
+(see RFC 6962, Section 3.2, for the definition of a LogID).
.PP
-\&\fBCTLOG_STORE_new_ex()\fR creates an empty list of \s-1CT\s0 logs associated with
+\&\fBCTLOG_STORE_new_ex()\fR creates an empty list of CT logs associated with
the library context \fIlibctx\fR and the property query string \fIpropq\fR.
.PP
\&\fBCTLOG_STORE_new()\fR does the same thing as \fBCTLOG_STORE_new_ex()\fR but with
the default library context and property query string.
.PP
-The \s-1CTLOG_STORE\s0 is then populated by \fBCTLOG_STORE_load_default_file()\fR or
+The CTLOG_STORE is then populated by \fBCTLOG_STORE_load_default_file()\fR or
\&\fBCTLOG_STORE_load_file()\fR. \fBCTLOG_STORE_load_default_file()\fR loads from the default
-file, which is named \fIct_log_list.cnf\fR in \s-1OPENSSLDIR\s0 (see the output of
+file, which is named \fIct_log_list.cnf\fR in OPENSSLDIR (see the output of
\&\fBopenssl\-version\fR\|(1)). This can be overridden using an environment variable
-named \fB\s-1CTLOG_FILE\s0\fR. \fBCTLOG_STORE_load_file()\fR loads from a caller-specified file
-path instead. Both of these functions append any loaded \s-1CT\s0 logs to the
-\&\s-1CTLOG_STORE.\s0
+named \fBCTLOG_FILE\fR. \fBCTLOG_STORE_load_file()\fR loads from a caller-specified file
+path instead. Both of these functions append any loaded CT logs to the
+CTLOG_STORE.
.PP
The expected format of the file is:
.PP
@@ -187,32 +111,32 @@ The expected format of the file is:
\& key = <base64\-encoded DER SubjectPublicKeyInfo here>
.Ve
.PP
-Once a \s-1CTLOG_STORE\s0 is no longer required, it should be passed to
+Once a CTLOG_STORE is no longer required, it should be passed to
\&\fBCTLOG_STORE_free()\fR. This will delete all of the CTLOGs stored within, along
-with the \s-1CTLOG_STORE\s0 itself.
-.SH "NOTES"
+with the CTLOG_STORE itself. If the argument is NULL, nothing is done.
+.SH NOTES
.IX Header "NOTES"
-If there are any invalid \s-1CT\s0 logs in a file, they are skipped and the remaining
-valid logs will still be added to the \s-1CTLOG_STORE. A CT\s0 log will be considered
-invalid if it is missing a \*(L"key\*(R" or \*(L"description\*(R" field.
+If there are any invalid CT logs in a file, they are skipped and the remaining
+valid logs will still be added to the CTLOG_STORE. A CT log will be considered
+invalid if it is missing a "key" or "description" field.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Both \fBCTLOG_STORE_load_default_file\fR and \fBCTLOG_STORE_load_file\fR return 1 if
-all \s-1CT\s0 logs in the file are successfully parsed and loaded, 0 otherwise.
+all CT logs in the file are successfully parsed and loaded, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBCTLOG_STORE_get0_log_by_id\fR\|(3),
\&\fBSSL_CTX_set_ctlog_list_file\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
CTLOG_STORE_new_ex was added in OpenSSL 3.0. All other functions were
added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CTLOG_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_new.3
index c017d003a7f1..72990bafc3df 100644
--- a/secure/lib/libcrypto/man/man3/CTLOG_new.3
+++ b/secure/lib/libcrypto/man/man3/CTLOG_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CTLOG_NEW 3ossl"
-.TH CTLOG_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CTLOG_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CTLOG_new_ex, CTLOG_new, CTLOG_new_from_base64,
CTLOG_new_from_base64_ex, CTLOG_free,
CTLOG_get0_name, CTLOG_get0_log_id, CTLOG_get0_public_key \-
encapsulates information about a Certificate Transparency log
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -161,10 +85,10 @@ encapsulates information about a Certificate Transparency log
\& size_t *log_id_len);
\& EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBCTLOG_new_ex()\fR returns a new \s-1CTLOG\s0 that represents the Certificate
-Transparency (\s-1CT\s0) log with the given public key and associates it with the
+\&\fBCTLOG_new_ex()\fR returns a new CTLOG that represents the Certificate
+Transparency (CT) log with the given public key and associates it with the
library context \fIlibctx\fR and property query string \fIpropq\fR. A name must also
be provided that can be used to help users identify this log. Ownership of the
public key is transferred.
@@ -172,9 +96,9 @@ public key is transferred.
\&\fBCTLOG_new()\fR does the same thing as \fBCTLOG_new_ex()\fR but with the default
library context and the default property query string.
.PP
-\&\fBCTLOG_new_from_base64_ex()\fR also creates a new \s-1CTLOG,\s0 but takes the
-public key in base64\-encoded \s-1DER\s0 form and sets the ct_log pointer to point to
-the new \s-1CTLOG.\s0 The base64 will be decoded and the public key parsed. The \s-1CTLOG\s0
+\&\fBCTLOG_new_from_base64_ex()\fR also creates a new CTLOG, but takes the
+public key in base64\-encoded DER form and sets the ct_log pointer to point to
+the new CTLOG. The base64 will be decoded and the public key parsed. The CTLOG
will be associated with the given library context \fIlibctx\fR and property query
string \fIpropq\fR.
.PP
@@ -183,37 +107,37 @@ string \fIpropq\fR.
property query string are used.
.PP
Regardless of whether \fBCTLOG_new()\fR or \fBCTLOG_new_from_base64()\fR is used, it is the
-caller's responsibility to pass the \s-1CTLOG\s0 to \fBCTLOG_free()\fR once it is no longer
-needed. This will delete it and, if created by \fBCTLOG_new()\fR, the \s-1EVP_PKEY\s0 that
-was passed to it.
+caller's responsibility to pass the CTLOG to \fBCTLOG_free()\fR once it is no longer
+needed. This will delete it and, if created by \fBCTLOG_new()\fR, the EVP_PKEY that
+was passed to it. If the argument to \fBCTLOG_free()\fR is NULL, nothing is done.
.PP
-\&\fBCTLOG_get0_name()\fR returns the name of the log, as provided when the \s-1CTLOG\s0 was
-created. Ownership of the string remains with the \s-1CTLOG.\s0
+\&\fBCTLOG_get0_name()\fR returns the name of the log, as provided when the CTLOG was
+created. Ownership of the string remains with the CTLOG.
.PP
\&\fBCTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log's
-LogID (see \s-1RFC 6962\s0). It sets *log_id_len to the length of that LogID. For a
-v1 \s-1CT\s0 log, the LogID will be a \s-1SHA\-256\s0 hash (i.e. 32 bytes long). Ownership of
-the string remains with the \s-1CTLOG.\s0
+LogID (see RFC 6962). It sets *log_id_len to the length of that LogID. For a
+v1 CT log, the LogID will be a SHA\-256 hash (i.e. 32 bytes long). Ownership of
+the string remains with the CTLOG.
.PP
-\&\fBCTLOG_get0_public_key()\fR returns the public key of the \s-1CT\s0 log. Ownership of the
-\&\s-1EVP_PKEY\s0 remains with the \s-1CTLOG.\s0
+\&\fBCTLOG_get0_public_key()\fR returns the public key of the CT log. Ownership of the
+EVP_PKEY remains with the CTLOG.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBCTLOG_new()\fR will return \s-1NULL\s0 if an error occurs.
+\&\fBCTLOG_new()\fR will return NULL if an error occurs.
.PP
\&\fBCTLOG_new_from_base64()\fR will return 1 on success, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBCTLOG_new_ex()\fR and \fBCTLOG_new_from_base64_ex()\fR
were added in OpenSSL 3.0. All other functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3
index aaf9bb4c73d4..ccec4529346b 100644
--- a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CT_POLICY_EVAL_CTX_NEW 3ossl"
-.TH CT_POLICY_EVAL_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CT_POLICY_EVAL_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CT_POLICY_EVAL_CTX_new_ex,
CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free,
CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert,
@@ -144,7 +68,7 @@ CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer,
CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE,
CT_POLICY_EVAL_CTX_get_time, CT_POLICY_EVAL_CTX_set_time \-
Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -163,20 +87,20 @@ Encapsulates the data required to evaluate whether SCTs meet a Certificate Trans
\& uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
\& void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A \fB\s-1CT_POLICY_EVAL_CTX\s0\fR is used by functions that evaluate whether Signed
-Certificate Timestamps (SCTs) fulfil a Certificate Transparency (\s-1CT\s0) policy.
-This policy may be, for example, that at least one valid \s-1SCT\s0 is available. To
-determine this, an \s-1SCT\s0's timestamp and signature must be verified.
+A \fBCT_POLICY_EVAL_CTX\fR is used by functions that evaluate whether Signed
+Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy.
+This policy may be, for example, that at least one valid SCT is available. To
+determine this, an SCT's timestamp and signature must be verified.
This requires:
-.IP "\(bu" 2
-the public key of the log that issued the \s-1SCT\s0
-.IP "\(bu" 2
-the certificate that the \s-1SCT\s0 was issued for
-.IP "\(bu" 2
-the issuer certificate (if the \s-1SCT\s0 was issued for a pre-certificate)
-.IP "\(bu" 2
+.IP \(bu 2
+the public key of the log that issued the SCT
+.IP \(bu 2
+the certificate that the SCT was issued for
+.IP \(bu 2
+the issuer certificate (if the SCT was issued for a pre-certificate)
+.IP \(bu 2
the current time
.PP
The above requirements are met using the setters described below.
@@ -189,56 +113,57 @@ string \fIpropq\fR.
\&\fBCT_POLICY_EVAL_CTX_new_ex()\fR except that it uses the default library
context and property query string.
.PP
-The \s-1CT_POLICY_EVAL_CTX\s0 should then be populated using:
-.IP "\(bu" 2
+The CT_POLICY_EVAL_CTX should then be populated using:
+.IP \(bu 2
\&\fBCT_POLICY_EVAL_CTX_set1_cert()\fR to provide the certificate the SCTs were issued for
.Sp
Increments the reference count of the certificate.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCT_POLICY_EVAL_CTX_set1_issuer()\fR to provide the issuer certificate
.Sp
Increments the reference count of the certificate.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBCT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE()\fR to provide a list of logs that are trusted as sources of SCTs
.Sp
-Holds a pointer to the \s-1CTLOG_STORE,\s0 so the \s-1CTLOG_STORE\s0 must outlive the
-\&\s-1CT_POLICY_EVAL_CTX.\s0
-.IP "\(bu" 2
+Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the
+CT_POLICY_EVAL_CTX.
+.IP \(bu 2
\&\fBCT_POLICY_EVAL_CTX_set_time()\fR to set the time SCTs should be compared with to determine if they are valid
.Sp
-The \s-1SCT\s0 timestamp will be compared to this time to check whether the \s-1SCT\s0 was
-issued in the future. \s-1RFC6962\s0 states that \*(L"\s-1TLS\s0 clients \s-1MUST\s0 reject SCTs whose
-timestamp is in the future\*(R". By default, this will be set to 5 minutes in the
+The SCT timestamp will be compared to this time to check whether the SCT was
+issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose
+timestamp is in the future". By default, this will be set to 5 minutes in the
future (e.g. (\fBtime()\fR + 300) * 1000), to allow for clock drift.
.Sp
The time should be in milliseconds since the Unix Epoch.
.PP
Each setter has a matching getter for accessing the current value.
.PP
-When no longer required, the \fB\s-1CT_POLICY_EVAL_CTX\s0\fR should be passed to
-\&\fBCT_POLICY_EVAL_CTX_free()\fR to delete it.
-.SH "NOTES"
+When no longer required, the \fBCT_POLICY_EVAL_CTX\fR should be passed to
+\&\fBCT_POLICY_EVAL_CTX_free()\fR to delete it. If the argument to
+\&\fBCT_POLICY_EVAL_CTX_free()\fR is NULL, nothing is done.
+.SH NOTES
.IX Header "NOTES"
The issuer certificate only needs to be provided if at least one of the SCTs
was issued for a pre-certificate. This will be the case for SCTs embedded in a
certificate (i.e. those in an X.509 extension), but may not be the case for SCTs
-found in the \s-1TLS SCT\s0 extension or \s-1OCSP\s0 response.
+found in the TLS SCT extension or OCSP response.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCT_POLICY_EVAL_CTX_new_ex()\fR and \fBCT_POLICY_EVAL_CTX_new()\fR will return
-\&\s-1NULL\s0 if malloc fails.
+NULL if malloc fails.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
CT_POLICY_EVAL_CTX_new_ex was added in OpenSSL 3.0. All other
functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3
index 118c17dc2ff4..360ef03eee41 100644
--- a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3
+++ b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DEFINE_STACK_OF 3ossl"
-.TH DEFINE_STACK_OF 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DEFINE_STACK_OF 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DEFINE_STACK_OF, DEFINE_STACK_OF_CONST, DEFINE_SPECIAL_STACK_OF,
DEFINE_SPECIAL_STACK_OF_CONST,
sk_TYPE_num, sk_TYPE_value, sk_TYPE_new, sk_TYPE_new_null,
@@ -154,7 +78,7 @@ OPENSSL_sk_pop_free, OPENSSL_sk_push, OPENSSL_sk_reserve, OPENSSL_sk_set,
OPENSSL_sk_set_cmp_func, OPENSSL_sk_shift, OPENSSL_sk_sort,
OPENSSL_sk_unshift, OPENSSL_sk_value, OPENSSL_sk_zero
\&\- stack container
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/safestack.h>
@@ -174,8 +98,8 @@ OPENSSL_sk_unshift, OPENSSL_sk_value, OPENSSL_sk_zero
\& STACK_OF(TYPE) *sk_TYPE_new(sk_TYPE_compfunc compare);
\& STACK_OF(TYPE) *sk_TYPE_new_null(void);
\& int sk_TYPE_reserve(STACK_OF(TYPE) *sk, int n);
-\& void sk_TYPE_free(const STACK_OF(TYPE) *sk);
-\& void sk_TYPE_zero(const STACK_OF(TYPE) *sk);
+\& void sk_TYPE_free(STACK_OF(TYPE) *sk);
+\& void sk_TYPE_zero(STACK_OF(TYPE) *sk);
\& TYPE *sk_TYPE_delete(STACK_OF(TYPE) *sk, int i);
\& TYPE *sk_TYPE_delete_ptr(STACK_OF(TYPE) *sk, TYPE *ptr);
\& int sk_TYPE_push(STACK_OF(TYPE) *sk, const TYPE *ptr);
@@ -198,26 +122,26 @@ OPENSSL_sk_unshift, OPENSSL_sk_value, OPENSSL_sk_zero
\& sk_TYPE_compfunc compare));
\& STACK_OF(TYPE) *sk_TYPE_new_reserve(sk_TYPE_compfunc compare, int n);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Applications can create and use their own stacks by placing any of the macros
described below in a header file. These macros define typesafe inline
-functions that wrap around the utility \fBOPENSSL_sk_\fR \s-1API.\s0
-In the description here, \fB\f(BI\s-1TYPE\s0\fB\fR is used
+functions that wrap around the utility \fBOPENSSL_sk_\fR API.
+In the description here, \fR\f(BITYPE\fR\fB\fR is used
as a placeholder for any of the OpenSSL datatypes, such as \fBX509\fR.
.PP
-The \s-1\fBSTACK_OF\s0()\fR macro returns the name for a stack of the specified \fB\f(BI\s-1TYPE\s0\fB\fR.
+The \fBSTACK_OF()\fR macro returns the name for a stack of the specified \fR\f(BITYPE\fR\fB\fR.
This is an opaque pointer to a structure declaration.
This can be used in every header file that references the stack.
-There are several \fB\s-1DEFINE...\s0\fR macros that create static inline functions
+There are several \fBDEFINE...\fR macros that create static inline functions
for all of the functions described on this page.
This should normally be used in one source file, and the stack manipulation
is wrapped with application-specific functions.
.PP
-\&\s-1\fBDEFINE_STACK_OF\s0()\fR creates set of functions for a stack of \fB\f(BI\s-1TYPE\s0\fB\fR elements.
+\&\fBDEFINE_STACK_OF()\fR creates set of functions for a stack of \fR\f(BITYPE\fR\fB\fR elements.
The type is referenced by
-\&\fB\s-1STACK_OF\s0\fR(\fB\f(BI\s-1TYPE\s0\fB\fR) and each function name begins with \fBsk_\f(BI\s-1TYPE\s0\fB_\fR.
-\&\s-1\fBDEFINE_STACK_OF_CONST\s0()\fR is identical to \s-1\fBDEFINE_STACK_OF\s0()\fR except
+\&\fBSTACK_OF\fR(\fB\fR\f(BITYPE\fR\fB\fR) and each function name begins with \fBsk_\fR\f(BITYPE\fR\fB_\fR.
+\&\fBDEFINE_STACK_OF_CONST()\fR is identical to \fBDEFINE_STACK_OF()\fR except
each element is constant.
.PP
.Vb 4
@@ -227,8 +151,8 @@ each element is constant.
\& const TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx);
.Ve
.PP
-\&\s-1\fBDEFINE_SPECIAL_STACK_OF\s0()\fR and \s-1\fBDEFINE_SPECIAL_STACK_OF_CONST\s0()\fR are similar
-except \fB\s-1FUNCNAME\s0\fR is used in the function names:
+\&\fBDEFINE_SPECIAL_STACK_OF()\fR and \fBDEFINE_SPECIAL_STACK_OF_CONST()\fR are similar
+except \fBFUNCNAME\fR is used in the function names:
.PP
.Vb 4
\& /* DEFINE_SPECIAL_STACK_OF(TYPE, FUNCNAME) */
@@ -237,124 +161,121 @@ except \fB\s-1FUNCNAME\s0\fR is used in the function names:
\& const TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx);
.Ve
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_num\fR() returns the number of elements in \fIsk\fR or \-1 if \fIsk\fR is
-\&\s-1NULL.\s0
+\&\fBsk_\fR\f(BITYPE\fR\fB_num\fR() returns the number of elements in \fIsk\fR or \-1 if \fIsk\fR is
+NULL.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_value\fR() returns element \fIidx\fR in \fIsk\fR, where \fIidx\fR starts at
-zero. If \fIidx\fR is out of range then \s-1NULL\s0 is returned.
+\&\fBsk_\fR\f(BITYPE\fR\fB_value\fR() returns element \fIidx\fR in \fIsk\fR, where \fIidx\fR starts at
+zero. If \fIidx\fR is out of range then NULL is returned.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_new\fR() allocates a new empty stack using comparison function
-\&\fIcompare\fR. If \fIcompare\fR is \s-1NULL\s0 then no comparison function is used. This
-function is equivalent to \fBsk_\f(BI\s-1TYPE\s0\fB_new_reserve\fR(\fIcompare\fR, 0).
+\&\fBsk_\fR\f(BITYPE\fR\fB_new\fR() allocates a new empty stack using comparison function
+\&\fIcompare\fR. If \fIcompare\fR is NULL then no comparison function is used. This
+function is equivalent to \fBsk_\fR\f(BITYPE\fR\fB_new_reserve\fR(\fIcompare\fR, 0).
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_new_null\fR() allocates a new empty stack with no comparison
-function. This function is equivalent to \fBsk_\f(BI\s-1TYPE\s0\fB_new_reserve\fR(\s-1NULL, 0\s0).
+\&\fBsk_\fR\f(BITYPE\fR\fB_new_null\fR() allocates a new empty stack with no comparison
+function. This function is equivalent to \fBsk_\fR\f(BITYPE\fR\fB_new_reserve\fR(NULL, 0).
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_reserve\fR() allocates additional memory in the \fIsk\fR structure
-such that the next \fIn\fR calls to \fBsk_\f(BI\s-1TYPE\s0\fB_insert\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_push\fR()
-or \fBsk_\f(BI\s-1TYPE\s0\fB_unshift\fR() will not fail or cause memory to be allocated
+\&\fBsk_\fR\f(BITYPE\fR\fB_reserve\fR() allocates additional memory in the \fIsk\fR structure
+such that the next \fIn\fR calls to \fBsk_\fR\f(BITYPE\fR\fB_insert\fR(), \fBsk_\fR\f(BITYPE\fR\fB_push\fR()
+or \fBsk_\fR\f(BITYPE\fR\fB_unshift\fR() will not fail or cause memory to be allocated
or reallocated. If \fIn\fR is zero, any excess space allocated in the
\&\fIsk\fR structure is freed. On error \fIsk\fR is unchanged.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_new_reserve\fR() allocates a new stack. The new stack will have
+\&\fBsk_\fR\f(BITYPE\fR\fB_new_reserve\fR() allocates a new stack. The new stack will have
additional memory allocated to hold \fIn\fR elements if \fIn\fR is positive.
-The next \fIn\fR calls to \fBsk_\f(BI\s-1TYPE\s0\fB_insert\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_push\fR() or
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_unshift\fR() will not fail or cause memory to be allocated or
+The next \fIn\fR calls to \fBsk_\fR\f(BITYPE\fR\fB_insert\fR(), \fBsk_\fR\f(BITYPE\fR\fB_push\fR() or
+\&\fBsk_\fR\f(BITYPE\fR\fB_unshift\fR() will not fail or cause memory to be allocated or
reallocated. If \fIn\fR is zero or less than zero, no memory is allocated.
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_new_reserve\fR() also sets the comparison function \fIcompare\fR
-to the newly created stack. If \fIcompare\fR is \s-1NULL\s0 then no comparison
+\&\fBsk_\fR\f(BITYPE\fR\fB_new_reserve\fR() also sets the comparison function \fIcompare\fR
+to the newly created stack. If \fIcompare\fR is NULL then no comparison
function is used.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_set_cmp_func\fR() sets the comparison function of \fIsk\fR to
-\&\fIcompare\fR. The previous comparison function is returned or \s-1NULL\s0 if there
+\&\fBsk_\fR\f(BITYPE\fR\fB_set_cmp_func\fR() sets the comparison function of \fIsk\fR to
+\&\fIcompare\fR. The previous comparison function is returned or NULL if there
was no previous comparison function.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_free\fR() frees up the \fIsk\fR structure. It does \fInot\fR free up any
+\&\fBsk_\fR\f(BITYPE\fR\fB_free\fR() frees up the \fIsk\fR structure. It does \fInot\fR free up any
elements of \fIsk\fR. After this call \fIsk\fR is no longer valid.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_zero\fR() sets the number of elements in \fIsk\fR to zero. It does not
+\&\fBsk_\fR\f(BITYPE\fR\fB_zero\fR() sets the number of elements in \fIsk\fR to zero. It does not
free \fIsk\fR so after this call \fIsk\fR is still valid.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_pop_free\fR() frees up all elements of \fIsk\fR and \fIsk\fR itself. The
+\&\fBsk_\fR\f(BITYPE\fR\fB_pop_free\fR() frees up all elements of \fIsk\fR and \fIsk\fR itself. The
free function \fBfreefunc()\fR is called on each element to free it.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_delete\fR() deletes element \fIi\fR from \fIsk\fR. It returns the deleted
-element or \s-1NULL\s0 if \fIi\fR is out of range.
+\&\fBsk_\fR\f(BITYPE\fR\fB_delete\fR() deletes element \fIi\fR from \fIsk\fR. It returns the deleted
+element or NULL if \fIi\fR is out of range.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_delete_ptr\fR() deletes element matching \fIptr\fR from \fIsk\fR. It
-returns the deleted element or \s-1NULL\s0 if no element matching \fIptr\fR was found.
+\&\fBsk_\fR\f(BITYPE\fR\fB_delete_ptr\fR() deletes element matching \fIptr\fR from \fIsk\fR. It
+returns the deleted element or NULL if no element matching \fIptr\fR was found.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_insert\fR() inserts \fIptr\fR into \fIsk\fR at position \fIidx\fR. Any
+\&\fBsk_\fR\f(BITYPE\fR\fB_insert\fR() inserts \fIptr\fR into \fIsk\fR at position \fIidx\fR. Any
existing elements at or after \fIidx\fR are moved downwards. If \fIidx\fR is out
-of range the new element is appended to \fIsk\fR. \fBsk_\f(BI\s-1TYPE\s0\fB_insert\fR() either
+of range the new element is appended to \fIsk\fR. \fBsk_\fR\f(BITYPE\fR\fB_insert\fR() either
returns the number of elements in \fIsk\fR after the new element is inserted or
zero if an error (such as memory allocation failure) occurred.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_push\fR() appends \fIptr\fR to \fIsk\fR it is equivalent to:
+\&\fBsk_\fR\f(BITYPE\fR\fB_push\fR() appends \fIptr\fR to \fIsk\fR it is equivalent to:
.PP
.Vb 1
\& sk_TYPE_insert(sk, ptr, \-1);
.Ve
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_unshift\fR() inserts \fIptr\fR at the start of \fIsk\fR it is equivalent
+\&\fBsk_\fR\f(BITYPE\fR\fB_unshift\fR() inserts \fIptr\fR at the start of \fIsk\fR it is equivalent
to:
.PP
.Vb 1
\& sk_TYPE_insert(sk, ptr, 0);
.Ve
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_pop\fR() returns and removes the last element from \fIsk\fR.
+\&\fBsk_\fR\f(BITYPE\fR\fB_pop\fR() returns and removes the last element from \fIsk\fR.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_shift\fR() returns and removes the first element from \fIsk\fR.
+\&\fBsk_\fR\f(BITYPE\fR\fB_shift\fR() returns and removes the first element from \fIsk\fR.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_set\fR() sets element \fIidx\fR of \fIsk\fR to \fIptr\fR replacing the current
-element. The new element value is returned or \s-1NULL\s0 if an error occurred:
-this will only happen if \fIsk\fR is \s-1NULL\s0 or \fIidx\fR is out of range.
+\&\fBsk_\fR\f(BITYPE\fR\fB_set\fR() sets element \fIidx\fR of \fIsk\fR to \fIptr\fR replacing the current
+element. The new element value is returned or NULL if an error occurred:
+this will only happen if \fIsk\fR is NULL or \fIidx\fR is out of range.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() searches \fIsk\fR for the element \fIptr\fR. In the case
+\&\fBsk_\fR\f(BITYPE\fR\fB_find\fR() searches \fIsk\fR for the element \fIptr\fR. In the case
where no comparison function has been specified, the function performs
a linear search for a pointer equal to \fIptr\fR. The index of the first
matching element is returned or \fB\-1\fR if there is no match. In the case
where a comparison function has been specified, \fIsk\fR is sorted and
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() returns the index of a matching element or \fB\-1\fR if there
+\&\fBsk_\fR\f(BITYPE\fR\fB_find\fR() returns the index of a matching element or \fB\-1\fR if there
is no match. Note that, in this case the comparison function will usually
compare the values pointed to rather than the pointers themselves and
-the order of elements in \fIsk\fR can change. Note that because the stack may be
-sorted as the result of a \fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() call, if a lock is being used to
-synchronise access to the stack across multiple threads, then that lock must be
-a \*(L"write\*(R" lock.
+the order of elements in \fIsk\fR can change.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_find_ex\fR() operates like \fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() except when a
+\&\fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR() operates like \fBsk_\fR\f(BITYPE\fR\fB_find\fR() except when a
comparison function has been specified and no matching element is found.
-Instead of returning \fB\-1\fR, \fBsk_\f(BI\s-1TYPE\s0\fB_find_ex\fR() returns the index of the
+Instead of returning \fB\-1\fR, \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR() returns the index of the
element either before or after the location where \fIptr\fR would be if it were
present in \fIsk\fR. The function also does not guarantee that the first matching
element in the sorted stack is returned.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_find_all\fR() operates like \fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() but it also
+\&\fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() operates like \fBsk_\fR\f(BITYPE\fR\fB_find\fR() but it also
sets the \fI*pnum\fR to number of matching elements in the stack. In case
no comparison function has been specified the \fI*pnum\fR will be always set
to 1 if matching element was found, 0 otherwise.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_sort\fR() sorts \fIsk\fR using the supplied comparison function.
+\&\fBsk_\fR\f(BITYPE\fR\fB_sort\fR() sorts \fIsk\fR using the supplied comparison function.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_is_sorted\fR() returns \fB1\fR if \fIsk\fR is sorted and \fB0\fR otherwise.
+\&\fBsk_\fR\f(BITYPE\fR\fB_is_sorted\fR() returns \fB1\fR if \fIsk\fR is sorted and \fB0\fR otherwise.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_dup\fR() returns a shallow copy of \fIsk\fR
-or an empty stack if the passed stack is \s-1NULL.\s0
+\&\fBsk_\fR\f(BITYPE\fR\fB_dup\fR() returns a shallow copy of \fIsk\fR
+or an empty stack if the passed stack is NULL.
Note the pointers in the copy are identical to the original.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_deep_copy\fR() returns a new stack where each element has been
-copied or an empty stack if the passed stack is \s-1NULL.\s0
+\&\fBsk_\fR\f(BITYPE\fR\fB_deep_copy\fR() returns a new stack where each element has been
+copied or an empty stack if the passed stack is NULL.
Copying is performed by the supplied \fBcopyfunc()\fR and freeing by \fBfreefunc()\fR.
The function \fBfreefunc()\fR is only called if an error occurs.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Care should be taken when accessing stacks in multi-threaded environments.
-Any operation which increases the size of a stack such as \fBsk_\f(BI\s-1TYPE\s0\fB_insert\fR()
-or \fBsk_\f(BI\s-1TYPE\s0\fB_push\fR() can \*(L"grow\*(R" the size of an internal array and cause race
+Any operation which increases the size of a stack such as \fBsk_\fR\f(BITYPE\fR\fB_insert\fR()
+or \fBsk_\fR\f(BITYPE\fR\fB_push\fR() can "grow" the size of an internal array and cause race
conditions if the same stack is accessed in a different thread. Operations such
-as \fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_sort\fR() can also reorder the stack.
+as \fBsk_\fR\f(BITYPE\fR\fB_find\fR() and \fBsk_\fR\f(BITYPE\fR\fB_sort\fR() can also reorder the stack.
.PP
Any comparison function supplied should use a metric suitable
for use in a binary search operation. That is it should return zero, a
@@ -362,21 +283,21 @@ positive or negative value if \fIa\fR is equal to, greater than
or less than \fIb\fR respectively.
.PP
Care should be taken when checking the return values of the functions
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_find_ex\fR(). They return an index to the
+\&\fBsk_\fR\f(BITYPE\fR\fB_find\fR() and \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR(). They return an index to the
matching element. In particular \fB0\fR indicates a matching first element.
A failed search is indicated by a \fB\-1\fR return value.
.PP
-\&\s-1\fBSTACK_OF\s0()\fR, \s-1\fBDEFINE_STACK_OF\s0()\fR, \s-1\fBDEFINE_STACK_OF_CONST\s0()\fR, and
-\&\s-1\fBDEFINE_SPECIAL_STACK_OF\s0()\fR are implemented as macros.
+\&\fBSTACK_OF()\fR, \fBDEFINE_STACK_OF()\fR, \fBDEFINE_STACK_OF_CONST()\fR, and
+\&\fBDEFINE_SPECIAL_STACK_OF()\fR are implemented as macros.
.PP
-It is not an error to call \fBsk_\f(BI\s-1TYPE\s0\fB_num\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_value\fR(),
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_free\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_zero\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_pop_free\fR(),
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_delete\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_delete_ptr\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_pop\fR(),
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_shift\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_find\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_find_ex\fR(),
-and \fBsk_\f(BI\s-1TYPE\s0\fB_find_all\fR() on a \s-1NULL\s0 stack, empty stack, or with
+It is not an error to call \fBsk_\fR\f(BITYPE\fR\fB_num\fR(), \fBsk_\fR\f(BITYPE\fR\fB_value\fR(),
+\&\fBsk_\fR\f(BITYPE\fR\fB_free\fR(), \fBsk_\fR\f(BITYPE\fR\fB_zero\fR(), \fBsk_\fR\f(BITYPE\fR\fB_pop_free\fR(),
+\&\fBsk_\fR\f(BITYPE\fR\fB_delete\fR(), \fBsk_\fR\f(BITYPE\fR\fB_delete_ptr\fR(), \fBsk_\fR\f(BITYPE\fR\fB_pop\fR(),
+\&\fBsk_\fR\f(BITYPE\fR\fB_shift\fR(), \fBsk_\fR\f(BITYPE\fR\fB_find\fR(), \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR(),
+and \fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() on a NULL stack, empty stack, or with
an invalid index. An error is not raised in these conditions.
.PP
-The underlying utility \fBOPENSSL_sk_\fR \s-1API\s0 should not be used directly.
+The underlying utility \fBOPENSSL_sk_\fR API should not be used directly.
It defines these functions: \fBOPENSSL_sk_deep_copy()\fR,
\&\fBOPENSSL_sk_delete()\fR, \fBOPENSSL_sk_delete_ptr()\fR, \fBOPENSSL_sk_dup()\fR,
\&\fBOPENSSL_sk_find()\fR, \fBOPENSSL_sk_find_ex()\fR, \fBOPENSSL_sk_find_all()\fR,
@@ -388,55 +309,62 @@ It defines these functions: \fBOPENSSL_sk_deep_copy()\fR,
\&\fBOPENSSL_sk_value()\fR, \fBOPENSSL_sk_zero()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_num\fR() returns the number of elements in the stack or \fB\-1\fR if the
-passed stack is \s-1NULL.\s0
+\&\fBsk_\fR\f(BITYPE\fR\fB_num\fR() returns the number of elements in the stack or \fB\-1\fR if the
+passed stack is NULL.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_value\fR() returns a pointer to a stack element or \s-1NULL\s0 if the
+\&\fBsk_\fR\f(BITYPE\fR\fB_value\fR() returns a pointer to a stack element or NULL if the
index is out of range.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_new\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_new_null\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_new_reserve\fR()
-return an empty stack or \s-1NULL\s0 if an error occurs.
+\&\fBsk_\fR\f(BITYPE\fR\fB_new\fR(), \fBsk_\fR\f(BITYPE\fR\fB_new_null\fR() and \fBsk_\fR\f(BITYPE\fR\fB_new_reserve\fR()
+return an empty stack or NULL if an error occurs.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_reserve\fR() returns \fB1\fR on successful allocation of the required
+\&\fBsk_\fR\f(BITYPE\fR\fB_reserve\fR() returns \fB1\fR on successful allocation of the required
memory or \fB0\fR on error.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_set_cmp_func\fR() returns the old comparison function or \s-1NULL\s0 if
+\&\fBsk_\fR\f(BITYPE\fR\fB_set_cmp_func\fR() returns the old comparison function or NULL if
there was no old comparison function.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_free\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_zero\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_pop_free\fR() and
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_sort\fR() do not return values.
+\&\fBsk_\fR\f(BITYPE\fR\fB_free\fR(), \fBsk_\fR\f(BITYPE\fR\fB_zero\fR(), \fBsk_\fR\f(BITYPE\fR\fB_pop_free\fR() and
+\&\fBsk_\fR\f(BITYPE\fR\fB_sort\fR() do not return values.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_pop\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_shift\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_delete\fR() and
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_delete_ptr\fR() return a pointer to the deleted element or \s-1NULL\s0
+\&\fBsk_\fR\f(BITYPE\fR\fB_pop\fR(), \fBsk_\fR\f(BITYPE\fR\fB_shift\fR(), \fBsk_\fR\f(BITYPE\fR\fB_delete\fR() and
+\&\fBsk_\fR\f(BITYPE\fR\fB_delete_ptr\fR() return a pointer to the deleted element or NULL
on error.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_insert\fR(), \fBsk_\f(BI\s-1TYPE\s0\fB_push\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_unshift\fR() return
+\&\fBsk_\fR\f(BITYPE\fR\fB_insert\fR(), \fBsk_\fR\f(BITYPE\fR\fB_push\fR() and \fBsk_\fR\f(BITYPE\fR\fB_unshift\fR() return
the total number of elements in the stack and 0 if an error occurred.
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_push\fR() further returns \-1 if \fIsk\fR is \s-1NULL.\s0
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_set\fR() returns a pointer to the replacement element or \s-1NULL\s0 on
+\&\fBsk_\fR\f(BITYPE\fR\fB_set\fR() returns a pointer to the replacement element or NULL on
error.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_find\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_find_ex\fR() return an index to the found
+\&\fBsk_\fR\f(BITYPE\fR\fB_find\fR() and \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR() return an index to the found
element or \fB\-1\fR on error.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_is_sorted\fR() returns \fB1\fR if the stack is sorted and \fB0\fR if it is
+\&\fBsk_\fR\f(BITYPE\fR\fB_is_sorted\fR() returns \fB1\fR if the stack is sorted and \fB0\fR if it is
not.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_dup\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_deep_copy\fR() return a pointer to the copy
-of the stack or \s-1NULL\s0 on error.
-.SH "HISTORY"
+\&\fBsk_\fR\f(BITYPE\fR\fB_dup\fR() and \fBsk_\fR\f(BITYPE\fR\fB_deep_copy\fR() return a pointer to the copy
+of the stack or NULL on error.
+.SH HISTORY
.IX Header "HISTORY"
Before OpenSSL 1.1.0, this was implemented via macros and not inline functions
-and was not a public \s-1API.\s0
+and was not a public API.
.PP
-\&\fBsk_\f(BI\s-1TYPE\s0\fB_reserve\fR() and \fBsk_\f(BI\s-1TYPE\s0\fB_new_reserve\fR() were added in OpenSSL
+\&\fBsk_\fR\f(BITYPE\fR\fB_reserve\fR() and \fBsk_\fR\f(BITYPE\fR\fB_new_reserve\fR() were added in OpenSSL
1.1.1.
-.SH "COPYRIGHT"
+.PP
+From OpenSSL 3.2.0, the \fBsk_\fR\f(BITYPE\fR\fB_find\fR(), \fBsk_\fR\f(BITYPE\fR\fB_find_ex\fR()
+and \fBsk_\fR\f(BITYPE\fR\fB_find_all\fR() calls are read-only and do not sort the
+stack. To avoid any performance implications this change introduces,
+\&\fBsk_\fR\f(BITYPE\fR\fB_sort\fR() should be called before these find operations.
+.PP
+Before OpenSSL 3.3.0 \fBsk_\fR\f(BITYPE\fR\fB_push\fR() returned \-1 if \fIsk\fR was NULL. It
+was changed to return 0 in this condition as for other errors.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DES_random_key.3 b/secure/lib/libcrypto/man/man3/DES_random_key.3
index b9533cacd68b..815e78e096e2 100644
--- a/secure/lib/libcrypto/man/man3/DES_random_key.3
+++ b/secure/lib/libcrypto/man/man3/DES_random_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DES_RANDOM_KEY 3ossl"
-.TH DES_RANDOM_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DES_RANDOM_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DES_random_key, DES_set_key, DES_key_sched, DES_set_key_checked,
DES_set_key_unchecked, DES_set_odd_parity, DES_is_weak_key,
DES_ecb_encrypt, DES_ecb2_encrypt, DES_ecb3_encrypt, DES_ncbc_encrypt,
@@ -146,14 +70,14 @@ DES_ede2_cfb64_encrypt, DES_ede2_ofb64_encrypt, DES_ede3_cbc_encrypt,
DES_ede3_cfb64_encrypt, DES_ede3_ofb64_encrypt,
DES_cbc_cksum, DES_quad_cksum, DES_string_to_key, DES_string_to_2keys,
DES_fcrypt, DES_crypt \- DES encryption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/des.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -233,29 +157,29 @@ see \fBopenssl_user_macros\fR\|(7):
\& char *DES_fcrypt(const char *buf, const char *salt, char *ret);
\& char *DES_crypt(const char *buf, const char *salt);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. Applications should
instead use \fBEVP_EncryptInit_ex\fR\|(3), \fBEVP_EncryptUpdate\fR\|(3) and
\&\fBEVP_EncryptFinal_ex\fR\|(3) or the equivalently named decrypt functions.
.PP
-This library contains a fast implementation of the \s-1DES\s0 encryption
+This library contains a fast implementation of the DES encryption
algorithm.
.PP
-There are two phases to the use of \s-1DES\s0 encryption. The first is the
+There are two phases to the use of DES encryption. The first is the
generation of a \fIDES_key_schedule\fR from a key, the second is the
-actual encryption. A \s-1DES\s0 key is of type \fIDES_cblock\fR. This type
+actual encryption. A DES key is of type \fIDES_cblock\fR. This type
consists of 8 bytes with odd parity. The least significant bit in
each byte is the parity bit. The key schedule is an expanded form of
the key; it is used to speed the encryption process.
.PP
\&\fBDES_random_key()\fR generates a random key. The random generator must be
seeded when calling this function.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
If the function fails, 0 is returned.
.PP
-Before a \s-1DES\s0 key can be used, it must be converted into the
+Before a DES key can be used, it must be converted into the
architecture dependent \fIDES_key_schedule\fR via the
\&\fBDES_set_key_checked()\fR or \fBDES_set_key_unchecked()\fR function.
.PP
@@ -275,30 +199,30 @@ is ok.
The following routines mostly operate on an input and output stream of
\&\fIDES_cblock\fRs.
.PP
-\&\fBDES_ecb_encrypt()\fR is the basic \s-1DES\s0 encryption routine that encrypts or
+\&\fBDES_ecb_encrypt()\fR is the basic DES encryption routine that encrypts or
decrypts a single 8\-byte \fIDES_cblock\fR in \fIelectronic code book\fR
-(\s-1ECB\s0) mode. It always transforms the input data, pointed to by
+(ECB) mode. It always transforms the input data, pointed to by
\&\fIinput\fR, into the output data, pointed to by the \fIoutput\fR argument.
-If the \fIencrypt\fR argument is nonzero (\s-1DES_ENCRYPT\s0), the \fIinput\fR
+If the \fIencrypt\fR argument is nonzero (DES_ENCRYPT), the \fIinput\fR
(cleartext) is encrypted in to the \fIoutput\fR (ciphertext) using the
key_schedule specified by the \fIschedule\fR argument, previously set via
-\&\fIDES_set_key\fR. If \fIencrypt\fR is zero (\s-1DES_DECRYPT\s0), the \fIinput\fR (now
+\&\fIDES_set_key\fR. If \fIencrypt\fR is zero (DES_DECRYPT), the \fIinput\fR (now
ciphertext) is decrypted into the \fIoutput\fR (now cleartext). Input
and output may overlap. \fBDES_ecb_encrypt()\fR does not return a value.
.PP
\&\fBDES_ecb3_encrypt()\fR encrypts/decrypts the \fIinput\fR block by using
-three-key Triple-DES encryption in \s-1ECB\s0 mode. This involves encrypting
+three-key Triple-DES encryption in ECB mode. This involves encrypting
the input with \fIks1\fR, decrypting with the key schedule \fIks2\fR, and
then encrypting with \fIks3\fR. This routine greatly reduces the chances
-of brute force breaking of \s-1DES\s0 and has the advantage of if \fIks1\fR,
+of brute force breaking of DES and has the advantage of if \fIks1\fR,
\&\fIks2\fR and \fIks3\fR are the same, it is equivalent to just encryption
-using \s-1ECB\s0 mode and \fIks1\fR as the key.
+using ECB mode and \fIks1\fR as the key.
.PP
The macro \fBDES_ecb2_encrypt()\fR is provided to perform two-key Triple-DES
encryption by using \fIks1\fR for the final encryption.
.PP
\&\fBDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher-block-chaining\fR
-(\s-1CBC\s0) mode of \s-1DES.\s0 If the \fIencrypt\fR argument is nonzero, the
+(CBC) mode of DES. If the \fIencrypt\fR argument is nonzero, the
routine cipher-block-chain encrypts the cleartext data pointed to by
the \fIinput\fR argument into the ciphertext pointed to by the \fIoutput\fR
argument, using the key schedule provided by the \fIschedule\fR argument,
@@ -307,18 +231,18 @@ and initialization vector provided by the \fIivec\fR argument. If the
last block is copied to a temporary area and zero filled. The output
is always an integral multiple of eight bytes.
.PP
-\&\fBDES_xcbc_encrypt()\fR is \s-1RSA\s0's \s-1DESX\s0 mode of \s-1DES.\s0 It uses \fIinw\fR and
+\&\fBDES_xcbc_encrypt()\fR is RSA's DESX mode of DES. It uses \fIinw\fR and
\&\fIoutw\fR to 'whiten' the encryption. \fIinw\fR and \fIoutw\fR are secret
(unlike the iv) and are as such, part of the key. So the key is sort
-of 24 bytes. This is much better than \s-1CBC DES.\s0
+of 24 bytes. This is much better than CBC DES.
.PP
-\&\fBDES_ede3_cbc_encrypt()\fR implements outer triple \s-1CBC DES\s0 encryption with
-three keys. This means that each \s-1DES\s0 operation inside the \s-1CBC\s0 mode is
-\&\f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR. This mode is used by \s-1SSL.\s0
+\&\fBDES_ede3_cbc_encrypt()\fR implements outer triple CBC DES encryption with
+three keys. This means that each DES operation inside the CBC mode is
+\&\f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR. This mode is used by SSL.
.PP
The \fBDES_ede2_cbc_encrypt()\fR macro implements two-key Triple-DES by
reusing \fIks1\fR for the final encryption. \f(CW\*(C`C=E(ks1,D(ks2,E(ks1,M)))\*(C'\fR.
-This form of Triple-DES is used by the \s-1RSAREF\s0 library.
+This form of Triple-DES is used by the RSAREF library.
.PP
\&\fBDES_pcbc_encrypt()\fR encrypts/decrypts using the propagating cipher block
chaining mode used by Kerberos v4. Its parameters are the same as
@@ -329,16 +253,16 @@ method takes an array of characters as input and outputs an array of
characters. It does not require any padding to 8 character groups.
Note: the \fIivec\fR variable is changed and the new changed value needs to
be passed to the next call to this function. Since this function runs
-a complete \s-1DES ECB\s0 encryption per \fInumbits\fR, this function is only
+a complete DES ECB encryption per \fInumbits\fR, this function is only
suggested for use when sending a small number of characters.
.PP
\&\fBDES_cfb64_encrypt()\fR
-implements \s-1CFB\s0 mode of \s-1DES\s0 with 64\-bit feedback. Why is this
+implements CFB mode of DES with 64\-bit feedback. Why is this
useful you ask? Because this routine will allow you to encrypt an
arbitrary number of bytes, without 8 byte padding. Each call to this
routine will encrypt the input bytes to output and then update ivec
and num. num contains 'how far' we are though ivec. If this does
-not make much sense, read more about \s-1CFB\s0 mode of \s-1DES.\s0
+not make much sense, read more about CFB mode of DES.
.PP
\&\fBDES_ede3_cfb64_encrypt()\fR and \fBDES_ede2_cfb64_encrypt()\fR is the same as
\&\fBDES_cfb64_encrypt()\fR except that Triple-DES is used.
@@ -348,7 +272,7 @@ takes an array of characters as input and outputs an array of
characters. It does not require any padding to 8 character groups.
Note: the \fIivec\fR variable is changed and the new changed value needs to
be passed to the next call to this function. Since this function runs
-a complete \s-1DES ECB\s0 encryption per \fInumbits\fR, this function is only
+a complete DES ECB encryption per \fInumbits\fR, this function is only
suggested for use when sending a small number of characters.
.PP
\&\fBDES_ofb64_encrypt()\fR is the same as \fBDES_cfb64_encrypt()\fR using Output
@@ -357,11 +281,11 @@ Feed Back mode.
\&\fBDES_ede3_ofb64_encrypt()\fR and \fBDES_ede2_ofb64_encrypt()\fR is the same as
\&\fBDES_ofb64_encrypt()\fR, using Triple-DES.
.PP
-The following functions are included in the \s-1DES\s0 library for
-compatibility with the \s-1MIT\s0 Kerberos library.
+The following functions are included in the DES library for
+compatibility with the MIT Kerberos library.
.PP
\&\fBDES_cbc_cksum()\fR produces an 8 byte checksum based on the input stream
-(via \s-1CBC\s0 encryption). The last 4 bytes of the checksum are returned
+(via CBC encryption). The last 4 bytes of the checksum are returned
and the complete 8 bytes are placed in \fIoutput\fR. This function is
used by Kerberos v4. Other applications should use
\&\fBEVP_DigestInit\fR\|(3) etc. instead.
@@ -385,9 +309,9 @@ is thread safe, unlike the normal \fBcrypt()\fR.
This function calls \fBDES_fcrypt()\fR with a static array passed as the
third parameter. This mostly emulates the normal non-thread-safe semantics
of \fBcrypt\fR\|(3).
-The \fBsalt\fR must be two \s-1ASCII\s0 characters.
+The \fBsalt\fR must be two ASCII characters.
.PP
-The values returned by \fBDES_fcrypt()\fR and \fBDES_crypt()\fR are terminated by \s-1NUL\s0
+The values returned by \fBDES_fcrypt()\fR and \fBDES_crypt()\fR are terminated by NUL
character.
.PP
\&\fBDES_enc_write()\fR writes \fIlen\fR bytes to file descriptor \fIfd\fR from
@@ -397,7 +321,7 @@ data send down \fIfd\fR consists of 4 bytes (in network byte order)
containing the length of the following encrypted data. The encrypted
data then follows, padded with random data out to a multiple of 8
bytes.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
\&\fBDES_cbc_encrypt()\fR does not modify \fBivec\fR; use \fBDES_ncbc_encrypt()\fR
instead.
@@ -413,18 +337,18 @@ and because once you get into pulling bytes input bytes apart things
get ugly!
.PP
\&\fBDES_string_to_key()\fR is available for backward compatibility with the
-\&\s-1MIT\s0 library. New applications should use a cryptographic hash function.
+MIT library. New applications should use a cryptographic hash function.
The same applies for \fBDES_string_to_2key()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The \fBdes\fR library was written to be source code compatible with
-the \s-1MIT\s0 Kerberos library.
+the MIT Kerberos library.
.PP
Applications should use the higher level functions
\&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these
functions directly.
.PP
-Single-key \s-1DES\s0 is insecure due to its short key size. \s-1ECB\s0 mode is
+Single-key DES is insecure due to its short key size. ECB mode is
not suitable for most applications; see \fBdes_modes\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -438,25 +362,25 @@ is ok.
last 4 bytes of the checksum of the input.
.PP
\&\fBDES_fcrypt()\fR returns a pointer to the caller-provided buffer and \fBDES_crypt()\fR \-
-to a static buffer on success; otherwise they return \s-1NULL.\s0
+to a static buffer on success; otherwise they return NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdes_modes\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
The requirement that the \fBsalt\fR parameter to \fBDES_crypt()\fR and \fBDES_fcrypt()\fR
-be two \s-1ASCII\s0 characters was first enforced in
+be two ASCII characters was first enforced in
OpenSSL 1.1.0. Previous versions tried to use the letter uppercase \fBA\fR
if both character were not present, and could crash when given non-ASCII
on some platforms.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_generate_key.3 b/secure/lib/libcrypto/man/man3/DH_generate_key.3
index 5318fe313602..f36cd4d46c3e 100644
--- a/secure/lib/libcrypto/man/man3/DH_generate_key.3
+++ b/secure/lib/libcrypto/man/man3/DH_generate_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GENERATE_KEY 3ossl"
-.TH DH_GENERATE_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_GENERATE_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_generate_key, DH_compute_key, DH_compute_key_padded \- perform
Diffie\-Hellman key exchange
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -156,32 +80,32 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_derive_init\fR\|(3)
and \fBEVP_PKEY_derive\fR\|(3).
.PP
\&\fBDH_generate_key()\fR performs the first step of a Diffie-Hellman key
-exchange by generating private and public \s-1DH\s0 values. By calling
+exchange by generating private and public DH values. By calling
\&\fBDH_compute_key()\fR or \fBDH_compute_key_padded()\fR, these are combined with
the other party's public value to compute the shared key.
.PP
\&\fBDH_generate_key()\fR expects \fBdh\fR to contain the shared parameters
-\&\fBdh\->p\fR and \fBdh\->g\fR. It generates a random private \s-1DH\s0 value
+\&\fBdh\->p\fR and \fBdh\->g\fR. It generates a random private DH value
unless \fBdh\->priv_key\fR is already set, and computes the
corresponding public value \fBdh\->pub_key\fR, which can then be
published.
.PP
-\&\fBDH_compute_key()\fR computes the shared secret from the private \s-1DH\s0 value
+\&\fBDH_compute_key()\fR computes the shared secret from the private DH value
in \fBdh\fR and the other party's public value in \fBpub_key\fR and stores
it in \fBkey\fR. \fBkey\fR must point to \fBDH_size(dh)\fR bytes of memory.
-The padding style is \s-1RFC 5246\s0 (8.1.2) that strips leading zero bytes.
+The padding style is RFC 5246 (8.1.2) that strips leading zero bytes.
It is not constant time due to the leading zero bytes being stripped.
The return value should be considered public.
.PP
\&\fBDH_compute_key_padded()\fR is similar but stores a fixed number of bytes.
-The padding style is \s-1NIST SP 800\-56A\s0 (C.1) that retains leading zero bytes.
+The padding style is NIST SP 800\-56A (C.1) that retains leading zero bytes.
It is constant time due to the leading zero bytes being retained.
The return value should be considered public.
.SH "RETURN VALUES"
@@ -198,16 +122,16 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBDH_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3), \fBDH_size\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBDH_compute_key_padded()\fR was added in OpenSSL 1.0.2.
.PP
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3
index fe7831b28c06..3f35ec6bc3ad 100644
--- a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3
+++ b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GENERATE_PARAMETERS 3ossl"
-.TH DH_GENERATE_PARAMETERS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_GENERATE_PARAMETERS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_generate_parameters_ex, DH_generate_parameters,
DH_check, DH_check_params,
DH_check_ex, DH_check_params_ex, DH_check_pub_key_ex
\&\- generate and check Diffie\-Hellman
parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -164,14 +88,14 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following functions have been deprecated since OpenSSL 0.9.8, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& DH *DH_generate_parameters(int prime_len, int generator,
\& void (*callback)(int, int, void *), void *cb_arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_check\fR\|(3),
@@ -179,7 +103,7 @@ Applications should instead use \fBEVP_PKEY_check\fR\|(3),
\&\fBEVP_PKEY_param_check\fR\|(3).
.PP
\&\fBDH_generate_parameters_ex()\fR generates Diffie-Hellman parameters that can
-be shared among a group of users, and stores them in the provided \fB\s-1DH\s0\fR
+be shared among a group of users, and stores them in the provided \fBDH\fR
structure. The pseudo-random number generator must be
seeded before calling it.
The parameters generated by \fBDH_generate_parameters_ex()\fR should not be used in
@@ -189,7 +113,7 @@ signature schemes.
\&\fBgenerator\fR is a small number > 1, typically 2 or 5.
.PP
A callback function may be used to provide feedback about the progress
-of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be
+of the key generation. If \fBcb\fR is not \fBNULL\fR, it will be
called as described in \fBBN_generate_prime\fR\|(3) while a random prime
number is generated, and when a prime has been found, \fBBN_GENCB_call(cb, 3, 0)\fR
is called. See \fBBN_generate_prime_ex\fR\|(3) for information on
@@ -206,48 +130,52 @@ This is a lightweight check, if a more thorough check is needed, use
The value of \fB*codes\fR is updated with any problems found.
If \fB*codes\fR is zero then no problems were found, otherwise the
following bits may be set:
-.IP "\s-1DH_CHECK_P_NOT_PRIME\s0" 4
+.IP DH_CHECK_P_NOT_PRIME 4
.IX Item "DH_CHECK_P_NOT_PRIME"
The parameter \fBp\fR has been determined to not being an odd prime.
Note that the lack of this bit doesn't guarantee that \fBp\fR is a
prime.
-.IP "\s-1DH_NOT_SUITABLE_GENERATOR\s0" 4
+.IP DH_NOT_SUITABLE_GENERATOR 4
.IX Item "DH_NOT_SUITABLE_GENERATOR"
The generator \fBg\fR is not suitable.
Note that the lack of this bit doesn't guarantee that \fBg\fR is
suitable, unless \fBp\fR is known to be a strong prime.
-.IP "\s-1DH_MODULUS_TOO_SMALL\s0" 4
+.IP DH_MODULUS_TOO_SMALL 4
.IX Item "DH_MODULUS_TOO_SMALL"
The modulus is too small.
-.IP "\s-1DH_MODULUS_TOO_LARGE\s0" 4
+.IP DH_MODULUS_TOO_LARGE 4
.IX Item "DH_MODULUS_TOO_LARGE"
The modulus is too large.
.PP
\&\fBDH_check()\fR confirms that the Diffie-Hellman parameters \fBdh\fR are valid. The
value of \fB*codes\fR is updated with any problems found. If \fB*codes\fR is zero then
no problems were found, otherwise the following bits may be set:
-.IP "\s-1DH_CHECK_P_NOT_PRIME\s0" 4
+.IP DH_CHECK_P_NOT_PRIME 4
.IX Item "DH_CHECK_P_NOT_PRIME"
The parameter \fBp\fR is not prime.
-.IP "\s-1DH_CHECK_P_NOT_SAFE_PRIME\s0" 4
+.IP DH_CHECK_P_NOT_SAFE_PRIME 4
.IX Item "DH_CHECK_P_NOT_SAFE_PRIME"
The parameter \fBp\fR is not a safe prime and no \fBq\fR value is present.
-.IP "\s-1DH_UNABLE_TO_CHECK_GENERATOR\s0" 4
+.IP DH_UNABLE_TO_CHECK_GENERATOR 4
.IX Item "DH_UNABLE_TO_CHECK_GENERATOR"
The generator \fBg\fR cannot be checked for suitability.
-.IP "\s-1DH_NOT_SUITABLE_GENERATOR\s0" 4
+.IP DH_NOT_SUITABLE_GENERATOR 4
.IX Item "DH_NOT_SUITABLE_GENERATOR"
The generator \fBg\fR is not suitable.
-.IP "\s-1DH_CHECK_Q_NOT_PRIME\s0" 4
+.IP DH_CHECK_Q_NOT_PRIME 4
.IX Item "DH_CHECK_Q_NOT_PRIME"
The parameter \fBq\fR is not prime.
-.IP "\s-1DH_CHECK_INVALID_Q_VALUE\s0" 4
+.IP DH_CHECK_INVALID_Q_VALUE 4
.IX Item "DH_CHECK_INVALID_Q_VALUE"
The parameter \fBq\fR is invalid.
-.IP "\s-1DH_CHECK_INVALID_J_VALUE\s0" 4
+.IP DH_CHECK_INVALID_J_VALUE 4
.IX Item "DH_CHECK_INVALID_J_VALUE"
The parameter \fBj\fR is invalid.
.PP
+If 0 is returned or \fB*codes\fR is set to a nonzero value the supplied
+parameters should not be used for Diffie-Hellman operations otherwise
+the security properties of the key exchange are not guaranteed.
+.PP
\&\fBDH_check_ex()\fR, \fBDH_check_params()\fR and \fBDH_check_pub_key_ex()\fR are similar to
\&\fBDH_check()\fR and \fBDH_check_params()\fR respectively, but the error reasons are added
to the thread's error queue instead of provided as return values from the
@@ -257,7 +185,7 @@ function.
\&\fBDH_generate_parameters_ex()\fR, \fBDH_check()\fR and \fBDH_check_params()\fR return 1
if the check could be performed, 0 otherwise.
.PP
-\&\fBDH_generate_parameters()\fR returns a pointer to the \s-1DH\s0 structure or \s-1NULL\s0 if
+\&\fBDH_generate_parameters()\fR returns a pointer to the DH structure or NULL if
the parameter generation fails.
.PP
\&\fBDH_check_ex()\fR, \fBDH_check_params()\fR and \fBDH_check_pub_key_ex()\fR return 1 if the
@@ -268,17 +196,17 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDH_free\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
\&\fBDH_generate_parameters()\fR was deprecated in OpenSSL 0.9.8; use
\&\fBDH_generate_parameters_ex()\fR instead.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3
index b4712c0542c1..d086b5b3361f 100644
--- a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3
+++ b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GET0_PQG 3ossl"
-.TH DH_GET0_PQG 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_GET0_PQG 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_get0_pqg, DH_set0_pqg, DH_get0_key, DH_set0_key,
DH_get0_p, DH_get0_q, DH_get0_g,
DH_get0_priv_key, DH_get0_pub_key,
DH_clear_flags, DH_test_flags, DH_set_flags, DH_get0_engine,
DH_get_length, DH_set_length \- Routines for getting and setting data in a DH object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -173,78 +97,78 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& ENGINE *DH_get0_engine(DH *d);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_get_bn_param\fR\|(3) for any methods that
-return a \fB\s-1BIGNUM\s0\fR. Refer to \s-1\fBEVP_PKEY\-DH\s0\fR\|(7) for more information.
+return a \fBBIGNUM\fR. Refer to \fBEVP_PKEY\-DH\fR\|(7) for more information.
.PP
-A \s-1DH\s0 object contains the parameters \fIp\fR, \fIq\fR and \fIg\fR. Note that the \fIq\fR
+A DH object contains the parameters \fIp\fR, \fIq\fR and \fIg\fR. Note that the \fIq\fR
parameter is optional. It also contains a public key (\fIpub_key\fR) and
(optionally) a private key (\fIpriv_key\fR).
.PP
The \fIp\fR, \fIq\fR and \fIg\fR parameters can be obtained by calling \fBDH_get0_pqg()\fR.
If the parameters have not yet been set then \fI*p\fR, \fI*q\fR and \fI*g\fR will be set
-to \s-1NULL.\s0 Otherwise they are set to pointers to their respective values. These
+to NULL. Otherwise they are set to pointers to their respective values. These
point directly to the internal representations of the values and therefore
should not be freed directly.
-Any of the out parameters \fIp\fR, \fIq\fR, and \fIg\fR can be \s-1NULL,\s0 in which case no
+Any of the out parameters \fIp\fR, \fIq\fR, and \fIg\fR can be NULL, in which case no
value will be returned for that parameter.
.PP
The \fIp\fR, \fIq\fR and \fIg\fR values can be set by calling \fBDH_set0_pqg()\fR and passing
the new values for \fIp\fR, \fIq\fR and \fIg\fR as parameters to the function. Calling
-this function transfers the memory management of the values to the \s-1DH\s0 object,
+this function transfers the memory management of the values to the DH object,
and therefore the values that have been passed in should not be freed directly
-after this function has been called. The \fIq\fR parameter may be \s-1NULL.\s0
+after this function has been called. The \fIq\fR parameter may be NULL.
\&\fBDH_set0_pqg()\fR also checks if the parameters associated with \fIp\fR and \fIg\fR and
optionally \fIq\fR are associated with known safe prime groups. If it is a safe
prime group then the value of \fIq\fR will be set to q = (p \- 1) / 2 if \fIq\fR is
-\&\s-1NULL.\s0 The optional length parameter will be set to BN_num_bits(\fIq\fR) if \fIq\fR
-is not \s-1NULL.\s0
+NULL. The optional length parameter will be set to BN_num_bits(\fIq\fR) if \fIq\fR
+is not NULL.
.PP
To get the public and private key values use the \fBDH_get0_key()\fR function. A
pointer to the public key will be stored in \fI*pub_key\fR, and a pointer to the
-private key will be stored in \fI*priv_key\fR. Either may be \s-1NULL\s0 if they have not
+private key will be stored in \fI*priv_key\fR. Either may be NULL if they have not
been set yet, although if the private key has been set then the public key must
be. The values point to the internal representation of the public key and
private key values. This memory should not be freed directly.
-Any of the out parameters \fIpub_key\fR and \fIpriv_key\fR can be \s-1NULL,\s0 in which case
+Any of the out parameters \fIpub_key\fR and \fIpriv_key\fR can be NULL, in which case
no value will be returned for that parameter.
.PP
The public and private key values can be set using \fBDH_set0_key()\fR. Either
-parameter may be \s-1NULL,\s0 which means the corresponding \s-1DH\s0 field is left
+parameter may be NULL, which means the corresponding DH field is left
untouched. As with \fBDH_set0_pqg()\fR this function transfers the memory management
-of the key values to the \s-1DH\s0 object, and therefore they should not be freed
+of the key values to the DH object, and therefore they should not be freed
directly after this function has been called.
.PP
Any of the values \fIp\fR, \fIq\fR, \fIg\fR, \fIpriv_key\fR, and \fIpub_key\fR can also be
retrieved separately by the corresponding function \fBDH_get0_p()\fR, \fBDH_get0_q()\fR,
\&\fBDH_get0_g()\fR, \fBDH_get0_priv_key()\fR, and \fBDH_get0_pub_key()\fR, respectively.
.PP
-\&\fBDH_set_flags()\fR sets the flags in the \fIflags\fR parameter on the \s-1DH\s0 object.
+\&\fBDH_set_flags()\fR sets the flags in the \fIflags\fR parameter on the DH object.
Multiple flags can be passed in one go (bitwise ORed together). Any flags that
are already set are left set. \fBDH_test_flags()\fR tests to see whether the flags
-passed in the \fIflags\fR parameter are currently set in the \s-1DH\s0 object. Multiple
+passed in the \fIflags\fR parameter are currently set in the DH object. Multiple
flags can be tested in one go. All flags that are currently set are returned, or
zero if none of the flags are set. \fBDH_clear_flags()\fR clears the specified flags
-within the \s-1DH\s0 object.
+within the DH object.
.PP
-\&\fBDH_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for this \s-1DH\s0
-object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set. This function is deprecated. All
+\&\fBDH_get0_engine()\fR returns a handle to the ENGINE that has been set for this DH
+object, or NULL if no such ENGINE has been set. This function is deprecated. All
engines should be replaced by providers.
.PP
The \fBDH_get_length()\fR and \fBDH_set_length()\fR functions get and set the optional
-length parameter associated with this \s-1DH\s0 object. If the length is nonzero then
+length parameter associated with this DH object. If the length is nonzero then
it is used, otherwise it is ignored. The \fIlength\fR parameter indicates the
length of the secret exponent (private key) in bits. For safe prime groups the optional length parameter \fIlength\fR can be
set to a value greater or equal to 2 * maximum_target_security_strength(BN_num_bits(\fIp\fR))
as listed in SP800\-56Ar3 Table(s) 25 & 26.
These functions are deprecated and should be replaced with
\&\fBEVP_PKEY_CTX_set_params()\fR and \fBEVP_PKEY_get_int_param()\fR using the parameter key
-\&\fB\s-1OSSL_PKEY_PARAM_DH_PRIV_LEN\s0\fR as described in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7).
-.SH "NOTES"
+\&\fBOSSL_PKEY_PARAM_DH_PRIV_LEN\fR as described in \fBEVP_PKEY\-DH\fR\|(7).
+.SH NOTES
.IX Header "NOTES"
-Values retrieved with \fBDH_get0_key()\fR are owned by the \s-1DH\s0 object used
+Values retrieved with \fBDH_get0_key()\fR are owned by the DH object used
in the call and may therefore \fInot\fR be passed to \fBDH_set0_key()\fR. If
needed, duplicate the received value using \fBBN_dup()\fR and pass the
duplicate. The same applies to \fBDH_get0_pqg()\fR and \fBDH_set0_pqg()\fR.
@@ -253,11 +177,11 @@ duplicate. The same applies to \fBDH_get0_pqg()\fR and \fBDH_set0_pqg()\fR.
\&\fBDH_set0_pqg()\fR and \fBDH_set0_key()\fR return 1 on success or 0 on failure.
.PP
\&\fBDH_get0_p()\fR, \fBDH_get0_q()\fR, \fBDH_get0_g()\fR, \fBDH_get0_priv_key()\fR, and \fBDH_get0_pub_key()\fR
-return the respective value, or \s-1NULL\s0 if it is unset.
+return the respective value, or NULL if it is unset.
.PP
-\&\fBDH_test_flags()\fR returns the current state of the flags in the \s-1DH\s0 object.
+\&\fBDH_test_flags()\fR returns the current state of the flags in the DH object.
.PP
-\&\fBDH_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1DH\s0 object or \s-1NULL\s0 if no \s-1ENGINE\s0
+\&\fBDH_get0_engine()\fR returns the ENGINE set for the DH object or NULL if no ENGINE
has been set.
.PP
\&\fBDH_get_length()\fR returns the length of the secret exponent (private key) in bits,
@@ -266,16 +190,16 @@ or zero if no such length has been explicitly set.
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_new\fR\|(3), \fBDH_generate_parameters\fR\|(3), \fBDH_generate_key\fR\|(3),
\&\fBDH_set_method\fR\|(3), \fBDH_size\fR\|(3), \fBDH_meth_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.PP
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3
index 75426aacb122..823c6a523f9e 100644
--- a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3
+++ b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GET_1024_160 3ossl"
-.TH DH_GET_1024_160 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_GET_1024_160 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_get_1024_160,
DH_get_2048_224,
DH_get_2048_256,
@@ -154,7 +78,7 @@ BN_get_rfc3526_prime_4096,
BN_get_rfc3526_prime_6144,
BN_get_rfc3526_prime_8192
\&\- Create standardized public primes or DH pairs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
@@ -176,7 +100,7 @@ BN_get_rfc3526_prime_8192
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -186,38 +110,38 @@ see \fBopenssl_user_macros\fR\|(7):
\& DH *DH_get_2048_224(void);
\& DH *DH_get_2048_256(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBDH_get_1024_160()\fR, \fBDH_get_2048_224()\fR, and \fBDH_get_2048_256()\fR each return
-a \s-1DH\s0 object for the \s-1IETF RFC 5114\s0 value. These functions are deprecated.
+a DH object for the IETF RFC 5114 value. These functions are deprecated.
Applications should instead use \fBEVP_PKEY_CTX_set_dh_rfc5114()\fR and
\&\fBEVP_PKEY_CTX_set_dhx_rfc5114()\fR as described in \fBEVP_PKEY_CTX_ctrl\fR\|(3) or
-by setting the \fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR as specified in
-\&\*(L"\s-1DH\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7)) to one of \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R" or
-\&\*(L"dh_2048_256\*(R".
+by setting the \fBOSSL_PKEY_PARAM_GROUP_NAME\fR as specified in
+"DH parameters" in \fBEVP_PKEY\-DH\fR\|(7)) to one of "dh_1024_160", "dh_2048_224" or
+"dh_2048_256".
.PP
\&\fBBN_get0_nist_prime_192()\fR, \fBBN_get0_nist_prime_224()\fR, \fBBN_get0_nist_prime_256()\fR,
\&\fBBN_get0_nist_prime_384()\fR, and \fBBN_get0_nist_prime_521()\fR functions return
-a \s-1BIGNUM\s0 for the specific \s-1NIST\s0 prime curve (e.g., P\-256).
+a BIGNUM for the specific NIST prime curve (e.g., P\-256).
.PP
\&\fBBN_get_rfc2409_prime_768()\fR, \fBBN_get_rfc2409_prime_1024()\fR,
\&\fBBN_get_rfc3526_prime_1536()\fR, \fBBN_get_rfc3526_prime_2048()\fR,
\&\fBBN_get_rfc3526_prime_3072()\fR, \fBBN_get_rfc3526_prime_4096()\fR,
\&\fBBN_get_rfc3526_prime_6144()\fR, and \fBBN_get_rfc3526_prime_8192()\fR functions
-return a \s-1BIGNUM\s0 for the specified size from \s-1IETF RFC 2409.\s0 If \fBbn\fR
-is not \s-1NULL,\s0 the \s-1BIGNUM\s0 will be set into that location as well.
+return a BIGNUM for the specified size from IETF RFC 2409. If \fBbn\fR
+is not NULL, the BIGNUM will be set into that location as well.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Defined above.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBDH_get_1024_160()\fR, \fBDH_get_2048_224()\fR and \fBDH_get_2048_256()\fR were
deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_meth_new.3 b/secure/lib/libcrypto/man/man3/DH_meth_new.3
index 5036315d0ce0..a637526262c3 100644
--- a/secure/lib/libcrypto/man/man3/DH_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/DH_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_METH_NEW 3ossl"
-.TH DH_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_meth_new, DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name,
DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data,
DH_meth_set0_app_data, DH_meth_get_generate_key, DH_meth_set_generate_key,
@@ -144,14 +68,14 @@ DH_meth_get_compute_key, DH_meth_set_compute_key, DH_meth_get_bn_mod_exp,
DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init, DH_meth_get_finish,
DH_meth_set_finish, DH_meth_get_generate_params,
DH_meth_set_generate_params \- Routines to build up DH methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -197,50 +121,50 @@ see \fBopenssl_user_macros\fR\|(7):
\& int DH_meth_set_generate_params(DH_METHOD *dhm,
\& int (*generate_params)(DH *, int, int, BN_GENCB *));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use the provider APIs.
.PP
-The \fB\s-1DH_METHOD\s0\fR type is a structure used for the provision of custom \s-1DH\s0
+The \fBDH_METHOD\fR type is a structure used for the provision of custom DH
implementations. It provides a set of functions used by OpenSSL for the
-implementation of the various \s-1DH\s0 capabilities.
+implementation of the various DH capabilities.
.PP
-\&\fBDH_meth_new()\fR creates a new \fB\s-1DH_METHOD\s0\fR structure. It should be given a
-unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a \s-1NULL\s0 terminated
-string, which will be duplicated and stored in the \fB\s-1DH_METHOD\s0\fR object. It is
+\&\fBDH_meth_new()\fR creates a new \fBDH_METHOD\fR structure. It should be given a
+unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a NULL terminated
+string, which will be duplicated and stored in the \fBDH_METHOD\fR object. It is
the callers responsibility to free the original string. The flags will be used
-during the construction of a new \fB\s-1DH\s0\fR object based on this \fB\s-1DH_METHOD\s0\fR. Any
-new \fB\s-1DH\s0\fR object will have those flags set by default.
+during the construction of a new \fBDH\fR object based on this \fBDH_METHOD\fR. Any
+new \fBDH\fR object will have those flags set by default.
.PP
-\&\fBDH_meth_dup()\fR creates a duplicate copy of the \fB\s-1DH_METHOD\s0\fR object passed as a
-parameter. This might be useful for creating a new \fB\s-1DH_METHOD\s0\fR based on an
+\&\fBDH_meth_dup()\fR creates a duplicate copy of the \fBDH_METHOD\fR object passed as a
+parameter. This might be useful for creating a new \fBDH_METHOD\fR based on an
existing one, but with some differences.
.PP
-\&\fBDH_meth_free()\fR destroys a \fB\s-1DH_METHOD\s0\fR structure and frees up any memory
-associated with it.
+\&\fBDH_meth_free()\fR destroys a \fBDH_METHOD\fR structure and frees up any memory
+associated with it. If the argument is NULL, nothing is done.
.PP
-\&\fBDH_meth_get0_name()\fR will return a pointer to the name of this \s-1DH_METHOD.\s0 This
+\&\fBDH_meth_get0_name()\fR will return a pointer to the name of this DH_METHOD. This
is a pointer to the internal name string and so should not be freed by the
-caller. \fBDH_meth_set1_name()\fR sets the name of the \s-1DH_METHOD\s0 to \fBname\fR. The
-string is duplicated and the copy is stored in the \s-1DH_METHOD\s0 structure, so the
+caller. \fBDH_meth_set1_name()\fR sets the name of the DH_METHOD to \fBname\fR. The
+string is duplicated and the copy is stored in the DH_METHOD structure, so the
caller remains responsible for freeing the memory associated with the name.
.PP
\&\fBDH_meth_get_flags()\fR returns the current value of the flags associated with this
-\&\s-1DH_METHOD.\s0 \fBDH_meth_set_flags()\fR provides the ability to set these flags.
+DH_METHOD. \fBDH_meth_set_flags()\fR provides the ability to set these flags.
.PP
The functions \fBDH_meth_get0_app_data()\fR and \fBDH_meth_set0_app_data()\fR provide the
-ability to associate implementation specific data with the \s-1DH_METHOD.\s0 It is
-the application's responsibility to free this data before the \s-1DH_METHOD\s0 is
+ability to associate implementation specific data with the DH_METHOD. It is
+the application's responsibility to free this data before the DH_METHOD is
freed via a call to \fBDH_meth_free()\fR.
.PP
\&\fBDH_meth_get_generate_key()\fR and \fBDH_meth_set_generate_key()\fR get and set the
-function used for generating a new \s-1DH\s0 key pair respectively. This function will
+function used for generating a new DH key pair respectively. This function will
be called in response to the application calling \fBDH_generate_key()\fR. The
parameter for the function has the same meaning as for \fBDH_generate_key()\fR.
.PP
\&\fBDH_meth_get_compute_key()\fR and \fBDH_meth_set_compute_key()\fR get and set the
-function used for computing a new \s-1DH\s0 shared secret respectively. This function
+function used for computing a new DH shared secret respectively. This function
will be called in response to the application calling \fBDH_compute_key()\fR. The
parameters for the function have the same meaning as for \fBDH_compute_key()\fR.
.PP
@@ -253,39 +177,39 @@ used for computing the following value:
.PP
This function will be called by the default OpenSSL function for
\&\fBDH_generate_key()\fR. The result is stored in the \fBr\fR parameter. This function
-may be \s-1NULL\s0 unless using the default generate key function, in which case it
+may be NULL unless using the default generate key function, in which case it
must be present.
.PP
\&\fBDH_meth_get_init()\fR and \fBDH_meth_set_init()\fR get and set the function used
-for creating a new \s-1DH\s0 instance respectively. This function will be
+for creating a new DH instance respectively. This function will be
called in response to the application calling \fBDH_new()\fR (if the current default
-\&\s-1DH_METHOD\s0 is this one) or \fBDH_new_method()\fR. The \fBDH_new()\fR and \fBDH_new_method()\fR
-functions will allocate the memory for the new \s-1DH\s0 object, and a pointer to this
+DH_METHOD is this one) or \fBDH_new_method()\fR. The \fBDH_new()\fR and \fBDH_new_method()\fR
+functions will allocate the memory for the new DH object, and a pointer to this
newly allocated structure will be passed as a parameter to the function. This
-function may be \s-1NULL.\s0
+function may be NULL.
.PP
\&\fBDH_meth_get_finish()\fR and \fBDH_meth_set_finish()\fR get and set the function used
-for destroying an instance of a \s-1DH\s0 object respectively. This function will be
-called in response to the application calling \fBDH_free()\fR. A pointer to the \s-1DH\s0
+for destroying an instance of a DH object respectively. This function will be
+called in response to the application calling \fBDH_free()\fR. A pointer to the DH
to be destroyed is passed as a parameter. The destroy function should be used
-for \s-1DH\s0 implementation specific clean up. The memory for the \s-1DH\s0 itself should
-not be freed by this function. This function may be \s-1NULL.\s0
+for DH implementation specific clean up. The memory for the DH itself should
+not be freed by this function. This function may be NULL.
.PP
\&\fBDH_meth_get_generate_params()\fR and \fBDH_meth_set_generate_params()\fR get and set the
-function used for generating \s-1DH\s0 parameters respectively. This function will be
+function used for generating DH parameters respectively. This function will be
called in response to the application calling \fBDH_generate_parameters_ex()\fR (or
\&\fBDH_generate_parameters()\fR). The parameters for the function have the same
-meaning as for \fBDH_generate_parameters_ex()\fR. This function may be \s-1NULL.\s0
+meaning as for \fBDH_generate_parameters_ex()\fR. This function may be NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBDH_meth_new()\fR and \fBDH_meth_dup()\fR return the newly allocated \s-1DH_METHOD\s0 object
-or \s-1NULL\s0 on failure.
+\&\fBDH_meth_new()\fR and \fBDH_meth_dup()\fR return the newly allocated DH_METHOD object
+or NULL on failure.
.PP
\&\fBDH_meth_get0_name()\fR and \fBDH_meth_get_flags()\fR return the name and flags
-associated with the \s-1DH_METHOD\s0 respectively.
+associated with the DH_METHOD respectively.
.PP
All other DH_meth_get_*() functions return the appropriate function pointer
-that has been set in the \s-1DH_METHOD,\s0 or \s-1NULL\s0 if no such pointer has yet been
+that has been set in the DH_METHOD, or NULL if no such pointer has yet been
set.
.PP
\&\fBDH_meth_set1_name()\fR and all DH_meth_set_*() functions return 1 on success or
@@ -294,16 +218,16 @@ set.
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_new\fR\|(3), \fBDH_generate_parameters\fR\|(3), \fBDH_generate_key\fR\|(3),
\&\fBDH_set_method\fR\|(3), \fBDH_size\fR\|(3), \fBDH_get0_pqg\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
The functions described here were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_new.3 b/secure/lib/libcrypto/man/man3/DH_new.3
index d58262296079..986ea0baba35 100644
--- a/secure/lib/libcrypto/man/man3/DH_new.3
+++ b/secure/lib/libcrypto/man/man3/DH_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_NEW 3ossl"
-.TH DH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_new, DH_free \- allocate and free DH objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -153,16 +77,16 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& void DH_free(DH *dh);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBDH_new()\fR allocates and initializes a \fB\s-1DH\s0\fR structure.
+\&\fBDH_new()\fR allocates and initializes a \fBDH\fR structure.
.PP
-\&\fBDH_free()\fR frees the \fB\s-1DH\s0\fR structure and its components. The values are
+\&\fBDH_free()\fR frees the \fBDH\fR structure and its components. The values are
erased before the memory is returned to the system.
-If \fBdh\fR is \s-1NULL\s0 nothing is done.
+If \fBdh\fR is NULL nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBDH_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
+If the allocation fails, \fBDH_new()\fR returns \fBNULL\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3). Otherwise it returns
a pointer to the newly allocated structure.
.PP
@@ -172,17 +96,17 @@ a pointer to the newly allocated structure.
\&\fBDH_new\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBDH_generate_parameters\fR\|(3),
\&\fBDH_generate_key\fR\|(3),
-\&\s-1\fBEVP_PKEY\-DH\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_PKEY\-DH\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
-For replacement see \s-1\fBEVP_PKEY\-DH\s0\fR\|(7).
-.SH "COPYRIGHT"
+For replacement see \fBEVP_PKEY\-DH\fR\|(7).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3
index 05368ade538f..196e76b50c18 100644
--- a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3
+++ b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_NEW_BY_NID 3ossl"
-.TH DH_NEW_BY_NID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_NEW_BY_NID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_new_by_nid, DH_get_nid \- create or get DH named parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -153,32 +77,32 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int DH_get_nid(const DH *dh);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBDH_new_by_nid()\fR creates and returns a \s-1DH\s0 structure containing named parameters
+\&\fBDH_new_by_nid()\fR creates and returns a DH structure containing named parameters
\&\fBnid\fR. Currently \fBnid\fR must be \fBNID_ffdhe2048\fR, \fBNID_ffdhe3072\fR,
\&\fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR, \fBNID_ffdhe8192\fR,
\&\fBNID_modp_1536\fR, \fBNID_modp_2048\fR, \fBNID_modp_3072\fR,
\&\fBNID_modp_4096\fR, \fBNID_modp_6144\fR or \fBNID_modp_8192\fR.
.PP
\&\fBDH_get_nid()\fR determines if the parameters contained in \fBdh\fR match
-any named safe prime group. It returns the \s-1NID\s0 corresponding to the matching
+any named safe prime group. It returns the NID corresponding to the matching
parameters or \fBNID_undef\fR if there is no match.
This function is deprecated.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBDH_new_by_nid()\fR returns a set of \s-1DH\s0 parameters or \fB\s-1NULL\s0\fR if an error occurred.
+\&\fBDH_new_by_nid()\fR returns a set of DH parameters or \fBNULL\fR if an error occurred.
.PP
-\&\fBDH_get_nid()\fR returns the \s-1NID\s0 of the matching set of parameters for p and g
+\&\fBDH_get_nid()\fR returns the NID of the matching set of parameters for p and g
and optionally q, otherwise it returns \fBNID_undef\fR if there is no match.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_set_method.3 b/secure/lib/libcrypto/man/man3/DH_set_method.3
index 08533826ed66..e4dcb5fbec9f 100644
--- a/secure/lib/libcrypto/man/man3/DH_set_method.3
+++ b/secure/lib/libcrypto/man/man3/DH_set_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_SET_METHOD 3ossl"
-.TH DH_SET_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_SET_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_set_default_method, DH_get_default_method,
DH_set_method, DH_new_method, DH_OpenSSL \- select DH method
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -160,71 +84,71 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& const DH_METHOD *DH_OpenSSL(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use the provider APIs.
.PP
-A \fB\s-1DH_METHOD\s0\fR specifies the functions that OpenSSL uses for Diffie-Hellman
+A \fBDH_METHOD\fR specifies the functions that OpenSSL uses for Diffie-Hellman
operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
-important information about how these \s-1DH API\s0 functions are affected by the use
-of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
+such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these DH API functions are affected by the use
+of \fBENGINE\fR API calls.
.PP
-Initially, the default \s-1DH_METHOD\s0 is the OpenSSL internal implementation, as
+Initially, the default DH_METHOD is the OpenSSL internal implementation, as
returned by \fBDH_OpenSSL()\fR.
.PP
-\&\fBDH_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DH\s0
+\&\fBDH_set_default_method()\fR makes \fBmeth\fR the default method for all DH
structures created later.
-\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set
-as a default for \s-1DH,\s0 so this function is no longer recommended.
+\&\fBNB\fR: This is true only whilst no ENGINE has been set
+as a default for DH, so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
-\&\fBDH_get_default_method()\fR returns a pointer to the current default \s-1DH_METHOD.\s0
-However, the meaningfulness of this result is dependent on whether the \s-1ENGINE
-API\s0 is being used, so this function is no longer recommended.
+\&\fBDH_get_default_method()\fR returns a pointer to the current default DH_METHOD.
+However, the meaningfulness of this result is dependent on whether the ENGINE
+API is being used, so this function is no longer recommended.
.PP
\&\fBDH_set_method()\fR selects \fBmeth\fR to perform all operations using the key \fBdh\fR.
-This will replace the \s-1DH_METHOD\s0 used by the \s-1DH\s0 key and if the previous method
-was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will be released during the
-change. It is possible to have \s-1DH\s0 keys that only work with certain \s-1DH_METHOD\s0
-implementations (e.g. from an \s-1ENGINE\s0 module that supports embedded
-hardware-protected keys), and in such cases attempting to change the \s-1DH_METHOD\s0
+This will replace the DH_METHOD used by the DH key and if the previous method
+was supplied by an ENGINE, the handle to that ENGINE will be released during the
+change. It is possible to have DH keys that only work with certain DH_METHOD
+implementations (e.g. from an ENGINE module that supports embedded
+hardware-protected keys), and in such cases attempting to change the DH_METHOD
for the key can have unexpected results.
.PP
-\&\fBDH_new_method()\fR allocates and initializes a \s-1DH\s0 structure so that \fBengine\fR will
-be used for the \s-1DH\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default \s-1ENGINE\s0 for \s-1DH\s0
-operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DH_METHOD\s0 controlled by
+\&\fBDH_new_method()\fR allocates and initializes a DH structure so that \fBengine\fR will
+be used for the DH operations. If \fBengine\fR is NULL, the default ENGINE for DH
+operations is used, and if no default ENGINE is set, the DH_METHOD controlled by
\&\fBDH_set_default_method()\fR is used.
.PP
-A new \s-1DH_METHOD\s0 object may be constructed using \fBDH_meth_new()\fR (see
+A new DH_METHOD object may be constructed using \fBDH_meth_new()\fR (see
\&\fBDH_meth_new\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_OpenSSL()\fR and \fBDH_get_default_method()\fR return pointers to the respective
-\&\fB\s-1DH_METHOD\s0\fRs.
+\&\fBDH_METHOD\fRs.
.PP
\&\fBDH_set_default_method()\fR returns no value.
.PP
\&\fBDH_set_method()\fR returns nonzero if the provided \fBmeth\fR was successfully set as
-the method for \fBdh\fR (including unloading the \s-1ENGINE\s0 handle if the previous
-method was supplied by an \s-1ENGINE\s0).
+the method for \fBdh\fR (including unloading the ENGINE handle if the previous
+method was supplied by an ENGINE).
.PP
-\&\fBDH_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained by
+\&\fBDH_new_method()\fR returns NULL and sets an error code that can be obtained by
\&\fBERR_get_error\fR\|(3) if the allocation fails. Otherwise it
returns a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_new\fR\|(3), \fBDH_meth_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_size.3 b/secure/lib/libcrypto/man/man3/DH_size.3
index 6f79ffc7c4c5..ab817d3c9d61 100644
--- a/secure/lib/libcrypto/man/man3/DH_size.3
+++ b/secure/lib/libcrypto/man/man3/DH_size.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_SIZE 3ossl"
-.TH DH_SIZE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DH_SIZE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DH_size, DH_bits, DH_security_bits \- get Diffie\-Hellman prime size and
security bits
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -156,7 +80,7 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int DH_security_bits(const DH *dh);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_get_bits\fR\|(3),
@@ -164,7 +88,7 @@ Applications should instead use \fBEVP_PKEY_get_bits\fR\|(3),
.PP
\&\fBDH_bits()\fR returns the number of significant bits.
.PP
-\&\fBdh\fR and \fBdh\->p\fR must not be \fB\s-1NULL\s0\fR.
+\&\fBdh\fR and \fBdh\->p\fR must not be \fBNULL\fR.
.PP
\&\fBDH_size()\fR returns the Diffie-Hellman prime size in bytes. It can be used
to determine how much memory must be allocated for the shared secret
@@ -187,14 +111,14 @@ key. See \fBBN_security_bits\fR\|(3).
\&\fBEVP_PKEY_get_bits\fR\|(3),
\&\fBDH_new\fR\|(3), \fBDH_generate_key\fR\|(3),
\&\fBBN_num_bits\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3
index 9126bfd5fe32..8cb20574d326 100644
--- a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3
+++ b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SIG_NEW 3ossl"
-.TH DSA_SIG_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_SIG_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_SIG_get0, DSA_SIG_set0,
DSA_SIG_new, DSA_SIG_free \- allocate and free DSA signature objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
@@ -149,24 +73,25 @@ DSA_SIG_new, DSA_SIG_free \- allocate and free DSA signature objects
\& void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
\& int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBDSA_SIG_new()\fR allocates an empty \fB\s-1DSA_SIG\s0\fR structure.
+\&\fBDSA_SIG_new()\fR allocates an empty \fBDSA_SIG\fR structure.
.PP
-\&\fBDSA_SIG_free()\fR frees the \fB\s-1DSA_SIG\s0\fR structure and its components. The
+\&\fBDSA_SIG_free()\fR frees the \fBDSA_SIG\fR structure and its components. The
values are erased before the memory is returned to the system.
+If the argument is NULL, nothing is done.
.PP
\&\fBDSA_SIG_get0()\fR returns internal pointers to the \fBr\fR and \fBs\fR values contained
in \fBsig\fR.
.PP
The \fBr\fR and \fBs\fR values can be set by calling \fBDSA_SIG_set0()\fR and passing the
new values for \fBr\fR and \fBs\fR as parameters to the function. Calling this
-function transfers the memory management of the values to the \s-1DSA_SIG\s0 object,
+function transfers the memory management of the values to the DSA_SIG object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBDSA_SIG_new()\fR returns \fB\s-1NULL\s0\fR and sets an
+If the allocation fails, \fBDSA_SIG_new()\fR returns \fBNULL\fR and sets an
error code that can be obtained by
\&\fBERR_get_error\fR\|(3). Otherwise it returns a pointer
to the newly allocated structure.
@@ -178,11 +103,11 @@ to the newly allocated structure.
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_get_bn_param\fR\|(3),
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_do_sign.3 b/secure/lib/libcrypto/man/man3/DSA_do_sign.3
index e0987e2943ce..a96bab885629 100644
--- a/secure/lib/libcrypto/man/man3/DSA_do_sign.3
+++ b/secure/lib/libcrypto/man/man3/DSA_do_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_DO_SIGN 3ossl"
-.TH DSA_DO_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_DO_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_do_sign, DSA_do_verify \- raw DSA signature operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -154,7 +78,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& int DSA_do_verify(const unsigned char *dgst, int dgst_len,
\& DSA_SIG *sig, DSA *dsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_sign_init\fR\|(3), \fBEVP_PKEY_sign\fR\|(3),
@@ -162,7 +86,7 @@ Applications should instead use \fBEVP_PKEY_sign_init\fR\|(3), \fBEVP_PKEY_sign\
.PP
\&\fBDSA_do_sign()\fR computes a digital signature on the \fBlen\fR byte message
digest \fBdgst\fR using the private key \fBdsa\fR and returns it in a
-newly allocated \fB\s-1DSA_SIG\s0\fR structure.
+newly allocated \fBDSA_SIG\fR structure.
.PP
\&\fBDSA_sign_setup\fR\|(3) may be used to precompute part
of the signing operation in case signature generation is
@@ -173,7 +97,7 @@ message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer's public
key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBDSA_do_sign()\fR returns the signature, \s-1NULL\s0 on error. \fBDSA_do_verify()\fR
+\&\fBDSA_do_sign()\fR returns the signature, NULL on error. \fBDSA_do_verify()\fR
returns 1 for a valid signature, 0 for an incorrect signature and \-1
on error. The error codes can be obtained by
\&\fBERR_get_error\fR\|(3).
@@ -182,14 +106,14 @@ on error. The error codes can be obtained by
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_SIG_new\fR\|(3),
\&\fBDSA_sign\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3
index a3519db15f54..1e20a5cc8d1e 100644
--- a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3
+++ b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,116 +52,56 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_DUP_DH 3ossl"
-.TH DSA_DUP_DH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_DUP_DH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_dup_DH \- create a DH structure out of DSA structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& DH *DSA_dup_DH(const DSA *r);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function described on this page is deprecated. There is no direct
-replacement, applications should use the \s-1EVP_PKEY\s0 APIs for Diffie-Hellman
+replacement, applications should use the EVP_PKEY APIs for Diffie-Hellman
operations.
.PP
-\&\fBDSA_dup_DH()\fR duplicates \s-1DSA\s0 parameters/keys as \s-1DH\s0 parameters/keys. q
-is lost during that conversion, but the resulting \s-1DH\s0 parameters
+\&\fBDSA_dup_DH()\fR duplicates DSA parameters/keys as DH parameters/keys. q
+is lost during that conversion, but the resulting DH parameters
contain its length.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBDSA_dup_DH()\fR returns the new \fB\s-1DH\s0\fR structure, and \s-1NULL\s0 on error. The
+\&\fBDSA_dup_DH()\fR returns the new \fBDH\fR structure, and NULL on error. The
error codes can be obtained by \fBERR_get_error\fR\|(3).
-.SH "NOTE"
+.SH NOTE
.IX Header "NOTE"
Be careful to avoid small subgroup attacks when using this.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This function was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_key.3 b/secure/lib/libcrypto/man/man3/DSA_generate_key.3
index 9b510e2e42f0..f450c084ea09 100644
--- a/secure/lib/libcrypto/man/man3/DSA_generate_key.3
+++ b/secure/lib/libcrypto/man/man3/DSA_generate_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_GENERATE_KEY 3ossl"
-.TH DSA_GENERATE_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_GENERATE_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_generate_key \- generate DSA key pair
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& int DSA_generate_key(DSA *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_keygen_init\fR\|(3) and
-\&\fBEVP_PKEY_keygen\fR\|(3) as described in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7).
+\&\fBEVP_PKEY_keygen\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7).
.PP
-\&\fBDSA_generate_key()\fR expects \fBa\fR to contain \s-1DSA\s0 parameters. It generates
+\&\fBDSA_generate_key()\fR expects \fBa\fR to contain DSA parameters. It generates
a new key pair and stores it in \fBa\->pub_key\fR and \fBa\->priv_key\fR.
.PP
The random generator must be seeded prior to calling \fBDSA_generate_key()\fR.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_generate_key()\fR returns 1 on success, 0 otherwise.
@@ -171,14 +95,14 @@ The error codes can be obtained by \fBERR_get_error\fR\|(3).
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_generate_parameters_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This function was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3
index 36d668a6f5fa..07b2ae937823 100644
--- a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3
+++ b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_GENERATE_PARAMETERS 3ossl"
-.TH DSA_GENERATE_PARAMETERS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_GENERATE_PARAMETERS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_generate_parameters_ex, DSA_generate_parameters \- generate DSA parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -156,7 +80,7 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following functions have been deprecated since OpenSSL 0.9.8, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -164,87 +88,87 @@ see \fBopenssl_user_macros\fR\|(7):
\& int *counter_ret, unsigned long *h_ret,
\& void (*callback)(int, int, void *), void *cb_arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_paramgen_init\fR\|(3) and
-\&\fBEVP_PKEY_keygen\fR\|(3) as described in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7).
+\&\fBEVP_PKEY_keygen\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7).
.PP
\&\fBDSA_generate_parameters_ex()\fR generates primes p and q and a generator g
-for use in the \s-1DSA\s0 and stores the result in \fBdsa\fR.
+for use in the DSA and stores the result in \fBdsa\fR.
.PP
\&\fBbits\fR is the length of the prime p to be generated.
For lengths under 2048 bits, the length of q is 160 bits; for lengths
greater than or equal to 2048 bits, the length of q is set to 256 bits.
.PP
-If \fBseed\fR is \s-1NULL,\s0 the primes will be generated at random.
+If \fBseed\fR is NULL, the primes will be generated at random.
If \fBseed_len\fR is less than the length of q, an error is returned.
.PP
\&\fBDSA_generate_parameters_ex()\fR places the iteration count in
*\fBcounter_ret\fR and a counter used for finding a generator in
-*\fBh_ret\fR, unless these are \fB\s-1NULL\s0\fR.
+*\fBh_ret\fR, unless these are \fBNULL\fR.
.PP
A callback function may be used to provide feedback about the progress
-of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be
-called as shown below. For information on the \s-1BN_GENCB\s0 structure and the
+of the key generation. If \fBcb\fR is not \fBNULL\fR, it will be
+called as shown below. For information on the BN_GENCB structure and the
BN_GENCB_call function discussed below, refer to
\&\fBBN_generate_prime\fR\|(3).
.PP
-\&\fBDSA_generate_prime()\fR is similar to \fBDSA_generate_prime_ex()\fR but
+\&\fBDSA_generate_parameters()\fR is similar to \fBDSA_generate_parameters_ex()\fR but
expects an old-style callback function; see
\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback.
-.IP "\(bu" 2
+.IP \(bu 2
When a candidate for q is generated, \fBBN_GENCB_call(cb, 0, m++)\fR is called
(m is 0 for the first candidate).
-.IP "\(bu" 2
+.IP \(bu 2
When a candidate for q has passed a test by trial division,
\&\fBBN_GENCB_call(cb, 1, \-1)\fR is called.
While a candidate for q is tested by Miller-Rabin primality tests,
\&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop
(once for each witness that confirms that the candidate may be prime);
i is the loop counter (starting at 0).
-.IP "\(bu" 2
+.IP \(bu 2
When a prime q has been found, \fBBN_GENCB_call(cb, 2, 0)\fR and
\&\fBBN_GENCB_call(cb, 3, 0)\fR are called.
-.IP "\(bu" 2
+.IP \(bu 2
Before a candidate for p (other than the first) is generated and tested,
\&\fBBN_GENCB_call(cb, 0, counter)\fR is called.
-.IP "\(bu" 2
+.IP \(bu 2
When a candidate for p has passed the test by trial division,
\&\fBBN_GENCB_call(cb, 1, \-1)\fR is called.
While it is tested by the Miller-Rabin primality test,
\&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop
(once for each witness that confirms that the candidate may be prime).
i is the loop counter (starting at 0).
-.IP "\(bu" 2
+.IP \(bu 2
When p has been found, \fBBN_GENCB_call(cb, 2, 1)\fR is called.
-.IP "\(bu" 2
+.IP \(bu 2
When the generator has been found, \fBBN_GENCB_call(cb, 3, 1)\fR is called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_generate_parameters_ex()\fR returns a 1 on success, or 0 otherwise.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.PP
-\&\fBDSA_generate_parameters()\fR returns a pointer to the \s-1DSA\s0 structure or
-\&\fB\s-1NULL\s0\fR if the parameter generation fails.
-.SH "BUGS"
+\&\fBDSA_generate_parameters()\fR returns a pointer to the DSA structure or
+\&\fBNULL\fR if the parameter generation fails.
+.SH BUGS
.IX Header "BUGS"
Seed lengths greater than 20 are not supported.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_free\fR\|(3), \fBBN_generate_prime\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBDSA_generate_parameters_ex()\fR was deprecated in OpenSSL 3.0.
.PP
\&\fBDSA_generate_parameters()\fR was deprecated in OpenSSL 0.9.8; use
\&\fBDSA_generate_parameters_ex()\fR instead.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3
index e3a65b520c8d..f7c090b4fc64 100644
--- a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3
+++ b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_GET0_PQG 3ossl"
-.TH DSA_GET0_PQG 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_GET0_PQG 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_get0_pqg, DSA_set0_pqg, DSA_get0_key, DSA_set0_key,
DSA_get0_p, DSA_get0_q, DSA_get0_g,
DSA_get0_pub_key, DSA_get0_priv_key,
DSA_clear_flags, DSA_test_flags, DSA_set_flags,
DSA_get0_engine \- Routines for getting and
setting data in a DSA object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -170,38 +94,38 @@ see \fBopenssl_user_macros\fR\|(7):
\& void DSA_set_flags(DSA *d, int flags);
\& ENGINE *DSA_get0_engine(DSA *d);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_get_bn_param\fR\|(3).
.PP
-A \s-1DSA\s0 object contains the parameters \fBp\fR, \fBq\fR and \fBg\fR. It also contains a
+A DSA object contains the parameters \fBp\fR, \fBq\fR and \fBg\fR. It also contains a
public key (\fBpub_key\fR) and (optionally) a private key (\fBpriv_key\fR).
.PP
The \fBp\fR, \fBq\fR and \fBg\fR parameters can be obtained by calling \fBDSA_get0_pqg()\fR.
If the parameters have not yet been set then \fB*p\fR, \fB*q\fR and \fB*g\fR will be set
-to \s-1NULL.\s0 Otherwise they are set to pointers to their respective values. These
+to NULL. Otherwise they are set to pointers to their respective values. These
point directly to the internal representations of the values and therefore
should not be freed directly.
.PP
The \fBp\fR, \fBq\fR and \fBg\fR values can be set by calling \fBDSA_set0_pqg()\fR and passing
the new values for \fBp\fR, \fBq\fR and \fBg\fR as parameters to the function. Calling
-this function transfers the memory management of the values to the \s-1DSA\s0 object,
+this function transfers the memory management of the values to the DSA object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.
.PP
To get the public and private key values use the \fBDSA_get0_key()\fR function. A
pointer to the public key will be stored in \fB*pub_key\fR, and a pointer to the
-private key will be stored in \fB*priv_key\fR. Either may be \s-1NULL\s0 if they have not
+private key will be stored in \fB*priv_key\fR. Either may be NULL if they have not
been set yet, although if the private key has been set then the public key must
be. The values point to the internal representation of the public key and
private key values. This memory should not be freed directly.
.PP
The public and private key values can be set using \fBDSA_set0_key()\fR. The public
-key must be non-NULL the first time this function is called on a given \s-1DSA\s0
-object. The private key may be \s-1NULL.\s0 On subsequent calls, either may be \s-1NULL,\s0
-which means the corresponding \s-1DSA\s0 field is left untouched. As for \fBDSA_set0_pqg()\fR
-this function transfers the memory management of the key values to the \s-1DSA\s0
+key must be non-NULL the first time this function is called on a given DSA
+object. The private key may be NULL. On subsequent calls, either may be NULL,
+which means the corresponding DSA field is left untouched. As for \fBDSA_set0_pqg()\fR
+this function transfers the memory management of the key values to the DSA
object, and therefore they should not be freed directly after this function has
been called.
.PP
@@ -209,19 +133,19 @@ Any of the values \fBp\fR, \fBq\fR, \fBg\fR, \fBpriv_key\fR, and \fBpub_key\fR c
retrieved separately by the corresponding function \fBDSA_get0_p()\fR, \fBDSA_get0_q()\fR,
\&\fBDSA_get0_g()\fR, \fBDSA_get0_priv_key()\fR, and \fBDSA_get0_pub_key()\fR, respectively.
.PP
-\&\fBDSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1DSA\s0 object.
+\&\fBDSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the DSA object.
Multiple flags can be passed in one go (bitwise ORed together). Any flags that
are already set are left set. \fBDSA_test_flags()\fR tests to see whether the flags
-passed in the \fBflags\fR parameter are currently set in the \s-1DSA\s0 object. Multiple
+passed in the \fBflags\fR parameter are currently set in the DSA object. Multiple
flags can be tested in one go. All flags that are currently set are returned, or
zero if none of the flags are set. \fBDSA_clear_flags()\fR clears the specified flags
-within the \s-1DSA\s0 object.
+within the DSA object.
.PP
-\&\fBDSA_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for this \s-1DSA\s0
-object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set.
-.SH "NOTES"
+\&\fBDSA_get0_engine()\fR returns a handle to the ENGINE that has been set for this DSA
+object, or NULL if no such ENGINE has been set.
+.SH NOTES
.IX Header "NOTES"
-Values retrieved with \fBDSA_get0_key()\fR are owned by the \s-1DSA\s0 object used
+Values retrieved with \fBDSA_get0_key()\fR are owned by the DSA object used
in the call and may therefore \fInot\fR be passed to \fBDSA_set0_key()\fR. If
needed, duplicate the received value using \fBBN_dup()\fR and pass the
duplicate. The same applies to \fBDSA_get0_pqg()\fR and \fBDSA_set0_pqg()\fR.
@@ -229,9 +153,9 @@ duplicate. The same applies to \fBDSA_get0_pqg()\fR and \fBDSA_set0_pqg()\fR.
.IX Header "RETURN VALUES"
\&\fBDSA_set0_pqg()\fR and \fBDSA_set0_key()\fR return 1 on success or 0 on failure.
.PP
-\&\fBDSA_test_flags()\fR returns the current state of the flags in the \s-1DSA\s0 object.
+\&\fBDSA_test_flags()\fR returns the current state of the flags in the DSA object.
.PP
-\&\fBDSA_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1DSA\s0 object or \s-1NULL\s0 if no \s-1ENGINE\s0
+\&\fBDSA_get0_engine()\fR returns the ENGINE set for the DSA object or NULL if no ENGINE
has been set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -239,15 +163,15 @@ has been set.
\&\fBDSA_new\fR\|(3), \fBDSA_new\fR\|(3), \fBDSA_generate_parameters\fR\|(3), \fBDSA_generate_key\fR\|(3),
\&\fBDSA_dup_DH\fR\|(3), \fBDSA_do_sign\fR\|(3), \fBDSA_set_method\fR\|(3), \fBDSA_SIG_new\fR\|(3),
\&\fBDSA_sign\fR\|(3), \fBDSA_size\fR\|(3), \fBDSA_meth_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0 and deprecated in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_meth_new.3 b/secure/lib/libcrypto/man/man3/DSA_meth_new.3
index 1a036a2b22d6..75f8d0f2bd03 100644
--- a/secure/lib/libcrypto/man/man3/DSA_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/DSA_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_METH_NEW 3ossl"
-.TH DSA_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_meth_new, DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name,
DSA_meth_set1_name, DSA_meth_get_flags, DSA_meth_set_flags,
DSA_meth_get0_app_data, DSA_meth_set0_app_data, DSA_meth_get_sign,
@@ -146,14 +70,14 @@ DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp,
DSA_meth_get_init, DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish,
DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen,
DSA_meth_set_keygen \- Routines to build up DSA methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -225,56 +149,56 @@ see \fBopenssl_user_macros\fR\|(7):
\& int (*DSA_meth_get_keygen(const DSA_METHOD *dsam))(DSA *);
\& int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen)(DSA *));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications and extension implementations should instead use the
-\&\s-1OSSL_PROVIDER\s0 APIs.
+OSSL_PROVIDER APIs.
.PP
-The \fB\s-1DSA_METHOD\s0\fR type is a structure used for the provision of custom \s-1DSA\s0
+The \fBDSA_METHOD\fR type is a structure used for the provision of custom DSA
implementations. It provides a set of functions used by OpenSSL for the
-implementation of the various \s-1DSA\s0 capabilities.
+implementation of the various DSA capabilities.
.PP
-\&\fBDSA_meth_new()\fR creates a new \fB\s-1DSA_METHOD\s0\fR structure. It should be given a
-unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a \s-1NULL\s0 terminated
-string, which will be duplicated and stored in the \fB\s-1DSA_METHOD\s0\fR object. It is
+\&\fBDSA_meth_new()\fR creates a new \fBDSA_METHOD\fR structure. It should be given a
+unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a NULL terminated
+string, which will be duplicated and stored in the \fBDSA_METHOD\fR object. It is
the callers responsibility to free the original string. The flags will be used
-during the construction of a new \fB\s-1DSA\s0\fR object based on this \fB\s-1DSA_METHOD\s0\fR. Any
-new \fB\s-1DSA\s0\fR object will have those flags set by default.
+during the construction of a new \fBDSA\fR object based on this \fBDSA_METHOD\fR. Any
+new \fBDSA\fR object will have those flags set by default.
.PP
-\&\fBDSA_meth_dup()\fR creates a duplicate copy of the \fB\s-1DSA_METHOD\s0\fR object passed as a
-parameter. This might be useful for creating a new \fB\s-1DSA_METHOD\s0\fR based on an
+\&\fBDSA_meth_dup()\fR creates a duplicate copy of the \fBDSA_METHOD\fR object passed as a
+parameter. This might be useful for creating a new \fBDSA_METHOD\fR based on an
existing one, but with some differences.
.PP
-\&\fBDSA_meth_free()\fR destroys a \fB\s-1DSA_METHOD\s0\fR structure and frees up any memory
-associated with it.
+\&\fBDSA_meth_free()\fR destroys a \fBDSA_METHOD\fR structure and frees up any memory
+associated with it. If the argument is NULL, nothing is done.
.PP
-\&\fBDSA_meth_get0_name()\fR will return a pointer to the name of this \s-1DSA_METHOD.\s0 This
+\&\fBDSA_meth_get0_name()\fR will return a pointer to the name of this DSA_METHOD. This
is a pointer to the internal name string and so should not be freed by the
-caller. \fBDSA_meth_set1_name()\fR sets the name of the \s-1DSA_METHOD\s0 to \fBname\fR. The
-string is duplicated and the copy is stored in the \s-1DSA_METHOD\s0 structure, so the
+caller. \fBDSA_meth_set1_name()\fR sets the name of the DSA_METHOD to \fBname\fR. The
+string is duplicated and the copy is stored in the DSA_METHOD structure, so the
caller remains responsible for freeing the memory associated with the name.
.PP
\&\fBDSA_meth_get_flags()\fR returns the current value of the flags associated with this
-\&\s-1DSA_METHOD.\s0 \fBDSA_meth_set_flags()\fR provides the ability to set these flags.
+DSA_METHOD. \fBDSA_meth_set_flags()\fR provides the ability to set these flags.
.PP
The functions \fBDSA_meth_get0_app_data()\fR and \fBDSA_meth_set0_app_data()\fR provide the
-ability to associate implementation specific data with the \s-1DSA_METHOD.\s0 It is
-the application's responsibility to free this data before the \s-1DSA_METHOD\s0 is
+ability to associate implementation specific data with the DSA_METHOD. It is
+the application's responsibility to free this data before the DSA_METHOD is
freed via a call to \fBDSA_meth_free()\fR.
.PP
\&\fBDSA_meth_get_sign()\fR and \fBDSA_meth_set_sign()\fR get and set the function used for
-creating a \s-1DSA\s0 signature respectively. This function will be
+creating a DSA signature respectively. This function will be
called in response to the application calling \fBDSA_do_sign()\fR (or \fBDSA_sign()\fR). The
parameters for the function have the same meaning as for \fBDSA_do_sign()\fR.
.PP
\&\fBDSA_meth_get_sign_setup()\fR and \fBDSA_meth_set_sign_setup()\fR get and set the function
-used for precalculating the \s-1DSA\s0 signature values \fBk^\-1\fR and \fBr\fR. This function
+used for precalculating the DSA signature values \fBk^\-1\fR and \fBr\fR. This function
will be called in response to the application calling \fBDSA_sign_setup()\fR. The
parameters for the function have the same meaning as for \fBDSA_sign_setup()\fR.
.PP
\&\fBDSA_meth_get_verify()\fR and \fBDSA_meth_set_verify()\fR get and set the function used
-for verifying a \s-1DSA\s0 signature respectively. This function will be called in
+for verifying a DSA signature respectively. This function will be called in
response to the application calling \fBDSA_do_verify()\fR (or \fBDSA_verify()\fR). The
parameters for the function have the same meaning as for \fBDSA_do_verify()\fR.
.PP
@@ -286,8 +210,8 @@ for computing the following value:
.Ve
.PP
This function will be called by the default OpenSSL method during verification
-of a \s-1DSA\s0 signature. The result is stored in the \fBrr\fR parameter. This function
-may be \s-1NULL.\s0
+of a DSA signature. The result is stored in the \fBrr\fR parameter. This function
+may be NULL.
.PP
\&\fBDSA_meth_get_bn_mod_exp()\fR and \fBDSA_meth_set_bn_mod_exp()\fR get and set the function
used for computing the following value:
@@ -298,43 +222,43 @@ used for computing the following value:
.PP
This function will be called by the default OpenSSL function for
\&\fBDSA_sign_setup()\fR. The result is stored in the \fBr\fR parameter. This function
-may be \s-1NULL.\s0
+may be NULL.
.PP
\&\fBDSA_meth_get_init()\fR and \fBDSA_meth_set_init()\fR get and set the function used
-for creating a new \s-1DSA\s0 instance respectively. This function will be
+for creating a new DSA instance respectively. This function will be
called in response to the application calling \fBDSA_new()\fR (if the current default
-\&\s-1DSA_METHOD\s0 is this one) or \fBDSA_new_method()\fR. The \fBDSA_new()\fR and \fBDSA_new_method()\fR
-functions will allocate the memory for the new \s-1DSA\s0 object, and a pointer to this
+DSA_METHOD is this one) or \fBDSA_new_method()\fR. The \fBDSA_new()\fR and \fBDSA_new_method()\fR
+functions will allocate the memory for the new DSA object, and a pointer to this
newly allocated structure will be passed as a parameter to the function. This
-function may be \s-1NULL.\s0
+function may be NULL.
.PP
\&\fBDSA_meth_get_finish()\fR and \fBDSA_meth_set_finish()\fR get and set the function used
-for destroying an instance of a \s-1DSA\s0 object respectively. This function will be
-called in response to the application calling \fBDSA_free()\fR. A pointer to the \s-1DSA\s0
+for destroying an instance of a DSA object respectively. This function will be
+called in response to the application calling \fBDSA_free()\fR. A pointer to the DSA
to be destroyed is passed as a parameter. The destroy function should be used
-for \s-1DSA\s0 implementation specific clean up. The memory for the \s-1DSA\s0 itself should
-not be freed by this function. This function may be \s-1NULL.\s0
+for DSA implementation specific clean up. The memory for the DSA itself should
+not be freed by this function. This function may be NULL.
.PP
\&\fBDSA_meth_get_paramgen()\fR and \fBDSA_meth_set_paramgen()\fR get and set the function
-used for generating \s-1DSA\s0 parameters respectively. This function will be called in
+used for generating DSA parameters respectively. This function will be called in
response to the application calling \fBDSA_generate_parameters_ex()\fR (or
\&\fBDSA_generate_parameters()\fR). The parameters for the function have the same
meaning as for \fBDSA_generate_parameters_ex()\fR.
.PP
\&\fBDSA_meth_get_keygen()\fR and \fBDSA_meth_set_keygen()\fR get and set the function
-used for generating a new \s-1DSA\s0 key pair respectively. This function will be
+used for generating a new DSA key pair respectively. This function will be
called in response to the application calling \fBDSA_generate_key()\fR. The parameter
for the function has the same meaning as for \fBDSA_generate_key()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBDSA_meth_new()\fR and \fBDSA_meth_dup()\fR return the newly allocated \s-1DSA_METHOD\s0 object
-or \s-1NULL\s0 on failure.
+\&\fBDSA_meth_new()\fR and \fBDSA_meth_dup()\fR return the newly allocated DSA_METHOD object
+or NULL on failure.
.PP
\&\fBDSA_meth_get0_name()\fR and \fBDSA_meth_get_flags()\fR return the name and flags
-associated with the \s-1DSA_METHOD\s0 respectively.
+associated with the DSA_METHOD respectively.
.PP
All other DSA_meth_get_*() functions return the appropriate function pointer
-that has been set in the \s-1DSA_METHOD,\s0 or \s-1NULL\s0 if no such pointer has yet been
+that has been set in the DSA_METHOD, or NULL if no such pointer has yet been
set.
.PP
\&\fBDSA_meth_set1_name()\fR and all DSA_meth_set_*() functions return 1 on success or
@@ -344,16 +268,16 @@ set.
\&\fBDSA_new\fR\|(3), \fBDSA_new\fR\|(3), \fBDSA_generate_parameters\fR\|(3), \fBDSA_generate_key\fR\|(3),
\&\fBDSA_dup_DH\fR\|(3), \fBDSA_do_sign\fR\|(3), \fBDSA_set_method\fR\|(3), \fBDSA_SIG_new\fR\|(3),
\&\fBDSA_sign\fR\|(3), \fBDSA_size\fR\|(3), \fBDSA_get0_pqg\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were deprecated in OpenSSL 3.0.
.PP
The functions described here were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_new.3 b/secure/lib/libcrypto/man/man3/DSA_new.3
index 980d2c78c72e..bbd8afe7e3e8 100644
--- a/secure/lib/libcrypto/man/man3/DSA_new.3
+++ b/secure/lib/libcrypto/man/man3/DSA_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_NEW 3ossl"
-.TH DSA_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_new, DSA_free \- allocate and free DSA objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -153,20 +77,20 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& void DSA_free(DSA *dsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_new\fR\|(3) and \fBEVP_PKEY_free\fR\|(3).
.PP
-\&\fBDSA_new()\fR allocates and initializes a \fB\s-1DSA\s0\fR structure. It is equivalent to
-calling DSA_new_method(\s-1NULL\s0).
+\&\fBDSA_new()\fR allocates and initializes a \fBDSA\fR structure. It is equivalent to
+calling DSA_new_method(NULL).
.PP
-\&\fBDSA_free()\fR frees the \fB\s-1DSA\s0\fR structure and its components. The values are
+\&\fBDSA_free()\fR frees the \fBDSA\fR structure and its components. The values are
erased before the memory is returned to the system.
-If \fBdsa\fR is \s-1NULL\s0 nothing is done.
+If \fBdsa\fR is NULL nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBDSA_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
+If the allocation fails, \fBDSA_new()\fR returns \fBNULL\fR and sets an error
code that can be obtained by
\&\fBERR_get_error\fR\|(3). Otherwise it returns a pointer
to the newly allocated structure.
@@ -178,14 +102,14 @@ to the newly allocated structure.
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBDSA_generate_parameters\fR\|(3),
\&\fBDSA_generate_key\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_set_method.3 b/secure/lib/libcrypto/man/man3/DSA_set_method.3
index 79176a342a64..923c20391104 100644
--- a/secure/lib/libcrypto/man/man3/DSA_set_method.3
+++ b/secure/lib/libcrypto/man/man3/DSA_set_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SET_METHOD 3ossl"
-.TH DSA_SET_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_SET_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_set_default_method, DSA_get_default_method,
DSA_set_method, DSA_new_method, DSA_OpenSSL \- select DSA method
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -160,71 +84,71 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& const DSA_METHOD *DSA_OpenSSL(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should providers instead of method overrides.
.PP
-A \fB\s-1DSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1DSA\s0
+A \fBDSA_METHOD\fR specifies the functions that OpenSSL uses for DSA
operations. By modifying the method, alternative implementations
-such as hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
-important information about how these \s-1DSA API\s0 functions are affected by the use
-of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
+such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these DSA API functions are affected by the use
+of \fBENGINE\fR API calls.
.PP
-Initially, the default \s-1DSA_METHOD\s0 is the OpenSSL internal implementation,
+Initially, the default DSA_METHOD is the OpenSSL internal implementation,
as returned by \fBDSA_OpenSSL()\fR.
.PP
-\&\fBDSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DSA\s0
+\&\fBDSA_set_default_method()\fR makes \fBmeth\fR the default method for all DSA
structures created later.
-\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
-been set as a default for \s-1DSA,\s0 so this function is no longer recommended.
+\&\fBNB\fR: This is true only whilst no ENGINE has
+been set as a default for DSA, so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBDSA_get_default_method()\fR returns a pointer to the current default
-\&\s-1DSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
-whether the \s-1ENGINE API\s0 is being used, so this function is no longer
+DSA_METHOD. However, the meaningfulness of this result is dependent on
+whether the ENGINE API is being used, so this function is no longer
recommended.
.PP
\&\fBDSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
-\&\fBrsa\fR. This will replace the \s-1DSA_METHOD\s0 used by the \s-1DSA\s0 key and if the
-previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
-be released during the change. It is possible to have \s-1DSA\s0 keys that only
-work with certain \s-1DSA_METHOD\s0 implementations (e.g. from an \s-1ENGINE\s0 module
+\&\fBrsa\fR. This will replace the DSA_METHOD used by the DSA key and if the
+previous method was supplied by an ENGINE, the handle to that ENGINE will
+be released during the change. It is possible to have DSA keys that only
+work with certain DSA_METHOD implementations (e.g. from an ENGINE module
that supports embedded hardware-protected keys), and in such cases
-attempting to change the \s-1DSA_METHOD\s0 for the key can have unexpected
-results. See \fBDSA_meth_new\fR\|(3) for information on constructing custom \s-1DSA_METHOD\s0
+attempting to change the DSA_METHOD for the key can have unexpected
+results. See \fBDSA_meth_new\fR\|(3) for information on constructing custom DSA_METHOD
objects;
.PP
-\&\fBDSA_new_method()\fR allocates and initializes a \s-1DSA\s0 structure so that \fBengine\fR
-will be used for the \s-1DSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default engine
-for \s-1DSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DSA_METHOD\s0
+\&\fBDSA_new_method()\fR allocates and initializes a DSA structure so that \fBengine\fR
+will be used for the DSA operations. If \fBengine\fR is NULL, the default engine
+for DSA operations is used, and if no default ENGINE is set, the DSA_METHOD
controlled by \fBDSA_set_default_method()\fR is used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_OpenSSL()\fR and \fBDSA_get_default_method()\fR return pointers to the respective
-\&\fB\s-1DSA_METHOD\s0\fRs.
+\&\fBDSA_METHOD\fRs.
.PP
\&\fBDSA_set_default_method()\fR returns no value.
.PP
\&\fBDSA_set_method()\fR returns nonzero if the provided \fBmeth\fR was successfully set as
-the method for \fBdsa\fR (including unloading the \s-1ENGINE\s0 handle if the previous
-method was supplied by an \s-1ENGINE\s0).
+the method for \fBdsa\fR (including unloading the ENGINE handle if the previous
+method was supplied by an ENGINE).
.PP
-\&\fBDSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be
+\&\fBDSA_new_method()\fR returns NULL and sets an error code that can be
obtained by \fBERR_get_error\fR\|(3) if the allocation
fails. Otherwise it returns a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBDSA_new\fR\|(3), \fBDSA_meth_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_sign.3 b/secure/lib/libcrypto/man/man3/DSA_sign.3
index 5e9d5bac023f..56613a5fe66f 100644
--- a/secure/lib/libcrypto/man/man3/DSA_sign.3
+++ b/secure/lib/libcrypto/man/man3/DSA_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SIGN 3ossl"
-.TH DSA_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_sign, DSA_sign_setup, DSA_verify \- DSA signatures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -157,20 +81,20 @@ see \fBopenssl_user_macros\fR\|(7):
\& int DSA_verify(int type, const unsigned char *dgst, int len,
\& unsigned char *sigbuf, int siglen, DSA *dsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_sign_init\fR\|(3), \fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3).
.PP
\&\fBDSA_sign()\fR computes a digital signature on the \fBlen\fR byte message
-digest \fBdgst\fR using the private key \fBdsa\fR and places its \s-1ASN.1 DER\s0
+digest \fBdgst\fR using the private key \fBdsa\fR and places its ASN.1 DER
encoding at \fBsigret\fR. The length of the signature is places in
*\fBsiglen\fR. \fBsigret\fR must point to DSA_size(\fBdsa\fR) bytes of memory.
.PP
\&\fBDSA_sign_setup()\fR is defined only for backward binary compatibility and
should not be used.
-Since OpenSSL 1.1.0 the \s-1DSA\s0 type is opaque and the output of
+Since OpenSSL 1.1.0 the DSA type is opaque and the output of
\&\fBDSA_sign_setup()\fR cannot be used anyway: calling this function will only
cause overhead, and does not affect the actual signature
(pre\-)computation.
@@ -183,8 +107,8 @@ The \fBtype\fR parameter is ignored.
.PP
The random generator must be seeded when \fBDSA_sign()\fR (or \fBDSA_sign_setup()\fR)
is called.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_sign()\fR and \fBDSA_sign_setup()\fR return 1 on success, 0 on error.
@@ -193,21 +117,21 @@ signature and \-1 on error. The error codes can be obtained by
\&\fBERR_get_error\fR\|(3).
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS186\-4\s0 (Digital Signature
-Standard, \s-1DSS\s0), \s-1ANSI X9.30\s0
+US Federal Information Processing Standard FIPS186\-4 (Digital Signature
+Standard, DSS), ANSI X9.30
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_do_sign\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_size.3 b/secure/lib/libcrypto/man/man3/DSA_size.3
index dd82f2bc4334..cd66133d09f2 100644
--- a/secure/lib/libcrypto/man/man3/DSA_size.3
+++ b/secure/lib/libcrypto/man/man3/DSA_size.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SIZE 3ossl"
-.TH DSA_SIZE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DSA_SIZE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DSA_size, DSA_bits, DSA_security_bits \- get DSA signature size, key bits or security bits
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -155,7 +79,7 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int DSA_security_bits(const DSA *dsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_get_bits\fR\|(3),
@@ -164,9 +88,9 @@ Applications should instead use \fBEVP_PKEY_get_bits\fR\|(3),
\&\fBDSA_bits()\fR returns the number of bits in key \fIdsa\fR: this is the number
of bits in the \fIp\fR parameter.
.PP
-\&\fBDSA_size()\fR returns the maximum size of an \s-1ASN.1\s0 encoded \s-1DSA\s0 signature
+\&\fBDSA_size()\fR returns the maximum size of an ASN.1 encoded DSA signature
for key \fIdsa\fR in bytes. It can be used to determine how much memory must
-be allocated for a \s-1DSA\s0 signature.
+be allocated for a DSA signature.
.PP
\&\fBDSA_security_bits()\fR returns the number of security bits of the given \fIdsa\fR
key. See \fBBN_security_bits\fR\|(3).
@@ -186,14 +110,14 @@ hold any key parameters.
\&\fBEVP_PKEY_get_security_bits\fR\|(3),
\&\fBEVP_PKEY_get_size\fR\|(3),
\&\fBDSA_new\fR\|(3), \fBDSA_sign\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3
index 49d2b0ae1253..d2bb1c4a06f0 100644
--- a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3
+++ b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,99 +52,39 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DTLS_GET_DATA_MTU 3ossl"
-.TH DTLS_GET_DATA_MTU 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DTLS_GET_DATA_MTU 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DTLS_get_data_mtu \- Get maximum data payload size
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& size_t DTLS_get_data_mtu(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This function obtains the maximum data payload size for the established
-\&\s-1DTLS\s0 connection \fBssl\fR, based on the \s-1DTLS\s0 record \s-1MTU\s0 and the overhead
-of the \s-1DTLS\s0 record header, encryption and authentication currently in use.
+DTLS connection \fBssl\fR, based on the DTLS record MTU and the overhead
+of the DTLS record header, encryption and authentication currently in use.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns the maximum data payload size on success, or 0 on failure.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBDTLS_get_data_mtu()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3
index 440455cd5e1b..a83547083ce6 100644
--- a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3
+++ b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DTLS_SET_TIMER_CB 3ossl"
-.TH DTLS_SET_TIMER_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DTLS_SET_TIMER_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DTLS_timer_cb,
DTLS_set_timer_cb
\&\- Set callback for controlling DTLS timer duration
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,22 +73,33 @@ DTLS_set_timer_cb
\&
\& void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This function sets an optional callback function for controlling the
-timeout interval on the \s-1DTLS\s0 protocol. The callback function will be
-called by \s-1DTLS\s0 for every new \s-1DTLS\s0 packet that is sent.
+timeout interval on the DTLS protocol. The callback function will be
+called by DTLS for every new DTLS packet that is sent.
+.PP
+The callback should return the timeout interval in micro seconds.
+.PP
+The \fItimer_us\fR parameter of the callback is the last set timeout
+interval returned. On the first invocation of the callback,
+this value will be 0.
+.PP
+At the beginning of the connection, if no timeout callback has been
+set via \fBDTLS_set_timer_cb()\fR, the default timeout value is 1 second.
+For all subsequent timeouts, the default behavior is to double the
+duration up to a maximum of 1 minute.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns void.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBDTLS_set_timer_cb()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3 b/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3
new file mode 100644
index 000000000000..5e0e05e3ba29
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/DTLSv1_get_timeout.3
@@ -0,0 +1,112 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "DTLSV1_GET_TIMEOUT 3ossl"
+.TH DTLSV1_GET_TIMEOUT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+DTLSv1_get_timeout \- determine when a DTLS or QUIC SSL object next needs a
+timeout event to be handled
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int DTLSv1_get_timeout(SSL *s, struct timeval *tv);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBDTLSv1_get_timeout()\fR can be used on a DTLS or QUIC SSL object to determine when
+the SSL object next needs to perform internal processing due to the passage of
+time.
+.PP
+Calling \fBDTLSv1_get_timeout()\fR results in \fI*tv\fR being written with an amount of
+time left before the SSL object needs have \fBDTLSv1_handle_timeout()\fR called on it.
+If the SSL object needs to be ticked immediately, \fI*tv\fR is zeroed and the
+function succeeds, returning 1. If no timeout is currently active, this function
+returns 0.
+.PP
+This function is only applicable to DTLS and QUIC objects. It fails if called on
+any other kind of SSL object.
+.PP
+Note that the value output by a call to \fBDTLSv1_get_timeout()\fR may change as a
+result of other calls to the SSL object.
+.PP
+Once the timeout expires, \fBDTLSv1_handle_timeout()\fR should be called to handle any
+internal processing which is due; for more information, see
+\&\fBDTLSv1_handle_timeout\fR\|(3).
+.PP
+\&\fBSSL_get_event_timeout\fR\|(3) supersedes all use cases for this this function and
+may be used instead of it.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+On success, writes a duration to \fI*tv\fR and returns 1.
+.PP
+Returns 0 on failure, or if no timeout is currently active.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBDTLSv1_handle_timeout\fR\|(3), \fBSSL_get_event_timeout\fR\|(3), \fBssl\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3 b/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3
new file mode 100644
index 000000000000..f38101311d89
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/DTLSv1_handle_timeout.3
@@ -0,0 +1,105 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "DTLSV1_HANDLE_TIMEOUT 3ossl"
+.TH DTLSV1_HANDLE_TIMEOUT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+DTLSv1_handle_timeout \- handle a pending timeout event for a DTLS or QUIC SSL
+object
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int DTLSv1_handle_timeout(SSL *ssl);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBDTLSv1_handle_timeout()\fR handles any timeout events which have become pending
+on a DTLS or QUIC SSL object.
+.PP
+Use \fBDTLSv1_get_timeout\fR\|(3) or \fBSSL_get_event_timeout\fR\|(3) to determine
+when to call \fBDTLSv1_handle_timeout()\fR.
+.PP
+This function is only applicable to DTLS or QUIC SSL objects. It returns 0 if
+called on any other kind of SSL object.
+.PP
+\&\fBSSL_handle_events\fR\|(3) supersedes all use cases for this function and may
+be used instead of it.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 if there was a pending timeout event and it was handled successfully.
+.PP
+Returns 0 if there was no pending timeout event, or if the SSL object is not a
+DTLS or QUIC object.
+.PP
+Returns \-1 if there was a pending timeout event but it could not be handled
+successfully.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBDTLSv1_get_timeout\fR\|(3), \fBSSL_handle_events\fR\|(3), \fBssl\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3
index eba62a4ffe1d..87b26dca2bc7 100644
--- a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3
+++ b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DTLSV1_LISTEN 3ossl"
-.TH DTLSV1_LISTEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DTLSV1_LISTEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_stateless,
DTLSv1_listen
\&\- Statelessly listen for incoming connections
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -148,54 +72,54 @@ DTLSv1_listen
\& int SSL_stateless(SSL *s);
\& int DTLSv1_listen(SSL *ssl, BIO_ADDR *peer);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_stateless()\fR statelessly listens for new incoming TLSv1.3 connections.
-\&\fBDTLSv1_listen()\fR statelessly listens for new incoming \s-1DTLS\s0 connections. If a
+\&\fBDTLSv1_listen()\fR statelessly listens for new incoming DTLS connections. If a
ClientHello is received that does not contain a cookie, then they respond with a
request for a new ClientHello that does contain a cookie. If a ClientHello is
received with a cookie that is verified then the function returns in order to
enable the handshake to be completed (for example by using \fBSSL_accept()\fR).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Some transport protocols (such as \s-1UDP\s0) can be susceptible to amplification
-attacks. Unlike \s-1TCP\s0 there is no initial connection setup in \s-1UDP\s0 that
+Some transport protocols (such as UDP) can be susceptible to amplification
+attacks. Unlike TCP there is no initial connection setup in UDP that
validates that the client can actually receive messages on its advertised source
-address. An attacker could forge its source \s-1IP\s0 address and then send handshake
+address. An attacker could forge its source IP address and then send handshake
initiation messages to the server. The server would then send its response to
-the forged source \s-1IP.\s0 If the response messages are larger than the original
+the forged source IP. If the response messages are larger than the original
message then the amplification attack has succeeded.
.PP
-If \s-1DTLS\s0 is used over \s-1UDP\s0 (or any datagram based protocol that does not validate
-the source \s-1IP\s0) then it is susceptible to this type of attack. TLSv1.3 is
-designed to operate over a stream-based transport protocol (such as \s-1TCP\s0).
-If \s-1TCP\s0 is being used then there is no need to use \fBSSL_stateless()\fR. However, some
-stream-based transport protocols (e.g. \s-1QUIC\s0) may not validate the source
+If DTLS is used over UDP (or any datagram based protocol that does not validate
+the source IP) then it is susceptible to this type of attack. TLSv1.3 is
+designed to operate over a stream-based transport protocol (such as TCP).
+If TCP is being used then there is no need to use \fBSSL_stateless()\fR. However, some
+stream-based transport protocols (e.g. QUIC) may not validate the source
address. In this case a TLSv1.3 application would be susceptible to this attack.
.PP
-As a countermeasure to this issue TLSv1.3 and \s-1DTLS\s0 include a stateless cookie
+As a countermeasure to this issue TLSv1.3 and DTLS include a stateless cookie
mechanism. The idea is that when a client attempts to connect to a server it
sends a ClientHello message. The server responds with a HelloRetryRequest (in
-TLSv1.3) or a HelloVerifyRequest (in \s-1DTLS\s0) which contains a unique cookie. The
+TLSv1.3) or a HelloVerifyRequest (in DTLS) which contains a unique cookie. The
client then resends the ClientHello, but this time includes the cookie in the
message thus proving that the client is capable of receiving messages sent to
that address. All of this can be done by the server without allocating any
state, and thus without consuming expensive resources.
.PP
OpenSSL implements this capability via the \fBSSL_stateless()\fR and \fBDTLSv1_listen()\fR
-functions. The \fBssl\fR parameter should be a newly allocated \s-1SSL\s0 object with its
+functions. The \fBssl\fR parameter should be a newly allocated SSL object with its
read and write BIOs set, in the same way as might be done for a call to
-\&\fBSSL_accept()\fR. Typically, for \s-1DTLS,\s0 the read \s-1BIO\s0 will be in an \*(L"unconnected\*(R"
+\&\fBSSL_accept()\fR. Typically, for DTLS, the read BIO will be in an "unconnected"
state and thus capable of receiving messages from any peer.
.PP
When a ClientHello is received that contains a cookie that has been verified,
then these functions will return with the \fBssl\fR parameter updated into a state
where the handshake can be continued by a call to (for example) \fBSSL_accept()\fR.
-Additionally, for \fBDTLSv1_listen()\fR, the \fB\s-1BIO_ADDR\s0\fR pointed to by \fBpeer\fR will be
+Additionally, for \fBDTLSv1_listen()\fR, the \fBBIO_ADDR\fR pointed to by \fBpeer\fR will be
filled in with details of the peer that sent the ClientHello. If the underlying
-\&\s-1BIO\s0 is unable to obtain the \fB\s-1BIO_ADDR\s0\fR of the peer (for example because the \s-1BIO\s0
+BIO is unable to obtain the \fBBIO_ADDR\fR of the peer (for example because the BIO
does not support this), then \fB*peer\fR will be cleared and the family set to
-\&\s-1AF_UNSPEC.\s0 Typically user code is expected to \*(L"connect\*(R" the underlying socket to
+AF_UNSPEC. Typically user code is expected to "connect" the underlying socket to
the peer and continue the handshake in a connected state.
.PP
Warning: It is essential that the calling code connects the underlying socket to
@@ -203,17 +127,17 @@ the peer after making use of \fBDTLSv1_listen()\fR. In the typical case where
\&\fBBIO_s_datagram\fR\|(3) is used, the peer address is updated when receiving a
datagram on an unconnected socket. If the socket is not connected, it can
receive datagrams from any host on the network, which will cause subsequent
-outgoing datagrams transmitted by \s-1DTLS\s0 to be transmitted to that host. In other
+outgoing datagrams transmitted by DTLS to be transmitted to that host. In other
words, failing to call \fBBIO_connect()\fR or a similar OS-specific function on a
-socket means that any host on the network can cause outgoing \s-1DTLS\s0 traffic to be
+socket means that any host on the network can cause outgoing DTLS traffic to be
redirected to it by sending a datagram to the socket in question. This does not
-break the cryptographic protections of \s-1DTLS\s0 but may facilitate a
-denial-of-service attack or allow unencrypted information in the \s-1DTLS\s0 handshake
+break the cryptographic protections of DTLS but may facilitate a
+denial-of-service attack or allow unencrypted information in the DTLS handshake
to be learned by an attacker. This is due to the historical design of
\&\fBBIO_s_datagram\fR\|(3); see \fBBIO_s_datagram\fR\|(3) for details on this issue.
.PP
Once a socket has been connected, \fBBIO_ctrl_set_connected\fR\|(3) should be used to
-inform the \s-1BIO\s0 that the socket is to be used in connected mode.
+inform the BIO that the socket is to be used in connected mode.
.PP
Prior to calling \fBDTLSv1_listen()\fR user code must ensure that cookie generation
and verification callbacks have been set up using
@@ -227,15 +151,18 @@ require the allocation of state). An implication of this is that \fBDTLSv1_liste
\&\fBonly\fR supports ClientHellos that fit inside a single datagram.
.PP
For \fBSSL_stateless()\fR if an entire ClientHello message cannot be read without the
-\&\*(L"read\*(R" \s-1BIO\s0 becoming empty then the \fBSSL_stateless()\fR call will fail. It is the
-application's responsibility to ensure that data read from the \*(L"read\*(R" \s-1BIO\s0 during
+"read" BIO becoming empty then the \fBSSL_stateless()\fR call will fail. It is the
+application's responsibility to ensure that data read from the "read" BIO during
a single \fBSSL_stateless()\fR call is all from the same peer.
.PP
-\&\fBSSL_stateless()\fR will fail (with a 0 return value) if some \s-1TLS\s0 version less than
+\&\fBSSL_stateless()\fR will fail (with a 0 return value) if some TLS version less than
TLSv1.3 is used.
.PP
Both \fBSSL_stateless()\fR and \fBDTLSv1_listen()\fR will clear the error queue when they
start.
+.PP
+\&\fBSSL_stateless()\fR cannot be used with QUIC SSL objects and returns an error if
+called on such an object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
For \fBSSL_stateless()\fR a return value of 1 indicates success and the \fBssl\fR object
@@ -248,7 +175,7 @@ will be set up ready to continue the handshake. the \fBpeer\fR value will also
filled in.
.PP
A return value of 0 indicates a non-fatal error. This could (for
-example) be because of nonblocking \s-1IO,\s0 or some invalid message having been
+example) be because of nonblocking IO, or some invalid message having been
received from a peer. Errors may be placed on the OpenSSL error queue with
further information if appropriate. Typically user code is expected to retry the
call to \fBDTLSv1_listen()\fR in the event of a non-fatal error.
@@ -265,17 +192,17 @@ errors as non-fatal), whilst return codes >0 indicate success.
\&\fBSSL_CTX_set_stateless_cookie_generate_cb\fR\|(3),
\&\fBSSL_CTX_set_stateless_cookie_verify_cb\fR\|(3), \fBSSL_get_error\fR\|(3),
\&\fBSSL_accept\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_stateless()\fR function was added in OpenSSL 1.1.1.
.PP
The \fBDTLSv1_listen()\fR return codes were clarified in OpenSSL 1.1.0.
-The type of \*(L"peer\*(R" also changed in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+The type of "peer" also changed in OpenSSL 1.1.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3
index 0a3d7133dab6..ca4735fd6c0a 100644
--- a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3
+++ b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ECDSA_SIG_NEW 3ossl"
-.TH ECDSA_SIG_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ECDSA_SIG_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ECDSA_SIG_new, ECDSA_SIG_free,
ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0
\&\- Functions for creating, destroying and manipulating ECDSA_SIG objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ecdsa.h>
@@ -152,24 +76,25 @@ ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0
\& const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
\& int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1ECDSA_SIG\s0\fR is an opaque structure consisting of two BIGNUMs for the
-\&\fIr\fR and \fIs\fR value of an Elliptic Curve Digital Signature Algorithm (\s-1ECDSA\s0) signature
-(see \s-1FIPS186\-4\s0 or X9.62).
-The \fB\s-1ECDSA_SIG\s0\fR object was mainly used by the deprecated low level functions described in
+\&\fBECDSA_SIG\fR is an opaque structure consisting of two BIGNUMs for the
+\&\fIr\fR and \fIs\fR value of an Elliptic Curve Digital Signature Algorithm (ECDSA) signature
+(see FIPS186\-4 or X9.62).
+The \fBECDSA_SIG\fR object was mainly used by the deprecated low level functions described in
\&\fBECDSA_sign\fR\|(3), it is still required in order to be able to set or get the values of
\&\fIr\fR and \fIs\fR into or from a signature. This is mainly used for testing purposes as shown
-in the \*(L"\s-1EXAMPLES\*(R"\s0.
+in the "EXAMPLES".
.PP
-\&\fBECDSA_SIG_new()\fR allocates an empty \fB\s-1ECDSA_SIG\s0\fR structure.
+\&\fBECDSA_SIG_new()\fR allocates an empty \fBECDSA_SIG\fR structure.
Note: before OpenSSL 1.1.0, the \fIr\fR and \fIs\fR components were initialised.
.PP
-\&\fBECDSA_SIG_free()\fR frees the \fB\s-1ECDSA_SIG\s0\fR structure \fIsig\fR.
+\&\fBECDSA_SIG_free()\fR frees the \fBECDSA_SIG\fR structure \fIsig\fR.
+If the argument is NULL, nothing is done.
.PP
\&\fBECDSA_SIG_get0()\fR returns internal pointers the \fIr\fR and \fIs\fR values contained
in \fIsig\fR and stores them in \fI*pr\fR and \fI*ps\fR, respectively.
-The pointer \fIpr\fR or \fIps\fR can be \s-1NULL,\s0 in which case the corresponding value
+The pointer \fIpr\fR or \fIps\fR can be NULL, in which case the corresponding value
is not returned.
.PP
The values \fIr\fR, \fIs\fR can also be retrieved separately by the corresponding
@@ -177,22 +102,22 @@ function \fBECDSA_SIG_get0_r()\fR and \fBECDSA_SIG_get0_s()\fR, respectively.
.PP
Non-NULL \fIr\fR and \fIs\fR values can be set on the \fIsig\fR by calling
\&\fBECDSA_SIG_set0()\fR. Calling this function transfers the memory management of the
-values to the \fB\s-1ECDSA_SIG\s0\fR object, and therefore the values that have been
+values to the \fBECDSA_SIG\fR object, and therefore the values that have been
passed in should not be freed by the caller.
.PP
See \fBi2d_ECDSA_SIG\fR\|(3) and \fBd2i_ECDSA_SIG\fR\|(3) for information about encoding
-and decoding \s-1ECDSA\s0 signatures to/from \s-1DER.\s0
+and decoding ECDSA signatures to/from DER.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBECDSA_SIG_new()\fR returns \s-1NULL\s0 if the allocation fails.
+\&\fBECDSA_SIG_new()\fR returns NULL if the allocation fails.
.PP
\&\fBECDSA_SIG_set0()\fR returns 1 on success or 0 on failure.
.PP
\&\fBECDSA_SIG_get0_r()\fR and \fBECDSA_SIG_get0_s()\fR return the corresponding value,
-or \s-1NULL\s0 if it is unset.
-.SH "EXAMPLES"
+or NULL if it is unset.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Extract signature \fIr\fR and \fIs\fR values from a \s-1ECDSA\s0 \fIsignature\fR
+Extract signature \fIr\fR and \fIs\fR values from a ECDSA \fIsignature\fR
of size \fIsignaturelen\fR:
.PP
.Vb 2
@@ -218,7 +143,7 @@ of size \fIsignaturelen\fR:
\& ECDSA_SIG_free(obj);
.Ve
.PP
-Convert \fIr\fR and \fIs\fR byte arrays into an \s-1ECDSA_SIG\s0 \fIsignature\fR of
+Convert \fIr\fR and \fIs\fR byte arrays into an ECDSA_SIG \fIsignature\fR of
size \fIsignaturelen\fR:
.PP
.Vb 4
@@ -256,9 +181,9 @@ size \fIsignaturelen\fR:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ANSI X9.62,
-US\s0 Federal Information Processing Standard \s-1FIPS186\-4\s0
-(Digital Signature Standard, \s-1DSS\s0)
+ANSI X9.62,
+US Federal Information Processing Standard FIPS186\-4
+(Digital Signature Standard, DSS)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEC_KEY_new\fR\|(3),
@@ -268,11 +193,11 @@ US\s0 Federal Information Processing Standard \s-1FIPS186\-4\s0
\&\fBi2d_ECDSA_SIG\fR\|(3),
\&\fBd2i_ECDSA_SIG\fR\|(3),
\&\fBECDSA_sign\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2004\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ECDSA_sign.3 b/secure/lib/libcrypto/man/man3/ECDSA_sign.3
index 08e466880236..469664dbcf11 100644
--- a/secure/lib/libcrypto/man/man3/ECDSA_sign.3
+++ b/secure/lib/libcrypto/man/man3/ECDSA_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,27 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ECDSA_SIGN 3ossl"
-.TH ECDSA_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ECDSA_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ECDSA_size, ECDSA_sign, ECDSA_do_sign,
ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex,
ECDSA_do_sign_ex \- deprecated low\-level elliptic curve digital signature algorithm
(ECDSA) functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ecdsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -172,58 +96,58 @@ see \fBopenssl_user_macros\fR\|(7):
\& unsigned char *sig, unsigned int *siglen,
\& const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-See \fBECDSA_SIG_new\fR\|(3) for a description of the \fB\s-1ECDSA_SIG\s0\fR object.
+See \fBECDSA_SIG_new\fR\|(3) for a description of the \fBECDSA_SIG\fR object.
.PP
See \fBi2d_ECDSA_SIG\fR\|(3) and \fBd2i_ECDSA_SIG\fR\|(3) for information about encoding
-and decoding \s-1ECDSA\s0 signatures to/from \s-1DER.\s0
+and decoding ECDSA signatures to/from DER.
.PP
All of the functions described below are deprecated. Applications should
-use the higher level \fB\s-1EVP\s0\fR interface such as \fBEVP_DigestSignInit\fR\|(3)
+use the higher level \fBEVP\fR interface such as \fBEVP_DigestSignInit\fR\|(3)
or \fBEVP_DigestVerifyInit\fR\|(3) instead.
.PP
-\&\fBECDSA_size()\fR returns the maximum length of a \s-1DER\s0 encoded \s-1ECDSA\s0 signature
-created with the private \s-1EC\s0 key \fIeckey\fR. To obtain the actual signature
-size use \fBEVP_PKEY_sign\fR\|(3) with a \s-1NULL\s0 \fIsig\fR parameter.
+\&\fBECDSA_size()\fR returns the maximum length of a DER encoded ECDSA signature
+created with the private EC key \fIeckey\fR. To obtain the actual signature
+size use \fBEVP_PKEY_sign\fR\|(3) with a NULL \fIsig\fR parameter.
.PP
\&\fBECDSA_sign()\fR computes a digital signature of the \fIdgstlen\fR bytes hash value
-\&\fIdgst\fR using the private \s-1EC\s0 key \fIeckey\fR. The \s-1DER\s0 encoded signatures is
-stored in \fIsig\fR and its length is returned in \fIsig_len\fR. Note: \fIsig\fR must
+\&\fIdgst\fR using the private EC key \fIeckey\fR. The DER encoded signatures is
+stored in \fIsig\fR and its length is returned in \fIsiglen\fR. Note: \fIsig\fR must
point to ECDSA_size(eckey) bytes of memory. The parameter \fItype\fR is currently
ignored. \fBECDSA_sign()\fR is wrapper function for \fBECDSA_sign_ex()\fR with \fIkinv\fR
-and \fIrp\fR set to \s-1NULL.\s0
+and \fIrp\fR set to NULL.
.PP
\&\fBECDSA_do_sign()\fR is similar to \fBECDSA_sign()\fR except the signature is returned
-as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error). \fBECDSA_do_sign()\fR
+as a newly allocated \fBECDSA_SIG\fR structure (or NULL on error). \fBECDSA_do_sign()\fR
is a wrapper function for \fBECDSA_do_sign_ex()\fR with \fIkinv\fR and \fIrp\fR set to
-\&\s-1NULL.\s0
+NULL.
.PP
\&\fBECDSA_verify()\fR verifies that the signature in \fIsig\fR of size \fIsiglen\fR is a
-valid \s-1ECDSA\s0 signature of the hash value \fIdgst\fR of size \fIdgstlen\fR using the
+valid ECDSA signature of the hash value \fIdgst\fR of size \fIdgstlen\fR using the
public key \fIeckey\fR. The parameter \fItype\fR is ignored.
.PP
\&\fBECDSA_do_verify()\fR is similar to \fBECDSA_verify()\fR except the signature is
-presented in the form of a pointer to an \fB\s-1ECDSA_SIG\s0\fR structure.
+presented in the form of a pointer to an \fBECDSA_SIG\fR structure.
.PP
The remaining functions utilise the internal \fIkinv\fR and \fIr\fR values used
during signature computation. Most applications will never need to call these
-and some external \s-1ECDSA ENGINE\s0 implementations may not support them at all if
-either \fIkinv\fR or \fIr\fR is not \s-1NULL.\s0
+and some external ECDSA ENGINE implementations may not support them at all if
+either \fIkinv\fR or \fIr\fR is not NULL.
.PP
\&\fBECDSA_sign_setup()\fR may be used to precompute parts of the signing operation.
-\&\fIeckey\fR is the private \s-1EC\s0 key and \fIctx\fR is a pointer to \fB\s-1BN_CTX\s0\fR structure
-(or \s-1NULL\s0). The precomputed values or returned in \fIkinv\fR and \fIrp\fR and can be
+\&\fIeckey\fR is the private EC key and \fIctx\fR is a pointer to \fBBN_CTX\fR structure
+(or NULL). The precomputed values or returned in \fIkinv\fR and \fIrp\fR and can be
used in a later call to \fBECDSA_sign_ex()\fR or \fBECDSA_do_sign_ex()\fR.
.PP
\&\fBECDSA_sign_ex()\fR computes a digital signature of the \fIdgstlen\fR bytes hash value
-\&\fIdgst\fR using the private \s-1EC\s0 key \fIeckey\fR and the optional pre-computed values
-\&\fIkinv\fR and \fIrp\fR. The \s-1DER\s0 encoded signature is stored in \fIsig\fR and its
-length is returned in \fIsig_len\fR. Note: \fIsig\fR must point to ECDSA_size(eckey)
+\&\fIdgst\fR using the private EC key \fIeckey\fR and the optional pre-computed values
+\&\fIkinv\fR and \fIrp\fR. The DER encoded signature is stored in \fIsig\fR and its
+length is returned in \fIsiglen\fR. Note: \fIsig\fR must point to ECDSA_size(eckey)
bytes of memory. The parameter \fItype\fR is ignored.
.PP
\&\fBECDSA_do_sign_ex()\fR is similar to \fBECDSA_sign_ex()\fR except the signature is
-returned as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error).
+returned as a newly allocated \fBECDSA_SIG\fR structure (or NULL on error).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBECDSA_size()\fR returns the maximum length signature or 0 on error.
@@ -232,18 +156,18 @@ returned as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 o
or 0 on error.
.PP
\&\fBECDSA_do_sign()\fR and \fBECDSA_do_sign_ex()\fR return a pointer to an allocated
-\&\fB\s-1ECDSA_SIG\s0\fR structure or \s-1NULL\s0 on error.
+\&\fBECDSA_SIG\fR structure or NULL on error.
.PP
\&\fBECDSA_verify()\fR and \fBECDSA_do_verify()\fR return 1 for a valid
signature, 0 for an invalid signature and \-1 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Creating an \s-1ECDSA\s0 signature of a given \s-1SHA\-256\s0 hash value using the
+Creating an ECDSA signature of a given SHA\-256 hash value using the
named curve prime256v1 (aka P\-256).
-This example uses deprecated functionality. See \*(L"\s-1DESCRIPTION\*(R"\s0.
+This example uses deprecated functionality. See "DESCRIPTION".
.PP
-First step: create an \s-1EC_KEY\s0 object (note: this part is \fBnot\fR \s-1ECDSA\s0
+First step: create an EC_KEY object (note: this part is \fBnot\fR ECDSA
specific)
.PP
.Vb 3
@@ -258,7 +182,7 @@ specific)
\& /* error */
.Ve
.PP
-Second step: compute the \s-1ECDSA\s0 signature of a \s-1SHA\-256\s0 hash value
+Second step: compute the ECDSA signature of a SHA\-256 hash value
using \fBECDSA_do_sign()\fR:
.PP
.Vb 3
@@ -280,7 +204,7 @@ or using \fBECDSA_sign()\fR:
\& /* error */
.Ve
.PP
-Third step: verify the created \s-1ECDSA\s0 signature using \fBECDSA_do_verify()\fR:
+Third step: verify the created ECDSA signature using \fBECDSA_do_verify()\fR:
.PP
.Vb 1
\& ret = ECDSA_do_verify(digest, 32, sig, eckey);
@@ -304,8 +228,8 @@ and finally evaluate the return value:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ANSI X9.62, US\s0 Federal Information Processing Standard \s-1FIPS186\-2\s0
-(Digital Signature Standard, \s-1DSS\s0)
+ANSI X9.62, US Federal Information Processing Standard FIPS186\-2
+(Digital Signature Standard, DSS)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEC_KEY_new\fR\|(3),
@@ -314,14 +238,14 @@ and finally evaluate the return value:
\&\fBEVP_PKEY_sign\fR\|(3)
\&\fBi2d_ECDSA_SIG\fR\|(3),
\&\fBd2i_ECDSA_SIG\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All functionality described here was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2004\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3
index 376608257533..1cf6e55fd693 100644
--- a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3
+++ b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ECPKPARAMETERS_PRINT 3ossl"
-.TH ECPKPARAMETERS_PRINT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ECPKPARAMETERS_PRINT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ECPKParameters_print, ECPKParameters_print_fp \- Functions for decoding and
encoding ASN1 representations of elliptic curve entities
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
\& int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_print_params\fR\|(3)
.PP
The ECPKParameters represent the public parameters for an
-\&\fB\s-1EC_GROUP\s0\fR structure, which represents a curve.
+\&\fBEC_GROUP\fR structure, which represents a curve.
.PP
The \fBECPKParameters_print()\fR and \fBECPKParameters_print_fp()\fR functions print
-a human-readable output of the public parameters of the \s-1EC_GROUP\s0 to \fBbp\fR
+a human-readable output of the public parameters of the EC_GROUP to \fBbp\fR
or \fBfp\fR. The output lines are indented by \fBoff\fR spaces.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -173,14 +97,14 @@ return 1 for success and 0 if an error occurs.
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3
index b8ae359b54ef..8cdd6c939d90 100644
--- a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3
+++ b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_GFP_SIMPLE_METHOD 3ossl"
-.TH EC_GFP_SIMPLE_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_GFP_SIMPLE_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method, EC_GF2m_simple_method, EC_METHOD_get_field_type \- Functions for obtaining EC_METHOD objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 6
@@ -160,15 +84,15 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int EC_METHOD_get_field_type(const EC_METHOD *meth);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-All const \s-1EC_METHOD\s0 *EC_GF* functions were deprecated in OpenSSL 3.0, since
-\&\s-1EC_METHOD\s0 is no longer a public concept.
+All const EC_METHOD *EC_GF* functions were deprecated in OpenSSL 3.0, since
+EC_METHOD is no longer a public concept.
.PP
The Elliptic Curve library provides a number of different implementations through a single common interface.
When constructing a curve using EC_GROUP_new (see \fBEC_GROUP_new\fR\|(3)) an
implementation method must be provided. The functions described here all return a const pointer to an
-\&\fB\s-1EC_METHOD\s0\fR structure that can be passed to \s-1EC_GROUP_NEW.\s0 It is important that the correct implementation
+\&\fBEC_METHOD\fR structure that can be passed to EC_GROUP_NEW. It is important that the correct implementation
type for the form of curve selected is used.
.PP
For F2^m curves there is only one implementation choice, i.e. EC_GF2_simple_method.
@@ -176,38 +100,38 @@ For F2^m curves there is only one implementation choice, i.e. EC_GF2_simple_meth
For Fp curves the lowest common denominator implementation is the EC_GFp_simple_method implementation. All
other implementations are based on this one. EC_GFp_mont_method builds on EC_GFp_simple_method but adds the
use of montgomery multiplication (see \fBBN_mod_mul_montgomery\fR\|(3)). EC_GFp_nist_method
-offers an implementation optimised for use with \s-1NIST\s0 recommended curves (\s-1NIST\s0 curves are available through
+offers an implementation optimised for use with NIST recommended curves (NIST curves are available through
EC_GROUP_new_by_curve_name as described in \fBEC_GROUP_new\fR\|(3)).
.PP
The functions EC_GFp_nistp224_method, EC_GFp_nistp256_method and EC_GFp_nistp521_method offer 64 bit
-optimised implementations for the \s-1NIST P224, P256\s0 and P521 curves respectively. Note, however, that these
+optimised implementations for the NIST P224, P256 and P521 curves respectively. Note, however, that these
implementations are not available on all platforms.
.PP
\&\fBEC_METHOD_get_field_type()\fR was deprecated in OpenSSL 3.0.
Applications should use \fBEC_GROUP_get_field_type()\fR as a replacement (see \fBEC_GROUP_copy\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-All EC_GFp* functions and EC_GF2m_simple_method always return a const pointer to an \s-1EC_METHOD\s0 structure.
+All EC_GFp* functions and EC_GF2m_simple_method always return a const pointer to an EC_METHOD structure.
.PP
-EC_METHOD_get_field_type returns an integer that identifies the type of field the \s-1EC_METHOD\s0 structure supports.
+EC_METHOD_get_field_type returns an integer that identifies the type of field the EC_METHOD structure supports.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBd2i_ECPKParameters\fR\|(3),
\&\fBBN_mod_mul_montgomery\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEC_GFp_simple_method()\fR, EC_GFp_mont_method(void),
\&\fBEC_GFp_nist_method()\fR, \fBEC_GFp_nistp224_method()\fR,
\&\fBEC_GFp_nistp256_method()\fR, \fBEC_GFp_nistp521_method()\fR,
\&\fBEC_GF2m_simple_method()\fR, and \fBEC_METHOD_get_field_type()\fR
were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2013\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3
index 1c8e41eda72a..38b74ce8c8f6 100644
--- a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3
+++ b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_GROUP_COPY 3ossl"
-.TH EC_GROUP_COPY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_GROUP_COPY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EC_GROUP_get0_order, EC_GROUP_order_bits, EC_GROUP_get0_cofactor,
EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator,
EC_GROUP_get0_generator, EC_GROUP_get_order, EC_GROUP_get_cofactor,
@@ -150,7 +74,7 @@ EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis,
EC_GROUP_get_pentanomial_basis, EC_GROUP_get0_field,
EC_GROUP_get_field_type
\&\- Functions for manipulating EC_GROUP objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
@@ -201,21 +125,21 @@ EC_GROUP_get_field_type
.Ve
.PP
The following function has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBEC_GROUP_copy()\fR copies the curve \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR must use the same \s-1EC_METHOD.\s0
+\&\fBEC_GROUP_copy()\fR copies the curve \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR must use the same EC_METHOD.
.PP
-\&\fBEC_GROUP_dup()\fR creates a new \s-1EC_GROUP\s0 object and copies the content from \fBsrc\fR to the newly created
-\&\s-1EC_GROUP\s0 object.
+\&\fBEC_GROUP_dup()\fR creates a new EC_GROUP object and copies the content from \fBsrc\fR to the newly created
+EC_GROUP object.
.PP
-\&\fBEC_GROUP_method_of()\fR obtains the \s-1EC_METHOD\s0 of \fBgroup\fR.
-This function was deprecated in OpenSSL 3.0, since \s-1EC_METHOD\s0 is no longer a public concept.
+\&\fBEC_GROUP_method_of()\fR obtains the EC_METHOD of \fBgroup\fR.
+This function was deprecated in OpenSSL 3.0, since EC_METHOD is no longer a public concept.
.PP
\&\fBEC_GROUP_set_generator()\fR sets curve parameters that must be agreed by all participants using the curve. These
parameters include the \fBgenerator\fR, the \fBorder\fR and the \fBcofactor\fR. The \fBgenerator\fR is a well defined point on the
@@ -232,24 +156,24 @@ is not set or set to zero).
into \fBcofactor\fR. It fails in case \fBgroup\fR is not fully initialized or if the
cofactor is not set (or set to zero).
.PP
-The functions \fBEC_GROUP_set_curve_name()\fR and \fBEC_GROUP_get_curve_name()\fR, set and get the \s-1NID\s0 for the curve respectively
-(see \fBEC_GROUP_new\fR\|(3)). If a curve does not have a \s-1NID\s0 associated with it, then EC_GROUP_get_curve_name
+The functions \fBEC_GROUP_set_curve_name()\fR and \fBEC_GROUP_get_curve_name()\fR, set and get the NID for the curve respectively
+(see \fBEC_GROUP_new\fR\|(3)). If a curve does not have a NID associated with it, then EC_GROUP_get_curve_name
will return NID_undef.
.PP
The asn1_flag value is used to determine whether the curve encoding uses
-explicit parameters or a named curve using an \s-1ASN1 OID:\s0 many applications only
-support the latter form. If asn1_flag is \fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR then the
+explicit parameters or a named curve using an ASN1 OID: many applications only
+support the latter form. If asn1_flag is \fBOPENSSL_EC_NAMED_CURVE\fR then the
named curve form is used and the parameters must have a corresponding
-named curve \s-1NID\s0 set. If asn1_flags is \fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR the
+named curve NID set. If asn1_flags is \fBOPENSSL_EC_EXPLICIT_CURVE\fR the
parameters are explicitly encoded. The functions \fBEC_GROUP_get_asn1_flag()\fR and
\&\fBEC_GROUP_set_asn1_flag()\fR get and set the status of the asn1_flag for the curve.
-Note: \fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR was added in OpenSSL 1.1.0, for
+Note: \fBOPENSSL_EC_EXPLICIT_CURVE\fR was added in OpenSSL 1.1.0, for
previous versions of OpenSSL the value 0 must be used instead. Before OpenSSL
1.1.0 the default form was to use explicit parameters (meaning that
applications would have to explicitly set the named curve form) in OpenSSL
1.1.0 and later the named curve form is the default.
.PP
-The point_conversion_form for a curve controls how \s-1EC_POINT\s0 data is encoded as \s-1ASN1\s0 as defined in X9.62 (\s-1ECDSA\s0).
+The point_conversion_form for a curve controls how EC_POINT data is encoded as ASN1 as defined in X9.62 (ECDSA).
point_conversion_form_t is an enum defined as follows:
.PP
.Vb 10
@@ -265,33 +189,33 @@ point_conversion_form_t is an enum defined as follows:
\& } point_conversion_form_t;
.Ve
.PP
-For \s-1POINT_CONVERSION_UNCOMPRESSED\s0 the point is encoded as an octet signifying the \s-1UNCOMPRESSED\s0 form has been used followed by
+For POINT_CONVERSION_UNCOMPRESSED the point is encoded as an octet signifying the UNCOMPRESSED form has been used followed by
the octets for x, followed by the octets for y.
.PP
For any given x coordinate for a point on a curve it is possible to derive two possible y values. For
-\&\s-1POINT_CONVERSION_COMPRESSED\s0 the point is encoded as an octet signifying that the \s-1COMPRESSED\s0 form has been used \s-1AND\s0 which of
+POINT_CONVERSION_COMPRESSED the point is encoded as an octet signifying that the COMPRESSED form has been used AND which of
the two possible solutions for y has been used, followed by the octets for x.
.PP
-For \s-1POINT_CONVERSION_HYBRID\s0 the point is encoded as an octet signifying the \s-1HYBRID\s0 form has been used \s-1AND\s0 which of the two
+For POINT_CONVERSION_HYBRID the point is encoded as an octet signifying the HYBRID form has been used AND which of the two
possible solutions for y has been used, followed by the octets for x, followed by the octets for y.
.PP
The functions \fBEC_GROUP_set_point_conversion_form()\fR and \fBEC_GROUP_get_point_conversion_form()\fR, set and get the point_conversion_form
for the curve respectively.
.PP
-\&\s-1ANSI X9.62\s0 (\s-1ECDSA\s0 standard) defines a method of generating the curve parameter b from a random number. This provides advantages
+ANSI X9.62 (ECDSA standard) defines a method of generating the curve parameter b from a random number. This provides advantages
in that a parameter obtained in this way is highly unlikely to be susceptible to special purpose attacks, or have any trapdoors in it.
-If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL \s-1EC\s0 library
+If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL EC library
does not use this seed value but does enable you to inspect it using \fBEC_GROUP_get0_seed()\fR. This returns a pointer to a memory block
containing the seed that was used. The length of the memory block can be obtained using \fBEC_GROUP_get_seed_len()\fR. A number of the
built-in curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using
-\&\fBEC_GROUP_set_seed()\fR and passing a pointer to a memory block, along with the length of the seed. Again, the \s-1EC\s0 library will not use
-this seed value, although it will be preserved in any \s-1ASN1\s0 based communications.
+\&\fBEC_GROUP_set_seed()\fR and passing a pointer to a memory block, along with the length of the seed. Again, the EC library will not use
+this seed value, although it will be preserved in any ASN1 based communications.
.PP
\&\fBEC_GROUP_get_degree()\fR gets the degree of the field.
For Fp fields this will be the number of bits in p.
For F2^m fields this will be the value m.
.PP
-\&\fBEC_GROUP_get_field_type()\fR identifies what type of field the \s-1EC_GROUP\s0 structure supports,
+\&\fBEC_GROUP_get_field_type()\fR identifies what type of field the EC_GROUP structure supports,
which will be either F2^m or Fp.
.PP
The function \fBEC_GROUP_check_discriminant()\fR calculates the discriminant for the curve and verifies that it is valid.
@@ -301,17 +225,17 @@ simply b. In either case for the curve to be valid the discriminant must be non
The function \fBEC_GROUP_check()\fR behaves in the following way:
For the OpenSSL default provider it performs a number of checks on a curve to verify that it is valid. Checks performed include
verifying that the discriminant is non zero; that a generator has been defined; that the generator is on the curve and has
-the correct order. For the OpenSSL \s-1FIPS\s0 provider it uses \fBEC_GROUP_check_named_curve()\fR to conform to SP800\-56Ar3.
+the correct order. For the OpenSSL FIPS provider it uses \fBEC_GROUP_check_named_curve()\fR to conform to SP800\-56Ar3.
.PP
The function \fBEC_GROUP_check_named_curve()\fR determines if the group's domain parameters match one of the built-in curves supported by the library.
-The curve name is returned as a \fB\s-1NID\s0\fR if it matches. If the group's domain parameters have been modified then no match will be found.
+The curve name is returned as a \fBNID\fR if it matches. If the group's domain parameters have been modified then no match will be found.
If the curve name of the given group is \fBNID_undef\fR (e.g. it has been created by using explicit parameters with no curve name),
then this method can be used to lookup the name of the curve that matches the group domain parameters. The built-in curves contain
-aliases, so that multiple \s-1NID\s0's can map to the same domain parameters. For such curves it is unspecified which of the aliases will be
+aliases, so that multiple NID's can map to the same domain parameters. For such curves it is unspecified which of the aliases will be
returned if the curve name of the given group is NID_undef.
-If \fBnist_only\fR is 1 it will only look for \s-1NIST\s0 approved curves, otherwise it searches all built-in curves.
-This function may be passed a \s-1BN_CTX\s0 object in the \fBctx\fR parameter.
-The \fBctx\fR parameter may be \s-1NULL.\s0
+If \fBnist_only\fR is 1 it will only look for NIST approved curves, otherwise it searches all built-in curves.
+This function may be passed a BN_CTX object in the \fBctx\fR parameter.
+The \fBctx\fR parameter may be NULL.
.PP
\&\fBEC_GROUP_cmp()\fR compares \fBa\fR and \fBb\fR to determine whether they represent the same curve or not.
.PP
@@ -325,7 +249,7 @@ or a pentanomial of the form:
.PP
f(x) = x^m + x^k3 + x^k2 + x^k1 + 1 with m > k3 > k2 > k1 >= 1
.PP
-The function \fBEC_GROUP_get_basis_type()\fR returns a \s-1NID\s0 identifying whether a trinomial or pentanomial is in use for the field. The
+The function \fBEC_GROUP_get_basis_type()\fR returns a NID identifying whether a trinomial or pentanomial is in use for the field. The
function \fBEC_GROUP_get_trinomial_basis()\fR must only be called where f(x) is of the trinomial form, and returns the value of \fBk\fR. Similarly
the function \fBEC_GROUP_get_pentanomial_basis()\fR must only be called where f(x) is of the pentanomial form, and returns the values of \fBk1\fR,
\&\fBk2\fR and \fBk3\fR respectively.
@@ -334,20 +258,20 @@ the function \fBEC_GROUP_get_pentanomial_basis()\fR must only be called where f(
The following functions return 1 on success or 0 on error: \fBEC_GROUP_copy()\fR, \fBEC_GROUP_set_generator()\fR, \fBEC_GROUP_check()\fR,
\&\fBEC_GROUP_check_discriminant()\fR, \fBEC_GROUP_get_trinomial_basis()\fR and \fBEC_GROUP_get_pentanomial_basis()\fR.
.PP
-\&\fBEC_GROUP_dup()\fR returns a pointer to the duplicated curve, or \s-1NULL\s0 on error.
+\&\fBEC_GROUP_dup()\fR returns a pointer to the duplicated curve, or NULL on error.
.PP
-\&\fBEC_GROUP_method_of()\fR returns the \s-1EC_METHOD\s0 implementation in use for the given curve or \s-1NULL\s0 on error.
+\&\fBEC_GROUP_method_of()\fR returns the EC_METHOD implementation in use for the given curve or NULL on error.
.PP
-\&\fBEC_GROUP_get0_generator()\fR returns the generator for the given curve or \s-1NULL\s0 on error.
+\&\fBEC_GROUP_get0_generator()\fR returns the generator for the given curve or NULL on error.
.PP
\&\fBEC_GROUP_get_order()\fR returns 0 if the order is not set (or set to zero) for
\&\fBgroup\fR or if copying into \fBorder\fR fails, 1 otherwise.
.PP
\&\fBEC_GROUP_get_cofactor()\fR returns 0 if the cofactor is not set (or is set to zero) for \fBgroup\fR or if copying into \fBcofactor\fR fails, 1 otherwise.
.PP
-\&\fBEC_GROUP_get_curve_name()\fR returns the curve name (\s-1NID\s0) for \fBgroup\fR or will return NID_undef if no curve name is associated.
+\&\fBEC_GROUP_get_curve_name()\fR returns the curve name (NID) for \fBgroup\fR or will return NID_undef if no curve name is associated.
.PP
-\&\fBEC_GROUP_get_asn1_flag()\fR returns the \s-1ASN1\s0 flag for the specified \fBgroup\fR .
+\&\fBEC_GROUP_get_asn1_flag()\fR returns the ASN1 flag for the specified \fBgroup\fR .
.PP
\&\fBEC_GROUP_get_point_conversion_form()\fR returns the point_conversion_form for \fBgroup\fR.
.PP
@@ -362,13 +286,13 @@ these values are defined in the \fI<openssl/obj_mac.h>\fR header file.
\&\fBEC_GROUP_get0_order()\fR returns an internal pointer to the group order.
\&\fBEC_GROUP_order_bits()\fR returns the number of bits in the group order.
\&\fBEC_GROUP_get0_cofactor()\fR returns an internal pointer to the group cofactor.
-\&\fBEC_GROUP_get0_field()\fR returns an internal pointer to the group field. For curves over \s-1GF\s0(p), this is the modulus; for curves
-over \s-1GF\s0(2^m), this is the irreducible polynomial defining the field.
+\&\fBEC_GROUP_get0_field()\fR returns an internal pointer to the group field. For curves over GF(p), this is the modulus; for curves
+over GF(2^m), this is the irreducible polynomial defining the field.
.PP
-\&\fBEC_GROUP_get0_seed()\fR returns a pointer to the seed that was used to generate the parameter b, or \s-1NULL\s0 if the seed is not
+\&\fBEC_GROUP_get0_seed()\fR returns a pointer to the seed that was used to generate the parameter b, or NULL if the seed is not
specified. \fBEC_GROUP_get_seed_len()\fR returns the length of the seed or 0 if the seed is not specified.
.PP
-\&\fBEC_GROUP_set_seed()\fR returns the length of the seed that has been set. If the supplied seed is \s-1NULL,\s0 or the supplied seed length is
+\&\fBEC_GROUP_set_seed()\fR returns the length of the seed that has been set. If the supplied seed is NULL, or the supplied seed length is
0, the return value will be 1. On error 0 is returned.
.PP
\&\fBEC_GROUP_cmp()\fR returns 0 if the curves are equal, 1 if they are not equal, or \-1 on error.
@@ -380,16 +304,16 @@ trinomial or pentanomial respectively. Alternatively in the event of an error a
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEC_GROUP_method_of()\fR was deprecated in OpenSSL 3.0.
\&\fBEC_GROUP_get0_field()\fR, \fBEC_GROUP_check_named_curve()\fR and \fBEC_GROUP_get_field_type()\fR were added in OpenSSL 3.0.
\&\fBEC_GROUP_get0_order()\fR, \fBEC_GROUP_order_bits()\fR and \fBEC_GROUP_get0_cofactor()\fR were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3
index 50ab5c927daf..3e44287f622a 100644
--- a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3
+++ b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_GROUP_NEW 3ossl"
-.TH EC_GROUP_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_GROUP_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EC_GROUP_get_ecparameters,
EC_GROUP_get_ecpkparameters,
EC_GROUP_new_from_params,
+EC_GROUP_to_params,
EC_GROUP_new_from_ecparameters,
EC_GROUP_new_from_ecpkparameters,
EC_GROUP_new,
@@ -158,13 +83,15 @@ EC_GROUP_get_curve_GF2m,
EC_get_builtin_curves,
OSSL_EC_curve_nid2name \-
Functions for creating and destroying EC_GROUP objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
\& OSSL_LIB_CTX *libctx, const char *propq);
+\& OSSL_PARAM *EC_GROUP_to_params(const EC_GROUP *group, OSSL_LIB_CTX *libctx,
+\& const char *propq, BN_CTX *bnctx);
\& EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params);
\& EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params);
\& void EC_GROUP_free(EC_GROUP *group);
@@ -192,7 +119,7 @@ Functions for creating and destroying EC_GROUP objects
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -208,7 +135,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p,
\& BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Within the library there are two forms of elliptic curve that are of interest.
The first form is those defined over the prime field Fp. The elements of Fp are
@@ -230,23 +157,33 @@ pentanomial for this parameter.
Although deprecated since OpenSSL 3.0 and should no longer be used,
a new curve can be constructed by calling \fBEC_GROUP_new()\fR, using the
implementation provided by \fImeth\fR (see \fBEC_GFp_simple_method\fR\|(3)) and
-associated with the library context \fIctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)).
-The \fIctx\fR parameter may be \s-1NULL\s0 in which case the default library context is
+associated with the library context \fIctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)).
+The \fIctx\fR parameter may be NULL in which case the default library context is
used.
It is then necessary to call \fBEC_GROUP_set_curve()\fR to set the curve parameters.
Applications should instead use one of the other EC_GROUP_new_* constructors.
.PP
\&\fBEC_GROUP_new_from_params()\fR creates a group with parameters specified by \fIparams\fR.
-The library context \fIlibctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) and property query string
+The library context \fIlibctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)) and property query string
\&\fIpropq\fR are used to fetch algorithms from providers.
\&\fIparams\fR may be either a list of explicit params or a named group,
-The values for \fIctx\fR and \fIpropq\fR may be \s-1NULL.\s0
+The values for \fIctx\fR and \fIpropq\fR may be NULL.
The \fIparams\fR that can be used are described in
-\&\fB\s-1EVP_PKEY\-EC\s0\fR(7).
+\&\fBEVP_PKEY\-EC\fR(7).
+.PP
+EC_GROUP_to_params creates an OSSL_PARAM array with the corresponding parameters
+describing the given EC_GROUP. The resulting parameters may contain parameters
+describing a named or explicit curve depending on the EC_GROUP.
+The library context \fIlibctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)) and property query string
+\&\fIpropq\fR are used to fetch algorithms from providers.
+\&\fIbnctx\fR is an optional preallocated BN_CTX (to save the overhead of allocating
+and freeing the structure in a loop).
+The values for \fIlibctx\fR, \fIpropq\fR and \fIbnctx\fR may be NULL.
+The caller is responsible for freeing the OSSL_PARAM pointer returned.
.PP
\&\fBEC_GROUP_new_from_ecparameters()\fR will create a group from the
specified \fIparams\fR and
-\&\fBEC_GROUP_new_from_ecpkparameters()\fR will create a group from the specific \s-1PK\s0
+\&\fBEC_GROUP_new_from_ecpkparameters()\fR will create a group from the specific PK
\&\fIparams\fR.
.PP
\&\fBEC_GROUP_set_curve()\fR sets the curve parameters \fIp\fR, \fIa\fR and \fIb\fR. For a curve
@@ -280,7 +217,7 @@ EC_builtin_curve structures of size \fInitems\fR. The function will populate the
the total number of curves available, then the first \fInitems\fR curves will be
returned. Otherwise the total number of curves will be provided. The return
value is the total number of curves available (whether that number has been
-populated in \fIr\fR or not). Passing a \s-1NULL\s0 \fIr\fR, or setting \fInitems\fR to 0 will
+populated in \fIr\fR or not). Passing a NULL \fIr\fR, or setting \fInitems\fR to 0 will
do nothing other than return the total number of curves available.
The EC_builtin_curve structure is defined as follows:
.PP
@@ -297,28 +234,28 @@ readable comment string describing the curve.
In order to construct a built-in curve use the function
\&\fBEC_GROUP_new_by_curve_name_ex()\fR and provide the \fInid\fR of the curve to
be constructed, the associated library context to be used in \fIctx\fR (see
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) and any property query string in \fIpropq\fR. The \fIctx\fR value
-may be \s-1NULL\s0 in which case the default library context is used. The \fIpropq\fR
-value may also be \s-1NULL.\s0
+\&\fBOSSL_LIB_CTX\fR\|(3)) and any property query string in \fIpropq\fR. The \fIctx\fR value
+may be NULL in which case the default library context is used. The \fIpropq\fR
+value may also be NULL.
.PP
\&\fBEC_GROUP_new_by_curve_name()\fR is the same as
\&\fBEC_GROUP_new_by_curve_name_ex()\fR except that the default library context
-is always used along with a \s-1NULL\s0 property query string.
+is always used along with a NULL property query string.
.PP
-\&\fBEC_GROUP_free()\fR frees the memory associated with the \s-1EC_GROUP.\s0
-If \fIgroup\fR is \s-1NULL\s0 nothing is done.
+\&\fBEC_GROUP_free()\fR frees the memory associated with the EC_GROUP.
+If \fIgroup\fR is NULL nothing is done.
.PP
\&\fBEC_GROUP_clear_free()\fR is deprecated: it was meant to destroy any sensitive data
-held within the \s-1EC_GROUP\s0 and then free its memory, but since all the data stored
-in the \s-1EC_GROUP\s0 is public anyway, this function is unnecessary.
+held within the EC_GROUP and then free its memory, but since all the data stored
+in the EC_GROUP is public anyway, this function is unnecessary.
Its use can be safely replaced with \fBEC_GROUP_free()\fR.
-If \fIgroup\fR is \s-1NULL\s0 nothing is done.
+If \fIgroup\fR is NULL nothing is done.
.PP
\&\fBOSSL_EC_curve_nid2name()\fR converts a curve \fInid\fR into the corresponding name.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All EC_GROUP_new* functions return a pointer to the newly constructed group, or
-\&\s-1NULL\s0 on error.
+NULL on error.
.PP
\&\fBEC_get_builtin_curves()\fR returns the number of built-in curves that are
available.
@@ -326,24 +263,25 @@ available.
\&\fBEC_GROUP_set_curve_GFp()\fR, \fBEC_GROUP_get_curve_GFp()\fR, \fBEC_GROUP_set_curve_GF2m()\fR,
\&\fBEC_GROUP_get_curve_GF2m()\fR return 1 on success or 0 on error.
.PP
-\&\fBOSSL_EC_curve_nid2name()\fR returns a character string constant, or \s-1NULL\s0 on error.
+\&\fBOSSL_EC_curve_nid2name()\fR returns a character string constant, or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3),
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3), \s-1\fBEVP_PKEY\-EC\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBOSSL_LIB_CTX\fR\|(3), \fBEVP_PKEY\-EC\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
-.IP "\(bu" 2
+\&\fBEC_GROUP_to_params()\fR was added in OpenSSL 3.2.
+.IP \(bu 2
\&\fBEC_GROUP_new()\fR was deprecated in OpenSSL 3.0.
.Sp
\&\fBEC_GROUP_new_by_curve_name_ex()\fR and \fBEC_GROUP_new_from_params()\fR were
added in OpenSSL 3.0.
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBEC_GROUP_clear_free()\fR was deprecated in OpenSSL 3.0; use \fBEC_GROUP_free()\fR
instead.
-.IP "\(bu" 2
+.IP \(bu 2
.Sp
.Vb 3
@@ -351,11 +289,11 @@ instead.
\& EC_GROUP_set_curve_GF2m() and EC_GROUP_get_curve_GF2m() were deprecated in
\& OpenSSL 3.0; use EC_GROUP_set_curve() and EC_GROUP_get_curve() instead.
.Ve
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2013\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3
index e28c9abb93e4..4b14727ab15b 100644
--- a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3
+++ b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_KEY_GET_ENC_FLAGS 3ossl"
-.TH EC_KEY_GET_ENC_FLAGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_KEY_GET_ENC_FLAGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EC_KEY_get_enc_flags, EC_KEY_set_enc_flags
\&\- Get and set flags for encoding EC_KEY structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
@@ -147,7 +71,7 @@ EC_KEY_get_enc_flags, EC_KEY_set_enc_flags
\& unsigned int EC_KEY_get_enc_flags(const EC_KEY *key);
\& void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The format of the external representation of the public key written by
\&\fBi2d_ECPrivateKey()\fR (such as whether it is stored in a compressed form or not) is
@@ -155,22 +79,22 @@ described by the point_conversion_form. See \fBEC_GROUP_copy\fR\|(3)
for a description of point_conversion_form.
.PP
When reading a private key encoded without an associated public key (e.g. if
-\&\s-1EC_PKEY_NO_PUBKEY\s0 has been used \- see below), then \fBd2i_ECPrivateKey()\fR generates
+EC_PKEY_NO_PUBKEY has been used \- see below), then \fBd2i_ECPrivateKey()\fR generates
the missing public key automatically. Private keys encoded without parameters
-(e.g. if \s-1EC_PKEY_NO_PARAMETERS\s0 has been used \- see below) cannot be loaded using
+(e.g. if EC_PKEY_NO_PARAMETERS has been used \- see below) cannot be loaded using
\&\fBd2i_ECPrivateKey()\fR.
.PP
The functions \fBEC_KEY_get_enc_flags()\fR and \fBEC_KEY_set_enc_flags()\fR get and set the
value of the encoding flags for the \fBkey\fR. There are two encoding flags
-currently defined \- \s-1EC_PKEY_NO_PARAMETERS\s0 and \s-1EC_PKEY_NO_PUBKEY.\s0 These flags
-define the behaviour of how the \fBkey\fR is converted into \s-1ASN1\s0 in a call to
-\&\fBi2d_ECPrivateKey()\fR. If \s-1EC_PKEY_NO_PARAMETERS\s0 is set then the public parameters for
-the curve are not encoded along with the private key. If \s-1EC_PKEY_NO_PUBKEY\s0 is
+currently defined \- EC_PKEY_NO_PARAMETERS and EC_PKEY_NO_PUBKEY. These flags
+define the behaviour of how the \fBkey\fR is converted into ASN1 in a call to
+\&\fBi2d_ECPrivateKey()\fR. If EC_PKEY_NO_PARAMETERS is set then the public parameters for
+the curve are not encoded along with the private key. If EC_PKEY_NO_PUBKEY is
set then the public key is not encoded along with the private key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEC_KEY_get_enc_flags()\fR returns the value of the current encoding flags for the
-\&\s-1EC_KEY.\s0
+EC_KEY.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3),
@@ -179,11 +103,11 @@ set then the public key is not encoded along with the private key.
\&\fBEC_GFp_simple_method\fR\|(3),
\&\fBd2i_ECPKParameters\fR\|(3),
\&\fBd2i_ECPrivateKey\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_new.3 b/secure/lib/libcrypto/man/man3/EC_KEY_new.3
index 326f0d38eaad..fd664afd5e43 100644
--- a/secure/lib/libcrypto/man/man3/EC_KEY_new.3
+++ b/secure/lib/libcrypto/man/man3/EC_KEY_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_KEY_NEW 3ossl"
-.TH EC_KEY_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_KEY_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_EC_gen,
EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new_ex,
EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags,
@@ -151,7 +75,7 @@ EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates,
EC_KEY_oct2key, EC_KEY_key2buf, EC_KEY_oct2priv, EC_KEY_priv2oct,
EC_KEY_priv2buf \- Functions for creating, destroying and manipulating
EC_KEY objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
@@ -160,7 +84,7 @@ EC_KEY objects
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -203,137 +127,137 @@ see \fBopenssl_user_macros\fR\|(7):
\& size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
\& int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBEVP_EC_gen()\fR generates a new \s-1EC\s0 key pair on the given \fIcurve\fR.
+\&\fBEVP_EC_gen()\fR generates a new EC key pair on the given \fIcurve\fR.
.PP
All of the functions described below are deprecated.
Applications should instead use \fBEVP_EC_gen()\fR, \fBEVP_PKEY_Q_keygen\fR\|(3), or
\&\fBEVP_PKEY_keygen_init\fR\|(3) and \fBEVP_PKEY_keygen\fR\|(3).
.PP
-An \s-1EC_KEY\s0 represents a public key and, optionally, the associated private
+An EC_KEY represents a public key and, optionally, the associated private
key.
-A new \s-1EC_KEY\s0 with no associated curve can be constructed by calling
+A new EC_KEY with no associated curve can be constructed by calling
\&\fBEC_KEY_new_ex()\fR and specifying the associated library context in \fIctx\fR
-(see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) and property query string \fIpropq\fR.
-The \fIctx\fR parameter may be \s-1NULL\s0 in which case the default library context is
+(see \fBOSSL_LIB_CTX\fR\|(3)) and property query string \fIpropq\fR.
+The \fIctx\fR parameter may be NULL in which case the default library context is
used.
-The reference count for the newly created \s-1EC_KEY\s0 is initially
+The reference count for the newly created EC_KEY is initially
set to 1.
-A curve can be associated with the \s-1EC_KEY\s0 by calling
+A curve can be associated with the EC_KEY by calling
\&\fBEC_KEY_set_group()\fR.
.PP
\&\fBEC_KEY_new()\fR is the same as \fBEC_KEY_new_ex()\fR except that the default library
context is always used.
.PP
-Alternatively a new \s-1EC_KEY\s0 can be constructed by calling
+Alternatively a new EC_KEY can be constructed by calling
\&\fBEC_KEY_new_by_curve_name_ex()\fR and supplying the nid of the associated
-curve, the library context to be used \fIctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) and any
+curve, the library context to be used \fIctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)) and any
property query string \fIpropq\fR.
-The \fIctx\fR parameter may be \s-1NULL\s0 in which case the default library context is
-used. The \fIpropq\fR value may also be \s-1NULL.\s0
+The \fIctx\fR parameter may be NULL in which case the default library context is
+used. The \fIpropq\fR value may also be NULL.
See \fBEC_GROUP_new\fR\|(3) for a description of curve names.
This function simply wraps calls to \fBEC_KEY_new_ex()\fR and
\&\fBEC_GROUP_new_by_curve_name_ex()\fR.
.PP
\&\fBEC_KEY_new_by_curve_name()\fR is the same as \fBEC_KEY_new_by_curve_name_ex()\fR
-except that the default library context is always used and a \s-1NULL\s0 property query
+except that the default library context is always used and a NULL property query
string.
.PP
-Calling \fBEC_KEY_free()\fR decrements the reference count for the \s-1EC_KEY\s0 object,
+Calling \fBEC_KEY_free()\fR decrements the reference count for the EC_KEY object,
and if it has dropped to zero then frees the memory associated with it. If
-\&\fIkey\fR is \s-1NULL\s0 nothing is done.
+\&\fIkey\fR is NULL nothing is done.
.PP
-\&\fBEC_KEY_copy()\fR copies the contents of the \s-1EC_KEY\s0 in \fIsrc\fR into \fIdest\fR.
+\&\fBEC_KEY_copy()\fR copies the contents of the EC_KEY in \fIsrc\fR into \fIdest\fR.
.PP
-\&\fBEC_KEY_dup()\fR creates a new \s-1EC_KEY\s0 object and copies \fIec_key\fR into it.
+\&\fBEC_KEY_dup()\fR creates a new EC_KEY object and copies \fIec_key\fR into it.
.PP
-\&\fBEC_KEY_up_ref()\fR increments the reference count associated with the \s-1EC_KEY\s0
+\&\fBEC_KEY_up_ref()\fR increments the reference count associated with the EC_KEY
object.
.PP
-\&\fBEC_KEY_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for
-this \s-1EC_KEY\s0 object.
+\&\fBEC_KEY_get0_engine()\fR returns a handle to the ENGINE that has been set for
+this EC_KEY object.
.PP
\&\fBEC_KEY_generate_key()\fR generates a new public and private key for the supplied
-\&\fIeckey\fR object. \fIeckey\fR must have an \s-1EC_GROUP\s0 object associated with it
+\&\fIeckey\fR object. \fIeckey\fR must have an EC_GROUP object associated with it
before calling this function. The private key is a random integer (0 < priv_key
-< order, where \fIorder\fR is the order of the \s-1EC_GROUP\s0 object). The public key is
-an \s-1EC_POINT\s0 on the curve calculated by multiplying the generator for the
+< order, where \fIorder\fR is the order of the EC_GROUP object). The public key is
+an EC_POINT on the curve calculated by multiplying the generator for the
curve by the private key.
.PP
-\&\fBEC_KEY_check_key()\fR performs various sanity checks on the \s-1EC_KEY\s0 object to
+\&\fBEC_KEY_check_key()\fR performs various sanity checks on the EC_KEY object to
confirm that it is valid.
.PP
\&\fBEC_KEY_set_public_key_affine_coordinates()\fR sets the public key for \fIkey\fR based
-on its affine coordinates; i.e., it constructs an \s-1EC_POINT\s0 object based on
+on its affine coordinates; i.e., it constructs an EC_POINT object based on
the supplied \fIx\fR and \fIy\fR values and sets the public key to be this
-\&\s-1EC_POINT.\s0 It also performs certain sanity checks on the key to confirm
+EC_POINT. It also performs certain sanity checks on the key to confirm
that it is valid.
.PP
The functions \fBEC_KEY_get0_group()\fR, \fBEC_KEY_set_group()\fR,
\&\fBEC_KEY_get0_private_key()\fR, \fBEC_KEY_set_private_key()\fR, \fBEC_KEY_get0_public_key()\fR,
-and \fBEC_KEY_set_public_key()\fR get and set the \s-1EC_GROUP\s0 object, the private key,
-and the \s-1EC_POINT\s0 public key for the \fBkey\fR respectively. The function
-\&\fBEC_KEY_set_private_key()\fR accepts \s-1NULL\s0 as the priv_key argument to securely clear
-the private key component from the \s-1EC_KEY.\s0
+and \fBEC_KEY_set_public_key()\fR get and set the EC_GROUP object, the private key,
+and the EC_POINT public key for the \fBkey\fR respectively. The function
+\&\fBEC_KEY_set_private_key()\fR accepts NULL as the priv_key argument to securely clear
+the private key component from the EC_KEY.
.PP
The functions \fBEC_KEY_get_conv_form()\fR and \fBEC_KEY_set_conv_form()\fR get and set the
point_conversion_form for the \fIkey\fR. For a description of
point_conversion_forms please see \fBEC_POINT_new\fR\|(3).
.PP
-\&\fBEC_KEY_set_flags()\fR sets the flags in the \fIflags\fR parameter on the \s-1EC_KEY\s0
+\&\fBEC_KEY_set_flags()\fR sets the flags in the \fIflags\fR parameter on the EC_KEY
object. Any flags that are already set are left set. The flags currently
-defined are \s-1EC_FLAG_NON_FIPS_ALLOW\s0 and \s-1EC_FLAG_FIPS_CHECKED.\s0 In
-addition there is the flag \s-1EC_FLAG_COFACTOR_ECDH\s0 which is specific to \s-1ECDH.\s0
-\&\fBEC_KEY_get_flags()\fR returns the current flags that are set for this \s-1EC_KEY.\s0
+defined are EC_FLAG_NON_FIPS_ALLOW and EC_FLAG_FIPS_CHECKED. In
+addition there is the flag EC_FLAG_COFACTOR_ECDH which is specific to ECDH.
+\&\fBEC_KEY_get_flags()\fR returns the current flags that are set for this EC_KEY.
\&\fBEC_KEY_clear_flags()\fR clears the flags indicated by the \fIflags\fR parameter; all
other flags are left in their existing state.
.PP
-\&\fBEC_KEY_set_asn1_flag()\fR sets the asn1_flag on the underlying \s-1EC_GROUP\s0 object
+\&\fBEC_KEY_set_asn1_flag()\fR sets the asn1_flag on the underlying EC_GROUP object
(if set). Refer to \fBEC_GROUP_copy\fR\|(3) for further information on the
asn1_flag.
.PP
\&\fBEC_KEY_decoded_from_explicit_params()\fR returns 1 if the group of the \fIkey\fR was
decoded from data with explicitly encoded group parameters, \-1 if the \fIkey\fR
-is \s-1NULL\s0 or the group parameters are missing, and 0 otherwise.
+is NULL or the group parameters are missing, and 0 otherwise.
.PP
-\&\fBEC_KEY_precompute_mult()\fR stores multiples of the underlying \s-1EC_GROUP\s0 generator
+\&\fBEC_KEY_precompute_mult()\fR stores multiples of the underlying EC_GROUP generator
for faster point multiplication. See also \fBEC_POINT_add\fR\|(3).
Modern versions should instead switch to named curves which OpenSSL has
hardcoded lookup tables for.
.PP
\&\fBEC_KEY_oct2key()\fR and \fBEC_KEY_key2buf()\fR are identical to the functions
\&\fBEC_POINT_oct2point()\fR and \fBEC_POINT_point2buf()\fR except they use the public key
-\&\s-1EC_POINT\s0 in \fIeckey\fR.
+EC_POINT in \fIeckey\fR.
.PP
\&\fBEC_KEY_oct2priv()\fR and \fBEC_KEY_priv2oct()\fR convert between the private key
component of \fIeckey\fR and octet form. The octet form consists of the content
-octets of the \fIprivateKey\fR \s-1OCTET STRING\s0 in an \fIECPrivateKey\fR \s-1ASN.1\s0 structure.
+octets of the \fIprivateKey\fR OCTET STRING in an \fIECPrivateKey\fR ASN.1 structure.
.PP
The function \fBEC_KEY_priv2oct()\fR must be supplied with a buffer long enough to
store the octet form. The return value provides the number of octets stored.
-Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but
+Calling the function with a NULL buffer will not perform the conversion but
will just return the required buffer length.
.PP
The function \fBEC_KEY_priv2buf()\fR allocates a buffer of suitable length and writes
-an \s-1EC_KEY\s0 to it in octet format. The allocated buffer is written to \fI*pbuf\fR
+an EC_KEY to it in octet format. The allocated buffer is written to \fI*pbuf\fR
and its length is returned. The caller must free up the allocated buffer with a
call to \fBOPENSSL_free()\fR. Since the allocated buffer value is written to \fI*pbuf\fR
-the \fIpbuf\fR parameter \fB\s-1MUST NOT\s0\fR be \fB\s-1NULL\s0\fR.
+the \fIpbuf\fR parameter \fBMUST NOT\fR be \fBNULL\fR.
.PP
-\&\fBEC_KEY_priv2buf()\fR converts an \s-1EC_KEY\s0 private key into an allocated buffer.
+\&\fBEC_KEY_priv2buf()\fR converts an EC_KEY private key into an allocated buffer.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEC_KEY_new_ex()\fR, \fBEC_KEY_new()\fR, \fBEC_KEY_new_by_curve_name_ex()\fR,
\&\fBEC_KEY_new_by_curve_name()\fR and \fBEC_KEY_dup()\fR return a pointer to the newly
-created \s-1EC_KEY\s0 object, or \s-1NULL\s0 on error.
+created EC_KEY object, or NULL on error.
.PP
-\&\fBEC_KEY_get_flags()\fR returns the flags associated with the \s-1EC_KEY\s0 object as an
+\&\fBEC_KEY_get_flags()\fR returns the flags associated with the EC_KEY object as an
integer.
.PP
-\&\fBEC_KEY_copy()\fR returns a pointer to the destination key, or \s-1NULL\s0 on error.
+\&\fBEC_KEY_copy()\fR returns a pointer to the destination key, or NULL on error.
.PP
-\&\fBEC_KEY_get0_engine()\fR returns a pointer to an \s-1ENGINE,\s0 or \s-1NULL\s0 if it wasn't set.
+\&\fBEC_KEY_get0_engine()\fR returns a pointer to an ENGINE, or NULL if it wasn't set.
.PP
\&\fBEC_KEY_up_ref()\fR, \fBEC_KEY_set_group()\fR, \fBEC_KEY_set_public_key()\fR,
\&\fBEC_KEY_precompute_mult()\fR, \fBEC_KEY_generate_key()\fR, \fBEC_KEY_check_key()\fR,
@@ -341,14 +265,14 @@ integer.
\&\fBEC_KEY_oct2priv()\fR return 1 on success or 0 on error.
.PP
\&\fBEC_KEY_set_private_key()\fR returns 1 on success or 0 on error except when the
-priv_key argument is \s-1NULL,\s0 in that case it returns 0, for legacy compatibility,
+priv_key argument is NULL, in that case it returns 0, for legacy compatibility,
and should not be treated as an error.
.PP
-\&\fBEC_KEY_get0_group()\fR returns the \s-1EC_GROUP\s0 associated with the \s-1EC_KEY.\s0
+\&\fBEC_KEY_get0_group()\fR returns the EC_GROUP associated with the EC_KEY.
.PP
-\&\fBEC_KEY_get0_private_key()\fR returns the private key associated with the \s-1EC_KEY.\s0
+\&\fBEC_KEY_get0_private_key()\fR returns the private key associated with the EC_KEY.
.PP
-\&\fBEC_KEY_get_conv_form()\fR return the point_conversion_form for the \s-1EC_KEY.\s0
+\&\fBEC_KEY_get_conv_form()\fR return the point_conversion_form for the EC_KEY.
.PP
\&\fBEC_KEY_key2buf()\fR, \fBEC_KEY_priv2oct()\fR and \fBEC_KEY_priv2buf()\fR return the length
of the buffer or 0 on error.
@@ -360,17 +284,17 @@ of the buffer or 0 on error.
\&\fBEC_POINT_add\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3),
\&\fBd2i_ECPKParameters\fR\|(3),
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_EC_gen()\fR was added in OpenSSL 3.0.
All other functions described here were deprecated in OpenSSL 3.0.
-For replacement see \s-1\fBEVP_PKEY\-EC\s0\fR\|(7).
-.SH "COPYRIGHT"
+For replacement see \fBEVP_PKEY\-EC\fR\|(7).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_add.3 b/secure/lib/libcrypto/man/man3/EC_POINT_add.3
index 1195469bf39d..6ca161ca8ae0 100644
--- a/secure/lib/libcrypto/man/man3/EC_POINT_add.3
+++ b/secure/lib/libcrypto/man/man3/EC_POINT_add.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_POINT_ADD 3ossl"
-.TH EC_POINT_ADD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_POINT_ADD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp, EC_POINT_make_affine, EC_POINTs_make_affine, EC_POINTs_mul, EC_POINT_mul, EC_GROUP_precompute_mult, EC_GROUP_have_precompute_mult \- Functions for performing mathematical operations and tests on EC_POINT objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
@@ -155,7 +79,7 @@ EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_i
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 7
@@ -167,7 +91,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
\& int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
EC_POINT_add adds the two points \fBa\fR and \fBb\fR and places the result in \fBr\fR. Similarly EC_POINT_dbl doubles the point \fBa\fR and places the
result in \fBr\fR. In both cases it is valid for \fBr\fR to be one of \fBa\fR or \fBb\fR.
@@ -180,18 +104,18 @@ EC_POINT_is_on_curve tests whether the supplied point is on the curve or not.
.PP
EC_POINT_cmp compares the two supplied points and tests whether or not they are equal.
.PP
-The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the \s-1EC_POINT\s0(s) into the affine
+The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the EC_POINT(s) into the affine
coordinate system. In the case of EC_POINTs_make_affine the value \fBnum\fR provides the number of points in the array \fBpoints\fR to be
forced. These functions were deprecated in OpenSSL 3.0 and should no longer be used.
Modern versions automatically perform this conversion when needed.
.PP
EC_POINT_mul calculates the value generator * \fBn\fR + \fBq\fR * \fBm\fR and stores the result in \fBr\fR.
-The value \fBn\fR may be \s-1NULL\s0 in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be \s-1NULL,\s0 and \fBn\fR non-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication).
+The value \fBn\fR may be NULL in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be NULL, and \fBn\fR non-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication).
When performing a single fixed or variable point multiplication, the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm\fR) is in the range [0, ec_group_order).
.PP
Although deprecated in OpenSSL 3.0 and should no longer be used,
-EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value \fBn\fR may be \s-1NULL\s0 or \fBnum\fR may be zero.
-When performing a fixed point multiplication (\fBn\fR is non-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is \s-1NULL\s0 and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order).
+EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value \fBn\fR may be NULL or \fBnum\fR may be zero.
+When performing a fixed point multiplication (\fBn\fR is non-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is NULL and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order).
Modern versions should instead use \fBEC_POINT_mul()\fR, combined (if needed) with \fBEC_POINT_add()\fR in such rare circumstances.
.PP
The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst
@@ -216,16 +140,16 @@ EC_GROUP_have_precompute_mult return 1 if a precomputation has been done, or 0 i
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEC_POINT_make_affine()\fR, \fBEC_POINTs_make_affine()\fR, \fBEC_POINTs_mul()\fR,
\&\fBEC_GROUP_precompute_mult()\fR, and \fBEC_GROUP_have_precompute_mult()\fR
were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_new.3 b/secure/lib/libcrypto/man/man3/EC_POINT_new.3
index 7fd7ce29e88c..87ee7b44e14c 100644
--- a/secure/lib/libcrypto/man/man3/EC_POINT_new.3
+++ b/secure/lib/libcrypto/man/man3/EC_POINT_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_POINT_NEW 3ossl"
-.TH EC_POINT_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EC_POINT_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EC_POINT_set_Jprojective_coordinates_GFp,
EC_POINT_point2buf,
EC_POINT_new,
@@ -163,7 +87,7 @@ EC_POINT_bn2point,
EC_POINT_point2hex,
EC_POINT_hex2point
\&\- Functions for creating, destroying and manipulating EC_POINT objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
@@ -197,7 +121,7 @@ EC_POINT_hex2point
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -236,26 +160,26 @@ see \fBopenssl_user_macros\fR\|(7):
\& EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn,
\& EC_POINT *p, BN_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-An \fB\s-1EC_POINT\s0\fR structure represents a point on a curve. A new point is
+An \fBEC_POINT\fR structure represents a point on a curve. A new point is
constructed by calling the function \fBEC_POINT_new()\fR and providing the
\&\fBgroup\fR object that the point relates to.
.PP
-\&\fBEC_POINT_free()\fR frees the memory associated with the \fB\s-1EC_POINT\s0\fR.
-if \fBpoint\fR is \s-1NULL\s0 nothing is done.
+\&\fBEC_POINT_free()\fR frees the memory associated with the \fBEC_POINT\fR.
+if \fBpoint\fR is NULL nothing is done.
.PP
-\&\fBEC_POINT_clear_free()\fR destroys any sensitive data held within the \s-1EC_POINT\s0 and
-then frees its memory. If \fBpoint\fR is \s-1NULL\s0 nothing is done.
+\&\fBEC_POINT_clear_free()\fR destroys any sensitive data held within the EC_POINT and
+then frees its memory. If \fBpoint\fR is NULL nothing is done.
.PP
\&\fBEC_POINT_copy()\fR copies the point \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR
-must use the same \fB\s-1EC_METHOD\s0\fR.
+must use the same \fBEC_METHOD\fR.
.PP
-\&\fBEC_POINT_dup()\fR creates a new \fB\s-1EC_POINT\s0\fR object and copies the content from
-\&\fBsrc\fR to the newly created \fB\s-1EC_POINT\s0\fR object.
+\&\fBEC_POINT_dup()\fR creates a new \fBEC_POINT\fR object and copies the content from
+\&\fBsrc\fR to the newly created \fBEC_POINT\fR object.
.PP
-\&\fBEC_POINT_method_of()\fR obtains the \fB\s-1EC_METHOD\s0\fR associated with \fBpoint\fR.
-This function was deprecated in OpenSSL 3.0, since \s-1EC_METHOD\s0 is no longer a
+\&\fBEC_POINT_method_of()\fR obtains the \fBEC_METHOD\fR associated with \fBpoint\fR.
+This function was deprecated in OpenSSL 3.0, since EC_METHOD is no longer a
public concept.
.PP
A valid point on a curve is the special point at infinity. A point is set to
@@ -265,7 +189,7 @@ The affine coordinates for a point describe a point in terms of its x and y
position. The function \fBEC_POINT_set_affine_coordinates()\fR sets the \fBx\fR and \fBy\fR
coordinates for the point \fBp\fR defined over the curve given in \fBgroup\fR. The
function \fBEC_POINT_get_affine_coordinates()\fR sets \fBx\fR and \fBy\fR, either of which
-may be \s-1NULL,\s0 to the corresponding coordinates of \fBp\fR.
+may be NULL, to the corresponding coordinates of \fBp\fR.
.PP
The functions \fBEC_POINT_set_affine_coordinates_GFp()\fR and
\&\fBEC_POINT_set_affine_coordinates_GF2m()\fR are synonyms for
@@ -305,34 +229,34 @@ The functions \fBEC_POINT_set_compressed_coordinates_GFp()\fR and
\&\fBEC_POINT_set_compressed_coordinates()\fR. They are defined for backwards
compatibility only and should not be used.
.PP
-In addition \fB\s-1EC_POINT\s0\fR can be converted to and from various external
+In addition \fBEC_POINT\fR can be converted to and from various external
representations. The octet form is the binary encoding of the \fBECPoint\fR
-structure (as defined in \s-1RFC5480\s0 and used in certificates and \s-1TLS\s0 records):
-only the content octets are present, the \fB\s-1OCTET STRING\s0\fR tag and length are
-not included. \fB\s-1BIGNUM\s0\fR form is the octet form interpreted as a big endian
-integer converted to a \fB\s-1BIGNUM\s0\fR structure. Hexadecimal form is the octet
-form converted to a \s-1NULL\s0 terminated character string where each character
+structure (as defined in RFC5480 and used in certificates and TLS records):
+only the content octets are present, the \fBOCTET STRING\fR tag and length are
+not included. \fBBIGNUM\fR form is the octet form interpreted as a big endian
+integer converted to a \fBBIGNUM\fR structure. Hexadecimal form is the octet
+form converted to a NULL terminated character string where each character
is one of the printable values 0\-9 or A\-F (or a\-f).
.PP
The functions \fBEC_POINT_point2oct()\fR, \fBEC_POINT_oct2point()\fR, \fBEC_POINT_point2bn()\fR,
\&\fBEC_POINT_bn2point()\fR, \fBEC_POINT_point2hex()\fR and \fBEC_POINT_hex2point()\fR convert from
-and to EC_POINTs for the formats: octet, \s-1BIGNUM\s0 and hexadecimal respectively.
+and to EC_POINTs for the formats: octet, BIGNUM and hexadecimal respectively.
.PP
The function \fBEC_POINT_point2oct()\fR encodes the given curve point \fBp\fR as an
octet string into the buffer \fBbuf\fR of size \fBlen\fR, using the specified
conversion form \fBform\fR.
-The encoding conforms with Sec. 2.3.3 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic Curve
-Cryptography\*(R") standard.
+The encoding conforms with Sec. 2.3.3 of the SECG SEC 1 ("Elliptic Curve
+Cryptography") standard.
Similarly the function \fBEC_POINT_oct2point()\fR decodes a curve point into \fBp\fR from
the octet string contained in the given buffer \fBbuf\fR of size \fBlen\fR, conforming
-to Sec. 2.3.4 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic Curve Cryptography\*(R") standard.
+to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic Curve Cryptography") standard.
.PP
The functions \fBEC_POINT_point2hex()\fR and \fBEC_POINT_point2bn()\fR convert a point \fBp\fR,
-respectively, to the hexadecimal or \s-1BIGNUM\s0 representation of the same
+respectively, to the hexadecimal or BIGNUM representation of the same
encoding of the function \fBEC_POINT_point2oct()\fR.
Vice versa, similarly to the function \fBEC_POINT_oct2point()\fR, the functions
\&\fBEC_POINT_hex2point()\fR and \fBEC_POINT_point2bn()\fR decode the hexadecimal or
-\&\s-1BIGNUM\s0 representation into the \s-1EC_POINT\s0 \fBp\fR.
+BIGNUM representation into the EC_POINT \fBp\fR.
.PP
Notice that, according to the standard, the octet string encoding of the point
at infinity for a given curve is fixed to a single octet of value zero and that,
@@ -340,21 +264,21 @@ vice versa, a single octet of size zero is decoded as the point at infinity.
.PP
The function \fBEC_POINT_point2oct()\fR must be supplied with a buffer long enough to
store the octet form. The return value provides the number of octets stored.
-Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but
+Calling the function with a NULL buffer will not perform the conversion but
will still return the required buffer length.
.PP
The function \fBEC_POINT_point2buf()\fR allocates a buffer of suitable length and
-writes an \s-1EC_POINT\s0 to it in octet format. The allocated buffer is written to
+writes an EC_POINT to it in octet format. The allocated buffer is written to
\&\fB*pbuf\fR and its length is returned. The caller must free up the allocated
buffer with a call to \fBOPENSSL_free()\fR. Since the allocated buffer value is
-written to \fB*pbuf\fR the \fBpbuf\fR parameter \fB\s-1MUST NOT\s0\fR be \fB\s-1NULL\s0\fR.
+written to \fB*pbuf\fR the \fBpbuf\fR parameter \fBMUST NOT\fR be \fBNULL\fR.
.PP
The function \fBEC_POINT_point2hex()\fR will allocate sufficient memory to store the
hexadecimal string. It is the caller's responsibility to free this memory with
a subsequent call to \fBOPENSSL_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEC_POINT_new()\fR and \fBEC_POINT_dup()\fR return the newly allocated \s-1EC_POINT\s0 or \s-1NULL\s0
+\&\fBEC_POINT_new()\fR and \fBEC_POINT_dup()\fR return the newly allocated EC_POINT or NULL
on error.
.PP
The following functions return 1 on success or 0 on error: \fBEC_POINT_copy()\fR,
@@ -365,27 +289,27 @@ The following functions return 1 on success or 0 on error: \fBEC_POINT_copy()\fR
\&\fBEC_POINT_set_affine_coordinates_GF2m()\fR, \fBEC_POINT_get_affine_coordinates_GF2m()\fR,
\&\fBEC_POINT_set_compressed_coordinates_GF2m()\fR and \fBEC_POINT_oct2point()\fR.
.PP
-EC_POINT_method_of returns the \s-1EC_METHOD\s0 associated with the supplied \s-1EC_POINT.\s0
+EC_POINT_method_of returns the EC_METHOD associated with the supplied EC_POINT.
.PP
\&\fBEC_POINT_point2oct()\fR and \fBEC_POINT_point2buf()\fR return the length of the required
buffer or 0 on error.
.PP
-\&\fBEC_POINT_point2bn()\fR returns the pointer to the \s-1BIGNUM\s0 supplied, or \s-1NULL\s0 on
+\&\fBEC_POINT_point2bn()\fR returns the pointer to the BIGNUM supplied, or NULL on
error.
.PP
-\&\fBEC_POINT_bn2point()\fR returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on
+\&\fBEC_POINT_bn2point()\fR returns the pointer to the EC_POINT supplied, or NULL on
error.
.PP
-\&\fBEC_POINT_point2hex()\fR returns a pointer to the hex string, or \s-1NULL\s0 on error.
+\&\fBEC_POINT_point2hex()\fR returns a pointer to the hex string, or NULL on error.
.PP
-\&\fBEC_POINT_hex2point()\fR returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on
+\&\fBEC_POINT_hex2point()\fR returns the pointer to the EC_POINT supplied, or NULL on
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEC_POINT_method_of()\fR,
\&\fBEC_POINT_set_Jprojective_coordinates_GFp()\fR,
@@ -399,11 +323,11 @@ error.
\&\fBEC_POINT_set_affine_coordinates\fR, \fBEC_POINT_get_affine_coordinates\fR,
and \fBEC_POINT_set_compressed_coordinates\fR were
added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ENGINE_add.3 b/secure/lib/libcrypto/man/man3/ENGINE_add.3
index 0cc95771a7d3..ab01d75df7df 100644
--- a/secure/lib/libcrypto/man/man3/ENGINE_add.3
+++ b/secure/lib/libcrypto/man/man3/ENGINE_add.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ENGINE_ADD 3ossl"
-.TH ENGINE_ADD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ENGINE_ADD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ENGINE_get_DH, ENGINE_get_DSA,
ENGINE_by_id, ENGINE_get_cipher_engine, ENGINE_get_default_DH,
ENGINE_get_default_DSA,
@@ -176,14 +100,14 @@ ENGINE_unregister_DSA,
ENGINE_unregister_RAND, ENGINE_unregister_RSA, ENGINE_unregister_ciphers,
ENGINE_unregister_digests
\&\- ENGINE cryptographic module support
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/engine.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -297,24 +221,24 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void ENGINE_cleanup(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use the provider APIs.
.PP
These functions create, manipulate, and use cryptographic modules in the
-form of \fB\s-1ENGINE\s0\fR objects. These objects act as containers for
+form of \fBENGINE\fR objects. These objects act as containers for
implementations of cryptographic algorithms, and support a
reference-counted mechanism to allow them to be dynamically loaded in and
out of the running application.
.PP
-The cryptographic functionality that can be provided by an \fB\s-1ENGINE\s0\fR
+The cryptographic functionality that can be provided by an \fBENGINE\fR
implementation includes the following abstractions;
.PP
.Vb 6
@@ -327,29 +251,29 @@ implementation includes the following abstractions;
.Ve
.SS "Reference counting and handles"
.IX Subsection "Reference counting and handles"
-Due to the modular nature of the \s-1ENGINE API,\s0 pointers to ENGINEs need to be
+Due to the modular nature of the ENGINE API, pointers to ENGINEs need to be
treated as handles \- i.e. not only as pointers, but also as references to
-the underlying \s-1ENGINE\s0 object. Ie. one should obtain a new reference when
-making copies of an \s-1ENGINE\s0 pointer if the copies will be used (and
+the underlying ENGINE object. Ie. one should obtain a new reference when
+making copies of an ENGINE pointer if the copies will be used (and
released) independently.
.PP
-\&\s-1ENGINE\s0 objects have two levels of reference-counting to match the way in
-which the objects are used. At the most basic level, each \s-1ENGINE\s0 pointer is
+ENGINE objects have two levels of reference-counting to match the way in
+which the objects are used. At the most basic level, each ENGINE pointer is
inherently a \fBstructural\fR reference \- a structural reference is required
to use the pointer value at all, as this kind of reference is a guarantee
that the structure can not be deallocated until the reference is released.
.PP
-However, a structural reference provides no guarantee that the \s-1ENGINE\s0 is
+However, a structural reference provides no guarantee that the ENGINE is
initialised and able to use any of its cryptographic
implementations. Indeed it's quite possible that most ENGINEs will not
initialise at all in typical environments, as ENGINEs are typically used to
-support specialised hardware. To use an \s-1ENGINE\s0's functionality, you need a
+support specialised hardware. To use an ENGINE's functionality, you need a
\&\fBfunctional\fR reference. This kind of reference can be considered a
specialised form of structural reference, because each functional reference
implicitly contains a structural reference as well \- however to avoid
difficult-to-find programming bugs, it is recommended to treat the two
kinds of reference independently. If you have a functional reference to an
-\&\s-1ENGINE,\s0 you have a guarantee that the \s-1ENGINE\s0 has been initialised and
+ENGINE, you have a guarantee that the ENGINE has been initialised and
is ready to perform cryptographic operations, and will remain initialised
until after you have released your reference.
.PP
@@ -357,22 +281,23 @@ until after you have released your reference.
.PP
This basic type of reference is used for instantiating new ENGINEs,
iterating across OpenSSL's internal linked-list of loaded
-ENGINEs, reading information about an \s-1ENGINE,\s0 etc. Essentially a structural
+ENGINEs, reading information about an ENGINE, etc. Essentially a structural
reference is sufficient if you only need to query or manipulate the data of
-an \s-1ENGINE\s0 implementation rather than use its functionality.
+an ENGINE implementation rather than use its functionality.
.PP
The \fBENGINE_new()\fR function returns a structural reference to a new (empty)
-\&\s-1ENGINE\s0 object. There are other \s-1ENGINE API\s0 functions that return structural
+ENGINE object. There are other ENGINE API functions that return structural
references such as; \fBENGINE_by_id()\fR, \fBENGINE_get_first()\fR, \fBENGINE_get_last()\fR,
\&\fBENGINE_get_next()\fR, \fBENGINE_get_prev()\fR. All structural references should be
released by a corresponding to call to the \fBENGINE_free()\fR function \- the
-\&\s-1ENGINE\s0 object itself will only actually be cleaned up and deallocated when
-the last structural reference is released.
+ENGINE object itself will only actually be cleaned up and deallocated when
+the last structural reference is released. If the argument to \fBENGINE_free()\fR
+is NULL, nothing is done.
.PP
-It should also be noted that many \s-1ENGINE API\s0 function calls that accept a
+It should also be noted that many ENGINE API function calls that accept a
structural reference will internally obtain another reference \- typically
-this happens whenever the supplied \s-1ENGINE\s0 will be needed by OpenSSL after
-the function has returned. Eg. the function to add a new \s-1ENGINE\s0 to
+this happens whenever the supplied ENGINE will be needed by OpenSSL after
+the function has returned. Eg. the function to add a new ENGINE to
OpenSSL's internal list is \fBENGINE_add()\fR \- if this function returns success,
then OpenSSL will have stored a new structural reference internally so the
caller is still responsible for freeing their own reference with
@@ -380,29 +305,29 @@ caller is still responsible for freeing their own reference with
functions will automatically release the structural reference passed to it
if part of the function's job is to do so. Eg. the \fBENGINE_get_next()\fR and
\&\fBENGINE_get_prev()\fR functions are used for iterating across the internal
-\&\s-1ENGINE\s0 list \- they will return a new structural reference to the next (or
-previous) \s-1ENGINE\s0 in the list or \s-1NULL\s0 if at the end (or beginning) of the
+ENGINE list \- they will return a new structural reference to the next (or
+previous) ENGINE in the list or NULL if at the end (or beginning) of the
list, but in either case the structural reference passed to the function is
released on behalf of the caller.
.PP
To clarify a particular function's handling of references, one should
-always consult that function's documentation \*(L"man\*(R" page, or failing that
+always consult that function's documentation "man" page, or failing that
the \fI<openssl/engine.h>\fR header file includes some hints.
.PP
\&\fIFunctional references\fR
.PP
As mentioned, functional references exist when the cryptographic
-functionality of an \s-1ENGINE\s0 is required to be available. A functional
+functionality of an ENGINE is required to be available. A functional
reference can be obtained in one of two ways; from an existing structural
-reference to the required \s-1ENGINE,\s0 or by asking OpenSSL for the default
-operational \s-1ENGINE\s0 for a given cryptographic purpose.
+reference to the required ENGINE, or by asking OpenSSL for the default
+operational ENGINE for a given cryptographic purpose.
.PP
To obtain a functional reference from an existing structural reference,
-call the \fBENGINE_init()\fR function. This returns zero if the \s-1ENGINE\s0 was not
+call the \fBENGINE_init()\fR function. This returns zero if the ENGINE was not
already operational and couldn't be successfully initialised (e.g. lack of
system drivers, no special hardware attached, etc), otherwise it will
-return nonzero to indicate that the \s-1ENGINE\s0 is now operational and will
-have allocated a new \fBfunctional\fR reference to the \s-1ENGINE.\s0 All functional
+return nonzero to indicate that the ENGINE is now operational and will
+have allocated a new \fBfunctional\fR reference to the ENGINE. All functional
references are released by calling \fBENGINE_finish()\fR (which removes the
implicit structural reference as well).
.PP
@@ -411,68 +336,68 @@ default implementation for a given task, e.g. by \fBENGINE_get_default_RSA()\fR,
\&\fBENGINE_get_default_cipher_engine()\fR, etc. These are discussed in the next
section, though they are not usually required by application programmers as
they are used automatically when creating and using the relevant
-algorithm-specific types in OpenSSL, such as \s-1RSA, DSA, EVP_CIPHER_CTX,\s0 etc.
+algorithm-specific types in OpenSSL, such as RSA, DSA, EVP_CIPHER_CTX, etc.
.SS "Default implementations"
.IX Subsection "Default implementations"
-For each supported abstraction, the \s-1ENGINE\s0 code maintains an internal table
+For each supported abstraction, the ENGINE code maintains an internal table
of state to control which implementations are available for a given
abstraction and which should be used by default. These implementations are
registered in the tables and indexed by an 'nid' value, because
-abstractions like \s-1EVP_CIPHER\s0 and \s-1EVP_DIGEST\s0 support many distinct
+abstractions like EVP_CIPHER and EVP_DIGEST support many distinct
algorithms and modes, and ENGINEs can support arbitrarily many of them.
-In the case of other abstractions like \s-1RSA, DSA,\s0 etc, there is only one
-\&\*(L"algorithm\*(R" so all implementations implicitly register using the same 'nid'
+In the case of other abstractions like RSA, DSA, etc, there is only one
+"algorithm" so all implementations implicitly register using the same 'nid'
index.
.PP
-When a default \s-1ENGINE\s0 is requested for a given abstraction/algorithm/mode, (e.g.
-when calling RSA_new_method(\s-1NULL\s0)), a \*(L"get_default\*(R" call will be made to the
-\&\s-1ENGINE\s0 subsystem to process the corresponding state table and return a
-functional reference to an initialised \s-1ENGINE\s0 whose implementation should be
-used. If no \s-1ENGINE\s0 should (or can) be used, it will return \s-1NULL\s0 and the caller
-will operate with a \s-1NULL ENGINE\s0 handle \- this usually equates to using the
+When a default ENGINE is requested for a given abstraction/algorithm/mode, (e.g.
+when calling RSA_new_method(NULL)), a "get_default" call will be made to the
+ENGINE subsystem to process the corresponding state table and return a
+functional reference to an initialised ENGINE whose implementation should be
+used. If no ENGINE should (or can) be used, it will return NULL and the caller
+will operate with a NULL ENGINE handle \- this usually equates to using the
conventional software implementation. In the latter case, OpenSSL will from
-then on behave the way it used to before the \s-1ENGINE API\s0 existed.
+then on behave the way it used to before the ENGINE API existed.
.PP
Each state table has a flag to note whether it has processed this
-\&\*(L"get_default\*(R" query since the table was last modified, because to process
+"get_default" query since the table was last modified, because to process
this question it must iterate across all the registered ENGINEs in the
table trying to initialise each of them in turn, in case one of them is
-operational. If it returns a functional reference to an \s-1ENGINE,\s0 it will
+operational. If it returns a functional reference to an ENGINE, it will
also cache another reference to speed up processing future queries (without
-needing to iterate across the table). Likewise, it will cache a \s-1NULL\s0
-response if no \s-1ENGINE\s0 was available so that future queries won't repeat the
+needing to iterate across the table). Likewise, it will cache a NULL
+response if no ENGINE was available so that future queries won't repeat the
same iteration unless the state table changes. This behaviour can also be
-changed; if the \s-1ENGINE_TABLE_FLAG_NOINIT\s0 flag is set (using
+changed; if the ENGINE_TABLE_FLAG_NOINIT flag is set (using
\&\fBENGINE_set_table_flags()\fR), no attempted initialisations will take place,
-instead the only way for the state table to return a non-NULL \s-1ENGINE\s0 to the
-\&\*(L"get_default\*(R" query will be if one is expressly set in the table. Eg.
+instead the only way for the state table to return a non-NULL ENGINE to the
+"get_default" query will be if one is expressly set in the table. Eg.
\&\fBENGINE_set_default_RSA()\fR does the same job as \fBENGINE_register_RSA()\fR except
-that it also sets the state table's cached response for the \*(L"get_default\*(R"
-query. In the case of abstractions like \s-1EVP_CIPHER,\s0 where implementations are
+that it also sets the state table's cached response for the "get_default"
+query. In the case of abstractions like EVP_CIPHER, where implementations are
indexed by 'nid', these flags and cached-responses are distinct for each 'nid'
value.
.SS "Application requirements"
.IX Subsection "Application requirements"
This section will explain the basic things an application programmer should
-support to make the most useful elements of the \s-1ENGINE\s0 functionality
+support to make the most useful elements of the ENGINE functionality
available to the user. The first thing to consider is whether the
-programmer wishes to make alternative \s-1ENGINE\s0 modules available to the
+programmer wishes to make alternative ENGINE modules available to the
application and user. OpenSSL maintains an internal linked list of
-\&\*(L"visible\*(R" ENGINEs from which it has to operate \- at start-up, this list is
-empty and in fact if an application does not call any \s-1ENGINE API\s0 calls and
+"visible" ENGINEs from which it has to operate \- at start-up, this list is
+empty and in fact if an application does not call any ENGINE API calls and
it uses static linking against openssl, then the resulting application
-binary will not contain any alternative \s-1ENGINE\s0 code at all. So the first
-consideration is whether any/all available \s-1ENGINE\s0 implementations should be
-made visible to OpenSSL \- this is controlled by calling the various \*(L"load\*(R"
+binary will not contain any alternative ENGINE code at all. So the first
+consideration is whether any/all available ENGINE implementations should be
+made visible to OpenSSL \- this is controlled by calling the various "load"
functions.
.PP
The fact that ENGINEs are made visible to OpenSSL (and thus are linked into
the program and loaded into memory at run-time) does not mean they are
-\&\*(L"registered\*(R" or called into use by OpenSSL automatically \- that behaviour
+"registered" or called into use by OpenSSL automatically \- that behaviour
is something for the application to control. Some applications
-will want to allow the user to specify exactly which \s-1ENGINE\s0 they want used
+will want to allow the user to specify exactly which ENGINE they want used
if any is to be used at all. Others may prefer to load all support and have
-OpenSSL automatically use at run-time any \s-1ENGINE\s0 that is able to
+OpenSSL automatically use at run-time any ENGINE that is able to
successfully initialise \- i.e. to assume that this corresponds to
acceleration hardware attached to the machine or some such thing. There are
probably numerous other ways in which applications may prefer to handle
@@ -480,17 +405,17 @@ things, so we will simply illustrate the consequences as they apply to a
couple of simple cases and leave developers to consider these and the
source code to openssl's built-in utilities as guides.
.PP
-If no \s-1ENGINE API\s0 functions are called within an application, then OpenSSL
+If no ENGINE API functions are called within an application, then OpenSSL
will not allocate any internal resources. Prior to OpenSSL 1.1.0, however,
if any ENGINEs are loaded, even if not registered or used, it was necessary to
call \fBENGINE_cleanup()\fR before the program exits.
.PP
-\&\fIUsing a specific \s-1ENGINE\s0 implementation\fR
+\&\fIUsing a specific ENGINE implementation\fR
.PP
Here we'll assume an application has been configured by its user or admin
-to want to use the \*(L"\s-1ACME\*(R" ENGINE\s0 if it is available in the version of
+to want to use the "ACME" ENGINE if it is available in the version of
OpenSSL the application was compiled with. If it is available, it should be
-used by default for all \s-1RSA, DSA,\s0 and symmetric cipher operations, otherwise
+used by default for all RSA, DSA, and symmetric cipher operations, otherwise
OpenSSL should use its built-in software as per usual. The following code
illustrates how to approach this;
.PP
@@ -521,11 +446,11 @@ illustrates how to approach this;
\& ENGINE_free(e);
.Ve
.PP
-\&\fIAutomatically using built-in \s-1ENGINE\s0 implementations\fR
+\&\fIAutomatically using built-in ENGINE implementations\fR
.PP
-Here we'll assume we want to load and register all \s-1ENGINE\s0 implementations
+Here we'll assume we want to load and register all ENGINE implementations
bundled with OpenSSL, such that for any cryptographic algorithm required by
-OpenSSL \- if there is an \s-1ENGINE\s0 that implements it and can be initialised,
+OpenSSL \- if there is an ENGINE that implements it and can be initialised,
it should be used. The following code illustrates how this can work;
.PP
.Vb 4
@@ -536,22 +461,22 @@ it should be used. The following code illustrates how this can work;
.Ve
.PP
That's all that's required. Eg. the next time OpenSSL tries to set up an
-\&\s-1RSA\s0 key, any bundled ENGINEs that implement \s-1RSA_METHOD\s0 will be passed to
-\&\fBENGINE_init()\fR and if any of those succeed, that \s-1ENGINE\s0 will be set as the
-default for \s-1RSA\s0 use from then on.
+RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to
+\&\fBENGINE_init()\fR and if any of those succeed, that ENGINE will be set as the
+default for RSA use from then on.
.SS "Advanced configuration support"
.IX Subsection "Advanced configuration support"
-There is a mechanism supported by the \s-1ENGINE\s0 framework that allows each
-\&\s-1ENGINE\s0 implementation to define an arbitrary set of configuration
-\&\*(L"commands\*(R" and expose them to OpenSSL and any applications based on
+There is a mechanism supported by the ENGINE framework that allows each
+ENGINE implementation to define an arbitrary set of configuration
+"commands" and expose them to OpenSSL and any applications based on
OpenSSL. This mechanism is entirely based on the use of name-value pairs
-and assumes \s-1ASCII\s0 input (no unicode or \s-1UTF\s0 for now!), so it is ideal if
+and assumes ASCII input (no unicode or UTF for now!), so it is ideal if
applications want to provide a transparent way for users to provide
-arbitrary configuration \*(L"directives\*(R" directly to such ENGINEs. It is also
-possible for the application to dynamically interrogate the loaded \s-1ENGINE\s0
+arbitrary configuration "directives" directly to such ENGINEs. It is also
+possible for the application to dynamically interrogate the loaded ENGINE
implementations for the names, descriptions, and input flags of their
-available \*(L"control commands\*(R", providing a more flexible configuration
-scheme. However, if the user is expected to know which \s-1ENGINE\s0 device he/she
+available "control commands", providing a more flexible configuration
+scheme. However, if the user is expected to know which ENGINE device he/she
is using (in the case of specialised hardware, this goes without saying)
then applications may not need to concern themselves with discovering the
supported control commands and simply prefer to pass settings into ENGINEs
@@ -565,24 +490,24 @@ so that it can be initialised for use. This could include the path to any
driver or config files it needs to load, required network addresses,
smart-card identifiers, passwords to initialise protected devices,
logging information, etc etc. This class of commands typically needs to be
-passed to an \s-1ENGINE\s0 \fBbefore\fR attempting to initialise it, i.e. before
+passed to an ENGINE \fBbefore\fR attempting to initialise it, i.e. before
calling \fBENGINE_init()\fR. The other class of commands consist of settings or
operations that tweak certain behaviour or cause certain operations to take
place, and these commands may work either before or after \fBENGINE_init()\fR, or
-in some cases both. \s-1ENGINE\s0 implementations should provide indications of
+in some cases both. ENGINE implementations should provide indications of
this in the descriptions attached to built-in control commands and/or in
external product documentation.
.PP
-\&\fIIssuing control commands to an \s-1ENGINE\s0\fR
+\&\fIIssuing control commands to an ENGINE\fR
.PP
Let's illustrate by example; a function for which the caller supplies the
-name of the \s-1ENGINE\s0 it wishes to use, a table of string-pairs for use before
+name of the ENGINE it wishes to use, a table of string-pairs for use before
initialisation, and another table for use after initialisation. Note that
-the string-pairs used for control commands consist of a command \*(L"name\*(R"
-followed by the command \*(L"parameter\*(R" \- the parameter could be \s-1NULL\s0 in some
-cases but the name can not. This function should initialise the \s-1ENGINE\s0
-(issuing the \*(L"pre\*(R" commands beforehand and the \*(L"post\*(R" commands afterwards)
-and set it as the default for everything except \s-1RAND\s0 and then return a
+the string-pairs used for control commands consist of a command "name"
+followed by the command "parameter" \- the parameter could be NULL in some
+cases but the name can not. This function should initialise the ENGINE
+(issuing the "pre" commands beforehand and the "post" commands afterwards)
+and set it as the default for everything except RAND and then return a
boolean success or failure.
.PP
.Vb 10
@@ -628,26 +553,26 @@ boolean success or failure.
.PP
Note that \fBENGINE_ctrl_cmd_string()\fR accepts a boolean argument that can
relax the semantics of the function \- if set nonzero it will only return
-failure if the \s-1ENGINE\s0 supported the given command name but failed while
-executing it, if the \s-1ENGINE\s0 doesn't support the command name it will simply
+failure if the ENGINE supported the given command name but failed while
+executing it, if the ENGINE doesn't support the command name it will simply
return success without doing anything. In this case we assume the user is
-only supplying commands specific to the given \s-1ENGINE\s0 so we set this to
-\&\s-1FALSE.\s0
+only supplying commands specific to the given ENGINE so we set this to
+FALSE.
.PP
\&\fIDiscovering supported control commands\fR
.PP
It is possible to discover at run-time the names, numerical-ids, descriptions
-and input parameters of the control commands supported by an \s-1ENGINE\s0 using a
+and input parameters of the control commands supported by an ENGINE using a
structural reference. Note that some control commands are defined by OpenSSL
itself and it will intercept and handle these control commands on behalf of the
-\&\s-1ENGINE,\s0 i.e. the \s-1ENGINE\s0's \fBctrl()\fR handler is not used for the control command.
-\&\fI<openssl/engine.h>\fR defines an index, \s-1ENGINE_CMD_BASE,\s0 that all control
+ENGINE, i.e. the ENGINE's \fBctrl()\fR handler is not used for the control command.
+\&\fI<openssl/engine.h>\fR defines an index, ENGINE_CMD_BASE, that all control
commands implemented by ENGINEs should be numbered from. Any command value
-lower than this symbol is considered a \*(L"generic\*(R" command is handled directly
+lower than this symbol is considered a "generic" command is handled directly
by the OpenSSL core routines.
.PP
-It is using these \*(L"core\*(R" control commands that one can discover the control
-commands implemented by a given \s-1ENGINE,\s0 specifically the commands:
+It is using these "core" control commands that one can discover the control
+commands implemented by a given ENGINE, specifically the commands:
.PP
.Vb 9
\& ENGINE_HAS_CTRL_FUNCTION
@@ -662,14 +587,14 @@ commands implemented by a given \s-1ENGINE,\s0 specifically the commands:
.Ve
.PP
Whilst these commands are automatically processed by the OpenSSL framework code,
-they use various properties exposed by each \s-1ENGINE\s0 to process these
-queries. An \s-1ENGINE\s0 has 3 properties it exposes that can affect how this behaves;
-it can supply a \fBctrl()\fR handler, it can specify \s-1ENGINE_FLAGS_MANUAL_CMD_CTRL\s0 in
-the \s-1ENGINE\s0's flags, and it can expose an array of control command descriptions.
-If an \s-1ENGINE\s0 specifies the \s-1ENGINE_FLAGS_MANUAL_CMD_CTRL\s0 flag, then it will
-simply pass all these \*(L"core\*(R" control commands directly to the \s-1ENGINE\s0's \fBctrl()\fR
-handler (and thus, it must have supplied one), so it is up to the \s-1ENGINE\s0 to
-reply to these \*(L"discovery\*(R" commands itself. If that flag is not set, then the
+they use various properties exposed by each ENGINE to process these
+queries. An ENGINE has 3 properties it exposes that can affect how this behaves;
+it can supply a \fBctrl()\fR handler, it can specify ENGINE_FLAGS_MANUAL_CMD_CTRL in
+the ENGINE's flags, and it can expose an array of control command descriptions.
+If an ENGINE specifies the ENGINE_FLAGS_MANUAL_CMD_CTRL flag, then it will
+simply pass all these "core" control commands directly to the ENGINE's \fBctrl()\fR
+handler (and thus, it must have supplied one), so it is up to the ENGINE to
+reply to these "discovery" commands itself. If that flag is not set, then the
OpenSSL framework code will work with the following rules:
.PP
.Vb 9
@@ -684,17 +609,17 @@ OpenSSL framework code will work with the following rules:
\& all other commands proceed processing ...
.Ve
.PP
-If the \s-1ENGINE\s0's array of control commands is empty then all other commands will
-fail, otherwise; \s-1ENGINE_CTRL_GET_FIRST_CMD_TYPE\s0 returns the identifier of
-the first command supported by the \s-1ENGINE, ENGINE_GET_NEXT_CMD_TYPE\s0 takes the
-identifier of a command supported by the \s-1ENGINE\s0 and returns the next command
-identifier or fails if there are no more, \s-1ENGINE_CMD_FROM_NAME\s0 takes a string
+If the ENGINE's array of control commands is empty then all other commands will
+fail, otherwise; ENGINE_CTRL_GET_FIRST_CMD_TYPE returns the identifier of
+the first command supported by the ENGINE, ENGINE_GET_NEXT_CMD_TYPE takes the
+identifier of a command supported by the ENGINE and returns the next command
+identifier or fails if there are no more, ENGINE_CMD_FROM_NAME takes a string
name for a command and returns the corresponding identifier or fails if no such
command name exists, and the remaining commands take a command identifier and
return properties of the corresponding commands. All except
-\&\s-1ENGINE_CTRL_GET_FLAGS\s0 return the string length of a command name or description,
+ENGINE_CTRL_GET_FLAGS return the string length of a command name or description,
or populate a supplied character buffer with a copy of the command name or
-description. \s-1ENGINE_CTRL_GET_FLAGS\s0 returns a bitwise-OR'd mask of the following
+description. ENGINE_CTRL_GET_FLAGS returns a bitwise-OR'd mask of the following
possible values:
.PP
.Vb 4
@@ -704,37 +629,37 @@ possible values:
\& ENGINE_CMD_FLAG_INTERNAL
.Ve
.PP
-If the \s-1ENGINE_CMD_FLAG_INTERNAL\s0 flag is set, then any other flags are purely
+If the ENGINE_CMD_FLAG_INTERNAL flag is set, then any other flags are purely
informational to the caller \- this flag will prevent the command being usable
-for any higher-level \s-1ENGINE\s0 functions such as \fBENGINE_ctrl_cmd_string()\fR.
-\&\*(L"\s-1INTERNAL\*(R"\s0 commands are not intended to be exposed to text-based configuration
+for any higher-level ENGINE functions such as \fBENGINE_ctrl_cmd_string()\fR.
+"INTERNAL" commands are not intended to be exposed to text-based configuration
by applications, administrations, users, etc. These can support arbitrary
operations via \fBENGINE_ctrl()\fR, including passing to and/or from the control
commands data of any arbitrary type. These commands are supported in the
-discovery mechanisms simply to allow applications to determine if an \s-1ENGINE\s0
-supports certain specific commands it might want to use (e.g. application \*(L"foo\*(R"
-might query various ENGINEs to see if they implement \*(L"\s-1FOO_GET_VENDOR_LOGO_GIF\*(R"\s0 \-
-and \s-1ENGINE\s0 could therefore decide whether or not to support this \*(L"foo\*(R"\-specific
+discovery mechanisms simply to allow applications to determine if an ENGINE
+supports certain specific commands it might want to use (e.g. application "foo"
+might query various ENGINEs to see if they implement "FOO_GET_VENDOR_LOGO_GIF" \-
+and ENGINE could therefore decide whether or not to support this "foo"\-specific
extension).
-.SH "ENVIRONMENT"
+.SH ENVIRONMENT
.IX Header "ENVIRONMENT"
-.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
+.IP \fBOPENSSL_ENGINES\fR 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory.
Ignored in set-user-ID and set-group-ID programs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBENGINE_get_first()\fR, \fBENGINE_get_last()\fR, \fBENGINE_get_next()\fR and \fBENGINE_get_prev()\fR
-return a valid \fB\s-1ENGINE\s0\fR structure or \s-1NULL\s0 if an error occurred.
+return a valid \fBENGINE\fR structure or NULL if an error occurred.
.PP
\&\fBENGINE_add()\fR and \fBENGINE_remove()\fR return 1 on success or 0 on error.
.PP
-\&\fBENGINE_by_id()\fR returns a valid \fB\s-1ENGINE\s0\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBENGINE_by_id()\fR returns a valid \fBENGINE\fR structure or NULL if an error occurred.
.PP
\&\fBENGINE_init()\fR and \fBENGINE_finish()\fR return 1 on success or 0 on error.
.PP
All \fBENGINE_get_default_TYPE()\fR functions, \fBENGINE_get_cipher_engine()\fR and
-\&\fBENGINE_get_digest_engine()\fR return a valid \fB\s-1ENGINE\s0\fR structure on success or \s-1NULL\s0
+\&\fBENGINE_get_digest_engine()\fR return a valid \fBENGINE\fR structure on success or NULL
if an error occurred.
.PP
All \fBENGINE_set_default_TYPE()\fR functions return 1 on success or 0 on error.
@@ -743,7 +668,7 @@ All \fBENGINE_set_default_TYPE()\fR functions return 1 on success or 0 on error.
.PP
\&\fBENGINE_get_table_flags()\fR returns an unsigned integer value representing the
global table flags which are used to control the registration behaviour of
-\&\fB\s-1ENGINE\s0\fR implementations.
+\&\fBENGINE\fR implementations.
.PP
All \fBENGINE_register_TYPE()\fR functions return 1 on success or 0 on error.
.PP
@@ -755,7 +680,7 @@ All \fBENGINE_register_TYPE()\fR functions return 1 on success or 0 on error.
.PP
\&\fBENGINE_ctrl_cmd()\fR and \fBENGINE_ctrl_cmd_string()\fR return 1 on success or 0 on error.
.PP
-\&\fBENGINE_new()\fR returns a valid \fB\s-1ENGINE\s0\fR structure on success or \s-1NULL\s0 if an error
+\&\fBENGINE_new()\fR returns a valid \fBENGINE\fR structure on success or NULL if an error
occurred.
.PP
\&\fBENGINE_free()\fR always returns 1.
@@ -767,7 +692,7 @@ occurred.
All other \fBENGINE_set_*\fR functions return 1 on success or 0 on error.
.PP
\&\fBENGINE_get_id()\fR and \fBENGINE_get_name()\fR return a string representing the identifier
-and the name of the \s-1ENGINE\s0 \fBe\fR respectively.
+and the name of the ENGINE \fBe\fR respectively.
.PP
\&\fBENGINE_get_RSA()\fR, \fBENGINE_get_DSA()\fR, \fBENGINE_get_DH()\fR and \fBENGINE_get_RAND()\fR
return corresponding method structures for each algorithms.
@@ -778,36 +703,36 @@ return corresponding method structures for each algorithms.
\&\fBENGINE_get_ciphers()\fR and \fBENGINE_get_digests()\fR return corresponding function
pointers of the callbacks.
.PP
-\&\fBENGINE_get_cipher()\fR returns a valid \fB\s-1EVP_CIPHER\s0\fR structure on success or \s-1NULL\s0
+\&\fBENGINE_get_cipher()\fR returns a valid \fBEVP_CIPHER\fR structure on success or NULL
if an error occurred.
.PP
-\&\fBENGINE_get_digest()\fR returns a valid \fB\s-1EVP_MD\s0\fR structure on success or \s-1NULL\s0 if an
+\&\fBENGINE_get_digest()\fR returns a valid \fBEVP_MD\fR structure on success or NULL if an
error occurred.
.PP
-\&\fBENGINE_get_flags()\fR returns an integer representing the \s-1ENGINE\s0 flags which are
-used to control various behaviours of an \s-1ENGINE.\s0
+\&\fBENGINE_get_flags()\fR returns an integer representing the ENGINE flags which are
+used to control various behaviours of an ENGINE.
.PP
-\&\fBENGINE_get_cmd_defns()\fR returns an \fB\s-1ENGINE_CMD_DEFN\s0\fR structure or \s-1NULL\s0 if it's
+\&\fBENGINE_get_cmd_defns()\fR returns an \fBENGINE_CMD_DEFN\fR structure or NULL if it's
not set.
.PP
-\&\fBENGINE_load_private_key()\fR and \fBENGINE_load_public_key()\fR return a valid \fB\s-1EVP_PKEY\s0\fR
-structure on success or \s-1NULL\s0 if an error occurred.
+\&\fBENGINE_load_private_key()\fR and \fBENGINE_load_public_key()\fR return a valid \fBEVP_PKEY\fR
+structure on success or NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_crypto\fR\|(3), \fBRSA_new_method\fR\|(3), \fBDSA_new\fR\|(3), \fBDH_new\fR\|(3),
\&\fBRAND_bytes\fR\|(3), \fBconfig\fR\|(5)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
\&\fBENGINE_cleanup()\fR was deprecated in OpenSSL 1.1.0 by the automatic cleanup
done by \fBOPENSSL_cleanup()\fR
and should not be used.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3
index d33d00924c01..9dee3a385bd3 100644
--- a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3
+++ b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_GET_LIB 3ossl"
-.TH ERR_GET_LIB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_GET_LIB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_GET_LIB, ERR_GET_REASON, ERR_FATAL_ERROR
\&\- get information from error codes
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -150,13 +74,13 @@ ERR_GET_LIB, ERR_GET_REASON, ERR_FATAL_ERROR
\&
\& int ERR_FATAL_ERROR(unsigned long e);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The error code returned by \fBERR_get_error()\fR consists of a library
-number and reason code. \s-1\fBERR_GET_LIB\s0()\fR
-and \s-1\fBERR_GET_REASON\s0()\fR can be used to extract these.
+number and reason code. \fBERR_GET_LIB()\fR
+and \fBERR_GET_REASON()\fR can be used to extract these.
.PP
-\&\s-1\fBERR_FATAL_ERROR\s0()\fR indicates whether a given error code is a fatal error.
+\&\fBERR_FATAL_ERROR()\fR indicates whether a given error code is a fatal error.
.PP
The library number describes where the error
occurred, the reason code is the information about what went wrong.
@@ -165,17 +89,17 @@ Each sub-library of OpenSSL has a unique library number; the
reason code is unique within each sub-library. Note that different
libraries may use the same value to signal different reasons.
.PP
-\&\fB\s-1ERR_R_...\s0\fR reason codes such as \fB\s-1ERR_R_MALLOC_FAILURE\s0\fR are globally
+\&\fBERR_R_...\fR reason codes such as \fBERR_R_MALLOC_FAILURE\fR are globally
unique. However, when checking for sub-library specific reason codes,
be sure to also compare the library number.
.PP
-\&\s-1\fBERR_GET_LIB\s0()\fR, \s-1\fBERR_GET_REASON\s0()\fR, and \s-1\fBERR_FATAL_ERROR\s0()\fR are macros.
+\&\fBERR_GET_LIB()\fR, \fBERR_GET_REASON()\fR, and \fBERR_FATAL_ERROR()\fR are macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The library number, reason code, and whether the error
is fatal, respectively.
Starting with OpenSSL 3.0.0, the function code is always set to zero.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Applications should not make control flow decisions based on specific error
codes. Error codes are subject to change at any time (even in patch releases of
@@ -185,16 +109,16 @@ still appear at any time.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\s-1\fBERR_GET_LIB\s0()\fR and \s-1\fBERR_GET_REASON\s0()\fR are available in all versions of OpenSSL.
+\&\fBERR_GET_LIB()\fR and \fBERR_GET_REASON()\fR are available in all versions of OpenSSL.
.PP
-\&\s-1\fBERR_GET_FUNC\s0()\fR was removed in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBERR_GET_FUNC()\fR was removed in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_clear_error.3 b/secure/lib/libcrypto/man/man3/ERR_clear_error.3
index 9372f05de9e2..bab587356b09 100644
--- a/secure/lib/libcrypto/man/man3/ERR_clear_error.3
+++ b/secure/lib/libcrypto/man/man3/ERR_clear_error.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_CLEAR_ERROR 3ossl"
-.TH ERR_CLEAR_ERROR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_CLEAR_ERROR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_clear_error \- clear the error queue
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& void ERR_clear_error(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_clear_error()\fR empties the current thread's error queue.
.SH "RETURN VALUES"
@@ -154,11 +78,11 @@ ERR_clear_error \- clear the error queue
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_error_string.3 b/secure/lib/libcrypto/man/man3/ERR_error_string.3
index 7819eeebe7c6..77c2a1a7cb89 100644
--- a/secure/lib/libcrypto/man/man3/ERR_error_string.3
+++ b/secure/lib/libcrypto/man/man3/ERR_error_string.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_ERROR_STRING 3ossl"
-.TH ERR_ERROR_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_ERROR_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_error_string, ERR_error_string_n, ERR_lib_error_string,
ERR_func_error_string, ERR_reason_error_string \- obtain human\-readable
error message
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -157,11 +81,11 @@ Deprecated in OpenSSL 3.0:
.Vb 1
\& const char *ERR_func_error_string(unsigned long e);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_error_string()\fR generates a human-readable string representing the
error code \fIe\fR, and places it at \fIbuf\fR. \fIbuf\fR must be at least 256
-bytes long. If \fIbuf\fR is \fB\s-1NULL\s0\fR, the error string is placed in a
+bytes long. If \fIbuf\fR is \fBNULL\fR, the error string is placed in a
static buffer.
Note that this function is not thread-safe and does no checks on the size
of the buffer; use \fBERR_error_string_n()\fR instead.
@@ -169,7 +93,7 @@ of the buffer; use \fBERR_error_string_n()\fR instead.
\&\fBERR_error_string_n()\fR is a variant of \fBERR_error_string()\fR that writes
at most \fIlen\fR characters (including the terminating 0)
and truncates the string if necessary.
-For \fBERR_error_string_n()\fR, \fIbuf\fR may not be \fB\s-1NULL\s0\fR.
+For \fBERR_error_string_n()\fR, \fIbuf\fR \fBMUST NOT\fR be NULL.
.PP
The string will have the following format:
.PP
@@ -178,7 +102,7 @@ The string will have the following format:
.Ve
.PP
\&\fIerror code\fR is an 8 digit hexadecimal number, \fIlibrary name\fR and
-\&\fIreason string\fR are \s-1ASCII\s0 text.
+\&\fIreason string\fR are ASCII text.
.PP
\&\fBERR_lib_error_string()\fR and \fBERR_reason_error_string()\fR return the library
name and reason string respectively.
@@ -191,24 +115,24 @@ all error codes currently in the queue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_error_string()\fR returns a pointer to a static buffer containing the
-string if \fIbuf\fR \fB== \s-1NULL\s0\fR, \fIbuf\fR otherwise.
+string if \fIbuf\fR \fB== NULL\fR, \fIbuf\fR otherwise.
.PP
\&\fBERR_lib_error_string()\fR and \fBERR_reason_error_string()\fR return the strings,
-and \fB\s-1NULL\s0\fR if none is registered for the error code.
+and \fBNULL\fR if none is registered for the error code.
.PP
-\&\fBERR_func_error_string()\fR returns \s-1NULL.\s0
+\&\fBERR_func_error_string()\fR returns NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBERR_print_errors\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBERR_func_error_string()\fR became deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_get_error.3 b/secure/lib/libcrypto/man/man3/ERR_get_error.3
index 9d5b89358564..b23e40f236aa 100644
--- a/secure/lib/libcrypto/man/man3/ERR_get_error.3
+++ b/secure/lib/libcrypto/man/man3/ERR_get_error.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_GET_ERROR 3ossl"
-.TH ERR_GET_ERROR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_GET_ERROR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_get_error, ERR_peek_error, ERR_peek_last_error,
ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line,
ERR_peek_error_func, ERR_peek_last_error_func,
@@ -144,7 +68,7 @@ ERR_peek_error_data, ERR_peek_last_error_data,
ERR_get_error_all, ERR_peek_error_all, ERR_peek_last_error_all,
ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data
\&\- obtain error code and data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -174,7 +98,7 @@ ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 7
@@ -186,7 +110,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& unsigned long ERR_peek_last_error_line_data(const char **file, int *line,
\& const char **data, int *flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_get_error()\fR returns the earliest error code from the thread's error
queue and removes the entry. This function can be called repeatedly
@@ -198,18 +122,18 @@ error queue without modifying it.
\&\fBERR_peek_last_error()\fR returns the latest error code from the thread's
error queue without modifying it.
.PP
-See \s-1\fBERR_GET_LIB\s0\fR\|(3) for obtaining further specific information
+See \fBERR_GET_LIB\fR\|(3) for obtaining further specific information
such as the reason of the error,
and \fBERR_error_string\fR\|(3) for human-readable error messages.
.PP
\&\fBERR_get_error_all()\fR is the same as \fBERR_get_error()\fR, but on success it
additionally stores the filename, line number and function where the error
occurred in *\fIfile\fR, *\fIline\fR and *\fIfunc\fR, and also extra text and flags
-in *\fIdata\fR, *\fIflags\fR. If any of those parameters are \s-1NULL,\s0 it will not
+in *\fIdata\fR, *\fIflags\fR. If any of those parameters are NULL, it will not
be changed.
-An unset filename is indicated as "\*(L", i.e. an empty string.
+An unset filename is indicated as "", i.e. an empty string.
An unset line number is indicated as 0.
-An unset function name is indicated as \*(R"", i.e. an empty string.
+An unset function name is indicated as "", i.e. an empty string.
.PP
A pointer returned this way by these functions and the ones below
is valid until the respective entry is overwritten in the error queue.
@@ -217,23 +141,23 @@ is valid until the respective entry is overwritten in the error queue.
\&\fBERR_peek_error_line()\fR and \fBERR_peek_last_error_line()\fR are the same as
\&\fBERR_peek_error()\fR and \fBERR_peek_last_error()\fR, but on success they additionally
store the filename and line number where the error occurred in *\fIfile\fR and
-*\fIline\fR, as far as they are not \s-1NULL.\s0
+*\fIline\fR, as far as they are not NULL.
An unset filename is indicated as "", i.e., an empty string.
An unset line number is indicated as 0.
.PP
\&\fBERR_peek_error_func()\fR and \fBERR_peek_last_error_func()\fR are the same as
\&\fBERR_peek_error()\fR and \fBERR_peek_last_error()\fR, but on success they additionally
store the name of the function where the error occurred in *\fIfunc\fR, unless
-it is \s-1NULL.\s0
+it is NULL.
An unset function name is indicated as "".
.PP
\&\fBERR_peek_error_data()\fR and \fBERR_peek_last_error_data()\fR are the same as
\&\fBERR_peek_error()\fR and \fBERR_peek_last_error()\fR, but on success they additionally
store additional data and flags associated with the error code in *\fIdata\fR
-and *\fIflags\fR, as far as they are not \s-1NULL.\s0
+and *\fIflags\fR, as far as they are not NULL.
Unset data is indicated as "".
In this case the value given for the flag is irrelevant (and equals 0).
-*\fIdata\fR contains a string if *\fIflags\fR&\fB\s-1ERR_TXT_STRING\s0\fR is true.
+*\fIdata\fR contains a string if *\fIflags\fR&\fBERR_TXT_STRING\fR is true.
.PP
\&\fBERR_peek_error_all()\fR and \fBERR_peek_last_error_all()\fR are combinations of all
of the above.
@@ -243,7 +167,7 @@ and \fBERR_peek_last_error_line_data()\fR are older variants of \fBERR_get_error
\&\fBERR_peek_error_all()\fR and \fBERR_peek_last_error_all()\fR, and may give confusing
results. They should no longer be used and are therefore deprecated.
.PP
-An application \fB\s-1MUST NOT\s0\fR free the *\fIdata\fR pointer (or any other pointers
+An application \fBMUST NOT\fR free the *\fIdata\fR pointer (or any other pointers
returned by these functions) with \fBOPENSSL_free()\fR as freeing is handled
automatically by the error library.
.SH "RETURN VALUES"
@@ -252,8 +176,8 @@ The error code, or 0 if there is no error in the queue.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_error_string\fR\|(3),
-\&\s-1\fBERR_GET_LIB\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBERR_GET_LIB\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBERR_peek_error_func()\fR, \fBERR_peek_last_error_func()\fR,
\&\fBERR_peek_error_data()\fR, \fBERR_peek_last_error_data()\fR,
@@ -262,11 +186,11 @@ were added in OpenSSL 3.0.
.PP
\&\fBERR_get_error_line()\fR, \fBERR_get_error_line_data()\fR, \fBERR_peek_error_line_data()\fR
and \fBERR_peek_last_error_line_data()\fR became deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3
index ddbd9c4c2905..c50d7c829040 100644
--- a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3
+++ b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_LOAD_CRYPTO_STRINGS 3ossl"
-.TH ERR_LOAD_CRYPTO_STRINGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_LOAD_CRYPTO_STRINGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings \-
load and free error strings
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
The following functions have been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -155,7 +79,7 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& void SSL_load_error_strings(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_load_crypto_strings()\fR registers the error strings for all
\&\fBlibcrypto\fR functions. \fBSSL_load_error_strings()\fR does the same,
@@ -170,16 +94,16 @@ In versions prior to OpenSSL 1.1.0,
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_error_string\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBERR_load_crypto_strings()\fR, \fBSSL_load_error_strings()\fR, and
\&\fBERR_free_strings()\fR functions were deprecated in OpenSSL 1.1.0 by
\&\fBOPENSSL_init_crypto()\fR and \fBOPENSSL_init_ssl()\fR and should not be used.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_load_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_strings.3
index f66cda082de5..85191a34ad95 100644
--- a/secure/lib/libcrypto/man/man3/ERR_load_strings.3
+++ b/secure/lib/libcrypto/man/man3/ERR_load_strings.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_LOAD_STRINGS 3ossl"
-.TH ERR_LOAD_STRINGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_LOAD_STRINGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_load_strings, ERR_PACK, ERR_get_next_error_library \- load
arbitrary error strings
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -150,7 +74,7 @@ arbitrary error strings
\&
\& unsigned long ERR_PACK(int lib, int func, int reason);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_load_strings()\fR registers error strings for library number \fBlib\fR.
.PP
@@ -165,8 +89,8 @@ arbitrary error strings
.Ve
.PP
The error code is generated from the library number and a function and
-reason code: \fBerror\fR = \s-1ERR_PACK\s0(\fBlib\fR, \fBfunc\fR, \fBreason\fR).
-\&\s-1\fBERR_PACK\s0()\fR is a macro.
+reason code: \fBerror\fR = ERR_PACK(\fBlib\fR, \fBfunc\fR, \fBreason\fR).
+\&\fBERR_PACK()\fR is a macro.
.PP
The last entry in the array is {0,0}.
.PP
@@ -174,17 +98,17 @@ The last entry in the array is {0,0}.
to user libraries at run time.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBERR_load_strings()\fR returns 1 for success and 0 for failure. \s-1\fBERR_PACK\s0()\fR returns the error code.
+\&\fBERR_load_strings()\fR returns 1 for success and 0 for failure. \fBERR_PACK()\fR returns the error code.
\&\fBERR_get_next_error_library()\fR returns zero on failure, otherwise a new
library number.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_load_strings\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_new.3 b/secure/lib/libcrypto/man/man3/ERR_new.3
index c3d014bac8ef..6e21d7b4226e 100644
--- a/secure/lib/libcrypto/man/man3/ERR_new.3
+++ b/secure/lib/libcrypto/man/man3/ERR_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_NEW 3ossl"
-.TH ERR_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_new, ERR_set_debug, ERR_set_error, ERR_vset_error
\&\- Error recording building blocks
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -149,7 +73,7 @@ ERR_new, ERR_set_debug, ERR_set_error, ERR_vset_error
\& void ERR_set_error(int lib, int reason, const char *fmt, ...);
\& void ERR_vset_error(int lib, int reason, const char *fmt, va_list args);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions described here are generally not used directly, but
rather through macros such as \fBERR_raise\fR\|(3).
@@ -179,7 +103,7 @@ argument instead of a variable number of arguments.
.IX Header "RETURN VALUES"
ERR_new, ERR_set_debug, ERR_set_error and ERR_vset_error
do not return any values.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The library number is unique to each unit that records errors.
OpenSSL has a number of preallocated ones for its own uses, but
@@ -197,11 +121,11 @@ see \fBprovider\-base\fR\|(7).
.IX Header "SEE ALSO"
\&\fBERR_raise\fR\|(3), \fBERR_get_next_error_library\fR\|(3),
\&\fBERR_load_strings\fR\|(3), \fBBIO_snprintf\fR\|(3), \fBprovider\-base\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_print_errors.3 b/secure/lib/libcrypto/man/man3/ERR_print_errors.3
index b4d9af4b0b8c..00c7e914c6c7 100644
--- a/secure/lib/libcrypto/man/man3/ERR_print_errors.3
+++ b/secure/lib/libcrypto/man/man3/ERR_print_errors.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_PRINT_ERRORS 3ossl"
-.TH ERR_PRINT_ERRORS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_PRINT_ERRORS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_print_errors, ERR_print_errors_fp, ERR_print_errors_cb
\&\- print error messages
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -149,14 +73,14 @@ ERR_print_errors, ERR_print_errors_fp, ERR_print_errors_cb
\& void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
\& void *u);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_print_errors()\fR is a convenience function that prints the error
strings for all errors that OpenSSL has recorded to \fBbp\fR, thus
emptying the error queue.
.PP
\&\fBERR_print_errors_fp()\fR is the same, except that the output goes to a
-\&\fB\s-1FILE\s0\fR.
+\&\fBFILE\fR.
.PP
\&\fBERR_print_errors_cb()\fR is the same, except that the callback function,
\&\fBcb\fR, is called for each error line with the string, length, and userdata
@@ -169,7 +93,7 @@ The error strings will have the following format:
.Ve
.PP
\&\fIerror code\fR is an 8 digit hexadecimal number. \fIlibrary name\fR,
-\&\fIfunction name\fR and \fIreason string\fR are \s-1ASCII\s0 text, as is \fIoptional
+\&\fIfunction name\fR and \fIreason string\fR are ASCII text, as is \fIoptional
text message\fR if one was set for the respective error code.
.PP
If there is no text string registered for the given error code,
@@ -181,11 +105,11 @@ the error string will contain the numeric code.
.IX Header "SEE ALSO"
\&\fBERR_error_string\fR\|(3),
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_put_error.3 b/secure/lib/libcrypto/man/man3/ERR_put_error.3
index 8c01af8c592b..81aaf9d8b7dc 100644
--- a/secure/lib/libcrypto/man/man3/ERR_put_error.3
+++ b/secure/lib/libcrypto/man/man3/ERR_put_error.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_PUT_ERROR 3ossl"
-.TH ERR_PUT_ERROR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_PUT_ERROR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_raise, ERR_raise_data,
ERR_put_error, ERR_add_error_data, ERR_add_error_vdata,
ERR_add_error_txt, ERR_add_error_mem_bio
\&\- record an error
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -156,13 +80,13 @@ ERR_add_error_txt, ERR_add_error_mem_bio
.Ve
.PP
The following function has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void ERR_put_error(int lib, int func, int reason, const char *file, int line);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_raise()\fR adds a new error to the thread's error queue. The
error occurred in the library \fBlib\fR for the reason given by the
@@ -187,16 +111,16 @@ The total length of the string data per error is limited to 4096 characters.
.PP
\&\fBERR_add_error_txt()\fR appends the given text string as additional data to the
last error queue entry, after inserting the optional separator string if it is
-not \s-1NULL\s0 and the top error entry does not yet have additional data.
+not NULL and the top error entry does not yet have additional data.
In case the separator is at the end of the text it is not appended to the data.
-The \fBsep\fR argument may be for instance \*(L"\en\*(R" to insert a line break when needed.
+The \fBsep\fR argument may be for instance "\en" to insert a line break when needed.
If the associated data would become more than 4096 characters long
(which is the limit given above)
it is split over sufficiently many new copies of the last error queue entry.
.PP
\&\fBERR_add_error_mem_bio()\fR is the same as \fBERR_add_error_txt()\fR except that
-the text string is taken from the given memory \s-1BIO.\s0
-It appends '\e0' to the \s-1BIO\s0 contents if not already NUL-terminated.
+the text string is taken from the given memory BIO.
+It appends '\e0' to the BIO contents if not already NUL-terminated.
.PP
\&\fBERR_load_strings\fR\|(3) can be used to register
error strings so that the application can a generate human-readable
@@ -206,31 +130,31 @@ error messages for the error code.
\fIOpenSSL library reports\fR
.IX Subsection "OpenSSL library reports"
.PP
-Each OpenSSL sub-library has library code \fB\s-1ERR_LIB_XXX\s0\fR and has its own set
-of reason codes \fB\s-1XXX_R_...\s0\fR. These are both passed in combination to
+Each OpenSSL sub-library has library code \fBERR_LIB_XXX\fR and has its own set
+of reason codes \fBXXX_R_...\fR. These are both passed in combination to
\&\fBERR_raise()\fR and \fBERR_raise_data()\fR, and the combination ultimately produces
the correct error text for the reported error.
.PP
All these macros and the numbers they have as values are specific to
OpenSSL's libraries. OpenSSL reason codes normally consist of textual error
descriptions. For example, the function \fBssl3_read_bytes()\fR reports a
-\&\*(L"handshake failure\*(R" as follows:
+"handshake failure" as follows:
.PP
.Vb 1
\& ERR_raise(ERR_LIB_SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
.Ve
.PP
There are two exceptions:
-.IP "\fB\s-1ERR_LIB_SYS\s0\fR" 4
+.IP \fBERR_LIB_SYS\fR 4
.IX Item "ERR_LIB_SYS"
-This \*(L"library code\*(R" indicates that a system error is being reported. In
+This "library code" indicates that a system error is being reported. In
this case, the reason code given to \fBERR_raise()\fR and \fBERR_raise_data()\fR \fImust\fR
be \fBerrno\fR\|(3).
.Sp
.Vb 1
\& ERR_raise(ERR_LIB_SYS, errno);
.Ve
-.IP "\fB\s-1ERR_R_XXX\s0\fR" 4
+.IP \fBERR_R_XXX\fR 4
.IX Item "ERR_R_XXX"
This set of error codes is considered global, and may be used in combination
with any sub-library code.
@@ -245,23 +169,23 @@ with any sub-library code.
Other pieces of software that may want to use OpenSSL's error reporting
system, such as engines or applications, must normally get their own
numbers.
-.IP "\(bu" 4
-To get a \*(L"library\*(R" code, call \fBERR_get_next_error_library\fR\|(3); this gives
+.IP \(bu 4
+To get a "library" code, call \fBERR_get_next_error_library\fR\|(3); this gives
the calling code a dynamic number, usable for the duration of the process.
-.IP "\(bu" 4
-Reason codes for each such \*(L"library\*(R" are determined or generated by the
+.IP \(bu 4
+Reason codes for each such "library" are determined or generated by the
authors of that code. They must be numbers in the range 1 to 524287 (in
other words, they must be nonzero unsigned 18 bit integers).
.PP
-The exceptions mentioned in \*(L"OpenSSL library reports\*(R" above are valid for
-other pieces of software, i.e. they may use \fB\s-1ERR_LIB_SYS\s0\fR to report system
+The exceptions mentioned in "OpenSSL library reports" above are valid for
+other pieces of software, i.e. they may use \fBERR_LIB_SYS\fR to report system
errors:
.PP
.Vb 1
\& ERR_raise(ERR_LIB_SYS, errno);
.Ve
.PP
-\&... and they may use \fB\s-1ERR_R_XXX\s0\fR macros together with their own \*(L"library\*(R"
+\&... and they may use \fBERR_R_XXX\fR macros together with their own "library"
code.
.PP
.Vb 1
@@ -277,21 +201,21 @@ code.
\&\fBERR_add_error_data()\fR, \fBERR_add_error_vdata()\fR
\&\fBERR_add_error_txt()\fR, and \fBERR_add_error_mem_bio()\fR
return no values.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBERR_raise()\fR, \fBERR_raise()\fR and \fBERR_put_error()\fR are implemented as macros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_load_strings\fR\|(3), \fBERR_get_next_error_library\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
ERR_raise, ERR_raise_data, \fBERR_add_error_txt()\fR and \fBERR_add_error_mem_bio()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_remove_state.3 b/secure/lib/libcrypto/man/man3/ERR_remove_state.3
index 73097bd0664f..4c14b7b84791 100644
--- a/secure/lib/libcrypto/man/man3/ERR_remove_state.3
+++ b/secure/lib/libcrypto/man/man3/ERR_remove_state.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_REMOVE_STATE 3ossl"
-.TH ERR_REMOVE_STATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_REMOVE_STATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ERR_remove_thread_state, ERR_remove_state \- DEPRECATED
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
The following function has been deprecated since OpenSSL 1.0.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -149,13 +73,13 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void ERR_remove_thread_state(void *tid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_remove_state()\fR frees the error queue associated with the specified
thread, identified by \fBtid\fR.
@@ -167,16 +91,16 @@ an opaque pointer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
L\fBOPENSSL_init_crypto\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBERR_remove_state()\fR was deprecated in OpenSSL 1.0.0 and
\&\fBERR_remove_thread_state()\fR was deprecated in OpenSSL 1.1.0; these functions
and should not be used.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_set_mark.3 b/secure/lib/libcrypto/man/man3/ERR_set_mark.3
index 17673b13a583..d3a094db7ebf 100644
--- a/secure/lib/libcrypto/man/man3/ERR_set_mark.3
+++ b/secure/lib/libcrypto/man/man3/ERR_set_mark.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_SET_MARK 3ossl"
-.TH ERR_SET_MARK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH ERR_SET_MARK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-ERR_set_mark, ERR_clear_last_mark, ERR_pop_to_mark
-\&\- set mark, clear mark and pop errors until mark
-.SH "SYNOPSIS"
+.SH NAME
+ERR_set_mark, ERR_clear_last_mark, ERR_pop_to_mark, ERR_count_to_mark, ERR_pop \-
+set mark, clear mark, pop errors until mark and pop last error
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
@@ -147,8 +71,10 @@ ERR_set_mark, ERR_clear_last_mark, ERR_pop_to_mark
\& int ERR_set_mark(void);
\& int ERR_pop_to_mark(void);
\& int ERR_clear_last_mark(void);
+\& int ERR_count_to_mark(void);
+\& int ERR_pop(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBERR_set_mark()\fR sets a mark on the current topmost error record if there
is one.
@@ -157,17 +83,33 @@ is one.
The mark is then removed. If there is no mark, the whole stack is removed.
.PP
\&\fBERR_clear_last_mark()\fR removes the last mark added if there is one.
+.PP
+\&\fBERR_count_to_mark()\fR returns the number of entries on the error stack above the
+most recently marked entry, not including that entry. If there is no mark in the
+error stack, the number of entries in the error stack is returned.
+.PP
+\&\fBERR_pop()\fR unconditionally pops a single error entry from the top of the error
+stack (which is the entry obtainable via \fBERR_peek_last_error\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_set_mark()\fR returns 0 if the error stack is empty, otherwise 1.
.PP
\&\fBERR_clear_last_mark()\fR and \fBERR_pop_to_mark()\fR return 0 if there was no mark in the
error stack, which implies that the stack became empty, otherwise 1.
-.SH "COPYRIGHT"
+.PP
+\&\fBERR_count_to_mark()\fR returns the number of error stack entries found above the
+most recent mark, if any, or the total number of error stack entries.
+.PP
+\&\fBERR_pop()\fR returns 1 if an error was popped or 0 if the error stack was empty.
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBERR_count_to_mark()\fR was added in OpenSSL 3.2.
+\&\fBERR_pop()\fR was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3 b/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3
index f38b569de18d..0ff79e69991b 100644
--- a/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3
+++ b/secure/lib/libcrypto/man/man3/EVP_ASYM_CIPHER_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ASYM_CIPHER_FREE 3ossl"
-.TH EVP_ASYM_CIPHER_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_ASYM_CIPHER_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_ASYM_CIPHER_fetch, EVP_ASYM_CIPHER_free, EVP_ASYM_CIPHER_up_ref,
EVP_ASYM_CIPHER_is_a, EVP_ASYM_CIPHER_get0_provider,
EVP_ASYM_CIPHER_do_all_provided, EVP_ASYM_CIPHER_names_do_all,
EVP_ASYM_CIPHER_get0_name, EVP_ASYM_CIPHER_get0_description,
EVP_ASYM_CIPHER_gettable_ctx_params, EVP_ASYM_CIPHER_settable_ctx_params
\&\- Functions to manage EVP_ASYM_CIPHER algorithm objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -166,24 +90,24 @@ EVP_ASYM_CIPHER_gettable_ctx_params, EVP_ASYM_CIPHER_settable_ctx_params
\& const OSSL_PARAM *EVP_ASYM_CIPHER_gettable_ctx_params(const EVP_ASYM_CIPHER *cip);
\& const OSSL_PARAM *EVP_ASYM_CIPHER_settable_ctx_params(const EVP_ASYM_CIPHER *cip);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_ASYM_CIPHER_fetch()\fR fetches the implementation for the given
\&\fBalgorithm\fR from any provider offering it, within the criteria given
by the \fBproperties\fR and in the scope of the given library context \fBctx\fR (see
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)). The algorithm will be one offering functions for performing
+\&\fBOSSL_LIB_CTX\fR\|(3)). The algorithm will be one offering functions for performing
asymmetric cipher related tasks such as asymmetric encryption and decryption.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
The returned value must eventually be freed with \fBEVP_ASYM_CIPHER_free()\fR.
.PP
-\&\fBEVP_ASYM_CIPHER_free()\fR decrements the reference count for the \fB\s-1EVP_ASYM_CIPHER\s0\fR
+\&\fBEVP_ASYM_CIPHER_free()\fR decrements the reference count for the \fBEVP_ASYM_CIPHER\fR
structure. Typically this structure will have been obtained from an earlier call
to \fBEVP_ASYM_CIPHER_fetch()\fR. If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
.PP
\&\fBEVP_ASYM_CIPHER_up_ref()\fR increments the reference count for an
-\&\fB\s-1EVP_ASYM_CIPHER\s0\fR structure.
+\&\fBEVP_ASYM_CIPHER\fR structure.
.PP
\&\fBEVP_ASYM_CIPHER_is_a()\fR returns 1 if \fIcipher\fR is an implementation of an
algorithm that's identifiable with \fIname\fR, otherwise 0.
@@ -210,13 +134,13 @@ meant for display and human consumption. The description is at the
discretion of the \fIcipher\fR implementation.
.PP
\&\fBEVP_ASYM_CIPHER_gettable_ctx_params()\fR and \fBEVP_ASYM_CIPHER_settable_ctx_params()\fR
-return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the names and types of key
+return a constant \fBOSSL_PARAM\fR\|(3) array that describes the names and types of key
parameters that can be retrieved or set by a key encryption algorithm using
\&\fBEVP_PKEY_CTX_get_params\fR\|(3) and \fBEVP_PKEY_CTX_set_params\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_ASYM_CIPHER_fetch()\fR returns a pointer to an \fB\s-1EVP_ASYM_CIPHER\s0\fR for success
-or \fB\s-1NULL\s0\fR for failure.
+\&\fBEVP_ASYM_CIPHER_fetch()\fR returns a pointer to an \fBEVP_ASYM_CIPHER\fR for success
+or \fBNULL\fR for failure.
.PP
\&\fBEVP_ASYM_CIPHER_up_ref()\fR returns 1 for success or 0 otherwise.
.PP
@@ -224,18 +148,18 @@ or \fB\s-1NULL\s0\fR for failure.
names. A return value of 0 means that the callback was not called for any names.
.PP
\&\fBEVP_ASYM_CIPHER_gettable_ctx_params()\fR and \fBEVP_ASYM_CIPHER_settable_ctx_params()\fR
-return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array or \s-1NULL\s0 on error.
+return a constant \fBOSSL_PARAM\fR\|(3) array or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7), \s-1\fBOSSL_PROVIDER\s0\fR\|(3)
-.SH "HISTORY"
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7), \fBOSSL_PROVIDER\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3
index f87a1c229321..45a7a3744159 100644
--- a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3
+++ b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_BYTESTOKEY 3ossl"
-.TH EVP_BYTESTOKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_BYTESTOKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_BytesToKey \- password based encryption routine
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,16 +72,16 @@ EVP_BytesToKey \- password based encryption routine
\& const unsigned char *data, int datal, int count,
\& unsigned char *key, unsigned char *iv);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBEVP_BytesToKey()\fR derives a key and \s-1IV\s0 from various parameters. \fBtype\fR is
-the cipher to derive the key and \s-1IV\s0 for. \fBmd\fR is the message digest to use.
+\&\fBEVP_BytesToKey()\fR derives a key and IV from various parameters. \fBtype\fR is
+the cipher to derive the key and IV for. \fBmd\fR is the message digest to use.
The \fBsalt\fR parameter is used as a salt in the derivation: it should point to
-an 8 byte buffer or \s-1NULL\s0 if no salt is used. \fBdata\fR is a buffer containing
+an 8 byte buffer or NULL if no salt is used. \fBdata\fR is a buffer containing
\&\fBdatal\fR bytes which is used to derive the keying data. \fBcount\fR is the
-iteration count to use. The derived key and \s-1IV\s0 will be written to \fBkey\fR
+iteration count to use. The derived key and IV will be written to \fBkey\fR
and \fBiv\fR respectively.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
A typical application of this function is to derive keying material for an
encryption algorithm from a password in the \fBdata\fR parameter.
@@ -166,43 +90,43 @@ Increasing the \fBcount\fR parameter slows down the algorithm which makes it
harder for an attacker to perform a brute force attack using a large number
of candidate passwords.
.PP
-If the total key and \s-1IV\s0 length is less than the digest length and
-\&\fB\s-1MD5\s0\fR is used then the derivation algorithm is compatible with PKCS#5 v1.5
+If the total key and IV length is less than the digest length and
+\&\fBMD5\fR is used then the derivation algorithm is compatible with PKCS#5 v1.5
otherwise a non standard extension is used to derive the extra data.
.PP
-Newer applications should use a more modern algorithm such as \s-1PBKDF2\s0 as
-defined in PKCS#5v2.1 and provided by \s-1PKCS5_PBKDF2_HMAC.\s0
+Newer applications should use a more modern algorithm such as PBKDF2 as
+defined in PKCS#5v2.1 and provided by PKCS5_PBKDF2_HMAC.
.SH "KEY DERIVATION ALGORITHM"
.IX Header "KEY DERIVATION ALGORITHM"
-The key and \s-1IV\s0 is derived by concatenating D_1, D_2, etc until
-enough data is available for the key and \s-1IV.\s0 D_i is defined as:
+The key and IV is derived by concatenating D_1, D_2, etc until
+enough data is available for the key and IV. D_i is defined as:
.PP
.Vb 1
\& D_i = HASH^count(D_(i\-1) || data || salt)
.Ve
.PP
-where || denotes concatenation, D_0 is empty, \s-1HASH\s0 is the digest
-algorithm in use, HASH^1(data) is simply \s-1HASH\s0(data), HASH^2(data)
-is \s-1HASH\s0(\s-1HASH\s0(data)) and so on.
+where || denotes concatenation, D_0 is empty, HASH is the digest
+algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
+is HASH(HASH(data)) and so on.
.PP
The initial bytes are used for the key and the subsequent bytes for
-the \s-1IV.\s0
+the IV.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If \fBdata\fR is \s-1NULL,\s0 then \fBEVP_BytesToKey()\fR returns the number of bytes
+If \fBdata\fR is NULL, then \fBEVP_BytesToKey()\fR returns the number of bytes
needed to store the derived key.
Otherwise, \fBEVP_BytesToKey()\fR returns the size of the derived key in bytes,
or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
-\&\s-1\fBPKCS5_PBKDF2_HMAC\s0\fR\|(3),
+\&\fBPKCS5_PBKDF2_HMAC\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
index 98f0c8350390..ff9813b09e51 100644
--- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
+++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl"
-.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER_CTX_get_cipher_data, EVP_CIPHER_CTX_set_cipher_data \- Routines to
inspect and modify EVP_CIPHER_CTX objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -147,10 +71,10 @@ inspect and modify EVP_CIPHER_CTX objects
\& void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx);
\& void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_CIPHER_CTX_get_cipher_data()\fR function returns a pointer to the cipher
-data relevant to \s-1EVP_CIPHER_CTX.\s0 The contents of this data is specific to the
+data relevant to EVP_CIPHER_CTX. The contents of this data is specific to the
particular implementation of the cipher. For example this data can be used by
engines to store engine specific information. The data is automatically
allocated and freed by OpenSSL, so applications and engines should not normally
@@ -163,19 +87,19 @@ should be freed through a call to \fBOPENSSL_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBEVP_CIPHER_CTX_get_cipher_data()\fR function returns a pointer to the current
-cipher data for the \s-1EVP_CIPHER_CTX.\s0
+cipher data for the EVP_CIPHER_CTX.
.PP
The \fBEVP_CIPHER_CTX_set_cipher_data()\fR function returns a pointer to the old
-cipher data for the \s-1EVP_CIPHER_CTX.\s0
-.SH "HISTORY"
+cipher data for the EVP_CIPHER_CTX.
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_CIPHER_CTX_get_cipher_data()\fR and \fBEVP_CIPHER_CTX_set_cipher_data()\fR
functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3
index c8b99be558a9..a10248255891 100644
--- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3
+++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_original_iv.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl"
-.TH EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER_CTX_GET_ORIGINAL_IV 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER_CTX_get_original_iv, EVP_CIPHER_CTX_get_updated_iv,
EVP_CIPHER_CTX_iv, EVP_CIPHER_CTX_original_iv,
EVP_CIPHER_CTX_iv_noconst \- Routines to inspect EVP_CIPHER_CTX IV data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -150,7 +74,7 @@ EVP_CIPHER_CTX_iv_noconst \- Routines to inspect EVP_CIPHER_CTX IV data
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -158,26 +82,26 @@ see \fBopenssl_user_macros\fR\|(7):
\& const unsigned char *EVP_CIPHER_CTX_original_iv(const EVP_CIPHER_CTX *ctx);
\& unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_CIPHER_CTX_get_original_iv()\fR and \fBEVP_CIPHER_CTX_get_updated_iv()\fR copy
-initialization vector (\s-1IV\s0) information from the \fB\s-1EVP_CIPHER_CTX\s0\fR into the
+initialization vector (IV) information from the \fBEVP_CIPHER_CTX\fR into the
caller-supplied buffer. \fBEVP_CIPHER_CTX_get_iv_length\fR\|(3) can be used to
determine an appropriate buffer size, and if the supplied buffer is too small,
an error will be returned (and no data copied).
-\&\fBEVP_CIPHER_CTX_get_original_iv()\fR accesses the (\*(L"original\*(R") \s-1IV\s0 that was
-supplied when the \fB\s-1EVP_CIPHER_CTX\s0\fR was initialized, and
-\&\fBEVP_CIPHER_CTX_get_updated_iv()\fR accesses the current \*(L"\s-1IV\s0 state\*(R"
+\&\fBEVP_CIPHER_CTX_get_original_iv()\fR accesses the ("original") IV that was
+supplied when the \fBEVP_CIPHER_CTX\fR was initialized, and
+\&\fBEVP_CIPHER_CTX_get_updated_iv()\fR accesses the current "IV state"
of the cipher, which is updated during cipher operation for certain cipher modes
-(e.g., \s-1CBC\s0 and \s-1OFB\s0).
+(e.g., CBC and OFB).
.PP
The functions \fBEVP_CIPHER_CTX_iv()\fR, \fBEVP_CIPHER_CTX_original_iv()\fR, and
\&\fBEVP_CIPHER_CTX_iv_noconst()\fR are deprecated functions that provide similar (at
a conceptual level) functionality. \fBEVP_CIPHER_CTX_iv()\fR returns a pointer to
-the beginning of the \*(L"\s-1IV\s0 state\*(R" as maintained internally in the
-\&\fB\s-1EVP_CIPHER_CTX\s0\fR; \fBEVP_CIPHER_CTX_original_iv()\fR returns a pointer to the
-beginning of the (\*(L"original\*(R") \s-1IV,\s0 as maintained by the \fB\s-1EVP_CIPHER_CTX\s0\fR, that
-was provided when the \fB\s-1EVP_CIPHER_CTX\s0\fR was initialized; and
+the beginning of the "IV state" as maintained internally in the
+\&\fBEVP_CIPHER_CTX\fR; \fBEVP_CIPHER_CTX_original_iv()\fR returns a pointer to the
+beginning of the ("original") IV, as maintained by the \fBEVP_CIPHER_CTX\fR, that
+was provided when the \fBEVP_CIPHER_CTX\fR was initialized; and
\&\fBEVP_CIPHER_CTX_get_iv_noconst()\fR is the same as \fBEVP_CIPHER_CTX_iv()\fR but has a
different return type for the pointer.
.SH "RETURN VALUES"
@@ -186,9 +110,9 @@ different return type for the pointer.
on success and 0 on failure.
.PP
The functions \fBEVP_CIPHER_CTX_iv()\fR, \fBEVP_CIPHER_CTX_original_iv()\fR, and
-\&\fBEVP_CIPHER_CTX_iv_noconst()\fR return a pointer to an \s-1IV\s0 as an array of bytes on
-success, and \s-1NULL\s0 on failure.
-.SH "HISTORY"
+\&\fBEVP_CIPHER_CTX_iv_noconst()\fR return a pointer to an IV as an array of bytes on
+success, and NULL on failure.
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_CIPHER_CTX_get_original_iv()\fR and \fBEVP_CIPHER_CTX_get_updated_iv()\fR were added
in OpenSSL 3.0.0.
@@ -196,11 +120,11 @@ in OpenSSL 3.0.0.
\&\fBEVP_CIPHER_CTX_iv()\fR, \fBEVP_CIPHER_CTX_original_iv()\fR, and
\&\fBEVP_CIPHER_CTX_iv_noconst()\fR were added in OpenSSL 1.1.0, and were deprecated
in OpenSSL 3.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3
index 46ac0613263e..6273f29a182a 100644
--- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER_METH_NEW 3ossl"
-.TH EVP_CIPHER_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER_meth_new, EVP_CIPHER_meth_dup, EVP_CIPHER_meth_free,
EVP_CIPHER_meth_set_iv_length, EVP_CIPHER_meth_set_flags,
EVP_CIPHER_meth_set_impl_ctx_size, EVP_CIPHER_meth_set_init,
@@ -147,14 +71,14 @@ EVP_CIPHER_meth_get_do_cipher, EVP_CIPHER_meth_get_cleanup,
EVP_CIPHER_meth_get_set_asn1_params, EVP_CIPHER_meth_get_get_asn1_params,
EVP_CIPHER_meth_get_ctrl
\&\- Routines to build up EVP_CIPHER methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -204,21 +128,22 @@ see \fBopenssl_user_macros\fR\|(7):
\& int type, int arg,
\& void *ptr);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
+Applications should instead use the OSSL_PROVIDER APIs.
.PP
-The \fB\s-1EVP_CIPHER\s0\fR type is a structure for symmetric cipher method
+The \fBEVP_CIPHER\fR type is a structure for symmetric cipher method
implementation.
.PP
-\&\fBEVP_CIPHER_meth_new()\fR creates a new \fB\s-1EVP_CIPHER\s0\fR structure.
+\&\fBEVP_CIPHER_meth_new()\fR creates a new \fBEVP_CIPHER\fR structure.
.PP
\&\fBEVP_CIPHER_meth_dup()\fR creates a copy of \fBcipher\fR.
.PP
-\&\fBEVP_CIPHER_meth_free()\fR destroys a \fB\s-1EVP_CIPHER\s0\fR structure.
+\&\fBEVP_CIPHER_meth_free()\fR destroys a \fBEVP_CIPHER\fR structure.
+If the argument is NULL, nothing is done.
.PP
-\&\fBEVP_CIPHER_meth_set_iv_length()\fR sets the length of the \s-1IV.\s0
+\&\fBEVP_CIPHER_meth_set_iv_length()\fR sets the length of the IV.
This is only needed when the implemented cipher mode requires it.
.PP
\&\fBEVP_CIPHER_meth_set_flags()\fR sets the flags to describe optional
@@ -226,79 +151,79 @@ behaviours in the particular \fBcipher\fR.
With the exception of cipher modes, of which only one may be present,
several flags can be or'd together.
The available flags are:
-.IP "\s-1EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE\s0" 4
+.IP "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE" 4
.IX Item "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE, EVP_CIPH_SIV_MODE"
The cipher mode.
-.IP "\s-1EVP_CIPH_VARIABLE_LENGTH\s0" 4
+.IP EVP_CIPH_VARIABLE_LENGTH 4
.IX Item "EVP_CIPH_VARIABLE_LENGTH"
This cipher is of variable length.
-.IP "\s-1EVP_CIPH_CUSTOM_IV\s0" 4
+.IP EVP_CIPH_CUSTOM_IV 4
.IX Item "EVP_CIPH_CUSTOM_IV"
-Storing and initialising the \s-1IV\s0 is left entirely to the
+Storing and initialising the IV is left entirely to the
implementation.
-.IP "\s-1EVP_CIPH_ALWAYS_CALL_INIT\s0" 4
+.IP EVP_CIPH_ALWAYS_CALL_INIT 4
.IX Item "EVP_CIPH_ALWAYS_CALL_INIT"
Set this if the implementation's \fBinit()\fR function should be called even
-if \fBkey\fR is \fB\s-1NULL\s0\fR.
-.IP "\s-1EVP_CIPH_CTRL_INIT\s0" 4
+if \fBkey\fR is \fBNULL\fR.
+.IP EVP_CIPH_CTRL_INIT 4
.IX Item "EVP_CIPH_CTRL_INIT"
Set this to have the implementation's \fBctrl()\fR function called with
-command code \fB\s-1EVP_CTRL_INIT\s0\fR early in its setup.
-.IP "\s-1EVP_CIPH_CUSTOM_KEY_LENGTH\s0" 4
+command code \fBEVP_CTRL_INIT\fR early in its setup.
+.IP EVP_CIPH_CUSTOM_KEY_LENGTH 4
.IX Item "EVP_CIPH_CUSTOM_KEY_LENGTH"
-Checking and setting the key length after creating the \fB\s-1EVP_CIPHER\s0\fR
+Checking and setting the key length after creating the \fBEVP_CIPHER\fR
is left to the implementation.
Whenever someone uses \fBEVP_CIPHER_CTX_set_key_length()\fR on a
-\&\fB\s-1EVP_CIPHER\s0\fR with this flag set, the implementation's \fBctrl()\fR function
-will be called with the control code \fB\s-1EVP_CTRL_SET_KEY_LENGTH\s0\fR and
+\&\fBEVP_CIPHER\fR with this flag set, the implementation's \fBctrl()\fR function
+will be called with the control code \fBEVP_CTRL_SET_KEY_LENGTH\fR and
the key length in \fBarg\fR.
-.IP "\s-1EVP_CIPH_NO_PADDING\s0" 4
+.IP EVP_CIPH_NO_PADDING 4
.IX Item "EVP_CIPH_NO_PADDING"
Don't use standard block padding.
-.IP "\s-1EVP_CIPH_RAND_KEY\s0" 4
+.IP EVP_CIPH_RAND_KEY 4
.IX Item "EVP_CIPH_RAND_KEY"
Making a key with random content is left to the implementation.
This is done by calling the implementation's \fBctrl()\fR function with the
-control code \fB\s-1EVP_CTRL_RAND_KEY\s0\fR and the pointer to the key memory
+control code \fBEVP_CTRL_RAND_KEY\fR and the pointer to the key memory
storage in \fBptr\fR.
-.IP "\s-1EVP_CIPH_CUSTOM_COPY\s0" 4
+.IP EVP_CIPH_CUSTOM_COPY 4
.IX Item "EVP_CIPH_CUSTOM_COPY"
Set this to have the implementation's \fBctrl()\fR function called with
-command code \fB\s-1EVP_CTRL_COPY\s0\fR at the end of \fBEVP_CIPHER_CTX_copy()\fR.
+command code \fBEVP_CTRL_COPY\fR at the end of \fBEVP_CIPHER_CTX_copy()\fR.
The intended use is for further things to deal with after the
implementation specific data block has been copied.
-The destination \fB\s-1EVP_CIPHER_CTX\s0\fR is passed to the control with the
+The destination \fBEVP_CIPHER_CTX\fR is passed to the control with the
\&\fBptr\fR parameter.
The implementation specific data block is reached with
\&\fBEVP_CIPHER_CTX_get_cipher_data()\fR.
-.IP "\s-1EVP_CIPH_FLAG_DEFAULT_ASN1\s0" 4
+.IP EVP_CIPH_FLAG_DEFAULT_ASN1 4
.IX Item "EVP_CIPH_FLAG_DEFAULT_ASN1"
-Use the default \s-1EVP\s0 routines to pass \s-1IV\s0 to and from \s-1ASN.1.\s0
-.IP "\s-1EVP_CIPH_FLAG_LENGTH_BITS\s0" 4
+Use the default EVP routines to pass IV to and from ASN.1.
+.IP EVP_CIPH_FLAG_LENGTH_BITS 4
.IX Item "EVP_CIPH_FLAG_LENGTH_BITS"
Signals that the length of the input buffer for encryption /
decryption is to be understood as the number of bits instead of
bytes for this implementation.
-This is only useful for \s-1CFB1\s0 ciphers.
-.IP "\s-1EVP_CIPH_FLAG_CTS\s0" 4
+This is only useful for CFB1 ciphers.
+.IP EVP_CIPH_FLAG_CTS 4
.IX Item "EVP_CIPH_FLAG_CTS"
Indicates that the cipher uses ciphertext stealing. This is currently
used to indicate that the cipher is a one shot that only allows a single call to
\&\fBEVP_CipherUpdate()\fR.
-.IP "\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0" 4
+.IP EVP_CIPH_FLAG_CUSTOM_CIPHER 4
.IX Item "EVP_CIPH_FLAG_CUSTOM_CIPHER"
This indicates that the implementation takes care of everything,
including padding, buffering and finalization.
-The \s-1EVP\s0 routines will simply give them control and do nothing more.
-.IP "\s-1EVP_CIPH_FLAG_AEAD_CIPHER\s0" 4
+The EVP routines will simply give them control and do nothing more.
+.IP EVP_CIPH_FLAG_AEAD_CIPHER 4
.IX Item "EVP_CIPH_FLAG_AEAD_CIPHER"
-This indicates that this is an \s-1AEAD\s0 cipher implementation.
-.IP "\s-1EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\s0" 4
+This indicates that this is an AEAD cipher implementation.
+.IP EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 4
.IX Item "EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK"
Allow interleaving of crypto blocks, a particular optimization only applicable
-to certain \s-1TLS\s0 ciphers.
+to certain TLS ciphers.
.PP
-\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the \s-1EVP_CIPHER\s0's
+\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the EVP_CIPHER's
implementation context so that it can be automatically allocated.
.PP
\&\fBEVP_CIPHER_meth_set_init()\fR sets the cipher init function for
@@ -317,20 +242,20 @@ The cipher function is called by \fBEVP_CipherUpdate()\fR,
\&\fBEVP_CIPHER_meth_set_cleanup()\fR sets the function for \fBcipher\fR to do
extra cleanup before the method's private data structure is cleaned
out and freed.
-Note that the cleanup function is passed a \fB\s-1EVP_CIPHER_CTX\s0 *\fR, the
+Note that the cleanup function is passed a \fBEVP_CIPHER_CTX *\fR, the
private data structure is then available with
\&\fBEVP_CIPHER_CTX_get_cipher_data()\fR.
This cleanup function is called by \fBEVP_CIPHER_CTX_reset()\fR and
\&\fBEVP_CIPHER_CTX_free()\fR.
.PP
\&\fBEVP_CIPHER_meth_set_set_asn1_params()\fR sets the function for \fBcipher\fR
-to set the AlgorithmIdentifier \*(L"parameter\*(R" based on the passed cipher.
+to set the AlgorithmIdentifier "parameter" based on the passed cipher.
This function is called by \fBEVP_CIPHER_param_to_asn1()\fR.
\&\fBEVP_CIPHER_meth_set_get_asn1_params()\fR sets the function for \fBcipher\fR
-that sets the cipher parameters based on an \s-1ASN.1\s0 AlgorithmIdentifier
-\&\*(L"parameter\*(R".
+that sets the cipher parameters based on an ASN.1 AlgorithmIdentifier
+"parameter".
Both these functions are needed when there is a need for custom data
-(more or other than the cipher \s-1IV\s0).
+(more or other than the cipher IV).
They are called by \fBEVP_CIPHER_param_to_asn1()\fR and
\&\fBEVP_CIPHER_asn1_to_param()\fR respectively if defined.
.PP
@@ -344,25 +269,25 @@ EVP_CIPHER_meth_set_*() functions above.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_CIPHER_meth_new()\fR and \fBEVP_CIPHER_meth_dup()\fR return a pointer to a
-newly created \fB\s-1EVP_CIPHER\s0\fR, or \s-1NULL\s0 on failure.
+newly created \fBEVP_CIPHER\fR, or NULL on failure.
All EVP_CIPHER_meth_set_*() functions return 1.
All EVP_CIPHER_meth_get_*() functions return pointers to their
respective \fBcipher\fR function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
The functions described here were added in OpenSSL 1.1.0.
-The \fB\s-1EVP_CIPHER\s0\fR structure created with these functions became reference
+The \fBEVP_CIPHER\fR structure created with these functions became reference
counted in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3
index 625abc8d58ed..f503de4abcea 100644
--- a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,100 +52,42 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DIGESTINIT 3ossl"
-.TH EVP_DIGESTINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_DIGESTINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD_fetch, EVP_MD_up_ref, EVP_MD_free,
EVP_MD_get_params, EVP_MD_gettable_params,
-EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy,
-EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl,
+EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_dup,
+EVP_MD_CTX_copy, EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl,
EVP_MD_CTX_set_params, EVP_MD_CTX_get_params,
EVP_MD_settable_ctx_params, EVP_MD_gettable_ctx_params,
EVP_MD_CTX_settable_params, EVP_MD_CTX_gettable_params,
EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags,
EVP_Q_digest, EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit,
EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal,
+EVP_DigestSqueeze,
EVP_MD_is_a, EVP_MD_get0_name, EVP_MD_get0_description,
EVP_MD_names_do_all, EVP_MD_get0_provider, EVP_MD_get_type,
EVP_MD_get_pkey_type, EVP_MD_get_size, EVP_MD_get_block_size, EVP_MD_get_flags,
EVP_MD_CTX_get0_name, EVP_MD_CTX_md, EVP_MD_CTX_get0_md, EVP_MD_CTX_get1_md,
-EVP_MD_CTX_get_type, EVP_MD_CTX_get_size, EVP_MD_CTX_get_block_size,
+EVP_MD_CTX_get_type, EVP_MD_CTX_get_size_ex, EVP_MD_CTX_get_block_size,
EVP_MD_CTX_get0_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn,
EVP_md_null,
EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj,
EVP_MD_CTX_get_pkey_ctx, EVP_MD_CTX_set_pkey_ctx,
EVP_MD_do_all_provided,
EVP_MD_type, EVP_MD_nid, EVP_MD_name, EVP_MD_pkey_type, EVP_MD_size,
-EVP_MD_block_size, EVP_MD_flags, EVP_MD_CTX_size, EVP_MD_CTX_block_size,
+EVP_MD_block_size, EVP_MD_flags, EVP_MD_xof,
+EVP_MD_CTX_size, EVP_MD_CTX_get_size, EVP_MD_CTX_block_size,
EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
\&\- EVP digest routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -196,8 +122,10 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
\& int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
\& int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
\& int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
-\& int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
+\& int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *out, size_t outlen);
+\& int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *out, size_t outlen);
\&
+\& EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in);
\& int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in);
\&
\& int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
@@ -217,11 +145,12 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
\& int EVP_MD_get_size(const EVP_MD *md);
\& int EVP_MD_get_block_size(const EVP_MD *md);
\& unsigned long EVP_MD_get_flags(const EVP_MD *md);
+\& int EVP_MD_xof(const EVP_MD *md);
\&
\& const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx);
\& EVP_MD *EVP_MD_CTX_get1_md(EVP_MD_CTX *ctx);
\& const char *EVP_MD_CTX_get0_name(const EVP_MD_CTX *ctx);
-\& int EVP_MD_CTX_get_size(const EVP_MD_CTX *ctx);
+\& int EVP_MD_CTX_get_size_ex(const EVP_MD_CTX *ctx);
\& int EVP_MD_CTX_get_block_size(const EVP_MD_CTX *ctx);
\& int EVP_MD_CTX_get_type(const EVP_MD_CTX *ctx);
\& void *EVP_MD_CTX_get0_md_data(const EVP_MD_CTX *ctx);
@@ -246,7 +175,8 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
\& #define EVP_MD_size EVP_MD_get_size
\& #define EVP_MD_block_size EVP_MD_get_block_size
\& #define EVP_MD_flags EVP_MD_get_flags
-\& #define EVP_MD_CTX_size EVP_MD_CTX_get_size
+\& #define EVP_MD_CTX_get_size EVP_MD_CTX_get_size_ex
+\& #define EVP_MD_CTX_size EVP_MD_CTX_get_size_ex
\& #define EVP_MD_CTX_block_size EVP_MD_CTX_get_block_size
\& #define EVP_MD_CTX_type EVP_MD_CTX_get_type
\& #define EVP_MD_CTX_pkey_ctx EVP_MD_CTX_get_pkey_ctx
@@ -254,7 +184,7 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_md_data
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -267,41 +197,52 @@ see \fBopenssl_user_macros\fR\|(7):
\& int (*update)(EVP_MD_CTX *ctx,
\& const void *data, size_t count));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 digest routines are a high-level interface to message digests,
-and should be used instead of the digest-specific functions.
+The EVP digest routines are a high-level interface to message digests, and
+Extendable Output Functions (XOF).
+.PP
+The \fBEVP_MD\fR type is a structure for digest method implementation.
.PP
-The \fB\s-1EVP_MD\s0\fR type is a structure for digest method implementation.
-.IP "\fBEVP_MD_fetch()\fR" 4
+Each Message digest algorithm (such as SHA256) produces a fixed size output
+length which is returned when \fBEVP_DigestFinal_ex()\fR is called.
+Extendable Output Functions (XOF) such as SHAKE256 have a variable sized output
+length \fIoutlen\fR which can be used with either \fBEVP_DigestFinalXOF()\fR or
+\&\fBEVP_DigestSqueeze()\fR. \fBEVP_DigestFinal_ex()\fR may also be used for an XOF, but the
+"xoflen" must be set beforehand (See "PARAMETERS").
+Note that \fBEVP_MD_get_size()\fR and \fBEVP_MD_CTX_get_size_ex()\fR behave differently for
+an XOF.
+.IP \fBEVP_MD_fetch()\fR 4
.IX Item "EVP_MD_fetch()"
Fetches the digest implementation for the given \fIalgorithm\fR from any
provider offering it, within the criteria given by the \fIproperties\fR.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.Sp
The returned value must eventually be freed with \fBEVP_MD_free()\fR.
.Sp
-Fetched \fB\s-1EVP_MD\s0\fR structures are reference counted.
-.IP "\fBEVP_MD_up_ref()\fR" 4
+Fetched \fBEVP_MD\fR structures are reference counted.
+.IP \fBEVP_MD_up_ref()\fR 4
.IX Item "EVP_MD_up_ref()"
-Increments the reference count for an \fB\s-1EVP_MD\s0\fR structure.
-.IP "\fBEVP_MD_free()\fR" 4
+Increments the reference count for an \fBEVP_MD\fR structure.
+.IP \fBEVP_MD_free()\fR 4
.IX Item "EVP_MD_free()"
-Decrements the reference count for the fetched \fB\s-1EVP_MD\s0\fR structure.
+Decrements the reference count for the fetched \fBEVP_MD\fR structure.
If the reference count drops to 0 then the structure is freed.
-.IP "\fBEVP_MD_CTX_new()\fR" 4
+If the argument is NULL, nothing is done.
+.IP \fBEVP_MD_CTX_new()\fR 4
.IX Item "EVP_MD_CTX_new()"
Allocates and returns a digest context.
-.IP "\fBEVP_MD_CTX_reset()\fR" 4
+.IP \fBEVP_MD_CTX_reset()\fR 4
.IX Item "EVP_MD_CTX_reset()"
Resets the digest context \fIctx\fR. This can be used to reuse an already
existing context.
-.IP "\fBEVP_MD_CTX_free()\fR" 4
+.IP \fBEVP_MD_CTX_free()\fR 4
.IX Item "EVP_MD_CTX_free()"
Cleans up digest context \fIctx\fR and frees up the space allocated to it.
-.IP "\fBEVP_MD_CTX_ctrl()\fR" 4
+If the argument is NULL, nothing is done.
+.IP \fBEVP_MD_CTX_ctrl()\fR 4
.IX Item "EVP_MD_CTX_ctrl()"
-\&\fIThis is a legacy method. \f(BIEVP_MD_CTX_set_params()\fI and \f(BIEVP_MD_CTX_get_params()\fI
+\&\fIThis is a legacy method. \fR\f(BIEVP_MD_CTX_set_params()\fR\fI and \fR\f(BIEVP_MD_CTX_get_params()\fR\fI
is the mechanism that should be used to set and get parameters that are used by
providers.\fR
.Sp
@@ -310,71 +251,71 @@ is indicated in \fIcmd\fR and any additional arguments in \fIp1\fR and \fIp2\fR.
\&\fBEVP_MD_CTX_ctrl()\fR must be called after \fBEVP_DigestInit_ex2()\fR. Other restrictions
may apply depending on the control type and digest implementation.
.Sp
-If this function happens to be used with a fetched \fB\s-1EVP_MD\s0\fR, it will
-translate the controls that are known to OpenSSL into \s-1\fBOSSL_PARAM\s0\fR\|(3)
+If this function happens to be used with a fetched \fBEVP_MD\fR, it will
+translate the controls that are known to OpenSSL into \fBOSSL_PARAM\fR\|(3)
parameters with keys defined by OpenSSL and call \fBEVP_MD_CTX_get_params()\fR or
\&\fBEVP_MD_CTX_set_params()\fR as is appropriate for each control command.
.Sp
-See \*(L"\s-1CONTROLS\*(R"\s0 below for more information, including what translations are
+See "CONTROLS" below for more information, including what translations are
being done.
-.IP "\fBEVP_MD_get_params()\fR" 4
+.IP \fBEVP_MD_get_params()\fR 4
.IX Item "EVP_MD_get_params()"
-Retrieves the requested list of \fIparams\fR from a \s-1MD\s0 \fImd\fR.
-See \*(L"\s-1PARAMETERS\*(R"\s0 below for more information.
-.IP "\fBEVP_MD_CTX_get_params()\fR" 4
+Retrieves the requested list of \fIparams\fR from a MD \fImd\fR.
+See "PARAMETERS" below for more information.
+.IP \fBEVP_MD_CTX_get_params()\fR 4
.IX Item "EVP_MD_CTX_get_params()"
-Retrieves the requested list of \fIparams\fR from a \s-1MD\s0 context \fIctx\fR.
-See \*(L"\s-1PARAMETERS\*(R"\s0 below for more information.
-.IP "\fBEVP_MD_CTX_set_params()\fR" 4
+Retrieves the requested list of \fIparams\fR from a MD context \fIctx\fR.
+See "PARAMETERS" below for more information.
+.IP \fBEVP_MD_CTX_set_params()\fR 4
.IX Item "EVP_MD_CTX_set_params()"
-Sets the list of \fIparams\fR into a \s-1MD\s0 context \fIctx\fR.
-See \*(L"\s-1PARAMETERS\*(R"\s0 below for more information.
-.IP "\fBEVP_MD_gettable_params()\fR" 4
+Sets the list of \fIparams\fR into a MD context \fIctx\fR.
+See "PARAMETERS" below for more information.
+.IP \fBEVP_MD_gettable_params()\fR 4
.IX Item "EVP_MD_gettable_params()"
-Get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the retrievable parameters
+Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parameters
that can be used with \fBEVP_MD_get_params()\fR.
.IP "\fBEVP_MD_gettable_ctx_params()\fR, \fBEVP_MD_CTX_gettable_params()\fR" 4
.IX Item "EVP_MD_gettable_ctx_params(), EVP_MD_CTX_gettable_params()"
-Get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the retrievable parameters
+Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parameters
that can be used with \fBEVP_MD_CTX_get_params()\fR. \fBEVP_MD_gettable_ctx_params()\fR
returns the parameters that can be retrieved from the algorithm, whereas
\&\fBEVP_MD_CTX_gettable_params()\fR returns the parameters that can be retrieved
in the context's current state.
.IP "\fBEVP_MD_settable_ctx_params()\fR, \fBEVP_MD_CTX_settable_params()\fR" 4
.IX Item "EVP_MD_settable_ctx_params(), EVP_MD_CTX_settable_params()"
-Get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the settable parameters
+Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters
that can be used with \fBEVP_MD_CTX_set_params()\fR. \fBEVP_MD_settable_ctx_params()\fR
returns the parameters that can be set from the algorithm, whereas
\&\fBEVP_MD_CTX_settable_params()\fR returns the parameters that can be set in the
context's current state.
.IP "\fBEVP_MD_CTX_set_flags()\fR, \fBEVP_MD_CTX_clear_flags()\fR, \fBEVP_MD_CTX_test_flags()\fR" 4
.IX Item "EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()"
-Sets, clears and tests \fIctx\fR flags. See \*(L"\s-1FLAGS\*(R"\s0 below for more information.
+Sets, clears and tests \fIctx\fR flags. See "FLAGS" below for more information.
.IP "\fBEVP_Q_digest()\fR is a quick one-shot digest function." 4
.IX Item "EVP_Q_digest() is a quick one-shot digest function."
It hashes \fIdatalen\fR bytes of data at \fIdata\fR using the digest algorithm
\&\fIname\fR, which is fetched using the optional \fIlibctx\fR and \fIpropq\fR parameters.
The digest value is placed in \fImd\fR and its length is written at \fImdlen\fR
-if the pointer is not \s-1NULL.\s0 At most \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written.
-.IP "\fBEVP_Digest()\fR" 4
+if the pointer is not NULL. At most \fBEVP_MAX_MD_SIZE\fR bytes will be written.
+.IP \fBEVP_Digest()\fR 4
.IX Item "EVP_Digest()"
A wrapper around the Digest Init_ex, Update and Final_ex functions.
-Hashes \fIcount\fR bytes of data at \fIdata\fR using a digest \fItype\fR from \s-1ENGINE\s0
+Hashes \fIcount\fR bytes of data at \fIdata\fR using a digest \fItype\fR from ENGINE
\&\fIimpl\fR. The digest value is placed in \fImd\fR and its length is written at \fIsize\fR
-if the pointer is not \s-1NULL.\s0 At most \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written.
-If \fIimpl\fR is \s-1NULL\s0 the default implementation of digest \fItype\fR is used.
-.IP "\fBEVP_DigestInit_ex2()\fR" 4
+if the pointer is not NULL. At most \fBEVP_MAX_MD_SIZE\fR bytes will be written.
+If \fIimpl\fR is NULL the default implementation of digest \fItype\fR is used.
+.IP \fBEVP_DigestInit_ex2()\fR 4
.IX Item "EVP_DigestInit_ex2()"
Sets up digest context \fIctx\fR to use a digest \fItype\fR.
\&\fItype\fR is typically supplied by a function such as \fBEVP_sha1()\fR, or a
-value explicitly fetched with \fBEVP_MD_fetch()\fR.
+value explicitly fetched with \fBEVP_MD_fetch()\fR. \fIctx\fR \fBMUST NOT\fR be NULL.
.Sp
The parameters \fBparams\fR are set on the context after initialisation.
.Sp
-The \fItype\fR parameter can be \s-1NULL\s0 if \fIctx\fR has been already initialized
+The \fItype\fR parameter can be NULL if \fIctx\fR has been already initialized
with another \fBEVP_DigestInit_ex()\fR call and has not been reset with
\&\fBEVP_MD_CTX_reset()\fR.
-.IP "\fBEVP_DigestInit_ex()\fR" 4
+.IP \fBEVP_DigestInit_ex()\fR 4
.IX Item "EVP_DigestInit_ex()"
Sets up digest context \fIctx\fR to use a digest \fItype\fR.
\&\fItype\fR is typically supplied by a function such as \fBEVP_sha1()\fR, or a
@@ -383,47 +324,60 @@ value explicitly fetched with \fBEVP_MD_fetch()\fR.
If \fIimpl\fR is non-NULL, its implementation of the digest \fItype\fR is used if
there is one, and if not, the default implementation is used.
.Sp
-The \fItype\fR parameter can be \s-1NULL\s0 if \fIctx\fR has been already initialized
+The \fItype\fR parameter can be NULL if \fIctx\fR has been already initialized
with another \fBEVP_DigestInit_ex()\fR call and has not been reset with
\&\fBEVP_MD_CTX_reset()\fR.
-.IP "\fBEVP_DigestUpdate()\fR" 4
+.IP \fBEVP_DigestUpdate()\fR 4
.IX Item "EVP_DigestUpdate()"
Hashes \fIcnt\fR bytes of data at \fId\fR into the digest context \fIctx\fR. This
function can be called several times on the same \fIctx\fR to hash additional
data.
-.IP "\fBEVP_DigestFinal_ex()\fR" 4
+.IP \fBEVP_DigestFinal_ex()\fR 4
.IX Item "EVP_DigestFinal_ex()"
Retrieves the digest value from \fIctx\fR and places it in \fImd\fR. If the \fIs\fR
-parameter is not \s-1NULL\s0 then the number of bytes of data written (i.e. the
+parameter is not NULL then the number of bytes of data written (i.e. the
length of the digest) will be written to the integer at \fIs\fR, at most
-\&\fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written. After calling \fBEVP_DigestFinal_ex()\fR
-no additional calls to \fBEVP_DigestUpdate()\fR can be made, but
-\&\fBEVP_DigestInit_ex2()\fR can be called to initialize a new digest operation.
-.IP "\fBEVP_DigestFinalXOF()\fR" 4
+\&\fBEVP_MAX_MD_SIZE\fR bytes will be written unless the digest implementation
+allows changing the digest size and it is set to a larger value by the
+application. After calling \fBEVP_DigestFinal_ex()\fR no additional calls to
+\&\fBEVP_DigestUpdate()\fR can be made, but \fBEVP_DigestInit_ex2()\fR can be called to
+initialize a new digest operation. \fIctx\fR \fBMUST NOT\fR be NULL.
+.IP \fBEVP_DigestFinalXOF()\fR 4
.IX Item "EVP_DigestFinalXOF()"
-Interfaces to extendable-output functions, XOFs, such as \s-1SHAKE128\s0 and \s-1SHAKE256.\s0
-It retrieves the digest value from \fIctx\fR and places it in \fIlen\fR\-sized \fImd\fR.
+Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256.
+It retrieves the digest value from \fIctx\fR and places it in \fIoutlen\fR\-sized \fIout\fR.
After calling this function no additional calls to \fBEVP_DigestUpdate()\fR can be
made, but \fBEVP_DigestInit_ex2()\fR can be called to initialize a new operation.
-.IP "\fBEVP_MD_CTX_copy_ex()\fR" 4
+\&\fBEVP_DigestFinalXOF()\fR may only be called once
+.IP \fBEVP_DigestSqueeze()\fR 4
+.IX Item "EVP_DigestSqueeze()"
+Similar to \fBEVP_DigestFinalXOF()\fR but allows multiple calls to be made to
+squeeze variable length output data.
+\&\fBEVP_DigestFinalXOF()\fR should not be called after this.
+.IP \fBEVP_MD_CTX_dup()\fR 4
+.IX Item "EVP_MD_CTX_dup()"
+Can be used to duplicate the message digest state from \fIin\fR. This is useful
+to avoid multiple \fBEVP_MD_fetch()\fR calls or if large amounts of data are to be
+hashed which only differ in the last few bytes.
+.IP \fBEVP_MD_CTX_copy_ex()\fR 4
.IX Item "EVP_MD_CTX_copy_ex()"
Can be used to copy the message digest state from \fIin\fR to \fIout\fR. This is
useful if large amounts of data are to be hashed which only differ in the last
few bytes.
-.IP "\fBEVP_DigestInit()\fR" 4
+.IP \fBEVP_DigestInit()\fR 4
.IX Item "EVP_DigestInit()"
Behaves in the same way as \fBEVP_DigestInit_ex2()\fR except it doesn't set any
parameters and calls \fBEVP_MD_CTX_reset()\fR so it cannot be used with an \fItype\fR
-of \s-1NULL.\s0
-.IP "\fBEVP_DigestFinal()\fR" 4
+of NULL.
+.IP \fBEVP_DigestFinal()\fR 4
.IX Item "EVP_DigestFinal()"
Similar to \fBEVP_DigestFinal_ex()\fR except after computing the digest
the digest context \fIctx\fR is automatically cleaned up with \fBEVP_MD_CTX_reset()\fR.
-.IP "\fBEVP_MD_CTX_copy()\fR" 4
+.IP \fBEVP_MD_CTX_copy()\fR 4
.IX Item "EVP_MD_CTX_copy()"
Similar to \fBEVP_MD_CTX_copy_ex()\fR except the destination \fIout\fR does not have to
be initialized.
-.IP "\fBEVP_MD_is_a()\fR" 4
+.IP \fBEVP_MD_is_a()\fR 4
.IX Item "EVP_MD_is_a()"
Returns 1 if \fImd\fR is an implementation of an algorithm that's
identifiable with \fIname\fR, otherwise 0.
@@ -431,85 +385,95 @@ identifiable with \fIname\fR, otherwise 0.
If \fImd\fR is a legacy digest (it's the return value from the likes of
\&\fBEVP_sha256()\fR rather than the result of an \fBEVP_MD_fetch()\fR), only cipher
names registered with the default library context (see
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) will be considered.
+\&\fBOSSL_LIB_CTX\fR\|(3)) will be considered.
+.IP \fBEVP_MD_xof()\fR 4
+.IX Item "EVP_MD_xof()"
+Returns 1 if \fImd\fR is an Extendable-output Function (XOF) otherwise it returns
+0. SHAKE128 and SHAKE256 are XOF functions.
+It returns 0 for BLAKE2B algorithms.
.IP "\fBEVP_MD_get0_name()\fR, \fBEVP_MD_CTX_get0_name()\fR" 4
.IX Item "EVP_MD_get0_name(), EVP_MD_CTX_get0_name()"
Return the name of the given message digest. For fetched message
digests with multiple names, only one of them is returned; it's
recommended to use \fBEVP_MD_names_do_all()\fR instead.
-.IP "\fBEVP_MD_names_do_all()\fR" 4
+.IP \fBEVP_MD_names_do_all()\fR 4
.IX Item "EVP_MD_names_do_all()"
Traverses all names for the \fImd\fR, and calls \fIfn\fR with each name and
-\&\fIdata\fR. This is only useful with fetched \fB\s-1EVP_MD\s0\fRs.
-.IP "\fBEVP_MD_get0_description()\fR" 4
+\&\fIdata\fR. This is only useful with fetched \fBEVP_MD\fRs.
+.IP \fBEVP_MD_get0_description()\fR 4
.IX Item "EVP_MD_get0_description()"
Returns a description of the digest, meant for display and human consumption.
The description is at the discretion of the digest implementation.
-.IP "\fBEVP_MD_get0_provider()\fR" 4
+.IP \fBEVP_MD_get0_provider()\fR 4
.IX Item "EVP_MD_get0_provider()"
-Returns an \fB\s-1OSSL_PROVIDER\s0\fR pointer to the provider that implements the given
-\&\fB\s-1EVP_MD\s0\fR.
-.IP "\fBEVP_MD_get_size()\fR, \fBEVP_MD_CTX_get_size()\fR" 4
-.IX Item "EVP_MD_get_size(), EVP_MD_CTX_get_size()"
-Return the size of the message digest when passed an \fB\s-1EVP_MD\s0\fR or an
-\&\fB\s-1EVP_MD_CTX\s0\fR structure, i.e. the size of the hash.
+Returns an \fBOSSL_PROVIDER\fR pointer to the provider that implements the given
+\&\fBEVP_MD\fR.
+.IP \fBEVP_MD_get_size()\fR 4
+.IX Item "EVP_MD_get_size()"
+Return the size of the message digest when passed an \fBEVP_MD\fR, i.e. the size of
+the hash. A negative value or 0 can occur for invalid size.
+For an XOF with no default size this returns 0.
+.IP "\fBEVP_MD_CTX_get_size_ex()\fR, \fBEVP_MD_CTX_get_size()\fR" 4
+.IX Item "EVP_MD_CTX_get_size_ex(), EVP_MD_CTX_get_size()"
+For a normal digest this is the same as \fBEVP_MD_get_size()\fR.
+For an XOF this returns the "xoflen" if it has been set, otherwise it returns 0.
.IP "\fBEVP_MD_get_block_size()\fR, \fBEVP_MD_CTX_get_block_size()\fR" 4
.IX Item "EVP_MD_get_block_size(), EVP_MD_CTX_get_block_size()"
-Return the block size of the message digest when passed an \fB\s-1EVP_MD\s0\fR or an
-\&\fB\s-1EVP_MD_CTX\s0\fR structure.
+Return the block size of the message digest when passed an \fBEVP_MD\fR or an
+\&\fBEVP_MD_CTX\fR structure.
.IP "\fBEVP_MD_get_type()\fR, \fBEVP_MD_CTX_get_type()\fR" 4
.IX Item "EVP_MD_get_type(), EVP_MD_CTX_get_type()"
-Return the \s-1NID\s0 of the \s-1OBJECT IDENTIFIER\s0 representing the given message digest
-when passed an \fB\s-1EVP_MD\s0\fR structure. For example, \f(CW\*(C`EVP_MD_get_type(EVP_sha1())\*(C'\fR
-returns \fBNID_sha1\fR. This function is normally used when setting \s-1ASN1\s0 OIDs.
-.IP "\fBEVP_MD_CTX_get0_md_data()\fR" 4
+Return the NID of the OBJECT IDENTIFIER representing the given message digest
+when passed an \fBEVP_MD\fR structure. For example, \f(CW\*(C`EVP_MD_get_type(EVP_sha1())\*(C'\fR
+returns \fBNID_sha1\fR. This function is normally used when setting ASN1 OIDs.
+.IP \fBEVP_MD_CTX_get0_md_data()\fR 4
.IX Item "EVP_MD_CTX_get0_md_data()"
-Return the digest method private data for the passed \fB\s-1EVP_MD_CTX\s0\fR.
+Return the digest method private data for the passed \fBEVP_MD_CTX\fR.
The space is allocated by OpenSSL and has the size originally set with
\&\fBEVP_MD_meth_set_app_datasize()\fR.
.IP "\fBEVP_MD_CTX_get0_md()\fR, \fBEVP_MD_CTX_get1_md()\fR" 4
.IX Item "EVP_MD_CTX_get0_md(), EVP_MD_CTX_get1_md()"
\&\fBEVP_MD_CTX_get0_md()\fR returns
-the \fB\s-1EVP_MD\s0\fR structure corresponding to the passed \fB\s-1EVP_MD_CTX\s0\fR. This
-will be the same \fB\s-1EVP_MD\s0\fR object originally passed to \fBEVP_DigestInit_ex2()\fR (or
-other similar function) when the \s-1EVP_MD_CTX\s0 was first initialised. Note that
+the \fBEVP_MD\fR structure corresponding to the passed \fBEVP_MD_CTX\fR. This
+will be the same \fBEVP_MD\fR object originally passed to \fBEVP_DigestInit_ex2()\fR (or
+other similar function) when the EVP_MD_CTX was first initialised. Note that
where explicit fetch is in use (see \fBEVP_MD_fetch\fR\|(3)) the value returned from
this function will not have its reference count incremented and therefore it
-should not be used after the \s-1EVP_MD_CTX\s0 is freed.
+should not be used after the EVP_MD_CTX is freed.
\&\fBEVP_MD_CTX_get1_md()\fR is the same except the ownership is passed to the
-caller and is from the passed \fB\s-1EVP_MD_CTX\s0\fR.
-.IP "\fBEVP_MD_CTX_set_update_fn()\fR" 4
+caller and is from the passed \fBEVP_MD_CTX\fR.
+.IP \fBEVP_MD_CTX_set_update_fn()\fR 4
.IX Item "EVP_MD_CTX_set_update_fn()"
Sets the update function for \fIctx\fR to \fIupdate\fR.
This is the function that is called by \fBEVP_DigestUpdate()\fR. If not set, the
-update function from the \fB\s-1EVP_MD\s0\fR type specified at initialization is used.
-.IP "\fBEVP_MD_CTX_update_fn()\fR" 4
+update function from the \fBEVP_MD\fR type specified at initialization is used.
+.IP \fBEVP_MD_CTX_update_fn()\fR 4
.IX Item "EVP_MD_CTX_update_fn()"
Returns the update function for \fIctx\fR.
-.IP "\fBEVP_MD_get_flags()\fR" 4
+.IP \fBEVP_MD_get_flags()\fR 4
.IX Item "EVP_MD_get_flags()"
-Returns the \fImd\fR flags. Note that these are different from the \fB\s-1EVP_MD_CTX\s0\fR
+Returns the \fImd\fR flags. Note that these are different from the \fBEVP_MD_CTX\fR
ones. See \fBEVP_MD_meth_set_flags\fR\|(3) for more information.
-.IP "\fBEVP_MD_get_pkey_type()\fR" 4
+.IP \fBEVP_MD_get_pkey_type()\fR 4
.IX Item "EVP_MD_get_pkey_type()"
-Returns the \s-1NID\s0 of the public key signing algorithm associated with this
-digest. For example \fBEVP_sha1()\fR is associated with \s-1RSA\s0 so this will return
+Returns the NID of the public key signing algorithm associated with this
+digest. For example \fBEVP_sha1()\fR is associated with RSA so this will return
\&\fBNID_sha1WithRSAEncryption\fR. Since digests and signature algorithms are no
longer linked this function is only retained for compatibility reasons.
-.IP "\fBEVP_md_null()\fR" 4
+.IP \fBEVP_md_null()\fR 4
.IX Item "EVP_md_null()"
-A \*(L"null\*(R" message digest that does nothing: i.e. the hash it returns is of zero
+A "null" message digest that does nothing: i.e. the hash it returns is of zero
length.
.IP "\fBEVP_get_digestbyname()\fR, \fBEVP_get_digestbynid()\fR, \fBEVP_get_digestbyobj()\fR" 4
.IX Item "EVP_get_digestbyname(), EVP_get_digestbynid(), EVP_get_digestbyobj()"
-Returns an \fB\s-1EVP_MD\s0\fR structure when passed a digest name, a digest \fB\s-1NID\s0\fR or an
-\&\fB\s-1ASN1_OBJECT\s0\fR structure respectively.
+Returns an \fBEVP_MD\fR structure when passed a digest name, a digest \fBNID\fR or an
+\&\fBASN1_OBJECT\fR structure respectively.
.Sp
The \fBEVP_get_digestbyname()\fR function is present for backwards compatibility with
OpenSSL prior to version 3 and is different to the \fBEVP_MD_fetch()\fR function
-since it does not attempt to \*(L"fetch\*(R" an implementation of the cipher.
+since it does not attempt to "fetch" an implementation of the cipher.
Additionally, it only knows about digests that are built-in to OpenSSL and have
-an associated \s-1NID.\s0 Similarly \fBEVP_get_digestbynid()\fR and \fBEVP_get_digestbyobj()\fR
+an associated NID. Similarly \fBEVP_get_digestbynid()\fR and \fBEVP_get_digestbyobj()\fR
also return objects without an associated implementation.
.Sp
When the digest objects returned by these functions are used (such as in a call
@@ -518,84 +482,97 @@ fetched from the loaded providers. This fetch could fail if no suitable
implementation is available. Use \fBEVP_MD_fetch()\fR instead to explicitly fetch
the algorithm and an associated implementation from a provider.
.Sp
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for more information about fetching.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more information about fetching.
.Sp
The digest objects returned from these functions do not need to be freed with
\&\fBEVP_MD_free()\fR.
-.IP "\fBEVP_MD_CTX_get_pkey_ctx()\fR" 4
+.IP \fBEVP_MD_CTX_get_pkey_ctx()\fR 4
.IX Item "EVP_MD_CTX_get_pkey_ctx()"
-Returns the \fB\s-1EVP_PKEY_CTX\s0\fR assigned to \fIctx\fR. The returned pointer should not
+Returns the \fBEVP_PKEY_CTX\fR assigned to \fIctx\fR. The returned pointer should not
be freed by the caller.
-.IP "\fBEVP_MD_CTX_set_pkey_ctx()\fR" 4
+.IP \fBEVP_MD_CTX_set_pkey_ctx()\fR 4
.IX Item "EVP_MD_CTX_set_pkey_ctx()"
-Assigns an \fB\s-1EVP_PKEY_CTX\s0\fR to \fB\s-1EVP_MD_CTX\s0\fR. This is usually used to provide
-a customized \fB\s-1EVP_PKEY_CTX\s0\fR to \fBEVP_DigestSignInit\fR\|(3) or
+Assigns an \fBEVP_PKEY_CTX\fR to \fBEVP_MD_CTX\fR. This is usually used to provide
+a customized \fBEVP_PKEY_CTX\fR to \fBEVP_DigestSignInit\fR\|(3) or
\&\fBEVP_DigestVerifyInit\fR\|(3). The \fIpctx\fR passed to this function should be freed
-by the caller. A \s-1NULL\s0 \fIpctx\fR pointer is also allowed to clear the \fB\s-1EVP_PKEY_CTX\s0\fR
-assigned to \fIctx\fR. In such case, freeing the cleared \fB\s-1EVP_PKEY_CTX\s0\fR or not
-depends on how the \fB\s-1EVP_PKEY_CTX\s0\fR is created.
-.IP "\fBEVP_MD_do_all_provided()\fR" 4
+by the caller. A NULL \fIpctx\fR pointer is also allowed to clear the \fBEVP_PKEY_CTX\fR
+assigned to \fIctx\fR. In such case, freeing the cleared \fBEVP_PKEY_CTX\fR or not
+depends on how the \fBEVP_PKEY_CTX\fR is created.
+.IP \fBEVP_MD_do_all_provided()\fR 4
.IX Item "EVP_MD_do_all_provided()"
Traverses all messages digests implemented by all activated providers
in the given library context \fIlibctx\fR, and for each of the implementations,
calls the given function \fIfn\fR with the implementation method and the given
\&\fIarg\fR as argument.
-.SH "PARAMETERS"
+.SH PARAMETERS
.IX Header "PARAMETERS"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for information about passing parameters.
+See \fBOSSL_PARAM\fR\|(3) for information about passing parameters.
+.PP
+\&\fBEVP_MD_CTX_set_params()\fR and \fBEVP_MD_CTX_get_params()\fR can be used with the
+following OSSL_PARAM keys:
+.IP """xoflen"" (\fBOSSL_DIGEST_PARAM_XOFLEN\fR) <unsigned integer>" 4
+.IX Item """xoflen"" (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>"
+Sets or gets the digest length for extendable output functions.
+The value should not exceed what can be given using a \fBsize_t\fR.
+It may be used by SHAKE\-128 and SHAKE\-256 to set the
+output length used by \fBEVP_DigestFinal_ex()\fR and \fBEVP_DigestFinal()\fR.
+.IP """size"" (\fBOSSL_DIGEST_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
+Sets or gets a fixed digest length.
+The value should not exceed what can be given using a \fBsize_t\fR.
+It may be used by BLAKE2B\-512 to set the output length used by
+\&\fBEVP_DigestFinal_ex()\fR and \fBEVP_DigestFinal()\fR.
.PP
-\&\fBEVP_MD_CTX_set_params()\fR can be used with the following \s-1OSSL_PARAM\s0 keys:
-.ie n .IP """xoflen"" (\fB\s-1OSSL_DIGEST_PARAM_XOFLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``xoflen'' (\fB\s-1OSSL_DIGEST_PARAM_XOFLEN\s0\fR) <unsigned integer>" 4
-.IX Item "xoflen (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>"
-Sets the digest length for extendable output functions.
-It is used by the \s-1SHAKE\s0 algorithm and should not exceed what can be given
-using a \fBsize_t\fR.
-.ie n .IP """pad-type"" (\fB\s-1OSSL_DIGEST_PARAM_PAD_TYPE\s0\fR) <unsigned integer>" 4
-.el .IP "``pad-type'' (\fB\s-1OSSL_DIGEST_PARAM_PAD_TYPE\s0\fR) <unsigned integer>" 4
-.IX Item "pad-type (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>"
+\&\fBEVP_MD_CTX_set_params()\fR can be used with the following OSSL_PARAM keys:
+.IP """pad-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4
+.IX Item """pad-type"" (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>"
Sets the padding type.
-It is used by the \s-1MDC2\s0 algorithm.
+It is used by the MDC2 algorithm.
.PP
-\&\fBEVP_MD_CTX_get_params()\fR can be used with the following \s-1OSSL_PARAM\s0 keys:
-.ie n .IP """micalg"" (\fB\s-1OSSL_PARAM_DIGEST_KEY_MICALG\s0\fR) <\s-1UTF8\s0 string>." 4
-.el .IP "``micalg'' (\fB\s-1OSSL_PARAM_DIGEST_KEY_MICALG\s0\fR) <\s-1UTF8\s0 string>." 4
-.IX Item "micalg (OSSL_PARAM_DIGEST_KEY_MICALG) <UTF8 string>."
+\&\fBEVP_MD_CTX_get_params()\fR can be used with the following OSSL_PARAM keys:
+.IP """micalg"" (\fBOSSL_DIGEST_PARAM_MICALG\fR) <UTF8 string>." 4
+.IX Item """micalg"" (OSSL_DIGEST_PARAM_MICALG) <UTF8 string>."
Gets the digest Message Integrity Check algorithm string. This is used when
-creating S/MIME multipart/signed messages, as specified in \s-1RFC 3851.\s0
+creating S/MIME multipart/signed messages, as specified in RFC 3851.
It may be used by external engines or providers.
-.SH "CONTROLS"
+.SH CONTROLS
.IX Header "CONTROLS"
\&\fBEVP_MD_CTX_ctrl()\fR can be used to send the following standard controls:
-.IP "\s-1EVP_MD_CTRL_MICALG\s0" 4
+.IP EVP_MD_CTRL_MICALG 4
.IX Item "EVP_MD_CTRL_MICALG"
Gets the digest Message Integrity Check algorithm string. This is used when
-creating S/MIME multipart/signed messages, as specified in \s-1RFC 3851.\s0
+creating S/MIME multipart/signed messages, as specified in RFC 3851.
The string value is written to \fIp2\fR.
.Sp
-When used with a fetched \fB\s-1EVP_MD\s0\fR, \fBEVP_MD_CTX_get_params()\fR gets called with
-an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"micalg\*(R" (\fB\s-1OSSL_DIGEST_PARAM_MICALG\s0\fR).
-.IP "\s-1EVP_MD_CTRL_XOF_LEN\s0" 4
+When used with a fetched \fBEVP_MD\fR, \fBEVP_MD_CTX_get_params()\fR gets called with
+an \fBOSSL_PARAM\fR\|(3) item with the key "micalg" (\fBOSSL_DIGEST_PARAM_MICALG\fR).
+.IP EVP_MD_CTRL_XOF_LEN 4
.IX Item "EVP_MD_CTRL_XOF_LEN"
This control sets the digest length for extendable output functions to \fIp1\fR.
Sending this control directly should not be necessary, the use of
\&\fBEVP_DigestFinalXOF()\fR is preferred.
-Currently used by \s-1SHAKE.\s0
+Currently used by SHAKE algorithms.
.Sp
-When used with a fetched \fB\s-1EVP_MD\s0\fR, \fBEVP_MD_CTX_get_params()\fR gets called with
-an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"xoflen\*(R" (\fB\s-1OSSL_DIGEST_PARAM_XOFLEN\s0\fR).
-.SH "FLAGS"
+When used with a fetched \fBEVP_MD\fR, \fBEVP_MD_CTX_get_params()\fR gets called with
+an \fBOSSL_PARAM\fR\|(3) item with the key "xoflen" (\fBOSSL_DIGEST_PARAM_XOFLEN\fR).
+.SH FLAGS
.IX Header "FLAGS"
\&\fBEVP_MD_CTX_set_flags()\fR, \fBEVP_MD_CTX_clear_flags()\fR and \fBEVP_MD_CTX_test_flags()\fR
-can be used the manipulate and test these \fB\s-1EVP_MD_CTX\s0\fR flags:
-.IP "\s-1EVP_MD_CTX_FLAG_ONESHOT\s0" 4
+can be used the manipulate and test these \fBEVP_MD_CTX\fR flags:
+.IP EVP_MD_CTX_FLAG_ONESHOT 4
.IX Item "EVP_MD_CTX_FLAG_ONESHOT"
This flag instructs the digest to optimize for one update only, if possible.
-.IP "\s-1EVP_MD_CTX_FLAG_NO_INIT\s0" 4
+.IP EVP_MD_CTX_FLAG_CLEANED 4
+.IX Item "EVP_MD_CTX_FLAG_CLEANED"
+This flag is for internal use only and \fImust not\fR be used in user code.
+.IP EVP_MD_CTX_FLAG_REUSE 4
+.IX Item "EVP_MD_CTX_FLAG_REUSE"
+This flag is for internal use only and \fImust not\fR be used in user code.
+.IP EVP_MD_CTX_FLAG_NO_INIT 4
.IX Item "EVP_MD_CTX_FLAG_NO_INIT"
This flag instructs \fBEVP_DigestInit()\fR and similar not to initialise the
implementation specific data.
-.IP "\s-1EVP_MD_CTX_FLAG_FINALISE\s0" 4
+.IP EVP_MD_CTX_FLAG_FINALISE 4
.IX Item "EVP_MD_CTX_FLAG_FINALISE"
Some functions such as EVP_DigestSign only finalise copies of internal
contexts so additional data can be included after the finalisation call.
@@ -603,17 +580,17 @@ This is inefficient if this functionality is not required, and can be
disabled with this flag.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-.IP "\fBEVP_MD_fetch()\fR" 4
+.IP \fBEVP_MD_fetch()\fR 4
.IX Item "EVP_MD_fetch()"
-Returns a pointer to a \fB\s-1EVP_MD\s0\fR for success or \s-1NULL\s0 for failure.
-.IP "\fBEVP_MD_up_ref()\fR" 4
+Returns a pointer to a \fBEVP_MD\fR for success or NULL for failure.
+.IP \fBEVP_MD_up_ref()\fR 4
.IX Item "EVP_MD_up_ref()"
Returns 1 for success or 0 for failure.
.IP "\fBEVP_Q_digest()\fR, \fBEVP_Digest()\fR, \fBEVP_DigestInit_ex2()\fR, \fBEVP_DigestInit_ex()\fR, \fBEVP_DigestInit()\fR, \fBEVP_DigestUpdate()\fR, \fBEVP_DigestFinal_ex()\fR, \fBEVP_DigestFinalXOF()\fR, and \fBEVP_DigestFinal()\fR" 4
.IX Item "EVP_Q_digest(), EVP_Digest(), EVP_DigestInit_ex2(), EVP_DigestInit_ex(), EVP_DigestInit(), EVP_DigestUpdate(), EVP_DigestFinal_ex(), EVP_DigestFinalXOF(), and EVP_DigestFinal()"
return 1 for
success and 0 for failure.
-.IP "\fBEVP_MD_CTX_ctrl()\fR" 4
+.IP \fBEVP_MD_CTX_ctrl()\fR 4
.IX Item "EVP_MD_CTX_ctrl()"
Returns 1 if successful or 0 for failure.
.IP "\fBEVP_MD_CTX_set_params()\fR, \fBEVP_MD_CTX_get_params()\fR" 4
@@ -621,48 +598,51 @@ Returns 1 if successful or 0 for failure.
Returns 1 if successful or 0 for failure.
.IP "\fBEVP_MD_CTX_settable_params()\fR, \fBEVP_MD_CTX_gettable_params()\fR" 4
.IX Item "EVP_MD_CTX_settable_params(), EVP_MD_CTX_gettable_params()"
-Return an array of constant \s-1\fBOSSL_PARAM\s0\fR\|(3)s, or \s-1NULL\s0 if there is none
+Return an array of constant \fBOSSL_PARAM\fR\|(3)s, or NULL if there is none
to get.
-.IP "\fBEVP_MD_CTX_copy_ex()\fR" 4
+.IP \fBEVP_MD_CTX_dup()\fR 4
+.IX Item "EVP_MD_CTX_dup()"
+Returns a new EVP_MD_CTX if successful or NULL on failure.
+.IP \fBEVP_MD_CTX_copy_ex()\fR 4
.IX Item "EVP_MD_CTX_copy_ex()"
Returns 1 if successful or 0 for failure.
.IP "\fBEVP_MD_get_type()\fR, \fBEVP_MD_get_pkey_type()\fR" 4
.IX Item "EVP_MD_get_type(), EVP_MD_get_pkey_type()"
-Returns the \s-1NID\s0 of the corresponding \s-1OBJECT IDENTIFIER\s0 or NID_undef if none
+Returns the NID of the corresponding OBJECT IDENTIFIER or NID_undef if none
exists.
.IP "\fBEVP_MD_get_size()\fR, \fBEVP_MD_get_block_size()\fR, \fBEVP_MD_CTX_get_size()\fR, \fBEVP_MD_CTX_get_block_size()\fR" 4
.IX Item "EVP_MD_get_size(), EVP_MD_get_block_size(), EVP_MD_CTX_get_size(), EVP_MD_CTX_get_block_size()"
Returns the digest or block size in bytes or \-1 for failure.
-.IP "\fBEVP_md_null()\fR" 4
+.IP \fBEVP_md_null()\fR 4
.IX Item "EVP_md_null()"
-Returns a pointer to the \fB\s-1EVP_MD\s0\fR structure of the \*(L"null\*(R" message digest.
+Returns a pointer to the \fBEVP_MD\fR structure of the "null" message digest.
.IP "\fBEVP_get_digestbyname()\fR, \fBEVP_get_digestbynid()\fR, \fBEVP_get_digestbyobj()\fR" 4
.IX Item "EVP_get_digestbyname(), EVP_get_digestbynid(), EVP_get_digestbyobj()"
-Returns either an \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0 if an error occurs.
-.IP "\fBEVP_MD_CTX_set_pkey_ctx()\fR" 4
+Returns either an \fBEVP_MD\fR structure or NULL if an error occurs.
+.IP \fBEVP_MD_CTX_set_pkey_ctx()\fR 4
.IX Item "EVP_MD_CTX_set_pkey_ctx()"
This function has no return value.
-.IP "\fBEVP_MD_names_do_all()\fR" 4
+.IP \fBEVP_MD_names_do_all()\fR 4
.IX Item "EVP_MD_names_do_all()"
Returns 1 if the callback was called for all names. A return value of 0 means
that the callback was not called for any names.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1EVP\s0\fR interface to message digests should almost always be used in
+The \fBEVP\fR interface to message digests should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the digest used and much more flexible.
.PP
-New applications should use the \s-1SHA\-2\s0 (such as \fBEVP_sha256\fR\|(3)) or the \s-1SHA\-3\s0
+New applications should use the SHA\-2 (such as \fBEVP_sha256\fR\|(3)) or the SHA\-3
digest algorithms (such as \fBEVP_sha3_512\fR\|(3)). The other digest algorithms
are still in common use.
.PP
For most applications the \fIimpl\fR parameter to \fBEVP_DigestInit_ex()\fR will be
-set to \s-1NULL\s0 to use the default digest implementation.
+set to NULL to use the default digest implementation.
.PP
Ignoring failure returns of \fBEVP_DigestInit_ex()\fR, \fBEVP_DigestInit_ex2()\fR, or
\&\fBEVP_DigestInit()\fR can lead to undefined behavior on subsequent calls
-updating or finalizing the \fB\s-1EVP_MD_CTX\s0\fR such as the \fBEVP_DigestUpdate()\fR or
-\&\fBEVP_DigestFinal()\fR functions. The only valid calls on the \fB\s-1EVP_MD_CTX\s0\fR
+updating or finalizing the \fBEVP_MD_CTX\fR such as the \fBEVP_DigestUpdate()\fR or
+\&\fBEVP_DigestFinal()\fR functions. The only valid calls on the \fBEVP_MD_CTX\fR
when initialization fails are calls that attempt another initialization of
the context or release the context.
.PP
@@ -682,9 +662,9 @@ defined as macros.
.PP
\&\fBEVP_MD_CTX_ctrl()\fR sends commands to message digests for additional configuration
or control.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example digests the data \*(L"Test Message\en\*(R" and \*(L"Hello World\en\*(R", using the
+This example digests the data "Test Message\en" and "Hello World\en", using the
digest name passed on the command line.
.PP
.Vb 3
@@ -713,6 +693,10 @@ digest name passed on the command line.
\& }
\&
\& mdctx = EVP_MD_CTX_new();
+\& if (mdctx == NULL) {
+\& printf("Message digest create failed.\en");
+\& exit(1);
+\& }
\& if (!EVP_DigestInit_ex2(mdctx, md, NULL)) {
\& printf("Message digest initialization failed.\en");
\& EVP_MD_CTX_free(mdctx);
@@ -748,10 +732,10 @@ digest name passed on the command line.
\&\fBEVP_MD_meth_new\fR\|(3),
\&\fBopenssl\-dgst\fR\|(1),
\&\fBevp\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\s0\fR\|(3),
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3),
+\&\fBOSSL_PROVIDER\fR\|(3),
+\&\fBOSSL_PARAM\fR\|(3),
\&\fBproperty\fR\|(7),
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7),
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7),
\&\fBprovider\-digest\fR\|(7),
\&\fBlife_cycle\-digest\fR\|(7)
.PP
@@ -768,13 +752,13 @@ The full list of digest algorithms are provided below.
\&\fBEVP_sha3_224\fR\|(3),
\&\fBEVP_sm3\fR\|(3),
\&\fBEVP_whirlpool\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_MD_CTX_create()\fR and \fBEVP_MD_CTX_destroy()\fR functions were renamed to
\&\fBEVP_MD_CTX_new()\fR and \fBEVP_MD_CTX_free()\fR in OpenSSL 1.1.0, respectively.
.PP
The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
-later, so now \fBEVP_sha1()\fR can be used with \s-1RSA\s0 and \s-1DSA.\s0
+later, so now \fBEVP_sha1()\fR can be used with RSA and DSA.
.PP
The \fBEVP_dss1()\fR function was removed in OpenSSL 1.1.0.
.PP
@@ -798,11 +782,21 @@ The \fBEVP_MD_CTX_md()\fR function was deprecated in OpenSSL 3.0; use
\&\fBEVP_MD_CTX_get0_md()\fR instead.
\&\fBEVP_MD_CTX_update_fn()\fR and \fBEVP_MD_CTX_set_update_fn()\fR were deprecated
in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \fBEVP_MD_CTX_dup()\fR function was added in OpenSSL 3.1.
+.PP
+The \fBEVP_DigestSqueeze()\fR function was added in OpenSSL 3.3.
+.PP
+The \fBEVP_MD_CTX_get_size_ex()\fR and \fBEVP_xof()\fR functions were added in OpenSSL 3.4.
+The macros \fBEVP_MD_CTX_get_size()\fR and EVP_MD_CTX_size were changed in OpenSSL 3.4
+to be aliases for \fBEVP_MD_CTX_get_size_ex()\fR, previously they were aliases for
+EVP_MD_get_size which returned a constant value. This is required for XOF
+digests since they do not have a fixed size.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3
index 7459317f1b3d..519265ed502f 100644
--- a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DIGESTSIGNINIT 3ossl"
-.TH EVP_DIGESTSIGNINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_DIGESTSIGNINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_DigestSignInit_ex, EVP_DigestSignInit, EVP_DigestSignUpdate,
EVP_DigestSignFinal, EVP_DigestSign \- EVP signing functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -153,13 +77,13 @@ EVP_DigestSignFinal, EVP_DigestSign \- EVP signing functions
\& int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
\& int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
\&
-\& int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret,
+\& int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sig,
\& size_t *siglen, const unsigned char *tbs,
\& size_t tbslen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 signature routines are a high-level interface to digital signatures.
+The EVP signature routines are a high-level interface to digital signatures.
Input data is digested first before the signing takes place.
.PP
\&\fBEVP_DigestSignInit_ex()\fR sets up signing context \fIctx\fR to use a digest
@@ -170,65 +94,65 @@ implement that digest directly itself or it may (optionally) choose to fetch it
(which could result in a digest from a different provider being selected). If the
provider supports fetching the digest then it may use the \fIprops\fR argument for
the properties to be used during the fetch. Finally, the passed parameters
-\&\fIparams\fR, if not \s-1NULL,\s0 are set on the context before returning.
+\&\fIparams\fR, if not NULL, are set on the context before returning.
.PP
-The \fIpkey\fR algorithm is used to fetch a \fB\s-1EVP_SIGNATURE\s0\fR method implicitly, to
-be used for the actual signing. See \*(L"Implicit fetch\*(R" in \fBprovider\fR\|(7) for
+The \fIpkey\fR algorithm is used to fetch a \fBEVP_SIGNATURE\fR method implicitly, to
+be used for the actual signing. See "Implicit fetch" in \fBprovider\fR\|(7) for
more information about implicit fetches.
.PP
The OpenSSL default and legacy providers support fetching digests and can fetch
-those digests from any available provider. The OpenSSL \s-1FIPS\s0 provider also
+those digests from any available provider. The OpenSSL FIPS provider also
supports fetching digests but will only fetch digests that are themselves
-implemented inside the \s-1FIPS\s0 provider.
+implemented inside the FIPS provider.
.PP
\&\fIctx\fR must be created with \fBEVP_MD_CTX_new()\fR before calling this function. If
-\&\fIpctx\fR is not \s-1NULL,\s0 the \s-1EVP_PKEY_CTX\s0 of the signing operation will be written
+\&\fIpctx\fR is not NULL, the EVP_PKEY_CTX of the signing operation will be written
to \fI*pctx\fR: this can be used to set alternative signing options. Note that any
-existing value in \fI*pctx\fR is overwritten. The \s-1EVP_PKEY_CTX\s0 value returned must
+existing value in \fI*pctx\fR is overwritten. The EVP_PKEY_CTX value returned must
not be freed directly by the application if \fIctx\fR is not assigned an
-\&\s-1EVP_PKEY_CTX\s0 value before being passed to \fBEVP_DigestSignInit_ex()\fR
-(which means the \s-1EVP_PKEY_CTX\s0 is created inside \fBEVP_DigestSignInit_ex()\fR
-and it will be freed automatically when the \s-1EVP_MD_CTX\s0 is freed). If the
-\&\s-1EVP_PKEY_CTX\s0 to be used is created by EVP_DigestSignInit_ex then it
-will use the \fB\s-1OSSL_LIB_CTX\s0\fR specified in \fIlibctx\fR and the property query string
+EVP_PKEY_CTX value before being passed to \fBEVP_DigestSignInit_ex()\fR
+(which means the EVP_PKEY_CTX is created inside \fBEVP_DigestSignInit_ex()\fR
+and it will be freed automatically when the EVP_MD_CTX is freed). If the
+EVP_PKEY_CTX to be used is created by EVP_DigestSignInit_ex then it
+will use the \fBOSSL_LIB_CTX\fR specified in \fIlibctx\fR and the property query string
specified in \fIprops\fR.
.PP
-The digest \fImdname\fR may be \s-1NULL\s0 if the signing algorithm supports it. The
-\&\fIprops\fR argument can always be \s-1NULL.\s0
+The digest \fImdname\fR may be NULL if the signing algorithm supports it. The
+\&\fIprops\fR argument can always be NULL.
.PP
-No \fB\s-1EVP_PKEY_CTX\s0\fR will be created by \fBEVP_DigestSignInit_ex()\fR if the
+No \fBEVP_PKEY_CTX\fR will be created by \fBEVP_DigestSignInit_ex()\fR if the
passed \fIctx\fR has already been assigned one via \fBEVP_MD_CTX_set_pkey_ctx\fR\|(3).
-See also \s-1\fBSM2\s0\fR\|(7).
+See also \fBSM2\fR\|(7).
.PP
-Only \s-1EVP_PKEY\s0 types that support signing can be used with these functions. This
-includes \s-1MAC\s0 algorithms where the \s-1MAC\s0 generation is considered as a form of
-\&\*(L"signing\*(R". Built-in \s-1EVP_PKEY\s0 types supported by these functions are \s-1CMAC,\s0
-Poly1305, \s-1DSA, ECDSA, HMAC, RSA,\s0 SipHash, Ed25519 and Ed448.
+Only EVP_PKEY types that support signing can be used with these functions. This
+includes MAC algorithms where the MAC generation is considered as a form of
+"signing". Built-in EVP_PKEY types supported by these functions are CMAC,
+Poly1305, DSA, ECDSA, HMAC, RSA, SipHash, Ed25519 and Ed448.
.PP
Not all digests can be used for all key types. The following combinations apply.
-.IP "\s-1DSA\s0" 4
+.IP DSA 4
.IX Item "DSA"
-Supports \s-1SHA1, SHA224, SHA256, SHA384\s0 and \s-1SHA512\s0
-.IP "\s-1ECDSA\s0" 4
+Supports SHA1, SHA224, SHA256, SHA384 and SHA512
+.IP ECDSA 4
.IX Item "ECDSA"
-Supports \s-1SHA1, SHA224, SHA256, SHA384, SHA512\s0 and \s-1SM3\s0
-.IP "\s-1RSA\s0 with no padding" 4
+Supports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3
+.IP "RSA with no padding" 4
.IX Item "RSA with no padding"
-Supports no digests (the digest \fItype\fR must be \s-1NULL\s0)
-.IP "\s-1RSA\s0 with X931 padding" 4
+Supports no digests (the digest \fItype\fR must be NULL)
+.IP "RSA with X931 padding" 4
.IX Item "RSA with X931 padding"
-Supports \s-1SHA1, SHA256, SHA384\s0 and \s-1SHA512\s0
-.IP "All other \s-1RSA\s0 padding types" 4
+Supports SHA1, SHA256, SHA384 and SHA512
+.IP "All other RSA padding types" 4
.IX Item "All other RSA padding types"
-Support \s-1SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
-SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512\s0
+Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
+SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512
.IP "Ed25519 and Ed448" 4
.IX Item "Ed25519 and Ed448"
-Support no digests (the digest \fItype\fR must be \s-1NULL\s0)
-.IP "\s-1HMAC\s0" 4
+Support no digests (the digest \fItype\fR must be NULL)
+.IP HMAC 4
.IX Item "HMAC"
Supports any digest
-.IP "\s-1CMAC,\s0 Poly1305 and SipHash" 4
+.IP "CMAC, Poly1305 and SipHash" 4
.IX Item "CMAC, Poly1305 and SipHash"
Will ignore any digest provided.
.PP
@@ -236,37 +160,36 @@ If RSA-PSS is used and restrictions apply then the digest must match.
.PP
\&\fBEVP_DigestSignInit()\fR works in the same way as \fBEVP_DigestSignInit_ex()\fR
except that the \fImdname\fR parameter will be inferred from the supplied
-digest \fItype\fR, and \fIprops\fR will be \s-1NULL.\s0 Where supplied the \s-1ENGINE\s0 \fIe\fR will
-be used for the signing and digest algorithm implementations. \fIe\fR may be \s-1NULL.\s0
+digest \fItype\fR, and \fIprops\fR will be NULL. Where supplied the ENGINE \fIe\fR will
+be used for the signing and digest algorithm implementations. \fIe\fR may be NULL.
.PP
\&\fBEVP_DigestSignUpdate()\fR hashes \fIcnt\fR bytes of data at \fId\fR into the
signature context \fIctx\fR. This function can be called several times on the
-same \fIctx\fR to include additional data.
+same \fIctx\fR to include additional data. \fIctx\fR \fBMUST NOT\fR be NULL.
.PP
-Unless \fIsig\fR is \s-1NULL\s0 \fBEVP_DigestSignFinal()\fR signs the data in \fIctx\fR
+Unless \fIsig\fR is NULL \fBEVP_DigestSignFinal()\fR signs the data in \fIctx\fR
and places the signature in \fIsig\fR.
Otherwise the maximum necessary size of the output buffer is written to
-the \fIsiglen\fR parameter. If \fIsig\fR is not \s-1NULL\s0 then before the call the
+the \fIsiglen\fR parameter. If \fIsig\fR is not NULL then before the call the
\&\fIsiglen\fR parameter should contain the length of the \fIsig\fR buffer. If the
call is successful the signature is written to \fIsig\fR and the amount of data
written to \fIsiglen\fR.
.PP
-\&\fBEVP_DigestSign()\fR signs \fItbslen\fR bytes of data at \fItbs\fR and places the
-signature in \fIsig\fR and its length in \fIsiglen\fR in a similar way to
-\&\fBEVP_DigestSignFinal()\fR. In the event of a failure \fBEVP_DigestSign()\fR cannot be
-called again without reinitialising the \s-1EVP_MD_CTX.\s0 If \fIsig\fR is \s-1NULL\s0 before the
-call then \fIsiglen\fR will be populated with the required size for the \fIsig\fR
-buffer. If \fIsig\fR is non-NULL before the call then \fIsiglen\fR should contain the
-length of the \fIsig\fR buffer.
+\&\fBEVP_DigestSign()\fR is similar to a single call to \fBEVP_DigestSignUpdate()\fR and
+\&\fBEVP_DigestSignFinal()\fR.
+Unless \fIsig\fR is NULL, \fBEVP_DigestSign()\fR signs the data \fItbs\fR of length \fItbslen\fR
+bytes and places the signature in a buffer \fIsig\fR of size \fIsiglen\fR.
+If \fIsig\fR is NULL, the maximum necessary size of the signature buffer is written
+to the \fIsiglen\fR parameter.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR, \fBEVP_DigestSignFinal()\fR and
\&\fBEVP_DigestSign()\fR return 1 for success and 0 for failure.
.PP
The error codes can be obtained from \fBERR_get_error\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
+The \fBEVP\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
@@ -276,23 +199,34 @@ calling \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR. For algori
do not support streaming (e.g. PureEdDSA) it is the only way to sign data.
.PP
In previous versions of OpenSSL there was a link between message digest types
-and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fBEVP_dss1()\fR
-needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and
+and public key algorithms. This meant that "clone" digests such as \fBEVP_dss1()\fR
+needed to be used to sign using SHA1 and DSA. This is no longer necessary and
the use of clone digest is now discouraged.
.PP
For some key types and parameters the random number generator must be seeded.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
The call to \fBEVP_DigestSignFinal()\fR internally finalizes a copy of the digest
context. This means that calls to \fBEVP_DigestSignUpdate()\fR and
\&\fBEVP_DigestSignFinal()\fR can be called later to digest and sign additional data.
+Applications may disable this behavior by setting the EVP_MD_CTX_FLAG_FINALISE
+context flag via \fBEVP_MD_CTX_set_flags\fR\|(3).
+.PP
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts \fBEVP_DigestSignFinal()\fR will
+finalize the digest context and attempting to process additional data via
+\&\fBEVP_DigestSignUpdate()\fR will result in an error.
.PP
\&\fBEVP_DigestSignInit()\fR and \fBEVP_DigestSignInit_ex()\fR functions can be called
multiple times on a context and the parameters set by previous calls should be
-preserved if the \fIpkey\fR parameter is \s-1NULL.\s0 The call then just resets the state
+preserved if the \fIpkey\fR parameter is NULL. The call then just resets the state
of the \fIctx\fR.
.PP
+\&\fBEVP_DigestSign()\fR can not be called again, once a signature is generated (by
+passing \fIsig\fR as non NULL), unless the \fBEVP_MD_CTX\fR is reinitialised by
+calling \fBEVP_DigestSignInit_ex()\fR.
+.PP
Ignoring failure returns of \fBEVP_DigestSignInit()\fR and \fBEVP_DigestSignInit_ex()\fR
functions can lead to subsequent undefined behavior when calling
\&\fBEVP_DigestSignUpdate()\fR, \fBEVP_DigestSignFinal()\fR, or \fBEVP_DigestSign()\fR.
@@ -305,11 +239,11 @@ which indicates the maximum possible signature for any set of parameters.
.IX Header "SEE ALSO"
\&\fBEVP_DigestVerifyInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
-\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
-\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
-\&\s-1\fBSHA1\s0\fR\|(3), \fBopenssl\-dgst\fR\|(1),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBevp\fR\|(7), \fBHMAC\fR\|(3), \fBMD2\fR\|(3),
+\&\fBMD5\fR\|(3), \fBMDC2\fR\|(3), \fBRIPEMD160\fR\|(3),
+\&\fBSHA1\fR\|(3), \fBopenssl\-dgst\fR\|(1),
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR
were added in OpenSSL 1.0.0.
@@ -317,11 +251,11 @@ were added in OpenSSL 1.0.0.
\&\fBEVP_DigestSignInit_ex()\fR was added in OpenSSL 3.0.
.PP
\&\fBEVP_DigestSignUpdate()\fR was converted from a macro to a function in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3
index acd1078a1f16..8a0916587806 100644
--- a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DIGESTVERIFYINIT 3ossl"
-.TH EVP_DIGESTVERIFYINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_DIGESTVERIFYINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_DigestVerifyInit_ex, EVP_DigestVerifyInit, EVP_DigestVerifyUpdate,
EVP_DigestVerifyFinal, EVP_DigestVerify \- EVP signature verification functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -153,12 +77,12 @@ EVP_DigestVerifyFinal, EVP_DigestVerify \- EVP signature verification functions
\& int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
\& int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
\& size_t siglen);
-\& int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+\& int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sig,
\& size_t siglen, const unsigned char *tbs, size_t tbslen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 signature routines are a high-level interface to digital signatures.
+The EVP signature routines are a high-level interface to digital signatures.
Input data is digested first before the signature verification takes place.
.PP
\&\fBEVP_DigestVerifyInit_ex()\fR sets up verification context \fBctx\fR to use a
@@ -169,57 +93,57 @@ implement that digest directly itself or it may (optionally) choose to fetch it
(which could result in a digest from a different provider being selected). If
the provider supports fetching the digest then it may use the \fBprops\fR argument
for the properties to be used during the fetch. Finally, the passed parameters
-\&\fIparams\fR, if not \s-1NULL,\s0 are set on the context before returning.
+\&\fIparams\fR, if not NULL, are set on the context before returning.
.PP
-The \fIpkey\fR algorithm is used to fetch a \fB\s-1EVP_SIGNATURE\s0\fR method implicitly, to
-be used for the actual signing. See \*(L"Implicit fetch\*(R" in \fBprovider\fR\|(7) for
+The \fIpkey\fR algorithm is used to fetch a \fBEVP_SIGNATURE\fR method implicitly, to
+be used for the actual signing. See "Implicit fetch" in \fBprovider\fR\|(7) for
more information about implicit fetches.
.PP
The OpenSSL default and legacy providers support fetching digests and can fetch
-those digests from any available provider. The OpenSSL \s-1FIPS\s0 provider also
+those digests from any available provider. The OpenSSL FIPS provider also
supports fetching digests but will only fetch digests that are themselves
-implemented inside the \s-1FIPS\s0 provider.
+implemented inside the FIPS provider.
.PP
\&\fBctx\fR must be created with \fBEVP_MD_CTX_new()\fR before calling this function. If
-\&\fBpctx\fR is not \s-1NULL,\s0 the \s-1EVP_PKEY_CTX\s0 of the verification operation will be
+\&\fBpctx\fR is not NULL, the EVP_PKEY_CTX of the verification operation will be
written to \fB*pctx\fR: this can be used to set alternative verification options.
-Note that any existing value in \fB*pctx\fR is overwritten. The \s-1EVP_PKEY_CTX\s0 value
+Note that any existing value in \fB*pctx\fR is overwritten. The EVP_PKEY_CTX value
returned must not be freed directly by the application if \fBctx\fR is not assigned
-an \s-1EVP_PKEY_CTX\s0 value before being passed to \fBEVP_DigestVerifyInit_ex()\fR
-(which means the \s-1EVP_PKEY_CTX\s0 is created inside
+an EVP_PKEY_CTX value before being passed to \fBEVP_DigestVerifyInit_ex()\fR
+(which means the EVP_PKEY_CTX is created inside
\&\fBEVP_DigestVerifyInit_ex()\fR and it will be freed automatically when the
-\&\s-1EVP_MD_CTX\s0 is freed). If the \s-1EVP_PKEY_CTX\s0 to be used is created by
-EVP_DigestVerifyInit_ex then it will use the \fB\s-1OSSL_LIB_CTX\s0\fR specified
+EVP_MD_CTX is freed). If the EVP_PKEY_CTX to be used is created by
+EVP_DigestVerifyInit_ex then it will use the \fBOSSL_LIB_CTX\fR specified
in \fIlibctx\fR and the property query string specified in \fIprops\fR.
.PP
-No \fB\s-1EVP_PKEY_CTX\s0\fR will be created by \fBEVP_DigestVerifyInit_ex()\fR if the
+No \fBEVP_PKEY_CTX\fR will be created by \fBEVP_DigestVerifyInit_ex()\fR if the
passed \fBctx\fR has already been assigned one via \fBEVP_MD_CTX_set_pkey_ctx\fR\|(3).
-See also \s-1\fBSM2\s0\fR\|(7).
+See also \fBSM2\fR\|(7).
.PP
Not all digests can be used for all key types. The following combinations apply.
-.IP "\s-1DSA\s0" 4
+.IP DSA 4
.IX Item "DSA"
-Supports \s-1SHA1, SHA224, SHA256, SHA384\s0 and \s-1SHA512\s0
-.IP "\s-1ECDSA\s0" 4
+Supports SHA1, SHA224, SHA256, SHA384 and SHA512
+.IP ECDSA 4
.IX Item "ECDSA"
-Supports \s-1SHA1, SHA224, SHA256, SHA384, SHA512\s0 and \s-1SM3\s0
-.IP "\s-1RSA\s0 with no padding" 4
+Supports SHA1, SHA224, SHA256, SHA384, SHA512 and SM3
+.IP "RSA with no padding" 4
.IX Item "RSA with no padding"
-Supports no digests (the digest \fBtype\fR must be \s-1NULL\s0)
-.IP "\s-1RSA\s0 with X931 padding" 4
+Supports no digests (the digest \fBtype\fR must be NULL)
+.IP "RSA with X931 padding" 4
.IX Item "RSA with X931 padding"
-Supports \s-1SHA1, SHA256, SHA384\s0 and \s-1SHA512\s0
-.IP "All other \s-1RSA\s0 padding types" 4
+Supports SHA1, SHA256, SHA384 and SHA512
+.IP "All other RSA padding types" 4
.IX Item "All other RSA padding types"
-Support \s-1SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
-SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512\s0
+Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
+SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512
.IP "Ed25519 and Ed448" 4
.IX Item "Ed25519 and Ed448"
-Support no digests (the digest \fBtype\fR must be \s-1NULL\s0)
-.IP "\s-1HMAC\s0" 4
+Support no digests (the digest \fBtype\fR must be NULL)
+.IP HMAC 4
.IX Item "HMAC"
Supports any digest
-.IP "\s-1CMAC,\s0 Poly1305 and Siphash" 4
+.IP "CMAC, Poly1305 and Siphash" 4
.IX Item "CMAC, Poly1305 and Siphash"
Will ignore any digest provided.
.PP
@@ -227,9 +151,9 @@ If RSA-PSS is used and restrictions apply then the digest must match.
.PP
\&\fBEVP_DigestVerifyInit()\fR works in the same way as
\&\fBEVP_DigestVerifyInit_ex()\fR except that the \fBmdname\fR parameter will be
-inferred from the supplied digest \fBtype\fR, and \fBprops\fR will be \s-1NULL.\s0 Where
-supplied the \s-1ENGINE\s0 \fBe\fR will be used for the signature verification and digest
-algorithm implementations. \fBe\fR may be \s-1NULL.\s0
+inferred from the supplied digest \fBtype\fR, and \fBprops\fR will be NULL. Where
+supplied the ENGINE \fBe\fR will be used for the signature verification and digest
+algorithm implementations. \fBe\fR may be NULL.
.PP
\&\fBEVP_DigestVerifyUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the
verification context \fBctx\fR. This function can be called several times on the
@@ -252,9 +176,9 @@ the signature had an invalid form), while other values indicate a more serious
error (and sometimes also indicate an invalid signature form).
.PP
The error codes can be obtained from \fBERR_get_error\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
+The \fBEVP\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
@@ -265,23 +189,33 @@ algorithms which do not support streaming (e.g. PureEdDSA) it is the only way
to verify data.
.PP
In previous versions of OpenSSL there was a link between message digest types
-and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fBEVP_dss1()\fR
-needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and
+and public key algorithms. This meant that "clone" digests such as \fBEVP_dss1()\fR
+needed to be used to sign using SHA1 and DSA. This is no longer necessary and
the use of clone digest is now discouraged.
.PP
For some key types and parameters the random number generator must be seeded.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
The call to \fBEVP_DigestVerifyFinal()\fR internally finalizes a copy of the digest
context. This means that \fBEVP_VerifyUpdate()\fR and \fBEVP_VerifyFinal()\fR can
-be called later to digest and verify additional data.
+be called later to digest and verify additional data. Applications may disable
+this behavior by setting the EVP_MD_CTX_FLAG_FINALISE context flag via
+\&\fBEVP_MD_CTX_set_flags\fR\|(3).
+.PP
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts \fBEVP_DigestVerifyFinal()\fR will
+finalize the digest context and attempting to process additional data via
+\&\fBEVP_DigestVerifyUpdate()\fR will result in an error.
.PP
\&\fBEVP_DigestVerifyInit()\fR and \fBEVP_DigestVerifyInit_ex()\fR functions can be called
multiple times on a context and the parameters set by previous calls should be
-preserved if the \fIpkey\fR parameter is \s-1NULL.\s0 The call then just resets the state
+preserved if the \fIpkey\fR parameter is NULL. The call then just resets the state
of the \fIctx\fR.
.PP
+\&\fBEVP_DigestVerify()\fR can only be called once, and cannot be used again without
+reinitialising the \fBEVP_MD_CTX\fR by calling \fBEVP_DigestVerifyInit_ex()\fR.
+.PP
Ignoring failure returns of \fBEVP_DigestVerifyInit()\fR and \fBEVP_DigestVerifyInit_ex()\fR
functions can lead to subsequent undefined behavior when calling
\&\fBEVP_DigestVerifyUpdate()\fR, \fBEVP_DigestVerifyFinal()\fR, or \fBEVP_DigestVerify()\fR.
@@ -289,11 +223,11 @@ functions can lead to subsequent undefined behavior when calling
.IX Header "SEE ALSO"
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
-\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
-\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
-\&\s-1\fBSHA1\s0\fR\|(3), \fBopenssl\-dgst\fR\|(1),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBevp\fR\|(7), \fBHMAC\fR\|(3), \fBMD2\fR\|(3),
+\&\fBMD5\fR\|(3), \fBMDC2\fR\|(3), \fBRIPEMD160\fR\|(3),
+\&\fBSHA1\fR\|(3), \fBopenssl\-dgst\fR\|(1),
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_DigestVerifyInit()\fR, \fBEVP_DigestVerifyUpdate()\fR and \fBEVP_DigestVerifyFinal()\fR
were added in OpenSSL 1.0.0.
@@ -302,11 +236,11 @@ were added in OpenSSL 1.0.0.
.PP
\&\fBEVP_DigestVerifyUpdate()\fR was converted from a macro to a function in OpenSSL
3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3
index ea02b12e348e..3227724d0930 100644
--- a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ENCODEINIT 3ossl"
-.TH EVP_ENCODEINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_ENCODEINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_ENCODE_CTX_new, EVP_ENCODE_CTX_free, EVP_ENCODE_CTX_copy,
EVP_ENCODE_CTX_num, EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal,
EVP_EncodeBlock, EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal,
-EVP_DecodeBlock \- EVP base 64 encode/decode routines
-.SH "SYNOPSIS"
+EVP_DecodeBlock \- EVP base64 encode/decode routines
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -162,24 +86,26 @@ EVP_DecodeBlock \- EVP base 64 encode/decode routines
\& int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl);
\& int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 encode routines provide a high-level interface to base 64 encoding and
-decoding. Base 64 encoding converts binary data into a printable form that uses
-the characters A\-Z, a\-z, 0\-9, \*(L"+\*(R" and \*(L"/\*(R" to represent the data. For every 3
-bytes of binary data provided 4 bytes of base 64 encoded data will be produced
+The EVP encode routines provide a high-level interface to base64 encoding and
+decoding.
+Base64 encoding converts binary data into a printable form that uses
+the characters A\-Z, a\-z, 0\-9, "+" and "/" to represent the data. For every 3
+bytes of binary data provided 4 bytes of base64 encoded data will be produced
plus some occasional newlines (see below). If the input data length is not a
-multiple of 3 then the output data will be padded at the end using the \*(L"=\*(R"
+multiple of 3 then the output data will be padded at the end using the "="
character.
.PP
\&\fBEVP_ENCODE_CTX_new()\fR allocates, initializes and returns a context to be used for
the encode/decode functions.
.PP
\&\fBEVP_ENCODE_CTX_free()\fR cleans up an encode/decode context \fBctx\fR and frees up the
-space allocated to it.
+space allocated to it. If the argument is NULL, nothing is done.
.PP
Encoding of binary data is performed in blocks of 48 input bytes (or less for
-the final block). For each 48 byte input block encoded 64 bytes of base 64 data
+the final block).
+For each 48 byte input block encoded 64 bytes of base64 data
is output plus an additional newline character (i.e. 65 bytes in total). The
final block (which may be less than 48 bytes) will output 4 bytes for every 3
bytes of input. If the data length is not divisible by 3 then a full 4 bytes is
@@ -199,7 +125,7 @@ required size of the output buffer add together the value of \fBinl\fR with the
amount of unprocessed data held in \fBctx\fR and divide the result by 48 (ignore
any remainder). This gives the number of blocks of data that will be processed.
Ensure the output buffer contains 65 bytes of storage for each block, plus an
-additional byte for a \s-1NUL\s0 terminator. \fBEVP_EncodeUpdate()\fR may be called
+additional byte for a NUL terminator. \fBEVP_EncodeUpdate()\fR may be called
repeatedly to process large amounts of input data. In the event of an error
\&\fBEVP_EncodeUpdate()\fR will set \fB*outl\fR to 0 and return 0. On success 1 will be
returned.
@@ -209,7 +135,7 @@ process any partial block of data remaining in the \fBctx\fR object. The output
data will be stored in \fBout\fR and the length of the data written will be stored
in \fB*outl\fR. It is the caller's responsibility to ensure that \fBout\fR is
sufficiently large to accommodate the output data which will never be more than
-65 bytes plus an additional \s-1NUL\s0 terminator (i.e. 66 bytes in total).
+65 bytes plus an additional NUL terminator (i.e. 66 bytes in total).
.PP
\&\fBEVP_ENCODE_CTX_copy()\fR can be used to copy a context \fBsctx\fR to a context
\&\fBdctx\fR. \fBdctx\fR must be initialized before calling this function.
@@ -221,59 +147,84 @@ be encoded or decoded that are pending in the \fBctx\fR object.
\&\fBn\fR and stores it in \fBt\fR. For every 3 bytes of input provided 4 bytes of
output data will be produced. If \fBn\fR is not divisible by 3 then the block is
encoded as a final block of data and the output is padded such that it is always
-divisible by 4. Additionally a \s-1NUL\s0 terminator character will be added. For
+divisible by 4. Additionally a NUL terminator character will be added. For
example if 16 bytes of input data is provided then 24 bytes of encoded data is
-created plus 1 byte for a \s-1NUL\s0 terminator (i.e. 25 bytes in total). The length of
-the data generated \fIwithout\fR the \s-1NUL\s0 terminator is returned from the function.
+created plus 1 byte for a NUL terminator (i.e. 25 bytes in total). The length of
+the data generated \fIwithout\fR the NUL terminator is returned from the function.
.PP
\&\fBEVP_DecodeInit()\fR initialises \fBctx\fR for the start of a new decoding operation.
.PP
-\&\fBEVP_DecodeUpdate()\fR decodes \fBinl\fR characters of data found in the buffer pointed
-to by \fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes
-output is stored in \fB*outl\fR. It is the caller's responsibility to ensure that
-the buffer at \fBout\fR is sufficiently large to accommodate the output data. This
-function will attempt to decode as much data as possible in 4 byte chunks. Any
-whitespace, newline or carriage return characters are ignored. Any partial chunk
-of unprocessed data (1, 2 or 3 bytes) that remains at the end will be held in
-the \fBctx\fR object and processed by a subsequent call to \fBEVP_DecodeUpdate()\fR. If
-any illegal base 64 characters are encountered or if the base 64 padding
-character \*(L"=\*(R" is encountered in the middle of the data then the function returns
-\&\-1 to indicate an error. A return value of 0 or 1 indicates successful
-processing of the data. A return value of 0 additionally indicates that the last
-input data characters processed included the base 64 padding character \*(L"=\*(R" and
-therefore no more non-padding character data is expected to be processed. For
-every 4 valid base 64 bytes processed (ignoring whitespace, carriage returns and
-line feeds), 3 bytes of binary output data will be produced (or less at the end
-of the data where the padding character \*(L"=\*(R" has been used).
-.PP
-\&\fBEVP_DecodeFinal()\fR must be called at the end of a decoding operation. If there
-is any unprocessed data still in \fBctx\fR then the input data must not have been
-a multiple of 4 and therefore an error has occurred. The function will return \-1
-in this case. Otherwise the function returns 1 on success.
-.PP
-\&\fBEVP_DecodeBlock()\fR will decode the block of \fBn\fR characters of base 64 data
-contained in \fBf\fR and store the result in \fBt\fR. Any leading whitespace will be
-trimmed as will any trailing whitespace, newlines, carriage returns or \s-1EOF\s0
-characters. After such trimming the length of the data in \fBf\fR must be divisible
-by 4. For every 4 input bytes exactly 3 output bytes will be produced. The
-output will be padded with 0 bits if necessary to ensure that the output is
-always 3 bytes for every 4 input bytes. This function will return the length of
-the data decoded or \-1 on error.
+\&\fBEVP_DecodeUpdate()\fR decodes \fBinl\fR characters of data found in the buffer
+pointed to by \fBin\fR.
+The output is stored in the buffer \fBout\fR and the number of bytes output is
+stored in \fB*outl\fR.
+It is the caller's responsibility to ensure that the buffer at \fBout\fR is
+sufficiently large to accommodate the output data.
+This function will attempt to decode as much data as possible in chunks of up
+to 80 base64 characters at a time.
+Residual input shorter than the internal chunk size will be buffered in \fBctx\fR
+if its length is not a multiple of 4 (including any padding), to be processed
+in future calls to \fBEVP_DecodeUpdate()\fR or \fBEVP_DecodeFinal()\fR.
+If the final chunk length is a multiple of 4, it is decoded immediately and
+not buffered.
+.PP
+Any whitespace, newline or carriage return characters are ignored.
+For compatibility with \fBPEM\fR, the \fB\-\fR (hyphen) character is treated as a soft
+end-of-input, subsequent bytes are not buffered, and the return value will be
+0 to indicate that the end of the base64 input has been detected.
+The soft end-of-input, if present, MUST occur after a multiple of 4 valid base64
+input bytes.
+The soft end-of-input condition is not remembered in \fBctx\fR, it is up to the
+caller to avoid further calls to \fBEVP_DecodeUpdate()\fR after a 0 or negative
+(error) return.
+.PP
+If any invalid base64 characters are encountered or if the base64 padding
+character (\fB=\fR) is encountered in the middle of the data then
+\&\fBEVP_DecodeUpdate()\fR returns \-1 to indicate an error.
+A return value of 0 or 1 indicates successful processing of the data.
+A return value of 0 additionally indicates that the last 4 bytes processed
+ended with base64 padding (\fB=\fR), or that the next 4 byte group starts with the
+soft end-of-input (\fB\-\fR) character, and therefore no more input data is
+expected to be processed.
+.PP
+For every 4 valid base64 bytes processed (ignoring whitespace, carriage returns
+and line feeds), 3 bytes of binary output data will be produced (except at the
+end of data terminated with one or two padding characters).
+.PP
+\&\fBEVP_DecodeFinal()\fR should be called at the end of a decoding operation,
+but it will never decode additional data. If there is no residual data
+it will return 1 to indicate success. If there is residual data, its
+length is not a multiple of 4, i.e. it was not properly padded, \-1 is
+is returned in that case to indicate an error.
+.PP
+\&\fBEVP_DecodeBlock()\fR will decode the block of \fBn\fR characters of base64 data
+contained in \fBf\fR and store the result in \fBt\fR.
+Any leading whitespace will be trimmed as will any trailing whitespace,
+newlines, carriage returns or EOF characters.
+Internal whitespace MUST NOT be present.
+After trimming the data in \fBf\fR MUST consist entirely of valid base64
+characters or padding (only at the tail of the input) and its length MUST be
+divisible by 4.
+For every 4 input bytes exactly 3 output bytes will be produced.
+Padding bytes (\fB=\fR) (even if internal) are decoded to 6 zero bits, the caller
+is responsible for taking trailing padding into account, by ignoring as many
+bytes at the tail of the returned output.
+\&\fBEVP_DecodeBlock()\fR will return the length of the data decoded or \-1 on error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_ENCODE_CTX_new()\fR returns a pointer to the newly allocated \s-1EVP_ENCODE_CTX\s0
-object or \s-1NULL\s0 on error.
+\&\fBEVP_ENCODE_CTX_new()\fR returns a pointer to the newly allocated EVP_ENCODE_CTX
+object or NULL on error.
.PP
\&\fBEVP_ENCODE_CTX_num()\fR returns the number of bytes pending encoding or decoding in
\&\fBctx\fR.
.PP
\&\fBEVP_EncodeUpdate()\fR returns 0 on error or 1 on success.
.PP
-\&\fBEVP_EncodeBlock()\fR returns the number of bytes encoded excluding the \s-1NUL\s0
+\&\fBEVP_EncodeBlock()\fR returns the number of bytes encoded excluding the NUL
terminator.
.PP
\&\fBEVP_DecodeUpdate()\fR returns \-1 on error and 0 or 1 on success. If 0 is returned
-then no more non-padding base 64 characters are expected.
+then no more non-padding base64 characters are expected.
.PP
\&\fBEVP_DecodeFinal()\fR returns \-1 on error or 1 on success.
.PP
@@ -281,11 +232,16 @@ then no more non-padding base 64 characters are expected.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBEVP_DecodeUpdate()\fR function was fixed in OpenSSL 3.5,
+so now it produces the number of bytes specified in \fBoutl*\fR
+and does not decode padding bytes (\fB=\fR) to 6 zero bits.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3
index 773d049ab9b0..d5c2ae603553 100644
--- a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ENCRYPTINIT 3ossl"
-.TH EVP_ENCRYPTINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_ENCRYPTINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER_fetch,
EVP_CIPHER_up_ref,
EVP_CIPHER_free,
EVP_CIPHER_CTX_new,
EVP_CIPHER_CTX_reset,
EVP_CIPHER_CTX_free,
+EVP_CIPHER_CTX_dup,
+EVP_CIPHER_CTX_copy,
EVP_EncryptInit_ex,
EVP_EncryptInit_ex2,
EVP_EncryptUpdate,
@@ -153,6 +79,7 @@ EVP_DecryptUpdate,
EVP_DecryptFinal_ex,
EVP_CipherInit_ex,
EVP_CipherInit_ex2,
+EVP_CipherInit_SKEY,
EVP_CipherUpdate,
EVP_CipherFinal_ex,
EVP_CIPHER_CTX_set_key_length,
@@ -164,6 +91,11 @@ EVP_DecryptFinal,
EVP_CipherInit,
EVP_CipherFinal,
EVP_Cipher,
+EVP_CIPHER_can_pipeline,
+EVP_CipherPipelineEncryptInit,
+EVP_CipherPipelineDecryptInit,
+EVP_CipherPipelineUpdate,
+EVP_CipherPipelineFinal,
EVP_get_cipherbyname,
EVP_get_cipherbynid,
EVP_get_cipherbyobj,
@@ -230,7 +162,7 @@ EVP_CIPHER_CTX_num,
EVP_CIPHER_CTX_type,
EVP_CIPHER_CTX_mode
\&\- EVP cipher routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -242,6 +174,8 @@ EVP_CIPHER_CTX_mode
\& EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
\& int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
\& void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
+\& EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in);
+\& int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in);
\&
\& int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& ENGINE *impl, const unsigned char *key, const unsigned char *iv);
@@ -266,6 +200,9 @@ EVP_CIPHER_CTX_mode
\& int EVP_CipherInit_ex2(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& const unsigned char *key, const unsigned char *iv,
\& int enc, const OSSL_PARAM params[]);
+\& int EVP_CipherInit_SKEY(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+\& EVP_SKEY *skey, const unsigned char *iv, size_t iv_len,
+\& int enc, const OSSL_PARAM params[]);
\& int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& int *outl, const unsigned char *in, int inl);
\& int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
@@ -285,6 +222,25 @@ EVP_CIPHER_CTX_mode
\& int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& const unsigned char *in, unsigned int inl);
\&
+\& int EVP_CIPHER_can_pipeline(const EVP_CIPHER *cipher, int enc);
+\& int EVP_CipherPipelineEncryptInit(EVP_CIPHER_CTX *ctx,
+\& const EVP_CIPHER *cipher,
+\& const unsigned char *key, size_t keylen,
+\& size_t numpipes,
+\& const unsigned char **iv, size_t ivlen);
+\& int EVP_CipherPipelineDecryptInit(EVP_CIPHER_CTX *ctx,
+\& const EVP_CIPHER *cipher,
+\& const unsigned char *key, size_t keylen,
+\& size_t numpipes,
+\& const unsigned char **iv, size_t ivlen);
+\& int EVP_CipherPipelineUpdate(EVP_CIPHER_CTX *ctx,
+\& unsigned char **out, size_t *outl,
+\& const size_t *outsize,
+\& const unsigned char **in, const size_t *inl);
+\& int EVP_CipherPipelineFinal(EVP_CIPHER_CTX *ctx,
+\& unsigned char **outm, size_t *outl,
+\& const size_t *outsize);
+\&
\& int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
\& int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
\& int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int cmd, int p1, void *p2);
@@ -364,7 +320,7 @@ EVP_CIPHER_CTX_mode
.Ve
.PP
The following function has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -372,44 +328,53 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& int EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 cipher routines are a high-level interface to certain
+The EVP cipher routines are a high-level interface to certain
symmetric ciphers.
.PP
-The \fB\s-1EVP_CIPHER\s0\fR type is a structure for cipher method implementation.
-.IP "\fBEVP_CIPHER_fetch()\fR" 4
+The \fBEVP_CIPHER\fR type is a structure for cipher method implementation.
+.IP \fBEVP_CIPHER_fetch()\fR 4
.IX Item "EVP_CIPHER_fetch()"
Fetches the cipher implementation for the given \fIalgorithm\fR from any provider
offering it, within the criteria given by the \fIproperties\fR.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.Sp
The returned value must eventually be freed with \fBEVP_CIPHER_free()\fR.
.Sp
-Fetched \fB\s-1EVP_CIPHER\s0\fR structures are reference counted.
-.IP "\fBEVP_CIPHER_up_ref()\fR" 4
+Fetched \fBEVP_CIPHER\fR structures are reference counted.
+.IP \fBEVP_CIPHER_up_ref()\fR 4
.IX Item "EVP_CIPHER_up_ref()"
-Increments the reference count for an \fB\s-1EVP_CIPHER\s0\fR structure.
-.IP "\fBEVP_CIPHER_free()\fR" 4
+Increments the reference count for an \fBEVP_CIPHER\fR structure.
+.IP \fBEVP_CIPHER_free()\fR 4
.IX Item "EVP_CIPHER_free()"
-Decrements the reference count for the fetched \fB\s-1EVP_CIPHER\s0\fR structure.
+Decrements the reference count for the fetched \fBEVP_CIPHER\fR structure.
If the reference count drops to 0 then the structure is freed.
-.IP "\fBEVP_CIPHER_CTX_new()\fR" 4
+If the argument is NULL, nothing is done.
+.IP \fBEVP_CIPHER_CTX_new()\fR 4
.IX Item "EVP_CIPHER_CTX_new()"
Allocates and returns a cipher context.
-.IP "\fBEVP_CIPHER_CTX_free()\fR" 4
+.IP \fBEVP_CIPHER_CTX_free()\fR 4
.IX Item "EVP_CIPHER_CTX_free()"
Clears all information from a cipher context and frees any allocated memory
-associated with it, including \fIctx\fR itself. This function should be called after
-all operations using a cipher are complete so sensitive information does not
-remain in memory.
-.IP "\fBEVP_CIPHER_CTX_ctrl()\fR" 4
+associated with it, including \fIctx\fR itself. This function should be called
+after all operations using a cipher are complete so sensitive information does
+not remain in memory. If the argument is NULL, nothing is done.
+.IP \fBEVP_CIPHER_CTX_dup()\fR 4
+.IX Item "EVP_CIPHER_CTX_dup()"
+Can be used to duplicate the cipher state from \fIin\fR. This is useful
+to avoid multiple \fBEVP_CIPHER_fetch()\fR calls or if large amounts of data are to be
+fed which only differ in the last few bytes.
+.IP \fBEVP_CIPHER_CTX_copy()\fR 4
+.IX Item "EVP_CIPHER_CTX_copy()"
+Can be used to copy the cipher state from \fIin\fR to \fIout\fR.
+.IP \fBEVP_CIPHER_CTX_ctrl()\fR 4
.IX Item "EVP_CIPHER_CTX_ctrl()"
\&\fIThis is a legacy method.\fR \fBEVP_CIPHER_CTX_set_params()\fR and
\&\fBEVP_CIPHER_CTX_get_params()\fR is the mechanism that should be used to set and get
@@ -420,66 +385,75 @@ is indicated in \fIcmd\fR and any additional arguments in \fIp1\fR and \fIp2\fR.
\&\fBEVP_CIPHER_CTX_ctrl()\fR must be called after \fBEVP_CipherInit_ex2()\fR. Other restrictions
may apply depending on the control type and cipher implementation.
.Sp
-If this function happens to be used with a fetched \fB\s-1EVP_CIPHER\s0\fR, it will
-translate the controls that are known to OpenSSL into \s-1\fBOSSL_PARAM\s0\fR\|(3)
+If this function happens to be used with a fetched \fBEVP_CIPHER\fR, it will
+translate the controls that are known to OpenSSL into \fBOSSL_PARAM\fR\|(3)
parameters with keys defined by OpenSSL and call \fBEVP_CIPHER_CTX_get_params()\fR or
\&\fBEVP_CIPHER_CTX_set_params()\fR as is appropriate for each control command.
.Sp
-See \*(L"\s-1CONTROLS\*(R"\s0 below for more information, including what translations are
+See "CONTROLS" below for more information, including what translations are
being done.
-.IP "\fBEVP_CIPHER_get_params()\fR" 4
+.IP \fBEVP_CIPHER_get_params()\fR 4
.IX Item "EVP_CIPHER_get_params()"
-Retrieves the requested list of algorithm \fIparams\fR from a \s-1CIPHER\s0 \fIcipher\fR.
-See \*(L"\s-1PARAMETERS\*(R"\s0 below for more information.
-.IP "\fBEVP_CIPHER_CTX_get_params()\fR" 4
+Retrieves the requested list of algorithm \fIparams\fR from a CIPHER \fIcipher\fR.
+See "PARAMETERS" below for more information.
+.IP \fBEVP_CIPHER_CTX_get_params()\fR 4
.IX Item "EVP_CIPHER_CTX_get_params()"
-Retrieves the requested list of \fIparams\fR from \s-1CIPHER\s0 context \fIctx\fR.
-See \*(L"\s-1PARAMETERS\*(R"\s0 below for more information.
-.IP "\fBEVP_CIPHER_CTX_set_params()\fR" 4
+Retrieves the requested list of \fIparams\fR from CIPHER context \fIctx\fR.
+See "PARAMETERS" below for more information.
+.IP \fBEVP_CIPHER_CTX_set_params()\fR 4
.IX Item "EVP_CIPHER_CTX_set_params()"
-Sets the list of \fIparams\fR into a \s-1CIPHER\s0 context \fIctx\fR.
-See \*(L"\s-1PARAMETERS\*(R"\s0 below for more information.
-.IP "\fBEVP_CIPHER_gettable_params()\fR" 4
+Sets the list of \fIparams\fR into a CIPHER context \fIctx\fR.
+See "PARAMETERS" below for more information.
+.IP \fBEVP_CIPHER_gettable_params()\fR 4
.IX Item "EVP_CIPHER_gettable_params()"
-Get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the retrievable parameters
+Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parameters
that can be used with \fBEVP_CIPHER_get_params()\fR.
.IP "\fBEVP_CIPHER_gettable_ctx_params()\fR and \fBEVP_CIPHER_CTX_gettable_params()\fR" 4
.IX Item "EVP_CIPHER_gettable_ctx_params() and EVP_CIPHER_CTX_gettable_params()"
-Get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the retrievable parameters
+Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the retrievable parameters
that can be used with \fBEVP_CIPHER_CTX_get_params()\fR.
\&\fBEVP_CIPHER_gettable_ctx_params()\fR returns the parameters that can be retrieved
from the algorithm, whereas \fBEVP_CIPHER_CTX_gettable_params()\fR returns the
parameters that can be retrieved in the context's current state.
.IP "\fBEVP_CIPHER_settable_ctx_params()\fR and \fBEVP_CIPHER_CTX_settable_params()\fR" 4
.IX Item "EVP_CIPHER_settable_ctx_params() and EVP_CIPHER_CTX_settable_params()"
-Get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the settable parameters
+Get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters
that can be used with \fBEVP_CIPHER_CTX_set_params()\fR.
\&\fBEVP_CIPHER_settable_ctx_params()\fR returns the parameters that can be set from the
algorithm, whereas \fBEVP_CIPHER_CTX_settable_params()\fR returns the parameters that
can be set in the context's current state.
-.IP "\fBEVP_EncryptInit_ex2()\fR" 4
+.IP \fBEVP_EncryptInit_ex2()\fR 4
.IX Item "EVP_EncryptInit_ex2()"
-Sets up cipher context \fIctx\fR for encryption with cipher \fItype\fR. \fItype\fR is
-typically supplied by calling \fBEVP_CIPHER_fetch()\fR. \fItype\fR may also be set
+Sets up cipher context \fIctx\fR for encryption with cipher \fItype\fR. \fIctx\fR \fBMUST NOT\fR be NULL.
+\&\fItype\fR is typically supplied by calling \fBEVP_CIPHER_fetch()\fR. \fItype\fR may also be set
using legacy functions such as \fBEVP_aes_256_cbc()\fR, but this is not recommended
-for new applications. \fIkey\fR is the symmetric key to use and \fIiv\fR is the \s-1IV\s0 to
-use (if necessary), the actual number of bytes used for the key and \s-1IV\s0 depends
+for new applications. \fIkey\fR is the symmetric key to use and \fIiv\fR is the IV to
+use (if necessary), the actual number of bytes used for the key and IV depends
on the cipher. The parameters \fIparams\fR will be set on the context after
-initialisation. It is possible to set all parameters to \s-1NULL\s0 except \fItype\fR in
+initialisation. It is possible to set all parameters to NULL except \fItype\fR in
an initial call and supply the remaining parameters in subsequent calls, all of
-which have \fItype\fR set to \s-1NULL.\s0 This is done when the default cipher parameters
+which have \fItype\fR set to NULL. This is done when the default cipher parameters
are not appropriate.
-For \fB\s-1EVP_CIPH_GCM_MODE\s0\fR the \s-1IV\s0 will be generated internally if it is not
+For \fBEVP_CIPH_GCM_MODE\fR the IV will be generated internally if it is not
specified.
-.IP "\fBEVP_EncryptInit_ex()\fR" 4
+.IP \fBEVP_EncryptInit_ex()\fR 4
.IX Item "EVP_EncryptInit_ex()"
-This legacy function is similar to \fBEVP_EncryptInit_ex2()\fR when \fIimpl\fR is \s-1NULL.\s0
+This legacy function is similar to \fBEVP_EncryptInit_ex2()\fR when \fIimpl\fR is NULL.
The implementation of the \fItype\fR from the \fIimpl\fR engine will be used if it
exists.
-.IP "\fBEVP_EncryptUpdate()\fR" 4
+.IP \fBEVP_EncryptUpdate()\fR 4
.IX Item "EVP_EncryptUpdate()"
Encrypts \fIinl\fR bytes from the buffer \fIin\fR and writes the encrypted version to
-\&\fIout\fR. This function can be called multiple times to encrypt successive blocks
+\&\fIout\fR. The pointers \fIout\fR and \fIin\fR may point to the same location, in which
+case the encryption will be done in-place. However, in-place encryption is
+guaranteed to work only if the encryption context (\fIctx\fR) has processed data in
+multiples of the block size. If the context contains an incomplete data block
+from previous operations, in-place encryption will fail. \fIctx\fR \fBMUST NOT\fR be NULL.
+.Sp
+If \fIout\fR and \fIin\fR point to different locations, the two buffers must be
+disjoint, otherwise the operation might fail or the outcome might be undefined.
+.Sp
+This function can be called multiple times to encrypt successive blocks
of data. The amount of data written depends on the block alignment of the
encrypted data.
For most ciphers and modes, the amount of data written can be anything
@@ -488,15 +462,14 @@ For wrap cipher modes, the amount of data written can be anything
from zero bytes to (inl + cipher_block_size) bytes.
For stream ciphers, the amount of data written can be anything from zero
bytes to inl bytes.
-Thus, \fIout\fR should contain sufficient room for the operation being performed.
-The actual number of bytes written is placed in \fIoutl\fR. It also
-checks if \fIin\fR and \fIout\fR are partially overlapping, and if they are
-0 is returned to indicate failure.
+Thus, the buffer pointed to by \fIout\fR must contain sufficient room for the
+operation being performed.
+The actual number of bytes written is placed in \fIoutl\fR.
.Sp
If padding is enabled (the default) then \fBEVP_EncryptFinal_ex()\fR encrypts
-the \*(L"final\*(R" data, that is any data that remains in a partial block.
-It uses standard block padding (aka \s-1PKCS\s0 padding) as described in
-the \s-1NOTES\s0 section, below. The encrypted
+the "final" data, that is any data that remains in a partial block.
+It uses standard block padding (aka PKCS padding) as described in
+the NOTES section, below. The encrypted
final data is written to \fIout\fR which should have sufficient space for
one cipher block. The number of bytes written is placed in \fIoutl\fR. After
this function is called the encryption operation is finished and no further
@@ -510,17 +483,18 @@ that is if the total data length is not a multiple of the block size.
These functions are the corresponding decryption operations.
\&\fBEVP_DecryptFinal()\fR will return an error code if padding is enabled and the
final block is not correctly formatted. The parameters and restrictions are
-identical to the encryption operations except that if padding is enabled the
-decrypted data buffer \fIout\fR passed to \fBEVP_DecryptUpdate()\fR should have
-sufficient room for (\fIinl\fR + cipher_block_size) bytes unless the cipher block
-size is 1 in which case \fIinl\fR bytes is sufficient.
+identical to the encryption operations. \fIctx\fR \fBMUST NOT\fR be NULL.
.IP "\fBEVP_CipherInit_ex2()\fR, \fBEVP_CipherInit_ex()\fR, \fBEVP_CipherUpdate()\fR and \fBEVP_CipherFinal_ex()\fR" 4
.IX Item "EVP_CipherInit_ex2(), EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex()"
These functions can be used for decryption or encryption. The operation
performed depends on the value of the \fIenc\fR parameter. It should be set to 1
for encryption, 0 for decryption and \-1 to leave the value unchanged
(the actual value of 'enc' being supplied in a previous call).
-.IP "\fBEVP_CIPHER_CTX_reset()\fR" 4
+.IP \fBEVP_CipherInit_SKEY()\fR 4
+.IX Item "EVP_CipherInit_SKEY()"
+This function is similar to \fBEVP_CipherInit_ex2()\fR but accepts a
+symmetric key object of type \fIEVP_SKEY\fR as a key.
+.IP \fBEVP_CIPHER_CTX_reset()\fR 4
.IX Item "EVP_CIPHER_CTX_reset()"
Clears all information from a cipher context and free up any allocated memory
associated with it, except the \fIctx\fR itself. This function should be called
@@ -537,33 +511,76 @@ Identical to \fBEVP_EncryptFinal_ex()\fR, \fBEVP_DecryptFinal_ex()\fR and
\&\fBEVP_CipherFinal_ex()\fR. In previous releases they also cleaned up
the \fIctx\fR, but this is no longer done and \fBEVP_CIPHER_CTX_cleanup()\fR
must be called to free any context resources.
-.IP "\fBEVP_Cipher()\fR" 4
+.IP \fBEVP_Cipher()\fR 4
.IX Item "EVP_Cipher()"
Encrypts or decrypts a maximum \fIinl\fR amount of bytes from \fIin\fR and leaves the
result in \fIout\fR.
.Sp
For legacy ciphers \- If the cipher doesn't have the flag
-\&\fB\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0\fR set, then \fIinl\fR must be a multiple of
+\&\fBEVP_CIPH_FLAG_CUSTOM_CIPHER\fR set, then \fIinl\fR must be a multiple of
\&\fBEVP_CIPHER_get_block_size()\fR. If it isn't, the result is undefined. If the cipher
has that flag set, then \fIinl\fR can be any size.
.Sp
-Due to the constraints of the \s-1API\s0 contract of this function it shouldn't be used
+Due to the constraints of the API contract of this function it shouldn't be used
in applications, please consider using \fBEVP_CipherUpdate()\fR and
\&\fBEVP_CipherFinal_ex()\fR instead.
+.IP \fBEVP_CIPHER_can_pipeline()\fR 4
+.IX Item "EVP_CIPHER_can_pipeline()"
+This function checks if a \fBEVP_CIPHER\fR fetched using \fBEVP_CIPHER_fetch()\fR supports
+cipher pipelining. If the cipher supports pipelining, it returns 1, otherwise 0.
+This function will return 0 for non-fetched ciphers such as \fBEVP_aes_128_gcm()\fR.
+There are currently no built-in ciphers that support pipelining.
+.Sp
+Cipher pipelining support allows an application to submit multiple chunks of
+data in one set of \fBEVP_CipherUpdate()\fR/EVP_CipherFinal calls, thereby allowing
+the provided implementation to take advantage of parallel computing. This is
+beneficial for hardware accelerators as pipeline amortizes the latency over
+multiple chunks.
+.Sp
+For non-fetched ciphers, \fBEVP_CipherPipelineEncryptInit()\fR or
+\&\fBEVP_CipherPipelineDecryptInit()\fR may be directly called, which will perform a
+fetch and return an error if a pipeline supported implementation is not found.
+.IP "\fBEVP_CipherPipelineEncryptInit()\fR, \fBEVP_CipherPipelineDecryptInit()\fR, \fBEVP_CipherPipelineUpdate()\fR and \fBEVP_CipherPipelineFinal()\fR" 4
+.IX Item "EVP_CipherPipelineEncryptInit(), EVP_CipherPipelineDecryptInit(), EVP_CipherPipelineUpdate() and EVP_CipherPipelineFinal()"
+These functions can be used to perform multiple encryption or decryption
+operations in parallel. \fBEVP_CIPHER_can_pipeline()\fR may be called to check if the
+cipher supports pipelining. These functions are analogous to
+\&\fBEVP_EncryptInit_ex2()\fR, \fBEVP_DecryptInit_ex2()\fR, \fBEVP_CipherUpdate()\fR and
+\&\fBEVP_CipherFinal()\fR but take an array of pointers for iv, input and output buffers.
+.Sp
+The \fIkey\fR, of length \fIkeylen\fR, is the symmetric key to use. The \fInumpipes\fR
+parameter specifies the number of parallel operations to perform. The
+\&\fInumpipes\fR cannot exceed \fBEVP_MAX_PIPES\fR. The \fIiv\fR parameter is an array of
+buffer pointers, containing IVs. The array size must be equal to \fInumpipes\fR.
+The size of each IV buffer must be equal to \fIivlen\fR. When IV is not provided,
+\&\fIiv\fR must be NULL, rather than an array of NULL pointers. The \fIin\fR
+parameters takes an array of buffer pointers, each pointing to a buffer
+containing the input data. The buffers can be of different sizes. The \fIinl\fR
+parameter is an array of size_t, each specifying the size of the corresponding
+input buffer. The \fIout\fR and \fIoutm\fR parameters are arrays of buffer pointers,
+each pointing to a buffer where the output data will be written. The \fIoutsize\fR
+parameter is an array of size_t, each specifying the size of the corresponding
+output buffer. The \fIoutl\fR parameter is an array of size_t which will be updated
+with the size of the output data written to the corresponding output buffer.
+For size requirement of the output buffers, see the description of \fBEVP_CipherUpdate()\fR.
+.Sp
+The \fBEVP_CipherPipelineUpdate()\fR function can be called multiple times to encrypt
+successive blocks of data. For AAD data, the \fIout\fR, and \fIoutsize\fR parameter
+should be NULL, rather than an array of NULL pointers.
.IP "\fBEVP_get_cipherbyname()\fR, \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR" 4
.IX Item "EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()"
-Returns an \fB\s-1EVP_CIPHER\s0\fR structure when passed a cipher name, a cipher \fB\s-1NID\s0\fR or
-an \fB\s-1ASN1_OBJECT\s0\fR structure respectively.
+Returns an \fBEVP_CIPHER\fR structure when passed a cipher name, a cipher \fBNID\fR or
+an \fBASN1_OBJECT\fR structure respectively.
.Sp
-\&\fBEVP_get_cipherbyname()\fR will return \s-1NULL\s0 for algorithms such as \*(L"\s-1AES\-128\-SIV\*(R",
-\&\*(L"AES\-128\-CBC\-CTS\*(R"\s0 and \*(L"\s-1CAMELLIA\-128\-CBC\-CTS\*(R"\s0 which were previously only
+\&\fBEVP_get_cipherbyname()\fR will return NULL for algorithms such as "AES\-128\-SIV",
+"AES\-128\-CBC\-CTS" and "CAMELLIA\-128\-CBC\-CTS" which were previously only
accessible via low level interfaces.
.Sp
The \fBEVP_get_cipherbyname()\fR function is present for backwards compatibility with
OpenSSL prior to version 3 and is different to the \fBEVP_CIPHER_fetch()\fR function
-since it does not attempt to \*(L"fetch\*(R" an implementation of the cipher.
+since it does not attempt to "fetch" an implementation of the cipher.
Additionally, it only knows about ciphers that are built-in to OpenSSL and have
-an associated \s-1NID.\s0 Similarly \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR
+an associated NID. Similarly \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR
also return objects without an associated implementation.
.Sp
When the cipher objects returned by these functions are used (such as in a call
@@ -572,637 +589,686 @@ fetched from the loaded providers. This fetch could fail if no suitable
implementation is available. Use \fBEVP_CIPHER_fetch()\fR instead to explicitly fetch
the algorithm and an associated implementation from a provider.
.Sp
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for more information about fetching.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more information about fetching.
.Sp
The cipher objects returned from these functions do not need to be freed with
\&\fBEVP_CIPHER_free()\fR.
.IP "\fBEVP_CIPHER_get_nid()\fR and \fBEVP_CIPHER_CTX_get_nid()\fR" 4
.IX Item "EVP_CIPHER_get_nid() and EVP_CIPHER_CTX_get_nid()"
-Return the \s-1NID\s0 of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR
-structure. The actual \s-1NID\s0 value is an internal value which may not have a
-corresponding \s-1OBJECT IDENTIFIER.\s0
+Return the NID of a cipher when passed an \fBEVP_CIPHER\fR or \fBEVP_CIPHER_CTX\fR
+structure. The actual NID value is an internal value which may not have a
+corresponding OBJECT IDENTIFIER. NID_undef is returned in the event that the
+nid is unknown or if the cipher has not been properly initialized via a call to
+\&\fBEVP_CipherInit\fR.
.IP "\fBEVP_CIPHER_CTX_set_flags()\fR, \fBEVP_CIPHER_CTX_clear_flags()\fR and \fBEVP_CIPHER_CTX_test_flags()\fR" 4
.IX Item "EVP_CIPHER_CTX_set_flags(), EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags()"
-Sets, clears and tests \fIctx\fR flags. See \*(L"\s-1FLAGS\*(R"\s0 below for more information.
+Sets, clears and tests \fIctx\fR flags. See "FLAGS" below for more information.
.Sp
For provided ciphers \fBEVP_CIPHER_CTX_set_flags()\fR should be called only after the
fetched cipher has been assigned to the \fIctx\fR. It is recommended to use
-\&\*(L"\s-1PARAMETERS\*(R"\s0 instead.
-.IP "\fBEVP_CIPHER_CTX_set_padding()\fR" 4
+"PARAMETERS" instead.
+.IP \fBEVP_CIPHER_CTX_set_padding()\fR 4
.IX Item "EVP_CIPHER_CTX_set_padding()"
Enables or disables padding. This function should be called after the context
is set up for encryption or decryption with \fBEVP_EncryptInit_ex2()\fR,
-\&\fBEVP_DecryptInit_ex2()\fR or \fBEVP_CipherInit_ex2()\fR. By default encryption operations
-are padded using standard block padding and the padding is checked and removed
-when decrypting. If the \fIpad\fR parameter is zero then no padding is
-performed, the total amount of data encrypted or decrypted must then
-be a multiple of the block size or an error will occur.
+\&\fBEVP_DecryptInit_ex2()\fR, \fBEVP_CipherInit_ex2()\fR, or \fBEVP_CipherInit_SKEY()\fR. By
+default encryption operations are padded using standard block padding and the
+padding is checked and removed when decrypting. If the \fIpad\fR parameter is zero
+then no padding is performed, the total amount of data encrypted or decrypted
+must then be a multiple of the block size or an error will occur. \fIx\fR \fBMUST
+NOT\fR be NULL.
.IP "\fBEVP_CIPHER_get_key_length()\fR and \fBEVP_CIPHER_CTX_get_key_length()\fR" 4
.IX Item "EVP_CIPHER_get_key_length() and EVP_CIPHER_CTX_get_key_length()"
-Return the key length of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or
-\&\fB\s-1EVP_CIPHER_CTX\s0\fR structure. The constant \fB\s-1EVP_MAX_KEY_LENGTH\s0\fR is the maximum
+Return the key length of a cipher when passed an \fBEVP_CIPHER\fR or
+\&\fBEVP_CIPHER_CTX\fR structure. The constant \fBEVP_MAX_KEY_LENGTH\fR is the maximum
key length for all ciphers. Note: although \fBEVP_CIPHER_get_key_length()\fR is fixed for
a given cipher, the value of \fBEVP_CIPHER_CTX_get_key_length()\fR may be different for
variable key length ciphers.
-.IP "\fBEVP_CIPHER_CTX_set_key_length()\fR" 4
+.IP \fBEVP_CIPHER_CTX_set_key_length()\fR 4
.IX Item "EVP_CIPHER_CTX_set_key_length()"
Sets the key length of the cipher context.
If the cipher is a fixed length cipher then attempting to set the key
length to any value other than the fixed value is an error.
.IP "\fBEVP_CIPHER_get_iv_length()\fR and \fBEVP_CIPHER_CTX_get_iv_length()\fR" 4
.IX Item "EVP_CIPHER_get_iv_length() and EVP_CIPHER_CTX_get_iv_length()"
-Return the \s-1IV\s0 length of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or
-\&\fB\s-1EVP_CIPHER_CTX\s0\fR. It will return zero if the cipher does not use an \s-1IV.\s0
-The constant \fB\s-1EVP_MAX_IV_LENGTH\s0\fR is the maximum \s-1IV\s0 length for all ciphers.
-.IP "\fBEVP_CIPHER_CTX_get_tag_length()\fR" 4
+Return the IV length of a cipher when passed an \fBEVP_CIPHER\fR or
+\&\fBEVP_CIPHER_CTX\fR. It will return zero if the cipher does not use an IV, if
+the cipher has not yet been initialized within the \fBEVP_CIPHER_CTX\fR, or if the
+passed cipher is NULL. The constant \fBEVP_MAX_IV_LENGTH\fR is the maximum IV
+length for all ciphers.
+.IP \fBEVP_CIPHER_CTX_get_tag_length()\fR 4
.IX Item "EVP_CIPHER_CTX_get_tag_length()"
-Returns the tag length of an \s-1AEAD\s0 cipher when passed a \fB\s-1EVP_CIPHER_CTX\s0\fR. It will
+Returns the tag length of an AEAD cipher when passed a \fBEVP_CIPHER_CTX\fR. It will
return zero if the cipher does not support a tag. It returns a default value if
the tag length has not been set.
.IP "\fBEVP_CIPHER_get_block_size()\fR and \fBEVP_CIPHER_CTX_get_block_size()\fR" 4
.IX Item "EVP_CIPHER_get_block_size() and EVP_CIPHER_CTX_get_block_size()"
-Return the block size of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or
-\&\fB\s-1EVP_CIPHER_CTX\s0\fR structure. The constant \fB\s-1EVP_MAX_BLOCK_LENGTH\s0\fR is also the
+Return the block size of a cipher when passed an \fBEVP_CIPHER\fR or
+\&\fBEVP_CIPHER_CTX\fR structure. The constant \fBEVP_MAX_BLOCK_LENGTH\fR is also the
maximum block length for all ciphers.
+A value of 0 is returned if, with \fBEVP_CIPHER_get_block_size()\fR, the cipher
+\&\fIe\fR is NULL, or, with \fBEVP_CIPHER_CTX_get_block_size()\fR, the context
+\&\fIctx\fR is NULL or has not been properly initialized with a call to
+\&\fBEVP_CipherInit\fR.
.IP "\fBEVP_CIPHER_get_type()\fR and \fBEVP_CIPHER_CTX_get_type()\fR" 4
.IX Item "EVP_CIPHER_get_type() and EVP_CIPHER_CTX_get_type()"
-Return the type of the passed cipher or context. This \*(L"type\*(R" is the actual \s-1NID\s0
-of the cipher \s-1OBJECT IDENTIFIER\s0 and as such it ignores the cipher parameters
-(40 bit \s-1RC2\s0 and 128 bit \s-1RC2\s0 have the same \s-1NID\s0). If the cipher does not have an
-object identifier or does not have \s-1ASN1\s0 support this function will return
+Return the type of the passed cipher or context. This "type" is the actual NID
+of the cipher OBJECT IDENTIFIER and as such it ignores the cipher parameters
+(40 bit RC2 and 128 bit RC2 have the same NID). If the cipher does not have an
+object identifier or does not have ASN1 support this function will return
\&\fBNID_undef\fR.
-.IP "\fBEVP_CIPHER_is_a()\fR" 4
+.IP \fBEVP_CIPHER_is_a()\fR 4
.IX Item "EVP_CIPHER_is_a()"
Returns 1 if \fIcipher\fR is an implementation of an algorithm that's identifiable
with \fIname\fR, otherwise 0. If \fIcipher\fR is a legacy cipher (it's the return
value from the likes of \fBEVP_aes128()\fR rather than the result of an
\&\fBEVP_CIPHER_fetch()\fR), only cipher names registered with the default library
-context (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) will be considered.
+context (see \fBOSSL_LIB_CTX\fR\|(3)) will be considered.
.IP "\fBEVP_CIPHER_get0_name()\fR and \fBEVP_CIPHER_CTX_get0_name()\fR" 4
.IX Item "EVP_CIPHER_get0_name() and EVP_CIPHER_CTX_get0_name()"
Return the name of the passed cipher or context. For fetched ciphers with
multiple names, only one of them is returned. See also \fBEVP_CIPHER_names_do_all()\fR.
-.IP "\fBEVP_CIPHER_names_do_all()\fR" 4
+\&\fIcipher\fR \fBMUST NOT\fR be NULL.
+.IP \fBEVP_CIPHER_names_do_all()\fR 4
.IX Item "EVP_CIPHER_names_do_all()"
Traverses all names for the \fIcipher\fR, and calls \fIfn\fR with each name and
-\&\fIdata\fR. This is only useful with fetched \fB\s-1EVP_CIPHER\s0\fRs.
-.IP "\fBEVP_CIPHER_get0_description()\fR" 4
+\&\fIdata\fR. This is only useful with fetched \fBEVP_CIPHER\fRs.
+.IP \fBEVP_CIPHER_get0_description()\fR 4
.IX Item "EVP_CIPHER_get0_description()"
Returns a description of the cipher, meant for display and human consumption.
The description is at the discretion of the cipher implementation.
-.IP "\fBEVP_CIPHER_get0_provider()\fR" 4
+.IP \fBEVP_CIPHER_get0_provider()\fR 4
.IX Item "EVP_CIPHER_get0_provider()"
-Returns an \fB\s-1OSSL_PROVIDER\s0\fR pointer to the provider that implements the given
-\&\fB\s-1EVP_CIPHER\s0\fR.
-.IP "\fBEVP_CIPHER_CTX_get0_cipher()\fR" 4
+Returns an \fBOSSL_PROVIDER\fR pointer to the provider that implements the given
+\&\fBEVP_CIPHER\fR.
+.IP \fBEVP_CIPHER_CTX_get0_cipher()\fR 4
.IX Item "EVP_CIPHER_CTX_get0_cipher()"
-Returns the \fB\s-1EVP_CIPHER\s0\fR structure when passed an \fB\s-1EVP_CIPHER_CTX\s0\fR structure.
+Returns the \fBEVP_CIPHER\fR structure when passed an \fBEVP_CIPHER_CTX\fR structure.
\&\fBEVP_CIPHER_CTX_get1_cipher()\fR is the same except the ownership is passed to
-the caller.
+the caller. Both functions return NULL on error.
.IP "\fBEVP_CIPHER_get_mode()\fR and \fBEVP_CIPHER_CTX_get_mode()\fR" 4
.IX Item "EVP_CIPHER_get_mode() and EVP_CIPHER_CTX_get_mode()"
Return the block cipher mode:
-\&\s-1EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
+EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE,
-EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE\s0 or \s-1EVP_CIPH_SIV_MODE.\s0
-If the cipher is a stream cipher then \s-1EVP_CIPH_STREAM_CIPHER\s0 is returned.
-.IP "\fBEVP_CIPHER_get_flags()\fR" 4
+EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE or EVP_CIPH_SIV_MODE.
+If the cipher is a stream cipher then EVP_CIPH_STREAM_CIPHER is returned.
+.IP \fBEVP_CIPHER_get_flags()\fR 4
.IX Item "EVP_CIPHER_get_flags()"
-Returns any flags associated with the cipher. See \*(L"\s-1FLAGS\*(R"\s0
+Returns any flags associated with the cipher. See "FLAGS"
for a list of currently defined flags.
.IP "\fBEVP_CIPHER_CTX_get_num()\fR and \fBEVP_CIPHER_CTX_set_num()\fR" 4
.IX Item "EVP_CIPHER_CTX_get_num() and EVP_CIPHER_CTX_set_num()"
-Gets or sets the cipher specific \*(L"num\*(R" parameter for the associated \fIctx\fR.
+Gets or sets the cipher specific "num" parameter for the associated \fIctx\fR.
Built-in ciphers typically use this to track how much of the current underlying block
-has been \*(L"used\*(R" already.
-.IP "\fBEVP_CIPHER_CTX_is_encrypting()\fR" 4
+has been "used" already.
+.IP \fBEVP_CIPHER_CTX_is_encrypting()\fR 4
.IX Item "EVP_CIPHER_CTX_is_encrypting()"
Reports whether the \fIctx\fR is being used for encryption or decryption.
-.IP "\fBEVP_CIPHER_CTX_flags()\fR" 4
+.IP \fBEVP_CIPHER_CTX_flags()\fR 4
.IX Item "EVP_CIPHER_CTX_flags()"
A deprecated macro calling \f(CW\*(C`EVP_CIPHER_get_flags(EVP_CIPHER_CTX_get0_cipher(ctx))\*(C'\fR.
Do not use.
-.IP "\fBEVP_CIPHER_param_to_asn1()\fR" 4
+.IP \fBEVP_CIPHER_param_to_asn1()\fR 4
.IX Item "EVP_CIPHER_param_to_asn1()"
-Sets the AlgorithmIdentifier \*(L"parameter\*(R" based on the passed cipher. This will
-typically include any parameters and an \s-1IV.\s0 The cipher \s-1IV\s0 (if any) must be set
+Sets the AlgorithmIdentifier "parameter" based on the passed cipher. This will
+typically include any parameters and an IV. The cipher IV (if any) must be set
when this call is made. This call should be made before the cipher is actually
-\&\*(L"used\*(R" (before any \fBEVP_EncryptUpdate()\fR, \fBEVP_DecryptUpdate()\fR calls for example).
-This function may fail if the cipher does not have any \s-1ASN1\s0 support.
-.IP "\fBEVP_CIPHER_asn1_to_param()\fR" 4
+"used" (before any \fBEVP_EncryptUpdate()\fR, \fBEVP_DecryptUpdate()\fR calls for example).
+This function may fail if the cipher does not have any ASN1 support, or if an
+uninitialized cipher is passed to it.
+.IP \fBEVP_CIPHER_asn1_to_param()\fR 4
.IX Item "EVP_CIPHER_asn1_to_param()"
-Sets the cipher parameters based on an \s-1ASN1\s0 AlgorithmIdentifier \*(L"parameter\*(R".
-The precise effect depends on the cipher. In the case of \fB\s-1RC2\s0\fR, for example,
-it will set the \s-1IV\s0 and effective key length.
+Sets the cipher parameters based on an ASN1 AlgorithmIdentifier "parameter".
+The precise effect depends on the cipher. In the case of \fBRC2\fR, for example,
+it will set the IV and effective key length.
This function should be called after the base cipher type is set but before
-the key is set. For example \fBEVP_CipherInit()\fR will be called with the \s-1IV\s0 and
-key set to \s-1NULL,\s0 \fBEVP_CIPHER_asn1_to_param()\fR will be called and finally
-\&\fBEVP_CipherInit()\fR again with all parameters except the key set to \s-1NULL.\s0 It is
-possible for this function to fail if the cipher does not have any \s-1ASN1\s0 support
-or the parameters cannot be set (for example the \s-1RC2\s0 effective key length
+the key is set. For example \fBEVP_CipherInit()\fR will be called with the IV and
+key set to NULL, \fBEVP_CIPHER_asn1_to_param()\fR will be called and finally
+\&\fBEVP_CipherInit()\fR again with all parameters except the key set to NULL. It is
+possible for this function to fail if the cipher does not have any ASN1 support
+or the parameters cannot be set (for example the RC2 effective key length
is not supported.
-.IP "\fBEVP_CIPHER_CTX_rand_key()\fR" 4
+.IP \fBEVP_CIPHER_CTX_rand_key()\fR 4
.IX Item "EVP_CIPHER_CTX_rand_key()"
Generates a random key of the appropriate length based on the cipher context.
-The \fB\s-1EVP_CIPHER\s0\fR can provide its own random key generation routine to support
+The \fBEVP_CIPHER\fR can provide its own random key generation routine to support
keys of a specific form. \fIkey\fR must point to a buffer at least as big as the
value returned by \fBEVP_CIPHER_CTX_get_key_length()\fR.
-.IP "\fBEVP_CIPHER_do_all_provided()\fR" 4
+.IP \fBEVP_CIPHER_do_all_provided()\fR 4
.IX Item "EVP_CIPHER_do_all_provided()"
Traverses all ciphers implemented by all activated providers in the given
library context \fIlibctx\fR, and for each of the implementations, calls the given
function \fIfn\fR with the implementation method and the given \fIarg\fR as argument.
-.SH "PARAMETERS"
+.SH PARAMETERS
.IX Header "PARAMETERS"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for information about passing parameters.
-.SS "Gettable \s-1EVP_CIPHER\s0 parameters"
+See \fBOSSL_PARAM\fR\|(3) for information about passing parameters.
+.SS "Gettable EVP_CIPHER parameters"
.IX Subsection "Gettable EVP_CIPHER parameters"
When \fBEVP_CIPHER_fetch()\fR is called it internally calls \fBEVP_CIPHER_get_params()\fR
and caches the results.
.PP
-\&\fBEVP_CIPHER_get_params()\fR can be used with the following \s-1\fBOSSL_PARAM\s0\fR\|(3) keys:
-.ie n .IP """mode"" (\fB\s-1OSSL_CIPHER_PARAM_MODE\s0\fR) <unsigned integer>" 4
-.el .IP "``mode'' (\fB\s-1OSSL_CIPHER_PARAM_MODE\s0\fR) <unsigned integer>" 4
-.IX Item "mode (OSSL_CIPHER_PARAM_MODE) <unsigned integer>"
+\&\fBEVP_CIPHER_get_params()\fR can be used with the following \fBOSSL_PARAM\fR\|(3) keys:
+.IP """mode"" (\fBOSSL_CIPHER_PARAM_MODE\fR) <unsigned integer>" 4
+.IX Item """mode"" (OSSL_CIPHER_PARAM_MODE) <unsigned integer>"
Gets the mode for the associated cipher algorithm \fIcipher\fR.
-See \*(L"\fBEVP_CIPHER_get_mode()\fR and \fBEVP_CIPHER_CTX_get_mode()\fR\*(R" for a list of valid modes.
+See "\fBEVP_CIPHER_get_mode()\fR and \fBEVP_CIPHER_CTX_get_mode()\fR" for a list of valid modes.
Use \fBEVP_CIPHER_get_mode()\fR to retrieve the cached value.
-.ie n .IP """keylen"" (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``keylen'' (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "keylen (OSSL_CIPHER_PARAM_KEYLEN) <unsigned integer>"
+.IP """keylen"" (\fBOSSL_CIPHER_PARAM_KEYLEN\fR) <unsigned integer>" 4
+.IX Item """keylen"" (OSSL_CIPHER_PARAM_KEYLEN) <unsigned integer>"
Gets the key length for the associated cipher algorithm \fIcipher\fR.
Use \fBEVP_CIPHER_get_key_length()\fR to retrieve the cached value.
-.ie n .IP """ivlen"" (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``ivlen'' (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR) <unsigned integer>" 4
-.IX Item "ivlen (OSSL_CIPHER_PARAM_IVLEN) <unsigned integer>"
-Gets the \s-1IV\s0 length for the associated cipher algorithm \fIcipher\fR.
+.IP """ivlen"" (\fBOSSL_CIPHER_PARAM_IVLEN\fR) <unsigned integer>" 4
+.IX Item """ivlen"" (OSSL_CIPHER_PARAM_IVLEN) <unsigned integer>"
+Gets the IV length for the associated cipher algorithm \fIcipher\fR.
Use \fBEVP_CIPHER_get_iv_length()\fR to retrieve the cached value.
-.ie n .IP """blocksize"" (\fB\s-1OSSL_CIPHER_PARAM_BLOCK_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``blocksize'' (\fB\s-1OSSL_CIPHER_PARAM_BLOCK_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "blocksize (OSSL_CIPHER_PARAM_BLOCK_SIZE) <unsigned integer>"
+.IP """blocksize"" (\fBOSSL_CIPHER_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """blocksize"" (OSSL_CIPHER_PARAM_BLOCK_SIZE) <unsigned integer>"
Gets the block size for the associated cipher algorithm \fIcipher\fR.
The block size should be 1 for stream ciphers.
Note that the block size for a cipher may be different to the block size for
the underlying encryption/decryption primitive.
-For example \s-1AES\s0 in \s-1CTR\s0 mode has a block size of 1 (because it operates like a
-stream cipher), even though \s-1AES\s0 has a block size of 16.
+For example AES in CTR mode has a block size of 1 (because it operates like a
+stream cipher), even though AES has a block size of 16.
Use \fBEVP_CIPHER_get_block_size()\fR to retrieve the cached value.
-.ie n .IP """aead"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD\s0\fR) <integer>" 4
-.el .IP "``aead'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD\s0\fR) <integer>" 4
-.IX Item "aead (OSSL_CIPHER_PARAM_AEAD) <integer>"
-Gets 1 if this is an \s-1AEAD\s0 cipher algorithm, otherwise it gets 0.
-Use (EVP_CIPHER_get_flags(cipher) & \s-1EVP_CIPH_FLAG_AEAD_CIPHER\s0) to retrieve the
+.IP """aead"" (\fBOSSL_CIPHER_PARAM_AEAD\fR) <integer>" 4
+.IX Item """aead"" (OSSL_CIPHER_PARAM_AEAD) <integer>"
+Gets 1 if this is an AEAD cipher algorithm, otherwise it gets 0.
+Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) to retrieve the
cached value.
-.ie n .IP """custom-iv"" (\fB\s-1OSSL_CIPHER_PARAM_CUSTOM_IV\s0\fR) <integer>" 4
-.el .IP "``custom-iv'' (\fB\s-1OSSL_CIPHER_PARAM_CUSTOM_IV\s0\fR) <integer>" 4
-.IX Item "custom-iv (OSSL_CIPHER_PARAM_CUSTOM_IV) <integer>"
-Gets 1 if the cipher algorithm \fIcipher\fR has a custom \s-1IV,\s0 otherwise it gets 0.
-Storing and initializing the \s-1IV\s0 is left entirely to the implementation, if a
-custom \s-1IV\s0 is used.
-Use (EVP_CIPHER_get_flags(cipher) & \s-1EVP_CIPH_CUSTOM_IV\s0) to retrieve the
+.IP """custom-iv"" (\fBOSSL_CIPHER_PARAM_CUSTOM_IV\fR) <integer>" 4
+.IX Item """custom-iv"" (OSSL_CIPHER_PARAM_CUSTOM_IV) <integer>"
+Gets 1 if the cipher algorithm \fIcipher\fR has a custom IV, otherwise it gets 0.
+Storing and initializing the IV is left entirely to the implementation, if a
+custom IV is used.
+Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_CUSTOM_IV) to retrieve the
cached value.
-.ie n .IP """cts"" (\fB\s-1OSSL_CIPHER_PARAM_CTS\s0\fR) <integer>" 4
-.el .IP "``cts'' (\fB\s-1OSSL_CIPHER_PARAM_CTS\s0\fR) <integer>" 4
-.IX Item "cts (OSSL_CIPHER_PARAM_CTS) <integer>"
+.IP """cts"" (\fBOSSL_CIPHER_PARAM_CTS\fR) <integer>" 4
+.IX Item """cts"" (OSSL_CIPHER_PARAM_CTS) <integer>"
Gets 1 if the cipher algorithm \fIcipher\fR uses ciphertext stealing,
otherwise it gets 0.
This is currently used to indicate that the cipher is a one shot that only
allows a single call to \fBEVP_CipherUpdate()\fR.
-Use (EVP_CIPHER_get_flags(cipher) & \s-1EVP_CIPH_FLAG_CTS\s0) to retrieve the
+Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_CTS) to retrieve the
cached value.
-.ie n .IP """tls-multi"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\s0\fR) <integer>" 4
-.el .IP "``tls-multi'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\s0\fR) <integer>" 4
-.IX Item "tls-multi (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK) <integer>"
+.IP """tls-multi"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK\fR) <integer>" 4
+.IX Item """tls-multi"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK) <integer>"
Gets 1 if the cipher algorithm \fIcipher\fR supports interleaving of crypto blocks,
otherwise it gets 0. The interleaving is an optimization only applicable to certain
-\&\s-1TLS\s0 ciphers.
-Use (EVP_CIPHER_get_flags(cipher) & \s-1EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\s0) to retrieve the
+TLS ciphers.
+Use (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) to retrieve the
cached value.
-.ie n .IP """has-randkey"" (\fB\s-1OSSL_CIPHER_PARAM_HAS_RANDKEY\s0\fR) <integer>" 4
-.el .IP "``has-randkey'' (\fB\s-1OSSL_CIPHER_PARAM_HAS_RANDKEY\s0\fR) <integer>" 4
-.IX Item "has-randkey (OSSL_CIPHER_PARAM_HAS_RANDKEY) <integer>"
-Gets 1 if the cipher algorithm \fIcipher\fR supports the gettable \s-1EVP_CIPHER_CTX\s0
-parameter \fB\s-1OSSL_CIPHER_PARAM_RANDOM_KEY\s0\fR. Only \s-1DES\s0 and 3DES set this to 1,
+.IP """has-randkey"" (\fBOSSL_CIPHER_PARAM_HAS_RANDKEY\fR) <integer>" 4
+.IX Item """has-randkey"" (OSSL_CIPHER_PARAM_HAS_RANDKEY) <integer>"
+Gets 1 if the cipher algorithm \fIcipher\fR supports the gettable EVP_CIPHER_CTX
+parameter \fBOSSL_CIPHER_PARAM_RANDOM_KEY\fR. Only DES and 3DES set this to 1,
all other OpenSSL ciphers return 0.
-.SS "Gettable and Settable \s-1EVP_CIPHER_CTX\s0 parameters"
+.IP """decrypt-only"" (\fBOSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer\fR" 4
+.IX Item """decrypt-only"" (OSSL_CIPHER_PARAM_DECRYPT_ONLY) <integer"
+Gets 1 if the cipher algorithm \fIcipher\fR implementation supports only
+the decryption operation such as the 3DES ciphers in the fips provider.
+Otherwise gets 0 or the parameter might not be present at all.
+.SS "Gettable and Settable EVP_CIPHER_CTX parameters"
.IX Subsection "Gettable and Settable EVP_CIPHER_CTX parameters"
-The following \s-1\fBOSSL_PARAM\s0\fR\|(3) keys can be used with both \fBEVP_CIPHER_CTX_get_params()\fR
+The following \fBOSSL_PARAM\fR\|(3) keys can be used with both \fBEVP_CIPHER_CTX_get_params()\fR
and \fBEVP_CIPHER_CTX_set_params()\fR.
-.ie n .IP """padding"" (\fB\s-1OSSL_CIPHER_PARAM_PADDING\s0\fR) <unsigned integer>" 4
-.el .IP "``padding'' (\fB\s-1OSSL_CIPHER_PARAM_PADDING\s0\fR) <unsigned integer>" 4
-.IX Item "padding (OSSL_CIPHER_PARAM_PADDING) <unsigned integer>"
+.IP """padding"" (\fBOSSL_CIPHER_PARAM_PADDING\fR) <unsigned integer>" 4
+.IX Item """padding"" (OSSL_CIPHER_PARAM_PADDING) <unsigned integer>"
Gets or sets the padding mode for the cipher context \fIctx\fR.
Padding is enabled if the value is 1, and disabled if the value is 0.
See also \fBEVP_CIPHER_CTX_set_padding()\fR.
-.ie n .IP """num"" (\fB\s-1OSSL_CIPHER_PARAM_NUM\s0\fR) <unsigned integer>" 4
-.el .IP "``num'' (\fB\s-1OSSL_CIPHER_PARAM_NUM\s0\fR) <unsigned integer>" 4
-.IX Item "num (OSSL_CIPHER_PARAM_NUM) <unsigned integer>"
-Gets or sets the cipher specific \*(L"num\*(R" parameter for the cipher context \fIctx\fR.
+.IP """num"" (\fBOSSL_CIPHER_PARAM_NUM\fR) <unsigned integer>" 4
+.IX Item """num"" (OSSL_CIPHER_PARAM_NUM) <unsigned integer>"
+Gets or sets the cipher specific "num" parameter for the cipher context \fIctx\fR.
Built-in ciphers typically use this to track how much of the current underlying
-block has been \*(L"used\*(R" already.
+block has been "used" already.
See also \fBEVP_CIPHER_CTX_get_num()\fR and \fBEVP_CIPHER_CTX_set_num()\fR.
-.ie n .IP """keylen"" (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``keylen'' (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "keylen (OSSL_CIPHER_PARAM_KEYLEN) <unsigned integer>"
+.IP """keylen"" (\fBOSSL_CIPHER_PARAM_KEYLEN\fR) <unsigned integer>" 4
+.IX Item """keylen"" (OSSL_CIPHER_PARAM_KEYLEN) <unsigned integer>"
Gets or sets the key length for the cipher context \fIctx\fR.
-The length of the \*(L"keylen\*(R" parameter should not exceed that of a \fBsize_t\fR.
+The length of the "keylen" parameter should not exceed that of a \fBsize_t\fR.
See also \fBEVP_CIPHER_CTX_get_key_length()\fR and \fBEVP_CIPHER_CTX_set_key_length()\fR.
-.ie n .IP """tag"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TAG\s0\fR) <octet string>" 4
-.el .IP "``tag'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TAG\s0\fR) <octet string>" 4
-.IX Item "tag (OSSL_CIPHER_PARAM_AEAD_TAG) <octet string>"
-Gets or sets the \s-1AEAD\s0 tag for the associated cipher context \fIctx\fR.
-See \*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3).
-.ie n .IP """keybits"" (\fB\s-1OSSL_CIPHER_PARAM_RC2_KEYBITS\s0\fR) <unsigned integer>" 4
-.el .IP "``keybits'' (\fB\s-1OSSL_CIPHER_PARAM_RC2_KEYBITS\s0\fR) <unsigned integer>" 4
-.IX Item "keybits (OSSL_CIPHER_PARAM_RC2_KEYBITS) <unsigned integer>"
-Gets or sets the effective keybits used for a \s-1RC2\s0 cipher.
-The length of the \*(L"keybits\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """rounds"" (\fB\s-1OSSL_CIPHER_PARAM_ROUNDS\s0\fR) <unsigned integer>" 4
-.el .IP "``rounds'' (\fB\s-1OSSL_CIPHER_PARAM_ROUNDS\s0\fR) <unsigned integer>" 4
-.IX Item "rounds (OSSL_CIPHER_PARAM_ROUNDS) <unsigned integer>"
+.IP """tag"" (\fBOSSL_CIPHER_PARAM_AEAD_TAG\fR) <octet string>" 4
+.IX Item """tag"" (OSSL_CIPHER_PARAM_AEAD_TAG) <octet string>"
+Gets or sets the AEAD tag for the associated cipher context \fIctx\fR.
+See "AEAD Interface" in \fBEVP_EncryptInit\fR\|(3).
+.IP """pipeline-tag"" (\fBOSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG\fR) <octet ptr>" 4
+.IX Item """pipeline-tag"" (OSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG) <octet ptr>"
+Gets or sets the AEAD tag when using cipher pipelining. The pointer must
+point to an array of buffers, where the aead tag will be read from or written to.
+The array size must be equal to \fInumpipes\fR used in
+\&\fBEVP_CipherPipelineEncryptInit()\fR or \fBEVP_CipherPipelineDecryptInit()\fR.
+.IP """keybits"" (\fBOSSL_CIPHER_PARAM_RC2_KEYBITS\fR) <unsigned integer>" 4
+.IX Item """keybits"" (OSSL_CIPHER_PARAM_RC2_KEYBITS) <unsigned integer>"
+Gets or sets the effective keybits used for a RC2 cipher.
+The length of the "keybits" parameter should not exceed that of a \fBsize_t\fR.
+.IP """rounds"" (\fBOSSL_CIPHER_PARAM_ROUNDS\fR) <unsigned integer>" 4
+.IX Item """rounds"" (OSSL_CIPHER_PARAM_ROUNDS) <unsigned integer>"
Gets or sets the number of rounds to be used for a cipher.
-This is used by the \s-1RC5\s0 cipher.
-.ie n .IP """alg_id_param"" (\fB\s-1OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\s0\fR) <octet string>" 4
-.el .IP "``alg_id_param'' (\fB\s-1OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\s0\fR) <octet string>" 4
-.IX Item "alg_id_param (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS) <octet string>"
-Used to pass the \s-1DER\s0 encoded AlgorithmIdentifier parameter to or from
-the cipher implementation. Functions like \fBEVP_CIPHER_param_to_asn1\fR\|(3)
-and \fBEVP_CIPHER_asn1_to_param\fR\|(3) use this parameter for any implementation
-that has the flag \fB\s-1EVP_CIPH_FLAG_CUSTOM_ASN1\s0\fR set.
-.ie n .IP """cts_mode"" (\fB\s-1OSSL_CIPHER_PARAM_CTS_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cts_mode'' (\fB\s-1OSSL_CIPHER_PARAM_CTS_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cts_mode (OSSL_CIPHER_PARAM_CTS_MODE) <UTF8 string>"
+This is used by the RC5 cipher.
+.IP """algorithm-id"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID\fR) <octet string>" 4
+.IX Item """algorithm-id"" (OSSL_CIPHER_PARAM_ALGORITHM_ID) <octet string>"
+Used to get the DER encoded AlgorithmIdentifier from the cipher
+implementation. Functions like \fBEVP_PKEY_CTX_get_algor\fR\|(3) use this
+parameter.
+.IP """algorithm-id-params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS\fR) <octet string>" 4
+.IX Item """algorithm-id-params"" (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS) <octet string>"
+Used to pass the DER encoded AlgorithmIdentifier parameter to or from
+the cipher implementation.
+Functions like \fBEVP_CIPHER_CTX_set_algor_params\fR\|(3) and
+\&\fBEVP_CIPHER_CTX_get_algor_params\fR\|(3) use this parameter.
+.IP """alg_id_params"" (\fBOSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD\fR) <octet string>" 4
+.IX Item """alg_id_params"" (OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS_OLD) <octet string>"
+An deprecated alias for "algorithm-id-params", only used by
+\&\fBEVP_CIPHER_param_to_asn1\fR\|(3) and \fBEVP_CIPHER_asn1_to_param\fR\|(3).
+.IP """cts_mode"" (\fBOSSL_CIPHER_PARAM_CTS_MODE\fR) <UTF8 string>" 4
+.IX Item """cts_mode"" (OSSL_CIPHER_PARAM_CTS_MODE) <UTF8 string>"
Gets or sets the cipher text stealing mode. For all modes the output size is the
same as the input size. The input length must be greater than or equal to the
-block size. (The block size for \s-1AES\s0 and \s-1CAMELLIA\s0 is 16 bytes).
+block size. (The block size for AES and CAMELLIA is 16 bytes).
.Sp
Valid values for the mode are:
.RS 4
-.ie n .IP """\s-1CS1""\s0" 4
-.el .IP "``\s-1CS1''\s0" 4
-.IX Item "CS1"
-The \s-1NIST\s0 variant of cipher text stealing.
+.IP """CS1""" 4
+.IX Item """CS1"""
+The NIST variant of cipher text stealing.
For input lengths that are multiples of the block size it is equivalent to
-using a \*(L"AES-XXX-CBC\*(R" or \*(L"CAMELLIA-XXX-CBC\*(R" cipher otherwise the second last
+using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher otherwise the second last
cipher text block is a partial block.
-.ie n .IP """\s-1CS2""\s0" 4
-.el .IP "``\s-1CS2''\s0" 4
-.IX Item "CS2"
+.IP """CS2""" 4
+.IX Item """CS2"""
For input lengths that are multiples of the block size it is equivalent to
-using a \*(L"AES-XXX-CBC\*(R" or \*(L"CAMELLIA-XXX-CBC\*(R" cipher, otherwise it is the same as
-\&\*(L"\s-1CS3\*(R"\s0 mode.
-.ie n .IP """\s-1CS3""\s0" 4
-.el .IP "``\s-1CS3''\s0" 4
-.IX Item "CS3"
+using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher, otherwise it is the same as
+"CS3" mode.
+.IP """CS3""" 4
+.IX Item """CS3"""
The Kerberos5 variant of cipher text stealing which always swaps the last
cipher text block with the previous block (which may be a partial or full block
depending on the input length). If the input length is exactly one full block
-then this is equivalent to using a \*(L"AES-XXX-CBC\*(R" or \*(L"CAMELLIA-XXX-CBC\*(R" cipher.
+then this is equivalent to using a "AES-XXX-CBC" or "CAMELLIA-XXX-CBC" cipher.
.RE
.RS 4
.Sp
-The default is \*(L"\s-1CS1\*(R".\s0
-This is only supported for \*(L"\s-1AES\-128\-CBC\-CTS\*(R", \*(L"AES\-192\-CBC\-CTS\*(R", \*(L"AES\-256\-CBC\-CTS\*(R",
-\&\*(L"CAMELLIA\-128\-CBC\-CTS\*(R", \*(L"CAMELLIA\-192\-CBC\-CTS\*(R"\s0 and \*(L"\s-1CAMELLIA\-256\-CBC\-CTS\*(R".\s0
+The default is "CS1".
+This is only supported for "AES\-128\-CBC\-CTS", "AES\-192\-CBC\-CTS", "AES\-256\-CBC\-CTS",
+"CAMELLIA\-128\-CBC\-CTS", "CAMELLIA\-192\-CBC\-CTS" and "CAMELLIA\-256\-CBC\-CTS".
.RE
-.ie n .IP """tls1multi_interleave"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\s0\fR) <unsigned integer>" 4
-.el .IP "``tls1multi_interleave'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\s0\fR) <unsigned integer>" 4
-.IX Item "tls1multi_interleave (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE) <unsigned integer>"
+.IP """tls1multi_interleave"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\fR) <unsigned integer>" 4
+.IX Item """tls1multi_interleave"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE) <unsigned integer>"
Sets or gets the number of records being sent in one go for a tls1 multiblock
cipher operation (either 4 or 8 records).
-.SS "Gettable \s-1EVP_CIPHER_CTX\s0 parameters"
+.SS "Gettable EVP_CIPHER_CTX parameters"
.IX Subsection "Gettable EVP_CIPHER_CTX parameters"
-The following \s-1\fBOSSL_PARAM\s0\fR\|(3) keys can be used with \fBEVP_CIPHER_CTX_get_params()\fR:
-.ie n .IP """ivlen"" (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR and <\fB\s-1OSSL_CIPHER_PARAM_AEAD_IVLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``ivlen'' (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR and <\fB\s-1OSSL_CIPHER_PARAM_AEAD_IVLEN\s0\fR) <unsigned integer>" 4
-.IX Item "ivlen (OSSL_CIPHER_PARAM_IVLEN and <OSSL_CIPHER_PARAM_AEAD_IVLEN) <unsigned integer>"
-Gets the \s-1IV\s0 length for the cipher context \fIctx\fR.
-The length of the \*(L"ivlen\*(R" parameter should not exceed that of a \fBsize_t\fR.
+The following \fBOSSL_PARAM\fR\|(3) keys can be used with \fBEVP_CIPHER_CTX_get_params()\fR:
+.IP """ivlen"" (\fBOSSL_CIPHER_PARAM_IVLEN\fR and <\fBOSSL_CIPHER_PARAM_AEAD_IVLEN\fR) <unsigned integer>" 4
+.IX Item """ivlen"" (OSSL_CIPHER_PARAM_IVLEN and <OSSL_CIPHER_PARAM_AEAD_IVLEN) <unsigned integer>"
+Gets the IV length for the cipher context \fIctx\fR.
+The length of the "ivlen" parameter should not exceed that of a \fBsize_t\fR.
See also \fBEVP_CIPHER_CTX_get_iv_length()\fR.
-.ie n .IP """iv"" (\fB\s-1OSSL_CIPHER_PARAM_IV\s0\fR) <octet string \s-1OR\s0 octet ptr>" 4
-.el .IP "``iv'' (\fB\s-1OSSL_CIPHER_PARAM_IV\s0\fR) <octet string \s-1OR\s0 octet ptr>" 4
-.IX Item "iv (OSSL_CIPHER_PARAM_IV) <octet string OR octet ptr>"
-Gets the \s-1IV\s0 used to initialize the associated cipher context \fIctx\fR.
+.IP """iv"" (\fBOSSL_CIPHER_PARAM_IV\fR) <octet string OR octet ptr>" 4
+.IX Item """iv"" (OSSL_CIPHER_PARAM_IV) <octet string OR octet ptr>"
+Gets the IV used to initialize the associated cipher context \fIctx\fR.
See also \fBEVP_CIPHER_CTX_get_original_iv()\fR.
-.ie n .IP """updated-iv"" (\fB\s-1OSSL_CIPHER_PARAM_UPDATED_IV\s0\fR) <octet string \s-1OR\s0 octet ptr>" 4
-.el .IP "``updated-iv'' (\fB\s-1OSSL_CIPHER_PARAM_UPDATED_IV\s0\fR) <octet string \s-1OR\s0 octet ptr>" 4
-.IX Item "updated-iv (OSSL_CIPHER_PARAM_UPDATED_IV) <octet string OR octet ptr>"
+.IP """updated-iv"" (\fBOSSL_CIPHER_PARAM_UPDATED_IV\fR) <octet string OR octet ptr>" 4
+.IX Item """updated-iv"" (OSSL_CIPHER_PARAM_UPDATED_IV) <octet string OR octet ptr>"
Gets the updated pseudo-IV state for the associated cipher context, e.g.,
-the previous ciphertext block for \s-1CBC\s0 mode or the iteratively encrypted \s-1IV\s0
-value for \s-1OFB\s0 mode. Note that octet pointer access is deprecated and is
+the previous ciphertext block for CBC mode or the iteratively encrypted IV
+value for OFB mode. Note that octet pointer access is deprecated and is
provided only for backwards compatibility with historical libcrypto APIs.
See also \fBEVP_CIPHER_CTX_get_updated_iv()\fR.
-.ie n .IP """randkey"" (\fB\s-1OSSL_CIPHER_PARAM_RANDOM_KEY\s0\fR) <octet string>" 4
-.el .IP "``randkey'' (\fB\s-1OSSL_CIPHER_PARAM_RANDOM_KEY\s0\fR) <octet string>" 4
-.IX Item "randkey (OSSL_CIPHER_PARAM_RANDOM_KEY) <octet string>"
+.IP """randkey"" (\fBOSSL_CIPHER_PARAM_RANDOM_KEY\fR) <octet string>" 4
+.IX Item """randkey"" (OSSL_CIPHER_PARAM_RANDOM_KEY) <octet string>"
Gets an implementation specific randomly generated key for the associated
-cipher context \fIctx\fR. This is currently only supported by \s-1DES\s0 and 3DES (which set
+cipher context \fIctx\fR. This is currently only supported by DES and 3DES (which set
the key to odd parity).
-.ie n .IP """taglen"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TAGLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``taglen'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TAGLEN\s0\fR) <unsigned integer>" 4
-.IX Item "taglen (OSSL_CIPHER_PARAM_AEAD_TAGLEN) <unsigned integer>"
-Gets the tag length to be used for an \s-1AEAD\s0 cipher for the associated cipher
+.IP """taglen"" (\fBOSSL_CIPHER_PARAM_AEAD_TAGLEN\fR) <unsigned integer>" 4
+.IX Item """taglen"" (OSSL_CIPHER_PARAM_AEAD_TAGLEN) <unsigned integer>"
+Gets the tag length to be used for an AEAD cipher for the associated cipher
context \fIctx\fR. It gets a default value if it has not been set.
-The length of the \*(L"taglen\*(R" parameter should not exceed that of a \fBsize_t\fR.
+The length of the "taglen" parameter should not exceed that of a \fBsize_t\fR.
See also \fBEVP_CIPHER_CTX_get_tag_length()\fR.
-.ie n .IP """tlsaadpad"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD\s0\fR) <unsigned integer>" 4
-.el .IP "``tlsaadpad'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD\s0\fR) <unsigned integer>" 4
-.IX Item "tlsaadpad (OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD) <unsigned integer>"
-Gets the length of the tag that will be added to a \s-1TLS\s0 record for the \s-1AEAD\s0
+.IP """tlsaadpad"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD\fR) <unsigned integer>" 4
+.IX Item """tlsaadpad"" (OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD) <unsigned integer>"
+Gets the length of the tag that will be added to a TLS record for the AEAD
tag for the associated cipher context \fIctx\fR.
-The length of the \*(L"tlsaadpad\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """tlsivgen"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN\s0\fR) <octet string>" 4
-.el .IP "``tlsivgen'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN\s0\fR) <octet string>" 4
-.IX Item "tlsivgen (OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN) <octet string>"
+The length of the "tlsaadpad" parameter should not exceed that of a \fBsize_t\fR.
+.IP """tlsivgen"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN\fR) <octet string>" 4
+.IX Item """tlsivgen"" (OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN) <octet string>"
Gets the invocation field generated for encryption.
-Can only be called after \*(L"tlsivfixed\*(R" is set.
-This is only used for \s-1GCM\s0 mode.
-.ie n .IP """tls1multi_enclen"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN\s0\fR) <unsigned integer>" 4
-.el .IP "``tls1multi_enclen'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN\s0\fR) <unsigned integer>" 4
-.IX Item "tls1multi_enclen (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN) <unsigned integer>"
-Get the total length of the record returned from the \*(L"tls1multi_enc\*(R" operation.
-.ie n .IP """tls1multi_maxbufsz"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``tls1multi_maxbufsz'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE\s0\fR) <unsigned integer>" 4
-.IX Item "tls1multi_maxbufsz (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE) <unsigned integer>"
-Gets the maximum record length for a \s-1TLS1\s0 multiblock cipher operation.
-The length of the \*(L"tls1multi_maxbufsz\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """tls1multi_aadpacklen"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``tls1multi_aadpacklen'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\s0\fR) <unsigned integer>" 4
-.IX Item "tls1multi_aadpacklen (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN) <unsigned integer>"
-Gets the result of running the \*(L"tls1multi_aad\*(R" operation.
-.ie n .IP """tls-mac"" (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC\s0\fR) <octet ptr>" 4
-.el .IP "``tls-mac'' (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC\s0\fR) <octet ptr>" 4
-.IX Item "tls-mac (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>"
-Used to pass the \s-1TLS MAC\s0 data.
-.SS "Settable \s-1EVP_CIPHER_CTX\s0 parameters"
+Can only be called after "tlsivfixed" is set.
+This is only used for GCM mode.
+.IP """tls1multi_enclen"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN\fR) <unsigned integer>" 4
+.IX Item """tls1multi_enclen"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN) <unsigned integer>"
+Get the total length of the record returned from the "tls1multi_enc" operation.
+.IP """tls1multi_maxbufsz"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE\fR) <unsigned integer>" 4
+.IX Item """tls1multi_maxbufsz"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE) <unsigned integer>"
+Gets the maximum record length for a TLS1 multiblock cipher operation.
+The length of the "tls1multi_maxbufsz" parameter should not exceed that of a \fBsize_t\fR.
+.IP """tls1multi_aadpacklen"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\fR) <unsigned integer>" 4
+.IX Item """tls1multi_aadpacklen"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN) <unsigned integer>"
+Gets the result of running the "tls1multi_aad" operation.
+.IP """tls-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4
+.IX Item """tls-mac"" (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>"
+Used to pass the TLS MAC data.
+.IP """fips-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+This option is used by the OpenSSL FIPS provider.
+.Sp
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling a cipher final operation such as
+\&\fBEVP_EncryptFinal_ex()\fR. It may return 0 if the "encrypt-check" option is set to 0.
+.IP """iv-generated"" (\fBOSSL_CIPHER_PARAM_AEAD_IV_GENERATED\fR) <unsigned integer>" 4
+.IX Item """iv-generated"" (OSSL_CIPHER_PARAM_AEAD_IV_GENERATED) <unsigned integer>"
+An indicator that returns 1 if an IV was generated internally during encryption,
+or O otherwise.
+This may be used by GCM ciphers after calling a cipher final operation such
+as \fBEVP_EncryptFinal_ex()\fR.
+GCM should generate an IV internally if the IV is not specified during a
+cipher initialisation call such as \fBEVP_CipherInit_ex()\fR.
+See FIPS 140\-3 IG C.H for information related to IV requirements.
+.SS "Settable EVP_CIPHER_CTX parameters"
.IX Subsection "Settable EVP_CIPHER_CTX parameters"
-The following \s-1\fBOSSL_PARAM\s0\fR\|(3) keys can be used with \fBEVP_CIPHER_CTX_set_params()\fR:
-.ie n .IP """mackey"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_MAC_KEY\s0\fR) <octet string>" 4
-.el .IP "``mackey'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_MAC_KEY\s0\fR) <octet string>" 4
-.IX Item "mackey (OSSL_CIPHER_PARAM_AEAD_MAC_KEY) <octet string>"
-Sets the \s-1MAC\s0 key used by composite \s-1AEAD\s0 ciphers such as \s-1AES\-CBC\-HMAC\-SHA256.\s0
-.ie n .IP """speed"" (\fB\s-1OSSL_CIPHER_PARAM_SPEED\s0\fR) <unsigned integer>" 4
-.el .IP "``speed'' (\fB\s-1OSSL_CIPHER_PARAM_SPEED\s0\fR) <unsigned integer>" 4
-.IX Item "speed (OSSL_CIPHER_PARAM_SPEED) <unsigned integer>"
+The following \fBOSSL_PARAM\fR\|(3) keys can be used with \fBEVP_CIPHER_CTX_set_params()\fR:
+.IP """mackey"" (\fBOSSL_CIPHER_PARAM_AEAD_MAC_KEY\fR) <octet string>" 4
+.IX Item """mackey"" (OSSL_CIPHER_PARAM_AEAD_MAC_KEY) <octet string>"
+Sets the MAC key used by composite AEAD ciphers such as AES\-CBC\-HMAC\-SHA256.
+.IP """speed"" (\fBOSSL_CIPHER_PARAM_SPEED\fR) <unsigned integer>" 4
+.IX Item """speed"" (OSSL_CIPHER_PARAM_SPEED) <unsigned integer>"
Sets the speed option for the associated cipher context. This is only supported
-by \s-1AES SIV\s0 ciphers which disallow multiple operations by default.
-Setting \*(L"speed\*(R" to 1 allows another encrypt or decrypt operation to be
+by AES SIV ciphers which disallow multiple operations by default.
+Setting "speed" to 1 allows another encrypt or decrypt operation to be
performed. This is used for performance testing.
-.ie n .IP """use-bits"" (\fB\s-1OSSL_CIPHER_PARAM_USE_BITS\s0\fR) <unsigned integer>" 4
-.el .IP "``use-bits'' (\fB\s-1OSSL_CIPHER_PARAM_USE_BITS\s0\fR) <unsigned integer>" 4
-.IX Item "use-bits (OSSL_CIPHER_PARAM_USE_BITS) <unsigned integer>"
+.IP """use-bits"" (\fBOSSL_CIPHER_PARAM_USE_BITS\fR) <unsigned integer>" 4
+.IX Item """use-bits"" (OSSL_CIPHER_PARAM_USE_BITS) <unsigned integer>"
Determines if the input length \fIinl\fR passed to \fBEVP_EncryptUpdate()\fR,
\&\fBEVP_DecryptUpdate()\fR and \fBEVP_CipherUpdate()\fR is the number of bits or number of bytes.
-Setting \*(L"use-bits\*(R" to 1 uses bits. The default is in bytes.
-This is only used for \fB\s-1CFB1\s0\fR ciphers.
+Setting "use-bits" to 1 uses bits. The default is in bytes.
+This is only used for \fBCFB1\fR ciphers.
.Sp
-This can be set using EVP_CIPHER_CTX_set_flags(ctx, \s-1EVP_CIPH_FLAG_LENGTH_BITS\s0).
-.ie n .IP """tls-version"" (\fB\s-1OSSL_CIPHER_PARAM_TLS_VERSION\s0\fR) <integer>" 4
-.el .IP "``tls-version'' (\fB\s-1OSSL_CIPHER_PARAM_TLS_VERSION\s0\fR) <integer>" 4
-.IX Item "tls-version (OSSL_CIPHER_PARAM_TLS_VERSION) <integer>"
-Sets the \s-1TLS\s0 version.
-.ie n .IP """tls-mac-size"" (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-mac-size'' (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "tls-mac-size (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>"
-Set the \s-1TLS MAC\s0 size.
-.ie n .IP """tlsaad"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_AAD\s0\fR) <octet string>" 4
-.el .IP "``tlsaad'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_AAD\s0\fR) <octet string>" 4
-.IX Item "tlsaad (OSSL_CIPHER_PARAM_AEAD_TLS1_AAD) <octet string>"
-Sets TLSv1.2 \s-1AAD\s0 information for the associated cipher context \fIctx\fR.
-TLSv1.2 \s-1AAD\s0 information is always 13 bytes in length and is as defined for the
-\&\*(L"additional_data\*(R" field described in section 6.2.3.3 of \s-1RFC5246.\s0
-.ie n .IP """tlsivfixed"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED\s0\fR) <octet string>" 4
-.el .IP "``tlsivfixed'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED\s0\fR) <octet string>" 4
-.IX Item "tlsivfixed (OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED) <octet string>"
-Sets the fixed portion of an \s-1IV\s0 for an \s-1AEAD\s0 cipher used in a \s-1TLS\s0 record
+This can be set using EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS).
+.IP """tls-version"" (\fBOSSL_CIPHER_PARAM_TLS_VERSION\fR) <integer>" 4
+.IX Item """tls-version"" (OSSL_CIPHER_PARAM_TLS_VERSION) <integer>"
+Sets the TLS version.
+.IP """tls-mac-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4
+.IX Item """tls-mac-size"" (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>"
+Set the TLS MAC size.
+.IP """tlsaad"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_AAD\fR) <octet string>" 4
+.IX Item """tlsaad"" (OSSL_CIPHER_PARAM_AEAD_TLS1_AAD) <octet string>"
+Sets TLSv1.2 AAD information for the associated cipher context \fIctx\fR.
+TLSv1.2 AAD information is always 13 bytes in length and is as defined for the
+"additional_data" field described in section 6.2.3.3 of RFC5246.
+.IP """tlsivfixed"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED\fR) <octet string>" 4
+.IX Item """tlsivfixed"" (OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED) <octet string>"
+Sets the fixed portion of an IV for an AEAD cipher used in a TLS record
encryption/ decryption for the associated cipher context.
-\&\s-1TLS\s0 record encryption/decryption always occurs \*(L"in place\*(R" so that the input and
+TLS record encryption/decryption always occurs "in place" so that the input and
output buffers are always the same memory location.
-\&\s-1AEAD\s0 IVs in TLSv1.2 consist of an implicit \*(L"fixed\*(R" part and an explicit part
+AEAD IVs in TLSv1.2 consist of an implicit "fixed" part and an explicit part
that varies with every record.
-Setting a \s-1TLS\s0 fixed \s-1IV\s0 changes a cipher to encrypt/decrypt \s-1TLS\s0 records.
-\&\s-1TLS\s0 records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per
+Setting a TLS fixed IV changes a cipher to encrypt/decrypt TLS records.
+TLS records are encrypted/decrypted using a single OSSL_FUNC_cipher_cipher call per
record.
For a record decryption the first bytes of the input buffer will be the explicit
-part of the \s-1IV\s0 and the final bytes of the input buffer will be the \s-1AEAD\s0 tag.
-The length of the explicit part of the \s-1IV\s0 and the tag length will depend on the
-cipher in use and will be defined in the \s-1RFC\s0 for the relevant ciphersuite.
-In order to allow for \*(L"in place\*(R" decryption the plaintext output should be
+part of the IV and the final bytes of the input buffer will be the AEAD tag.
+The length of the explicit part of the IV and the tag length will depend on the
+cipher in use and will be defined in the RFC for the relevant ciphersuite.
+In order to allow for "in place" decryption the plaintext output should be
written to the same location in the output buffer that the ciphertext payload
-was read from, i.e. immediately after the explicit \s-1IV.\s0
+was read from, i.e. immediately after the explicit IV.
.Sp
When encrypting a record the first bytes of the input buffer should be empty to
-allow space for the explicit \s-1IV,\s0 as will the final bytes where the tag will
+allow space for the explicit IV, as will the final bytes where the tag will
be written.
-The length of the input buffer will include the length of the explicit \s-1IV,\s0 the
+The length of the input buffer will include the length of the explicit IV, the
payload, and the tag bytes.
-The cipher implementation should generate the explicit \s-1IV\s0 and write it to the
-beginning of the output buffer, do \*(L"in place\*(R" encryption of the payload and
+The cipher implementation should generate the explicit IV and write it to the
+beginning of the output buffer, do "in place" encryption of the payload and
write that to the output buffer, and finally add the tag onto the end of the
output buffer.
.Sp
Whether encrypting or decrypting the value written to \fI*outl\fR in the
OSSL_FUNC_cipher_cipher call should be the length of the payload excluding the explicit
-\&\s-1IV\s0 length and the tag length.
-.ie n .IP """tlsivinv"" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV\s0\fR) <octet string>" 4
-.el .IP "``tlsivinv'' (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV\s0\fR) <octet string>" 4
-.IX Item "tlsivinv (OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV) <octet string>"
+IV length and the tag length.
+.IP """tlsivinv"" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV\fR) <octet string>" 4
+.IX Item """tlsivinv"" (OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV) <octet string>"
Sets the invocation field used for decryption.
-Can only be called after \*(L"tlsivfixed\*(R" is set.
-This is only used for \s-1GCM\s0 mode.
-.ie n .IP """tls1multi_enc"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC\s0\fR) <octet string>" 4
-.el .IP "``tls1multi_enc'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC\s0\fR) <octet string>" 4
-.IX Item "tls1multi_enc (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC) <octet string>"
-Triggers a multiblock \s-1TLS1\s0 encrypt operation for a \s-1TLS1\s0 aware cipher that
+Can only be called after "tlsivfixed" is set.
+This is only used for GCM mode.
+.IP """tls1multi_enc"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC\fR) <octet string>" 4
+.IX Item """tls1multi_enc"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC) <octet string>"
+Triggers a multiblock TLS1 encrypt operation for a TLS1 aware cipher that
supports sending 4 or 8 records in one go.
-The cipher performs both the \s-1MAC\s0 and encrypt stages and constructs the record
+The cipher performs both the MAC and encrypt stages and constructs the record
headers itself.
-\&\*(L"tls1multi_enc\*(R" supplies the output buffer for the encrypt operation,
-\&\*(L"tls1multi_encin\*(R" & \*(L"tls1multi_interleave\*(R" must also be set in order to supply
+"tls1multi_enc" supplies the output buffer for the encrypt operation,
+"tls1multi_encin" & "tls1multi_interleave" must also be set in order to supply
values to the encrypt operation.
-.ie n .IP """tls1multi_encin"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN\s0\fR) <octet string>" 4
-.el .IP "``tls1multi_encin'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN\s0\fR) <octet string>" 4
-.IX Item "tls1multi_encin (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN) <octet string>"
-Supplies the data to encrypt for a \s-1TLS1\s0 multiblock cipher operation.
-.ie n .IP """tls1multi_maxsndfrag"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT\s0\fR) <unsigned integer>" 4
-.el .IP "``tls1multi_maxsndfrag'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT\s0\fR) <unsigned integer>" 4
-.IX Item "tls1multi_maxsndfrag (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT) <unsigned integer>"
-Sets the maximum send fragment size for a \s-1TLS1\s0 multiblock cipher operation.
-It must be set before using \*(L"tls1multi_maxbufsz\*(R".
-The length of the \*(L"tls1multi_maxsndfrag\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """tls1multi_aad"" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD\s0\fR) <octet string>" 4
-.el .IP "``tls1multi_aad'' (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD\s0\fR) <octet string>" 4
-.IX Item "tls1multi_aad (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD) <octet string>"
-Sets the authenticated additional data used by a \s-1TLS1\s0 multiblock cipher operation.
+.IP """tls1multi_encin"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN\fR) <octet string>" 4
+.IX Item """tls1multi_encin"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN) <octet string>"
+Supplies the data to encrypt for a TLS1 multiblock cipher operation.
+.IP """tls1multi_maxsndfrag"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT\fR) <unsigned integer>" 4
+.IX Item """tls1multi_maxsndfrag"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT) <unsigned integer>"
+Sets the maximum send fragment size for a TLS1 multiblock cipher operation.
+It must be set before using "tls1multi_maxbufsz".
+The length of the "tls1multi_maxsndfrag" parameter should not exceed that of a \fBsize_t\fR.
+.IP """tls1multi_aad"" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD\fR) <octet string>" 4
+.IX Item """tls1multi_aad"" (OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD) <octet string>"
+Sets the authenticated additional data used by a TLS1 multiblock cipher operation.
The supplied data consists of 13 bytes of record data containing:
Bytes 0\-7: The sequence number of the first record
Byte 8: The record type
Byte 9\-10: The protocol version
Byte 11\-12: Input length (Always 0)
.Sp
-\&\*(L"tls1multi_interleave\*(R" must also be set for this operation.
-.SH "CONTROLS"
+"tls1multi_interleave" must also be set for this operation.
+.IP """xts_standard"" (\fBOSSL_CIPHER_PARAM_XTS_STANDARD\fR) <UTF8 string>" 4
+.IX Item """xts_standard"" (OSSL_CIPHER_PARAM_XTS_STANDARD) <UTF8 string>"
+Sets the XTS standard to use with SM4\-XTS algorithm. XTS mode has two
+implementations, one is standardized in IEEE Std. 1619\-2007 and has
+been widely used (e.g., XTS AES), the other is proposed recently
+(GB/T 17964\-2021 implemented in May 2022) and is currently only used
+in SM4.
+.Sp
+The main difference between them is the multiplication by the
+primitive element α to calculate the tweak values. The IEEE
+Std 1619\-2007 noted that the multiplication "is a left shift of each
+byte by one bit with carry propagating from one byte to the next
+one", which means that in each byte, the leftmost bit is the most
+significant bit. But in GB/T 17964\-2021, the rightmost bit is the
+most significant bit, thus the multiplication becomes a right shift
+of each byte by one bit with carry propagating from one byte to the
+next one.
+.Sp
+Valid values for the mode are:
+.RS 4
+.IP """GB""" 4
+.IX Item """GB"""
+The GB/T 17964\-2021 variant of SM4\-XTS algorithm.
+.IP """IEEE""" 4
+.IX Item """IEEE"""
+The IEEE Std. 1619\-2007 variant of SM4\-XTS algorithm.
+.RE
+.RS 4
+.Sp
+The default value is "GB".
+.RE
+.IP """encrypt-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4
+.IX Item """encrypt-check"" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>"
+This option is used by the OpenSSL FIPS provider.
+.Sp
+If required this parameter should be set early via an cipher encrypt init
+function such as \fBEVP_EncryptInit_ex2()\fR.
+The default value of 1 causes an error when an encryption operation is triggered.
+Setting this to 0 will ignore the error and set the approved "fips-indicator" to
+0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH CONTROLS
.IX Header "CONTROLS"
-The Mappings from \fBEVP_CIPHER_CTX_ctrl()\fR identifiers to \s-1PARAMETERS\s0 are listed
-in the following section. See the \*(L"\s-1PARAMETERS\*(R"\s0 section for more details.
+The Mappings from \fBEVP_CIPHER_CTX_ctrl()\fR identifiers to PARAMETERS are listed
+in the following section. See the "PARAMETERS" section for more details.
.PP
\&\fBEVP_CIPHER_CTX_ctrl()\fR can be used to send the following standard controls:
-.IP "\s-1EVP_CTRL_AEAD_SET_IVLEN\s0 and \s-1EVP_CTRL_GET_IVLEN\s0" 4
+.IP "EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN" 4
.IX Item "EVP_CTRL_AEAD_SET_IVLEN and EVP_CTRL_GET_IVLEN"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
-\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the
-key \*(L"ivlen\*(R" (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR).
-.IP "\s-1EVP_CTRL_AEAD_SET_IV_FIXED\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
+\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \fBOSSL_PARAM\fR\|(3) item with the
+key "ivlen" (\fBOSSL_CIPHER_PARAM_IVLEN\fR).
+.IP EVP_CTRL_AEAD_SET_IV_FIXED 4
.IX Item "EVP_CTRL_AEAD_SET_IV_FIXED"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"tlsivfixed\*(R"
-(\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED\s0\fR).
-.IP "\s-1EVP_CTRL_AEAD_SET_MAC_KEY\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "tlsivfixed"
+(\fBOSSL_CIPHER_PARAM_AEAD_TLS1_IV_FIXED\fR).
+.IP EVP_CTRL_AEAD_SET_MAC_KEY 4
.IX Item "EVP_CTRL_AEAD_SET_MAC_KEY"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"mackey\*(R"
-(\fB\s-1OSSL_CIPHER_PARAM_AEAD_MAC_KEY\s0\fR).
-.IP "\s-1EVP_CTRL_AEAD_SET_TAG\s0 and \s-1EVP_CTRL_AEAD_GET_TAG\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "mackey"
+(\fBOSSL_CIPHER_PARAM_AEAD_MAC_KEY\fR).
+.IP "EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG" 4
.IX Item "EVP_CTRL_AEAD_SET_TAG and EVP_CTRL_AEAD_GET_TAG"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
-\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the
-key \*(L"tag\*(R" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TAG\s0\fR).
-.IP "\s-1EVP_CTRL_CCM_SET_L\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
+\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \fBOSSL_PARAM\fR\|(3) item with the
+key "tag" (\fBOSSL_CIPHER_PARAM_AEAD_TAG\fR).
+.IP EVP_CTRL_CCM_SET_L 4
.IX Item "EVP_CTRL_CCM_SET_L"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"ivlen\*(R" (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR)
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "ivlen" (\fBOSSL_CIPHER_PARAM_IVLEN\fR)
with a value of (15 \- L)
-.IP "\s-1EVP_CTRL_COPY\s0" 4
+.IP EVP_CTRL_COPY 4
.IX Item "EVP_CTRL_COPY"
-There is no \s-1OSSL_PARAM\s0 mapping for this. Use \fBEVP_CIPHER_CTX_copy()\fR instead.
-.IP "\s-1EVP_CTRL_GCM_SET_IV_INV\s0" 4
+There is no OSSL_PARAM mapping for this. Use \fBEVP_CIPHER_CTX_copy()\fR instead.
+.IP EVP_CTRL_GCM_SET_IV_INV 4
.IX Item "EVP_CTRL_GCM_SET_IV_INV"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"tlsivinv\*(R"
-(\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV\s0\fR).
-.IP "\s-1EVP_CTRL_RAND_KEY\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "tlsivinv"
+(\fBOSSL_CIPHER_PARAM_AEAD_TLS1_SET_IV_INV\fR).
+.IP EVP_CTRL_RAND_KEY 4
.IX Item "EVP_CTRL_RAND_KEY"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"randkey\*(R"
-(\fB\s-1OSSL_CIPHER_PARAM_RANDOM_KEY\s0\fR).
-.IP "\s-1EVP_CTRL_SET_KEY_LENGTH\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "randkey"
+(\fBOSSL_CIPHER_PARAM_RANDOM_KEY\fR).
+.IP EVP_CTRL_SET_KEY_LENGTH 4
.IX Item "EVP_CTRL_SET_KEY_LENGTH"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"keylen\*(R" (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR).
-.IP "\s-1EVP_CTRL_SET_RC2_KEY_BITS\s0 and \s-1EVP_CTRL_GET_RC2_KEY_BITS\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "keylen" (\fBOSSL_CIPHER_PARAM_KEYLEN\fR).
+.IP "EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS" 4
.IX Item "EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
-\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the
-key \*(L"keybits\*(R" (\fB\s-1OSSL_CIPHER_PARAM_RC2_KEYBITS\s0\fR).
-.IP "\s-1EVP_CTRL_SET_RC5_ROUNDS\s0 and \s-1EVP_CTRL_GET_RC5_ROUNDS\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
+\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \fBOSSL_PARAM\fR\|(3) item with the
+key "keybits" (\fBOSSL_CIPHER_PARAM_RC2_KEYBITS\fR).
+.IP "EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS" 4
.IX Item "EVP_CTRL_SET_RC5_ROUNDS and EVP_CTRL_GET_RC5_ROUNDS"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
-\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the
-key \*(L"rounds\*(R" (\fB\s-1OSSL_CIPHER_PARAM_ROUNDS\s0\fR).
-.IP "\s-1EVP_CTRL_SET_SPEED\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR and
+\&\fBEVP_CIPHER_CTX_get_params()\fR get called with an \fBOSSL_PARAM\fR\|(3) item with the
+key "rounds" (\fBOSSL_CIPHER_PARAM_ROUNDS\fR).
+.IP EVP_CTRL_SET_SPEED 4
.IX Item "EVP_CTRL_SET_SPEED"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key \*(L"speed\*(R" (\fB\s-1OSSL_CIPHER_PARAM_SPEED\s0\fR).
-.IP "\s-1EVP_CTRL_GCM_IV_GEN\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key "speed" (\fBOSSL_CIPHER_PARAM_SPEED\fR).
+.IP EVP_CTRL_GCM_IV_GEN 4
.IX Item "EVP_CTRL_GCM_IV_GEN"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_get_params()\fR gets called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key
-\&\*(L"tlsivgen\*(R" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN\s0\fR).
-.IP "\s-1EVP_CTRL_AEAD_TLS1_AAD\s0" 4
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_get_params()\fR gets called
+with an \fBOSSL_PARAM\fR\|(3) item with the key
+"tlsivgen" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN\fR).
+.IP EVP_CTRL_AEAD_TLS1_AAD 4
.IX Item "EVP_CTRL_AEAD_TLS1_AAD"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR get called
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the key
-\&\*(L"tlsaad\*(R" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_AAD\s0\fR)
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR get called
+with an \fBOSSL_PARAM\fR\|(3) item with the key
+"tlsaad" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_AAD\fR)
followed by \fBEVP_CIPHER_CTX_get_params()\fR with a key of
-\&\*(L"tlsaadpad\*(R" (\fB\s-1OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD\s0\fR).
-.IP "\s-1EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE\s0" 4
+"tlsaadpad" (\fBOSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD\fR).
+.IP EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE 4
.IX Item "EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR,
-\&\fBEVP_CIPHER_CTX_set_params()\fR gets called with an \s-1\fBOSSL_PARAM\s0\fR\|(3) item with the
-key \s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT\s0
+When used with a fetched \fBEVP_CIPHER\fR,
+\&\fBEVP_CIPHER_CTX_set_params()\fR gets called with an \fBOSSL_PARAM\fR\|(3) item with the
+key OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT
followed by \fBEVP_CIPHER_CTX_get_params()\fR with a key of
-\&\*(L"tls1multi_maxbufsz\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE\s0\fR).
-.IP "\s-1EVP_CTRL_TLS1_1_MULTIBLOCK_AAD\s0" 4
+"tls1multi_maxbufsz" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE\fR).
+.IP EVP_CTRL_TLS1_1_MULTIBLOCK_AAD 4
.IX Item "EVP_CTRL_TLS1_1_MULTIBLOCK_AAD"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with \s-1\fBOSSL_PARAM\s0\fR\|(3) items with the keys
-\&\*(L"tls1multi_aad\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD\s0\fR) and
-\&\*(L"tls1multi_interleave\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\s0\fR)
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with \fBOSSL_PARAM\fR\|(3) items with the keys
+"tls1multi_aad" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD\fR) and
+"tls1multi_interleave" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\fR)
followed by \fBEVP_CIPHER_CTX_get_params()\fR with keys of
-\&\*(L"tls1multi_aadpacklen\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\s0\fR) and
-\&\*(L"tls1multi_interleave\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\s0\fR).
-.IP "\s-1EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT\s0" 4
+"tls1multi_aadpacklen" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_AAD_PACKLEN\fR) and
+"tls1multi_interleave" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\fR).
+.IP EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT 4
.IX Item "EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT"
-When used with a fetched \fB\s-1EVP_CIPHER\s0\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
-with \s-1\fBOSSL_PARAM\s0\fR\|(3) items with the keys
-\&\*(L"tls1multi_enc\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC\s0\fR),
-\&\*(L"tls1multi_encin\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN\s0\fR) and
-\&\*(L"tls1multi_interleave\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\s0\fR),
+When used with a fetched \fBEVP_CIPHER\fR, \fBEVP_CIPHER_CTX_set_params()\fR gets called
+with \fBOSSL_PARAM\fR\|(3) items with the keys
+"tls1multi_enc" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC\fR),
+"tls1multi_encin" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_IN\fR) and
+"tls1multi_interleave" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_INTERLEAVE\fR),
followed by \fBEVP_CIPHER_CTX_get_params()\fR with a key of
-\&\*(L"tls1multi_enclen\*(R" (\fB\s-1OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN\s0\fR).
-.SH "FLAGS"
+"tls1multi_enclen" (\fBOSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_ENC_LEN\fR).
+.SH FLAGS
.IX Header "FLAGS"
\&\fBEVP_CIPHER_CTX_set_flags()\fR, \fBEVP_CIPHER_CTX_clear_flags()\fR and \fBEVP_CIPHER_CTX_test_flags()\fR.
-can be used to manipulate and test these \fB\s-1EVP_CIPHER_CTX\s0\fR flags:
-.IP "\s-1EVP_CIPH_NO_PADDING\s0" 4
+can be used to manipulate and test these \fBEVP_CIPHER_CTX\fR flags:
+.IP EVP_CIPH_NO_PADDING 4
.IX Item "EVP_CIPH_NO_PADDING"
Used by \fBEVP_CIPHER_CTX_set_padding()\fR.
.Sp
-See also \*(L"Gettable and Settable \s-1EVP_CIPHER_CTX\s0 parameters\*(R" \*(L"padding\*(R"
-.IP "\s-1EVP_CIPH_FLAG_LENGTH_BITS\s0" 4
+See also "Gettable and Settable EVP_CIPHER_CTX parameters" "padding"
+.IP EVP_CIPH_FLAG_LENGTH_BITS 4
.IX Item "EVP_CIPH_FLAG_LENGTH_BITS"
-See \*(L"Settable \s-1EVP_CIPHER_CTX\s0 parameters\*(R" \*(L"use-bits\*(R".
-.IP "\s-1EVP_CIPHER_CTX_FLAG_WRAP_ALLOW\s0" 4
+See "Settable EVP_CIPHER_CTX parameters" "use-bits".
+.IP EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 4
.IX Item "EVP_CIPHER_CTX_FLAG_WRAP_ALLOW"
Used for Legacy purposes only. This flag needed to be set to indicate the
cipher handled wrapping.
.PP
\&\fBEVP_CIPHER_flags()\fR uses the following flags that
-have mappings to \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R":
-.IP "\s-1EVP_CIPH_FLAG_AEAD_CIPHER\s0" 4
+have mappings to "Gettable EVP_CIPHER parameters":
+.IP EVP_CIPH_FLAG_AEAD_CIPHER 4
.IX Item "EVP_CIPH_FLAG_AEAD_CIPHER"
-See \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R" \*(L"aead\*(R".
-.IP "\s-1EVP_CIPH_CUSTOM_IV\s0" 4
+See "Gettable EVP_CIPHER parameters" "aead".
+.IP EVP_CIPH_CUSTOM_IV 4
.IX Item "EVP_CIPH_CUSTOM_IV"
-See \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R" \*(L"custom-iv\*(R".
-.IP "\s-1EVP_CIPH_FLAG_CTS\s0" 4
+See "Gettable EVP_CIPHER parameters" "custom-iv".
+.IP EVP_CIPH_FLAG_CTS 4
.IX Item "EVP_CIPH_FLAG_CTS"
-See \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R" \*(L"cts\*(R".
-.IP "\s-1EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\s0;" 4
+See "Gettable EVP_CIPHER parameters" "cts".
+.IP EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK; 4
.IX Item "EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK;"
-See \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R" \*(L"tls-multi\*(R".
-.IP "\s-1EVP_CIPH_RAND_KEY\s0" 4
+See "Gettable EVP_CIPHER parameters" "tls-multi".
+.IP EVP_CIPH_RAND_KEY 4
.IX Item "EVP_CIPH_RAND_KEY"
-See \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R" \*(L"has-randkey\*(R".
+See "Gettable EVP_CIPHER parameters" "has-randkey".
.PP
\&\fBEVP_CIPHER_flags()\fR uses the following flags for legacy purposes only:
-.IP "\s-1EVP_CIPH_VARIABLE_LENGTH\s0" 4
+.IP EVP_CIPH_VARIABLE_LENGTH 4
.IX Item "EVP_CIPH_VARIABLE_LENGTH"
.PD 0
-.IP "\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0" 4
+.IP EVP_CIPH_FLAG_CUSTOM_CIPHER 4
.IX Item "EVP_CIPH_FLAG_CUSTOM_CIPHER"
-.IP "\s-1EVP_CIPH_ALWAYS_CALL_INIT\s0" 4
+.IP EVP_CIPH_ALWAYS_CALL_INIT 4
.IX Item "EVP_CIPH_ALWAYS_CALL_INIT"
-.IP "\s-1EVP_CIPH_CTRL_INIT\s0" 4
+.IP EVP_CIPH_CTRL_INIT 4
.IX Item "EVP_CIPH_CTRL_INIT"
-.IP "\s-1EVP_CIPH_CUSTOM_KEY_LENGTH\s0" 4
+.IP EVP_CIPH_CUSTOM_KEY_LENGTH 4
.IX Item "EVP_CIPH_CUSTOM_KEY_LENGTH"
-.IP "\s-1EVP_CIPH_CUSTOM_COPY\s0" 4
+.IP EVP_CIPH_CUSTOM_COPY 4
.IX Item "EVP_CIPH_CUSTOM_COPY"
-.IP "\s-1EVP_CIPH_FLAG_DEFAULT_ASN1\s0" 4
+.IP EVP_CIPH_FLAG_DEFAULT_ASN1 4
.IX Item "EVP_CIPH_FLAG_DEFAULT_ASN1"
.PD
See \fBEVP_CIPHER_meth_set_flags\fR\|(3) for further information related to the above
flags.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_CIPHER_fetch()\fR returns a pointer to a \fB\s-1EVP_CIPHER\s0\fR for success
-and \fB\s-1NULL\s0\fR for failure.
+\&\fBEVP_CIPHER_fetch()\fR returns a pointer to a \fBEVP_CIPHER\fR for success
+and NULL for failure.
.PP
\&\fBEVP_CIPHER_up_ref()\fR returns 1 for success or 0 otherwise.
.PP
\&\fBEVP_CIPHER_CTX_new()\fR returns a pointer to a newly created
-\&\fB\s-1EVP_CIPHER_CTX\s0\fR for success and \fB\s-1NULL\s0\fR for failure.
+\&\fBEVP_CIPHER_CTX\fR for success and NULL for failure.
+.PP
+\&\fBEVP_CIPHER_CTX_dup()\fR returns a new EVP_CIPHER_CTX if successful or NULL on failure.
+.PP
+\&\fBEVP_CIPHER_CTX_copy()\fR returns 1 if successful or 0 for failure.
.PP
\&\fBEVP_EncryptInit_ex2()\fR, \fBEVP_EncryptUpdate()\fR and \fBEVP_EncryptFinal_ex()\fR
return 1 for success and 0 for failure.
@@ -1210,44 +1276,56 @@ return 1 for success and 0 for failure.
\&\fBEVP_DecryptInit_ex2()\fR and \fBEVP_DecryptUpdate()\fR return 1 for success and 0 for failure.
\&\fBEVP_DecryptFinal_ex()\fR returns 0 if the decrypt failed or 1 for success.
.PP
-\&\fBEVP_CipherInit_ex2()\fR and \fBEVP_CipherUpdate()\fR return 1 for success and 0 for failure.
-\&\fBEVP_CipherFinal_ex()\fR returns 0 for a decryption failure or 1 for success.
+\&\fBEVP_CipherInit_ex2()\fR, \fBEVP_CipherInit_SKEY()\fR and \fBEVP_CipherUpdate()\fR return 1 for
+success and 0 for failure.
+\&\fBEVP_CipherFinal_ex()\fR returns 0 for an encryption/decryption failure or 1 for
+success.
+.PP
+\&\fBEVP_Cipher()\fR returns 1 on success and <= 0 on failure, if the flag
+\&\fBEVP_CIPH_FLAG_CUSTOM_CIPHER\fR is not set for the cipher, or if the cipher has
+not been initialized via a call to \fBEVP_CipherInit_ex2\fR.
+\&\fBEVP_Cipher()\fR returns the number of bytes written to \fIout\fR for
+encryption/decryption, or the number of bytes authenticated in a call specifying
+AAD for an AEAD cipher, if the flag \fBEVP_CIPH_FLAG_CUSTOM_CIPHER\fR is set for
+the cipher.
.PP
-\&\fBEVP_Cipher()\fR returns 1 on success or 0 on failure, if the flag
-\&\fB\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0\fR is not set for the cipher.
-\&\fBEVP_Cipher()\fR returns the number of bytes written to \fIout\fR for encryption / decryption, or
-the number of bytes authenticated in a call specifying \s-1AAD\s0 for an \s-1AEAD\s0 cipher, if the flag
-\&\fB\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0\fR is set for the cipher.
+\&\fBEVP_CIPHER_can_pipeline()\fR returns 1 if the cipher can be used in a pipeline, 0 otherwise.
+.PP
+\&\fBEVP_CipherPipelineEncryptInit()\fR and \fBEVP_CipherPipelineDecryptInit()\fR
+return 1 for success and 0 for failure.
+.PP
+\&\fBEVP_CipherPipelineUpdate()\fR and \fBEVP_CipherPipelineFinal()\fR
+return 1 for success and 0 for failure.
.PP
\&\fBEVP_CIPHER_CTX_reset()\fR returns 1 for success and 0 for failure.
.PP
\&\fBEVP_get_cipherbyname()\fR, \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR
-return an \fB\s-1EVP_CIPHER\s0\fR structure or \s-1NULL\s0 on error.
+return an \fBEVP_CIPHER\fR structure or NULL on error.
.PP
-\&\fBEVP_CIPHER_get_nid()\fR and \fBEVP_CIPHER_CTX_get_nid()\fR return a \s-1NID.\s0
+\&\fBEVP_CIPHER_get_nid()\fR and \fBEVP_CIPHER_CTX_get_nid()\fR return a NID.
.PP
\&\fBEVP_CIPHER_get_block_size()\fR and \fBEVP_CIPHER_CTX_get_block_size()\fR return the
-block size.
+block size, or 0 on error.
.PP
\&\fBEVP_CIPHER_get_key_length()\fR and \fBEVP_CIPHER_CTX_get_key_length()\fR return the key
length.
.PP
\&\fBEVP_CIPHER_CTX_set_padding()\fR always returns 1.
.PP
-\&\fBEVP_CIPHER_get_iv_length()\fR and \fBEVP_CIPHER_CTX_get_iv_length()\fR return the \s-1IV\s0
-length or zero if the cipher does not use an \s-1IV.\s0
+\&\fBEVP_CIPHER_get_iv_length()\fR and \fBEVP_CIPHER_CTX_get_iv_length()\fR return the IV
+length, zero if the cipher does not use an IV and a negative value on error.
.PP
\&\fBEVP_CIPHER_CTX_get_tag_length()\fR return the tag length or zero if the cipher
does not use a tag.
.PP
-\&\fBEVP_CIPHER_get_type()\fR and \fBEVP_CIPHER_CTX_get_type()\fR return the \s-1NID\s0 of the
-cipher's \s-1OBJECT IDENTIFIER\s0 or NID_undef if it has no defined
-\&\s-1OBJECT IDENTIFIER.\s0
+\&\fBEVP_CIPHER_get_type()\fR and \fBEVP_CIPHER_CTX_get_type()\fR return the NID of the
+cipher's OBJECT IDENTIFIER or NID_undef if it has no defined
+OBJECT IDENTIFIER.
.PP
-\&\fBEVP_CIPHER_CTX_cipher()\fR returns an \fB\s-1EVP_CIPHER\s0\fR structure.
+\&\fBEVP_CIPHER_CTX_cipher()\fR returns an \fBEVP_CIPHER\fR structure.
.PP
\&\fBEVP_CIPHER_CTX_get_num()\fR returns a nonnegative num value or
-\&\fB\s-1EVP_CTRL_RET_UNSUPPORTED\s0\fR if the implementation does not support the call
+\&\fBEVP_CTRL_RET_UNSUPPORTED\fR if the implementation does not support the call
or on any other error.
.PP
\&\fBEVP_CIPHER_CTX_set_num()\fR returns 1 on success and 0 if the implementation
@@ -1268,170 +1346,180 @@ A return value of 0 means that the callback was not called for any names.
.IX Header "CIPHER LISTING"
All algorithms have a fixed key length unless otherwise stated.
.PP
-Refer to \*(L"\s-1SEE ALSO\*(R"\s0 for the full list of ciphers available through the \s-1EVP\s0
+Refer to "SEE ALSO" for the full list of ciphers available through the EVP
interface.
-.IP "\fBEVP_enc_null()\fR" 4
+.IP \fBEVP_enc_null()\fR 4
.IX Item "EVP_enc_null()"
Null cipher: does nothing.
.SH "AEAD INTERFACE"
.IX Header "AEAD INTERFACE"
-The \s-1EVP\s0 interface for Authenticated Encryption with Associated Data (\s-1AEAD\s0)
+The EVP interface for Authenticated Encryption with Associated Data (AEAD)
modes are subtly altered and several additional \fIctrl\fR operations are supported
depending on the mode specified.
.PP
-To specify additional authenticated data (\s-1AAD\s0), a call to \fBEVP_CipherUpdate()\fR,
+To specify additional authenticated data (AAD), a call to \fBEVP_CipherUpdate()\fR,
\&\fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made with the output
-parameter \fIout\fR set to \fB\s-1NULL\s0\fR. In this case, on success, the parameter
+parameter \fIout\fR set to NULL. In this case, on success, the parameter
\&\fIoutl\fR is set to the number of bytes authenticated.
.PP
When decrypting, the return value of \fBEVP_DecryptFinal()\fR or \fBEVP_CipherFinal()\fR
indicates whether the operation was successful. If it does not indicate success,
-the authentication operation has failed and any output data \fB\s-1MUST NOT\s0\fR be used
+the authentication operation has failed and any output data \fBMUST NOT\fR be used
as it is corrupted.
-.SS "\s-1GCM\s0 and \s-1OCB\s0 Modes"
+.PP
+Please note that the number of authenticated bytes returned by
+\&\fBEVP_CipherUpdate()\fR depends on the cipher used. Stream ciphers, such as ChaCha20
+or ciphers in GCM mode, can handle 1 byte at a time, resulting in an effective
+"block" size of 1. Conversely, ciphers in OCB mode must process data one block
+at a time, and the block size is returned.
+.PP
+Regardless of the returned size, it is safe to pass unpadded data to an
+\&\fBEVP_CipherUpdate()\fR call in a single operation.
+.SS "GCM and OCB Modes"
.IX Subsection "GCM and OCB Modes"
-The following \fIctrl\fRs are supported in \s-1GCM\s0 and \s-1OCB\s0 modes.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4
+The following \fIctrl\fRs are supported in GCM and OCB modes.
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)"
-Sets the \s-1IV\s0 length. This call can only be made before specifying an \s-1IV.\s0 If
-not called a default \s-1IV\s0 length is used.
+Sets the IV length. This call can only be made before specifying an IV. If
+not called a default IV length is used.
.Sp
-For \s-1GCM AES\s0 and \s-1OCB AES\s0 the default is 12 (i.e. 96 bits). For \s-1OCB\s0 mode the
+For GCM AES and OCB AES the default is 12 (i.e. 96 bits). For OCB mode the
maximum is 15.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag)" 4
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)"
Writes \f(CW\*(C`taglen\*(C'\fR bytes of the tag value to the buffer indicated by \f(CW\*(C`tag\*(C'\fR.
This call can only be made when encrypting data and \fBafter\fR all data has been
processed (e.g. after an \fBEVP_EncryptFinal()\fR call).
.Sp
-For \s-1OCB,\s0 \f(CW\*(C`taglen\*(C'\fR must either be 16 or the value previously set via
-\&\fB\s-1EVP_CTRL_AEAD_SET_TAG\s0\fR.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4
+For OCB, \f(CW\*(C`taglen\*(C'\fR must either be 16 or the value previously set via
+\&\fBEVP_CTRL_AEAD_SET_TAG\fR.
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)"
When decrypting, this call sets the expected tag to \f(CW\*(C`taglen\*(C'\fR bytes from \f(CW\*(C`tag\*(C'\fR.
\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 inclusive.
The tag must be set prior to any call to \fBEVP_DecryptFinal()\fR or
\&\fBEVP_DecryptFinal_ex()\fR.
.Sp
-For \s-1GCM,\s0 this call is only valid when decrypting data.
+For GCM, this call is only valid when decrypting data.
.Sp
-For \s-1OCB,\s0 this call is valid when decrypting data to set the expected tag,
+For OCB, this call is valid when decrypting data to set the expected tag,
and when encrypting to set the desired tag length.
.Sp
-In \s-1OCB\s0 mode, calling this when encrypting with \f(CW\*(C`tag\*(C'\fR set to \f(CW\*(C`NULL\*(C'\fR sets the
-tag length. The tag length can only be set before specifying an \s-1IV.\s0 If this is
-not called prior to setting the \s-1IV\s0 during encryption, then a default tag length
-is used.
+In OCB mode, calling this with \f(CW\*(C`tag\*(C'\fR set to \f(CW\*(C`NULL\*(C'\fR sets the tag length.
+The tag length can only be set before specifying an IV. If this is not called
+prior to setting the IV, then a default tag length is used.
.Sp
-For \s-1OCB AES,\s0 the default tag length is 16 (i.e. 128 bits). It is also the
-maximum tag length for \s-1OCB.\s0
-.SS "\s-1CCM\s0 Mode"
+For OCB AES, the default tag length is 16 (i.e. 128 bits). It is also the
+maximum tag length for OCB.
+.SS "CCM Mode"
.IX Subsection "CCM Mode"
-The \s-1EVP\s0 interface for \s-1CCM\s0 mode is similar to that of the \s-1GCM\s0 mode but with a
+The EVP interface for CCM mode is similar to that of the GCM mode but with a
few additional requirements and different \fIctrl\fR values.
.PP
-For \s-1CCM\s0 mode, the total plaintext or ciphertext length \fB\s-1MUST\s0\fR be passed to
+For CCM mode, the total plaintext or ciphertext length \fBMUST\fR be passed to
\&\fBEVP_CipherUpdate()\fR, \fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR with the output
-and input parameters (\fIin\fR and \fIout\fR) set to \fB\s-1NULL\s0\fR and the length passed in
+and input parameters (\fIin\fR and \fIout\fR) set to NULL and the length passed in
the \fIinl\fR parameter.
.PP
-The following \fIctrl\fRs are supported in \s-1CCM\s0 mode.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4
+The following \fIctrl\fRs are supported in CCM mode.
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)"
-This call is made to set the expected \fB\s-1CCM\s0\fR tag value when decrypting or
-the length of the tag (with the \f(CW\*(C`tag\*(C'\fR parameter set to \s-1NULL\s0) when encrypting.
+This call is made to set the expected \fBCCM\fR tag value when decrypting or
+the length of the tag (with the \f(CW\*(C`tag\*(C'\fR parameter set to NULL) when encrypting.
The tag length is often referred to as \fBM\fR. If not set a default value is
-used (12 for \s-1AES\s0). When decrypting, the tag needs to be set before passing
-in data to be decrypted, but as in \s-1GCM\s0 and \s-1OCB\s0 mode, it can be set after
-passing additional authenticated data (see \*(L"\s-1AEAD INTERFACE\*(R"\s0).
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_CCM_SET_L,\s0 ivlen, \s-1NULL\s0)" 4
+used (12 for AES). When decrypting, the tag needs to be set before passing
+in data to be decrypted, but as in GCM and OCB mode, it can be set after
+passing additional authenticated data (see "AEAD INTERFACE").
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)"
-Sets the \s-1CCM\s0 \fBL\fR value. If not set a default is used (8 for \s-1AES\s0).
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4
+Sets the CCM \fBL\fR value. If not set a default is used (8 for AES).
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)"
-Sets the \s-1CCM\s0 nonce (\s-1IV\s0) length. This call can only be made before specifying a
+Sets the CCM nonce (IV) length. This call can only be made before specifying a
nonce value. The nonce length is given by \fB15 \- L\fR so it is 7 by default for
-\&\s-1AES.\s0
-.SS "\s-1SIV\s0 Mode"
+AES.
+.SS "SIV Mode"
.IX Subsection "SIV Mode"
-For \s-1SIV\s0 mode ciphers the behaviour of the \s-1EVP\s0 interface is subtly
+Both the AES-SIV and AES-GCM-SIV ciphers fall under this mode.
+.PP
+For SIV mode ciphers the behaviour of the EVP interface is subtly
altered and several additional ctrl operations are supported.
.PP
-To specify any additional authenticated data (\s-1AAD\s0) and/or a Nonce, a call to
+To specify any additional authenticated data (AAD) and/or a Nonce, a call to
\&\fBEVP_CipherUpdate()\fR, \fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made
-with the output parameter \fIout\fR set to \fB\s-1NULL\s0\fR.
+with the output parameter \fIout\fR set to NULL.
.PP
-\&\s-1RFC5297\s0 states that the Nonce is the last piece of \s-1AAD\s0 before the actual
-encrypt/decrypt takes place. The \s-1API\s0 does not differentiate the Nonce from
-other \s-1AAD.\s0
+RFC5297 states that the Nonce is the last piece of AAD before the actual
+encrypt/decrypt takes place. The API does not differentiate the Nonce from
+other AAD.
.PP
When decrypting the return value of \fBEVP_DecryptFinal()\fR or \fBEVP_CipherFinal()\fR
indicates if the operation was successful. If it does not indicate success
-the authentication operation has failed and any output data \fB\s-1MUST NOT\s0\fR
+the authentication operation has failed and any output data \fBMUST NOT\fR
be used as it is corrupted.
.PP
-The \s-1API\s0 does not store the the \s-1SIV\s0 (Synthetic Initialization Vector) in
-the cipher text. Instead, it is stored as the tag within the \s-1EVP_CIPHER_CTX.\s0
-The \s-1SIV\s0 must be retrieved from the context after encryption, and set into
+The API does not store the SIV (Synthetic Initialization Vector) in
+the cipher text. Instead, it is stored as the tag within the EVP_CIPHER_CTX.
+The SIV must be retrieved from the context after encryption, and set into
the context before decryption.
.PP
-This differs from \s-1RFC5297\s0 in that the cipher output from encryption, and
-the cipher input to decryption, does not contain the \s-1SIV.\s0 This also means
+This differs from RFC5297 in that the cipher output from encryption, and
+the cipher input to decryption, does not contain the SIV. This also means
that the plain text and cipher text lengths are identical.
.PP
-The following ctrls are supported in \s-1SIV\s0 mode, and are used to get and set
+The following ctrls are supported in SIV mode, and are used to get and set
the Synthetic Initialization Vector:
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag);" 4
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag);" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag);"
Writes \fItaglen\fR bytes of the tag value (the Synthetic Initialization Vector)
to the buffer indicated by \fItag\fR. This call can only be made when encrypting
data and \fBafter\fR all data has been processed (e.g. after an \fBEVP_EncryptFinal()\fR
-call). For \s-1SIV\s0 mode the taglen must be 16.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag);" 4
+call). For SIV mode the taglen must be 16.
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag);" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag);"
Sets the expected tag (the Synthetic Initialization Vector) to \fItaglen\fR
bytes from \fItag\fR. This call is only legal when decrypting data and must be
made \fBbefore\fR any data is processed (e.g. before any \fBEVP_DecryptUpdate()\fR
-calls). For \s-1SIV\s0 mode the taglen must be 16.
+calls). For SIV mode the taglen must be 16.
.PP
-\&\s-1SIV\s0 mode makes two passes over the input data, thus, only one call to
+SIV mode makes two passes over the input data, thus, only one call to
\&\fBEVP_CipherUpdate()\fR, \fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made
-with \fIout\fR set to a non\-\fB\s-1NULL\s0\fR value. A call to \fBEVP_DecryptFinal()\fR or
+with \fIout\fR set to a non-NULL value. A call to \fBEVP_DecryptFinal()\fR or
\&\fBEVP_CipherFinal()\fR is not required, but will indicate if the update
operation succeeded.
-.SS "ChaCha20\-Poly1305"
+.SS ChaCha20\-Poly1305
.IX Subsection "ChaCha20-Poly1305"
-The following \fIctrl\fRs are supported for the ChaCha20\-Poly1305 \s-1AEAD\s0 algorithm.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4
+The following \fIctrl\fRs are supported for the ChaCha20\-Poly1305 AEAD algorithm.
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)"
Sets the nonce length. This call is now redundant since the only valid value
is the default length of 12 (i.e. 96 bits).
Prior to OpenSSL 3.0 a nonce of less than 12 bytes could be used to automatically
pad the iv with leading 0 bytes to make it 12 bytes in length.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag)" 4
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)"
Writes \f(CW\*(C`taglen\*(C'\fR bytes of the tag value to the buffer indicated by \f(CW\*(C`tag\*(C'\fR.
This call can only be made when encrypting data and \fBafter\fR all data has been
processed (e.g. after an \fBEVP_EncryptFinal()\fR call).
.Sp
-\&\f(CW\*(C`taglen\*(C'\fR specified here must be 16 (\fB\s-1POLY1305_BLOCK_SIZE\s0\fR, i.e. 128\-bits) or
+\&\f(CW\*(C`taglen\*(C'\fR specified here must be 16 (\fBPOLY1305_BLOCK_SIZE\fR, i.e. 128\-bits) or
less.
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)"
Sets the expected tag to \f(CW\*(C`taglen\*(C'\fR bytes from \f(CW\*(C`tag\*(C'\fR.
-The tag length can only be set before specifying an \s-1IV.\s0
-\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 (\fB\s-1POLY1305_BLOCK_SIZE\s0\fR) inclusive.
+The tag length can only be set before specifying an IV.
+\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 (\fBPOLY1305_BLOCK_SIZE\fR) inclusive.
This call is only valid when decrypting data.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Where possible the \fB\s-1EVP\s0\fR interface to symmetric ciphers should be used in
+Where possible the \fBEVP\fR interface to symmetric ciphers should be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the cipher used and much more flexible. Additionally, the
-\&\fB\s-1EVP\s0\fR interface will ensure the use of platform specific cryptographic
+\&\fBEVP\fR interface will ensure the use of platform specific cryptographic
acceleration such as AES-NI (the low-level interfaces do not provide the
guarantee).
.PP
-\&\s-1PKCS\s0 padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total
+PKCS padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total
length of the encrypted data a multiple of the block size. Padding is always
added so if the data is already a multiple of the block size \fBn\fR will equal
the block size. For example if the block size is 8 and 11 bytes are to be
@@ -1460,31 +1548,31 @@ There are some differences between functions \fBEVP_CipherInit()\fR and
\&\fBEVP_CipherInit_ex()\fR, significant in some circumstances. \fBEVP_CipherInit()\fR fills
the passed context object with zeros. As a consequence, \fBEVP_CipherInit()\fR does
not allow step-by-step initialization of the ctx when the \fIkey\fR and \fIiv\fR are
-passed in separate calls. It also means that the flags set for the \s-1CTX\s0 are
+passed in separate calls. It also means that the flags set for the CTX are
removed, and it is especially important for the
-\&\fB\s-1EVP_CIPHER_CTX_FLAG_WRAP_ALLOW\s0\fR flag treated specially in
+\&\fBEVP_CIPHER_CTX_FLAG_WRAP_ALLOW\fR flag treated specially in
\&\fBEVP_CipherInit_ex()\fR.
.PP
-Ignoring failure returns of the \fB\s-1EVP_CIPHER_CTX\s0\fR initialization functions can
+Ignoring failure returns of the \fBEVP_CIPHER_CTX\fR initialization functions can
lead to subsequent undefined behavior when calling the functions that update or
-finalize the context. The only valid calls on the \fB\s-1EVP_CIPHER_CTX\s0\fR when
+finalize the context. The only valid calls on the \fBEVP_CIPHER_CTX\fR when
initialization fails are calls that attempt another initialization of the
context or release the context.
.PP
\&\fBEVP_get_cipherbynid()\fR, and \fBEVP_get_cipherbyobj()\fR are implemented as macros.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-\&\fB\s-1EVP_MAX_KEY_LENGTH\s0\fR and \fB\s-1EVP_MAX_IV_LENGTH\s0\fR only refer to the internal
+\&\fBEVP_MAX_KEY_LENGTH\fR and \fBEVP_MAX_IV_LENGTH\fR only refer to the internal
ciphers with default key lengths. If custom ciphers exceed these values the
results are unpredictable. This is because it has become standard practice to
define a generic key as a fixed unsigned char array containing
-\&\fB\s-1EVP_MAX_KEY_LENGTH\s0\fR bytes.
+\&\fBEVP_MAX_KEY_LENGTH\fR bytes.
.PP
-The \s-1ASN1\s0 code is incomplete (and sometimes inaccurate) it has only been tested
-for certain common S/MIME ciphers (\s-1RC2, DES,\s0 triple \s-1DES\s0) in \s-1CBC\s0 mode.
-.SH "EXAMPLES"
+The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
+for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Encrypt a string using \s-1IDEA:\s0
+Encrypt a string using IDEA:
.PP
.Vb 10
\& int do_crypt(char *outfile)
@@ -1549,7 +1637,7 @@ utility with the command line (shown on two lines for clarity):
\& \-K 000102030405060708090A0B0C0D0E0F \-iv 0102030405060708 <filename
.Ve
.PP
-General encryption and decryption function example using \s-1FILE I/O\s0 and \s-1AES128\s0
+General encryption and decryption function example using FILE I/O and AES128
with a 128\-bit key:
.PP
.Vb 12
@@ -1607,7 +1695,7 @@ with a 128\-bit key:
\& }
.Ve
.PP
-Encryption using AES-CBC with a 256\-bit key with \*(L"\s-1CS1\*(R"\s0 ciphertext stealing.
+Encryption using AES-CBC with a 256\-bit key with "CS1" ciphertext stealing.
.PP
.Vb 10
\& int encrypt(const unsigned char *key, const unsigned char *iv,
@@ -1656,7 +1744,7 @@ Encryption using AES-CBC with a 256\-bit key with \*(L"\s-1CS1\*(R"\s0 ciphertex
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBproperty\fR\|(7),
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7),
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7),
\&\fBprovider\-cipher\fR\|(7),
\&\fBlife_cycle\-cipher\fR\|(7)
.PP
@@ -1676,11 +1764,11 @@ Supported ciphers are listed in:
\&\fBEVP_rc5_32_12_16_cbc\fR\|(3),
\&\fBEVP_seed_cbc\fR\|(3),
\&\fBEVP_sm4_cbc\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-Support for \s-1OCB\s0 mode was added in OpenSSL 1.1.0.
+Support for OCB mode was added in OpenSSL 1.1.0.
.PP
-\&\fB\s-1EVP_CIPHER_CTX\s0\fR was made opaque in OpenSSL 1.1.0. As a result,
+\&\fBEVP_CIPHER_CTX\fR was made opaque in OpenSSL 1.1.0. As a result,
\&\fBEVP_CIPHER_CTX_reset()\fR appeared and \fBEVP_CIPHER_CTX_cleanup()\fR
disappeared. \fBEVP_CIPHER_CTX_init()\fR remains as an alias for
\&\fBEVP_CIPHER_CTX_reset()\fR.
@@ -1712,11 +1800,19 @@ The \fBEVP_CIPHER_CTX_encrypting()\fR function was renamed to
non-deprecated alias macro.
.PP
The \fBEVP_CIPHER_CTX_flags()\fR macro was deprecated in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBEVP_CIPHER_CTX_dup()\fR was added in OpenSSL 3.2.
+.PP
+\&\fBEVP_CipherInit_SKEY()\fR was added in OpenSSL 3.5.
+.PP
+Prior to OpenSSL 3.5, passing a NULL \fIctx\fR to
+\&\fBEVP_CIPHER_CTX_get_block_size()\fR would result in a NULL pointer dereference,
+rather than a 0 return value indicating an error.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_KDF.3 b/secure/lib/libcrypto/man/man3/EVP_KDF.3
index 657e4e61d7da..fa51ec4eede1 100644
--- a/secure/lib/libcrypto/man/man3/EVP_KDF.3
+++ b/secure/lib/libcrypto/man/man3/EVP_KDF.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF 3ossl"
-.TH EVP_KDF 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF, EVP_KDF_fetch, EVP_KDF_free, EVP_KDF_up_ref,
EVP_KDF_CTX, EVP_KDF_CTX_new, EVP_KDF_CTX_free, EVP_KDF_CTX_dup,
EVP_KDF_CTX_reset, EVP_KDF_derive,
@@ -147,7 +71,7 @@ EVP_KDF_CTX_get_params, EVP_KDF_CTX_set_params, EVP_KDF_do_all_provided,
EVP_KDF_get_params, EVP_KDF_gettable_params,
EVP_KDF_gettable_ctx_params, EVP_KDF_settable_ctx_params,
EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params \- EVP KDF routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
@@ -155,7 +79,7 @@ EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params \- EVP KDF routines
\& typedef struct evp_kdf_st EVP_KDF;
\& typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
\&
-\& EVP_KDF_CTX *EVP_KDF_CTX_new(const EVP_KDF *kdf);
+\& EVP_KDF_CTX *EVP_KDF_CTX_new(EVP_KDF *kdf);
\& const EVP_KDF *EVP_KDF_CTX_kdf(EVP_KDF_CTX *ctx);
\& void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
\& EVP_KDF_CTX *EVP_KDF_CTX_dup(const EVP_KDF_CTX *src);
@@ -187,46 +111,46 @@ EVP_KDF_CTX_gettable_params, EVP_KDF_CTX_settable_params \- EVP KDF routines
\& const OSSL_PARAM *EVP_KDF_CTX_settable_params(const EVP_KDF *kdf);
\& const OSSL_PROVIDER *EVP_KDF_get0_provider(const EVP_KDF *kdf);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP KDF\s0 routines are a high-level interface to Key Derivation Function
+The EVP KDF routines are a high-level interface to Key Derivation Function
algorithms and should be used instead of algorithm-specific functions.
.PP
-After creating a \fB\s-1EVP_KDF_CTX\s0\fR for the required algorithm using
+After creating a \fBEVP_KDF_CTX\fR for the required algorithm using
\&\fBEVP_KDF_CTX_new()\fR, inputs to the algorithm are supplied either by
passing them as part of the \fBEVP_KDF_derive()\fR call or using calls
to \fBEVP_KDF_CTX_set_params()\fR before calling \fBEVP_KDF_derive()\fR to derive
the key.
-.SS "Types"
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1EVP_KDF\s0\fR is a type that holds the implementation of a \s-1KDF.\s0
+\&\fBEVP_KDF\fR is a type that holds the implementation of a KDF.
.PP
-\&\fB\s-1EVP_KDF_CTX\s0\fR is a context type that holds the algorithm inputs.
+\&\fBEVP_KDF_CTX\fR is a context type that holds the algorithm inputs.
.SS "Algorithm implementation fetching"
.IX Subsection "Algorithm implementation fetching"
-\&\fBEVP_KDF_fetch()\fR fetches an implementation of a \s-1KDF\s0 \fIalgorithm\fR, given
+\&\fBEVP_KDF_fetch()\fR fetches an implementation of a KDF \fIalgorithm\fR, given
a library context \fIlibctx\fR and a set of \fIproperties\fR.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
-See \*(L"Key Derivation Function (\s-1KDF\s0)\*(R" in \fBOSSL_PROVIDER\-default\fR\|(7) for the lists of
+See "Key Derivation Function (KDF)" in \fBOSSL_PROVIDER\-default\fR\|(7) for the lists of
algorithms supported by the default provider.
.PP
The returned value must eventually be freed with
\&\fBEVP_KDF_free\fR\|(3).
.PP
\&\fBEVP_KDF_up_ref()\fR increments the reference count of an already fetched
-\&\s-1KDF.\s0
+KDF.
.PP
\&\fBEVP_KDF_free()\fR frees a fetched algorithm.
-\&\s-1NULL\s0 is a valid parameter, for which this function is a no-op.
+NULL is a valid parameter, for which this function is a no-op.
.SS "Context manipulation functions"
.IX Subsection "Context manipulation functions"
-\&\fBEVP_KDF_CTX_new()\fR creates a new context for the \s-1KDF\s0 implementation \fIkdf\fR.
+\&\fBEVP_KDF_CTX_new()\fR creates a new context for the KDF implementation \fIkdf\fR.
.PP
-\&\fBEVP_KDF_CTX_free()\fR frees up the context \fIctx\fR. If \fIctx\fR is \s-1NULL,\s0 nothing
+\&\fBEVP_KDF_CTX_free()\fR frees up the context \fIctx\fR. If \fIctx\fR is NULL, nothing
is done.
.PP
-\&\fBEVP_KDF_CTX_kdf()\fR returns the \fB\s-1EVP_KDF\s0\fR associated with the context
+\&\fBEVP_KDF_CTX_kdf()\fR returns the \fBEVP_KDF\fR associated with the context
\&\fIctx\fR.
.SS "Computing functions"
.IX Subsection "Computing functions"
@@ -262,19 +186,19 @@ simply ignored.
Also, what happens when a needed parameter isn't passed down is
defined by the implementation.
.PP
-\&\fBEVP_KDF_gettable_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes
+\&\fBEVP_KDF_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes
the retrievable and settable parameters. \fBEVP_KDF_gettable_params()\fR
returns parameters that can be used with \fBEVP_KDF_get_params()\fR.
.PP
\&\fBEVP_KDF_gettable_ctx_params()\fR and \fBEVP_KDF_CTX_gettable_params()\fR
-return constant \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays that describe the retrievable
+return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable
parameters that can be used with \fBEVP_KDF_CTX_get_params()\fR.
\&\fBEVP_KDF_gettable_ctx_params()\fR returns the parameters that can be retrieved
from the algorithm, whereas \fBEVP_KDF_CTX_gettable_params()\fR returns
the parameters that can be retrieved in the context's current state.
.PP
\&\fBEVP_KDF_settable_ctx_params()\fR and \fBEVP_KDF_CTX_settable_params()\fR return
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays that describe the settable parameters that
+constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that
can be used with \fBEVP_KDF_CTX_set_params()\fR. \fBEVP_KDF_settable_ctx_params()\fR
returns the parameters that can be retrieved from the algorithm,
whereas \fBEVP_KDF_CTX_settable_params()\fR returns the parameters that can
@@ -282,7 +206,7 @@ be retrieved in the context's current state.
.SS "Information functions"
.IX Subsection "Information functions"
\&\fBEVP_KDF_CTX_get_kdf_size()\fR returns the output size if the algorithm produces a fixed amount
-of output and \fB\s-1SIZE_MAX\s0\fR otherwise. If an error occurs then 0 is returned.
+of output and \fBSIZE_MAX\fR otherwise. If an error occurs then 0 is returned.
For some algorithms an error may result if input parameters necessary to
calculate a fixed output size have not yet been supplied.
.PP
@@ -292,12 +216,12 @@ algorithm that's identifiable with \fIname\fR, otherwise 0.
\&\fBEVP_KDF_get0_provider()\fR returns the provider that holds the implementation
of the given \fIkdf\fR.
.PP
-\&\fBEVP_KDF_do_all_provided()\fR traverses all \s-1KDF\s0 implemented by all activated
+\&\fBEVP_KDF_do_all_provided()\fR traverses all KDF implemented by all activated
providers in the given library context \fIlibctx\fR, and for each of the
implementations, calls the given function \fIfn\fR with the implementation method
and the given \fIarg\fR as argument.
.PP
-\&\fBEVP_KDF_get0_name()\fR return the name of the given \s-1KDF.\s0 For fetched KDFs
+\&\fBEVP_KDF_get0_name()\fR return the name of the given KDF. For fetched KDFs
with multiple names, only one of them is returned; it's
recommended to use \fBEVP_KDF_names_do_all()\fR instead.
.PP
@@ -307,44 +231,37 @@ recommended to use \fBEVP_KDF_names_do_all()\fR instead.
\&\fBEVP_KDF_get0_description()\fR returns a description of the \fIkdf\fR, meant for
display and human consumption. The description is at the discretion of
the \fIkdf\fR implementation.
-.SH "PARAMETERS"
+.SH PARAMETERS
.IX Header "PARAMETERS"
The standard parameter names are:
-.ie n .IP """pass"" (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.el .IP "``pass'' (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.IX Item "pass (OSSL_KDF_PARAM_PASSWORD) <octet string>"
-Some \s-1KDF\s0 implementations require a password.
-For those \s-1KDF\s0 implementations that support it, this parameter sets the password.
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
-Some \s-1KDF\s0 implementations can take a non-secret unique cryptographic salt.
-For those \s-1KDF\s0 implementations that support it, this parameter sets the salt.
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+Some KDF implementations require a password.
+For those KDF implementations that support it, this parameter sets the password.
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+Some KDF implementations can take a non-secret unique cryptographic salt.
+For those KDF implementations that support it, this parameter sets the salt.
.Sp
The default value, if any, is implementation dependent.
-.ie n .IP """iter"" (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.el .IP "``iter'' (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.IX Item "iter (OSSL_KDF_PARAM_ITER) <unsigned integer>"
-Some \s-1KDF\s0 implementations require an iteration count.
-For those \s-1KDF\s0 implementations that support it, this parameter sets the
+.IP """iter"" (\fBOSSL_KDF_PARAM_ITER\fR) <unsigned integer>" 4
+.IX Item """iter"" (OSSL_KDF_PARAM_ITER) <unsigned integer>"
+Some KDF implementations require an iteration count.
+For those KDF implementations that support it, this parameter sets the
iteration count.
.Sp
The default value, if any, is implementation dependent.
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """mac"" (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_KDF_PARAM_MAC) <UTF8 string>"
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """cipher"" (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
+.IP """mac"" (\fBOSSL_KDF_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_KDF_PARAM_MAC) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_KDF_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
.PD
-For \s-1KDF\s0 implementations that use an underlying computation \s-1MAC,\s0 digest or
+For KDF implementations that use an underlying computation MAC, digest or
cipher, these parameters set what the algorithm should be.
.Sp
The value is always the name of the intended algorithm,
@@ -352,36 +269,32 @@ or the properties.
.Sp
Note that not all algorithms may support all possible underlying
implementations.
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
-Some \s-1KDF\s0 implementations require a key.
-For those \s-1KDF\s0 implementations that support it, this octet string parameter
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
+Some KDF implementations require a key.
+For those KDF implementations that support it, this octet string parameter
sets the key.
-.ie n .IP """info"" (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.IX Item "info (OSSL_KDF_PARAM_INFO) <octet string>"
-Some \s-1KDF\s0 implementations, such as \s-1\fBEVP_KDF\-HKDF\s0\fR\|(7), take an 'info' parameter
+.IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4
+.IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>"
+Some KDF implementations, such as \fBEVP_KDF\-HKDF\fR\|(7), take an 'info' parameter
for binding the derived key material
to application\- and context-specific information.
This parameter sets the info, fixed info, other info or shared info argument.
You can specify this parameter multiple times, and each instance will
be concatenated to form the final value.
-.ie n .IP """maclen"" (\fB\s-1OSSL_KDF_PARAM_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``maclen'' (\fB\s-1OSSL_KDF_PARAM_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "maclen (OSSL_KDF_PARAM_MAC_SIZE) <unsigned integer>"
-Used by implementations that use a \s-1MAC\s0 with a variable output size (\s-1KMAC\s0).
-For those \s-1KDF\s0 implementations that support it, this parameter
-sets the \s-1MAC\s0 output size.
+.IP """maclen"" (\fBOSSL_KDF_PARAM_MAC_SIZE\fR) <unsigned integer>" 4
+.IX Item """maclen"" (OSSL_KDF_PARAM_MAC_SIZE) <unsigned integer>"
+Used by implementations that use a MAC with a variable output size (KMAC).
+For those KDF implementations that support it, this parameter
+sets the MAC output size.
.Sp
The default value, if any, is implementation dependent.
The length must never exceed what can be given with a \fBsize_t\fR.
-.ie n .IP """maxmem_bytes"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_MAXMEM\s0\fR) <unsigned integer>" 4
-.el .IP "``maxmem_bytes'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_MAXMEM\s0\fR) <unsigned integer>" 4
-.IX Item "maxmem_bytes (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>"
-Memory-hard password-based \s-1KDF\s0 algorithms, such as scrypt, use an amount of
+.IP """maxmem_bytes"" (\fBOSSL_KDF_PARAM_SCRYPT_MAXMEM\fR) <unsigned integer>" 4
+.IX Item """maxmem_bytes"" (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>"
+Memory-hard password-based KDF algorithms, such as scrypt, use an amount of
memory that depends on the load factors provided as input.
-For those \s-1KDF\s0 implementations that support it, this \fBuint64_t\fR parameter sets
+For those KDF implementations that support it, this \fBuint64_t\fR parameter sets
an upper limit on the amount of memory that may be consumed while performing
a key derivation.
If this memory usage limit is exceeded because the load factors are chosen
@@ -391,47 +304,45 @@ The default value is implementation dependent.
The memory size must never exceed what can be given with a \fBsize_t\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_KDF_fetch()\fR returns a pointer to a newly fetched \fB\s-1EVP_KDF\s0\fR, or
-\&\s-1NULL\s0 if allocation failed.
+\&\fBEVP_KDF_fetch()\fR returns a pointer to a newly fetched \fBEVP_KDF\fR, or
+NULL if allocation failed.
.PP
-\&\fBEVP_KDF_get0_provider()\fR returns a pointer to the provider for the \s-1KDF,\s0 or
-\&\s-1NULL\s0 on error.
+\&\fBEVP_KDF_get0_provider()\fR returns a pointer to the provider for the KDF, or
+NULL on error.
.PP
\&\fBEVP_KDF_up_ref()\fR returns 1 on success, 0 on error.
.PP
\&\fBEVP_KDF_CTX_new()\fR returns either the newly allocated
-\&\fB\s-1EVP_KDF_CTX\s0\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBEVP_KDF_CTX\fR structure or NULL if an error occurred.
.PP
\&\fBEVP_KDF_CTX_free()\fR and \fBEVP_KDF_CTX_reset()\fR do not return a value.
.PP
-\&\fBEVP_KDF_CTX_get_kdf_size()\fR returns the output size. \fB\s-1SIZE_MAX\s0\fR is returned to indicate
+\&\fBEVP_KDF_CTX_get_kdf_size()\fR returns the output size. \fBSIZE_MAX\fR is returned to indicate
that the algorithm produces a variable amount of output; 0 to indicate failure.
.PP
-\&\fBEVP_KDF_get0_name()\fR returns the name of the \s-1KDF,\s0 or \s-1NULL\s0 on error.
+\&\fBEVP_KDF_get0_name()\fR returns the name of the KDF, or NULL on error.
.PP
\&\fBEVP_KDF_names_do_all()\fR returns 1 if the callback was called for all names. A
return value of 0 means that the callback was not called for any names.
.PP
-The remaining functions return 1 for success and 0 or a negative value for
-failure. In particular, a return value of \-2 indicates the operation is not
-supported by the \s-1KDF\s0 algorithm.
-.SH "NOTES"
+The remaining functions return 1 for success and 0 for failure.
+.SH NOTES
.IX Header "NOTES"
-The \s-1KDF\s0 life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). In the future,
+The KDF life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). In the future,
the transitions described there will be enforced. When this is done, it will
-not be considered a breaking change to the \s-1API.\s0
+not be considered a breaking change to the API.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\*(L"Key Derivation Function (\s-1KDF\s0)\*(R" in \fBOSSL_PROVIDER\-default\fR\|(7),
+"Key Derivation Function (KDF)" in \fBOSSL_PROVIDER\-default\fR\|(7),
\&\fBlife_cycle\-kdf\fR\|(7).
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_KEM_free.3 b/secure/lib/libcrypto/man/man3/EVP_KEM_free.3
index d8027fc8af63..51e538f0a970 100644
--- a/secure/lib/libcrypto/man/man3/EVP_KEM_free.3
+++ b/secure/lib/libcrypto/man/man3/EVP_KEM_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEM_FREE 3ossl"
-.TH EVP_KEM_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEM_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEM_fetch, EVP_KEM_free, EVP_KEM_up_ref,
EVP_KEM_get0_name, EVP_KEM_is_a, EVP_KEM_get0_provider,
EVP_KEM_do_all_provided, EVP_KEM_names_do_all, EVP_KEM_get0_description,
EVP_KEM_gettable_ctx_params, EVP_KEM_settable_ctx_params
\&\- Functions to manage EVP_KEM algorithm objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -162,22 +86,23 @@ EVP_KEM_gettable_ctx_params, EVP_KEM_settable_ctx_params
\& const OSSL_PARAM *EVP_KEM_gettable_ctx_params(const EVP_KEM *kem);
\& const OSSL_PARAM *EVP_KEM_settable_ctx_params(const EVP_KEM *kem);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_KEM_fetch()\fR fetches the implementation for the given \fBalgorithm\fR from any
provider offering it, within the criteria given by the \fBproperties\fR and in the
-scope of the given library context \fBctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)). The algorithm
+scope of the given library context \fBctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)). The algorithm
will be one offering functions for performing asymmetric kem related tasks such
as key encapsulation and decapsulation.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
The returned value must eventually be freed with \fBEVP_KEM_free()\fR.
.PP
-\&\fBEVP_KEM_free()\fR decrements the reference count for the \fB\s-1EVP_KEM\s0\fR structure.
+\&\fBEVP_KEM_free()\fR decrements the reference count for the \fBEVP_KEM\fR structure.
Typically this structure will have been obtained from an earlier call to
\&\fBEVP_KEM_fetch()\fR. If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
.PP
-\&\fBEVP_KEM_up_ref()\fR increments the reference count for an \fB\s-1EVP_KEM\s0\fR structure.
+\&\fBEVP_KEM_up_ref()\fR increments the reference count for an \fBEVP_KEM\fR structure.
.PP
\&\fBEVP_KEM_is_a()\fR returns 1 if \fIkem\fR is an implementation of an
algorithm that's identifiable with \fIname\fR, otherwise 0.
@@ -203,12 +128,12 @@ display and human consumption. The description is at the discretion of
the \fIkem\fR implementation.
.PP
\&\fBEVP_KEM_gettable_ctx_params()\fR and \fBEVP_KEM_settable_ctx_params()\fR return
-a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the names and types of key
+a constant \fBOSSL_PARAM\fR\|(3) array that describes the names and types of key
parameters that can be retrieved or set by a key encapsulation algorithm using
\&\fBEVP_PKEY_CTX_get_params\fR\|(3) and \fBEVP_PKEY_CTX_set_params\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_KEM_fetch()\fR returns a pointer to an \fB\s-1EVP_KEM\s0\fR for success or \fB\s-1NULL\s0\fR for
+\&\fBEVP_KEM_fetch()\fR returns a pointer to an \fBEVP_KEM\fR for success or \fBNULL\fR for
failure.
.PP
\&\fBEVP_KEM_up_ref()\fR returns 1 for success or 0 otherwise.
@@ -217,18 +142,18 @@ failure.
return value of 0 means that the callback was not called for any names.
.PP
\&\fBEVP_KEM_gettable_ctx_params()\fR and \fBEVP_KEM_settable_ctx_params()\fR return
-a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array or \s-1NULL\s0 on error.
+a constant \fBOSSL_PARAM\fR\|(3) array or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7), \s-1\fBOSSL_PROVIDER\s0\fR\|(3)
-.SH "HISTORY"
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7), \fBOSSL_PROVIDER\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3 b/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3
index aa7bfaf7b646..46d5c097c3ce 100644
--- a/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3
+++ b/secure/lib/libcrypto/man/man3/EVP_KEYEXCH_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEYEXCH_FREE 3ossl"
-.TH EVP_KEYEXCH_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEYEXCH_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEYEXCH_fetch, EVP_KEYEXCH_free, EVP_KEYEXCH_up_ref,
EVP_KEYEXCH_get0_provider, EVP_KEYEXCH_is_a, EVP_KEYEXCH_do_all_provided,
EVP_KEYEXCH_names_do_all, EVP_KEYEXCH_get0_name, EVP_KEYEXCH_get0_description,
EVP_KEYEXCH_gettable_ctx_params, EVP_KEYEXCH_settable_ctx_params
\&\- Functions to manage EVP_KEYEXCH algorithm objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -164,21 +88,21 @@ EVP_KEYEXCH_gettable_ctx_params, EVP_KEYEXCH_settable_ctx_params
\& const OSSL_PARAM *EVP_KEYEXCH_gettable_ctx_params(const EVP_KEYEXCH *keyexch);
\& const OSSL_PARAM *EVP_KEYEXCH_settable_ctx_params(const EVP_KEYEXCH *keyexch);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_KEYEXCH_fetch()\fR fetches the key exchange implementation for the given
\&\fIalgorithm\fR from any provider offering it, within the criteria given
by the \fIproperties\fR.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
The returned value must eventually be freed with \fBEVP_KEYEXCH_free()\fR.
.PP
-\&\fBEVP_KEYEXCH_free()\fR decrements the reference count for the \fB\s-1EVP_KEYEXCH\s0\fR
+\&\fBEVP_KEYEXCH_free()\fR decrements the reference count for the \fBEVP_KEYEXCH\fR
structure. Typically this structure will have been obtained from an earlier call
to \fBEVP_KEYEXCH_fetch()\fR. If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
.PP
-\&\fBEVP_KEYEXCH_up_ref()\fR increments the reference count for an \fB\s-1EVP_KEYEXCH\s0\fR
+\&\fBEVP_KEYEXCH_up_ref()\fR increments the reference count for an \fBEVP_KEYEXCH\fR
structure.
.PP
\&\fBEVP_KEYEXCH_get0_provider()\fR returns the provider that \fIexchange\fR was
@@ -206,13 +130,13 @@ of the implementations, calls \fIfn\fR with the implementation method and
\&\fIdata\fR as arguments.
.PP
\&\fBEVP_KEYEXCH_gettable_ctx_params()\fR and \fBEVP_KEYEXCH_settable_ctx_params()\fR return
-a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the names and types of key
+a constant \fBOSSL_PARAM\fR\|(3) array that describes the names and types of key
parameters that can be retrieved or set by a key exchange algorithm using
\&\fBEVP_PKEY_CTX_get_params\fR\|(3) and \fBEVP_PKEY_CTX_set_params\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_KEYEXCH_fetch()\fR returns a pointer to a \fB\s-1EVP_KEYEXCH\s0\fR for success
-or \s-1NULL\s0 for failure.
+\&\fBEVP_KEYEXCH_fetch()\fR returns a pointer to a \fBEVP_KEYEXCH\fR for success
+or NULL for failure.
.PP
\&\fBEVP_KEYEXCH_up_ref()\fR returns 1 for success or 0 otherwise.
.PP
@@ -223,18 +147,18 @@ names. A return value of 0 means that the callback was not called for any names.
otherwise 0.
.PP
\&\fBEVP_KEYEXCH_gettable_ctx_params()\fR and \fBEVP_KEYEXCH_settable_ctx_params()\fR return
-a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array or \s-1NULL\s0 on error.
+a constant \fBOSSL_PARAM\fR\|(3) array or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7), \s-1\fBOSSL_PROVIDER\s0\fR\|(3)
-.SH "HISTORY"
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7), \fBOSSL_PROVIDER\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3 b/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3
index c841aa611be7..5c22bae7d509 100644
--- a/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3
+++ b/secure/lib/libcrypto/man/man3/EVP_KEYMGMT.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEYMGMT 3ossl"
-.TH EVP_KEYMGMT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEYMGMT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEYMGMT,
EVP_KEYMGMT_fetch,
EVP_KEYMGMT_up_ref,
@@ -149,9 +73,10 @@ EVP_KEYMGMT_do_all_provided,
EVP_KEYMGMT_names_do_all,
EVP_KEYMGMT_gettable_params,
EVP_KEYMGMT_settable_params,
+EVP_KEYMGMT_gen_gettable_params,
EVP_KEYMGMT_gen_settable_params
\&\- EVP key management routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -176,10 +101,11 @@ EVP_KEYMGMT_gen_settable_params
\& const OSSL_PARAM *EVP_KEYMGMT_gettable_params(const EVP_KEYMGMT *keymgmt);
\& const OSSL_PARAM *EVP_KEYMGMT_settable_params(const EVP_KEYMGMT *keymgmt);
\& const OSSL_PARAM *EVP_KEYMGMT_gen_settable_params(const EVP_KEYMGMT *keymgmt);
+\& const OSSL_PARAM *EVP_KEYMGMT_gen_gettable_params(const EVP_KEYMGMT *keymgmt);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1EVP_KEYMGMT\s0\fR is a method object that represents key management
+\&\fBEVP_KEYMGMT\fR is a method object that represents key management
implementations for different cryptographic algorithms.
This method object provides functionality to have providers import key
material from the outside, as well as export key material to the
@@ -189,14 +115,15 @@ public interface, this object is simply passed into other functions
when needed.
.PP
\&\fBEVP_KEYMGMT_fetch()\fR looks for an algorithm within the provider that
-has been loaded into the \fB\s-1OSSL_LIB_CTX\s0\fR given by \fIctx\fR, having the
+has been loaded into the \fBOSSL_LIB_CTX\fR given by \fIctx\fR, having the
name given by \fIalgorithm\fR and the properties given by \fIproperties\fR.
.PP
\&\fBEVP_KEYMGMT_up_ref()\fR increments the reference count for the given
-\&\fB\s-1EVP_KEYMGMT\s0\fR \fIkeymgmt\fR.
+\&\fBEVP_KEYMGMT\fR \fIkeymgmt\fR.
.PP
\&\fBEVP_KEYMGMT_free()\fR decrements the reference count for the given
-\&\fB\s-1EVP_KEYMGMT\s0\fR \fIkeymgmt\fR, and when the count reaches zero, frees it.
+\&\fBEVP_KEYMGMT\fR \fIkeymgmt\fR, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
.PP
\&\fBEVP_KEYMGMT_get0_provider()\fR returns the provider that has this particular
implementation.
@@ -223,22 +150,23 @@ of the implementations, calls \fIfn\fR with the implementation method and
\&\fIdata\fR as arguments.
.PP
\&\fBEVP_KEYMGMT_gettable_params()\fR and \fBEVP_KEYMGMT_settable_params()\fR return a
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the names and types of key
+constant \fBOSSL_PARAM\fR\|(3) array that describes the names and types of key
parameters that can be retrieved or set.
\&\fBEVP_KEYMGMT_gettable_params()\fR is used by \fBEVP_PKEY_gettable_params\fR\|(3).
.PP
-\&\fBEVP_KEYMGMT_gen_settable_params()\fR returns a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that
-describes the names and types of key generation parameters that can be set via
-\&\fBEVP_PKEY_CTX_set_params\fR\|(3).
-.SH "NOTES"
+\&\fBEVP_KEYMGMT_gen_gettable_params()\fR and \fBEVP_KEYMGMT_gen_settable_params()\fR return a
+constant \fBOSSL_PARAM\fR\|(3) array that describes the names and types of key
+generation parameters that can be retrieved or set via
+\&\fBEVP_PKEY_CTX_get_params\fR\|(3) or \fBEVP_PKEY_CTX_set_params\fR\|(3) respectively.
+.SH NOTES
.IX Header "NOTES"
\&\fBEVP_KEYMGMT_fetch()\fR may be called implicitly by other fetching
functions, using the same library context and properties.
-Any other \s-1API\s0 that uses keys will typically do this.
+Any other API that uses keys will typically do this.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_KEYMGMT_fetch()\fR returns a pointer to the key management
-implementation represented by an \s-1EVP_KEYMGMT\s0 object, or \s-1NULL\s0 on
+implementation represented by an EVP_KEYMGMT object, or NULL on
error.
.PP
\&\fBEVP_KEYMGMT_up_ref()\fR returns 1 on success, or 0 on error.
@@ -248,31 +176,32 @@ names. A return value of 0 means that the callback was not called for any names.
.PP
\&\fBEVP_KEYMGMT_free()\fR doesn't return any value.
.PP
-\&\fBEVP_KEYMGMT_get0_provider()\fR returns a pointer to a provider object, or \s-1NULL\s0
+\&\fBEVP_KEYMGMT_get0_provider()\fR returns a pointer to a provider object, or NULL
on error.
.PP
\&\fBEVP_KEYMGMT_is_a()\fR returns 1 of \fIkeymgmt\fR was identifiable,
otherwise 0.
.PP
-\&\fBEVP_KEYMGMT_get0_name()\fR returns the algorithm name, or \s-1NULL\s0 on error.
+\&\fBEVP_KEYMGMT_get0_name()\fR returns the algorithm name, or NULL on error.
.PP
-\&\fBEVP_KEYMGMT_get0_description()\fR returns a pointer to a description, or \s-1NULL\s0 if
+\&\fBEVP_KEYMGMT_get0_description()\fR returns a pointer to a description, or NULL if
there isn't one.
.PP
-\&\fBEVP_KEYMGMT_gettable_params()\fR, \fBEVP_KEYMGMT_settable_params()\fR and
-\&\fBEVP_KEYMGMT_gen_settable_params()\fR return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array or
-\&\s-1NULL\s0 on error.
+\&\fBEVP_KEYMGMT_gettable_params()\fR, \fBEVP_KEYMGMT_settable_params()\fR,
+\&\fBEVP_KEYMGMT_gen_gettable_params()\fR and \fBEVP_KEYMGMT_gen_settable_params()\fR
+return a constant \fBOSSL_PARAM\fR\|(3) array or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_MD_fetch\fR\|(3), \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBEVP_MD_fetch\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The function \fBEVP_KEYMGMT_gen_gettable_params()\fR was added in OpenSSL 3.4.0
+All other functions described here were added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_MAC.3 b/secure/lib/libcrypto/man/man3/EVP_MAC.3
index 1f09c04db2b4..14f7a75f5ef4 100644
--- a/secure/lib/libcrypto/man/man3/EVP_MAC.3
+++ b/secure/lib/libcrypto/man/man3/EVP_MAC.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,86 +52,26 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC 3ossl"
-.TH EVP_MAC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC, EVP_MAC_fetch, EVP_MAC_up_ref, EVP_MAC_free, EVP_MAC_is_a,
EVP_MAC_get0_name, EVP_MAC_names_do_all, EVP_MAC_get0_description,
EVP_MAC_get0_provider, EVP_MAC_get_params, EVP_MAC_gettable_params,
EVP_MAC_CTX, EVP_MAC_CTX_new, EVP_MAC_CTX_free, EVP_MAC_CTX_dup,
EVP_MAC_CTX_get0_mac, EVP_MAC_CTX_get_params, EVP_MAC_CTX_set_params,
EVP_MAC_CTX_get_mac_size, EVP_MAC_CTX_get_block_size, EVP_Q_mac,
-EVP_MAC_init, EVP_MAC_update, EVP_MAC_final, EVP_MAC_finalXOF,
+EVP_MAC_init, EVP_MAC_init_SKEY, EVP_MAC_update, EVP_MAC_final, EVP_MAC_finalXOF,
EVP_MAC_gettable_ctx_params, EVP_MAC_settable_ctx_params,
EVP_MAC_CTX_gettable_params, EVP_MAC_CTX_settable_params,
EVP_MAC_do_all_provided \- EVP MAC routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -184,6 +108,7 @@ EVP_MAC_do_all_provided \- EVP MAC routines
\& unsigned char *out, size_t outsize, size_t *outlen);
\& int EVP_MAC_init(EVP_MAC_CTX *ctx, const unsigned char *key, size_t keylen,
\& const OSSL_PARAM params[]);
+\& int EVP_MAC_init_SKEY(EVP_MAC_CTX *ctx, EVP_SKEY *skey, const OSSL_PARAM params[]);
\& int EVP_MAC_update(EVP_MAC_CTX *ctx, const unsigned char *data, size_t datalen);
\& int EVP_MAC_final(EVP_MAC_CTX *ctx,
\& unsigned char *out, size_t *outl, size_t outsize);
@@ -199,99 +124,105 @@ EVP_MAC_do_all_provided \- EVP MAC routines
\& void (*fn)(EVP_MAC *mac, void *arg),
\& void *arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These types and functions help the application to calculate MACs of
different types and with different underlying algorithms if there are
any.
.PP
MACs are a bit complex insofar that some of them use other algorithms
-for actual computation. \s-1HMAC\s0 uses a digest, and \s-1CMAC\s0 uses a cipher.
+for actual computation. HMAC uses a digest, and CMAC uses a cipher.
Therefore, there are sometimes two contexts to keep track of, one for
-the \s-1MAC\s0 algorithm itself and one for the underlying computation
+the MAC algorithm itself and one for the underlying computation
algorithm if there is one.
.PP
-To make things less ambiguous, this manual talks about a \*(L"context\*(R" or
-\&\*(L"\s-1MAC\s0 context\*(R", which is to denote the \s-1MAC\s0 level context, and about a
-\&\*(L"underlying context\*(R", or \*(L"computation context\*(R", which is to denote the
+To make things less ambiguous, this manual talks about a "context" or
+"MAC context", which is to denote the MAC level context, and about a
+"underlying context", or "computation context", which is to denote the
context for the underlying computation algorithm if there is one.
-.SS "Types"
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1EVP_MAC\s0\fR is a type that holds the implementation of a \s-1MAC.\s0
+\&\fBEVP_MAC\fR is a type that holds the implementation of a MAC.
.PP
-\&\fB\s-1EVP_MAC_CTX\s0\fR is a context type that holds internal \s-1MAC\s0 information
+\&\fBEVP_MAC_CTX\fR is a context type that holds internal MAC information
as well as a reference to a computation context, for those MACs that
rely on an underlying computation algorithm.
.SS "Algorithm implementation fetching"
.IX Subsection "Algorithm implementation fetching"
-\&\fBEVP_MAC_fetch()\fR fetches an implementation of a \s-1MAC\s0 \fIalgorithm\fR, given
+\&\fBEVP_MAC_fetch()\fR fetches an implementation of a MAC \fIalgorithm\fR, given
a library context \fIlibctx\fR and a set of \fIproperties\fR.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
-See \*(L"Message Authentication Code (\s-1MAC\s0)\*(R" in \fBOSSL_PROVIDER\-default\fR\|(7) for the list
+See "Message Authentication Code (MAC)" in \fBOSSL_PROVIDER\-default\fR\|(7) for the list
of algorithms supported by the default provider.
.PP
The returned value must eventually be freed with
\&\fBEVP_MAC_free\fR\|(3).
.PP
\&\fBEVP_MAC_up_ref()\fR increments the reference count of an already fetched
-\&\s-1MAC.\s0
+MAC.
.PP
\&\fBEVP_MAC_free()\fR frees a fetched algorithm.
-\&\s-1NULL\s0 is a valid parameter, for which this function is a no-op.
+NULL is a valid parameter, for which this function is a no-op.
.SS "Context manipulation functions"
.IX Subsection "Context manipulation functions"
-\&\fBEVP_MAC_CTX_new()\fR creates a new context for the \s-1MAC\s0 type \fImac\fR.
+\&\fBEVP_MAC_CTX_new()\fR creates a new context for the MAC type \fImac\fR.
The created context can then be used with most other functions
described here.
.PP
\&\fBEVP_MAC_CTX_free()\fR frees the contents of the context, including an
underlying context if there is one, as well as the context itself.
-\&\s-1NULL\s0 is a valid parameter, for which this function is a no-op.
+NULL is a valid parameter, for which this function is a no-op.
.PP
\&\fBEVP_MAC_CTX_dup()\fR duplicates the \fIsrc\fR context and returns a newly allocated
context.
.PP
-\&\fBEVP_MAC_CTX_get0_mac()\fR returns the \fB\s-1EVP_MAC\s0\fR associated with the context
+\&\fBEVP_MAC_CTX_get0_mac()\fR returns the \fBEVP_MAC\fR associated with the context
\&\fIctx\fR.
.SS "Computing functions"
.IX Subsection "Computing functions"
\&\fBEVP_Q_mac()\fR computes the message authentication code
of \fIdata\fR with length \fIdatalen\fR
-using the \s-1MAC\s0 algorithm \fIname\fR and the key \fIkey\fR with length \fIkeylen\fR.
-The \s-1MAC\s0 algorithm is fetched using any given \fIlibctx\fR and property query
+using the MAC algorithm \fIname\fR and the key \fIkey\fR with length \fIkeylen\fR.
+The MAC algorithm is fetched using any given \fIlibctx\fR and property query
string \fIpropq\fR. It takes parameters \fIsubalg\fR and further \fIparams\fR,
-both of which may be \s-1NULL\s0 if not needed.
-If \fIout\fR is not \s-1NULL,\s0 it places the result in the memory pointed at by \fIout\fR,
+both of which may be NULL if not needed.
+If \fIout\fR is not NULL, it places the result in the memory pointed at by \fIout\fR,
but only if \fIoutsize\fR is sufficient (otherwise no computation is made).
-If \fIout\fR is \s-1NULL,\s0 it allocates and uses a buffer of suitable length,
+If \fIout\fR is NULL, it allocates and uses a buffer of suitable length,
which will be returned on success and must be freed by the caller.
In either case, also on error,
-it assigns the number of bytes written to \fI*outlen\fR unless \fIoutlen\fR is \s-1NULL.\s0
+it assigns the number of bytes written to \fI*outlen\fR unless \fIoutlen\fR is NULL.
.PP
\&\fBEVP_MAC_init()\fR sets up the underlying context \fIctx\fR with information given
-via the \fIkey\fR and \fIparams\fR arguments. The \s-1MAC\s0 \fIkey\fR has a length of
+via the \fIkey\fR and \fIparams\fR arguments. The MAC \fIkey\fR has a length of
\&\fIkeylen\fR and the parameters in \fIparams\fR are processed before setting
-the key. If \fIkey\fR is \s-1NULL,\s0 the key must be set via \fIparams\fR either
+the key. If \fIkey\fR is NULL, the key must be set via \fIparams\fR either
as part of this call or separately using \fBEVP_MAC_CTX_set_params()\fR.
Providing non-NULL \fIparams\fR to this function is equivalent to calling
\&\fBEVP_MAC_CTX_set_params()\fR with those \fIparams\fR for the same \fIctx\fR beforehand.
+Note: There are additional requirements for some MAC algorithms during
+re-initalization (i.e. calling \fBEVP_MAC_init()\fR on an EVP_MAC after \fBEVP_MAC_final()\fR
+has been called on the same object). See the NOTES section below.
.PP
\&\fBEVP_MAC_init()\fR should be called before \fBEVP_MAC_update()\fR and \fBEVP_MAC_final()\fR.
.PP
-\&\fBEVP_MAC_update()\fR adds \fIdatalen\fR bytes from \fIdata\fR to the \s-1MAC\s0 input.
+\&\fBEVP_MAC_init_SKEY()\fR is similar to \fBEVP_MAC_init()\fR but it accepts an opaque
+\&\fBEVP_SKEY\fR object as a key.
+.PP
+\&\fBEVP_MAC_update()\fR adds \fIdatalen\fR bytes from \fIdata\fR to the MAC input.
.PP
\&\fBEVP_MAC_final()\fR does the final computation and stores the result in
the memory pointed at by \fIout\fR of size \fIoutsize\fR, and sets the number
of bytes written in \fI*outl\fR at.
-If \fIout\fR is \s-1NULL\s0 or \fIoutsize\fR is too small, then no computation
+If \fIout\fR is NULL or \fIoutsize\fR is too small, then no computation
is made.
To figure out what the output length will be and allocate space for it
-dynamically, simply call with \fIout\fR being \s-1NULL\s0 and \fIoutl\fR
+dynamically, simply call with \fIout\fR being NULL and \fIoutl\fR
pointing at a valid location, then allocate space and make a second
call with \fIout\fR pointing at the allocated space.
.PP
-\&\fBEVP_MAC_finalXOF()\fR does the final computation for an \s-1XOF\s0 based \s-1MAC\s0 and stores
+\&\fBEVP_MAC_finalXOF()\fR does the final computation for an XOF based MAC and stores
the result in the memory pointed at by \fIout\fR of size \fIoutsize\fR.
.PP
\&\fBEVP_MAC_get_params()\fR retrieves details about the implementation
@@ -312,35 +243,35 @@ simply ignored.
context, given a context \fIctx\fR.
The set of parameters given with \fIparams\fR determine exactly what
parameters are passed down.
-If \fIparams\fR are \s-1NULL,\s0 the underlying context should do nothing and return 1.
+If \fIparams\fR are NULL, the underlying context should do nothing and return 1.
Note that a parameter that is unknown in the underlying context is
simply ignored.
Also, what happens when a needed parameter isn't passed down is
defined by the implementation.
.PP
-\&\fBEVP_MAC_gettable_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes
+\&\fBEVP_MAC_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes
the retrievable and settable parameters. \fBEVP_MAC_gettable_params()\fR
returns parameters that can be used with \fBEVP_MAC_get_params()\fR.
.PP
\&\fBEVP_MAC_gettable_ctx_params()\fR and \fBEVP_MAC_CTX_gettable_params()\fR
-return constant \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays that describe the retrievable
+return constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable
parameters that can be used with \fBEVP_MAC_CTX_get_params()\fR.
\&\fBEVP_MAC_gettable_ctx_params()\fR returns the parameters that can be retrieved
from the algorithm, whereas \fBEVP_MAC_CTX_gettable_params()\fR returns
the parameters that can be retrieved in the context's current state.
.PP
\&\fBEVP_MAC_settable_ctx_params()\fR and \fBEVP_MAC_CTX_settable_params()\fR return
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays that describe the settable parameters that
+constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that
can be used with \fBEVP_MAC_CTX_set_params()\fR. \fBEVP_MAC_settable_ctx_params()\fR
returns the parameters that can be retrieved from the algorithm,
whereas \fBEVP_MAC_CTX_settable_params()\fR returns the parameters that can
be retrieved in the context's current state.
.SS "Information functions"
.IX Subsection "Information functions"
-\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the \s-1MAC\s0 output size for the given context.
+\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the MAC output size for the given context.
.PP
-\&\fBEVP_MAC_CTX_get_block_size()\fR returns the \s-1MAC\s0 block size for the given context.
-Not all \s-1MAC\s0 algorithms support this.
+\&\fBEVP_MAC_CTX_get_block_size()\fR returns the MAC block size for the given context.
+Not all MAC algorithms support this.
.PP
\&\fBEVP_MAC_is_a()\fR checks if the given \fImac\fR is an implementation of an
algorithm that's identifiable with \fIname\fR.
@@ -348,12 +279,12 @@ algorithm that's identifiable with \fIname\fR.
\&\fBEVP_MAC_get0_provider()\fR returns the provider that holds the implementation
of the given \fImac\fR.
.PP
-\&\fBEVP_MAC_do_all_provided()\fR traverses all \s-1MAC\s0 implemented by all activated
+\&\fBEVP_MAC_do_all_provided()\fR traverses all MAC implemented by all activated
providers in the given library context \fIlibctx\fR, and for each of the
implementations, calls the given function \fIfn\fR with the implementation method
and the given \fIarg\fR as argument.
.PP
-\&\fBEVP_MAC_get0_name()\fR return the name of the given \s-1MAC.\s0 For fetched MACs
+\&\fBEVP_MAC_get0_name()\fR return the name of the given MAC. For fetched MACs
with multiple names, only one of them is returned; it's
recommended to use \fBEVP_MAC_names_do_all()\fR instead.
.PP
@@ -363,116 +294,113 @@ recommended to use \fBEVP_MAC_names_do_all()\fR instead.
\&\fBEVP_MAC_get0_description()\fR returns a description of the \fImac\fR, meant
for display and human consumption. The description is at the discretion
of the mac implementation.
-.SH "PARAMETERS"
+.SH PARAMETERS
.IX Header "PARAMETERS"
Parameters are identified by name as strings, and have an expected
data type and maximum size.
OpenSSL has a set of macros for parameter names it expects to see in
-its own \s-1MAC\s0 implementations.
+its own MAC implementations.
Here, we show all three, the OpenSSL macro for the parameter name, the
name in string form, and a type description.
.PP
The standard parameter names are:
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Its value is the \s-1MAC\s0 key as an array of bytes.
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Its value is the MAC key as an array of bytes.
.Sp
For MACs that use an underlying computation algorithm, the algorithm
-must be set first, see parameter names \*(L"algorithm\*(R" below.
-.ie n .IP """iv"" (\fB\s-1OSSL_MAC_PARAM_IV\s0\fR) <octet string>" 4
-.el .IP "``iv'' (\fB\s-1OSSL_MAC_PARAM_IV\s0\fR) <octet string>" 4
-.IX Item "iv (OSSL_MAC_PARAM_IV) <octet string>"
-Some \s-1MAC\s0 implementations (\s-1GMAC\s0) require an \s-1IV,\s0 this parameter sets the \s-1IV.\s0
-.ie n .IP """custom"" (\fB\s-1OSSL_MAC_PARAM_CUSTOM\s0\fR) <octet string>" 4
-.el .IP "``custom'' (\fB\s-1OSSL_MAC_PARAM_CUSTOM\s0\fR) <octet string>" 4
-.IX Item "custom (OSSL_MAC_PARAM_CUSTOM) <octet string>"
-Some \s-1MAC\s0 implementations (\s-1KMAC, BLAKE2\s0) accept a Customization String,
+must be set first, see parameter names "algorithm" below.
+.IP """iv"" (\fBOSSL_MAC_PARAM_IV\fR) <octet string>" 4
+.IX Item """iv"" (OSSL_MAC_PARAM_IV) <octet string>"
+Some MAC implementations (GMAC) require an IV, this parameter sets the IV.
+.IP """custom"" (\fBOSSL_MAC_PARAM_CUSTOM\fR) <octet string>" 4
+.IX Item """custom"" (OSSL_MAC_PARAM_CUSTOM) <octet string>"
+Some MAC implementations (KMAC, BLAKE2) accept a Customization String,
this parameter sets the Customization String. The default value is the
empty string.
-.ie n .IP """salt"" (\fB\s-1OSSL_MAC_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_MAC_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_MAC_PARAM_SALT) <octet string>"
-This option is used by \s-1BLAKE2 MAC.\s0
-.ie n .IP """xof"" (\fB\s-1OSSL_MAC_PARAM_XOF\s0\fR) <integer>" 4
-.el .IP "``xof'' (\fB\s-1OSSL_MAC_PARAM_XOF\s0\fR) <integer>" 4
-.IX Item "xof (OSSL_MAC_PARAM_XOF) <integer>"
+.IP """salt"" (\fBOSSL_MAC_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_MAC_PARAM_SALT) <octet string>"
+This option is used by BLAKE2 MAC.
+.IP """xof"" (\fBOSSL_MAC_PARAM_XOF\fR) <integer>" 4
+.IX Item """xof"" (OSSL_MAC_PARAM_XOF) <integer>"
It's a simple flag, the value 0 or 1 are expected.
.Sp
-This option is used by \s-1KMAC.\s0
-.ie n .IP """digest-noinit"" (\fB\s-1OSSL_MAC_PARAM_DIGEST_NOINIT\s0\fR) <integer>" 4
-.el .IP "``digest-noinit'' (\fB\s-1OSSL_MAC_PARAM_DIGEST_NOINIT\s0\fR) <integer>" 4
-.IX Item "digest-noinit (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>"
-A simple flag to set the \s-1MAC\s0 digest to not initialise the
+This option is used by KMAC.
+.IP """digest-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4
+.IX Item """digest-noinit"" (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>"
+A simple flag to set the MAC digest to not initialise the
implementation specific data. The value 0 or 1 is expected.
.Sp
-This option is used by \s-1HMAC.\s0
-.ie n .IP """digest-oneshot"" (\fB\s-1OSSL_MAC_PARAM_DIGEST_ONESHOT\s0\fR) <integer>" 4
-.el .IP "``digest-oneshot'' (\fB\s-1OSSL_MAC_PARAM_DIGEST_ONESHOT\s0\fR) <integer>" 4
-.IX Item "digest-oneshot (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>"
-A simple flag to set the \s-1MAC\s0 digest to be a oneshot operation.
+This option is deprecated and will be removed in a future release.
+The option may be set, but is ignored.
+.IP """digest-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4
+.IX Item """digest-oneshot"" (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>"
+A simple flag to set the MAC digest to be a oneshot operation.
The value 0 or 1 is expected.
.Sp
-This option is used by \s-1HMAC.\s0
-.ie n .IP """properties"" (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
+This option is deprecated and will be removed in a future release.
+The option may be set, but is ignored.
+.IP """properties"" (\fBOSSL_MAC_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_MAC_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """cipher"" (\fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_MAC_PARAM_CIPHER) <UTF8 string>"
+.IP """digest"" (\fBOSSL_MAC_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_MAC_PARAM_DIGEST) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_MAC_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_MAC_PARAM_CIPHER) <UTF8 string>"
.PD
-For \s-1MAC\s0 implementations that use an underlying computation cipher or
+For MAC implementations that use an underlying computation cipher or
digest, these parameters set what the algorithm should be.
.Sp
The value is always the name of the intended algorithm,
or the properties.
.Sp
Note that not all algorithms may support all digests.
-\&\s-1HMAC\s0 does not support variable output length digests such as \s-1SHAKE128\s0
-or \s-1SHAKE256.\s0
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-For \s-1MAC\s0 implementations that support it, set the output size that
+HMAC does not support variable output length digests such as SHAKE128
+or SHAKE256.
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+For MAC implementations that support it, set the output size that
\&\fBEVP_MAC_final()\fR should produce.
-The allowed sizes vary between \s-1MAC\s0 implementations, but must never exceed
+The allowed sizes vary between MAC implementations, but must never exceed
what can be given with a \fBsize_t\fR.
-.ie n .IP """tls-data-size"" (\fB\s-1OSSL_MAC_PARAM_TLS_DATA_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-data-size'' (\fB\s-1OSSL_MAC_PARAM_TLS_DATA_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "tls-data-size (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>"
-This parameter is only supported by \s-1HMAC.\s0 If set then special handling is
-activated for calculating the \s-1MAC\s0 of a received mac-then-encrypt \s-1TLS\s0 record
-where variable length record padding has been used (as in the case of \s-1CBC\s0 mode
+.IP """tls-data-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4
+.IX Item """tls-data-size"" (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>"
+This parameter is only supported by HMAC. If set then special handling is
+activated for calculating the MAC of a received mac-then-encrypt TLS record
+where variable length record padding has been used (as in the case of CBC mode
ciphersuites). The value represents the total length of the record that is
-having the \s-1MAC\s0 calculated including the received \s-1MAC\s0 and the record padding.
+having the MAC calculated including the received MAC and the record padding.
.Sp
When used EVP_MAC_update must be called precisely twice. The first time with
-the 13 bytes of \s-1TLS\s0 \*(L"header\*(R" data, and the second time with the entire record
-including the \s-1MAC\s0 itself and any padding. The entire record length must equal
-the value passed in the \*(L"tls-data-size\*(R" parameter. The length passed in the
+the 13 bytes of TLS "header" data, and the second time with the entire record
+including the MAC itself and any padding. The entire record length must equal
+the value passed in the "tls-data-size" parameter. The length passed in the
\&\fBdatalen\fR parameter to \fBEVP_MAC_update()\fR should be equal to the length of the
-record after the \s-1MAC\s0 and any padding has been removed.
+record after the MAC and any padding has been removed.
.PP
All these parameters should be used before the calls to any of
\&\fBEVP_MAC_init()\fR, \fBEVP_MAC_update()\fR and \fBEVP_MAC_final()\fR for a full
computation.
Anything else may give undefined results.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \s-1MAC\s0 life-cycle is described in \fBlife_cycle\-mac\fR\|(7). In the future,
+The MAC life-cycle is described in \fBlife_cycle\-mac\fR\|(7). In the future,
the transitions described there will be enforced. When this is done, it will
-not be considered a breaking change to the \s-1API.\s0
+not be considered a breaking change to the API.
.PP
-The usage of the parameter names \*(L"custom\*(R", \*(L"iv\*(R" and \*(L"salt\*(R" correspond to
+The usage of the parameter names "custom", "iv" and "salt" correspond to
the names used in the standard where the algorithm was defined.
+.PP
+Some MAC algorithms store internal state that cannot be extracted during
+re-initalization. For example GMAC cannot extract an \fBIV\fR from the
+underlying CIPHER context, and so calling \fBEVP_MAC_init()\fR on an EVP_MAC object
+after \fBEVP_MAC_final()\fR has been called cannot reset its cipher state to what it
+was when the \fBIV\fR was initially generated. For such instances, an
+\&\fBOSSL_MAC_PARAM_IV\fR parameter must be passed with each call to \fBEVP_MAC_init()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_MAC_fetch()\fR returns a pointer to a newly fetched \fB\s-1EVP_MAC\s0\fR, or
-\&\s-1NULL\s0 if allocation failed.
+\&\fBEVP_MAC_fetch()\fR returns a pointer to a newly fetched \fBEVP_MAC\fR, or
+NULL if allocation failed.
.PP
\&\fBEVP_MAC_up_ref()\fR returns 1 on success, 0 on error.
.PP
@@ -484,23 +412,23 @@ return value of 0 means that the callback was not called for any names.
\&\fBEVP_MAC_is_a()\fR returns 1 if the given method can be identified with
the given name, otherwise 0.
.PP
-\&\fBEVP_MAC_get0_name()\fR returns a name of the \s-1MAC,\s0 or \s-1NULL\s0 on error.
+\&\fBEVP_MAC_get0_name()\fR returns a name of the MAC, or NULL on error.
.PP
-\&\fBEVP_MAC_get0_provider()\fR returns a pointer to the provider for the \s-1MAC,\s0 or
-\&\s-1NULL\s0 on error.
+\&\fBEVP_MAC_get0_provider()\fR returns a pointer to the provider for the MAC, or
+NULL on error.
.PP
\&\fBEVP_MAC_CTX_new()\fR and \fBEVP_MAC_CTX_dup()\fR return a pointer to a newly
-created \s-1EVP_MAC_CTX,\s0 or \s-1NULL\s0 if allocation failed.
+created EVP_MAC_CTX, or NULL if allocation failed.
.PP
\&\fBEVP_MAC_CTX_free()\fR returns nothing at all.
.PP
\&\fBEVP_MAC_CTX_get_params()\fR and \fBEVP_MAC_CTX_set_params()\fR return 1 on
success, 0 on error.
.PP
-\&\fBEVP_Q_mac()\fR returns a pointer to the computed \s-1MAC\s0 value, or \s-1NULL\s0 on error.
+\&\fBEVP_Q_mac()\fR returns a pointer to the computed MAC value, or NULL on error.
.PP
-\&\fBEVP_MAC_init()\fR, \fBEVP_MAC_update()\fR, \fBEVP_MAC_final()\fR, and \fBEVP_MAC_finalXOF()\fR
-return 1 on success, 0 on error.
+\&\fBEVP_MAC_init()\fR, \fBEVP_MAC_init_SKEY()\fR, \fBEVP_MAC_update()\fR, \fBEVP_MAC_final()\fR, and
+\&\fBEVP_MAC_finalXOF()\fR return 1 on success, 0 on error.
.PP
\&\fBEVP_MAC_CTX_get_mac_size()\fR returns the expected output size, or 0 if it isn't
set. If it isn't set, a call to \fBEVP_MAC_init()\fR will set it.
@@ -509,7 +437,7 @@ set. If it isn't set, a call to \fBEVP_MAC_init()\fR will set it.
If it isn't set, a call to \fBEVP_MAC_init()\fR will set it.
.PP
\&\fBEVP_MAC_do_all_provided()\fR returns nothing at all.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 5
\& #include <stdlib.h>
@@ -593,24 +521,26 @@ look like this:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBproperty\fR\|(7)
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3),
-\&\s-1\fBEVP_MAC\-BLAKE2\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-CMAC\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-GMAC\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-HMAC\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-KMAC\s0\fR\|(7),
+\&\fBOSSL_PARAM\fR\|(3),
+\&\fBEVP_MAC\-BLAKE2\fR\|(7),
+\&\fBEVP_MAC\-CMAC\fR\|(7),
+\&\fBEVP_MAC\-GMAC\fR\|(7),
+\&\fBEVP_MAC\-HMAC\fR\|(7),
+\&\fBEVP_MAC\-KMAC\fR\|(7),
\&\fBEVP_MAC\-Siphash\fR\|(7),
\&\fBEVP_MAC\-Poly1305\fR\|(7),
\&\fBprovider\-mac\fR\|(7),
\&\fBlife_cycle\-mac\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \fBEVP_MAC_init_SKEY()\fR function was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3
index 35762d706378..6f610f9c9b9e 100644
--- a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD_METH_NEW 3ossl"
-.TH EVP_MD_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD_meth_new, EVP_MD_meth_dup, EVP_MD_meth_free,
EVP_MD_meth_set_input_blocksize,
EVP_MD_meth_set_result_size, EVP_MD_meth_set_app_datasize,
@@ -148,14 +72,14 @@ EVP_MD_meth_get_flags, EVP_MD_meth_get_init, EVP_MD_meth_get_update,
EVP_MD_meth_get_final, EVP_MD_meth_get_copy, EVP_MD_meth_get_cleanup,
EVP_MD_meth_get_ctrl
\&\- Routines to build up legacy EVP_MD methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -195,22 +119,23 @@ see \fBopenssl_user_macros\fR\|(7):
\& int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd,
\& int p1, void *p2);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
+Applications should instead use the OSSL_PROVIDER APIs.
.PP
-The \fB\s-1EVP_MD\s0\fR type is a structure for digest method implementation.
+The \fBEVP_MD\fR type is a structure for digest method implementation.
It can also have associated public/private key signing and verifying
routines.
.PP
-\&\fBEVP_MD_meth_new()\fR creates a new \fB\s-1EVP_MD\s0\fR structure.
-These \fB\s-1EVP_MD\s0\fR structures are reference counted.
+\&\fBEVP_MD_meth_new()\fR creates a new \fBEVP_MD\fR structure.
+These \fBEVP_MD\fR structures are reference counted.
.PP
\&\fBEVP_MD_meth_dup()\fR creates a copy of \fBmd\fR.
.PP
-\&\fBEVP_MD_meth_free()\fR decrements the reference count for the \fB\s-1EVP_MD\s0\fR structure.
+\&\fBEVP_MD_meth_free()\fR decrements the reference count for the \fBEVP_MD\fR structure.
If the reference count drops to 0 then the structure is freed.
+If the argument is NULL, nothing is done.
.PP
\&\fBEVP_MD_meth_set_input_blocksize()\fR sets the internal input block size
for the method \fBmd\fR to \fBblocksize\fR bytes.
@@ -225,32 +150,32 @@ set the size for it to \fBdatasize\fR.
\&\fBEVP_MD_meth_set_flags()\fR sets the flags to describe optional
behaviours in the particular \fBmd\fR. Several flags can be or'd
together. The available flags are:
-.IP "\s-1EVP_MD_FLAG_ONESHOT\s0" 4
+.IP EVP_MD_FLAG_ONESHOT 4
.IX Item "EVP_MD_FLAG_ONESHOT"
This digest method can only handle one block of input.
-.IP "\s-1EVP_MD_FLAG_XOF\s0" 4
+.IP EVP_MD_FLAG_XOF 4
.IX Item "EVP_MD_FLAG_XOF"
-This digest method is an extensible-output function (\s-1XOF\s0) and supports
-the \fB\s-1EVP_MD_CTRL_XOF_LEN\s0\fR control.
-.IP "\s-1EVP_MD_FLAG_DIGALGID_NULL\s0" 4
+This digest method is an extensible-output function (XOF) and supports
+the \fBEVP_MD_CTRL_XOF_LEN\fR control.
+.IP EVP_MD_FLAG_DIGALGID_NULL 4
.IX Item "EVP_MD_FLAG_DIGALGID_NULL"
When setting up a DigestAlgorithmIdentifier, this flag will have the
-parameter set to \s-1NULL\s0 by default. Use this for PKCS#1. \fINote: if
-combined with \s-1EVP_MD_FLAG_DIGALGID_ABSENT,\s0 the latter will override.\fR
-.IP "\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0" 4
+parameter set to NULL by default. Use this for PKCS#1. \fINote: if
+combined with EVP_MD_FLAG_DIGALGID_ABSENT, the latter will override.\fR
+.IP EVP_MD_FLAG_DIGALGID_ABSENT 4
.IX Item "EVP_MD_FLAG_DIGALGID_ABSENT"
When setting up a DigestAlgorithmIdentifier, this flag will have the
parameter be left absent by default. \fINote: if combined with
-\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR
-.IP "\s-1EVP_MD_FLAG_DIGALGID_CUSTOM\s0" 4
+EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.\fR
+.IP EVP_MD_FLAG_DIGALGID_CUSTOM 4
.IX Item "EVP_MD_FLAG_DIGALGID_CUSTOM"
Custom DigestAlgorithmIdentifier handling via ctrl, with
-\&\fB\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0\fR as default. \fINote: if combined with
-\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR
+\&\fBEVP_MD_FLAG_DIGALGID_ABSENT\fR as default. \fINote: if combined with
+EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.\fR
Currently unused.
-.IP "\s-1EVP_MD_FLAG_FIPS\s0" 4
+.IP EVP_MD_FLAG_FIPS 4
.IX Item "EVP_MD_FLAG_FIPS"
-This digest method is suitable for use in \s-1FIPS\s0 mode.
+This digest method is suitable for use in FIPS mode.
Currently unused.
.PP
\&\fBEVP_MD_meth_set_init()\fR sets the digest init function for \fBmd\fR.
@@ -268,9 +193,9 @@ The digest final function is called by \fBEVP_Digest()\fR, \fBEVP_DigestFinal()\
.PP
\&\fBEVP_MD_meth_set_copy()\fR sets the function for \fBmd\fR to do extra
computations after the method's private data structure has been copied
-from one \fB\s-1EVP_MD_CTX\s0\fR to another. If all that's needed is to copy
+from one \fBEVP_MD_CTX\fR to another. If all that's needed is to copy
the data, there is no need for this copy function.
-Note that the copy function is passed two \fB\s-1EVP_MD_CTX\s0 *\fR, the private
+Note that the copy function is passed two \fBEVP_MD_CTX *\fR, the private
data structure is then available with \fBEVP_MD_CTX_get0_md_data()\fR.
This copy function is called by \fBEVP_MD_CTX_copy()\fR and
\&\fBEVP_MD_CTX_copy_ex()\fR.
@@ -278,7 +203,7 @@ This copy function is called by \fBEVP_MD_CTX_copy()\fR and
\&\fBEVP_MD_meth_set_cleanup()\fR sets the function for \fBmd\fR to do extra
cleanup before the method's private data structure is cleaned out and
freed.
-Note that the cleanup function is passed a \fB\s-1EVP_MD_CTX\s0 *\fR, the
+Note that the cleanup function is passed a \fBEVP_MD_CTX *\fR, the
private data structure is then available with \fBEVP_MD_CTX_get0_md_data()\fR.
This cleanup function is called by \fBEVP_MD_CTX_reset()\fR and
\&\fBEVP_MD_CTX_free()\fR.
@@ -296,7 +221,7 @@ functions above.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_MD_meth_new()\fR and \fBEVP_MD_meth_dup()\fR return a pointer to a newly
-created \fB\s-1EVP_MD\s0\fR, or \s-1NULL\s0 on failure.
+created \fBEVP_MD\fR, or NULL on failure.
All EVP_MD_meth_set_*() functions return 1.
\&\fBEVP_MD_get_input_blocksize()\fR, \fBEVP_MD_meth_get_result_size()\fR,
\&\fBEVP_MD_meth_get_app_datasize()\fR and \fBEVP_MD_meth_get_flags()\fR return the
@@ -306,20 +231,20 @@ respective \fBmd\fR function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3), \fBEVP_SignInit\fR\|(3), \fBEVP_VerifyInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
-The \fB\s-1EVP_MD\s0\fR structure was openly available in OpenSSL before version
+The \fBEVP_MD\fR structure was openly available in OpenSSL before version
1.1.
The functions described here were added in OpenSSL 1.1.
-The \fB\s-1EVP_MD\s0\fR structure created with these functions became reference
+The \fBEVP_MD\fR structure created with these functions became reference
counted in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3
index e25cb0a0e2b6..75f52dacf884 100644
--- a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_OPENINIT 3ossl"
-.TH EVP_OPENINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_OPENINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal \- EVP envelope decryption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -149,27 +73,27 @@ EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal \- EVP envelope decryption
\& int *outl, unsigned char *in, int inl);
\& int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 envelope routines are a high-level interface to envelope
+The EVP envelope routines are a high-level interface to envelope
decryption. They decrypt a public key encrypted symmetric key and
then decrypt data using it.
.PP
\&\fBEVP_OpenInit()\fR initializes a cipher context \fBctx\fR for decryption
with cipher \fBtype\fR. It decrypts the encrypted symmetric key of length
\&\fBekl\fR bytes passed in the \fBek\fR parameter using the private key \fBpriv\fR.
-The \s-1IV\s0 is supplied in the \fBiv\fR parameter.
+The IV is supplied in the \fBiv\fR parameter.
.PP
\&\fBEVP_OpenUpdate()\fR and \fBEVP_OpenFinal()\fR have exactly the same properties
as the \fBEVP_DecryptUpdate()\fR and \fBEVP_DecryptFinal()\fR routines, as
documented on the \fBEVP_EncryptInit\fR\|(3) manual
page.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
It is possible to call \fBEVP_OpenInit()\fR twice in the same way as
-\&\fBEVP_DecryptInit()\fR. The first call should have \fBpriv\fR set to \s-1NULL\s0
+\&\fBEVP_DecryptInit()\fR. The first call should have \fBpriv\fR set to NULL
and (after setting any cipher parameters) it should be called again
-with \fBtype\fR set to \s-1NULL.\s0
+with \fBtype\fR set to NULL.
.PP
If the cipher passed in the \fBtype\fR parameter is a variable length
cipher then the key length will be set to the value of the recovered
@@ -188,11 +112,11 @@ recovered secret key size) if successful.
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_SealInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3 b/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3
index 3bed3c5682c9..33d26fbb16fc 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PBE_CipherInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PBE_CIPHERINIT 3ossl"
-.TH EVP_PBE_CIPHERINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PBE_CIPHERINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PBE_CipherInit, EVP_PBE_CipherInit_ex,
EVP_PBE_find, EVP_PBE_find_ex,
EVP_PBE_alg_add_type, EVP_PBE_alg_add \- Password based encryption routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -161,46 +85,46 @@ EVP_PBE_alg_add_type, EVP_PBE_alg_add \- Password based encryption routines
\& int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
\& EVP_PBE_KEYGEN *keygen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-.SS "\s-1PBE\s0 operations"
+.SS "PBE operations"
.IX Subsection "PBE operations"
-\&\fBEVP_PBE_CipherInit()\fR and \fBEVP_PBE_CipherInit_ex()\fR initialise an \fB\s-1EVP_CIPHER_CTX\s0\fR
+\&\fBEVP_PBE_CipherInit()\fR and \fBEVP_PBE_CipherInit_ex()\fR initialise an \fBEVP_CIPHER_CTX\fR
\&\fIctx\fR for encryption (\fIen_de\fR=1) or decryption (\fIen_de\fR=0) using the password
-\&\fIpass\fR of length \fIpasslen\fR. The \s-1PBE\s0 algorithm type and parameters are extracted
-from an \s-1OID\s0 \fIpbe_obj\fR and parameters \fIparam\fR.
+\&\fIpass\fR of length \fIpasslen\fR. The PBE algorithm type and parameters are extracted
+from an OID \fIpbe_obj\fR and parameters \fIparam\fR.
.PP
\&\fBEVP_PBE_CipherInit_ex()\fR also allows the application to specify a library context
\&\fIlibctx\fR and property query \fIpropq\fR to select appropriate algorithm
implementations.
-.SS "\s-1PBE\s0 algorithm search"
+.SS "PBE algorithm search"
.IX Subsection "PBE algorithm search"
\&\fBEVP_PBE_find()\fR and \fBEVP_PBE_find_ex()\fR search for a matching algorithm using two parameters:
.PP
1. An algorithm type \fItype\fR which can be:
-.IP "\(bu" 4
-\&\s-1EVP_PBE_TYPE_OUTER\s0 \- A \s-1PBE\s0 algorithm
-.IP "\(bu" 4
-\&\s-1EVP_PBE_TYPE_PRF\s0 \- A pseudo-random function
-.IP "\(bu" 4
-\&\s-1EVP_PBE_TYPE_KDF\s0 \- A key derivation function
+.IP \(bu 4
+EVP_PBE_TYPE_OUTER \- A PBE algorithm
+.IP \(bu 4
+EVP_PBE_TYPE_PRF \- A pseudo-random function
+.IP \(bu 4
+EVP_PBE_TYPE_KDF \- A key derivation function
.PP
2. A \fIpbe_nid\fR which can represent the algorithm identifier with parameters e.g.
\&\fBNID_pbeWithSHA1AndRC2_CBC\fR or an algorithm class e.g. \fBNID_pbes2\fR.
.PP
-They return the algorithm's cipher \s-1ID\s0 \fIpcnid\fR, digest \s-1ID\s0 \fIpmnid\fR and a key
+They return the algorithm's cipher ID \fIpcnid\fR, digest ID \fIpmnid\fR and a key
generation function for the algorithm \fIpkeygen\fR. \fBEVP_PBE_CipherInit_ex()\fR also
returns an extended key generation function \fIkeygen_ex\fR which takes a library
context and property query.
.PP
-If a \s-1NULL\s0 is supplied for any of \fIpcnid\fR, \fIpmnid\fR, \fIpkeygen\fR or \fIpkeygen_ex\fR
+If a NULL is supplied for any of \fIpcnid\fR, \fIpmnid\fR, \fIpkeygen\fR or \fIpkeygen_ex\fR
then this parameter is not returned.
-.SS "\s-1PBE\s0 algorithm add"
+.SS "PBE algorithm add"
.IX Subsection "PBE algorithm add"
\&\fBEVP_PBE_alg_add_type()\fR and \fBEVP_PBE_alg_add()\fR add an algorithm to the list
of known algorithms. Their parameters have the same meaning as for
\&\fBEVP_PBE_find()\fR and \fBEVP_PBE_find_ex()\fR functions.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The arguments \fIpbe_obj\fR and \fIparam\fR to \fBEVP_PBE_CipherInit()\fR and \fBEVP_PBE_CipherInit_ex()\fR
together form an \fBX509_ALGOR\fR and can often be extracted directly from this structure.
@@ -214,14 +138,14 @@ Return value is 1 for success and 0 if an error occurred.
\&\fBPKCS5_v2_PBE_keyivgen_ex\fR\|(3),
\&\fBPKCS12_pbe_crypt_ex\fR\|(3),
\&\fBPKCS12_create_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_PBE_CipherInit_ex()\fR and \fBEVP_PBE_find_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3
index 1846e9f509af..f84cc43d2893 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY2PKCS8.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY2PKCS8 3ossl"
-.TH EVP_PKEY2PKCS8 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY2PKCS8 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY2PKCS8, EVP_PKCS82PKEY_ex, EVP_PKCS82PKEY
\&\- Convert a private key to/from PKCS8
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -149,29 +73,29 @@ EVP_PKEY2PKCS8, EVP_PKCS82PKEY_ex, EVP_PKCS82PKEY
\& EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx,
\& const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1\fBEVP_PKEY2PKCS8\s0()\fR converts a private key \fIpkey\fR into a returned \s-1PKCS8\s0 object.
+\&\fBEVP_PKEY2PKCS8()\fR converts a private key \fIpkey\fR into a returned PKCS8 object.
.PP
-\&\fBEVP_PKCS82PKEY_ex()\fR converts a \s-1PKCS8\s0 object \fIp8\fR into a returned private key.
+\&\fBEVP_PKCS82PKEY_ex()\fR converts a PKCS8 object \fIp8\fR into a returned private key.
It uses \fIlibctx\fR and \fIpropq\fR when fetching algorithms.
.PP
-\&\s-1\fBEVP_PKCS82PKEY\s0()\fR is similar to \fBEVP_PKCS82PKEY_ex()\fR but uses default values of
-\&\s-1NULL\s0 for the \fIlibctx\fR and \fIpropq\fR.
+\&\fBEVP_PKCS82PKEY()\fR is similar to \fBEVP_PKCS82PKEY_ex()\fR but uses default values of
+NULL for the \fIlibctx\fR and \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBEVP_PKEY2PKCS8\s0()\fR returns a \s-1PKCS8\s0 object on success.
-\&\s-1\fBEVP_PKCS82PKEY\s0()\fR and \fBEVP_PKCS82PKEY_ex()\fR return a private key on success.
+\&\fBEVP_PKEY2PKCS8()\fR returns a PKCS8 object on success.
+\&\fBEVP_PKCS82PKEY()\fR and \fBEVP_PKCS82PKEY_ex()\fR return a private key on success.
.PP
-All functions return \s-1NULL\s0 if the operation fails.
+All functions return NULL if the operation fails.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS8_pkey_add1_attr\fR\|(3),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3
index c074b88940fd..8aae4958b3f3 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ASN1_METHOD 3ossl"
-.TH EVP_PKEY_ASN1_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_ASN1_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_ASN1_METHOD,
EVP_PKEY_asn1_new,
EVP_PKEY_asn1_copy,
@@ -160,7 +84,7 @@ EVP_PKEY_asn1_set_get_priv_key,
EVP_PKEY_asn1_set_get_pub_key,
EVP_PKEY_get0_asn1
\&\- manipulating and registering EVP_PKEY_ASN1_METHOD structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -274,21 +198,21 @@ EVP_PKEY_get0_asn1
\&
\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR is a structure which holds a set of \s-1ASN.1\s0
+\&\fBEVP_PKEY_ASN1_METHOD\fR is a structure which holds a set of ASN.1
conversion, printing and information methods for a specific public key
algorithm.
.PP
-There are two places where the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR objects are
+There are two places where the \fBEVP_PKEY_ASN1_METHOD\fR objects are
stored: one is a built-in array representing the standard methods for
different algorithms, and the other one is a stack of user-defined
application-specific methods, which can be manipulated by using
\&\fBEVP_PKEY_asn1_add0\fR\|(3).
-.SS "Methods"
+.SS Methods
.IX Subsection "Methods"
The methods are the underlying implementations of a particular public
-key algorithm present by the \fB\s-1EVP_PKEY\s0\fR object.
+key algorithm present by the \fBEVP_PKEY\fR object.
.PP
.Vb 5
\& int (*pub_decode) (EVP_PKEY *pk, const X509_PUBKEY *pub);
@@ -299,18 +223,18 @@ key algorithm present by the \fB\s-1EVP_PKEY\s0\fR object.
.Ve
.PP
The \fBpub_decode()\fR and \fBpub_encode()\fR methods are called to decode /
-encode \fBX509_PUBKEY\fR \s-1ASN.1\s0 parameters to / from \fBpk\fR.
-They \s-1MUST\s0 return 0 on error, 1 on success.
+encode \fBX509_PUBKEY\fR ASN.1 parameters to / from \fBpk\fR.
+They MUST return 0 on error, 1 on success.
They're called by \fBX509_PUBKEY_get0\fR\|(3) and \fBX509_PUBKEY_set\fR\|(3).
.PP
The \fBpub_cmp()\fR method is called when two public keys are to be
compared.
-It \s-1MUST\s0 return 1 when the keys are equal, 0 otherwise.
+It MUST return 1 when the keys are equal, 0 otherwise.
It's called by \fBEVP_PKEY_eq\fR\|(3).
.PP
The \fBpub_print()\fR method is called to print a public key in humanly
readable text to \fBout\fR, indented \fBindent\fR spaces.
-It \s-1MUST\s0 return 0 on error, 1 on success.
+It MUST return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_print_public\fR\|(3).
.PP
.Vb 4
@@ -321,13 +245,13 @@ It's called by \fBEVP_PKEY_print_public\fR\|(3).
.Ve
.PP
The \fBpriv_decode()\fR and \fBpriv_encode()\fR methods are called to decode /
-encode \fB\s-1PKCS8_PRIV_KEY_INFO\s0\fR form private key to / from \fBpk\fR.
-They \s-1MUST\s0 return 0 on error, 1 on success.
-They're called by \s-1\fBEVP_PKCS82PKEY\s0\fR\|(3) and \s-1\fBEVP_PKEY2PKCS8\s0\fR\|(3).
+encode \fBPKCS8_PRIV_KEY_INFO\fR form private key to / from \fBpk\fR.
+They MUST return 0 on error, 1 on success.
+They're called by \fBEVP_PKCS82PKEY\fR\|(3) and \fBEVP_PKEY2PKCS8\fR\|(3).
.PP
The \fBpriv_print()\fR method is called to print a private key in humanly
readable text to \fBout\fR, indented \fBindent\fR spaces.
-It \s-1MUST\s0 return 0 on error, 1 on success.
+It MUST return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_print_private\fR\|(3).
.PP
.Vb 3
@@ -354,27 +278,27 @@ It's called by \fBEVP_PKEY_get_bits\fR\|(3).
.Ve
.PP
The \fBparam_decode()\fR and \fBparam_encode()\fR methods are called to decode /
-encode \s-1DER\s0 formatted parameters to / from \fBpk\fR.
-They \s-1MUST\s0 return 0 on error, 1 on success.
+encode DER formatted parameters to / from \fBpk\fR.
+They MUST return 0 on error, 1 on success.
They're called by \fBPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR
-\&\s-1\fBOSSL_STORE_LOADER\s0\fR\|(3).
+\&\fBOSSL_STORE_LOADER\fR\|(3).
.PP
The \fBparam_missing()\fR method returns 0 if a key parameter is missing,
otherwise 1.
It's called by \fBEVP_PKEY_missing_parameters\fR\|(3).
.PP
The \fBparam_copy()\fR method copies key parameters from \fBfrom\fR to \fBto\fR.
-It \s-1MUST\s0 return 0 on error, 1 on success.
+It MUST return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_copy_parameters\fR\|(3).
.PP
The \fBparam_cmp()\fR method compares the parameters of keys \fBa\fR and \fBb\fR.
-It \s-1MUST\s0 return 1 when the keys are equal, 0 when not equal, or a
+It MUST return 1 when the keys are equal, 0 when not equal, or a
negative number on error.
It's called by \fBEVP_PKEY_parameters_eq\fR\|(3).
.PP
The \fBparam_print()\fR method prints the private key parameters in humanly
readable text to \fBout\fR, indented \fBindent\fR spaces.
-It \s-1MUST\s0 return 0 on error, 1 on success.
+It MUST return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_print_params\fR\|(3).
.PP
.Vb 3
@@ -388,7 +312,7 @@ The \fBsig_print()\fR method prints a signature in humanly readable text to
\&\fBsigalg\fR contains the exact signature algorithm.
If the signature in \fBsig\fR doesn't correspond to what this method
expects, \fBX509_signature_dump()\fR must be used as a last resort.
-It \s-1MUST\s0 return 0 on error, 1 on success.
+It MUST return 0 on error, 1 on success.
It's called by \fBX509_signature_print\fR\|(3).
.PP
.Vb 1
@@ -416,11 +340,11 @@ It's called by \fBEVP_PKEY_get_default_digest_nid\fR\|(3),
.Ve
.PP
The \fBold_priv_decode()\fR and \fBold_priv_encode()\fR methods decode / encode
-they private key \fBpkey\fR from / to a \s-1DER\s0 formatted array.
+they private key \fBpkey\fR from / to a DER formatted array.
These are exclusively used to help decoding / encoding older (pre
-PKCS#8) \s-1PEM\s0 formatted encrypted private keys.
-\&\fBold_priv_decode()\fR \s-1MUST\s0 return 0 on error, 1 on success.
-\&\fBold_priv_encode()\fR \s-1MUST\s0 the return same kind of values as
+PKCS#8) PEM formatted encrypted private keys.
+\&\fBold_priv_decode()\fR MUST return 0 on error, 1 on success.
+\&\fBold_priv_encode()\fR MUST the return same kind of values as
\&\fBi2d_PrivateKey()\fR.
They're called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3).
.PP
@@ -435,32 +359,32 @@ They're called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3).
The \fBitem_sign()\fR and \fBitem_verify()\fR methods make it possible to have
algorithm specific signatures and verification of them.
.PP
-\&\fBitem_sign()\fR \s-1MUST\s0 return one of:
-.IP "<=0" 4
+\&\fBitem_sign()\fR MUST return one of:
+.IP <=0 4
.IX Item "<=0"
error
-.IP "1" 4
+.IP 1 4
.IX Item "1"
\&\fBitem_sign()\fR did everything, OpenSSL internals just needs to pass the
signature length back.
-.IP "2" 4
+.IP 2 4
.IX Item "2"
\&\fBitem_sign()\fR did nothing, OpenSSL internal standard routines are
expected to continue with the default signature production.
-.IP "3" 4
+.IP 3 4
.IX Item "3"
\&\fBitem_sign()\fR set the algorithm identifier \fBalgor1\fR and \fBalgor2\fR,
OpenSSL internals should just sign using those algorithms.
.PP
-\&\fBitem_verify()\fR \s-1MUST\s0 return one of:
-.IP "<=0" 4
+\&\fBitem_verify()\fR MUST return one of:
+.IP <=0 4
.IX Item "<=0"
error
-.IP "1" 4
+.IP 1 4
.IX Item "1"
\&\fBitem_sign()\fR did everything, OpenSSL internals just needs to pass the
signature length back.
-.IP "2" 4
+.IP 2 4
.IX Item "2"
\&\fBitem_sign()\fR did nothing, OpenSSL internal standard routines are
expected to continue with the default signature production.
@@ -476,7 +400,7 @@ expected to continue with the default signature production.
.PP
The \fBsiginf_set()\fR method is used to set custom \fBX509_SIG_INFO\fR
parameters.
-It \s-1MUST\s0 return 0 on error, or 1 on success.
+It MUST return 0 on error, or 1 on success.
It's called as part of \fBX509_check_purpose\fR\|(3), \fBX509_check_ca\fR\|(3)
and \fBX509_check_issued\fR\|(3).
.PP
@@ -489,7 +413,7 @@ and \fBX509_check_issued\fR\|(3).
The \fBpkey_check()\fR, \fBpkey_public_check()\fR and \fBpkey_param_check()\fR methods are used
to check the validity of \fBpk\fR for key-pair, public component and parameters,
respectively.
-They \s-1MUST\s0 return 0 for an invalid key, or 1 for a valid key.
+They MUST return 0 for an invalid key, or 1 for a valid key.
They are called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and
\&\fBEVP_PKEY_param_check\fR\|(3) respectively.
.PP
@@ -499,7 +423,7 @@ They are called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) a
.Ve
.PP
The \fBset_priv_key()\fR and \fBset_pub_key()\fR methods are used to set the raw private and
-public key data for an \s-1EVP_PKEY.\s0 They \s-1MUST\s0 return 0 on error, or 1 on success.
+public key data for an EVP_PKEY. They MUST return 0 on error, or 1 on success.
They are called by \fBEVP_PKEY_new_raw_private_key\fR\|(3), and
\&\fBEVP_PKEY_new_raw_public_key\fR\|(3) respectively.
.PP
@@ -512,14 +436,14 @@ They are called by \fBEVP_PKEY_new_raw_private_key\fR\|(3), and
This can be used to synchronise different copies of the same keys.
.PP
The \fBexport_to()\fR method exports the key material from the given key to
-a provider, through the \s-1\fBEVP_KEYMGMT\s0\fR\|(3) interface, if that provider
+a provider, through the \fBEVP_KEYMGMT\fR\|(3) interface, if that provider
supports importing key material.
-.SS "Functions"
+.SS Functions
.IX Subsection "Functions"
-\&\fBEVP_PKEY_asn1_new()\fR creates and returns a new \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR
+\&\fBEVP_PKEY_asn1_new()\fR creates and returns a new \fBEVP_PKEY_ASN1_METHOD\fR
object, and associates the given \fBid\fR, \fBflags\fR, \fBpem_str\fR and
\&\fBinfo\fR.
-\&\fBid\fR is a \s-1NID,\s0 \fBpem_str\fR is the \s-1PEM\s0 type string, \fBinfo\fR is a
+\&\fBid\fR is a NID, \fBpem_str\fR is the PEM type string, \fBinfo\fR is a
descriptive string.
The following \fBflags\fR are supported:
.PP
@@ -527,29 +451,29 @@ The following \fBflags\fR are supported:
\& ASN1_PKEY_SIGPARAM_NULL
.Ve
.PP
-If \fB\s-1ASN1_PKEY_SIGPARAM_NULL\s0\fR is set, then the signature algorithm
+If \fBASN1_PKEY_SIGPARAM_NULL\fR is set, then the signature algorithm
parameters are given the type \fBV_ASN1_NULL\fR by default, otherwise
they will be given the type \fBV_ASN1_UNDEF\fR (i.e. the parameter is
omitted).
See \fBX509_ALGOR_set0\fR\|(3) for more information.
.PP
-\&\fBEVP_PKEY_asn1_copy()\fR copies an \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object from
+\&\fBEVP_PKEY_asn1_copy()\fR copies an \fBEVP_PKEY_ASN1_METHOD\fR object from
\&\fBsrc\fR to \fBdst\fR.
This function is not thread safe, it's recommended to only use this
when initializing the application.
.PP
-\&\fBEVP_PKEY_asn1_free()\fR frees an existing \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR pointed
-by \fBameth\fR.
+\&\fBEVP_PKEY_asn1_free()\fR frees an existing \fBEVP_PKEY_ASN1_METHOD\fR pointed
+by \fBameth\fR. If the argument is NULL, nothing is done.
.PP
\&\fBEVP_PKEY_asn1_add0()\fR adds \fBameth\fR to the user defined stack of
-methods unless another \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with the same \s-1NID\s0 is
+methods unless another \fBEVP_PKEY_ASN1_METHOD\fR with the same NID is
already there.
This function is not thread safe, it's recommended to only use this
when initializing the application.
.PP
-\&\fBEVP_PKEY_asn1_add_alias()\fR creates an alias with the \s-1NID\s0 \fBto\fR for the
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1NID\s0 \fBfrom\fR unless another
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with the same \s-1NID\s0 is already added.
+\&\fBEVP_PKEY_asn1_add_alias()\fR creates an alias with the NID \fBto\fR for the
+\&\fBEVP_PKEY_ASN1_METHOD\fR with NID \fBfrom\fR unless another
+\&\fBEVP_PKEY_ASN1_METHOD\fR with the same NID is already added.
This function is not thread safe, it's recommended to only use this
when initializing the application.
.PP
@@ -561,30 +485,30 @@ when initializing the application.
\&\fBEVP_PKEY_asn1_set_security_bits()\fR, \fBEVP_PKEY_asn1_set_set_priv_key()\fR,
\&\fBEVP_PKEY_asn1_set_set_pub_key()\fR, \fBEVP_PKEY_asn1_set_get_priv_key()\fR and
\&\fBEVP_PKEY_asn1_set_get_pub_key()\fR set the diverse methods of the given
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object.
+\&\fBEVP_PKEY_ASN1_METHOD\fR object.
.PP
-\&\fBEVP_PKEY_get0_asn1()\fR finds the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR associated
+\&\fBEVP_PKEY_get0_asn1()\fR finds the \fBEVP_PKEY_ASN1_METHOD\fR associated
with the key \fBpkey\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_asn1_new()\fR returns \s-1NULL\s0 on error, or a pointer to an
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object otherwise.
+\&\fBEVP_PKEY_asn1_new()\fR returns NULL on error, or a pointer to an
+\&\fBEVP_PKEY_ASN1_METHOD\fR object otherwise.
.PP
\&\fBEVP_PKEY_asn1_add0()\fR and \fBEVP_PKEY_asn1_add_alias()\fR return 0 on error,
or 1 on success.
.PP
-\&\fBEVP_PKEY_get0_asn1()\fR returns \s-1NULL\s0 on error, or a pointer to a constant
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object otherwise.
-.SH "HISTORY"
+\&\fBEVP_PKEY_get0_asn1()\fR returns NULL on error, or a pointer to a constant
+\&\fBEVP_PKEY_ASN1_METHOD\fR object otherwise.
+.SH HISTORY
.IX Header "HISTORY"
The signature of the \fIpub_decode\fR functional argument of
\&\fBEVP_PKEY_asn1_set_public()\fR has changed in OpenSSL 3.0 so its \fIpub\fR
parameter is now constified.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3
index 2d4cc4986a6e..e8bd5a41f279 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_CTRL 3ossl"
-.TH EVP_PKEY_CTX_CTRL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_CTRL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_ctrl,
EVP_PKEY_CTX_ctrl_str,
EVP_PKEY_CTX_ctrl_uint64,
@@ -206,7 +130,7 @@ EVP_PKEY_CTX_get0_ecdh_kdf_ukm,
EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len,
EVP_PKEY_CTX_set_kem_op
\&\- algorithm specific control operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -313,7 +237,7 @@ EVP_PKEY_CTX_set_kem_op
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -329,7 +253,7 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_CTX_ctrl()\fR sends a control operation to the context \fIctx\fR. The key
type used must match \fIkeytype\fR if it is not \-1. The parameter \fIoptype\fR is a
@@ -337,8 +261,8 @@ mask indicating which operations the control can be applied to.
The control command is indicated in \fIcmd\fR and any additional arguments in
\&\fIp1\fR and \fIp2\fR.
.PP
-For \fIcmd\fR = \fB\s-1EVP_PKEY_CTRL_SET_MAC_KEY\s0\fR, \fIp1\fR is the length of the \s-1MAC\s0 key,
-and \fIp2\fR is the \s-1MAC\s0 key. This is used by Poly1305, SipHash, \s-1HMAC\s0 and \s-1CMAC.\s0
+For \fIcmd\fR = \fBEVP_PKEY_CTRL_SET_MAC_KEY\fR, \fIp1\fR is the length of the MAC key,
+and \fIp2\fR is the MAC key. This is used by Poly1305, SipHash, HMAC and CMAC.
.PP
Applications will not normally call \fBEVP_PKEY_CTX_ctrl()\fR directly but will
instead call one of the algorithm specific functions below.
@@ -357,10 +281,10 @@ command line pages for the option \fI\-pkeyopt\fR which is supported by the
\&\fIctx\fR. The message digest is specified by its name \fImd\fR.
.PP
\&\fBEVP_PKEY_CTX_set_signature_md()\fR sets the message digest type used
-in a signature. It can be used in the \s-1RSA, DSA\s0 and \s-1ECDSA\s0 algorithms.
+in a signature. It can be used in the RSA, DSA and ECDSA algorithms.
.PP
\&\fBEVP_PKEY_CTX_get_signature_md()\fRgets the message digest type used
-in a signature. It can be used in the \s-1RSA, DSA\s0 and \s-1ECDSA\s0 algorithms.
+in a signature. It can be used in the RSA, DSA and ECDSA algorithms.
.PP
Key generation typically involves setting up parameters to be used and
generating the private and public key data. Some algorithm implementations
@@ -374,62 +298,68 @@ functions instead.
the \fBEVP_PKEY_new_raw_private_key\fR\|(3) function.
.PP
\&\fBEVP_PKEY_CTX_set_group_name()\fR sets the group name to \fIname\fR for parameter and
-key generation. For example for \s-1EC\s0 keys this will set the curve name and for
-\&\s-1DH\s0 keys it will set the name of the finite field group.
+key generation. For example for EC keys this will set the curve name and for
+DH keys it will set the name of the finite field group.
.PP
\&\fBEVP_PKEY_CTX_get_group_name()\fR finds the group name that's currently
set with \fIctx\fR, and writes it to the location that \fIname\fR points at, as long
as its size \fInamelen\fR is large enough to store that name, including a
-terminating \s-1NUL\s0 byte.
-.SS "\s-1RSA\s0 parameters"
+terminating NUL byte.
+.SS "RSA parameters"
.IX Subsection "RSA parameters"
-\&\fBEVP_PKEY_CTX_set_rsa_padding()\fR sets the \s-1RSA\s0 padding mode for \fIctx\fR.
-The \fIpad\fR parameter can take the value \fB\s-1RSA_PKCS1_PADDING\s0\fR for PKCS#1
-padding, \fB\s-1RSA_NO_PADDING\s0\fR for
-no padding, \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR for \s-1OAEP\s0 padding (encrypt and
-decrypt only), \fB\s-1RSA_X931_PADDING\s0\fR for X9.31 padding (signature operations
-only), \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR (sign and verify only) and
-\&\fB\s-1RSA_PKCS1_WITH_TLS_PADDING\s0\fR for \s-1TLS RSA\s0 ClientKeyExchange message padding
+\&\fBEVP_PKEY_CTX_set_rsa_padding()\fR sets the RSA padding mode for \fIctx\fR.
+The \fIpad\fR parameter can take the value \fBRSA_PKCS1_PADDING\fR for PKCS#1
+padding, \fBRSA_NO_PADDING\fR for
+no padding, \fBRSA_PKCS1_OAEP_PADDING\fR for OAEP padding (encrypt and
+decrypt only), \fBRSA_X931_PADDING\fR for X9.31 padding (signature operations
+only), \fBRSA_PKCS1_PSS_PADDING\fR (sign and verify only) and
+\&\fBRSA_PKCS1_WITH_TLS_PADDING\fR for TLS RSA ClientKeyExchange message padding
(decryption only).
.PP
-Two \s-1RSA\s0 padding modes behave differently if \fBEVP_PKEY_CTX_set_signature_md()\fR
+Two RSA padding modes behave differently if \fBEVP_PKEY_CTX_set_signature_md()\fR
is used. If this function is called for PKCS#1 padding the plaintext buffer is
an actual digest value and is encapsulated in a DigestInfo structure according
to PKCS#1 when signing and this structure is expected (and stripped off) when
-verifying. If this control is not used with \s-1RSA\s0 and PKCS#1 padding then the
+verifying. If this control is not used with RSA and PKCS#1 padding then the
supplied data is used directly and not encapsulated. In the case of X9.31
-padding for \s-1RSA\s0 the algorithm identifier byte is added or checked and removed
+padding for RSA the algorithm identifier byte is added or checked and removed
if this control is called. If it is not called then the first byte of the plaintext
buffer is expected to be the algorithm identifier byte.
.PP
-\&\fBEVP_PKEY_CTX_get_rsa_padding()\fR gets the \s-1RSA\s0 padding mode for \fIctx\fR.
+\&\fBEVP_PKEY_CTX_get_rsa_padding()\fR gets the RSA padding mode for \fIctx\fR.
.PP
-\&\fBEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR sets the \s-1RSA PSS\s0 salt length to \fIsaltlen\fR.
-As its name implies it is only supported for \s-1PSS\s0 padding. If this function is
-not called then the maximum salt length is used when signing and auto detection
-when verifying. Three special values are supported:
-.IP "\fB\s-1RSA_PSS_SALTLEN_DIGEST\s0\fR" 4
+\&\fBEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR sets the RSA PSS salt length to \fIsaltlen\fR.
+As its name implies it is only supported for PSS padding. If this function is
+not called then the salt length is maximized up to the digest length when
+signing and auto detection when verifying. Four special values are supported:
+.IP \fBRSA_PSS_SALTLEN_DIGEST\fR 4
.IX Item "RSA_PSS_SALTLEN_DIGEST"
sets the salt length to the digest length.
-.IP "\fB\s-1RSA_PSS_SALTLEN_MAX\s0\fR" 4
+.IP \fBRSA_PSS_SALTLEN_MAX\fR 4
.IX Item "RSA_PSS_SALTLEN_MAX"
sets the salt length to the maximum permissible value.
-.IP "\fB\s-1RSA_PSS_SALTLEN_AUTO\s0\fR" 4
+.IP \fBRSA_PSS_SALTLEN_AUTO\fR 4
.IX Item "RSA_PSS_SALTLEN_AUTO"
causes the salt length to be automatically determined based on the
-\&\fB\s-1PSS\s0\fR block structure when verifying. When signing, it has the same
-meaning as \fB\s-1RSA_PSS_SALTLEN_MAX\s0\fR.
-.PP
-\&\fBEVP_PKEY_CTX_get_rsa_pss_saltlen()\fR gets the \s-1RSA PSS\s0 salt length for \fIctx\fR.
-The padding mode must already have been set to \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR.
-.PP
-\&\fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR sets the \s-1RSA\s0 key length for
-\&\s-1RSA\s0 key generation to \fIbits\fR. If not specified 2048 bits is used.
-.PP
-\&\fBEVP_PKEY_CTX_set1_rsa_keygen_pubexp()\fR sets the public exponent value for \s-1RSA\s0 key
+\&\fBPSS\fR block structure when verifying. When signing, it has the same
+meaning as \fBRSA_PSS_SALTLEN_MAX\fR.
+.IP \fBRSA_PSS_SALTLEN_AUTO_DIGEST_MAX\fR 4
+.IX Item "RSA_PSS_SALTLEN_AUTO_DIGEST_MAX"
+causes the salt length to be automatically determined based on the \fBPSS\fR block
+structure when verifying, like \fBRSA_PSS_SALTLEN_AUTO\fR. When signing, the salt
+length is maximized up to a maximum of the digest length to comply with FIPS
+186\-4 section 5.5.
+.PP
+\&\fBEVP_PKEY_CTX_get_rsa_pss_saltlen()\fR gets the RSA PSS salt length for \fIctx\fR.
+The padding mode must already have been set to \fBRSA_PKCS1_PSS_PADDING\fR.
+.PP
+\&\fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR sets the RSA key length for
+RSA key generation to \fIbits\fR. If not specified 2048 bits is used.
+.PP
+\&\fBEVP_PKEY_CTX_set1_rsa_keygen_pubexp()\fR sets the public exponent value for RSA key
generation to the value stored in \fIpubexp\fR. Currently it should be an odd
integer. In accordance with the OpenSSL naming convention, the \fIpubexp\fR pointer
-must be freed independently of the \s-1EVP_PKEY_CTX\s0 (ie, it is internally copied).
+must be freed independently of the EVP_PKEY_CTX (ie, it is internally copied).
If not specified 65537 is used.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR does the same as
@@ -437,36 +367,36 @@ If not specified 65537 is used.
therefore \fIpubexp\fR should not be modified or freed after the call.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_keygen_primes()\fR sets the number of primes for
-\&\s-1RSA\s0 key generation to \fIprimes\fR. If not specified 2 is used.
+RSA key generation to \fIprimes\fR. If not specified 2 is used.
.PP
-\&\fBEVP_PKEY_CTX_set_rsa_mgf1_md_name()\fR sets the \s-1MGF1\s0 digest for \s-1RSA\s0
-padding schemes to the digest named \fImdname\fR. If the \s-1RSA\s0 algorithm
+\&\fBEVP_PKEY_CTX_set_rsa_mgf1_md_name()\fR sets the MGF1 digest for RSA
+padding schemes to the digest named \fImdname\fR. If the RSA algorithm
implementation for the selected provider supports it then the digest will be
fetched using the properties \fImdprops\fR. If not explicitly set the signing
-digest is used. The padding mode must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR
-or \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR.
+digest is used. The padding mode must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR
+or \fBRSA_PKCS1_PSS_PADDING\fR.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_mgf1_md()\fR does the same as
\&\fBEVP_PKEY_CTX_set_rsa_mgf1_md_name()\fR except that the name of the digest is
inferred from the supplied \fImd\fR and it is not possible to specify any
properties.
.PP
-\&\fBEVP_PKEY_CTX_get_rsa_mgf1_md_name()\fR gets the name of the \s-1MGF1\s0
+\&\fBEVP_PKEY_CTX_get_rsa_mgf1_md_name()\fR gets the name of the MGF1
digest algorithm for \fIctx\fR. If not explicitly set the signing digest is used.
-The padding mode must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR or
-\&\fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR.
+The padding mode must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR or
+\&\fBRSA_PKCS1_PSS_PADDING\fR.
.PP
\&\fBEVP_PKEY_CTX_get_rsa_mgf1_md()\fR does the same as
\&\fBEVP_PKEY_CTX_get_rsa_mgf1_md_name()\fR except that it returns a pointer to an
-\&\s-1EVP_MD\s0 object instead. Note that only known, built-in \s-1EVP_MD\s0 objects will be
-returned. The \s-1EVP_MD\s0 object may be \s-1NULL\s0 if the digest is not one of these (such
+EVP_MD object instead. Note that only known, built-in EVP_MD objects will be
+returned. The EVP_MD object may be NULL if the digest is not one of these (such
as a digest only implemented in a third party provider).
.PP
\&\fBEVP_PKEY_CTX_set_rsa_oaep_md_name()\fR sets the message digest type
-used in \s-1RSA OAEP\s0 to the digest named \fImdname\fR. If the \s-1RSA\s0 algorithm
+used in RSA OAEP to the digest named \fImdname\fR. If the RSA algorithm
implementation for the selected provider supports it then the digest will be
fetched using the properties \fImdprops\fR. The padding mode must have been set to
-\&\fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR.
+\&\fBRSA_PKCS1_OAEP_PADDING\fR.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_oaep_md()\fR does the same as
\&\fBEVP_PKEY_CTX_set_rsa_oaep_md_name()\fR except that the name of the digest is
@@ -474,65 +404,75 @@ inferred from the supplied \fImd\fR and it is not possible to specify any
properties.
.PP
\&\fBEVP_PKEY_CTX_get_rsa_oaep_md_name()\fR gets the message digest
-algorithm name used in \s-1RSA OAEP\s0 and stores it in the buffer \fIname\fR which is of
+algorithm name used in RSA OAEP and stores it in the buffer \fIname\fR which is of
size \fInamelen\fR. The padding mode must have been set to
-\&\fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR. The buffer should be sufficiently large for any
+\&\fBRSA_PKCS1_OAEP_PADDING\fR. The buffer should be sufficiently large for any
expected digest algorithm names or the function will fail.
.PP
\&\fBEVP_PKEY_CTX_get_rsa_oaep_md()\fR does the same as
\&\fBEVP_PKEY_CTX_get_rsa_oaep_md_name()\fR except that it returns a pointer to an
-\&\s-1EVP_MD\s0 object instead. Note that only known, built-in \s-1EVP_MD\s0 objects will be
-returned. The \s-1EVP_MD\s0 object may be \s-1NULL\s0 if the digest is not one of these (such
+EVP_MD object instead. Note that only known, built-in EVP_MD objects will be
+returned. The EVP_MD object may be NULL if the digest is not one of these (such
as a digest only implemented in a third party provider).
.PP
-\&\fBEVP_PKEY_CTX_set0_rsa_oaep_label()\fR sets the \s-1RSA OAEP\s0 label to binary data
-\&\fIlabel\fR and its length in bytes to \fIlen\fR. If \fIlabel\fR is \s-1NULL\s0 or \fIlen\fR is 0,
+\&\fBEVP_PKEY_CTX_set0_rsa_oaep_label()\fR sets the RSA OAEP label to binary data
+\&\fIlabel\fR and its length in bytes to \fIlen\fR. If \fIlabel\fR is NULL or \fIlen\fR is 0,
the label is cleared. The library takes ownership of the label so the
caller should not free the original memory pointed to by \fIlabel\fR.
-The padding mode must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR.
+The padding mode must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR.
.PP
-\&\fBEVP_PKEY_CTX_get0_rsa_oaep_label()\fR gets the \s-1RSA OAEP\s0 label to
+\&\fBEVP_PKEY_CTX_get0_rsa_oaep_label()\fR gets the RSA OAEP label to
\&\fIlabel\fR. The return value is the label length. The padding mode
-must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR. The resulting pointer is owned
+must have been set to \fBRSA_PKCS1_OAEP_PADDING\fR. The resulting pointer is owned
by the library and should not be freed by the caller.
.PP
-\&\fB\s-1RSA_PKCS1_WITH_TLS_PADDING\s0\fR is used when decrypting an \s-1RSA\s0 encrypted \s-1TLS\s0
-pre-master secret in a \s-1TLS\s0 ClientKeyExchange message. It is the same as
-\&\s-1RSA_PKCS1_PADDING\s0 except that it additionally verifies that the result is the
+\&\fBRSA_PKCS1_WITH_TLS_PADDING\fR is used when decrypting an RSA encrypted TLS
+pre-master secret in a TLS ClientKeyExchange message. It is the same as
+RSA_PKCS1_PADDING except that it additionally verifies that the result is the
correct length and the first two bytes are the protocol version initially
requested by the client. If the encrypted content is publicly invalid then the
decryption will fail. However, if the padding checks fail then decryption will
-still appear to succeed but a random \s-1TLS\s0 premaster secret will be returned
+still appear to succeed but a random TLS premaster secret will be returned
instead. This padding mode accepts two parameters which can be set using the
\&\fBEVP_PKEY_CTX_set_params\fR\|(3) function. These are
-\&\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0 and
-\&\s-1OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION,\s0 both of which are expected to be
+OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION and
+OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, both of which are expected to be
unsigned integers. Normally only the first of these will be set and represents
-the \s-1TLS\s0 protocol version that was first requested by the client (e.g. 0x0303 for
+the TLS protocol version that was first requested by the client (e.g. 0x0303 for
TLSv1.2, 0x0302 for TLSv1.1 etc). Historically some buggy clients would use the
negotiated protocol version instead of the protocol version first requested. If
this behaviour should be tolerated then
-\&\s-1OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION\s0 should be set to the actual
+OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual
negotiated protocol version. Otherwise it should be left unset.
-.SS "\s-1DSA\s0 parameters"
+.PP
+Similarly to the \fBRSA_PKCS1_WITH_TLS_PADDING\fR above, since OpenSSL version
+3.2.0, the use of \fBRSA_PKCS1_PADDING\fR will return a randomly generated message
+instead of padding errors in case padding checks fail. Applications that
+want to remain secure while using earlier versions of OpenSSL, or a provider
+that doesn't implement the implicit rejection mechanism, still need to
+handle both the error code from the RSA decryption operation and the
+returned message in a side channel secure manner.
+This protection against Bleichenbacher attacks can be disabled by setting
+\&\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR (an unsigned integer) to 0.
+.SS "DSA parameters"
.IX Subsection "DSA parameters"
-\&\fBEVP_PKEY_CTX_set_dsa_paramgen_bits()\fR sets the number of bits used for \s-1DSA\s0
+\&\fBEVP_PKEY_CTX_set_dsa_paramgen_bits()\fR sets the number of bits used for DSA
parameter generation to \fBnbits\fR. If not specified, 2048 is used.
.PP
\&\fBEVP_PKEY_CTX_set_dsa_paramgen_q_bits()\fR sets the number of bits in the subprime
-parameter \fIq\fR for \s-1DSA\s0 parameter generation to \fIqbits\fR. If not specified, 224
+parameter \fIq\fR for DSA parameter generation to \fIqbits\fR. If not specified, 224
is used. If a digest function is specified below, this parameter is ignored and
instead, the number of bits in \fIq\fR matches the size of the digest.
.PP
-\&\fBEVP_PKEY_CTX_set_dsa_paramgen_md()\fR sets the digest function used for \s-1DSA\s0
-parameter generation to \fImd\fR. If not specified, one of \s-1SHA\-1, SHA\-224,\s0 or
-\&\s-1SHA\-256\s0 is selected to match the bit length of \fIq\fR above.
+\&\fBEVP_PKEY_CTX_set_dsa_paramgen_md()\fR sets the digest function used for DSA
+parameter generation to \fImd\fR. If not specified, one of SHA\-1, SHA\-224, or
+SHA\-256 is selected to match the bit length of \fIq\fR above.
.PP
-\&\fBEVP_PKEY_CTX_set_dsa_paramgen_md_props()\fR sets the digest function used for \s-1DSA\s0
+\&\fBEVP_PKEY_CTX_set_dsa_paramgen_md_props()\fR sets the digest function used for DSA
parameter generation using \fImd_name\fR and \fImd_properties\fR to retrieve the
digest from a provider.
-If not specified, \fImd_name\fR will be set to one of \s-1SHA\-1, SHA\-224,\s0 or
-\&\s-1SHA\-256\s0 depending on the bit length of \fIq\fR above. \fImd_properties\fR is a
+If not specified, \fImd_name\fR will be set to one of SHA\-1, SHA\-224, or
+SHA\-256 depending on the bit length of \fIq\fR above. \fImd_properties\fR is a
property query string that has a default value of '' if not specified.
.PP
\&\fBEVP_PKEY_CTX_set_dsa_paramgen_gindex()\fR sets the \fIgindex\fR used by the generator
@@ -546,44 +486,44 @@ testing purposes only and can fail if the seed does not produce primes for both
p & q on its first iteration. This value must be saved if key validation of
p, q, and verifiable g are required, since it is not part of a persisted key.
.PP
-\&\fBEVP_PKEY_CTX_set_dsa_paramgen_type()\fR sets the generation type to use \s-1FIPS186\-4\s0
-generation if \fIname\fR is \*(L"fips186_4\*(R", or \s-1FIPS186\-2\s0 generation if \fIname\fR is
-\&\*(L"fips186_2\*(R". The default value for the default provider is \*(L"fips186_2\*(R". The
-default value for the \s-1FIPS\s0 provider is \*(L"fips186_4\*(R".
-.SS "\s-1DH\s0 parameters"
+\&\fBEVP_PKEY_CTX_set_dsa_paramgen_type()\fR sets the generation type to use FIPS186\-4
+generation if \fIname\fR is "fips186_4", or FIPS186\-2 generation if \fIname\fR is
+"fips186_2". The default value for the default provider is "fips186_2". The
+default value for the FIPS provider is "fips186_4".
+.SS "DH parameters"
.IX Subsection "DH parameters"
-\&\fBEVP_PKEY_CTX_set_dh_paramgen_prime_len()\fR sets the length of the \s-1DH\s0 prime
-parameter \fIp\fR for \s-1DH\s0 parameter generation. If this function is not called then
+\&\fBEVP_PKEY_CTX_set_dh_paramgen_prime_len()\fR sets the length of the DH prime
+parameter \fIp\fR for DH parameter generation. If this function is not called then
2048 is used. Only accepts lengths greater than or equal to 256.
.PP
-\&\fBEVP_PKEY_CTX_set_dh_paramgen_subprime_len()\fR sets the length of the \s-1DH\s0
-optional subprime parameter \fIq\fR for \s-1DH\s0 parameter generation. The default is
-256 if the prime is at least 2048 bits long or 160 otherwise. The \s-1DH\s0 paramgen
-type must have been set to \*(L"fips186_4\*(R".
+\&\fBEVP_PKEY_CTX_set_dh_paramgen_subprime_len()\fR sets the length of the DH
+optional subprime parameter \fIq\fR for DH parameter generation. The default is
+256 if the prime is at least 2048 bits long or 160 otherwise. The DH paramgen
+type must have been set to "fips186_4".
.PP
-\&\fBEVP_PKEY_CTX_set_dh_paramgen_generator()\fR sets \s-1DH\s0 generator to \fIgen\fR for \s-1DH\s0
+\&\fBEVP_PKEY_CTX_set_dh_paramgen_generator()\fR sets DH generator to \fIgen\fR for DH
parameter generation. If not specified 2 is used.
.PP
-\&\fBEVP_PKEY_CTX_set_dh_paramgen_type()\fR sets the key type for \s-1DH\s0 parameter
+\&\fBEVP_PKEY_CTX_set_dh_paramgen_type()\fR sets the key type for DH parameter
generation. The supported parameters are:
-.IP "\fB\s-1DH_PARAMGEN_TYPE_GROUP\s0\fR" 4
+.IP \fBDH_PARAMGEN_TYPE_GROUP\fR 4
.IX Item "DH_PARAMGEN_TYPE_GROUP"
Use a named group. If only the safe prime parameter \fIp\fR is set this can be
used to select a ffdhe safe prime group of the correct size.
-.IP "\fB\s-1DH_PARAMGEN_TYPE_FIPS_186_4\s0\fR" 4
+.IP \fBDH_PARAMGEN_TYPE_FIPS_186_4\fR 4
.IX Item "DH_PARAMGEN_TYPE_FIPS_186_4"
-\&\s-1FIPS186\-4 FFC\s0 parameter generator.
-.IP "\fB\s-1DH_PARAMGEN_TYPE_FIPS_186_2\s0\fR" 4
+FIPS186\-4 FFC parameter generator.
+.IP \fBDH_PARAMGEN_TYPE_FIPS_186_2\fR 4
.IX Item "DH_PARAMGEN_TYPE_FIPS_186_2"
-\&\s-1FIPS186\-2 FFC\s0 parameter generator (X9.42 \s-1DH\s0).
-.IP "\fB\s-1DH_PARAMGEN_TYPE_GENERATOR\s0\fR" 4
+FIPS186\-2 FFC parameter generator (X9.42 DH).
+.IP \fBDH_PARAMGEN_TYPE_GENERATOR\fR 4
.IX Item "DH_PARAMGEN_TYPE_GENERATOR"
Uses a safe prime generator g (PKCS#3 format).
.PP
-The default in the default provider is \fB\s-1DH_PARAMGEN_TYPE_GENERATOR\s0\fR for the
-\&\*(L"\s-1DH\*(R"\s0 keytype, and \fB\s-1DH_PARAMGEN_TYPE_FIPS_186_2\s0\fR for the \*(L"\s-1DHX\*(R"\s0 keytype. In the
-\&\s-1FIPS\s0 provider the default value is \fB\s-1DH_PARAMGEN_TYPE_GROUP\s0\fR for the \*(L"\s-1DH\*(R"\s0
-keytype and <\fB\s-1DH_PARAMGEN_TYPE_FIPS_186_4\s0\fR for the \*(L"\s-1DHX\*(R"\s0 keytype.
+The default in the default provider is \fBDH_PARAMGEN_TYPE_GENERATOR\fR for the
+"DH" keytype, and \fBDH_PARAMGEN_TYPE_FIPS_186_2\fR for the "DHX" keytype. In the
+FIPS provider the default value is \fBDH_PARAMGEN_TYPE_GROUP\fR for the "DH"
+keytype and <\fBDH_PARAMGEN_TYPE_FIPS_186_4\fR for the "DHX" keytype.
.PP
\&\fBEVP_PKEY_CTX_set_dh_paramgen_gindex()\fR sets the \fIgindex\fR used by the generator G.
The default value is \-1 which uses unverifiable g, otherwise a positive value
@@ -596,13 +536,13 @@ testing purposes only and can fail if the seed does not produce primes for both
p & q on its first iteration. This value must be saved if key validation of p, q,
and verifiable g are required, since it is not part of a persisted key.
.PP
-\&\fBEVP_PKEY_CTX_set_dh_pad()\fR sets the \s-1DH\s0 padding mode.
-If \fIpad\fR is 1 the shared secret is padded with zeros up to the size of the \s-1DH\s0
+\&\fBEVP_PKEY_CTX_set_dh_pad()\fR sets the DH padding mode.
+If \fIpad\fR is 1 the shared secret is padded with zeros up to the size of the DH
prime \fIp\fR.
If \fIpad\fR is zero (the default) then no padding is performed.
.PP
-\&\fBEVP_PKEY_CTX_set_dh_nid()\fR sets the \s-1DH\s0 parameters to values corresponding to
-\&\fInid\fR as defined in \s-1RFC7919\s0 or \s-1RFC3526.\s0 The \fInid\fR parameter must be
+\&\fBEVP_PKEY_CTX_set_dh_nid()\fR sets the DH parameters to values corresponding to
+\&\fInid\fR as defined in RFC7919 or RFC3526. The \fInid\fR parameter must be
\&\fBNID_ffdhe2048\fR, \fBNID_ffdhe3072\fR, \fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR,
\&\fBNID_ffdhe8192\fR, \fBNID_modp_1536\fR, \fBNID_modp_2048\fR, \fBNID_modp_3072\fR,
\&\fBNID_modp_4096\fR, \fBNID_modp_6144\fR, \fBNID_modp_8192\fR or \fBNID_undef\fR to clear
@@ -610,55 +550,55 @@ the stored value. This function can be called during parameter or key generation
The nid parameter and the rfc5114 parameter are mutually exclusive.
.PP
\&\fBEVP_PKEY_CTX_set_dh_rfc5114()\fR and \fBEVP_PKEY_CTX_set_dhx_rfc5114()\fR both set the
-\&\s-1DH\s0 parameters to the values defined in \s-1RFC5114.\s0 The \fIrfc5114\fR parameter must
-be 1, 2 or 3 corresponding to \s-1RFC5114\s0 sections 2.1, 2.2 and 2.3. or 0 to clear
+DH parameters to the values defined in RFC5114. The \fIrfc5114\fR parameter must
+be 1, 2 or 3 corresponding to RFC5114 sections 2.1, 2.2 and 2.3. or 0 to clear
the stored value. This macro can be called during parameter generation. The
-\&\fIctx\fR must have a key type of \fB\s-1EVP_PKEY_DHX\s0\fR.
+\&\fIctx\fR must have a key type of \fBEVP_PKEY_DHX\fR.
The rfc5114 parameter and the nid parameter are mutually exclusive.
-.SS "\s-1DH\s0 key derivation function parameters"
+.SS "DH key derivation function parameters"
.IX Subsection "DH key derivation function parameters"
Note that all of the following functions require that the \fIctx\fR parameter has
-a private key type of \fB\s-1EVP_PKEY_DHX\s0\fR. When using key derivation, the output of
-\&\fBEVP_PKEY_derive()\fR is the output of the \s-1KDF\s0 instead of the \s-1DH\s0 shared secret.
-The \s-1KDF\s0 output is typically used as a Key Encryption Key (\s-1KEK\s0) that in turn
-encrypts a Content Encryption Key (\s-1CEK\s0).
+a private key type of \fBEVP_PKEY_DHX\fR. When using key derivation, the output of
+\&\fBEVP_PKEY_derive()\fR is the output of the KDF instead of the DH shared secret.
+The KDF output is typically used as a Key Encryption Key (KEK) that in turn
+encrypts a Content Encryption Key (CEK).
.PP
\&\fBEVP_PKEY_CTX_set_dh_kdf_type()\fR sets the key derivation function type to \fIkdf\fR
-for \s-1DH\s0 key derivation. Possible values are \fB\s-1EVP_PKEY_DH_KDF_NONE\s0\fR and
-\&\fB\s-1EVP_PKEY_DH_KDF_X9_42\s0\fR which uses the key derivation specified in \s-1RFC2631\s0
+for DH key derivation. Possible values are \fBEVP_PKEY_DH_KDF_NONE\fR and
+\&\fBEVP_PKEY_DH_KDF_X9_42\fR which uses the key derivation specified in RFC2631
(based on the keying algorithm described in X9.42). When using key derivation,
the \fIkdf_oid\fR, \fIkdf_md\fR and \fIkdf_outlen\fR parameters must also be specified.
.PP
\&\fBEVP_PKEY_CTX_get_dh_kdf_type()\fR gets the key derivation function type for \fIctx\fR
-used for \s-1DH\s0 key derivation. Possible values are \fB\s-1EVP_PKEY_DH_KDF_NONE\s0\fR and
-\&\fB\s-1EVP_PKEY_DH_KDF_X9_42\s0\fR.
+used for DH key derivation. Possible values are \fBEVP_PKEY_DH_KDF_NONE\fR and
+\&\fBEVP_PKEY_DH_KDF_X9_42\fR.
.PP
\&\fBEVP_PKEY_CTX_set0_dh_kdf_oid()\fR sets the key derivation function object
-identifier to \fIoid\fR for \s-1DH\s0 key derivation. This \s-1OID\s0 should identify the
+identifier to \fIoid\fR for DH key derivation. This OID should identify the
algorithm to be used with the Content Encryption Key.
The library takes ownership of the object identifier so the caller should not
free the original memory pointed to by \fIoid\fR.
.PP
\&\fBEVP_PKEY_CTX_get0_dh_kdf_oid()\fR gets the key derivation function oid for \fIctx\fR
-used for \s-1DH\s0 key derivation. The resulting pointer is owned by the library and
+used for DH key derivation. The resulting pointer is owned by the library and
should not be freed by the caller.
.PP
\&\fBEVP_PKEY_CTX_set_dh_kdf_md()\fR sets the key derivation function message digest to
-\&\fImd\fR for \s-1DH\s0 key derivation. Note that \s-1RFC2631\s0 specifies that this digest should
-be \s-1SHA1\s0 but OpenSSL tolerates other digests.
+\&\fImd\fR for DH key derivation. Note that RFC2631 specifies that this digest should
+be SHA1 but OpenSSL tolerates other digests.
.PP
\&\fBEVP_PKEY_CTX_get_dh_kdf_md()\fR gets the key derivation function message digest for
-\&\fIctx\fR used for \s-1DH\s0 key derivation.
+\&\fIctx\fR used for DH key derivation.
.PP
\&\fBEVP_PKEY_CTX_set_dh_kdf_outlen()\fR sets the key derivation function output length
-to \fIlen\fR for \s-1DH\s0 key derivation.
+to \fIlen\fR for DH key derivation.
.PP
\&\fBEVP_PKEY_CTX_get_dh_kdf_outlen()\fR gets the key derivation function output length
-for \fIctx\fR used for \s-1DH\s0 key derivation.
+for \fIctx\fR used for DH key derivation.
.PP
\&\fBEVP_PKEY_CTX_set0_dh_kdf_ukm()\fR sets the user key material to \fIukm\fR and its
-length to \fIlen\fR for \s-1DH\s0 key derivation. This parameter is optional and
-corresponds to the partyAInfo field in \s-1RFC2631\s0 terms. The specification
+length to \fIlen\fR for DH key derivation. This parameter is optional and
+corresponds to the partyAInfo field in RFC2631 terms. The specification
requires that it is 512 bits long but this is not enforced by OpenSSL.
The library takes ownership of the user key material so the caller should not
free the original memory pointed to by \fIukm\fR.
@@ -666,67 +606,67 @@ free the original memory pointed to by \fIukm\fR.
\&\fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR gets the user key material for \fIctx\fR.
The return value is the user key material length. The resulting pointer is owned
by the library and should not be freed by the caller.
-.SS "\s-1EC\s0 parameters"
+.SS "EC parameters"
.IX Subsection "EC parameters"
Use \fBEVP_PKEY_CTX_set_group_name()\fR (described above) to set the curve name to
\&\fIname\fR for parameter and key generation.
.PP
\&\fBEVP_PKEY_CTX_set_ec_paramgen_curve_nid()\fR does the same as
-\&\fBEVP_PKEY_CTX_set_group_name()\fR, but is specific to \s-1EC\s0 and uses a \fInid\fR rather
+\&\fBEVP_PKEY_CTX_set_group_name()\fR, but is specific to EC and uses a \fInid\fR rather
than a name string.
.PP
-For \s-1EC\s0 parameter generation, one of \fBEVP_PKEY_CTX_set_group_name()\fR
+For EC parameter generation, one of \fBEVP_PKEY_CTX_set_group_name()\fR
or \fBEVP_PKEY_CTX_set_ec_paramgen_curve_nid()\fR must be called or an error occurs
because there is no default curve.
These function can also be called to set the curve explicitly when
-generating an \s-1EC\s0 key.
+generating an EC key.
.PP
\&\fBEVP_PKEY_CTX_get_group_name()\fR (described above) can be used to obtain the curve
name that's currently set with \fIctx\fR.
.PP
-\&\fBEVP_PKEY_CTX_set_ec_param_enc()\fR sets the \s-1EC\s0 parameter encoding to \fIparam_enc\fR
-when generating \s-1EC\s0 parameters or an \s-1EC\s0 key. The encoding can be
-\&\fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR for explicit parameters (the default in versions
-of OpenSSL before 1.1.0) or \fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR to use named curve form.
+\&\fBEVP_PKEY_CTX_set_ec_param_enc()\fR sets the EC parameter encoding to \fIparam_enc\fR
+when generating EC parameters or an EC key. The encoding can be
+\&\fBOPENSSL_EC_EXPLICIT_CURVE\fR for explicit parameters (the default in versions
+of OpenSSL before 1.1.0) or \fBOPENSSL_EC_NAMED_CURVE\fR to use named curve form.
For maximum compatibility the named curve form should be used. Note: the
-\&\fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR value was added in OpenSSL 1.1.0; previous
+\&\fBOPENSSL_EC_NAMED_CURVE\fR value was added in OpenSSL 1.1.0; previous
versions should use 0 instead.
-.SS "\s-1ECDH\s0 parameters"
+.SS "ECDH parameters"
.IX Subsection "ECDH parameters"
\&\fBEVP_PKEY_CTX_set_ecdh_cofactor_mode()\fR sets the cofactor mode to \fIcofactor_mode\fR
-for \s-1ECDH\s0 key derivation. Possible values are 1 to enable cofactor
+for ECDH key derivation. Possible values are 1 to enable cofactor
key derivation, 0 to disable it and \-1 to clear the stored cofactor mode and
fallback to the private key cofactor mode.
.PP
\&\fBEVP_PKEY_CTX_get_ecdh_cofactor_mode()\fR returns the cofactor mode for \fIctx\fR used
-for \s-1ECDH\s0 key derivation. Possible values are 1 when cofactor key derivation is
+for ECDH key derivation. Possible values are 1 when cofactor key derivation is
enabled and 0 otherwise.
-.SS "\s-1ECDH\s0 key derivation function parameters"
+.SS "ECDH key derivation function parameters"
.IX Subsection "ECDH key derivation function parameters"
\&\fBEVP_PKEY_CTX_set_ecdh_kdf_type()\fR sets the key derivation function type to
-\&\fIkdf\fR for \s-1ECDH\s0 key derivation. Possible values are \fB\s-1EVP_PKEY_ECDH_KDF_NONE\s0\fR
-and \fB\s-1EVP_PKEY_ECDH_KDF_X9_63\s0\fR which uses the key derivation specified in X9.63.
+\&\fIkdf\fR for ECDH key derivation. Possible values are \fBEVP_PKEY_ECDH_KDF_NONE\fR
+and \fBEVP_PKEY_ECDH_KDF_X9_63\fR which uses the key derivation specified in X9.63.
When using key derivation, the \fIkdf_md\fR and \fIkdf_outlen\fR parameters must
also be specified.
.PP
\&\fBEVP_PKEY_CTX_get_ecdh_kdf_type()\fR returns the key derivation function type for
-\&\fIctx\fR used for \s-1ECDH\s0 key derivation. Possible values are
-\&\fB\s-1EVP_PKEY_ECDH_KDF_NONE\s0\fR and \fB\s-1EVP_PKEY_ECDH_KDF_X9_63\s0\fR.
+\&\fIctx\fR used for ECDH key derivation. Possible values are
+\&\fBEVP_PKEY_ECDH_KDF_NONE\fR and \fBEVP_PKEY_ECDH_KDF_X9_63\fR.
.PP
\&\fBEVP_PKEY_CTX_set_ecdh_kdf_md()\fR sets the key derivation function message digest
-to \fImd\fR for \s-1ECDH\s0 key derivation. Note that X9.63 specifies that this digest
-should be \s-1SHA1\s0 but OpenSSL tolerates other digests.
+to \fImd\fR for ECDH key derivation. Note that X9.63 specifies that this digest
+should be SHA1 but OpenSSL tolerates other digests.
.PP
\&\fBEVP_PKEY_CTX_get_ecdh_kdf_md()\fR gets the key derivation function message digest
-for \fIctx\fR used for \s-1ECDH\s0 key derivation.
+for \fIctx\fR used for ECDH key derivation.
.PP
\&\fBEVP_PKEY_CTX_set_ecdh_kdf_outlen()\fR sets the key derivation function output
-length to \fIlen\fR for \s-1ECDH\s0 key derivation.
+length to \fIlen\fR for ECDH key derivation.
.PP
\&\fBEVP_PKEY_CTX_get_ecdh_kdf_outlen()\fR gets the key derivation function output
-length for \fIctx\fR used for \s-1ECDH\s0 key derivation.
+length for \fIctx\fR used for ECDH key derivation.
.PP
-\&\fBEVP_PKEY_CTX_set0_ecdh_kdf_ukm()\fR sets the user key material to \fIukm\fR for \s-1ECDH\s0
+\&\fBEVP_PKEY_CTX_set0_ecdh_kdf_ukm()\fR sets the user key material to \fIukm\fR for ECDH
key derivation. This parameter is optional and corresponds to the shared info in
X9.63 terms. The library takes ownership of the user key material so the caller
should not free the original memory pointed to by \fIukm\fR.
@@ -738,20 +678,24 @@ by the library and should not be freed by the caller.
.IX Subsection "Other parameters"
\&\fBEVP_PKEY_CTX_set1_id()\fR, \fBEVP_PKEY_CTX_get1_id()\fR and \fBEVP_PKEY_CTX_get1_id_len()\fR
are used to manipulate the special identifier field for specific signature
-algorithms such as \s-1SM2.\s0 The \fBEVP_PKEY_CTX_set1_id()\fR sets an \s-1ID\s0 pointed by \fIid\fR with
+algorithms such as SM2. The \fBEVP_PKEY_CTX_set1_id()\fR sets an ID pointed by \fIid\fR with
the length \fIid_len\fR to the library. The library takes a copy of the id so that
the caller can safely free the original memory pointed to by \fIid\fR.
-\&\fBEVP_PKEY_CTX_get1_id_len()\fR returns the length of the \s-1ID\s0 set via a previous call
+\&\fBEVP_PKEY_CTX_get1_id_len()\fR returns the length of the ID set via a previous call
to \fBEVP_PKEY_CTX_set1_id()\fR. The length is usually used to allocate adequate
memory for further calls to \fBEVP_PKEY_CTX_get1_id()\fR. \fBEVP_PKEY_CTX_get1_id()\fR
-returns the previously set \s-1ID\s0 value to caller in \fIid\fR. The caller should
+returns the previously set ID value to caller in \fIid\fR. The caller should
allocate adequate memory space for the \fIid\fR before calling \fBEVP_PKEY_CTX_get1_id()\fR.
.PP
-\&\fBEVP_PKEY_CTX_set_kem_op()\fR sets the \s-1KEM\s0 operation to run. This can be set after
-\&\fBEVP_PKEY_encapsulate_init()\fR or \fBEVP_PKEY_decapsulate_init()\fR to select the
-kem operation. \s-1RSA\s0 is the only key type that supports encapsulation currently,
-and as there is no default operation for the \s-1RSA\s0 type, this function must be
-called before \fBEVP_PKEY_encapsulate()\fR or \fBEVP_PKEY_decapsulate()\fR.
+\&\fBEVP_PKEY_CTX_set_kem_op()\fR sets the KEM operation to run. This can be set after
+\&\fBEVP_PKEY_encapsulate_init()\fR or \fBEVP_PKEY_decapsulate_init()\fR to select the kem
+operation. For the key types that support encapsulation and don't have the
+default operation, e.g. RSA, this function must be called before
+\&\fBEVP_PKEY_encapsulate()\fR or \fBEVP_PKEY_decapsulate()\fR.
+.PP
+The supported parameters for the built-in algorithms are documented in
+\&\fBEVP_KEM\-RSA\fR\|(7), \fBEVP_KEM\-EC\fR\|(7), \fBEVP_KEM\-X25519\fR\|(7),
+\&\fBEVP_KEM\-X448\fR\|(7), and \fBEVP_KEM\-ML\-KEM\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All other functions described on this page return a positive value for success
@@ -770,7 +714,7 @@ indicates the operation is not supported by the public key algorithm.
\&\fBEVP_PKEY_keygen\fR\|(3)
\&\fBEVP_PKEY_encapsulate\fR\|(3)
\&\fBEVP_PKEY_decapsulate\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_PKEY_CTX_get_rsa_oaep_md_name()\fR, \fBEVP_PKEY_CTX_get_rsa_mgf1_md_name()\fR,
\&\fBEVP_PKEY_CTX_set_rsa_mgf1_md_name()\fR, \fBEVP_PKEY_CTX_set_rsa_oaep_md_name()\fR,
@@ -788,11 +732,11 @@ From OpenSSL 3.0 they are all functions.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR, \fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR,
and \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm()\fR were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3
index ea9bf86e3b9a..66fe1bc5489e 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_libctx.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_GET0_LIBCTX 3ossl"
-.TH EVP_PKEY_CTX_GET0_LIBCTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_GET0_LIBCTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_get0_libctx,
EVP_PKEY_CTX_get0_propq,
EVP_PKEY_CTX_get0_provider
\&\- functions for getting diverse information from an EVP_PKEY_CTX
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -150,34 +74,34 @@ EVP_PKEY_CTX_get0_provider
\& const char *EVP_PKEY_CTX_get0_propq(const EVP_PKEY_CTX *ctx);
\& const OSSL_PROVIDER *EVP_PKEY_CTX_get0_provider(const EVP_PKEY_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_CTX_get0_libctx()\fR and \fBEVP_PKEY_CTX_get0_propq()\fR obtain the
-\&\s-1OSSL_LIB_CTX\s0 and property query string values respectively that were
-associated with the \s-1EVP_PKEY_CTX\s0 when it was constructed.
+OSSL_LIB_CTX and property query string values respectively that were
+associated with the EVP_PKEY_CTX when it was constructed.
.PP
\&\fBEVP_PKEY_CTX_get0_provider()\fR returns the provider associated with the
-ongoing \fB\s-1EVP_PKEY_CTX\s0\fR operation. If the operation is performed by
-en \fB\s-1ENGINE\s0\fR, this function returns \s-1NULL.\s0
+ongoing \fBEVP_PKEY_CTX\fR operation. If the operation is performed by
+en \fBENGINE\fR, this function returns NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_CTX_get0_libctx()\fR and \fBEVP_PKEY_CTX_get0_propq()\fR functions return the
-\&\s-1OSSL_LIB_CTX\s0 and property query string associated with the \s-1EVP_PKEY_CTX\s0 or \s-1NULL\s0
+OSSL_LIB_CTX and property query string associated with the EVP_PKEY_CTX or NULL
if they are not set. The returned values should not be freed by the caller.
.PP
\&\fBEVP_PKEY_CTX_get0_provider()\fR returns a provider if an operation performed by
-a provider is ongoing, otherwise \s-1NULL.\s0
+a provider is ongoing, otherwise NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3
index 750611704d7b..2377046445d2 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get0_pkey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_GET0_PKEY 3ossl"
-.TH EVP_PKEY_CTX_GET0_PKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_GET0_PKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_get0_pkey,
EVP_PKEY_CTX_get0_peerkey
\&\- functions for accessing the EVP_PKEY associated with an EVP_PKEY_CTX
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,39 +72,39 @@ EVP_PKEY_CTX_get0_peerkey
\& EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx);
\& EVP_PKEY *EVP_PKEY_CTX_get0_peerkey(EVP_PKEY_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBEVP_PKEY_CTX_get0_pkey()\fR is used to access the \fB\s-1EVP_PKEY\s0\fR
-associated with the given \fB\s-1EVP_PKEY_CTX\s0\fR \fIctx\fR.
-The \fB\s-1EVP_PKEY\s0\fR obtained is the one used for creating the \fB\s-1EVP_PKEY_CTX\s0\fR
+\&\fBEVP_PKEY_CTX_get0_pkey()\fR is used to access the \fBEVP_PKEY\fR
+associated with the given \fBEVP_PKEY_CTX\fR \fIctx\fR.
+The \fBEVP_PKEY\fR obtained is the one used for creating the \fBEVP_PKEY_CTX\fR
using either \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
.PP
-\&\fBEVP_PKEY_CTX_get0_peerkey()\fR is used to access the peer \fB\s-1EVP_PKEY\s0\fR
-associated with the given \fB\s-1EVP_PKEY_CTX\s0\fR \fIctx\fR.
-The peer \fB\s-1EVP_PKEY\s0\fR obtained is the one set using
+\&\fBEVP_PKEY_CTX_get0_peerkey()\fR is used to access the peer \fBEVP_PKEY\fR
+associated with the given \fBEVP_PKEY_CTX\fR \fIctx\fR.
+The peer \fBEVP_PKEY\fR obtained is the one set using
either \fBEVP_PKEY_derive_set_peer\fR\|(3) or \fBEVP_PKEY_derive_set_peer_ex\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_CTX_get0_pkey()\fR returns the \fB\s-1EVP_PKEY\s0\fR associated with the
-\&\s-1EVP_PKEY_CTX\s0 or \s-1NULL\s0 if it is not set.
+\&\fBEVP_PKEY_CTX_get0_pkey()\fR returns the \fBEVP_PKEY\fR associated with the
+EVP_PKEY_CTX or NULL if it is not set.
.PP
-\&\fBEVP_PKEY_CTX_get0_peerkey()\fR returns the peer \fB\s-1EVP_PKEY\s0\fR associated with the
-\&\s-1EVP_PKEY_CTX\s0 or \s-1NULL\s0 if it is not set.
+\&\fBEVP_PKEY_CTX_get0_peerkey()\fR returns the peer \fBEVP_PKEY\fR associated with the
+EVP_PKEY_CTX or NULL if it is not set.
.PP
-The returned \s-1EVP_PKEY\s0 objects are owned by the \s-1EVP_PKEY_CTX,\s0
+The returned EVP_PKEY objects are owned by the EVP_PKEY_CTX,
and therefore should not explicitly be freed by the caller.
.PP
-These functions do not affect the \s-1EVP_PKEY\s0 reference count.
+These functions do not affect the EVP_PKEY reference count.
They merely act as getter functions, and should be treated as such.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3), \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3),
\&\fBEVP_PKEY_derive_set_peer\fR\|(3), \fBEVP_PKEY_derive_set_peer_ex\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R").
+Licensed under the Apache License 2.0 (the "License").
You may not use this file except in compliance with the License.
-You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at
+You can obtain a copy in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3
new file mode 100644
index 000000000000..f97bf28e8bab
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_get_algor.3
@@ -0,0 +1,120 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_PKEY_CTX_GET_ALGOR 3ossl"
+.TH EVP_PKEY_CTX_GET_ALGOR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_CIPHER_CTX_get_algor,
+EVP_CIPHER_CTX_get_algor_params,
+EVP_CIPHER_CTX_set_algor_params,
+EVP_PKEY_CTX_get_algor,
+EVP_PKEY_CTX_get_algor_params,
+EVP_PKEY_CTX_set_algor_params
+\&\- pass AlgorithmIdentifier and its params to/from algorithm implementations
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 3
+\& int EVP_TYPE_CTX_get_algor(EVP_TYPE_CTX *ctx, X509_ALGOR **alg);
+\& int EVP_TYPE_CTX_get_algor_params(EVP_TYPE_CTX *ctx, X509_ALGOR *alg);
+\& int EVP_TYPE_CTX_set_algor_params(EVP_TYPE_CTX *ctx, const X509_ALGOR *alg);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+In the description here and the "SYNOPSIS" above, \fR\f(BITYPE\fR\fB\fR is used as a
+placeholder for any EVP operation type.
+.PP
+\&\fBEVP_\fR\f(BITYPE\fR\fB_CTX_get_algor\fR() attempts to retrieve a complete
+AlgorithmIdentifier from the \fBEVP_\fR\f(BITYPE\fR implementation, and populates
+\&\fI*alg\fR with it.
+If \fIalg\fR is NULL, calling this function will serve to see if calling this
+function is supported at all by the \fBEVP_\fR\f(BITYPE\fR\fB\fR implementation.
+If \fI*alg\fR is NULL, space will be allocated automatically, and assigned to
+\&\fI*alg\fR.
+.PP
+\&\fBEVP_\fR\f(BITYPE\fR\fB_CTX_get_algor_params\fR() attempts to retrieve the \fIparameters\fR
+part of an AlgorithmIdentifier from the \fBEVP_\fR\f(BITYPE\fR implementation, and
+populates \fIalg\-\fRparameters> with it.
+If \fIalg\fR is NULL, calling this function will serve to see if calling this
+function is supported at all by the \fBEVP_\fR\f(BITYPE\fR\fB\fR implementation.
+If \fIalg\->parameters\fR is NULL, space will be allocated automatically, and
+assigned to \fIalg\->parameters\fR.
+If \fIalg\->parameters\fR is not NULL, its previous contents will be overwritten
+with the retrieved AlgorithmIdentifier parameters. Beware!
+.PP
+\&\fBEVP_\fR\f(BITYPE\fR\fB_CTX_set_algor_params\fR() attempts to pass \fIalg\->parameters\fR
+to the \fBEVP_\fR\f(BITYPE\fR implementation.
+If \fIalg\fR is NULL, calling this function will serve to see if calling this
+function is supported at all by the \fBEVP_\fR\f(BITYPE\fR\fB\fR implementation.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+All functions return 1 for success, and 0 or a negative number if an error
+occurs. In particular, \-2 is returned when the function isn't supported by
+the \fBEVP_\fR\f(BITYPE\fR implementation.
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3
index da3aa0b1da56..8864b0d84e39 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_NEW 3ossl"
-.TH EVP_PKEY_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_new_from_name,
EVP_PKEY_CTX_new_from_pkey, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free,
EVP_PKEY_CTX_is_a
\&\- public key algorithm context functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -158,77 +82,80 @@ EVP_PKEY_CTX_is_a
\& void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_CTX_is_a(EVP_PKEY_CTX *ctx, const char *keytype);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_CTX_new()\fR function allocates public key algorithm context using
-the \fIpkey\fR key type and \s-1ENGINE\s0 \fIe\fR.
+the \fIpkey\fR key type and ENGINE \fIe\fR.
.PP
The \fBEVP_PKEY_CTX_new_id()\fR function allocates public key algorithm context
-using the key type specified by \fIid\fR and \s-1ENGINE\s0 \fIe\fR.
+using the key type specified by \fIid\fR and ENGINE \fIe\fR.
.PP
The \fBEVP_PKEY_CTX_new_from_name()\fR function allocates a public key algorithm
-context using the library context \fIlibctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)), the
+context using the library context \fIlibctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)), the
key type specified by \fIname\fR and the property query \fIpropquery\fR. None
of the arguments are duplicated, so they must remain unchanged for the
-lifetime of the returned \fB\s-1EVP_PKEY_CTX\s0\fR or of any of its duplicates. Read
-further about the possible names in \*(L"\s-1NOTES\*(R"\s0 below.
+lifetime of the returned \fBEVP_PKEY_CTX\fR or of any of its duplicates. Read
+further about the possible names in "NOTES" below.
.PP
The \fBEVP_PKEY_CTX_new_from_pkey()\fR function allocates a public key algorithm
-context using the library context \fIlibctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) and the
+context using the library context \fIlibctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)) and the
algorithm specified by \fIpkey\fR and the property query \fIpropquery\fR. None of the
arguments are duplicated, so they must remain unchanged for the lifetime of the
-returned \fB\s-1EVP_PKEY_CTX\s0\fR or any of its duplicates.
+returned \fBEVP_PKEY_CTX\fR or any of its duplicates.
.PP
\&\fBEVP_PKEY_CTX_new_id()\fR and \fBEVP_PKEY_CTX_new_from_name()\fR are normally
-used when no \fB\s-1EVP_PKEY\s0\fR structure is associated with the operations,
+used when no \fBEVP_PKEY\fR structure is associated with the operations,
for example during parameter generation or key generation for some
algorithms.
.PP
-\&\fBEVP_PKEY_CTX_dup()\fR duplicates the context \fIctx\fR. It is not supported for a
-keygen operation.
+\&\fBEVP_PKEY_CTX_dup()\fR duplicates the context \fIctx\fR.
+It is not supported for a keygen operation.
+It is however possible to duplicate a context freshly created via any of the
+above \f(CW\*(C`new\*(C'\fR functions, provided \fBEVP_PKEY_keygen_init\fR\|(3) has not yet been
+called on the source context, and then use the copy for key generation.
.PP
\&\fBEVP_PKEY_CTX_free()\fR frees up the context \fIctx\fR.
-If \fIctx\fR is \s-1NULL,\s0 nothing is done.
+If \fIctx\fR is NULL, nothing is done.
.PP
\&\fBEVP_PKEY_is_a()\fR checks if the key type associated with \fIctx\fR is \fIkeytype\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-.SS "On \fB\s-1EVP_PKEY_CTX\s0\fP"
+.SS "On \fBEVP_PKEY_CTX\fP"
.IX Subsection "On EVP_PKEY_CTX"
-The \fB\s-1EVP_PKEY_CTX\s0\fR structure is an opaque public key algorithm context used
-by the OpenSSL high-level public key \s-1API.\s0 Contexts \fB\s-1MUST NOT\s0\fR be shared between
+The \fBEVP_PKEY_CTX\fR structure is an opaque public key algorithm context used
+by the OpenSSL high-level public key API. Contexts \fBMUST NOT\fR be shared between
threads: that is it is not permissible to use the same context simultaneously
in two threads.
.SS "On Key Types"
.IX Subsection "On Key Types"
-We mention \*(L"key type\*(R" in this manual, which is the same
-as \*(L"algorithm\*(R" in most cases, allowing either term to be used
+We mention "key type" in this manual, which is the same
+as "algorithm" in most cases, allowing either term to be used
interchangeably. There are algorithms where the \fIkey type\fR and the
\&\fIalgorithm\fR of the operations that use the keys are not the same,
-such as \s-1EC\s0 keys being used for \s-1ECDSA\s0 and \s-1ECDH\s0 operations.
+such as EC keys being used for ECDSA and ECDH operations.
.PP
Key types are given in two different manners:
-.IP "Legacy \s-1NID\s0 or \s-1EVP_PKEY\s0 type" 4
+.IP "Legacy NID or EVP_PKEY type" 4
.IX Item "Legacy NID or EVP_PKEY type"
This is the \fIid\fR used with \fBEVP_PKEY_CTX_new_id()\fR.
.Sp
-These are \fB\s-1EVP_PKEY_RSA\s0\fR, \fB\s-1EVP_PKEY_RSA_PSS\s0\fR, \fB\s-1EVP_PKEY_DSA\s0\fR,
-\&\fB\s-1EVP_PKEY_DH\s0\fR, \fB\s-1EVP_PKEY_EC\s0\fR, \fB\s-1EVP_PKEY_SM2\s0\fR, \fB\s-1EVP_PKEY_X25519\s0\fR,
-\&\fB\s-1EVP_PKEY_X448\s0\fR, and are used by legacy methods.
+These are \fBEVP_PKEY_RSA\fR, \fBEVP_PKEY_RSA_PSS\fR, \fBEVP_PKEY_DSA\fR,
+\&\fBEVP_PKEY_DH\fR, \fBEVP_PKEY_EC\fR, \fBEVP_PKEY_SM2\fR, \fBEVP_PKEY_X25519\fR,
+\&\fBEVP_PKEY_X448\fR, and are used by legacy methods.
.IP "Name strings" 4
.IX Item "Name strings"
This is the \fIname\fR used with \fBEVP_PKEY_CTX_new_from_name()\fR.
.Sp
-These are names like \*(L"\s-1RSA\*(R", \*(L"DSA\*(R",\s0 and what's available depends on what
+These are names like "RSA", "DSA", and what's available depends on what
providers are currently accessible.
.Sp
The OpenSSL providers offer a set of key types available this way, please
-see \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7) and \fBOSSL_PROVIDER\-default\fR\|(7) and related
+see \fBOSSL_PROVIDER\-FIPS\fR\|(7) and \fBOSSL_PROVIDER\-default\fR\|(7) and related
documentation for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_CTX_new()\fR, \fBEVP_PKEY_CTX_new_id()\fR and \fBEVP_PKEY_CTX_dup()\fR return either
-the newly allocated \fB\s-1EVP_PKEY_CTX\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred.
+the newly allocated \fBEVP_PKEY_CTX\fR structure or \fBNULL\fR if an error occurred.
.PP
\&\fBEVP_PKEY_CTX_free()\fR does not return a value.
.PP
@@ -236,18 +163,18 @@ the newly allocated \fB\s-1EVP_PKEY_CTX\s0\fR structure or \fB\s-1NULL\s0\fR if
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_CTX_new()\fR, \fBEVP_PKEY_CTX_new_id()\fR, \fBEVP_PKEY_CTX_dup()\fR and
\&\fBEVP_PKEY_CTX_free()\fR functions were added in OpenSSL 1.0.0.
.PP
The \fBEVP_PKEY_CTX_new_from_name()\fR and \fBEVP_PKEY_CTX_new_from_pkey()\fR functions were
added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3
index 1f51590c373a..c24d6889b6a0 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET1_PBE_PASS 3ossl"
-.TH EVP_PKEY_CTX_SET1_PBE_PASS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_SET1_PBE_PASS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_set1_pbe_pass
\&\- generic KDF support functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
@@ -147,9 +71,9 @@ EVP_PKEY_CTX_set1_pbe_pass
\& int EVP_PKEY_CTX_set1_pbe_pass(EVP_PKEY_CTX *pctx, unsigned char *pass,
\& int passlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions are generic support functions for all \s-1KDF\s0 algorithms.
+These functions are generic support functions for all KDF algorithms.
.PP
\&\fBEVP_PKEY_CTX_set1_pbe_pass()\fR sets the password to the \fBpasslen\fR first
bytes from \fBpass\fR.
@@ -158,7 +82,7 @@ bytes from \fBpass\fR.
There is also support for string based control operations via
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
The \fBpassword\fR can be directly specified using the \fBtype\fR parameter
-\&\*(L"pass\*(R" or given in hex encoding using the \*(L"hexpass\*(R" parameter.
+"pass" or given in hex encoding using the "hexpass" parameter.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
@@ -169,15 +93,15 @@ the public key algorithm.
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_PKEY_CTX_set1_pbe_pass()\fR was converted from a macro to a function in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
index 20b5f1062e0f..6064eefc0527 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_HKDF_MD 3ossl"
-.TH EVP_PKEY_CTX_SET_HKDF_MD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_HKDF_MD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_set_hkdf_md, EVP_PKEY_CTX_set1_hkdf_salt,
EVP_PKEY_CTX_set1_hkdf_key, EVP_PKEY_CTX_add1_hkdf_info,
EVP_PKEY_CTX_set_hkdf_mode \-
HMAC\-based Extract\-and\-Expand key derivation algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
@@ -159,27 +83,27 @@ HMAC\-based Extract\-and\-Expand key derivation algorithm
\& int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *pctx, unsigned char *info,
\& int infolen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP_PKEY_HKDF\s0 algorithm implements the \s-1HKDF\s0 key derivation function.
-\&\s-1HKDF\s0 follows the \*(L"extract-then-expand\*(R" paradigm, where the \s-1KDF\s0 logically
+The EVP_PKEY_HKDF algorithm implements the HKDF key derivation function.
+HKDF follows the "extract-then-expand" paradigm, where the KDF logically
consists of two modules. The first stage takes the input keying material
-and \*(L"extracts\*(R" from it a fixed-length pseudorandom key K. The second stage
-\&\*(L"expands\*(R" the key K into several additional pseudorandom keys (the output
-of the \s-1KDF\s0).
+and "extracts" from it a fixed-length pseudorandom key K. The second stage
+"expands" the key K into several additional pseudorandom keys (the output
+of the KDF).
.PP
-\&\fBEVP_PKEY_CTX_set_hkdf_mode()\fR sets the mode for the \s-1HKDF\s0 operation. There
+\&\fBEVP_PKEY_CTX_set_hkdf_mode()\fR sets the mode for the HKDF operation. There
are three modes that are currently defined:
-.IP "\s-1EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND\s0" 4
+.IP EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 4
.IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND"
-This is the default mode. Calling \fBEVP_PKEY_derive\fR\|(3) on an \s-1EVP_PKEY_CTX\s0 set
-up for \s-1HKDF\s0 will perform an extract followed by an expand operation in one go.
+This is the default mode. Calling \fBEVP_PKEY_derive\fR\|(3) on an EVP_PKEY_CTX set
+up for HKDF will perform an extract followed by an expand operation in one go.
The derived key returned will be the result after the expand operation. The
intermediate fixed-length pseudorandom key K is not returned.
.Sp
In this mode the digest, key, salt and info values must be set before a key is
derived or an error occurs.
-.IP "\s-1EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY\s0" 4
+.IP EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 4
.IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY"
In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the extract
operation. The value returned will be the intermediate fixed-length pseudorandom
@@ -187,7 +111,7 @@ key K.
.Sp
The digest, key and salt values must be set before a key is derived or an
error occurs.
-.IP "\s-1EVP_PKEY_HKDEF_MODE_EXPAND_ONLY\s0" 4
+.IP EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 4
.IX Item "EVP_PKEY_HKDEF_MODE_EXPAND_ONLY"
In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the expand
operation. The input key should be set to the intermediate fixed-length
@@ -196,7 +120,7 @@ pseudorandom key K returned from a previous extract operation.
The digest, key and info values must be set before a key is derived or an
error occurs.
.PP
-\&\fBEVP_PKEY_CTX_set_hkdf_md()\fR sets the message digest associated with the \s-1HKDF.\s0
+\&\fBEVP_PKEY_CTX_set_hkdf_md()\fR sets the message digest associated with the HKDF.
.PP
\&\fBEVP_PKEY_CTX_set1_hkdf_salt()\fR sets the salt to \fBsaltlen\fR bytes of the
buffer \fBsalt\fR. Any existing value is replaced.
@@ -209,46 +133,46 @@ buffer \fBinfo\fR. If a value is already set, it is appended to the existing
value.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
-\&\s-1HKDF\s0 also supports string based control operations via
+HKDF also supports string based control operations via
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
-The \fBtype\fR parameter \*(L"md\*(R" uses the supplied \fBvalue\fR as the name of the digest
+The \fBtype\fR parameter "md" uses the supplied \fBvalue\fR as the name of the digest
algorithm to use.
-The \fBtype\fR parameter \*(L"mode\*(R" uses the values \*(L"\s-1EXTRACT_AND_EXPAND\*(R",
-\&\*(L"EXTRACT_ONLY\*(R"\s0 and \*(L"\s-1EXPAND_ONLY\*(R"\s0 to determine the mode to use.
-The \fBtype\fR parameters \*(L"salt\*(R", \*(L"key\*(R" and \*(L"info\*(R" use the supplied \fBvalue\fR
+The \fBtype\fR parameter "mode" uses the values "EXTRACT_AND_EXPAND",
+"EXTRACT_ONLY" and "EXPAND_ONLY" to determine the mode to use.
+The \fBtype\fR parameters "salt", "key" and "info" use the supplied \fBvalue\fR
parameter as a \fBseed\fR, \fBkey\fR or \fBinfo\fR value.
-The names \*(L"hexsalt\*(R", \*(L"hexkey\*(R" and \*(L"hexinfo\*(R" are similar except they take a hex
+The names "hexsalt", "hexkey" and "hexinfo" are similar except they take a hex
string which is converted to binary.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1HKDF\s0 can be obtained by calling:
+A context for HKDF can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
.Ve
.PP
The total length of the info buffer cannot exceed 2048 bytes in length: this
-should be more than enough for any normal use of \s-1HKDF.\s0
+should be more than enough for any normal use of HKDF.
.PP
-The output length of an \s-1HKDF\s0 expand operation is specified via the length
+The output length of an HKDF expand operation is specified via the length
parameter to the \fBEVP_PKEY_derive\fR\|(3) function.
-Since the \s-1HKDF\s0 output length is variable, passing a \fB\s-1NULL\s0\fR buffer as a means
-to obtain the requisite length is not meaningful with \s-1HKDF\s0 in any mode that
+Since the HKDF output length is variable, passing a \fBNULL\fR buffer as a means
+to obtain the requisite length is not meaningful with HKDF in any mode that
performs an expand operation. Instead, the caller must allocate a buffer of the
desired length, and pass that buffer to \fBEVP_PKEY_derive\fR\|(3) along with (a
-pointer initialized to) the desired length. Passing a \fB\s-1NULL\s0\fR buffer to obtain
-the length is allowed when using \s-1EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY.\s0
+pointer initialized to) the desired length. Passing a \fBNULL\fR buffer to obtain
+the length is allowed when using EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY.
.PP
-Optimised versions of \s-1HKDF\s0 can be implemented in an \s-1ENGINE.\s0
+Optimised versions of HKDF can be implemented in an ENGINE.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R",
-salt value \*(L"salt\*(R" and info value \*(L"label\*(R":
+This example derives 10 bytes using SHA\-256 with the secret key "secret",
+salt value "salt" and info value "label":
.PP
.Vb 4
\& EVP_PKEY_CTX *pctx;
@@ -271,21 +195,21 @@ salt value \*(L"salt\*(R" and info value \*(L"label\*(R":
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 5869\s0
+RFC 5869
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of the functions described here were converted from macros to functions in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3
index cdbb0cbe389c..55a635fdde68 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_params.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_PARAMS 3ossl"
-.TH EVP_PKEY_CTX_SET_PARAMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_PARAMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_set_params,
EVP_PKEY_CTX_settable_params,
EVP_PKEY_CTX_get_params,
EVP_PKEY_CTX_gettable_params
\&\- provider parameter passing operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -152,49 +76,53 @@ EVP_PKEY_CTX_gettable_params
\& int EVP_PKEY_CTX_get_params(EVP_PKEY_CTX *ctx, OSSL_PARAM *params);
\& const OSSL_PARAM *EVP_PKEY_CTX_gettable_params(const EVP_PKEY_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_CTX_get_params()\fR and \fBEVP_PKEY_CTX_set_params()\fR functions allow
transfer of arbitrary key parameters to and from providers.
Not all parameters may be supported by all providers.
-See \s-1\fBOSSL_PROVIDER\s0\fR\|(3) for more information on providers.
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for more information on parameters.
-These functions must only be called after the \s-1EVP_PKEY_CTX\s0 has been initialised
+See \fBOSSL_PROVIDER\fR\|(3) for more information on providers.
+The \fIparams\fR field is a pointer to a list of \fBOSSL_PARAM\fR structures,
+terminated with a \fBOSSL_PARAM_END\fR\|(3) struct.
+See \fBOSSL_PARAM\fR\|(3) for information about passing parameters.
+These functions must only be called after the EVP_PKEY_CTX has been initialised
for use in an operation.
These methods replace the \fBEVP_PKEY_CTX_ctrl()\fR mechanism. (EVP_PKEY_CTX_ctrl now
calls these methods internally to interact with providers).
.PP
\&\fBEVP_PKEY_CTX_gettable_params()\fR and \fBEVP_PKEY_CTX_settable_params()\fR get a
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the gettable and
+constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and
settable parameters for the current algorithm implementation, i.e. parameters
that can be used with \fBEVP_PKEY_CTX_get_params()\fR and \fBEVP_PKEY_CTX_set_params()\fR
respectively.
-These functions must only be called after the \s-1EVP_PKEY_CTX\s0 has been initialised
+These functions must only be called after the EVP_PKEY_CTX has been initialised
for use in an operation.
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
-Examples of \s-1EVP_PKEY\s0 parameters include the following:
+Examples of EVP_PKEY parameters include the following:
.PP
-\&\*(L"Common parameters\*(R" in \fBprovider\-keymgmt\fR\|(7)
-\&\*(L"Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7)
-\&\*(L"Signature parameters\*(R" in \fBprovider\-signature\fR\|(7)
+"Common parameters" in \fBprovider\-keymgmt\fR\|(7)
+"Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7)
+"Signature parameters" in \fBprovider\-signature\fR\|(7)
.PP
-\&\*(L"Common \s-1RSA\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7)
-\&\*(L"\s-1RSA\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7)
-\&\*(L"\s-1FFC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)
-\&\*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)
-\&\*(L"\s-1DSA\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7)
-\&\*(L"\s-1DSA\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7)
-\&\*(L"\s-1DH\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7)
-\&\*(L"\s-1DH\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7)
-\&\*(L"Common \s-1EC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7)
-\&\*(L"Common X25519, X448, \s-1ED25519\s0 and \s-1ED448\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7)
+"Common RSA parameters" in \fBEVP_PKEY\-RSA\fR\|(7)
+"RSA key generation parameters" in \fBEVP_PKEY\-RSA\fR\|(7)
+"FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7)
+"FFC key generation parameters" in \fBEVP_PKEY\-FFC\fR\|(7)
+"DSA parameters" in \fBEVP_PKEY\-DSA\fR\|(7)
+"DSA key generation parameters" in \fBEVP_PKEY\-DSA\fR\|(7)
+"DH parameters" in \fBEVP_PKEY\-DH\fR\|(7)
+"DH key generation parameters" in \fBEVP_PKEY\-DH\fR\|(7)
+"Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7)
+"Common X25519, X448, ED25519 and ED448 parameters" in \fBEVP_PKEY\-X25519\fR\|(7)
+"Common parameters" in \fBEVP_PKEY\-ML\-DSA\fR\|(7)
+"Common parameters" in \fBEVP_PKEY\-ML\-KEM\fR\|(7)
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_CTX_set_params()\fR returns 1 for success or 0 otherwise.
-\&\fBEVP_PKEY_CTX_settable_params()\fR returns an \s-1OSSL_PARAM\s0 array on success or \s-1NULL\s0 on
+\&\fBEVP_PKEY_CTX_settable_params()\fR returns an OSSL_PARAM array on success or NULL on
error.
-It may also return \s-1NULL\s0 if there are no settable parameters available.
+It may also return NULL if there are no settable parameters available.
.PP
All other functions and macros described on this page return a positive value
for success and 0 or a negative value for failure. In particular a return value
@@ -209,14 +137,16 @@ of \-2 indicates the operation is not supported by the public key algorithm.
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Support for \fBML-DSA\fR> and \fBML-KEM\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
index 520595a6f0ad..182e82365352 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl"
-.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_set_rsa_pss_keygen_md,
EVP_PKEY_CTX_set_rsa_pss_keygen_md_name,
EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md,
EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name,
EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
\&\- EVP_PKEY RSA\-PSS algorithm support functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
@@ -160,53 +84,53 @@ EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
\& int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *pctx,
\& int saltlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These are the functions that implement \s-1\fBRSA\-PSS\s0\fR\|(7).
+These are the functions that implement \fBRSA\-PSS\fR\|(7).
.SS "Signing and Verification"
.IX Subsection "Signing and Verification"
The macro \fBEVP_PKEY_CTX_set_rsa_padding()\fR is supported but an error is
returned if an attempt is made to set the padding mode to anything other
-than \fB\s-1PSS\s0\fR. It is otherwise similar to the \fB\s-1RSA\s0\fR version.
+than \fBPSS\fR. It is otherwise similar to the \fBRSA\fR version.
.PP
The \fBEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro is used to set the salt length.
If the key has usage restrictions then an error is returned if an attempt is
made to set the salt length below the minimum value. It is otherwise similar
-to the \fB\s-1RSA\s0\fR operation except detection of the salt length (using
-\&\s-1RSA_PSS_SALTLEN_AUTO\s0) is not supported for verification if the key has
+to the \fBRSA\fR operation except detection of the salt length (using
+RSA_PSS_SALTLEN_AUTO) is not supported for verification if the key has
usage restrictions.
.PP
The \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and \fBEVP_PKEY_CTX_set_rsa_mgf1_md\fR\|(3)
-functions are used to set the digest and \s-1MGF1\s0 algorithms respectively. If the
+functions are used to set the digest and MGF1 algorithms respectively. If the
key has usage restrictions then an error is returned if an attempt is made to
set the digest to anything other than the restricted value. Otherwise these are
-similar to the \fB\s-1RSA\s0\fR versions.
+similar to the \fBRSA\fR versions.
.SS "Key Generation"
.IX Subsection "Key Generation"
-As with \s-1RSA\s0 key generation the \fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR
+As with RSA key generation the \fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR
and \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA-PSS:
-they have exactly the same meaning as for the \s-1RSA\s0 algorithm.
+they have exactly the same meaning as for the RSA algorithm.
.PP
-Optional parameter restrictions can be specified when generating a \s-1PSS\s0 key.
+Optional parameter restrictions can be specified when generating a PSS key.
If any restrictions are set (using the macros described below) then \fBall\fR
parameters are restricted. For example, setting a minimum salt length also
-restricts the digest and \s-1MGF1\s0 algorithms. If any restrictions are in place
+restricts the digest and MGF1 algorithms. If any restrictions are in place
then they are reflected in the corresponding parameters of the public key
when (for example) a certificate request is signed.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md()\fR restricts the digest algorithm the
generated key can use to \fImd\fR.
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md_name()\fR does the same thing, but
-passes the algorithm by name rather than by \fB\s-1EVP_MD\s0\fR.
+passes the algorithm by name rather than by \fBEVP_MD\fR.
.PP
-\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md()\fR restricts the \s-1MGF1\s0 algorithm the
+\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md()\fR restricts the MGF1 algorithm the
generated key can use to \fImd\fR.
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name()\fR does the same thing, but
-passes the algorithm by name rather than by \fB\s-1EVP_MD\s0\fR.
+passes the algorithm by name rather than by \fBEVP_MD\fR.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_saltlen()\fR restricts the minimum salt length
to \fIsaltlen\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
A context for the \fBRSA-PSS\fR algorithm can be obtained by calling:
.PP
@@ -220,15 +144,15 @@ In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBRSA\-PSS\s0\fR\|(7),
+\&\fBRSA\-PSS\fR\|(7),
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3
index 4f8cd73ab865..8d8ce01dc777 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_SCRYPT_N 3ossl"
-.TH EVP_PKEY_CTX_SET_SCRYPT_N 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_SCRYPT_N 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_set1_scrypt_salt,
EVP_PKEY_CTX_set_scrypt_N,
EVP_PKEY_CTX_set_scrypt_r,
EVP_PKEY_CTX_set_scrypt_p,
EVP_PKEY_CTX_set_scrypt_maxmem_bytes
\&\- EVP_PKEY scrypt KDF support functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
@@ -160,11 +84,11 @@ EVP_PKEY_CTX_set_scrypt_maxmem_bytes
\& int EVP_PKEY_CTX_set_scrypt_maxmem_bytes(EVP_PKEY_CTX *pctx,
\& uint64_t maxmem);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions are used to set up the necessary data to use the
-scrypt \s-1KDF.\s0
-For more information on scrypt, see \s-1\fBEVP_KDF\-SCRYPT\s0\fR\|(7).
+scrypt KDF.
+For more information on scrypt, see \fBEVP_KDF\-SCRYPT\fR\|(7).
.PP
\&\fBEVP_PKEY_CTX_set1_scrypt_salt()\fR sets the \fBsaltlen\fR bytes long salt
value.
@@ -172,26 +96,26 @@ value.
\&\fBEVP_PKEY_CTX_set_scrypt_N()\fR, \fBEVP_PKEY_CTX_set_scrypt_r()\fR and
\&\fBEVP_PKEY_CTX_set_scrypt_p()\fR configure the work factors N, r and p.
.PP
-\&\fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes()\fR sets how much \s-1RAM\s0 key
+\&\fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes()\fR sets how much RAM key
derivation may maximally use, given in bytes.
-If \s-1RAM\s0 is exceeded because the load factors are chosen too high, the
+If RAM is exceeded because the load factors are chosen too high, the
key derivation will fail.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
scrypt also supports string based control operations via
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
Similarly, the \fBsalt\fR can either be specified using the \fBtype\fR
-parameter \*(L"salt\*(R" or in hex encoding by using the \*(L"hexsalt\*(R" parameter.
+parameter "salt" or in hex encoding by using the "hexsalt" parameter.
The work factors \fBN\fR, \fBr\fR and \fBp\fR as well as \fBmaxmem_bytes\fR can be
-set by using the parameters \*(L"N\*(R", \*(L"r\*(R", \*(L"p\*(R" and \*(L"maxmem_bytes\*(R",
+set by using the parameters "N", "r", "p" and "maxmem_bytes",
respectively.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-There is a newer generic \s-1API\s0 for KDFs, \s-1\fBEVP_KDF\s0\fR\|(3), which is
-preferred over the \s-1EVP_PKEY\s0 method.
+There is a newer generic API for KDFs, \fBEVP_KDF\fR\|(3), which is
+preferred over the EVP_PKEY method.
.PP
-The scrypt \s-1KDF\s0 also uses \fBEVP_PKEY_CTX_set1_pbe_pass()\fR as well as
-the value from the string controls \*(L"pass\*(R" and \*(L"hexpass\*(R".
+The scrypt KDF also uses \fBEVP_PKEY_CTX_set1_pbe_pass()\fR as well as
+the value from the string controls "pass" and "hexpass".
See \fBEVP_PKEY_CTX_set1_pbe_pass\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -201,19 +125,19 @@ In particular a return value of \-2 indicates the operation is not
supported by the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3)
+\&\fBEVP_KDF\fR\|(3)
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of the functions described here were converted from macros to functions in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
index 7b019d481478..ffce41036ade 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl"
-.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_CTX_set_tls1_prf_md,
EVP_PKEY_CTX_set1_tls1_prf_secret, EVP_PKEY_CTX_add1_tls1_prf_seed \-
TLS PRF key derivation algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
@@ -151,17 +75,17 @@ TLS PRF key derivation algorithm
\& int EVP_PKEY_CTX_add1_tls1_prf_seed(EVP_PKEY_CTX *pctx,
\& unsigned char *seed, int seedlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1EVP_PKEY_TLS1_PRF\s0\fR algorithm implements the \s-1PRF\s0 key derivation function for
-\&\s-1TLS.\s0 It has no associated private key and only implements key derivation
+The \fBEVP_PKEY_TLS1_PRF\fR algorithm implements the PRF key derivation function for
+TLS. It has no associated private key and only implements key derivation
using \fBEVP_PKEY_derive\fR\|(3).
.PP
\&\fBEVP_PKEY_set_tls1_prf_md()\fR sets the message digest associated with the
-\&\s-1TLS PRF.\s0 \fBEVP_md5_sha1()\fR is treated as a special case which uses the \s-1PRF\s0
-algorithm using both \fB\s-1MD5\s0\fR and \fB\s-1SHA1\s0\fR as used in \s-1TLS 1.0\s0 and 1.1.
+TLS PRF. \fBEVP_md5_sha1()\fR is treated as a special case which uses the PRF
+algorithm using both \fBMD5\fR and \fBSHA1\fR as used in TLS 1.0 and 1.1.
.PP
-\&\fBEVP_PKEY_CTX_set_tls1_prf_secret()\fR sets the secret value of the \s-1TLS PRF\s0
+\&\fBEVP_PKEY_CTX_set_tls1_prf_secret()\fR sets the secret value of the TLS PRF
to \fBseclen\fR bytes of the buffer \fBsec\fR. Any existing secret value is replaced
and any seed is reset.
.PP
@@ -169,17 +93,17 @@ and any seed is reset.
If a seed is already set it is appended to the existing value.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
-The \s-1TLS PRF\s0 also supports string based control operations using
+The TLS PRF also supports string based control operations using
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
-The \fBtype\fR parameter \*(L"md\*(R" uses the supplied \fBvalue\fR as the name of the digest
+The \fBtype\fR parameter "md" uses the supplied \fBvalue\fR as the name of the digest
algorithm to use.
-The \fBtype\fR parameters \*(L"secret\*(R" and \*(L"seed\*(R" use the supplied \fBvalue\fR parameter
+The \fBtype\fR parameters "secret" and "seed" use the supplied \fBvalue\fR parameter
as a secret or seed value.
-The names \*(L"hexsecret\*(R" and \*(L"hexseed\*(R" are similar except they take a hex string
+The names "hexsecret" and "hexseed" are similar except they take a hex string
which is converted to binary.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-A context for the \s-1TLS PRF\s0 can be obtained by calling:
+A context for the TLS PRF can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
@@ -189,22 +113,22 @@ The digest, secret value and seed must be set before a key is derived or an
error occurs.
.PP
The total length of all seeds cannot exceed 1024 bytes in length: this should
-be more than enough for any normal use of the \s-1TLS PRF.\s0
+be more than enough for any normal use of the TLS PRF.
.PP
-The output length of the \s-1PRF\s0 is specified by the length parameter in the
+The output length of the PRF is specified by the length parameter in the
\&\fBEVP_PKEY_derive()\fR function. Since the output length is variable, setting
-the buffer to \fB\s-1NULL\s0\fR is not meaningful for the \s-1TLS PRF.\s0
+the buffer to \fBNULL\fR is not meaningful for the TLS PRF.
.PP
-Optimised versions of the \s-1TLS PRF\s0 can be implemented in an \s-1ENGINE.\s0
+Optimised versions of the TLS PRF can be implemented in an ENGINE.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R"
-and seed value \*(L"seed\*(R":
+This example derives 10 bytes using SHA\-256 with the secret key "secret"
+and seed value "seed":
.PP
.Vb 3
\& EVP_PKEY_CTX *pctx;
@@ -228,15 +152,15 @@ and seed value \*(L"seed\*(R":
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of the functions described here were converted from macros to functions in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3
index 22d8bc710aa1..ebc659abd070 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ASN1_GET_COUNT 3ossl"
-.TH EVP_PKEY_ASN1_GET_COUNT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_ASN1_GET_COUNT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_asn1_find,
EVP_PKEY_asn1_find_str,
EVP_PKEY_asn1_get_count,
EVP_PKEY_asn1_get0,
EVP_PKEY_asn1_get0_info
\&\- enumerate public key ASN.1 methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -158,53 +82,53 @@ EVP_PKEY_asn1_get0_info
\& const char **ppem_str,
\& const EVP_PKEY_ASN1_METHOD *ameth);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_asn1_count()\fR returns a count of the number of public key
-\&\s-1ASN.1\s0 methods available: it includes standard methods and any methods
+ASN.1 methods available: it includes standard methods and any methods
added by the application.
.PP
-\&\fBEVP_PKEY_asn1_get0()\fR returns the public key \s-1ASN.1\s0 method \fBidx\fR.
+\&\fBEVP_PKEY_asn1_get0()\fR returns the public key ASN.1 method \fBidx\fR.
The value of \fBidx\fR must be between zero and \fBEVP_PKEY_asn1_get_count()\fR
\&\- 1.
.PP
-\&\fBEVP_PKEY_asn1_find()\fR looks up the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1NID\s0
+\&\fBEVP_PKEY_asn1_find()\fR looks up the \fBEVP_PKEY_ASN1_METHOD\fR with NID
\&\fBtype\fR.
-If \fBpe\fR isn't \fB\s-1NULL\s0\fR, then it will look up an engine implementing a
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR for the \s-1NID\s0 \fBtype\fR and return that instead,
+If \fBpe\fR isn't \fBNULL\fR, then it will look up an engine implementing a
+\&\fBEVP_PKEY_ASN1_METHOD\fR for the NID \fBtype\fR and return that instead,
and also set \fB*pe\fR to point at the engine that implements it.
.PP
-\&\fBEVP_PKEY_asn1_find_str()\fR looks up the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1PEM\s0
+\&\fBEVP_PKEY_asn1_find_str()\fR looks up the \fBEVP_PKEY_ASN1_METHOD\fR with PEM
type string \fBstr\fR.
-Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn't \fB\s-1NULL\s0\fR, then it will
-look up an engine implementing a \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR for the \s-1NID\s0
+Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn't \fBNULL\fR, then it will
+look up an engine implementing a \fBEVP_PKEY_ASN1_METHOD\fR for the NID
\&\fBtype\fR and return that instead, and also set \fB*pe\fR to point at the
engine that implements it.
.PP
-\&\fBEVP_PKEY_asn1_get0_info()\fR returns the public key \s-1ID,\s0 base public key
-\&\s-1ID\s0 (both NIDs), any flags, the method description and \s-1PEM\s0 type string
-associated with the public key \s-1ASN.1\s0 method \fB*ameth\fR.
+\&\fBEVP_PKEY_asn1_get0_info()\fR returns the public key ID, base public key
+ID (both NIDs), any flags, the method description and PEM type string
+associated with the public key ASN.1 method \fB*ameth\fR.
.PP
\&\fBEVP_PKEY_asn1_count()\fR, \fBEVP_PKEY_asn1_get0()\fR, \fBEVP_PKEY_asn1_find()\fR and
\&\fBEVP_PKEY_asn1_find_str()\fR are not thread safe, but as long as all
-\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR objects are added before the application gets
+\&\fBEVP_PKEY_ASN1_METHOD\fR objects are added before the application gets
threaded, using them is safe. See \fBEVP_PKEY_asn1_add0\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_asn1_count()\fR returns the number of available public key methods.
.PP
-\&\fBEVP_PKEY_asn1_get0()\fR return a public key method or \fB\s-1NULL\s0\fR if \fBidx\fR is
+\&\fBEVP_PKEY_asn1_get0()\fR return a public key method or \fBNULL\fR if \fBidx\fR is
out of range.
.PP
\&\fBEVP_PKEY_asn1_get0_info()\fR returns 0 on failure, 1 on success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_asn1_new\fR\|(3), \fBEVP_PKEY_asn1_add0\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3
index 55c6119668fa..eb466be01aa1 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_check.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CHECK 3ossl"
-.TH EVP_PKEY_CHECK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_CHECK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_check, EVP_PKEY_param_check, EVP_PKEY_param_check_quick,
EVP_PKEY_public_check, EVP_PKEY_public_check_quick, EVP_PKEY_private_check,
EVP_PKEY_pairwise_check
\&\- key and parameter validation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,7 +78,7 @@ EVP_PKEY_pairwise_check
\& int EVP_PKEY_private_check(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_pairwise_check(EVP_PKEY_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_param_check()\fR validates the parameters component of the key
given by \fBctx\fR. This check will always succeed for key types that do not have
@@ -180,20 +104,25 @@ provided then this function call does the same thing as \fBEVP_PKEY_public_check
the correct mathematical relationship to each other for the key given by \fBctx\fR.
.PP
\&\fBEVP_PKEY_check()\fR is an alias for the \fBEVP_PKEY_pairwise_check()\fR function.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Key validation used by the OpenSSL \s-1FIPS\s0 provider complies with the rules
-within \s-1SP800\-56A\s0 and \s-1SP800\-56B.\s0 For backwards compatibility reasons the OpenSSL
+Key validation used by the OpenSSL FIPS provider complies with the rules
+within SP800\-56A and SP800\-56B. For backwards compatibility reasons the OpenSSL
default provider may use checks that are not as restrictive for certain key types.
-For further information see \*(L"\s-1DSA\s0 key validation\*(R" in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7),
-\&\*(L"\s-1DH\s0 key validation\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7), \*(L"\s-1EC\s0 key validation\*(R" in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7) and
-\&\*(L"\s-1RSA\s0 key validation\*(R" in \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7).
+For further information see "DSA key validation" in \fBEVP_PKEY\-DSA\fR\|(7),
+"DH key validation" in \fBEVP_PKEY\-DH\fR\|(7), "EC key validation" in \fBEVP_PKEY\-EC\fR\|(7) and
+"RSA key validation" in \fBEVP_PKEY\-RSA\fR\|(7).
.PP
-Refer to \s-1SP800\-56A\s0 and \s-1SP800\-56B\s0 for rules relating to when these functions
+Refer to SP800\-56A and SP800\-56B for rules relating to when these functions
should be called during key establishment.
It is not necessary to call these functions after locally calling an approved key
generation method, but may be required for assurance purposes when receiving
keys from a third party.
+.PP
+The \fBEVP_PKEY_pairwise_check()\fR and \fBEVP_PKEY_private_check()\fR might not be bounded
+by any key size limits as private keys are not expected to be supplied by
+attackers. For that reason they might take an unbounded time if run on
+arbitrarily large keys.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All functions return 1 for success or others for failure.
@@ -202,23 +131,23 @@ They return \-2 if the operation is not supported for the specific algorithm.
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_fromdata\fR\|(3),
-\&\s-1\fBEVP_PKEY\-DH\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-FFC\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-DSA\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-EC\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-RSA\s0\fR\|(7),
-.SH "HISTORY"
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-FFC\fR\|(7),
+\&\fBEVP_PKEY\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-EC\fR\|(7),
+\&\fBEVP_PKEY\-RSA\fR\|(7),
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_PKEY_check()\fR, \fBEVP_PKEY_public_check()\fR and \fBEVP_PKEY_param_check()\fR were added
in OpenSSL 1.1.1.
.PP
\&\fBEVP_PKEY_param_check_quick()\fR, \fBEVP_PKEY_public_check_quick()\fR,
\&\fBEVP_PKEY_private_check()\fR and \fBEVP_PKEY_pairwise_check()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3
index 57a2bc873790..4fac0a668a4b 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_copy_parameters.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_COPY_PARAMETERS 3ossl"
-.TH EVP_PKEY_COPY_PARAMETERS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_COPY_PARAMETERS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_missing_parameters, EVP_PKEY_copy_parameters, EVP_PKEY_parameters_eq,
EVP_PKEY_cmp_parameters, EVP_PKEY_eq,
EVP_PKEY_cmp \- public key parameter and comparison functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -153,14 +77,14 @@ EVP_PKEY_cmp \- public key parameter and comparison functions
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
\& int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key
parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm
@@ -176,12 +100,12 @@ The function \fBEVP_PKEY_parameters_eq()\fR checks the parameters of keys
.PP
The function \fBEVP_PKEY_eq()\fR checks the keys \fBa\fR and \fBb\fR for equality,
including their parameters if they are available.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The main purpose of the functions \fBEVP_PKEY_missing_parameters()\fR and
\&\fBEVP_PKEY_copy_parameters()\fR is to handle public keys in certificates where the
parameters are sometimes omitted from a public key if they are inherited from
-the \s-1CA\s0 that signed it.
+the CA that signed it.
.PP
The deprecated functions \fBEVP_PKEY_cmp()\fR and \fBEVP_PKEY_cmp_parameters()\fR differ in
their return values compared to other \fB_cmp()\fR functions. They are aliases for
@@ -190,15 +114,15 @@ their return values compared to other \fB_cmp()\fR functions. They are aliases f
The function \fBEVP_PKEY_cmp()\fR previously only checked the key parameters
(if there are any) and the public key, assuming that there always was
a public key and that private key equality could be derived from that.
-Because it's no longer assumed that the private key in an \s-1\fBEVP_PKEY\s0\fR\|(3) is
+Because it's no longer assumed that the private key in an \fBEVP_PKEY\fR\|(3) is
always accompanied by a public key, the comparison can not rely on public
key comparison alone.
.PP
Instead, \fBEVP_PKEY_eq()\fR (and therefore also \fBEVP_PKEY_cmp()\fR) now compares:
-.IP "1." 4
+.IP 1. 4
the key parameters (if there are any)
-.IP "2." 4
-the public keys or the private keys of the two \fB\s-1EVP_PKEY\s0\fRs, depending on
+.IP 2. 4
+the public keys or the private keys of the two \fBEVP_PKEY\fRs, depending on
what they both contain.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -217,18 +141,18 @@ inputs match, 0 if they don't match, \-1 if the key types are different and
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_cmp()\fR and \fBEVP_PKEY_cmp_parameters()\fR functions were deprecated in
OpenSSL 3.0.
.PP
The \fBEVP_PKEY_eq()\fR and \fBEVP_PKEY_parameters_eq()\fR were added in OpenSSL 3.0 to
replace \fBEVP_PKEY_cmp()\fR and \fBEVP_PKEY_cmp_parameters()\fR.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3
index 16cfa3d468b7..2e3f11da9cd2 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decapsulate.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,30 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_DECAPSULATE 3ossl"
-.TH EVP_PKEY_DECAPSULATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_DECAPSULATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
+.SH NAME
+EVP_PKEY_decapsulate_init, EVP_PKEY_auth_decapsulate_init, EVP_PKEY_decapsulate
\&\- Key decapsulation using a KEM algorithm with a private key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
+\& int EVP_PKEY_auth_decapsulate_init(EVP_PKEY_CTX *ctx, EVP_PKEY *authpub,
+\& const OSSL_PARAM params[]);
\& int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
\& unsigned char *unwrapped, size_t *unwrappedlen,
\& const unsigned char *wrapped, size_t wrappedlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_decapsulate_init()\fR function initializes a private key algorithm
context \fIctx\fR for a decapsulation operation and then sets the \fIparams\fR
@@ -157,25 +83,48 @@ on the context in the same way as calling \fBEVP_PKEY_CTX_set_params\fR\|(3).
Note that \fIctx\fR usually is produced using \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3),
specifying the private key to use.
.PP
+The \fBEVP_PKEY_auth_decapsulate_init()\fR function is similar to
+\&\fBEVP_PKEY_decapsulate_init()\fR but also passes an \fIauthpub\fR authentication public
+key that is used during decapsulation.
+.PP
The \fBEVP_PKEY_decapsulate()\fR function performs a private key decapsulation
operation using \fIctx\fR. The data to be decapsulated is specified using the
-\&\fIwrapped\fR and \fIwrappedlen\fR parameters.
-If \fIunwrapped\fR is \s-1NULL\s0 then the maximum size of the output secret buffer
-is written to \fI*unwrappedlen\fR. If \fIunwrapped\fR is not \s-1NULL\s0 and the
-call is successful then the decapsulated secret data is written to \fIunwrapped\fR
-and the amount of data written to \fI*unwrappedlen\fR.
-.SH "NOTES"
+\&\fIwrapped\fR and \fIwrappedlen\fR parameters (which must both non-NULL).
+.PP
+The \fIwrapped\fR parameter is an output argument, to which the decapsulated
+shared secret is written.
+The shared secret may not match the peer's value even when decapsulation
+returns success.
+Instead, the shared secret must be used to derive a key that is used to
+authenticate data subsequently received from the peer.
+If \fIunwrapped\fR is NULL then the size of the output shared secret buffer is
+written to \fI*unwrappedlen\fR and no decapsulation is performed, this makes it
+possible to determine the required buffer size at run time. Otherwise, the
+decapsulated secret data is written to \fIunwrapped\fR and the length of shared
+secret is written to \fI*unwrappedlen\fR.
+.PP
+Note that the value pointed to by \fIunwrappedlen\fR (which must NOT be \fBNULL\fR)
+must be initialised to the length of \fIunwrapped\fR, so that the call can
+validate it is of sufficient size to hold the result of the operation.
+.PP
+Absent detailed prior knowledge of the internals of the specific KEM
+algorithm, callers SHOULD NOT assume that the returned shared secret
+is necessarily of the maximum possible length.
+The length returned via \fI*unwrappedlen\fR SHOULD be used to determine the actual
+length of the output.
+.SH NOTES
.IX Header "NOTES"
After the call to \fBEVP_PKEY_decapsulate_init()\fR algorithm-specific parameters
for the operation may be set or modified using \fBEVP_PKEY_CTX_set_params\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_decapsulate_init()\fR and \fBEVP_PKEY_decapsulate()\fR return 1 for
-success and 0 or a negative value for failure. In particular a return value of \-2
-indicates the operation is not supported by the private key algorithm.
-.SH "EXAMPLES"
+\&\fBEVP_PKEY_decapsulate_init()\fR, \fBEVP_PKEY_auth_decapsulate_init()\fR and
+\&\fBEVP_PKEY_decapsulate()\fR return 1 for success and 0 or a negative value for
+failure. In particular a return value of \-2 indicates the operation is not
+supported by the private key algorithm.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Decapsulate data using \s-1RSA:\s0
+Decapsulate data using RSA:
.PP
.Vb 1
\& #include <openssl/evp.h>
@@ -190,7 +139,7 @@ Decapsulate data using \s-1RSA:\s0
\& unsigned char *secret = NULL;;
\&
\& ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_priv_key, NULL);
-\& if (ctx = NULL)
+\& if (ctx == NULL)
\& /* Error */
\& if (EVP_PKEY_decapsulate_init(ctx, NULL) <= 0)
\& /* Error */
@@ -208,22 +157,32 @@ Decapsulate data using \s-1RSA:\s0
\& /* malloc failure */
\&
\& /* Decapsulated secret data is secretlen bytes long */
-\& if (EVP_PKEY_decapsulaterctx, secret, &secretlen, in, inlen) <= 0)
+\& if (EVP_PKEY_decapsulate(ctx, secret, &secretlen, in, inlen) <= 0)
\& /* Error */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3),
\&\fBEVP_PKEY_encapsulate\fR\|(3),
-\&\s-1\fBEVP_KEM\-RSA\s0\fR\|(7),
-.SH "HISTORY"
+\&\fBEVP_KEM\-RSA\fR\|(7),
+\&\fBEVP_KEM\-X25519\fR\|(7),
+\&\fBEVP_KEM\-EC\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\-512\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\-768\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\-1024\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
-These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The functions \fBEVP_PKEY_decapsulate_init()\fR and \fBEVP_PKEY_decapsulate()\fR were added
+in OpenSSL 3.0.
+.PP
+The function \fBEVP_PKEY_auth_decapsulate_init()\fR was added in OpenSSL 3.2.
+.PP
+Support for \fBML-KEM\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3
index 10528a4c842a..da5fc45a1dd4 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_DECRYPT 3ossl"
-.TH EVP_PKEY_DECRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_DECRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_decrypt_init, EVP_PKEY_decrypt_init_ex,
EVP_PKEY_decrypt \- decrypt using a public key algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -150,7 +74,7 @@ EVP_PKEY_decrypt \- decrypt using a public key algorithm
\& unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_decrypt_init()\fR function initializes a public key algorithm
context using key \fIpkey\fR for a decryption operation.
@@ -161,14 +85,14 @@ algorithm specific \fIparams\fR.
.PP
The \fBEVP_PKEY_decrypt()\fR function performs a public key decryption operation
using \fIctx\fR. The data to be decrypted is specified using the \fIin\fR and
-\&\fIinlen\fR parameters. If \fIout\fR is \s-1NULL\s0 then the minimum required size of
+\&\fIinlen\fR parameters. If \fIout\fR is NULL then the minimum required size of
the output buffer is written to the \fI*outlen\fR parameter.
.PP
-If \fIout\fR is not \s-1NULL\s0 then before the call the \fI*outlen\fR parameter must
+If \fIout\fR is not NULL then before the call the \fI*outlen\fR parameter must
contain the length of the \fIout\fR buffer. If the call is successful the
decrypted data is written to \fIout\fR and the amount of the decrypted data
written to \fI*outlen\fR, otherwise an error is returned.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
After the call to \fBEVP_PKEY_decrypt_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
@@ -183,9 +107,29 @@ context if several operations are performed using the same parameters.
return 1 for success and 0 or a negative value for failure. In particular a
return value of \-2 indicates the operation is not supported by the public key
algorithm.
-.SH "EXAMPLES"
+.SH WARNINGS
+.IX Header "WARNINGS"
+In OpenSSL versions before 3.2.0, when used in PKCS#1 v1.5 padding,
+both the return value from the \fBEVP_PKEY_decrypt()\fR and the \fBoutlen\fR provided
+information useful in mounting a Bleichenbacher attack against the
+used private key. They had to be processed in a side-channel free way.
+.PP
+Since version 3.2.0, the \fBEVP_PKEY_decrypt()\fR method when used with PKCS#1
+v1.5 padding as implemented in the \fBdefault\fR provider implements
+the implicit rejection mechanism (see
+\&\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR in \fBprovider\-asym_cipher\fR\|(7)).
+That means it doesn't return an error when it detects an error in padding,
+instead it returns a pseudo-randomly generated message, removing the need
+of side-channel secure code from applications using OpenSSL.
+If OpenSSL is configured to use a provider that doesn't implement implicit
+rejection, the code still needs to handle the returned values
+using side-channel free code.
+Side-channel free handling of the error stack can be performed using
+either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3)
+calls or by using the \fBERR_clear_error\fR\|(3) call.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Decrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys):
+Decrypt data using OAEP (for RSA keys):
.PP
.Vb 2
\& #include <openssl/evp.h>
@@ -231,14 +175,14 @@ Decrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys):
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3
index 3942c345c62c..19c6aafd52d9 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_DERIVE 3ossl"
-.TH EVP_PKEY_DERIVE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_DERIVE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_derive_init, EVP_PKEY_derive_init_ex,
EVP_PKEY_derive_set_peer_ex, EVP_PKEY_derive_set_peer, EVP_PKEY_derive
\&\- derive public key algorithm shared secret
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -152,12 +76,12 @@ EVP_PKEY_derive_set_peer_ex, EVP_PKEY_derive_set_peer, EVP_PKEY_derive
\& int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
\& int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_derive_init()\fR initializes a public key algorithm context \fIctx\fR for
shared secret derivation using the algorithm given when the context was created
using \fBEVP_PKEY_CTX_new\fR\|(3) or variants thereof. The algorithm is used to
-fetch a \fB\s-1EVP_KEYEXCH\s0\fR method implicitly, see \*(L"Implicit fetch\*(R" in \fBprovider\fR\|(7) for
+fetch a \fBEVP_KEYEXCH\fR method implicitly, see "Implicit fetch" in \fBprovider\fR\|(7) for
more information about implicit fetches.
.PP
\&\fBEVP_PKEY_derive_init_ex()\fR is the same as \fBEVP_PKEY_derive_init()\fR but additionally
@@ -171,12 +95,12 @@ is non zero.
\&\fIvalidate_peer\fR set to 1.
.PP
\&\fBEVP_PKEY_derive()\fR derives a shared secret using \fIctx\fR.
-If \fIkey\fR is \s-1NULL\s0 then the maximum size of the output buffer is written to the
-\&\fIkeylen\fR parameter. If \fIkey\fR is not \s-1NULL\s0 then before the call the \fIkeylen\fR
+If \fIkey\fR is NULL then the maximum size of the output buffer is written to the
+\&\fIkeylen\fR parameter. If \fIkey\fR is not NULL then before the call the \fIkeylen\fR
parameter should contain the length of the \fIkey\fR buffer, if the call is
successful the shared secret is written to \fIkey\fR and the amount of data
written to \fIkeylen\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
After the call to \fBEVP_PKEY_derive_init()\fR, algorithm
specific control operations can be performed to set any appropriate parameters
@@ -190,9 +114,9 @@ context if several operations are performed using the same parameters.
for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Derive shared secret (for example \s-1DH\s0 or \s-1EC\s0 keys):
+Derive shared secret (for example DH or EC keys):
.PP
.Vb 2
\& #include <openssl/evp.h>
@@ -236,18 +160,18 @@ Derive shared secret (for example \s-1DH\s0 or \s-1EC\s0 keys):
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_KEYEXCH_fetch\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_derive_init()\fR, \fBEVP_PKEY_derive_set_peer()\fR and \fBEVP_PKEY_derive()\fR
functions were originally added in OpenSSL 1.0.0.
.PP
The \fBEVP_PKEY_derive_init_ex()\fR and \fBEVP_PKEY_derive_set_peer_ex()\fR functions were
added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3
index e4e8810b361f..5c9e63565d71 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_digestsign_supports_digest.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl"
-.TH EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_DIGESTSIGN_SUPPORTS_DIGEST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_digestsign_supports_digest \- indicate support for signature digest
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 3
\& #include <openssl/evp.h>
\& int EVP_PKEY_digestsign_supports_digest(EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
\& const char *name, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_digestsign_supports_digest()\fR function queries whether the message
digest \fIname\fR is supported for public key signature operations associated with
@@ -160,14 +84,14 @@ a negative value for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestSignInit_ex\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_digestsign_supports_digest()\fR function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3
index 8d7aedb791ae..bdd9c97c523f 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encapsulate.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,30 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ENCAPSULATE 3ossl"
-.TH EVP_PKEY_ENCAPSULATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_ENCAPSULATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
+.SH NAME
+EVP_PKEY_encapsulate_init, EVP_PKEY_auth_encapsulate_init, EVP_PKEY_encapsulate
\&\- Key encapsulation using a KEM algorithm with a public key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
+\& int EVP_PKEY_auth_encapsulate_init(EVP_PKEY_CTX *ctx, EVP_PKEY *authpriv,
+\& const OSSL_PARAM params[]);
\& int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
\& unsigned char *wrappedkey, size_t *wrappedkeylen,
\& unsigned char *genkey, size_t *genkeylen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_encapsulate_init()\fR function initializes a public key algorithm
context \fIctx\fR for an encapsulation operation and then sets the \fIparams\fR
@@ -157,32 +83,55 @@ on the context in the same way as calling \fBEVP_PKEY_CTX_set_params\fR\|(3).
Note that \fIctx\fR is usually is produced using \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3),
specifying the public key to use.
.PP
+The \fBEVP_PKEY_auth_encapsulate_init()\fR function is similar to
+\&\fBEVP_PKEY_encapsulate_init()\fR but also passes an \fIauthpriv\fR authentication private
+key that is used during encapsulation.
+.PP
The \fBEVP_PKEY_encapsulate()\fR function performs a public key encapsulation
operation using \fIctx\fR.
-The symmetric secret generated in \fIgenkey\fR can be used as key material.
-The ciphertext in \fIwrappedkey\fR is its encapsulated form, which can be sent
-to another party, who can use \fBEVP_PKEY_decapsulate\fR\|(3) to retrieve it
-using their private key.
-If \fIwrappedkey\fR is \s-1NULL\s0 then the maximum size of the output buffer
-is written to the \fI*wrappedkeylen\fR parameter unless \fIwrappedkeylen\fR is \s-1NULL\s0
-and the maximum size of the generated key buffer is written to \fI*genkeylen\fR
-unless \fIgenkeylen\fR is \s-1NULL.\s0
-If \fIwrappedkey\fR is not \s-1NULL\s0 and the call is successful then the
-internally generated key is written to \fIgenkey\fR and its size is written to
-\&\fI*genkeylen\fR. The encapsulated version of the generated key is written to
-\&\fIwrappedkey\fR and its size is written to \fI*wrappedkeylen\fR.
-.SH "NOTES"
+The shared secret written to \fIgenkey\fR can be used as an input for key
+derivation, typically for various symmetric algorithms.
+Its size is written to \fIgenkeylen\fR, which must be initialised to the
+size of the provided buffer.
+.PP
+The ciphertext written to \fIwrappedkey\fR is an encapsulated form, which
+is expected to be only usable by the holder of the private key corresponding
+to the public key associated with \fIctx\fR.
+This ciphertext is then communicated to the private-key holder, who can use
+\&\fBEVP_PKEY_decapsulate\fR\|(3) to securely recover the same shared secret.
+.PP
+If \fIwrappedkey\fR is NULL then the maximum size of the output buffer is written
+to the \fI*wrappedkeylen\fR parameter unless \fIwrappedkeylen\fR is NULL and the
+maximum size of the generated key buffer is written to \fI*genkeylen\fR unless
+\&\fIgenkeylen\fR is NULL.
+.PP
+If \fIwrappedkey\fR is not NULL and the call is successful then the generated
+shared secret is written to \fIgenkey\fR and its size is written to
+\&\fI*genkeylen\fR (which must be non-NULL).
+The encapsulated ciphertext is written to \fIwrappedkey\fR and
+its size is written to \fI*wrappedkeylen\fR (must also be non-NULL),
+The value pointed to by \fIwrappedlen\fR initially hold the size of the
+\&\fIunwrapped\fR buffer so that its size can be validated by the call, ensuring it
+is large enough to hold the result written to \fIwrapped\fR.
+.PP
+Absent detailed prior knowledge of the internals of the specific KEM
+algorithm, callers SHOULD NOT assume that the returned shared secret and
+ciphertext are necessarily of the maximum possible length.
+The lengths returned via \fI*wrappedkeylen\fR and \fI*genkeylen\fR SHOULD
+be used to determine the actual lengths of the outputs.
+.SH NOTES
.IX Header "NOTES"
-After the call to \fBEVP_PKEY_encapsulate_init()\fR algorithm-specific parameters
+After the call to \fBEVP_PKEY_encapsulate_init()\fR, algorithm-specific parameters
for the operation may be set or modified using \fBEVP_PKEY_CTX_set_params\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_encapsulate_init()\fR and \fBEVP_PKEY_encapsulate()\fR return 1 for
-success and 0 or a negative value for failure. In particular a return value of \-2
-indicates the operation is not supported by the public key algorithm.
-.SH "EXAMPLES"
+\&\fBEVP_PKEY_encapsulate_init()\fR, \fBEVP_PKEY_auth_encapsulate_init()\fR and
+\&\fBEVP_PKEY_encapsulate()\fR return 1 for success and 0 or a negative value for
+failure. In particular a return value of \-2 indicates the operation is not
+supported by the public key algorithm.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Encapsulate an \s-1RSASVE\s0 key (for \s-1RSA\s0 keys).
+Encapsulate an RSASVE key (for RSA keys).
.PP
.Vb 1
\& #include <openssl/evp.h>
@@ -196,7 +145,7 @@ Encapsulate an \s-1RSASVE\s0 key (for \s-1RSA\s0 keys).
\& unsigned char *out = NULL, *secret = NULL;
\&
\& ctx = EVP_PKEY_CTX_new_from_pkey(libctx, rsa_pub_key, NULL);
-\& if (ctx = NULL)
+\& if (ctx == NULL)
\& /* Error */
\& if (EVP_PKEY_encapsulate_init(ctx, NULL) <= 0)
\& /* Error */
@@ -225,15 +174,24 @@ Encapsulate an \s-1RSASVE\s0 key (for \s-1RSA\s0 keys).
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3),
\&\fBEVP_PKEY_decapsulate\fR\|(3),
-\&\s-1\fBEVP_KEM\-RSA\s0\fR\|(7),
-.SH "HISTORY"
+\&\fBEVP_KEM\-RSA\fR\|(7),
+\&\fBEVP_KEM\-X25519\fR\|(7),
+\&\fBEVP_KEM\-EC\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\-512\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\-768\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\-1024\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
-These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The functions \fBEVP_PKEY_encapsulate_init()\fR and \fBEVP_PKEY_encapsulate()\fR were
+added in OpenSSL 3.0.
+The function \fBEVP_PKEY_auth_encapsulate_init()\fR was added in OpenSSL 3.2.
+.PP
+Support for \fBML-KEM\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3
index c8cc1b513cc5..0a3b247aea55 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ENCRYPT 3ossl"
-.TH EVP_PKEY_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_encrypt_init_ex,
EVP_PKEY_encrypt_init, EVP_PKEY_encrypt \- encrypt using a public key algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -150,7 +74,7 @@ EVP_PKEY_encrypt_init, EVP_PKEY_encrypt \- encrypt using a public key algorithm
\& unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_encrypt_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for an encryption operation.
@@ -161,12 +85,12 @@ algorithm specific \fBparams\fR.
.PP
The \fBEVP_PKEY_encrypt()\fR function performs a public key encryption operation
using \fBctx\fR. The data to be encrypted is specified using the \fBin\fR and
-\&\fBinlen\fR parameters. If \fBout\fR is \fB\s-1NULL\s0\fR then the maximum size of the output
-buffer is written to the \fBoutlen\fR parameter. If \fBout\fR is not \fB\s-1NULL\s0\fR then
+\&\fBinlen\fR parameters. If \fBout\fR is \fBNULL\fR then the maximum size of the output
+buffer is written to the \fBoutlen\fR parameter. If \fBout\fR is not \fBNULL\fR then
before the call the \fBoutlen\fR parameter should contain the length of the
\&\fBout\fR buffer, if the call is successful the encrypted data is written to
\&\fBout\fR and the amount of data written to \fBoutlen\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
After the call to \fBEVP_PKEY_encrypt_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
@@ -181,11 +105,11 @@ context if several operations are performed using the same parameters.
return 1 for success and 0 or a negative value for failure. In particular a
return value of \-2 indicates the operation is not supported by the public key
algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Encrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys). See also \fBPEM_read_PUBKEY\fR\|(3) or
+Encrypt data using OAEP (for RSA keys). See also \fBPEM_read_PUBKEY\fR\|(3) or
\&\fBd2i_X509\fR\|(3) for means to load a public key. You may also simply
-set 'eng = \s-1NULL\s0;' to start with the default OpenSSL \s-1RSA\s0 implementation:
+set 'eng = NULL;' to start with the default OpenSSL RSA implementation:
.PP
.Vb 3
\& #include <openssl/evp.h>
@@ -234,14 +158,14 @@ set 'eng = \s-1NULL\s0;' to start with the default OpenSSL \s-1RSA\s0 implementa
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3
index f08f0ec2f8ec..e4dba0798235 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_fromdata.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_FROMDATA 3ossl"
-.TH EVP_PKEY_FROMDATA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_FROMDATA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_fromdata_init, EVP_PKEY_fromdata, EVP_PKEY_fromdata_settable
\&\- functions to create keys and key parameters from user data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -149,18 +73,18 @@ EVP_PKEY_fromdata_init, EVP_PKEY_fromdata, EVP_PKEY_fromdata_settable
\& OSSL_PARAM params[]);
\& const OSSL_PARAM *EVP_PKEY_fromdata_settable(EVP_PKEY_CTX *ctx, int selection);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions described here are used to create new keys from user
-provided key data, such as \fIn\fR, \fIe\fR and \fId\fR for a minimal \s-1RSA\s0
+provided key data, such as \fIn\fR, \fIe\fR and \fId\fR for a minimal RSA
keypair.
.PP
-These functions use an \fB\s-1EVP_PKEY_CTX\s0\fR context, which should primarily
+These functions use an \fBEVP_PKEY_CTX\fR context, which should primarily
be created with \fBEVP_PKEY_CTX_new_from_name\fR\|(3) or
\&\fBEVP_PKEY_CTX_new_id\fR\|(3).
.PP
The exact key data that the user can pass depends on the key type.
-These are passed as an \s-1\fBOSSL_PARAM\s0\fR\|(3) array.
+These are passed as an \fBOSSL_PARAM\fR\|(3) array.
.PP
\&\fBEVP_PKEY_fromdata_init()\fR initializes a public key algorithm context
for creating a key or key parameters from user data.
@@ -168,39 +92,43 @@ for creating a key or key parameters from user data.
\&\fBEVP_PKEY_fromdata()\fR creates the structure to store a key or key parameters,
given data from \fIparams\fR, \fIselection\fR and a context that's been initialized
with \fBEVP_PKEY_fromdata_init()\fR. The result is written to \fI*ppkey\fR.
-\&\fIselection\fR is described in \*(L"Selections\*(R".
-The parameters that can be used for various types of key are as described by the
-diverse \*(L"Common parameters\*(R" sections of the
-\&\fB\s-1EVP_PKEY\-RSA\s0\fR(7),
-\&\fB\s-1EVP_PKEY\-DSA\s0\fR(7),
-\&\fB\s-1EVP_PKEY\-DH\s0\fR(7),
-\&\fB\s-1EVP_PKEY\-EC\s0\fR(7),
-\&\fB\s-1EVP_PKEY\-ED448\s0\fR(7),
-\&\fB\s-1EVP_PKEY\-X25519\s0\fR(7),
-\&\fB\s-1EVP_PKEY\-X448\s0\fR(7),
-and \fB\s-1EVP_PKEY\-ED25519\s0\fR(7) pages.
+\&\fIselection\fR is described in "Selections".
+The parameters that can be used for various types of key are as described by
+the various "Common parameters" sections of the
+\&\fBEVP_PKEY\-RSA\fR(7),
+\&\fBEVP_PKEY\-DSA\fR(7),
+\&\fBEVP_PKEY\-DH\fR(7),
+\&\fBEVP_PKEY\-EC\fR(7),
+\&\fBEVP_PKEY\-ED448\fR(7),
+\&\fBEVP_PKEY\-X25519\fR(7),
+\&\fBEVP_PKEY\-X448\fR(7),
+\&\fBEVP_PKEY\-ED25519\fR(7),
+\&\fBEVP_PKEY\-ML\-DSA\|(7)\fR
+and
+\&\fBEVP_PKEY\-ML\-KEM\|(7)\fR
+pages.
.PP
-\&\fBEVP_PKEY_fromdata_settable()\fR gets a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes
+\&\fBEVP_PKEY_fromdata_settable()\fR gets a constant \fBOSSL_PARAM\fR\|(3) array that describes
the settable parameters that can be used with \fBEVP_PKEY_fromdata()\fR.
-\&\fIselection\fR is described in \*(L"Selections\*(R".
+\&\fIselection\fR is described in "Selections".
.PP
Parameters in the \fIparams\fR array that are not among the settable parameters
for the given \fIselection\fR are ignored.
-.SS "Selections"
+.SS Selections
.IX Subsection "Selections"
The following constants can be used for \fIselection\fR:
-.IP "\fB\s-1EVP_PKEY_KEY_PARAMETERS\s0\fR" 4
+.IP \fBEVP_PKEY_KEY_PARAMETERS\fR 4
.IX Item "EVP_PKEY_KEY_PARAMETERS"
Only key parameters will be selected.
-.IP "\fB\s-1EVP_PKEY_PUBLIC_KEY\s0\fR" 4
+.IP \fBEVP_PKEY_PUBLIC_KEY\fR 4
.IX Item "EVP_PKEY_PUBLIC_KEY"
Only public key components will be selected. This includes optional key
parameters.
-.IP "\fB\s-1EVP_PKEY_KEYPAIR\s0\fR" 4
+.IP \fBEVP_PKEY_KEYPAIR\fR 4
.IX Item "EVP_PKEY_KEYPAIR"
Any keypair components will be selected. This includes the private key,
public key and key parameters.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions only work with key management methods coming from a provider.
This is the mirror function to \fBEVP_PKEY_todata\fR\|(3).
@@ -209,13 +137,13 @@ This is the mirror function to \fBEVP_PKEY_todata\fR\|(3).
\&\fBEVP_PKEY_fromdata_init()\fR and \fBEVP_PKEY_fromdata()\fR return 1 for success and 0 or
a negative value for failure. In particular a return value of \-2 indicates the
operation is not supported by the public key algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
These examples are very terse for the sake of staying on topic, which
is the \fBEVP_PKEY_fromdata()\fR set of functions. In real applications,
BIGNUMs would be handled and converted to byte arrays with
\&\fBBN_bn2nativepad()\fR, but that's off topic here.
-.SS "Creating an \s-1RSA\s0 keypair using raw key data"
+.SS "Creating an RSA keypair using raw key data"
.IX Subsection "Creating an RSA keypair using raw key data"
.Vb 1
\& #include <openssl/evp.h>
@@ -249,7 +177,7 @@ BIGNUMs would be handled and converted to byte arrays with
\& /* Do what you want with |pkey| */
\& }
.Ve
-.SS "Creating an \s-1ECC\s0 keypair using raw key data"
+.SS "Creating an ECC keypair using raw key data"
.IX Subsection "Creating an ECC keypair using raw key data"
.Vb 3
\& #include <openssl/evp.h>
@@ -367,24 +295,37 @@ BIGNUMs would be handled and converted to byte arrays with
\& }
.Ve
.PP
-The descriptor \s-1\fBOSSL_PARAM\s0\fR\|(3) returned by
+The descriptor \fBOSSL_PARAM\fR\|(3) returned by
\&\fBEVP_PKEY_fromdata_settable()\fR may also be used programmatically, for
example with \fBOSSL_PARAM_allocate_from_text\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_PKEY_CTX_new\fR\|(3), \fBprovider\fR\|(7), \fBEVP_PKEY_gettable_params\fR\|(3),
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3), \fBEVP_PKEY_todata\fR\|(3),
-\&\s-1\fBEVP_PKEY\-RSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-DH\s0\fR\|(7), \s-1\fBEVP_PKEY\-EC\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-ED448\s0\fR\|(7), \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7), \s-1\fBEVP_PKEY\-X448\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-ED25519\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_PKEY_CTX_new\fR\|(3),
+\&\fBEVP_PKEY_todata\fR\|(3),
+\&\fBEVP_PKEY_gettable_params\fR\|(3),
+\&\fBOSSL_PARAM\fR\|(3),
+\&\fBprovider\fR\|(7),
+\&\fBEVP_PKEY\-RSA\fR\|(7),
+\&\fBEVP_PKEY\-EC\fR\|(7),
+\&\fBEVP_PKEY\-ED25519\fR\|(7),
+\&\fBEVP_PKEY\-ED448\fR\|(7),
+\&\fBEVP_PKEY\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-X25519\fR\|(7),
+\&\fBEVP_PKEY\-X448\fR\|(7),
+\&\fBEVP_PKEY\-ML\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\fR\|(7),
+\&\fBEVP_PKEY\-SLH\-DSA\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Support for \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3
new file mode 100644
index 000000000000..bdbe7aacbb7d
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_attr.3
@@ -0,0 +1,166 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_PKEY_GET_ATTR 3ossl"
+.TH EVP_PKEY_GET_ATTR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_PKEY_get_attr,
+EVP_PKEY_get_attr_count,
+EVP_PKEY_get_attr_by_NID, EVP_PKEY_get_attr_by_OBJ,
+EVP_PKEY_delete_attr,
+EVP_PKEY_add1_attr,
+EVP_PKEY_add1_attr_by_OBJ, EVP_PKEY_add1_attr_by_NID, EVP_PKEY_add1_attr_by_txt
+\&\- EVP_PKEY X509_ATTRIBUTE functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509.h>
+\&
+\& int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
+\& int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos);
+\& int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj,
+\& int lastpos);
+\& X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
+\& X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
+\& int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
+\& int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
+\& const ASN1_OBJECT *obj, int type,
+\& const unsigned char *bytes, int len);
+\& int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
+\& int nid, int type,
+\& const unsigned char *bytes, int len);
+\& int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
+\& const char *attrname, int type,
+\& const unsigned char *bytes, int len);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These functions are used by \fBPKCS12\fR.
+.PP
+\&\fBEVP_PKEY_get_attr_by_OBJ()\fR finds the location of the first matching object \fIobj\fR
+in the \fIkey\fR attribute list. The search starts at the position after \fIlastpos\fR.
+If the returned value is positive then it can be used on the next call to
+\&\fBEVP_PKEY_get_attr_by_OBJ()\fR as the value of \fIlastpos\fR in order to iterate through
+the remaining attributes. \fIlastpos\fR can be set to any negative value on the
+first call, in order to start searching from the start of the attribute list.
+.PP
+\&\fBEVP_PKEY_get_attr_by_NID()\fR is similar to \fBEVP_PKEY_get_attr_by_OBJ()\fR except that
+it passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBEVP_PKEY_get_attr()\fR returns the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in the
+\&\fIkey\fR attribute list. \fIloc\fR should be in the range from 0 to
+\&\fBEVP_PKEY_get_attr_count()\fR \- 1.
+.PP
+\&\fBEVP_PKEY_delete_attr()\fR removes the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in
+the \fIkey\fR attribute list.
+.PP
+\&\fBEVP_PKEY_add1_attr()\fR pushes a copy of the passed in \fBX509_ATTRIBUTE\fR object
+to the \fIkey\fR attribute list. A new \fIkey\fR attribute list is created if required.
+An error occurs if either \fIattr\fR is NULL, or the attribute already exists.
+.PP
+\&\fBEVP_PKEY_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using
+\&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new
+\&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it
+to the \fIkey\fR object's attribute list. If \fIobj\fR already exists in the attribute
+list then an error occurs.
+.PP
+\&\fBEVP_PKEY_add1_attr_by_NID()\fR is similar to \fBEVP_PKEY_add1_attr_by_OBJ()\fR except
+that it passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBEVP_PKEY_add1_attr_by_txt()\fR is similar to \fBEVP_PKEY_add1_attr_by_OBJ()\fR except
+that it passes a name \fIattrname\fR associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBEVP_PKEY_get_attr_count()\fR returns the number of attributes in the \fIkey\fR object
+attribute list or \-1 if the attribute list is NULL.
+.PP
+\&\fBEVP_PKEY_get_attr_by_OBJ()\fR returns \-1 if either the list is empty OR the object
+is not found, otherwise it returns the location of the object in the list.
+.PP
+\&\fBEVP_PKEY_get_attr_by_NID()\fR is similar to \fBEVP_PKEY_get_attr_by_OBJ()\fR, except that
+it returns \-2 if the \fInid\fR is not known by OpenSSL.
+.PP
+\&\fBEVP_PKEY_get_attr()\fR returns either a \fBX509_ATTRIBUTE\fR or NULL if there is a
+error.
+.PP
+\&\fBEVP_PKEY_delete_attr()\fR returns either the removed \fBX509_ATTRIBUTE\fR or NULL if
+there is a error.
+.PP
+\&\fBEVP_PKEY_add1_attr()\fR, \fBEVP_PKEY_add1_attr_by_OBJ()\fR, \fBEVP_PKEY_add1_attr_by_NID()\fR
+and \fBEVP_PKEY_add1_attr_by_txt()\fR return 1 on success or 0 otherwise.
+.SH NOTES
+.IX Header "NOTES"
+A \fBEVP_PKEY\fR object's attribute list is initially NULL. All the above functions
+listed will return an error unless \fBEVP_PKEY_add1_attr()\fR is called.
+All functions listed assume that the \fIkey\fR is not NULL.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_ATTRIBUTE\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3
index a67894f3d43b..be8ba3c33d51 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl"
-.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_get_default_digest_nid, EVP_PKEY_get_default_digest_name
\&\- get default signature digest
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,25 +72,25 @@ EVP_PKEY_get_default_digest_nid, EVP_PKEY_get_default_digest_name
\& char *mdname, size_t mdname_sz);
\& int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_get_default_digest_name()\fR fills in the default message digest
name for the public key signature operations associated with key
\&\fIpkey\fR into \fImdname\fR, up to at most \fImdname_sz\fR bytes including the
-ending \s-1NUL\s0 byte. The name could be \f(CW"UNDEF"\fR, signifying that a digest
+ending NUL byte. The name could be \f(CW"UNDEF"\fR, signifying that a digest
must (for return value 2) or may (for return value 1) be left unspecified.
.PP
\&\fBEVP_PKEY_get_default_digest_nid()\fR sets \fIpnid\fR to the default message
-digest \s-1NID\s0 for the public key signature operations associated with key
+digest NID for the public key signature operations associated with key
\&\fIpkey\fR. Note that some signature algorithms (i.e. Ed25519 and Ed448)
do not use a digest during signing. In this case \fIpnid\fR will be set
to NID_undef. This function is only reliable for legacy keys, which
-are keys with a \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR; these keys have typically
+are keys with a \fBEVP_PKEY_ASN1_METHOD\fR; these keys have typically
been loaded from engines, or created with \fBEVP_PKEY_assign_RSA\fR\|(3) or
similar.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-For all current standard OpenSSL public key algorithms \s-1SHA256\s0 is returned.
+For all current standard OpenSSL public key algorithms SHA256 is returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_get_default_digest_name()\fR and \fBEVP_PKEY_get_default_digest_nid()\fR
@@ -182,14 +106,14 @@ algorithm.
\&\fBEVP_PKEY_digestsign_supports_digest\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2006\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3
index 14cf187d81a0..722c0df92026 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_field_type.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_GET_FIELD_TYPE 3ossl"
-.TH EVP_PKEY_GET_FIELD_TYPE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_GET_FIELD_TYPE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_get_field_type, EVP_PKEY_get_ec_point_conv_form \- get field type
or point conversion form of a key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -147,9 +71,9 @@ or point conversion form of a key
\& int EVP_PKEY_get_field_type(const EVP_PKEY *pkey);
\& int EVP_PKEY_get_ec_point_conv_form(const EVP_PKEY *pkey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBEVP_PKEY_get_field_type()\fR returns the field type \s-1NID\s0 of the \fIpkey\fR, if
+\&\fBEVP_PKEY_get_field_type()\fR returns the field type NID of the \fIpkey\fR, if
\&\fIpkey\fR's key type supports it. The types currently supported
by the built-in OpenSSL providers are either \fBNID_X9_62_prime_field\fR
for prime curves or \fBNID_X9_62_characteristic_two_field\fR for binary curves;
@@ -157,27 +81,27 @@ these values are defined in the \fI<openssl/obj_mac.h>\fR header file.
.PP
\&\fBEVP_PKEY_get_ec_point_conv_form()\fR returns the point conversion format
of the \fIpkey\fR, if \fIpkey\fR's key type supports it.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Among the standard OpenSSL key types, this is only supported for \s-1EC\s0 and
-\&\s-1SM2\s0 keys. Other providers may support this for additional key types.
+Among the standard OpenSSL key types, this is only supported for EC and
+SM2 keys. Other providers may support this for additional key types.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_get_field_type()\fR returns the field type \s-1NID\s0 or 0 on error.
+\&\fBEVP_PKEY_get_field_type()\fR returns the field type NID or 0 on error.
.PP
\&\fBEVP_PKEY_get_ec_point_conv_form()\fR returns the point conversion format number
(see \fBEC_GROUP_copy\fR\|(3)) or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEC_GROUP_copy\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3
index 11ae97dba18b..1c1f19d8e0d0 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_group_name.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_GET_GROUP_NAME 3ossl"
-.TH EVP_PKEY_GET_GROUP_NAME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_GET_GROUP_NAME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_get_group_name \- get group name of a key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -146,30 +70,30 @@ EVP_PKEY_get_group_name \- get group name of a key
\& int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
\& size_t *gname_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_get_group_name()\fR fills in the group name of the \fIpkey\fR into
-\&\fIgname\fR, up to at most \fIgname_sz\fR bytes including the ending \s-1NUL\s0 byte
+\&\fIgname\fR, up to at most \fIgname_sz\fR bytes including the ending NUL byte
and assigns \fI*gname_len\fR the actual length of the name not including
-the \s-1NUL\s0 byte, if \fIpkey\fR's key type supports it.
-\&\fIgname\fR as well as \fIgname_len\fR may individually be \s-1NULL,\s0 and won't be
+the NUL byte, if \fIpkey\fR's key type supports it.
+\&\fIgname\fR as well as \fIgname_len\fR may individually be NULL, and won't be
filled in or assigned in that case.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Among the standard OpenSSL key types, this is only supported for \s-1DH, EC\s0 and
-\&\s-1SM2\s0 keys. Other providers may support this for additional key types.
+Among the standard OpenSSL key types, this is only supported for DH, EC and
+SM2 keys. Other providers may support this for additional key types.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_get_group_name()\fR returns 1 if the group name could be filled in,
otherwise 0.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3
index bbf65f83e1aa..7955e0d453cd 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_size.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_GET_SIZE 3ossl"
-.TH EVP_PKEY_GET_SIZE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_GET_SIZE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_get_size, EVP_PKEY_get_bits, EVP_PKEY_get_security_bits,
EVP_PKEY_bits, EVP_PKEY_security_bits, EVP_PKEY_size
\&\- EVP_PKEY information functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -153,10 +77,11 @@ EVP_PKEY_bits, EVP_PKEY_security_bits, EVP_PKEY_size
\& #define EVP_PKEY_security_bits EVP_PKEY_get_security_bits
\& #define EVP_PKEY_size EVP_PKEY_get_size
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_get_size()\fR returns the maximum suitable size for the output
buffers for almost all operations that can be done with \fIpkey\fR.
+This corresponds to the provider parameter \fBOSSL_PKEY_PARAM_MAX_SIZE\fR.
The primary documented use is with \fBEVP_SignFinal\fR\|(3) and
\&\fBEVP_SealInit\fR\|(3), but it isn't limited there. The returned size is
also large enough for the output buffer of \fBEVP_PKEY_sign\fR\|(3),
@@ -173,17 +98,19 @@ receive that length), to avoid bugs.
\&\fBEVP_PKEY_get_bits()\fR returns the cryptographic length of the cryptosystem
to which the key in \fIpkey\fR belongs, in bits. Note that the definition
of cryptographic length is specific to the key cryptosystem.
+This length corresponds to the provider parameter \fBOSSL_PKEY_PARAM_BITS\fR.
.PP
\&\fBEVP_PKEY_get_security_bits()\fR returns the number of security bits of the given
-\&\fIpkey\fR, bits of security is defined in \s-1NIST SP800\-57.\s0
+\&\fIpkey\fR, bits of security is defined in NIST SP800\-57.
+This corresponds to the provider parameter \fBOSSL_PKEY_PARAM_SECURITY_BITS\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_get_size()\fR, \fBEVP_PKEY_get_bits()\fR and \fBEVP_PKEY_get_security_bits()\fR
return a positive number, or 0 if this size isn't available.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Most functions that have an output buffer and are mentioned with
-\&\fBEVP_PKEY_get_size()\fR have a functionality where you can pass \s-1NULL\s0 for the
+\&\fBEVP_PKEY_get_size()\fR have a functionality where you can pass NULL for the
buffer and still pass a pointer to an integer and get the exact size
that this function call delivers in the context that it's called in.
This allows those functions to be called twice, once to find out the
@@ -195,25 +122,26 @@ the upper limit in advance.
.PP
It should also be especially noted that \fBEVP_PKEY_get_size()\fR shouldn't be
used to get the output size for \fBEVP_DigestSignFinal()\fR, according to
-\&\*(L"\s-1NOTES\*(R"\s0 in \fBEVP_DigestSignFinal\fR\|(3).
+"NOTES" in \fBEVP_DigestSignFinal\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fBprovider\-keymgmt\fR\|(7),
\&\fBEVP_SignFinal\fR\|(3),
\&\fBEVP_SealInit\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_bits()\fR, \fBEVP_PKEY_security_bits()\fR, and \fBEVP_PKEY_size()\fR functions
were renamed to include \f(CW\*(C`get\*(C'\fR in their names in OpenSSL 3.0, respectively.
The old names are kept as non-deprecated alias macros.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3
index a010ef157935..772f4a23ce3b 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_gettable_params.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_GETTABLE_PARAMS 3ossl"
-.TH EVP_PKEY_GETTABLE_PARAMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_GETTABLE_PARAMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_gettable_params, EVP_PKEY_get_params,
EVP_PKEY_get_int_param, EVP_PKEY_get_size_t_param,
EVP_PKEY_get_bn_param, EVP_PKEY_get_utf8_string_param,
EVP_PKEY_get_octet_string_param
\&\- retrieve key parameters from a key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -162,9 +86,9 @@ EVP_PKEY_get_octet_string_param
\& unsigned char *buf, size_t max_buf_sz,
\& size_t *out_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for information about parameters.
+See \fBOSSL_PARAM\fR\|(3) for information about parameters.
.PP
\&\fBEVP_PKEY_get_params()\fR retrieves parameters from the key \fIpkey\fR, according to
the contents of \fIparams\fR.
@@ -172,8 +96,8 @@ the contents of \fIparams\fR.
\&\fBEVP_PKEY_gettable_params()\fR returns a constant list of \fIparams\fR indicating
the names and types of key parameters that can be retrieved.
.PP
-An \s-1\fBOSSL_PARAM\s0\fR\|(3) of type \fB\s-1OSSL_PARAM_INTEGER\s0\fR or
-\&\fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR is of arbitrary length. Such a parameter can be
+An \fBOSSL_PARAM\fR\|(3) of type \fBOSSL_PARAM_INTEGER\fR or
+\&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR is of arbitrary length. Such a parameter can be
obtained using any of the functions \fBEVP_PKEY_get_int_param()\fR,
\&\fBEVP_PKEY_get_size_t_param()\fR or \fBEVP_PKEY_get_bn_param()\fR. Attempting to
obtain an integer value that does not fit into a native C \fBint\fR type will cause
@@ -189,38 +113,38 @@ parameters that do not fit into \f(CW\*(C`int\*(C'\fR use \fBEVP_PKEY_get_bn_par
associated with a name of \fIkey_name\fR if it fits into \f(CW\*(C`size_t\*(C'\fR type. For
parameters that do not fit into \f(CW\*(C`size_t\*(C'\fR use \fBEVP_PKEY_get_bn_param()\fR.
.PP
-\&\fBEVP_PKEY_get_bn_param()\fR retrieves a key \fIpkey\fR \s-1BIGNUM\s0 value \fI**bn\fR
-associated with a name of \fIkey_name\fR. If \fI*bn\fR is \s-1NULL\s0 then the \s-1BIGNUM\s0
+\&\fBEVP_PKEY_get_bn_param()\fR retrieves a key \fIpkey\fR BIGNUM value \fI**bn\fR
+associated with a name of \fIkey_name\fR. If \fI*bn\fR is NULL then the BIGNUM
is allocated by the method.
.PP
-\&\fBEVP_PKEY_get_utf8_string_param()\fR get a key \fIpkey\fR \s-1UTF8\s0 string value into a
+\&\fBEVP_PKEY_get_utf8_string_param()\fR get a key \fIpkey\fR UTF8 string value into a
buffer \fIstr\fR of maximum size \fImax_buf_sz\fR associated with a name of
\&\fIkey_name\fR. The maximum size must be large enough to accommodate the string
-value including a terminating \s-1NUL\s0 byte, or this function will fail.
-If \fIout_len\fR is not \s-1NULL,\s0 \fI*out_len\fR is set to the length of the string
-not including the terminating \s-1NUL\s0 byte. The required buffer size not including
-the terminating \s-1NUL\s0 byte can be obtained from \fI*out_len\fR by calling the
-function with \fIstr\fR set to \s-1NULL.\s0
+value including a terminating NUL byte, or this function will fail.
+If \fIout_len\fR is not NULL, \fI*out_len\fR is set to the length of the string
+not including the terminating NUL byte. The required buffer size not including
+the terminating NUL byte can be obtained from \fI*out_len\fR by calling the
+function with \fIstr\fR set to NULL.
.PP
\&\fBEVP_PKEY_get_octet_string_param()\fR get a key \fIpkey\fR's octet string value into a
buffer \fIbuf\fR of maximum size \fImax_buf_sz\fR associated with a name of \fIkey_name\fR.
-If \fIout_len\fR is not \s-1NULL,\s0 \fI*out_len\fR is set to the length of the contents.
+If \fIout_len\fR is not NULL, \fI*out_len\fR is set to the length of the contents.
The required buffer size can be obtained from \fI*out_len\fR by calling the
-function with \fIbuf\fR set to \s-1NULL.\s0
-.SH "NOTES"
+function with \fIbuf\fR set to NULL.
+.SH NOTES
.IX Header "NOTES"
-These functions only work for \fB\s-1EVP_PKEY\s0\fRs that contain a provider side key.
+These functions only work for \fBEVP_PKEY\fRs that contain a provider side key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_gettable_params()\fR returns \s-1NULL\s0 on error or if it is not supported.
+\&\fBEVP_PKEY_gettable_params()\fR returns NULL on error or if it is not supported.
.PP
All other methods return 1 if a value associated with the key's \fIkey_name\fR was
successfully returned, or 0 if there was an error.
An error may be returned by methods \fBEVP_PKEY_get_utf8_string_param()\fR and
\&\fBEVP_PKEY_get_octet_string_param()\fR if \fImax_buf_sz\fR is not big enough to hold the
-value. If \fIout_len\fR is not \s-1NULL,\s0 \fI*out_len\fR will be assigned the required
+value. If \fIout_len\fR is not NULL, \fI*out_len\fR will be assigned the required
buffer size to hold the value.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 1
\& #include <openssl/evp.h>
@@ -250,15 +174,15 @@ buffer size to hold the value.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_PKEY_CTX_new\fR\|(3), \fBprovider\-keymgmt\fR\|(7), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBEVP_PKEY_CTX_new\fR\|(3), \fBprovider\-keymgmt\fR\|(7), \fBOSSL_PARAM\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3
index ea5cab554ab5..d91af45a0a34 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_is_a.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_IS_A 3ossl"
-.TH EVP_PKEY_IS_A 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_IS_A 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_is_a, EVP_PKEY_can_sign, EVP_PKEY_type_names_do_all,
EVP_PKEY_get0_type_name, EVP_PKEY_get0_description, EVP_PKEY_get0_provider
\&\- key type and capabilities functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,7 +78,7 @@ EVP_PKEY_get0_type_name, EVP_PKEY_get0_description, EVP_PKEY_get0_provider
\& const char *EVP_PKEY_get0_description(const EVP_PKEY *key);
\& const OSSL_PROVIDER *EVP_PKEY_get0_provider(const EVP_PKEY *key);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_is_a()\fR checks if the key type of \fIpkey\fR is \fIname\fR.
.PP
@@ -163,7 +87,7 @@ EVP_PKEY_get0_type_name, EVP_PKEY_get0_description, EVP_PKEY_get0_provider
\&\fIpkey\fR contains a private key.
.PP
\&\fBEVP_PKEY_type_names_do_all()\fR traverses all names for \fIpkey\fR's key type, and
-calls \fIfn\fR with each name and \fIdata\fR. For example, an \s-1RSA\s0 \fB\s-1EVP_PKEY\s0\fR may
+calls \fIfn\fR with each name and \fIdata\fR. For example, an RSA \fBEVP_PKEY\fR may
be named both \f(CW\*(C`RSA\*(C'\fR and \f(CW\*(C`rsaEncryption\*(C'\fR.
The order of the names depends on the provider implementation that holds
the key.
@@ -175,12 +99,12 @@ that holds the key which one will be returned.
Ownership of the returned string is retained by the \fIpkey\fR object and should
not be freed by the caller.
.PP
-\&\fBEVP_PKEY_get0_description()\fR returns a description of the type of \fB\s-1EVP_PKEY\s0\fR,
+\&\fBEVP_PKEY_get0_description()\fR returns a description of the type of \fBEVP_PKEY\fR,
meant for display and human consumption. The description is at the
discretion of the key type implementation.
.PP
-\&\fBEVP_PKEY_get0_provider()\fR returns the provider of the \fB\s-1EVP_PKEY\s0\fR's
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3).
+\&\fBEVP_PKEY_get0_provider()\fR returns the provider of the \fBEVP_PKEY\fR's
+\&\fBEVP_KEYMGMT\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_is_a()\fR returns 1 if \fIpkey\fR has the key type \fIname\fR,
@@ -189,22 +113,22 @@ otherwise 0.
\&\fBEVP_PKEY_can_sign()\fR returns 1 if the \fIpkey\fR key type functionality
supports signing, otherwise 0.
.PP
-\&\fBEVP_PKEY_get0_type_name()\fR returns the name that is found or \s-1NULL\s0 on error.
+\&\fBEVP_PKEY_get0_type_name()\fR returns the name that is found or NULL on error.
.PP
-\&\fBEVP_PKEY_get0_description()\fR returns the description if found or \s-1NULL\s0 if not.
+\&\fBEVP_PKEY_get0_description()\fR returns the description if found or NULL if not.
.PP
-\&\fBEVP_PKEY_get0_provider()\fR returns the provider if found or \s-1NULL\s0 if not.
+\&\fBEVP_PKEY_get0_provider()\fR returns the provider if found or NULL if not.
.PP
\&\fBEVP_PKEY_type_names_do_all()\fR returns 1 if the callback was called for all
names. A return value of 0 means that the callback was not called for any
names.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-.SS "\fBEVP_PKEY_is_a()\fP"
+.SS \fBEVP_PKEY_is_a()\fP
.IX Subsection "EVP_PKEY_is_a()"
The loaded providers and what key types they support will ultimately
determine what \fIname\fR is possible to use with \fBEVP_PKEY_is_a()\fR. We do know
-that the default provider supports \s-1RSA, DH, DSA\s0 and \s-1EC\s0 keys, so we can use
+that the default provider supports RSA, DH, DSA and EC keys, so we can use
this as an crude example:
.PP
.Vb 1
@@ -219,7 +143,7 @@ this as an crude example:
\& BN_free(modulus);
\& }
.Ve
-.SS "\fBEVP_PKEY_can_sign()\fP"
+.SS \fBEVP_PKEY_can_sign()\fP
.IX Subsection "EVP_PKEY_can_sign()"
.Vb 1
\& #include <openssl/evp.h>
@@ -232,14 +156,14 @@ this as an crude example:
\& }
\& /* Sign something... */
.Ve
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3
index 42e362116f09..dfe03759d429 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_KEYGEN 3ossl"
-.TH EVP_PKEY_KEYGEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_KEYGEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_Q_keygen,
EVP_PKEY_keygen_init, EVP_PKEY_paramgen_init, EVP_PKEY_generate,
EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb,
@@ -145,7 +69,7 @@ EVP_PKEY_CTX_get_app_data,
EVP_PKEY_gen_cb,
EVP_PKEY_paramgen, EVP_PKEY_keygen
\&\- key and parameter generation and check functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -169,7 +93,7 @@ EVP_PKEY_paramgen, EVP_PKEY_keygen
\& void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data);
\& void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Generating keys is sometimes straight forward, just generate the key's
numbers and be done with it. However, there are certain key types that need
@@ -197,7 +121,7 @@ After initialization, generation parameters may be provided with
function described in those manuals.
.PP
\&\fBEVP_PKEY_generate()\fR performs the generation operation, the resulting key
-parameters or key are written to \fI*ppkey\fR. If \fI*ppkey\fR is \s-1NULL\s0 when this
+parameters or key are written to \fI*ppkey\fR. If \fI*ppkey\fR is NULL when this
function is called, it will be allocated, and should be freed by the caller
when no longer useful, using \fBEVP_PKEY_free\fR\|(3).
.PP
@@ -219,24 +143,37 @@ that parameter. \fBEVP_PKEY_CTX_gen_keygen_info()\fR with a nonnegative value fo
.PP
If the callback returns 0 then the key generation operation is aborted and an
error occurs. This might occur during a time consuming operation where
-a user clicks on a \*(L"cancel\*(R" button.
+a user clicks on a "cancel" button.
.PP
The functions \fBEVP_PKEY_CTX_set_app_data()\fR and \fBEVP_PKEY_CTX_get_app_data()\fR set
and retrieve an opaque pointer. This can be used to set some application
defined value which can be retrieved in the callback: for example a handle
-which is used to update a \*(L"progress dialog\*(R".
+which is used to update a "progress dialog".
.PP
-\&\fBEVP_PKEY_Q_keygen()\fR abstracts from the explicit use of \fB\s-1EVP_PKEY_CTX\s0\fR while
+\&\fBEVP_PKEY_Q_keygen()\fR abstracts from the explicit use of \fBEVP_PKEY_CTX\fR while
providing a 'quick' but limited way of generating a new asymmetric key pair.
It provides shorthands for simple and common cases of key generation.
As usual, the library context \fIlibctx\fR and property query \fIpropq\fR
can be given for fetching algorithms from providers.
If \fItype\fR is \f(CW\*(C`RSA\*(C'\fR,
-a \fBsize_t\fR parameter must be given to specify the size of the \s-1RSA\s0 key.
+a \fBsize_t\fR parameter must be given to specify the size of the RSA key.
If \fItype\fR is \f(CW\*(C`EC\*(C'\fR,
-a string parameter must be given to specify the name of the \s-1EC\s0 curve.
-If \fItype\fR is \f(CW\*(C`X25519\*(C'\fR, \f(CW\*(C`X448\*(C'\fR, \f(CW\*(C`ED25519\*(C'\fR, \f(CW\*(C`ED448\*(C'\fR, or \f(CW\*(C`SM2\*(C'\fR
-no further parameter is needed.
+a string parameter must be given to specify the name of the EC curve.
+If \fItype\fR is:
+\&\f(CW\*(C`ED25519\*(C'\fR,
+\&\f(CW\*(C`ED448\*(C'\fR,
+\&\f(CW\*(C`SM2\*(C'\fR,
+\&\f(CW\*(C`X25519\*(C'\fR,
+\&\f(CW\*(C`X448\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-44\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-65\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-87\*(C'\fR,
+\&\f(CW\*(C`ML\-KEM\-512\*(C'\fR,
+\&\f(CW\*(C`ML\-KEM\-768\*(C'\fR, or
+\&\f(CW\*(C`ML\-KEM\-1024\*(C'\fR
+no further parameters are needed. Other key types may be possible if they are
+supplied by the loaded providers. \fBEVP_PKEY_Q_keygen()\fR may be usable with such
+key types as long as they do not require further parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_keygen_init()\fR, \fBEVP_PKEY_paramgen_init()\fR, \fBEVP_PKEY_keygen()\fR and
@@ -244,8 +181,8 @@ no further parameter is needed.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.PP
-\&\fBEVP_PKEY_Q_keygen()\fR returns an \fB\s-1EVP_PKEY\s0\fR, or \s-1NULL\s0 on failure.
-.SH "NOTES"
+\&\fBEVP_PKEY_Q_keygen()\fR returns an \fBEVP_PKEY\fR, or NULL on failure.
+.SH NOTES
.IX Header "NOTES"
After the call to \fBEVP_PKEY_keygen_init()\fR or \fBEVP_PKEY_paramgen_init()\fR algorithm
specific control operations can be performed to set any appropriate parameters
@@ -261,16 +198,16 @@ give any useful information at all during key or parameter generation. Others
might not even call the callback.
.PP
The operation performed by key or parameter generation depends on the algorithm
-used. In some cases (e.g. \s-1EC\s0 with a supplied named curve) the \*(L"generation\*(R"
-option merely sets the appropriate fields in an \s-1EVP_PKEY\s0 structure.
+used. In some cases (e.g. EC with a supplied named curve) the "generation"
+option merely sets the appropriate fields in an EVP_PKEY structure.
.PP
-In OpenSSL an \s-1EVP_PKEY\s0 structure containing a private key also contains the
+In OpenSSL an EVP_PKEY structure containing a private key also contains the
public key components and parameters (if any). An OpenSSL private key is
-equivalent to what some libraries call a \*(L"key pair\*(R". A private key can be used
+equivalent to what some libraries call a "key pair". A private key can be used
in functions which require the use of a public key or parameters.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Generate a 2048 bit \s-1RSA\s0 key:
+Generate a 2048 bit RSA key:
.PP
.Vb 2
\& #include <openssl/evp.h>
@@ -350,7 +287,7 @@ Example of generation callback for OpenSSL public key implementations:
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_PKEY_keygen_init()\fR, int \fBEVP_PKEY_paramgen_init()\fR, \fBEVP_PKEY_keygen()\fR,
\&\fBEVP_PKEY_paramgen()\fR, \fBEVP_PKEY_gen_cb()\fR, \fBEVP_PKEY_CTX_set_cb()\fR,
@@ -359,11 +296,11 @@ Example of generation callback for OpenSSL public key implementations:
OpenSSL 1.0.0.
.PP
\&\fBEVP_PKEY_Q_keygen()\fR and \fBEVP_PKEY_generate()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3
index abba5a6dfb26..000238815fbb 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_METH_GET_COUNT 3ossl"
-.TH EVP_PKEY_METH_GET_COUNT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_METH_GET_COUNT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_meth_get_count, EVP_PKEY_meth_get0, EVP_PKEY_meth_get0_info \- enumerate public key methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -154,10 +78,10 @@ see \fBopenssl_user_macros\fR\|(7):
\& void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
\& const EVP_PKEY_METHOD *meth);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
+Applications should instead use the OSSL_PROVIDER APIs.
.PP
\&\fBEVP_PKEY_meth_count()\fR returns a count of the number of public key methods
available: it includes standard methods and any methods added by the
@@ -166,27 +90,27 @@ application.
\&\fBEVP_PKEY_meth_get0()\fR returns the public key method \fBidx\fR. The value of \fBidx\fR
must be between zero and \fBEVP_PKEY_meth_get_count()\fR \- 1.
.PP
-\&\fBEVP_PKEY_meth_get0_info()\fR returns the public key \s-1ID\s0 (a \s-1NID\s0) and any flags
+\&\fBEVP_PKEY_meth_get0_info()\fR returns the public key ID (a NID) and any flags
associated with the public key method \fB*meth\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_meth_count()\fR returns the number of available public key methods.
.PP
-\&\fBEVP_PKEY_meth_get0()\fR return a public key method or \fB\s-1NULL\s0\fR if \fBidx\fR is
+\&\fBEVP_PKEY_meth_get0()\fR return a public key method or \fBNULL\fR if \fBidx\fR is
out of range.
.PP
\&\fBEVP_PKEY_meth_get0_info()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3
index 922e5e3e6eb8..500e82e281ca 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_METH_NEW 3ossl"
-.TH EVP_PKEY_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find,
EVP_PKEY_meth_add0, EVP_PKEY_METHOD,
EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup,
@@ -159,14 +83,14 @@ EVP_PKEY_meth_get_public_check, EVP_PKEY_meth_get_param_check,
EVP_PKEY_meth_get_digest_custom,
EVP_PKEY_meth_remove
\&\- manipulating EVP_PKEY_METHOD structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -379,27 +303,27 @@ see \fBopenssl_user_macros\fR\|(7):
\& int (**pdigest_custom) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
+Applications should instead use the OSSL_PROVIDER APIs.
.PP
-\&\fB\s-1EVP_PKEY_METHOD\s0\fR is a structure which holds a set of methods for a
+\&\fBEVP_PKEY_METHOD\fR is a structure which holds a set of methods for a
specific public key cryptographic algorithm. Those methods are usually
used to perform different jobs, such as generating a key, signing or
verifying, encrypting or decrypting, etc.
.PP
-There are two places where the \fB\s-1EVP_PKEY_METHOD\s0\fR objects are stored: one
+There are two places where the \fBEVP_PKEY_METHOD\fR objects are stored: one
is a built-in static array representing the standard methods for different
algorithms, and the other one is a stack of user-defined application-specific
methods, which can be manipulated by using \fBEVP_PKEY_meth_add0\fR\|(3).
.PP
-The \fB\s-1EVP_PKEY_METHOD\s0\fR objects are usually referenced by \fB\s-1EVP_PKEY_CTX\s0\fR
+The \fBEVP_PKEY_METHOD\fR objects are usually referenced by \fBEVP_PKEY_CTX\fR
objects.
-.SS "Methods"
+.SS Methods
.IX Subsection "Methods"
The methods are the underlying implementations of a particular public key
-algorithm present by the \fB\s-1EVP_PKEY_CTX\s0\fR object.
+algorithm present by the \fBEVP_PKEY_CTX\fR object.
.PP
.Vb 3
\& int (*init) (EVP_PKEY_CTX *ctx);
@@ -408,8 +332,8 @@ algorithm present by the \fB\s-1EVP_PKEY_CTX\s0\fR object.
.Ve
.PP
The \fBinit()\fR method is called to initialize algorithm-specific data when a new
-\&\fB\s-1EVP_PKEY_CTX\s0\fR is created. As opposed to \fBinit()\fR, the \fBcleanup()\fR method is called
-when an \fB\s-1EVP_PKEY_CTX\s0\fR is freed. The \fBcopy()\fR method is called when an \fB\s-1EVP_PKEY_CTX\s0\fR
+\&\fBEVP_PKEY_CTX\fR is created. As opposed to \fBinit()\fR, the \fBcleanup()\fR method is called
+when an \fBEVP_PKEY_CTX\fR is freed. The \fBcopy()\fR method is called when an \fBEVP_PKEY_CTX\fR
is being duplicated. Refer to \fBEVP_PKEY_CTX_new\fR\|(3), \fBEVP_PKEY_CTX_new_id\fR\|(3),
\&\fBEVP_PKEY_CTX_free\fR\|(3) and \fBEVP_PKEY_CTX_dup\fR\|(3).
.PP
@@ -460,7 +384,7 @@ valid. They are called by \fBEVP_PKEY_verify_init\fR\|(3) and \fBEVP_PKEY_verify
.PP
The \fBverify_recover_init()\fR and \fBverify_recover()\fR methods are used to verify a
signature and then recover the digest from the signature (for instance, a
-signature that was generated by \s-1RSA\s0 signing algorithm). They are called by
+signature that was generated by RSA signing algorithm). They are called by
\&\fBEVP_PKEY_verify_recover_init\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3).
.PP
.Vb 3
@@ -470,7 +394,7 @@ signature that was generated by \s-1RSA\s0 signing algorithm). They are called b
.Ve
.PP
The \fBsignctx_init()\fR and \fBsignctx()\fR methods are used to sign a digest present by
-a \fB\s-1EVP_MD_CTX\s0\fR object. They are called by the EVP_DigestSign functions. See
+a \fBEVP_MD_CTX\fR object. They are called by the EVP_DigestSign functions. See
\&\fBEVP_DigestSignInit\fR\|(3) for details.
.PP
.Vb 3
@@ -480,7 +404,7 @@ a \fB\s-1EVP_MD_CTX\s0\fR object. They are called by the EVP_DigestSign function
.Ve
.PP
The \fBverifyctx_init()\fR and \fBverifyctx()\fR methods are used to verify a signature
-against the data in a \fB\s-1EVP_MD_CTX\s0\fR object. They are called by the various
+against the data in a \fBEVP_MD_CTX\fR object. They are called by the various
EVP_DigestVerify functions. See \fBEVP_DigestVerifyInit\fR\|(3) for details.
.PP
.Vb 3
@@ -507,7 +431,7 @@ They are called by \fBEVP_PKEY_decrypt_init\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|
.Ve
.PP
The \fBderive_init()\fR and \fBderive()\fR methods are used to derive the shared secret
-from a public key algorithm (for instance, the \s-1DH\s0 algorithm). They are called by
+from a public key algorithm (for instance, the DH algorithm). They are called by
\&\fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3).
.PP
.Vb 2
@@ -548,12 +472,12 @@ They could be called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|
The \fBdigest_custom()\fR method is used to generate customized digest content before
the real message is passed to functions like \fBEVP_DigestSignUpdate\fR\|(3) or
\&\fBEVP_DigestVerifyInit\fR\|(3). This is usually required by some public key
-signature algorithms like \s-1SM2\s0 which requires a hashed prefix to the message to
+signature algorithms like SM2 which requires a hashed prefix to the message to
be signed. The \fBdigest_custom()\fR function will be called by \fBEVP_DigestSignInit\fR\|(3)
and \fBEVP_DigestVerifyInit\fR\|(3).
-.SS "Functions"
+.SS Functions
.IX Subsection "Functions"
-\&\fBEVP_PKEY_meth_new()\fR creates and returns a new \fB\s-1EVP_PKEY_METHOD\s0\fR object,
+\&\fBEVP_PKEY_meth_new()\fR creates and returns a new \fBEVP_PKEY_METHOD\fR object,
and associates the given \fBid\fR and \fBflags\fR. The following flags are
supported:
.PP
@@ -562,46 +486,46 @@ supported:
\& EVP_PKEY_FLAG_SIGCTX_CUSTOM
.Ve
.PP
-If an \fB\s-1EVP_PKEY_METHOD\s0\fR is set with the \fB\s-1EVP_PKEY_FLAG_AUTOARGLEN\s0\fR flag, the
+If an \fBEVP_PKEY_METHOD\fR is set with the \fBEVP_PKEY_FLAG_AUTOARGLEN\fR flag, the
maximum size of the output buffer will be automatically calculated or checked
-in corresponding \s-1EVP\s0 methods by the \s-1EVP\s0 framework. Thus the implementations of
+in corresponding EVP methods by the EVP framework. Thus the implementations of
these methods don't need to care about handling the case of returning output
buffer size by themselves. For details on the output buffer size, refer to
\&\fBEVP_PKEY_sign\fR\|(3).
.PP
-The \fB\s-1EVP_PKEY_FLAG_SIGCTX_CUSTOM\s0\fR is used to indicate the \fBsignctx()\fR method
-of an \fB\s-1EVP_PKEY_METHOD\s0\fR is always called by the \s-1EVP\s0 framework while doing a
+The \fBEVP_PKEY_FLAG_SIGCTX_CUSTOM\fR is used to indicate the \fBsignctx()\fR method
+of an \fBEVP_PKEY_METHOD\fR is always called by the EVP framework while doing a
digest signing operation by calling \fBEVP_DigestSignFinal\fR\|(3).
.PP
-\&\fBEVP_PKEY_meth_free()\fR frees an existing \fB\s-1EVP_PKEY_METHOD\s0\fR pointed by
-\&\fBpmeth\fR.
+\&\fBEVP_PKEY_meth_free()\fR frees an existing \fBEVP_PKEY_METHOD\fR pointed by
+\&\fBpmeth\fR. If the argument is NULL, nothing is done.
.PP
-\&\fBEVP_PKEY_meth_copy()\fR copies an \fB\s-1EVP_PKEY_METHOD\s0\fR object from \fBsrc\fR
+\&\fBEVP_PKEY_meth_copy()\fR copies an \fBEVP_PKEY_METHOD\fR object from \fBsrc\fR
to \fBdst\fR.
.PP
-\&\fBEVP_PKEY_meth_find()\fR finds an \fB\s-1EVP_PKEY_METHOD\s0\fR object with the \fBid\fR.
+\&\fBEVP_PKEY_meth_find()\fR finds an \fBEVP_PKEY_METHOD\fR object with the \fBid\fR.
This function first searches through the user-defined method objects and
then the built-in objects.
.PP
\&\fBEVP_PKEY_meth_add0()\fR adds \fBpmeth\fR to the user defined stack of methods.
.PP
-\&\fBEVP_PKEY_meth_remove()\fR removes an \fB\s-1EVP_PKEY_METHOD\s0\fR object added by
+\&\fBEVP_PKEY_meth_remove()\fR removes an \fBEVP_PKEY_METHOD\fR object added by
\&\fBEVP_PKEY_meth_add0()\fR.
.PP
The EVP_PKEY_meth_set functions set the corresponding fields of
-\&\fB\s-1EVP_PKEY_METHOD\s0\fR structure with the arguments passed.
+\&\fBEVP_PKEY_METHOD\fR structure with the arguments passed.
.PP
The EVP_PKEY_meth_get functions get the corresponding fields of
-\&\fB\s-1EVP_PKEY_METHOD\s0\fR structure to the arguments provided.
+\&\fBEVP_PKEY_METHOD\fR structure to the arguments provided.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_meth_new()\fR returns a pointer to a new \fB\s-1EVP_PKEY_METHOD\s0\fR
-object or returns \s-1NULL\s0 on error.
+\&\fBEVP_PKEY_meth_new()\fR returns a pointer to a new \fBEVP_PKEY_METHOD\fR
+object or returns NULL on error.
.PP
\&\fBEVP_PKEY_meth_free()\fR and \fBEVP_PKEY_meth_copy()\fR do not return values.
.PP
-\&\fBEVP_PKEY_meth_find()\fR returns a pointer to the found \fB\s-1EVP_PKEY_METHOD\s0\fR
-object or returns \s-1NULL\s0 if not found.
+\&\fBEVP_PKEY_meth_find()\fR returns a pointer to the found \fBEVP_PKEY_METHOD\fR
+object or returns NULL if not found.
.PP
\&\fBEVP_PKEY_meth_add0()\fR returns 1 if method is added successfully or 0
if an error occurred.
@@ -612,17 +536,17 @@ if an error occurred.
All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return
values. For the 'get' functions, function pointers are returned by
arguments.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
The signature of the \fIcopy\fR functional argument of \fBEVP_PKEY_meth_set_copy()\fR
has changed in OpenSSL 3.0 so its \fIsrc\fR parameter is now constified.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3
index 7a0935b0803c..feda33f3e26a 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_NEW 3ossl"
-.TH EVP_PKEY_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY,
EVP_PKEY_new,
EVP_PKEY_up_ref,
@@ -151,7 +75,7 @@ EVP_PKEY_new_mac_key,
EVP_PKEY_get_raw_private_key,
EVP_PKEY_get_raw_public_key
\&\- public/private key allocation and raw key handling functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -187,51 +111,62 @@ EVP_PKEY_get_raw_public_key
.Ve
.PP
The following function has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
\& size_t len, const EVP_CIPHER *cipher);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1EVP_PKEY\s0\fR is a generic structure to hold diverse types of asymmetric keys
-(also known as \*(L"key pairs\*(R"), and can be used for diverse operations, like
+\&\fBEVP_PKEY\fR is a generic structure to hold diverse types of asymmetric keys
+(also known as "key pairs"), and can be used for diverse operations, like
signing, verifying signatures, key derivation, etc. The asymmetric keys
-themselves are often referred to as the \*(L"internal key\*(R", and are handled by
-backends, such as providers (through \s-1\fBEVP_KEYMGMT\s0\fR\|(3)) or \fB\s-1ENGINE\s0\fRs.
+themselves are often referred to as the "internal key", and are handled by
+backends, such as providers (through \fBEVP_KEYMGMT\fR\|(3)) or \fBENGINE\fRs.
.PP
-Conceptually, an \fB\s-1EVP_PKEY\s0\fR internal key may hold a private key, a public
+Conceptually, an \fBEVP_PKEY\fR internal key may hold a private key, a public
key, or both (a keypair), and along with those, key parameters if the key type
requires them. The presence of these components determine what operations can
be made; for example, signing normally requires the presence of a private key,
and verifying normally requires the presence of a public key.
.PP
-\&\fB\s-1EVP_PKEY\s0\fR has also been used for \s-1MAC\s0 algorithm that were conceived as
-producing signatures, although not being public key algorithms; \*(L"\s-1POLY1305\*(R",
-\&\*(L"SIPHASH\*(R", \*(L"HMAC\*(R", \*(L"CMAC\*(R".\s0 This usage is considered legacy and is discouraged
-in favor of the \s-1\fBEVP_MAC\s0\fR\|(3) \s-1API.\s0
+\&\fBEVP_PKEY\fR has also been used for MAC algorithm that were conceived as
+producing signatures, although not being public key algorithms; "POLY1305",
+"SIPHASH", "HMAC", "CMAC". This usage is considered legacy and is discouraged
+in favor of the \fBEVP_MAC\fR\|(3) API.
.PP
-The \fBEVP_PKEY_new()\fR function allocates an empty \fB\s-1EVP_PKEY\s0\fR structure which is
+The \fBEVP_PKEY_new()\fR function allocates an empty \fBEVP_PKEY\fR structure which is
used by OpenSSL to store public and private keys. The reference count is set to
\&\fB1\fR.
.PP
\&\fBEVP_PKEY_up_ref()\fR increments the reference count of \fIkey\fR.
.PP
-\&\fBEVP_PKEY_dup()\fR duplicates the \fIkey\fR. The \fIkey\fR must not be \s-1ENGINE\s0 based or
+\&\fBEVP_PKEY_dup()\fR duplicates the \fIkey\fR. The \fIkey\fR must not be ENGINE based or
a raw key, otherwise the duplication will fail.
.PP
\&\fBEVP_PKEY_free()\fR decrements the reference count of \fIkey\fR and, if the reference
-count is zero, frees it up. If \fIkey\fR is \s-1NULL,\s0 nothing is done.
+count is zero, frees it up. If \fIkey\fR is NULL, nothing is done.
.PP
-\&\fBEVP_PKEY_new_raw_private_key_ex()\fR allocates a new \fB\s-1EVP_PKEY\s0\fR. Unless an
+\&\fBEVP_PKEY_new_raw_private_key_ex()\fR allocates a new \fBEVP_PKEY\fR. Unless an
engine should be used for the key type, a provider for the key is found using
the library context \fIlibctx\fR and the property query string \fIpropq\fR. The
\&\fIkeytype\fR argument indicates what kind of key this is. The value should be a
-string for a public key algorithm that supports raw private keys, i.e one of
-\&\*(L"X25519\*(R", \*(L"\s-1ED25519\*(R", \*(L"X448\*(R"\s0 or \*(L"\s-1ED448\*(R".\s0 \fIkey\fR points to the raw private key
-data for this \fB\s-1EVP_PKEY\s0\fR which should be of length \fIkeylen\fR. The length
+string for a public key algorithm that supports raw private keys, e.g., one of:
+\&\f(CW\*(C`ED25519\*(C'\fR,
+\&\f(CW\*(C`ED448\*(C'\fR,
+\&\f(CW\*(C`X25519\*(C'\fR,
+\&\f(CW\*(C`X448\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-44\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-65\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-87\*(C'\fR,
+\&\f(CW\*(C`ML\-KEM\-512\*(C'\fR,
+\&\f(CW\*(C`ML\-KEM\-768\*(C'\fR,
+or
+\&\f(CW\*(C`ML\-KEM\-1024\*(C'\fR.
+\&\fIkey\fR points to the raw private key
+data for this \fBEVP_PKEY\fR which should be of length \fIkeylen\fR. The length
should be appropriate for the type of the key. The public key data will be
automatically derived from the given private key data (if appropriate for the
algorithm type).
@@ -239,28 +174,38 @@ algorithm type).
\&\fBEVP_PKEY_new_raw_private_key()\fR does the same as
\&\fBEVP_PKEY_new_raw_private_key_ex()\fR except that the default library context and
default property query are used instead. If \fIe\fR is non-NULL then the new
-\&\fB\s-1EVP_PKEY\s0\fR structure is associated with the engine \fIe\fR. The \fItype\fR argument
-indicates what kind of key this is. The value should be a \s-1NID\s0 for a public key
-algorithm that supports raw private keys, i.e. one of \fB\s-1EVP_PKEY_X25519\s0\fR,
-\&\fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR.
+\&\fBEVP_PKEY\fR structure is associated with the engine \fIe\fR. The \fItype\fR argument
+indicates what kind of key this is. The value should be a NID for a public key
+algorithm that supports raw private keys, i.e. one of \fBEVP_PKEY_X25519\fR,
+\&\fBEVP_PKEY_ED25519\fR, \fBEVP_PKEY_X448\fR or \fBEVP_PKEY_ED448\fR.
.PP
\&\fBEVP_PKEY_new_raw_private_key_ex()\fR and \fBEVP_PKEY_new_raw_private_key()\fR may also
be used with most MACs implemented as public key algorithms, so key types such
-as \*(L"\s-1HMAC\*(R", \*(L"POLY1305\*(R", \*(L"SIPHASH\*(R",\s0 or their \s-1NID\s0 form \fB\s-1EVP_PKEY_POLY1305\s0\fR,
-\&\fB\s-1EVP_PKEY_SIPHASH\s0\fR, \fB\s-1EVP_PKEY_HMAC\s0\fR are also accepted. This usage is,
-as mentioned above, discouraged in favor of the \s-1\fBEVP_MAC\s0\fR\|(3) \s-1API.\s0
+as "HMAC", "POLY1305", "SIPHASH", or their NID form \fBEVP_PKEY_POLY1305\fR,
+\&\fBEVP_PKEY_SIPHASH\fR, \fBEVP_PKEY_HMAC\fR are also accepted. This usage is,
+as mentioned above, discouraged in favor of the \fBEVP_MAC\fR\|(3) API.
.PP
\&\fBEVP_PKEY_new_raw_public_key_ex()\fR works in the same way as
\&\fBEVP_PKEY_new_raw_private_key_ex()\fR except that \fIkey\fR points to the raw
-public key data. The \fB\s-1EVP_PKEY\s0\fR structure will be initialised without any
+public key data. The \fBEVP_PKEY\fR structure will be initialised without any
private key information. Algorithm types that support raw public keys are
-\&\*(L"X25519\*(R", \*(L"\s-1ED25519\*(R", \*(L"X448\*(R"\s0 or \*(L"\s-1ED448\*(R".\s0
+\&\fBED25519\fR,
+\&\fBED448\fR,
+\&\fBX25519\fR,
+\&\fBX448\fR,
+\&\f(CW\*(C`ML\-DSA\-44\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-65\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-87\*(C'\fR,
+\&\fBML\-KEM\-512\fR,
+\&\fBML\-KEM\-768\fR,
+and
+\&\fBML\-KEM\-1024\fR.
.PP
\&\fBEVP_PKEY_new_raw_public_key()\fR works in the same way as
-\&\fBEVP_PKEY_new_raw_private_key()\fR except that \fIkey\fR points to the raw public key
-data. The \fB\s-1EVP_PKEY\s0\fR structure will be initialised without any private key
-information. Algorithm types that support raw public keys are
-\&\fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR.
+\&\fBEVP_PKEY_new_raw_private_key_ex()\fR except that \fIkey\fR points to the raw public
+key data.
+The \fBEVP_PKEY\fR structure will be initialised without any private key
+information.
.PP
\&\fBEVP_PKEY_new_mac_key()\fR works in the same way as \fBEVP_PKEY_new_raw_private_key()\fR.
New applications should use \fBEVP_PKEY_new_raw_private_key()\fR instead.
@@ -268,35 +213,64 @@ New applications should use \fBEVP_PKEY_new_raw_private_key()\fR instead.
\&\fBEVP_PKEY_get_raw_private_key()\fR fills the buffer provided by \fIpriv\fR with raw
private key data. The size of the \fIpriv\fR buffer should be in \fI*len\fR on entry
to the function, and on exit \fI*len\fR is updated with the number of bytes
-actually written. If the buffer \fIpriv\fR is \s-1NULL\s0 then \fI*len\fR is populated with
+actually written. If the buffer \fIpriv\fR is NULL then \fI*len\fR is populated with
the number of bytes required to hold the key. The calling application is
responsible for ensuring that the buffer is large enough to receive the private
key data. This function only works for algorithms that support raw private keys.
-Currently this is: \fB\s-1EVP_PKEY_HMAC\s0\fR, \fB\s-1EVP_PKEY_POLY1305\s0\fR, \fB\s-1EVP_PKEY_SIPHASH\s0\fR,
-\&\fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR.
+These include:
+\&\fBED25519\fR,
+\&\fBED448\fR,
+\&\fBX25519\fR,
+\&\fBX448\fR,
+\&\fBHMAC\fR,
+\&\fBPOLY1305\fR,
+and
+\&\fBSIPHASH\fR.
+\&\fBEVP_PKEY_get_raw_private_key()\fR also works with
+\&\f(CW\*(C`ML\-DSA\-44\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-65\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-87\*(C'\fR,
+\&\fBML\-KEM\-512\fR,
+\&\fBML\-KEM\-768\fR and
+\&\fBML\-KEM\-1024\fR
+keys, which don't have legacy numeric \fINID\fR assignments, but their raw form is
+nevertheless available.
.PP
\&\fBEVP_PKEY_get_raw_public_key()\fR fills the buffer provided by \fIpub\fR with raw
public key data. The size of the \fIpub\fR buffer should be in \fI*len\fR on entry
to the function, and on exit \fI*len\fR is updated with the number of bytes
-actually written. If the buffer \fIpub\fR is \s-1NULL\s0 then \fI*len\fR is populated with
+actually written. If the buffer \fIpub\fR is NULL then \fI*len\fR is populated with
the number of bytes required to hold the key. The calling application is
responsible for ensuring that the buffer is large enough to receive the public
key data. This function only works for algorithms that support raw public keys.
-Currently this is: \fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or
-\&\fB\s-1EVP_PKEY_ED448\s0\fR.
+These include:
+\&\fBED25519\fR,
+\&\fBED448\fR,
+\&\fBX25519\fR,
+and
+\&\fBX448\fR
+\&\fBEVP_PKEY_get_raw_public_key()\fR also works with
+\&\f(CW\*(C`ML\-DSA\-44\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-65\*(C'\fR,
+\&\f(CW\*(C`ML\-DSA\-87\*(C'\fR,
+\&\fBML\-KEM\-512\fR,
+\&\fBML\-KEM\-768\fR and
+\&\fBML\-KEM\-1024\fR
+keys, which don't have legacy numeric \fINID\fR assignments, but their raw form is
+nevertheless available.
.PP
\&\fBEVP_PKEY_new_CMAC_key()\fR works in the same way as \fBEVP_PKEY_new_raw_private_key()\fR
-except it is only for the \fB\s-1EVP_PKEY_CMAC\s0\fR algorithm type. In addition to the
+except it is only for the \fBEVP_PKEY_CMAC\fR algorithm type. In addition to the
raw private key data, it also takes a cipher algorithm to be used during
-creation of a \s-1CMAC\s0 in the \fBcipher\fR argument. The cipher should be a standard
-encryption-only cipher. For example \s-1AEAD\s0 and \s-1XTS\s0 ciphers should not be used.
+creation of a CMAC in the \fBcipher\fR argument. The cipher should be a standard
+encryption-only cipher. For example AEAD and XTS ciphers should not be used.
.PP
-Applications should use the \s-1\fBEVP_MAC\s0\fR\|(3) \s-1API\s0 instead
-and set the \fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR parameter on the \fB\s-1EVP_MAC_CTX\s0\fR object
+Applications should use the \fBEVP_MAC\fR\|(3) API instead
+and set the \fBOSSL_MAC_PARAM_CIPHER\fR parameter on the \fBEVP_MAC_CTX\fR object
with the name of the cipher being used.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1EVP_PKEY\s0\fR structure is used by various OpenSSL functions which require a
+The \fBEVP_PKEY\fR structure is used by various OpenSSL functions which require a
general private key without reference to any particular algorithm.
.PP
The structure returned by \fBEVP_PKEY_new()\fR is empty. To add a private or public
@@ -307,17 +281,28 @@ key to this empty structure use the appropriate functions described in
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_new()\fR, \fBEVP_PKEY_new_raw_private_key()\fR, \fBEVP_PKEY_new_raw_public_key()\fR,
\&\fBEVP_PKEY_new_CMAC_key()\fR and \fBEVP_PKEY_new_mac_key()\fR return either the newly
-allocated \fB\s-1EVP_PKEY\s0\fR structure or \s-1NULL\s0 if an error occurred.
+allocated \fBEVP_PKEY\fR structure or NULL if an error occurred.
.PP
-\&\fBEVP_PKEY_dup()\fR returns the key duplicate or \s-1NULL\s0 if an error occurred.
+\&\fBEVP_PKEY_dup()\fR returns the key duplicate or NULL if an error occurred.
.PP
\&\fBEVP_PKEY_up_ref()\fR, \fBEVP_PKEY_get_raw_private_key()\fR and
\&\fBEVP_PKEY_get_raw_public_key()\fR return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_PKEY_set1_RSA\fR\|(3), \fBEVP_PKEY_set1_DSA\fR\|(3), \fBEVP_PKEY_set1_DH\fR\|(3) or
-\&\fBEVP_PKEY_set1_EC_KEY\fR\|(3)
-.SH "HISTORY"
+\&\fBEVP_PKEY_set1_RSA\fR\|(3),
+\&\fBEVP_PKEY_set1_DSA\fR\|(3),
+\&\fBEVP_PKEY_set1_DH\fR\|(3),
+\&\fBEVP_PKEY_set1_EC_KEY\fR\|(3),
+\&\fBEVP_PKEY\-ED25519\fR\|(7),
+\&\fBEVP_PKEY\-ED448\fR\|(7).
+\&\fBEVP_PKEY\-HMAC\fR\|(7),
+\&\fBEVP_PKEY\-Poly1305\fR\|(7),
+\&\fBEVP_PKEY\-Siphash\fR\|(7),
+\&\fBEVP_PKEY\-X25519\fR\|(7),
+\&\fBEVP_PKEY\-X448\fR\|(7),
+\&\fBEVP_PKEY\-ML\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
The
\&\fBEVP_PKEY_new()\fR and \fBEVP_PKEY_free()\fR functions exist in all versions of OpenSSL.
@@ -335,14 +320,16 @@ functions were added in OpenSSL 3.0.
.PP
The \fBEVP_PKEY_new_CMAC_key()\fR was deprecated in OpenSSL 3.0.
.PP
-The documentation of \fB\s-1EVP_PKEY\s0\fR was amended in OpenSSL 3.0 to allow there to
+The documentation of \fBEVP_PKEY\fR was amended in OpenSSL 3.0 to allow there to
be the private part of the keypair without the public part, where this was
previously implied to be disallowed.
-.SH "COPYRIGHT"
+.PP
+Support for \fBML-DSA\fR and \fBML-KEM\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3
index 147bcf3284b4..87d8cc7dcb69 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_PRINT_PRIVATE 3ossl"
-.TH EVP_PKEY_PRINT_PRIVATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_PRINT_PRIVATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params,
EVP_PKEY_print_public_fp, EVP_PKEY_print_private_fp,
EVP_PKEY_print_params_fp \- public key algorithm printing routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -158,21 +82,21 @@ EVP_PKEY_print_params_fp \- public key algorithm printing routines
\& int EVP_PKEY_print_params_fp(FILE *fp, const EVP_PKEY *pkey,
\& int indent, ASN1_PCTX *pctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions \fBEVP_PKEY_print_public()\fR, \fBEVP_PKEY_print_private()\fR and
\&\fBEVP_PKEY_print_params()\fR print out the public, private or parameter components
-of key \fIpkey\fR respectively. The key is sent to \fB\s-1BIO\s0\fR \fIout\fR in human readable
+of key \fIpkey\fR respectively. The key is sent to \fBBIO\fR \fIout\fR in human readable
form. The parameter \fIindent\fR indicates how far the printout should be indented.
.PP
The \fIpctx\fR parameter allows the print output to be finely tuned by using
-\&\s-1ASN1\s0 printing options. If \fIpctx\fR is set to \s-1NULL\s0 then default values will
+ASN1 printing options. If \fIpctx\fR is set to NULL then default values will
be used.
.PP
The functions \fBEVP_PKEY_print_public_fp()\fR, \fBEVP_PKEY_print_private_fp()\fR and
-\&\fBEVP_PKEY_print_params_fp()\fR do the same as the \fB\s-1BIO\s0\fR based functions
-but use \fB\s-1FILE\s0\fR \fIfp\fR instead.
-.SH "NOTES"
+\&\fBEVP_PKEY_print_params_fp()\fR do the same as the \fBBIO\fR based functions
+but use \fBFILE\fR \fIfp\fR instead.
+.SH NOTES
.IX Header "NOTES"
Currently no public key algorithms include any options in the \fIpctx\fR parameter.
.PP
@@ -188,18 +112,18 @@ the public key algorithm.
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBEVP_PKEY_print_public()\fR, \fBEVP_PKEY_print_private()\fR,
and \fBEVP_PKEY_print_params()\fR were added in OpenSSL 1.0.0.
.PP
The functions \fBEVP_PKEY_print_public_fp()\fR, \fBEVP_PKEY_print_private_fp()\fR,
and \fBEVP_PKEY_print_params_fp()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3
index d012ccc40128..e7f13dca090b 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SET1_RSA 3ossl"
-.TH EVP_PKEY_SET1_RSA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_SET1_RSA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY,
@@ -147,7 +71,7 @@ EVP_PKEY_get0, EVP_PKEY_type, EVP_PKEY_get_id, EVP_PKEY_get_base_id,
EVP_PKEY_set1_engine, EVP_PKEY_get0_engine,
EVP_PKEY_id, EVP_PKEY_base_id \-
EVP_PKEY assignment functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -161,7 +85,7 @@ EVP_PKEY assignment functions
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -194,24 +118,24 @@ see \fBopenssl_user_macros\fR\|(7):
\& ENGINE *EVP_PKEY_get0_engine(const EVP_PKEY *pkey);
\& int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *engine);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_get_base_id()\fR returns the type of \fIpkey\fR. For example
-an \s-1RSA\s0 key will return \fB\s-1EVP_PKEY_RSA\s0\fR.
+an RSA key will return \fBEVP_PKEY_RSA\fR.
.PP
-\&\fBEVP_PKEY_get_id()\fR returns the actual \s-1NID\s0 associated with \fIpkey\fR
+\&\fBEVP_PKEY_get_id()\fR returns the actual NID associated with \fIpkey\fR
only if the \fIpkey\fR type isn't implemented just in a \fBprovider\fR\|(7).
Historically keys using the same algorithm could use different NIDs.
-For example an \s-1RSA\s0 key could use the NIDs corresponding to
-the NIDs \fBNID_rsaEncryption\fR (equivalent to \fB\s-1EVP_PKEY_RSA\s0\fR) or
-\&\fBNID_rsa\fR (equivalent to \fB\s-1EVP_PKEY_RSA2\s0\fR). The use of
-alternative non-standard NIDs is now rare so \fB\s-1EVP_PKEY_RSA2\s0\fR et al are not
+For example an RSA key could use the NIDs corresponding to
+the NIDs \fBNID_rsaEncryption\fR (equivalent to \fBEVP_PKEY_RSA\fR) or
+\&\fBNID_rsa\fR (equivalent to \fBEVP_PKEY_RSA2\fR). The use of
+alternative non-standard NIDs is now rare so \fBEVP_PKEY_RSA2\fR et al are not
often seen in practice.
-\&\fBEVP_PKEY_get_id()\fR returns \-1 (\fB\s-1EVP_PKEY_KEYMGMT\s0\fR) if the \fIpkey\fR is
+\&\fBEVP_PKEY_get_id()\fR returns \-1 (\fBEVP_PKEY_KEYMGMT\fR) if the \fIpkey\fR is
only implemented in a \fBprovider\fR\|(7).
.PP
-\&\fBEVP_PKEY_type()\fR returns the underlying type of the \s-1NID\s0 \fItype\fR. For example
-EVP_PKEY_type(\s-1EVP_PKEY_RSA2\s0) will return \fB\s-1EVP_PKEY_RSA\s0\fR.
+\&\fBEVP_PKEY_type()\fR returns the underlying type of the NID \fItype\fR. For example
+EVP_PKEY_type(EVP_PKEY_RSA2) will return \fBEVP_PKEY_RSA\fR.
.PP
\&\fBEVP_PKEY_set1_RSA()\fR, \fBEVP_PKEY_set1_DSA()\fR, \fBEVP_PKEY_set1_DH()\fR and
\&\fBEVP_PKEY_set1_EC_KEY()\fR set the key referenced by \fIpkey\fR to \fIkey\fR. These
@@ -223,32 +147,32 @@ functions are deprecated. Applications should instead use
\&\fBEVP_PKEY_assign_SIPHASH()\fR set the referenced key to \fIkey\fR however these use
the supplied \fIkey\fR internally and so \fIkey\fR will be freed when the parent
\&\fIpkey\fR is freed. These macros are deprecated. Applications should instead read
-an \s-1EVP_PKEY\s0 directly using the \s-1OSSL_DECODER\s0 APIs (see
-\&\fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3)), or construct an \s-1EVP_PKEY\s0 from data using
+an EVP_PKEY directly using the OSSL_DECODER APIs (see
+\&\fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3)), or construct an EVP_PKEY from data using
\&\fBEVP_PKEY_fromdata\fR\|(3).
.PP
\&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and
-\&\fBEVP_PKEY_get1_EC_KEY()\fR return the referenced key in \fIpkey\fR or \s-1NULL\s0 if the
+\&\fBEVP_PKEY_get1_EC_KEY()\fR return the referenced key in \fIpkey\fR or NULL if the
key is not of the correct type. The returned key must be freed after use.
-These functions are deprecated. Applications should instead use the \s-1EVP_PKEY\s0
+These functions are deprecated. Applications should instead use the EVP_PKEY
directly where possible. If access to the low level key parameters is required
then applications should use \fBEVP_PKEY_get_params\fR\|(3) and other similar
-functions. To write an \s-1EVP_PKEY\s0 out use the \s-1OSSL_ENCODER\s0 APIs (see
+functions. To write an EVP_PKEY out use the OSSL_ENCODER APIs (see
\&\fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3)).
.PP
\&\fBEVP_PKEY_get0_hmac()\fR, \fBEVP_PKEY_get0_poly1305()\fR, \fBEVP_PKEY_get0_siphash()\fR,
\&\fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0_DSA()\fR, \fBEVP_PKEY_get0_DH()\fR and
-\&\fBEVP_PKEY_get0_EC_KEY()\fR return the referenced key in \fIpkey\fR or \s-1NULL\s0 if the
+\&\fBEVP_PKEY_get0_EC_KEY()\fR return the referenced key in \fIpkey\fR or NULL if the
key is not of the correct type. The reference count of the returned key is
\&\fBnot\fR incremented and so the key must not be freed after use. These functions
-are deprecated. Applications should instead use the \s-1EVP_PKEY\s0 directly where
+are deprecated. Applications should instead use the EVP_PKEY directly where
possible. If access to the low level key parameters is required then
applications should use \fBEVP_PKEY_get_params\fR\|(3) and other similar functions.
-To write an \s-1EVP_PKEY\s0 out use the \s-1OSSL_ENCODER\s0 APIs (see
+To write an EVP_PKEY out use the OSSL_ENCODER APIs (see
\&\fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3)). \fBEVP_PKEY_get0()\fR returns a pointer to the
-legacy key or \s-1NULL\s0 if the key is not legacy.
+legacy key or NULL if the key is not legacy.
.PP
-Note that if an \s-1EVP_PKEY\s0 was not constructed using one of the deprecated
+Note that if an EVP_PKEY was not constructed using one of the deprecated
functions such as \fBEVP_PKEY_set1_RSA()\fR, \fBEVP_PKEY_set1_DSA()\fR, \fBEVP_PKEY_set1_DH()\fR
or \fBEVP_PKEY_set1_EC_KEY()\fR, or via the similarly named \fBEVP_PKEY_assign\fR macros
described above then the internal key will be managed by a provider (see
@@ -263,38 +187,38 @@ the provider's key. Subsequent calls to \fBEVP_PKEY_get1_RSA()\fR,
\&\fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and \fBEVP_PKEY_get1_EC_KEY()\fR will always
return the cached copy returned by the first call.
.PP
-\&\fBEVP_PKEY_get0_engine()\fR returns a reference to the \s-1ENGINE\s0 handling \fIpkey\fR. This
+\&\fBEVP_PKEY_get0_engine()\fR returns a reference to the ENGINE handling \fIpkey\fR. This
function is deprecated. Applications should use providers instead of engines
(see \fBprovider\fR\|(7) for details).
.PP
-\&\fBEVP_PKEY_set1_engine()\fR sets the \s-1ENGINE\s0 handling \fIpkey\fR to \fIengine\fR. It
+\&\fBEVP_PKEY_set1_engine()\fR sets the ENGINE handling \fIpkey\fR to \fIengine\fR. It
must be called after the key algorithm and components are set up.
-If \fIengine\fR does not include an \fB\s-1EVP_PKEY_METHOD\s0\fR for \fIpkey\fR an
+If \fIengine\fR does not include an \fBEVP_PKEY_METHOD\fR for \fIpkey\fR an
error occurs. This function is deprecated. Applications should use providers
instead of engines (see \fBprovider\fR\|(7) for details).
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
-The following functions are only reliable with \fB\s-1EVP_PKEY\s0\fRs that have
+The following functions are only reliable with \fBEVP_PKEY\fRs that have
been assigned an internal key with EVP_PKEY_assign_*():
.PP
\&\fBEVP_PKEY_get_id()\fR, \fBEVP_PKEY_get_base_id()\fR, \fBEVP_PKEY_type()\fR
.PP
-For \s-1EVP_PKEY\s0 key type checking purposes, \fBEVP_PKEY_is_a\fR\|(3) is more generic.
+For EVP_PKEY key type checking purposes, \fBEVP_PKEY_is_a\fR\|(3) is more generic.
.PP
-For purposes of retrieving the name of the \fB\s-1EVP_PKEY\s0\fR the function
+For purposes of retrieving the name of the \fBEVP_PKEY\fR the function
\&\fBEVP_PKEY_get0_type_name\fR\|(3) is more generally useful.
.PP
The keys returned from the functions \fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0_DSA()\fR,
-\&\fBEVP_PKEY_get0_DH()\fR and \fBEVP_PKEY_get0_EC_KEY()\fR were changed to have a \*(L"const\*(R"
+\&\fBEVP_PKEY_get0_DH()\fR and \fBEVP_PKEY_get0_EC_KEY()\fR were changed to have a "const"
return type in OpenSSL 3.0. As described above the keys returned may be cached
copies of the key held in a provider. Due to this, and unlike in earlier
versions of OpenSSL, they should be considered read-only copies of the key.
Updates to these keys will not be reflected back in the provider side key. The
\&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and
-\&\fBEVP_PKEY_get1_EC_KEY()\fR functions were not changed to have a \*(L"const\*(R" return type
-in order that applications can \*(L"free\*(R" the return value. However applications
+\&\fBEVP_PKEY_get1_EC_KEY()\fR functions were not changed to have a "const" return type
+in order that applications can "free" the return value. However applications
should still consider them as read-only copies.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
In accordance with the OpenSSL naming convention the key obtained
from or assigned to the \fIpkey\fR using the \fB1\fR functions must be
@@ -305,18 +229,18 @@ freed as well as \fIpkey\fR.
and \fBEVP_PKEY_assign_SIPHASH()\fR are implemented as macros.
.PP
\&\fBEVP_PKEY_assign_EC_KEY()\fR looks at the curve name id to determine if
-the passed \fB\s-1EC_KEY\s0\fR is an \s-1\fBSM2\s0\fR\|(7) key, and will set the \fB\s-1EVP_PKEY\s0\fR
-type to \fB\s-1EVP_PKEY_SM2\s0\fR in that case, instead of \fB\s-1EVP_PKEY_EC\s0\fR.
+the passed \fBEC_KEY\fR is an \fBSM2\fR\|(7) key, and will set the \fBEVP_PKEY\fR
+type to \fBEVP_PKEY_SM2\fR in that case, instead of \fBEVP_PKEY_EC\fR.
.PP
Most applications wishing to know a key type will simply call
\&\fBEVP_PKEY_get_base_id()\fR and will not care about the actual type:
which will be identical in almost all cases.
.PP
Previous versions of this document suggested using EVP_PKEY_type(pkey\->type)
-to determine the type of a key. Since \fB\s-1EVP_PKEY\s0\fR is now opaque this
+to determine the type of a key. Since \fBEVP_PKEY\fR is now opaque this
is no longer possible: the equivalent is EVP_PKEY_get_base_id(pkey).
.PP
-\&\fBEVP_PKEY_set1_engine()\fR is typically used by an \s-1ENGINE\s0 returning an \s-1HSM\s0
+\&\fBEVP_PKEY_set1_engine()\fR is typically used by an ENGINE returning an HSM
key as part of its routine to load a private key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -324,7 +248,7 @@ key as part of its routine to load a private key.
\&\fBEVP_PKEY_set1_EC_KEY()\fR return 1 for success or 0 for failure.
.PP
\&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and
-\&\fBEVP_PKEY_get1_EC_KEY()\fR return the referenced key or \s-1NULL\s0 if
+\&\fBEVP_PKEY_get1_EC_KEY()\fR return the referenced key or NULL if
an error occurred.
.PP
\&\fBEVP_PKEY_assign_RSA()\fR, \fBEVP_PKEY_assign_DSA()\fR, \fBEVP_PKEY_assign_DH()\fR,
@@ -332,13 +256,13 @@ an error occurred.
and \fBEVP_PKEY_assign_SIPHASH()\fR return 1 for success and 0 for failure.
.PP
\&\fBEVP_PKEY_get_base_id()\fR, \fBEVP_PKEY_get_id()\fR and \fBEVP_PKEY_type()\fR return a key
-type or \fBNID_undef\fR (equivalently \fB\s-1EVP_PKEY_NONE\s0\fR) on error.
+type or \fBNID_undef\fR (equivalently \fBEVP_PKEY_NONE\fR) on error.
.PP
\&\fBEVP_PKEY_set1_engine()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_PKEY_new\fR\|(3), \s-1\fBSM2\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_PKEY_new\fR\|(3), \fBSM2\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_id()\fR and \fBEVP_PKEY_base_id()\fR functions were renamed to
include \f(CW\*(C`get\*(C'\fR in their names in OpenSSL 3.0, respectively. The old names
@@ -357,11 +281,11 @@ EVP_PKEY_get0_EC_KEY were made const in OpenSSL 3.0.
.PP
The function \fBEVP_PKEY_set_alias_type()\fR was previously documented on this page.
It was removed in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3
index 117c76533dc7..eb01aac6502c 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_encoded_public_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl"
-.TH EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_SET1_ENCODED_PUBLIC_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_set1_encoded_public_key, EVP_PKEY_get1_encoded_public_key,
EVP_PKEY_set1_tls_encodedpoint, EVP_PKEY_get1_tls_encodedpoint
\&\- functions to set and get public key data within an EVP_PKEY
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -152,7 +76,7 @@ EVP_PKEY_set1_tls_encodedpoint, EVP_PKEY_get1_tls_encodedpoint
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -161,21 +85,27 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& size_t EVP_PKEY_get1_tls_encodedpoint(EVP_PKEY *pkey, unsigned char **ppt);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_set1_encoded_public_key()\fR can be used to set the public key value
-within an existing \s-1EVP_PKEY\s0 object. For the built-in OpenSSL algorithms this
-currently only works for those that support key exchange. Parameters are not
-set as part of this operation, so typically an application will create an
-\&\s-1EVP_PKEY\s0 first, set the parameters on it, and then call this function.
+within an existing EVP_PKEY object, which does not yet have either a public or
+private key assigned.
+For the built-in OpenSSL algorithms this currently only works for those that
+support key exchange or key encapsulation.
+Parameters are not set as part of this operation, so typically an application
+will create an EVP_PKEY first, set the parameters on it, and then call this
+function.
For example setting the parameters might be done using
\&\fBEVP_PKEY_copy_parameters\fR\|(3).
.PP
The format for the encoded public key will depend on the algorithm in use. For
-\&\s-1DH\s0 it should be encoded as a positive integer in big-endian form. For \s-1EC\s0 is
-should be a point conforming to Sec. 2.3.4 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic
-Curve Cryptography\*(R") standard. For X25519 and X448 it should be encoded in a
-format as defined by \s-1RFC7748.\s0
+DH it should be encoded as a positive integer in big-endian form. For EC is
+should be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic
+Curve Cryptography") standard. For \fBX25519\fR and \fBX448\fR it should be encoded
+in the format defined by RFC7748.
+For \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR and \fBML\-KEM\-1024\fR, this is the public key
+format defined in \fBFIPS 203\fR (the 12\-bit per-coefficient encoded public \fIt\fR
+vector and 32\-byte matrix seed \fIrho\fR).
.PP
The key to be updated is supplied in \fBpkey\fR. The buffer containing the encoded
key is pointed to be \fBpub\fR. The length of the buffer is supplied in \fBpublen\fR.
@@ -200,11 +130,11 @@ should use \fBEVP_PKEY_get1_encoded_public_key()\fR instead.
value for failure.
.PP
\&\fBEVP_PKEY_get1_encoded_public_key()\fR returns the length of the encoded key or 0 for failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
See \fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3) for information about
performing a key exchange operation.
-.SS "Set up a peer's \s-1EVP_PKEY\s0 ready for a key exchange operation"
+.SS "Set up a peer's EVP_PKEY ready for a key exchange operation"
.IX Subsection "Set up a peer's EVP_PKEY ready for a key exchange operation"
.Vb 1
\& #include <openssl/evp.h>
@@ -252,21 +182,31 @@ performing a key exchange operation.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_copy_parameters\fR\|(3),
-\&\fBEVP_PKEY_derive_init\fR\|(3), \fBEVP_PKEY_derive\fR\|(3),
-\&\s-1\fBEVP_PKEY\-DH\s0\fR\|(7), \s-1\fBEVP_PKEY\-EC\s0\fR\|(7), \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7), \s-1\fBEVP_PKEY\-X448\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_PKEY_new\fR\|(3),
+\&\fBEVP_PKEY_copy_parameters\fR\|(3),
+\&\fBEVP_PKEY_derive_init\fR\|(3),
+\&\fBEVP_PKEY_derive\fR\|(3),
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-EC\fR\|(7),
+\&\fBEVP_PKEY\-X25519\fR\|(7),
+\&\fBEVP_PKEY\-X448\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\-512\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\-768\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\-1024\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_PKEY_set1_encoded_public_key()\fR and \fBEVP_PKEY_get1_encoded_public_key()\fR were
added in OpenSSL 3.0.
.PP
\&\fBEVP_PKEY_set1_tls_encodedpoint()\fR and \fBEVP_PKEY_get1_tls_encodedpoint()\fR were
deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Support for \fBML-KEM\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3
index 964fc264ddd3..1e9ab4d53ddd 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set_type.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SET_TYPE 3ossl"
-.TH EVP_PKEY_SET_TYPE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_SET_TYPE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_set_type, EVP_PKEY_set_type_str, EVP_PKEY_set_type_by_keymgmt
\&\- functions to change the EVP_PKEY type
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,30 +72,30 @@ EVP_PKEY_set_type, EVP_PKEY_set_type_str, EVP_PKEY_set_type_by_keymgmt
\& int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len);
\& int EVP_PKEY_set_type_by_keymgmt(EVP_PKEY *pkey, EVP_KEYMGMT *keymgmt);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All the functions described here behave the same in so far that they
clear all the previous key data and methods from \fIpkey\fR, and reset it
to be of the type of key given by the different arguments. If
-\&\fIpkey\fR is \s-1NULL,\s0 these functions will still return the same return
+\&\fIpkey\fR is NULL, these functions will still return the same return
values as if it wasn't.
.PP
\&\fBEVP_PKEY_set_type()\fR initialises \fIpkey\fR to contain an internal legacy
-key. When doing this, it finds a \s-1\fBEVP_PKEY_ASN1_METHOD\s0\fR\|(3)
+key. When doing this, it finds a \fBEVP_PKEY_ASN1_METHOD\fR\|(3)
corresponding to \fItype\fR, and associates \fIpkey\fR with the findings.
-It is an error if no \s-1\fBEVP_PKEY_ASN1_METHOD\s0\fR\|(3) could be found for
+It is an error if no \fBEVP_PKEY_ASN1_METHOD\fR\|(3) could be found for
\&\fItype\fR.
.PP
\&\fBEVP_PKEY_set_type_str()\fR initialises \fIpkey\fR to contain an internal legacy
-key. When doing this, it finds a \s-1\fBEVP_PKEY_ASN1_METHOD\s0\fR\|(3)
+key. When doing this, it finds a \fBEVP_PKEY_ASN1_METHOD\fR\|(3)
corresponding to \fIstr\fR that has then length \fIlen\fR, and associates
\&\fIpkey\fR with the findings.
-It is an error if no \s-1\fBEVP_PKEY_ASN1_METHOD\s0\fR\|(3) could be found for
+It is an error if no \fBEVP_PKEY_ASN1_METHOD\fR\|(3) could be found for
\&\fItype\fR.
.PP
For both \fBEVP_PKEY_set_type()\fR and \fBEVP_PKEY_set_type_str()\fR, \fIpkey\fR gets
a numeric type, which can be retrieved with \fBEVP_PKEY_get_id\fR\|(3). This
-numeric type is taken from the \s-1\fBEVP_PKEY_ASN1_METHOD\s0\fR\|(3) that was
+numeric type is taken from the \fBEVP_PKEY_ASN1_METHOD\fR\|(3) that was
found, and is equal to or closely related to \fItype\fR in the case of
\&\fBEVP_PKEY_set_type()\fR, or related to \fIstr\fR in the case of
\&\fBEVP_PKEY_set_type_str()\fR.
@@ -179,20 +103,20 @@ found, and is equal to or closely related to \fItype\fR in the case of
\&\fBEVP_PKEY_set_type_by_keymgmt()\fR initialises \fIpkey\fR to contain an
internal provider side key. When doing this, it associates \fIpkey\fR
with \fIkeymgmt\fR. For keys initialised like this, the numeric type
-retrieved with \fBEVP_PKEY_get_id\fR\|(3) will always be \fB\s-1EVP_PKEY_NONE\s0\fR.
+retrieved with \fBEVP_PKEY_get_id\fR\|(3) will always be \fBEVP_PKEY_NONE\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All functions described here return 1 if successful, or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_assign\fR\|(3), \fBEVP_PKEY_get_id\fR\|(3), \fBEVP_PKEY_get0_RSA\fR\|(3),
-\&\fBEVP_PKEY_copy_parameters\fR\|(3), \s-1\fBEVP_PKEY_ASN1_METHOD\s0\fR\|(3),
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBEVP_PKEY_copy_parameters\fR\|(3), \fBEVP_PKEY_ASN1_METHOD\fR\|(3),
+\&\fBEVP_KEYMGMT\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3
index 39b829c4aa62..368213768eee 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_settable_params.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SETTABLE_PARAMS 3ossl"
-.TH EVP_PKEY_SETTABLE_PARAMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_SETTABLE_PARAMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_settable_params, EVP_PKEY_set_params,
EVP_PKEY_set_int_param, EVP_PKEY_set_size_t_param, EVP_PKEY_set_bn_param,
EVP_PKEY_set_utf8_string_param, EVP_PKEY_set_octet_string_param
\&\- set key parameters into a key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -157,17 +81,17 @@ EVP_PKEY_set_utf8_string_param, EVP_PKEY_set_octet_string_param
\& int EVP_PKEY_set_octet_string_param(EVP_PKEY *pkey, const char *key_name,
\& const unsigned char *buf, size_t bsize);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions can be used to set additional parameters into an existing
-\&\fB\s-1EVP_PKEY\s0\fR.
+\&\fBEVP_PKEY\fR.
.PP
\&\fBEVP_PKEY_set_params()\fR sets one or more \fIparams\fR into a \fIpkey\fR.
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for information about parameters.
+See \fBOSSL_PARAM\fR\|(3) for information about parameters.
.PP
\&\fBEVP_PKEY_settable_params()\fR returns a constant list of \fIparams\fR indicating
the names and types of key parameters that can be set.
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for information about parameters.
+See \fBOSSL_PARAM\fR\|(3) for information about parameters.
.PP
\&\fBEVP_PKEY_set_int_param()\fR sets an integer value \fIin\fR into a key \fIpkey\fR for the
associated field \fIkey_name\fR.
@@ -175,35 +99,35 @@ associated field \fIkey_name\fR.
\&\fBEVP_PKEY_set_size_t_param()\fR sets an size_t value \fIin\fR into a key \fIpkey\fR for
the associated field \fIkey_name\fR.
.PP
-\&\fBEVP_PKEY_set_bn_param()\fR sets the \s-1BIGNUM\s0 value \fIbn\fR into a key \fIpkey\fR for the
+\&\fBEVP_PKEY_set_bn_param()\fR sets the BIGNUM value \fIbn\fR into a key \fIpkey\fR for the
associated field \fIkey_name\fR.
.PP
-\&\fBEVP_PKEY_set_utf8_string_param()\fR sets the \s-1UTF8\s0 string \fIstr\fR into a key \fIpkey\fR
+\&\fBEVP_PKEY_set_utf8_string_param()\fR sets the UTF8 string \fIstr\fR into a key \fIpkey\fR
for the associated field \fIkey_name\fR.
.PP
\&\fBEVP_PKEY_set_octet_string_param()\fR sets the octet string value \fIbuf\fR with a
size \fIbsize\fR into a key \fIpkey\fR for the associated field \fIkey_name\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-These functions only work for \fB\s-1EVP_PKEY\s0\fRs that contain a provider side key.
+These functions only work for \fBEVP_PKEY\fRs that contain a provider side key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_settable_params()\fR returns \s-1NULL\s0 on error or if it is not supported,
+\&\fBEVP_PKEY_settable_params()\fR returns NULL on error or if it is not supported,
.PP
All other methods return 1 if a value was successfully set, or 0 if
there was an error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_gettable_params\fR\|(3),
-\&\fBEVP_PKEY_CTX_new\fR\|(3), \fBprovider\-keymgmt\fR\|(7), \s-1\fBOSSL_PARAM\s0\fR\|(3),
-.SH "HISTORY"
+\&\fBEVP_PKEY_CTX_new\fR\|(3), \fBprovider\-keymgmt\fR\|(7), \fBOSSL_PARAM\fR\|(3),
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3
index e0357dbc07cd..16b771a8a2e8 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,127 +52,144 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SIGN 3ossl"
-.TH EVP_PKEY_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-EVP_PKEY_sign_init, EVP_PKEY_sign_init_ex, EVP_PKEY_sign
-\&\- sign using a public key algorithm
-.SH "SYNOPSIS"
+.SH NAME
+EVP_PKEY_sign_init, EVP_PKEY_sign_init_ex, EVP_PKEY_sign_init_ex2,
+EVP_PKEY_sign, EVP_PKEY_sign_message_init, EVP_PKEY_sign_message_update,
+EVP_PKEY_sign_message_final \- sign using a public key algorithm
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_sign_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
+\& int EVP_PKEY_sign_init_ex2(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *algo,
+\& const OSSL_PARAM params[]);
+\& int EVP_PKEY_sign_message_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *algo,
+\& const OSSL_PARAM params[]);
+\& int EVP_PKEY_sign_message_update(EVP_PKEY_CTX *ctx,
+\& unsigned char *in, size_t inlen);
+\& int EVP_PKEY_sign_message_final(EVP_PKEY_CTX *ctx, unsigned char *sig,
+\& size_t *siglen, size_t sigsize);
\& int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
\& unsigned char *sig, size_t *siglen,
\& const unsigned char *tbs, size_t tbslen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_sign_init()\fR initializes a public key algorithm context \fIctx\fR for
signing using the algorithm given when the context was created
using \fBEVP_PKEY_CTX_new\fR\|(3) or variants thereof. The algorithm is used to
-fetch a \fB\s-1EVP_SIGNATURE\s0\fR method implicitly, see \*(L"Implicit fetch\*(R" in \fBprovider\fR\|(7)
+fetch a \fBEVP_SIGNATURE\fR method implicitly, see "Implicit fetch" in \fBprovider\fR\|(7)
for more information about implicit fetches.
.PP
\&\fBEVP_PKEY_sign_init_ex()\fR is the same as \fBEVP_PKEY_sign_init()\fR but additionally
sets the passed parameters \fIparams\fR on the context before returning.
.PP
-The \fBEVP_PKEY_sign()\fR function performs a public key signing operation
-using \fIctx\fR. The data to be signed is specified using the \fItbs\fR and
-\&\fItbslen\fR parameters. If \fIsig\fR is \s-1NULL\s0 then the maximum size of the output
-buffer is written to the \fIsiglen\fR parameter. If \fIsig\fR is not \s-1NULL\s0 then
-before the call the \fIsiglen\fR parameter should contain the length of the
-\&\fIsig\fR buffer, if the call is successful the signature is written to
-\&\fIsig\fR and the amount of data written to \fIsiglen\fR.
-.SH "NOTES"
+\&\fBEVP_PKEY_sign_init_ex2()\fR initializes a public key algorithm context \fIctx\fR for
+signing a pre-computed message digest using the algorithm given by \fIalgo\fR and
+the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
+A context \fIctx\fR without a pre-loaded key cannot be used with this function.
+This function provides almost the same functionality as \fBEVP_PKEY_sign_init_ex()\fR,
+but is uniquely intended to be used with a pre-computed message digest, and
+allows pre-determining the exact conditions for that message digest, if a
+composite signature algorithm (such as RSA\-SHA256) was fetched.
+Following a call to this function, setting parameters that modifies the digest
+implementation or padding is not normally supported.
+.PP
+\&\fBEVP_PKEY_sign_message_init()\fR initializes a public key algorithm context \fIctx\fR
+for signing an unlimited size message using the algorithm given by \fIalgo\fR and
+the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
+Passing the message is supported both in a one-shot fashion using
+\&\fBEVP_PKEY_sign()\fR, and through the combination of \fBEVP_PKEY_sign_message_update()\fR
+and \fBEVP_PKEY_sign_message_final()\fR.
+This function enables using algorithms that can process input of arbitrary
+length, such as ED25519, RSA\-SHA256 and similar.
+.PP
+\&\fBEVP_PKEY_sign_message_update()\fR adds \fIinlen\fR bytes from \fIin\fR to the data to be
+processed for signature. The signature algorithm specification and
+implementation determine how the input bytes are processed and if there's a
+limit on the total size of the input. See "NOTES" below for a deeper
+explanation.
+.PP
+\&\fBEVP_PKEY_sign_message_final()\fR signs the processed data and places the data in
+\&\fIsig\fR, and the number of signature bytes in \fI*siglen\fR, if the number of
+bytes doesn't surpass the size given by \fIsigsize\fR.
+\&\fIsig\fR may be NULL, and in that case, only \fI*siglen\fR is updated with the
+number of signature bytes.
+.PP
+\&\fBEVP_PKEY_sign()\fR is a one-shot function that can be used with all the init
+functions above.
+When initialization was done with \fBEVP_PKEY_sign_init()\fR, \fBEVP_PKEY_sign_init_ex()\fR
+or \fBEVP_PKEY_sign_init_ex2()\fR, the data specified by \fItbs\fR and \fItbslen\fR is
+signed after appropriate padding.
+When initialization was done with \fBEVP_PKEY_sign_message_init()\fR, the data
+specified by \fItbs\fR and \fItbslen\fR is digested by the implied message digest
+algorithm, and the result is signed after appropriate padding.
+If \fIsig\fR is NULL then the maximum size of the output buffer is written to the
+\&\fIsiglen\fR parameter.
+If \fIsig\fR is not NULL, then before the call the \fIsiglen\fR parameter should
+contain the length of the \fIsig\fR buffer, and if the call is successful the
+signature is written to \fIsig\fR and the amount of data written to \fIsiglen\fR.
+.SH NOTES
.IX Header "NOTES"
-\&\fBEVP_PKEY_sign()\fR does not hash the data to be signed, and therefore is
-normally used to sign digests. For signing arbitrary messages, see the
-\&\fBEVP_DigestSignInit\fR\|(3) and
-\&\fBEVP_SignInit\fR\|(3) signing interfaces instead.
+.SS General
+.IX Subsection "General"
+Some signature implementations only accumulate the input data and do no
+further processing before signing it (they expect the input to be a digest),
+while others compress the data, typically by internally producing a digest,
+and signing the result.
+Some of them support both modes of operation at the same time.
+The caller is expected to know how the chosen algorithm is supposed to behave
+and under what conditions.
+.PP
+For example, an RSA implementation can be expected to only expect a message
+digest as input, while ED25519 can be expected to process the input with a hash,
+i.e. to produce the message digest internally, and while RSA\-SHA256 can be
+expected to handle either mode of operation, depending on if the operation was
+initialized with \fBEVP_PKEY_sign_init_ex2()\fR or with \fBEVP_PKEY_sign_message_init()\fR.
.PP
-After the call to \fBEVP_PKEY_sign_init()\fR algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation (see \fBEVP_PKEY_CTX_ctrl\fR\|(3)).
+Similarly, an RSA implementation usually expects additional details to be set,
+like the message digest algorithm that the input is supposed to be digested
+with, as well as the padding mode (see \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and
+\&\fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) and similar others), while an RSA\-SHA256
+implementation usually has these details pre-set and immutable.
.PP
-The function \fBEVP_PKEY_sign()\fR can be called more than once on the same
-context if several operations are performed using the same parameters.
+The functions described here can't be used to combine separate algorithms. In
+particular, neither \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) nor the \fBOSSL_PARAM\fR
+parameter "digest" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) can be used to combine a
+signature algorithm with a hash algorithm to process the input. In other
+words, it's not possible to specify a \fIctx\fR pre-loaded with an RSA pkey, or
+an \fIalgo\fR that fetched \f(CW\*(C`RSA\*(C'\fR and try to specify SHA256 separately to get the
+functionality of RSA\-SHA256. If combining algorithms in that manner is
+desired, please use \fBEVP_DigestSignInit\fR\|(3) and associated functions.
+.SS "Performing multiple signatures"
+.IX Subsection "Performing multiple signatures"
+When initialized using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_sign_init_ex2()\fR,
+\&\fBEVP_PKEY_sign()\fR can be called more than once on the same context to have
+several one-shot operations performed using the same parameters.
+.PP
+When initialized using \fBEVP_PKEY_sign_message_init()\fR, it's not possible to
+call \fBEVP_PKEY_sign()\fR multiple times.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_sign_init()\fR and \fBEVP_PKEY_sign()\fR return 1 for success and 0
-or a negative value for failure. In particular a return value of \-2
-indicates the operation is not supported by the public key algorithm.
-.SH "EXAMPLES"
+All functions return 1 for success and 0 or a negative value for failure.
+.PP
+In particular, \fBEVP_PKEY_sign_init()\fR and its other variants may return \-2 to
+indicate that the operation is not supported by the public key algorithm.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
+.SS "RSA with PKCS#1 padding for SHA256"
+.IX Subsection "RSA with PKCS#1 padding for SHA256"
+Sign data using RSA with PKCS#1 padding and a SHA256 digest as input:
.PP
.Vb 2
\& #include <openssl/evp.h>
@@ -206,7 +207,7 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
\& * point to the SHA\-256 digest to be signed.
\& */
\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
-\& if (!ctx)
+\& if (ctx == NULL)
\& /* Error occurred */
\& if (EVP_PKEY_sign_init(ctx) <= 0)
\& /* Error */
@@ -221,7 +222,7 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
\&
\& sig = OPENSSL_malloc(siglen);
\&
-\& if (!sig)
+\& if (sig == NULL)
\& /* malloc failure */
\&
\& if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
@@ -229,6 +230,153 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
\&
\& /* Signature is siglen bytes written to buffer sig */
.Ve
+.SS "RSA\-SHA256 with a pre-computed digest"
+.IX Subsection "RSA-SHA256 with a pre-computed digest"
+Sign a digest with RSA\-SHA256 using one-shot functions. To be noted is that
+RSA\-SHA256 is assumed to be an implementation of \f(CW\*(C`sha256WithRSAEncryption\*(C'\fR,
+for which the padding is pre-determined to be \fBRSA_PKCS1_PADDING\fR, and the
+input digest is assumed to have been computed using SHA256.
+.PP
+.Vb 2
+\& #include <openssl/evp.h>
+\& #include <openssl/rsa.h>
+\&
+\& EVP_PKEY_CTX *ctx;
+\& /* md is a SHA\-256 digest in this example. */
+\& unsigned char *md, *sig;
+\& size_t mdlen = 32, siglen;
+\& EVP_PKEY *signing_key;
+\&
+\& /*
+\& * NB: assumes signing_key and md are set up before the next
+\& * step. signing_key must be an RSA private key and md must
+\& * point to the SHA\-256 digest to be signed.
+\& */
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
+\& alg = EVP_SIGNATURE_fetch(NULL, "RSA\-SHA256", NULL);
+\&
+\& if (ctx == NULL)
+\& /* Error occurred */
+\& if (EVP_PKEY_sign_init_ex2(ctx, alg, NULL) <= 0)
+\& /* Error */
+\&
+\& /* Determine buffer length */
+\& if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0)
+\& /* Error */
+\&
+\& sig = OPENSSL_malloc(siglen);
+\&
+\& if (sig == NULL)
+\& /* malloc failure */
+\&
+\& if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
+\& /* Error */
+\&
+\& /* Signature is siglen bytes written to buffer sig */
+.Ve
+.SS "RSA\-SHA256, one-shot"
+.IX Subsection "RSA-SHA256, one-shot"
+Sign a document with RSA\-SHA256 using one-shot functions.
+To be noted is that RSA\-SHA256 is assumed to be an implementation of
+\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre-determined to be
+\&\fBRSA_PKCS1_PADDING\fR.
+.PP
+.Vb 2
+\& #include <openssl/evp.h>
+\& #include <openssl/rsa.h>
+\&
+\& EVP_PKEY_CTX *ctx;
+\& /* in is the input in this example. */
+\& unsigned char *in, *sig;
+\& /* inlen is the length of the input in this example. */
+\& size_t inlen, siglen;
+\& EVP_PKEY *signing_key;
+\& EVP_SIGNATURE *alg;
+\&
+\& /*
+\& * NB: assumes signing_key, in and inlen are set up before
+\& * the next step. signing_key must be an RSA private key,
+\& * in must point to data to be digested and signed, and
+\& * inlen must be the size of the data in bytes.
+\& */
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
+\& alg = EVP_SIGNATURE_fetch(NULL, "RSA\-SHA256", NULL);
+\&
+\& if (ctx == NULL || alg == NULL)
+\& /* Error occurred */
+\& if (EVP_PKEY_sign_message_init(ctx, alg, NULL) <= 0)
+\& /* Error */
+\&
+\& /* Determine sig buffer length */
+\& if (EVP_PKEY_sign(ctx, NULL, &siglen, in, inlen) <= 0)
+\& /* Error */
+\&
+\& sig = OPENSSL_malloc(siglen);
+\&
+\& if (sig == NULL)
+\& /* malloc failure */
+\&
+\& if (EVP_PKEY_sign(ctx, sig, &siglen, in, inlen) <= 0)
+\& /* Error */
+\&
+\& /* Signature is siglen bytes written to buffer sig */
+.Ve
+.SS "RSA\-SHA256, using update and final"
+.IX Subsection "RSA-SHA256, using update and final"
+This is the same as the previous example, but allowing stream-like
+functionality.
+.PP
+.Vb 2
+\& #include <openssl/evp.h>
+\& #include <openssl/rsa.h>
+\&
+\& EVP_PKEY_CTX *ctx;
+\& /* in is the input in this example. */
+\& unsigned char *in, *sig;
+\& /* inlen is the length of the input in this example. */
+\& size_t inlen, siglen;
+\& EVP_PKEY *signing_key;
+\& EVP_SIGNATURE *alg;
+\&
+\& /*
+\& * NB: assumes signing_key, in and inlen are set up before
+\& * the next step. signing_key must be an RSA private key,
+\& * in must point to data to be digested and signed, and
+\& * inlen must be the size of the data in bytes.
+\& */
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
+\& alg = EVP_SIGNATURE_fetch(NULL, "RSA\-SHA256", NULL);
+\&
+\& if (ctx == NULL || alg == NULL)
+\& /* Error occurred */
+\& if (EVP_PKEY_sign_message_init(ctx, alg, NULL) <= 0)
+\& /* Error */
+\&
+\& while (inlen > 0) {
+\& if (EVP_PKEY_sign_message_update(ctx, in, inlen)) <= 0)
+\& /* Error */
+\& if (inlen > 256) {
+\& inlen \-= 256;
+\& in += 256;
+\& } else {
+\& inlen = 0;
+\& }
+\& }
+\&
+\& /* Determine sig buffer length */
+\& if (EVP_PKEY_sign_message_final(ctx, NULL, &siglen) <= 0)
+\& /* Error */
+\&
+\& sig = OPENSSL_malloc(siglen);
+\&
+\& if (sig == NULL)
+\& /* malloc failure */
+\&
+\& if (EVP_PKEY_sign_message_final(ctx, sig, &siglen) <= 0)
+\& /* Error */
+\&
+\& /* Signature is siglen bytes written to buffer sig */
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
@@ -238,17 +386,21 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_sign_init()\fR and \fBEVP_PKEY_sign()\fR functions were added in
OpenSSL 1.0.0.
.PP
The \fBEVP_PKEY_sign_init_ex()\fR function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \fBEVP_PKEY_sign_init_ex2()\fR, \fBEVP_PKEY_sign_message_init()\fR,
+\&\fBEVP_PKEY_sign_message_update()\fR and \fBEVP_PKEY_sign_message_final()\fR functions
+where added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3
index 9dcd9dbb1e10..e3c1d72df6c2 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_todata.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_TODATA 3ossl"
-.TH EVP_PKEY_TODATA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_TODATA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_todata, EVP_PKEY_export
\&\- functions to return keys as an array of key parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,23 +72,23 @@ EVP_PKEY_todata, EVP_PKEY_export
\& int EVP_PKEY_export(const EVP_PKEY *pkey, int selection,
\& OSSL_CALLBACK *export_cb, void *export_cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The functions described here are used to extract \fB\s-1EVP_PKEY\s0\fR key values as an
-array of \s-1\fBOSSL_PARAM\s0\fR\|(3).
+The functions described here are used to extract \fBEVP_PKEY\fR key values as an
+array of \fBOSSL_PARAM\fR\|(3).
.PP
\&\fBEVP_PKEY_todata()\fR extracts values from a key \fIpkey\fR using the \fIselection\fR.
-\&\fIselection\fR is described in \*(L"Selections\*(R" in \fBEVP_PKEY_fromdata\fR\|(3).
+\&\fIselection\fR is described in "Selections" in \fBEVP_PKEY_fromdata\fR\|(3).
\&\fBOSSL_PARAM_free\fR\|(3) should be used to free the returned parameters in
\&\fI*params\fR.
.PP
\&\fBEVP_PKEY_export()\fR is similar to \fBEVP_PKEY_todata()\fR but uses a callback
\&\fIexport_cb\fR that gets passed the value of \fIexport_cbarg\fR.
See \fBopenssl\-core.h\fR\|(7) for more information about the callback. Note that the
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) array that is passed to the callback is not persistent after the
+\&\fBOSSL_PARAM\fR\|(3) array that is passed to the callback is not persistent after the
callback returns. The user must preserve the items of interest, or use
\&\fBEVP_PKEY_todata()\fR if persistence is required.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions only work with key management methods coming from a provider.
This is the mirror function to \fBEVP_PKEY_fromdata\fR\|(3).
@@ -173,19 +97,30 @@ This is the mirror function to \fBEVP_PKEY_fromdata\fR\|(3).
\&\fBEVP_PKEY_todata()\fR and \fBEVP_PKEY_export()\fR return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3), \fBopenssl\-core.h\fR\|(7),
+\&\fBOSSL_PARAM\fR\|(3),
+\&\fBopenssl\-core.h\fR\|(7),
\&\fBEVP_PKEY_fromdata\fR\|(3),
-\&\s-1\fBEVP_PKEY\-RSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-DH\s0\fR\|(7), \s-1\fBEVP_PKEY\-EC\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-ED448\s0\fR\|(7), \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7), \s-1\fBEVP_PKEY\-X448\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-ED25519\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_PKEY\-RSA\fR\|(7),
+\&\fBEVP_PKEY\-EC\fR\|(7),
+\&\fBEVP_PKEY\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-ED25519\fR\|(7)
+\&\fBEVP_PKEY\-ED448\fR\|(7),
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-X25519\fR\|(7),
+\&\fBEVP_PKEY\-X448\fR\|(7),
+\&\fBEVP_PKEY\-ML\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\fR\|(7),
+\&\fBEVP_PKEY\-SLH\-DSA\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Support for \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3
index adfaf1a543c2..e4db7bac5135 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,125 +52,155 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_VERIFY 3ossl"
-.TH EVP_PKEY_VERIFY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_VERIFY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-EVP_PKEY_verify_init, EVP_PKEY_verify_init_ex, EVP_PKEY_verify
-\&\- signature verification using a public key algorithm
-.SH "SYNOPSIS"
+.SH NAME
+EVP_PKEY_verify_init, EVP_PKEY_verify_init_ex, EVP_PKEY_verify_init_ex2,
+EVP_PKEY_verify, EVP_PKEY_verify_message_init, EVP_PKEY_verify_message_update,
+EVP_PKEY_verify_message_final, EVP_PKEY_CTX_set_signature \- signature
+verification using a public key algorithm
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_verify_init_ex(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
+\& int EVP_PKEY_verify_init_ex2(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *algo,
+\& const OSSL_PARAM params[]);
+\& int EVP_PKEY_verify_message_init(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *algo,
+\& const OSSL_PARAM params[]);
+\& int EVP_PKEY_CTX_set_signature(EVP_PKEY_CTX *pctx,
+\& const unsigned char *sig, size_t siglen);
+\& int EVP_PKEY_verify_message_update(EVP_PKEY_CTX *ctx,
+\& unsigned char *in, size_t inlen);
+\& int EVP_PKEY_verify_message_final(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
\& const unsigned char *sig, size_t siglen,
\& const unsigned char *tbs, size_t tbslen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_verify_init()\fR initializes a public key algorithm context \fIctx\fR for
-signing using the algorithm given when the context was created
+verification using the algorithm given when the context was created
using \fBEVP_PKEY_CTX_new\fR\|(3) or variants thereof. The algorithm is used to
-fetch a \fB\s-1EVP_SIGNATURE\s0\fR method implicitly, see \*(L"Implicit fetch\*(R" in \fBprovider\fR\|(7)
+fetch a \fBEVP_SIGNATURE\fR method implicitly, see "Implicit fetch" in \fBprovider\fR\|(7)
for more information about implicit fetches.
.PP
\&\fBEVP_PKEY_verify_init_ex()\fR is the same as \fBEVP_PKEY_verify_init()\fR but additionally
sets the passed parameters \fIparams\fR on the context before returning.
.PP
-The \fBEVP_PKEY_verify()\fR function performs a public key verification operation
-using \fIctx\fR. The signature is specified using the \fIsig\fR and
-\&\fIsiglen\fR parameters. The verified data (i.e. the data believed originally
-signed) is specified using the \fItbs\fR and \fItbslen\fR parameters.
-.SH "NOTES"
+\&\fBEVP_PKEY_verify_init_ex2()\fR is the same as \fBEVP_PKEY_verify_init_ex()\fR, but works
+with an explicitly fetched \fBEVP_SIGNATURE\fR \fIalgo\fR.
+A context \fIctx\fR without a pre-loaded key cannot be used with this function.
+Depending on what algorithm was fetched, certain details revolving around the
+treatment of the input to \fBEVP_PKEY_verify()\fR may be pre-determined, and in that
+case, those details may normally not be changed.
+See "NOTES" below for a deeper explanation.
+.PP
+\&\fBEVP_PKEY_verify_message_init()\fR initializes a public key algorithm context
+\&\fIctx\fR for verifying an unlimited size message using the algorithm given by
+\&\fIalgo\fR and the key given through \fBEVP_PKEY_CTX_new\fR\|(3) or
+\&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
+Passing the message is supported both in a one-shot fashion using
+\&\fBEVP_PKEY_verify()\fR, and through the combination of \fBEVP_PKEY_verify_update()\fR and
+\&\fBEVP_PKEY_verify_final()\fR.
+This function enables using algorithms that can process input of arbitrary
+length, such as ED25519, RSA\-SHA256 and similar.
+.PP
+\&\fBEVP_PKEY_CTX_set_signature()\fR specifies the \fIsiglen\fR bytes long signature
+\&\fIsig\fR to be verified against by \fBEVP_PKEY_verify_final()\fR.
+It \fImust\fR be used together with \fBEVP_PKEY_verify_update()\fR and
+\&\fBEVP_PKEY_verify_final()\fR.
+See "NOTES" below for a deeper explanation.
+.PP
+\&\fBEVP_PKEY_verify_update()\fR adds \fIinlen\fR bytes from \fIin\fR to the data to be
+processed for verification. The signature algorithm specification and
+implementation determine how the input bytes are processed and if there's a
+limit on the total size of the input. See "NOTES" below for a deeper
+explanation.
+.PP
+\&\fBEVP_PKEY_verify_final()\fR verifies the processed data, given only \fIctx\fR.
+The signature to verify against must have been given with
+\&\fBEVP_PKEY_CTX_set_signature()\fR.
+.PP
+\&\fBEVP_PKEY_verify()\fR is a one-shot function that performs the same thing as
+\&\fBEVP_PKEY_CTX_set_signature()\fR call with \fIsig\fR and \fIsiglen\fR as parameters,
+followed by a single \fBEVP_PKEY_verify_update()\fR call with \fItbs\fR and \fItbslen\fR,
+followed by \fBEVP_PKEY_verify_final()\fR call.
+.SH NOTES
.IX Header "NOTES"
-After the call to \fBEVP_PKEY_verify_init()\fR algorithm specific control
-operations can be performed to set any appropriate parameters for the
-operation.
+.SS General
+.IX Subsection "General"
+Some signature implementations only accumulate the input data and do no
+further processing before verifying it (they expect the input to be a digest),
+while others compress the data, typically by internally producing a digest,
+and signing the result, which is then verified against a given signature.
+Some of them support both modes of operation at the same time.
+The caller is expected to know how the chosen algorithm is supposed to behave
+and under what conditions.
.PP
-The function \fBEVP_PKEY_verify()\fR can be called more than once on the same
-context if several operations are performed using the same parameters.
+For example, an RSA implementation can be expected to only expect a digest as
+input, while ED25519 can be expected to process the input with a hash, i.e.
+to produce the digest internally, and while RSA\-SHA256 can be expected to
+handle either mode of operation, depending on if the operation was initialized
+with \fBEVP_PKEY_verify_init_ex2()\fR or with \fBEVP_PKEY_verify_message_init()\fR.
+.PP
+Similarly, an RSA implementation usually expects additional details to be set,
+like the message digest algorithm that the input is supposed to be digested
+with, as well as the padding mode (see \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) and
+\&\fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) and similar others), while an RSA\-SHA256
+implementation usually has these details pre-set and immutable.
+.PP
+The functions described here can't be used to combine separate algorithms. In
+particular, neither \fBEVP_PKEY_CTX_set_signature_md\fR\|(3) nor the \fBOSSL_PARAM\fR
+parameter "digest" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) can be used to combine a
+signature algorithm with a hash algorithm to process the input. In other
+words, it's not possible to specify a \fIctx\fR pre-loaded with an RSA pkey, or
+an \fIalgo\fR that fetched \f(CW\*(C`RSA\*(C'\fR and try to specify SHA256 separately to get the
+functionality of RSA\-SHA256. If combining algorithms in that manner is
+desired, please use \fBEVP_DigestVerifyInit\fR\|(3) and associated functions, or
+\&\fBEVP_VerifyInit\fR\|(3) and associated functions.
+.SS "Performing multiple verifications"
+.IX Subsection "Performing multiple verifications"
+When initialized using \fBEVP_PKEY_verify_init_ex()\fR or \fBEVP_PKEY_verify_init_ex2()\fR,
+\&\fBEVP_PKEY_verify()\fR can be called more than once on the same context to have
+several one-shot operations performed using the same parameters.
+.PP
+When initialized using \fBEVP_PKEY_verify_message_init()\fR, it's not possible to
+call \fBEVP_PKEY_verify()\fR multiple times.
+.SS "On \fBEVP_PKEY_CTX_set_signature()\fP"
+.IX Subsection "On EVP_PKEY_CTX_set_signature()"
+Some signature algorithms (such as LMS) require the signature verification
+data be specified before verifying the message.
+Other algorithms allow the signature to be specified late.
+To allow either way (which may depend on the application's flow of input), the
+signature to be verified against \fImust\fR be specified using this function when
+using \fBEVP_PKEY_verify_message_update()\fR and \fBEVP_PKEY_verify_message_final()\fR to
+perform the verification.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_PKEY_verify_init()\fR and \fBEVP_PKEY_verify()\fR return 1 if the verification was
-successful and 0 if it failed. Unlike other functions the return value 0 from
-\&\fBEVP_PKEY_verify()\fR only indicates that the signature did not verify
-successfully (that is tbs did not match the original data or the signature was
-of invalid form) it is not an indication of a more serious error.
+All functions return 1 for success and 0 or a negative value for failure.
+However, unlike other functions, the return value 0 from \fBEVP_PKEY_verify()\fR,
+\&\fBEVP_PKEY_verify_recover()\fR and \fBEVP_PKEY_verify_message_final()\fR only indicates
+that the signature did not verify successfully (that is tbs did not match the
+original data or the signature was of invalid form) it is not an indication of
+a more serious error.
.PP
A negative value indicates an error other that signature verification failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Verify signature using PKCS#1 and \s-1SHA256\s0 digest:
+.SS "RSA with PKCS#1 padding for SHA256"
+.IX Subsection "RSA with PKCS#1 padding for SHA256"
+Verify signature using PKCS#1 padding and a SHA256 digest as input:
.PP
.Vb 2
\& #include <openssl/evp.h>
@@ -202,7 +216,7 @@ Verify signature using PKCS#1 and \s-1SHA256\s0 digest:
\& * and that verify_key is an RSA public key
\& */
\& ctx = EVP_PKEY_CTX_new(verify_key, NULL /* no engine */);
-\& if (!ctx)
+\& if (ctx == NULL)
\& /* Error occurred */
\& if (EVP_PKEY_verify_init(ctx) <= 0)
\& /* Error */
@@ -219,6 +233,140 @@ Verify signature using PKCS#1 and \s-1SHA256\s0 digest:
\& * other error.
\& */
.Ve
+.SS "RSA\-SHA256 with a pre-computed digest"
+.IX Subsection "RSA-SHA256 with a pre-computed digest"
+Verify a digest with RSA\-SHA256 using one-shot functions. To be noted is that
+RSA\-SHA256 is assumed to be an implementation of \f(CW\*(C`sha256WithRSAEncryption\*(C'\fR,
+for which the padding is pre-determined to be \fBRSA_PKCS1_PADDING\fR, and the
+input digest is assumed to have been computed using SHA256.
+.PP
+.Vb 2
+\& #include <openssl/evp.h>
+\& #include <openssl/rsa.h>
+\&
+\& EVP_PKEY_CTX *ctx;
+\& /* md is a SHA\-256 digest in this example. */
+\& unsigned char *md, *sig;
+\& size_t mdlen = 32, siglen;
+\& EVP_PKEY *signing_key;
+\&
+\& /*
+\& * NB: assumes verify_key, sig, siglen, md and mdlen are already set up
+\& * and that verify_key is an RSA public key
+\& */
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
+\& alg = EVP_SIGNATURE_fetch(NULL, "RSA\-SHA256", NULL);
+\&
+\& if (ctx == NULL)
+\& /* Error occurred */
+\& if (EVP_PKEY_verify_init_ex2(ctx, alg, NULL) <= 0)
+\& /* Error */
+\&
+\& /* Determine buffer length */
+\& if (EVP_PKEY_verify(ctx, sig, siglen, md, mdlen) <= 0)
+\& /* Error or signature doesn\*(Aqt verify */
+\&
+\& /* Perform operation */
+\& ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
+\&
+\& /*
+\& * ret == 1 indicates success, 0 verify failure and < 0 for some
+\& * other error.
+\& */
+.Ve
+.SS "RSA\-SHA256, one-shot"
+.IX Subsection "RSA-SHA256, one-shot"
+Verify a document with RSA\-SHA256 using one-shot functions.
+To be noted is that RSA\-SHA256 is assumed to be an implementation of
+\&\f(CW\*(C`sha256WithRSAEncryption\*(C'\fR, for which the padding is pre-determined to be
+\&\fBRSA_PKCS1_PADDING\fR.
+.PP
+.Vb 2
+\& #include <openssl/evp.h>
+\& #include <openssl/rsa.h>
+\&
+\& EVP_PKEY_CTX *ctx;
+\& /* in the input in this example. */
+\& unsigned char *in, *sig;
+\& /* inlen is the length of the input in this example. */
+\& size_t inlen, siglen;
+\& EVP_PKEY *signing_key;
+\& EVP_SIGNATURE *alg;
+\&
+\& /*
+\& * NB: assumes signing_key, in and inlen are set up before
+\& * the next step. signing_key must be an RSA private key,
+\& * in must point to data to be digested and signed, and
+\& * inlen must be the size of the data in bytes.
+\& */
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
+\& alg = EVP_SIGNATURE_fetch(NULL, "RSA\-SHA256", NULL);
+\&
+\& if (ctx == NULL || alg == NULL)
+\& /* Error occurred */
+\& if (EVP_PKEY_verify_message_init(ctx, alg, NULL) <= 0)
+\& /* Error */
+\&
+\& /* Perform operation */
+\& ret = EVP_PKEY_verify(ctx, sig, siglen, in, inlen);
+\&
+\& /*
+\& * ret == 1 indicates success, 0 verify failure and < 0 for some
+\& * other error.
+\& */
+.Ve
+.SS "RSA\-SHA256, using update and final"
+.IX Subsection "RSA-SHA256, using update and final"
+This is the same as the previous example, but allowing stream-like
+functionality.
+.PP
+.Vb 2
+\& #include <openssl/evp.h>
+\& #include <openssl/rsa.h>
+\&
+\& EVP_PKEY_CTX *ctx;
+\& /* in is the input in this example. */
+\& unsigned char *in, *sig;
+\& /* inlen is the length of the input in this example. */
+\& size_t inlen, siglen;
+\& EVP_PKEY *signing_key;
+\& EVP_SIGNATURE *alg;
+\&
+\& /*
+\& * NB: assumes signing_key, in and inlen are set up before
+\& * the next step. signing_key must be an RSA private key,
+\& * in must point to data to be digested and signed, and
+\& * inlen must be the size of the data in bytes.
+\& */
+\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
+\& alg = EVP_SIGNATURE_fetch(NULL, "RSA\-SHA256", NULL);
+\&
+\& if (ctx == NULL || alg == NULL)
+\& /* Error occurred */
+\& if (EVP_PKEY_verify_message_init(ctx, alg, NULL) <= 0)
+\& /* Error */
+\&
+\& /* We have the signature, specify it early */
+\& EVP_PKEY_CTX_set_signature(ctx, sig, siglen);
+\&
+\& /* Perform operation */
+\& while (inlen > 0) {
+\& if (EVP_PKEY_verify_message_update(ctx, in, inlen)) <= 0)
+\& /* Error */
+\& if (inlen > 256) {
+\& inlen \-= 256;
+\& in += 256;
+\& } else {
+\& inlen = 0;
+\& }
+\& }
+\& ret = EVP_PKEY_verify_message_final(ctx);
+\&
+\& /*
+\& * ret == 1 indicates success, 0 verify failure and < 0 for some
+\& * other error.
+\& */
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
@@ -227,17 +375,21 @@ Verify signature using PKCS#1 and \s-1SHA256\s0 digest:
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_verify_init()\fR and \fBEVP_PKEY_verify()\fR functions were added in
OpenSSL 1.0.0.
.PP
The \fBEVP_PKEY_verify_init_ex()\fR function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \fBEVP_PKEY_verify_init_ex2()\fR, \fBEVP_PKEY_verify_message_init()\fR,
+\&\fBEVP_PKEY_verify_message_update()\fR, \fBEVP_PKEY_verify_message_final()\fR and
+\&\fBEVP_PKEY_CTX_set_signature()\fR functions where added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3
index 8cc3f87a06b9..8ac1daa9210e 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_VERIFY_RECOVER 3ossl"
-.TH EVP_PKEY_VERIFY_RECOVER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY_VERIFY_RECOVER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover_init_ex,
-EVP_PKEY_verify_recover
+EVP_PKEY_verify_recover_init_ex2, EVP_PKEY_verify_recover
\&\- recover signature using a public key algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,30 +72,40 @@ EVP_PKEY_verify_recover
\& int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_verify_recover_init_ex(EVP_PKEY_CTX *ctx,
\& const OSSL_PARAM params[]);
+\& int EVP_PKEY_verify_recover_init_ex2(EVP_PKEY_CTX *ctx, EVP_SIGNATURE *algo,
+\& const OSSL_PARAM params[]);
\& int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
\& unsigned char *rout, size_t *routlen,
\& const unsigned char *sig, size_t siglen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_verify_recover_init()\fR initializes a public key algorithm context
\&\fIctx\fR for signing using the algorithm given when the context was created
using \fBEVP_PKEY_CTX_new\fR\|(3) or variants thereof. The algorithm is used to
-fetch a \fB\s-1EVP_SIGNATURE\s0\fR method implicitly, see \*(L"Implicit fetch\*(R" in \fBprovider\fR\|(7)
+fetch a \fBEVP_SIGNATURE\fR method implicitly, see "Implicit fetch" in \fBprovider\fR\|(7)
for more information about implicit fetches.
.PP
\&\fBEVP_PKEY_verify_recover_init_ex()\fR is the same as
\&\fBEVP_PKEY_verify_recover_init()\fR but additionally sets the passed parameters
\&\fIparams\fR on the context before returning.
.PP
+\&\fBEVP_PKEY_verify_recover_init_ex2()\fR is the same as \fBEVP_PKEY_verify_recover_init_ex()\fR,
+but works with an explicitly fetched \fBEVP_SIGNATURE\fR \fIalgo\fR.
+A context \fIctx\fR without a pre-loaded key cannot be used with this function.
+Depending on what algorithm was fetched, certain details revolving around the
+treatment of the input to \fBEVP_PKEY_verify()\fR may be pre-determined, and in that
+case, those details may normally not be changed.
+See "NOTES" below for a deeper explanation.
+.PP
The \fBEVP_PKEY_verify_recover()\fR function recovers signed data
using \fIctx\fR. The signature is specified using the \fIsig\fR and
-\&\fIsiglen\fR parameters. If \fIrout\fR is \s-1NULL\s0 then the maximum size of the output
-buffer is written to the \fIroutlen\fR parameter. If \fIrout\fR is not \s-1NULL\s0 then
+\&\fIsiglen\fR parameters. If \fIrout\fR is NULL then the maximum size of the output
+buffer is written to the \fIroutlen\fR parameter. If \fIrout\fR is not NULL then
before the call the \fIroutlen\fR parameter should contain the length of the
\&\fIrout\fR buffer, if the call is successful recovered data is written to
\&\fIrout\fR and the amount of data written to \fIroutlen\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Normally an application is only interested in whether a signature verification
operation is successful in those cases the \fBEVP_verify()\fR function should be
@@ -179,12 +113,16 @@ used.
.PP
Sometimes however it is useful to obtain the data originally signed using a
signing operation. Only certain public key algorithms can recover a signature
-in this way (for example \s-1RSA\s0 in \s-1PKCS\s0 padding mode).
+in this way (for example RSA in PKCS padding mode).
.PP
After the call to \fBEVP_PKEY_verify_recover_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
.PP
+After the call to \fBEVP_PKEY_verify_recover_init_ex2()\fR, algorithm specific control
+operations may not be needed if the chosen algorithm implies that those controls
+pre-set (and immutable).
+.PP
The function \fBEVP_PKEY_verify_recover()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
@@ -192,9 +130,9 @@ context if several operations are performed using the same parameters.
\&\fBEVP_PKEY_verify_recover_init()\fR and \fBEVP_PKEY_verify_recover()\fR return 1 for success
and 0 or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Recover digest originally signed using PKCS#1 and \s-1SHA256\s0 digest:
+Recover digest originally signed using PKCS#1 and SHA256 digest:
.PP
.Vb 2
\& #include <openssl/evp.h>
@@ -241,17 +179,17 @@ Recover digest originally signed using PKCS#1 and \s-1SHA256\s0 digest:
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBEVP_PKEY_verify_recover_init()\fR and \fBEVP_PKEY_verify_recover()\fR
functions were added in OpenSSL 1.0.0.
.PP
The \fBEVP_PKEY_verify_recover_init_ex()\fR function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2013\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_RAND.3 b/secure/lib/libcrypto/man/man3/EVP_RAND.3
index 2358620a90f0..d69daad48404 100644
--- a/secure/lib/libcrypto/man/man3/EVP_RAND.3
+++ b/secure/lib/libcrypto/man/man3/EVP_RAND.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND 3ossl"
-.TH EVP_RAND 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND, EVP_RAND_fetch, EVP_RAND_free, EVP_RAND_up_ref, EVP_RAND_CTX,
-EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_instantiate,
+EVP_RAND_CTX_new, EVP_RAND_CTX_free, EVP_RAND_CTX_up_ref, EVP_RAND_instantiate,
EVP_RAND_uninstantiate, EVP_RAND_generate, EVP_RAND_reseed, EVP_RAND_nonce,
EVP_RAND_enable_locking, EVP_RAND_verify_zeroization, EVP_RAND_get_strength,
EVP_RAND_get_state,
@@ -151,7 +75,7 @@ EVP_RAND_gettable_ctx_params, EVP_RAND_settable_ctx_params,
EVP_RAND_CTX_gettable_params, EVP_RAND_CTX_settable_params,
EVP_RAND_gettable_params, EVP_RAND_STATE_UNINITIALISED, EVP_RAND_STATE_READY,
EVP_RAND_STATE_ERROR \- EVP RAND routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -165,6 +89,7 @@ EVP_RAND_STATE_ERROR \- EVP RAND routines
\& void EVP_RAND_free(EVP_RAND *rand);
\& EVP_RAND_CTX *EVP_RAND_CTX_new(EVP_RAND *rand, EVP_RAND_CTX *parent);
\& void EVP_RAND_CTX_free(EVP_RAND_CTX *ctx);
+\& int EVP_RAND_CTX_up_ref(EVP_RAND_CTX *ctx);
\& EVP_RAND *EVP_RAND_CTX_get0_rand(EVP_RAND_CTX *ctx);
\& int EVP_RAND_get_params(EVP_RAND *rand, OSSL_PARAM params[]);
\& int EVP_RAND_CTX_get_params(EVP_RAND_CTX *ctx, OSSL_PARAM params[]);
@@ -206,89 +131,86 @@ EVP_RAND_STATE_ERROR \- EVP RAND routines
\& #define EVP_RAND_STATE_READY 1
\& #define EVP_RAND_STATE_ERROR 2
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP RAND\s0 routines are a high-level interface to random number generators
+The EVP RAND routines are a high-level interface to random number generators
both deterministic and not.
If you just want to generate random bytes then you don't need to use
these functions: just call \fBRAND_bytes()\fR or \fBRAND_priv_bytes()\fR.
If you want to do more, these calls should be used instead of the older
-\&\s-1RAND\s0 and \s-1RAND_DRBG\s0 functions.
+RAND and RAND_DRBG functions.
.PP
-After creating a \fB\s-1EVP_RAND_CTX\s0\fR for the required algorithm using
+After creating a \fBEVP_RAND_CTX\fR for the required algorithm using
\&\fBEVP_RAND_CTX_new()\fR, inputs to the algorithm are supplied either by
passing them as part of the \fBEVP_RAND_instantiate()\fR call or using calls to
\&\fBEVP_RAND_CTX_set_params()\fR before calling \fBEVP_RAND_instantiate()\fR. Finally,
call \fBEVP_RAND_generate()\fR to produce cryptographically secure random bytes.
-.SS "Types"
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1EVP_RAND\s0\fR is a type that holds the implementation of a \s-1RAND.\s0
+\&\fBEVP_RAND\fR is a type that holds the implementation of a RAND.
.PP
-\&\fB\s-1EVP_RAND_CTX\s0\fR is a context type that holds the algorithm inputs.
-\&\fB\s-1EVP_RAND_CTX\s0\fR structures are reference counted.
+\&\fBEVP_RAND_CTX\fR is a context type that holds the algorithm inputs.
+\&\fBEVP_RAND_CTX\fR structures are reference counted.
.SS "Algorithm implementation fetching"
.IX Subsection "Algorithm implementation fetching"
-\&\fBEVP_RAND_fetch()\fR fetches an implementation of a \s-1RAND\s0 \fIalgorithm\fR, given
+\&\fBEVP_RAND_fetch()\fR fetches an implementation of a RAND \fIalgorithm\fR, given
a library context \fIlibctx\fR and a set of \fIproperties\fR.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
The returned value must eventually be freed with
\&\fBEVP_RAND_free\fR\|(3).
.PP
\&\fBEVP_RAND_up_ref()\fR increments the reference count of an already fetched
-\&\s-1RAND.\s0
+RAND.
.PP
\&\fBEVP_RAND_free()\fR frees a fetched algorithm.
-\&\s-1NULL\s0 is a valid parameter, for which this function is a no-op.
+NULL is a valid parameter, for which this function is a no-op.
.SS "Context manipulation functions"
.IX Subsection "Context manipulation functions"
-\&\fBEVP_RAND_CTX_new()\fR creates a new context for the \s-1RAND\s0 implementation \fIrand\fR.
-If not \s-1NULL,\s0 \fIparent\fR specifies the seed source for this implementation.
+\&\fBEVP_RAND_CTX_new()\fR creates a new context for the RAND implementation \fIrand\fR.
+If not NULL, \fIparent\fR specifies the seed source for this implementation.
Not all random number generators need to have a seed source specified.
-If a parent is required, a \s-1NULL\s0 \fIparent\fR will utilise the operating
+If a parent is required, a NULL \fIparent\fR will utilise the operating
system entropy sources.
It is recommended to minimise the number of random number generators that
rely on the operating system for their randomness because this is often scarce.
.PP
-\&\fBEVP_RAND_CTX_free()\fR frees up the context \fIctx\fR. If \fIctx\fR is \s-1NULL,\s0 nothing
+\&\fBEVP_RAND_CTX_free()\fR frees up the context \fIctx\fR. If \fIctx\fR is NULL, nothing
is done.
.PP
-\&\fBEVP_RAND_CTX_get0_rand()\fR returns the \fB\s-1EVP_RAND\s0\fR associated with the context
+\&\fBEVP_RAND_CTX_get0_rand()\fR returns the \fBEVP_RAND\fR associated with the context
\&\fIctx\fR.
.SS "Random Number Generator Functions"
.IX Subsection "Random Number Generator Functions"
\&\fBEVP_RAND_instantiate()\fR processes any parameters in \fIparams\fR and
-then instantiates the \s-1RAND\s0 \fIctx\fR with a minimum security strength
+then instantiates the RAND \fIctx\fR with a minimum security strength
of <strength> and personalisation string \fIpstr\fR of length <pstr_len>.
If \fIprediction_resistance\fR is specified, fresh entropy from a live source
-will be sought. This call operates as per \s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90C.\s0
+will be sought. This call operates as per NIST SP 800\-90A and SP 800\-90C.
.PP
-\&\fBEVP_RAND_uninstantiate()\fR uninstantiates the \s-1RAND\s0 \fIctx\fR as per
-\&\s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90C.\s0 Subsequent to this call, the \s-1RAND\s0 cannot
+\&\fBEVP_RAND_uninstantiate()\fR uninstantiates the RAND \fIctx\fR as per
+NIST SP 800\-90A and SP 800\-90C. Subsequent to this call, the RAND cannot
be used to generate bytes. It can only be freed or instantiated again.
.PP
-\&\fBEVP_RAND_generate()\fR produces random bytes from the \s-1RAND\s0 \fIctx\fR with the
+\&\fBEVP_RAND_generate()\fR produces random bytes from the RAND \fIctx\fR with the
additional input \fIaddin\fR of length \fIaddin_len\fR. The bytes
produced will meet the security \fIstrength\fR.
If \fIprediction_resistance\fR is specified, fresh entropy from a live source
-will be sought. This call operates as per \s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90C.\s0
+will be sought. This call operates as per NIST SP 800\-90A and SP 800\-90C.
.PP
-\&\fBEVP_RAND_reseed()\fR reseeds the \s-1RAND\s0 with new entropy.
+\&\fBEVP_RAND_reseed()\fR reseeds the RAND with new entropy.
Entropy \fIent\fR of length \fIent_len\fR bytes can be supplied as can additional
-input \fIaddin\fR of length \fIaddin_len\fR bytes. In the \s-1FIPS\s0 provider, both are
-treated as additional input as per \s-1NIST\s0 SP\-800\-90Ar1, Sections 9.1 and 9.2.
-Additional seed material is also drawn from the \s-1RAND\s0's parent or the
+input \fIaddin\fR of length \fIaddin_len\fR bytes. In the FIPS provider, both are
+treated as additional input as per NIST SP\-800\-90Ar1, Sections 9.1 and 9.2.
+Additional seed material is also drawn from the RAND's parent or the
operating system. If \fIprediction_resistance\fR is specified, fresh entropy
-from a live source will be sought. This call operates as per \s-1NIST SP 800\-90A\s0
-and \s-1SP 800\-90C.\s0
+from a live source will be sought. This call operates as per NIST SP 800\-90A
+and SP 800\-90C.
.PP
-\&\fBEVP_RAND_nonce()\fR creates a nonce in \fIout\fR of maximum length \fIoutlen\fR
-bytes from the \s-1RAND\s0 \fIctx\fR. The function returns the length of the generated
-nonce. If \fIout\fR is \s-1NULL,\s0 the length is still returned but no generation
-takes place. This allows a caller to dynamically allocate a buffer of the
-appropriate size.
+\&\fBEVP_RAND_nonce()\fR creates a nonce in \fIout\fR of length \fIoutlen\fR
+bytes from the RAND \fIctx\fR.
.PP
-\&\fBEVP_RAND_enable_locking()\fR enables locking for the \s-1RAND\s0 \fIctx\fR and all of
+\&\fBEVP_RAND_enable_locking()\fR enables locking for the RAND \fIctx\fR and all of
its parents. After this \fIctx\fR will operate in a thread safe manner, albeit
more slowly. This function is not itself thread safe if called with the same
\&\fIctx\fR from multiple threads. Typically locking should be enabled before a
@@ -317,36 +239,36 @@ simply ignored.
Also, what happens when a needed parameter isn't passed down is
defined by the implementation.
.PP
-\&\fBEVP_RAND_gettable_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes
+\&\fBEVP_RAND_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array that describes
the retrievable and settable parameters. \fBEVP_RAND_gettable_params()\fR returns
parameters that can be used with \fBEVP_RAND_get_params()\fR.
.PP
\&\fBEVP_RAND_gettable_ctx_params()\fR and \fBEVP_RAND_CTX_gettable_params()\fR return
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays that describe the retrievable parameters that
+constant \fBOSSL_PARAM\fR\|(3) arrays that describe the retrievable parameters that
can be used with \fBEVP_RAND_CTX_get_params()\fR. \fBEVP_RAND_gettable_ctx_params()\fR
returns the parameters that can be retrieved from the algorithm, whereas
\&\fBEVP_RAND_CTX_gettable_params()\fR returns the parameters that can be retrieved
in the context's current state.
.PP
\&\fBEVP_RAND_settable_ctx_params()\fR and \fBEVP_RAND_CTX_settable_params()\fR return
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays that describe the settable parameters that
+constant \fBOSSL_PARAM\fR\|(3) arrays that describe the settable parameters that
can be used with \fBEVP_RAND_CTX_set_params()\fR. \fBEVP_RAND_settable_ctx_params()\fR
returns the parameters that can be retrieved from the algorithm, whereas
\&\fBEVP_RAND_CTX_settable_params()\fR returns the parameters that can be retrieved
in the context's current state.
.SS "Information functions"
.IX Subsection "Information functions"
-\&\fBEVP_RAND_get_strength()\fR returns the security strength of the \s-1RAND\s0 \fIctx\fR.
+\&\fBEVP_RAND_get_strength()\fR returns the security strength of the RAND \fIctx\fR.
.PP
-\&\fBEVP_RAND_get_state()\fR returns the current state of the \s-1RAND\s0 \fIctx\fR.
+\&\fBEVP_RAND_get_state()\fR returns the current state of the RAND \fIctx\fR.
States defined by the OpenSSL RNGs are:
-.IP "\(bu" 4
-\&\s-1EVP_RAND_STATE_UNINITIALISED:\s0 this \s-1RNG\s0 is currently uninitialised.
+.IP \(bu 4
+EVP_RAND_STATE_UNINITIALISED: this RNG is currently uninitialised.
The instantiate call will change this to the ready state.
-.IP "\(bu" 4
-\&\s-1EVP_RAND_STATE_READY:\s0 this \s-1RNG\s0 is currently ready to generate output.
-.IP "\(bu" 4
-\&\s-1EVP_RAND_STATE_ERROR:\s0 this \s-1RNG\s0 is in an error state.
+.IP \(bu 4
+EVP_RAND_STATE_READY: this RNG is currently ready to generate output.
+.IP \(bu 4
+EVP_RAND_STATE_ERROR: this RNG is in an error state.
.PP
\&\fBEVP_RAND_is_a()\fR returns 1 if \fIrand\fR is an implementation of an
algorithm that's identifiable with \fIname\fR, otherwise 0.
@@ -354,7 +276,7 @@ algorithm that's identifiable with \fIname\fR, otherwise 0.
\&\fBEVP_RAND_get0_provider()\fR returns the provider that holds the implementation
of the given \fIrand\fR.
.PP
-\&\fBEVP_RAND_do_all_provided()\fR traverses all \s-1RAND\s0 implemented by all activated
+\&\fBEVP_RAND_do_all_provided()\fR traverses all RAND implemented by all activated
providers in the given library context \fIlibctx\fR, and for each of the
implementations, calls the given function \fIfn\fR with the implementation method
and the given \fIarg\fR as argument.
@@ -368,93 +290,82 @@ and the given \fIarg\fR as argument.
display and human consumption. The description is at the discretion of
the rand implementation.
.PP
-\&\fBEVP_RAND_verify_zeroization()\fR confirms if the internal \s-1DRBG\s0 state is
-currently zeroed. This is used by the \s-1FIPS\s0 provider to support the mandatory
+\&\fBEVP_RAND_verify_zeroization()\fR confirms if the internal DRBG state is
+currently zeroed. This is used by the FIPS provider to support the mandatory
self tests.
-.SH "PARAMETERS"
+.SH PARAMETERS
.IX Header "PARAMETERS"
The standard parameter names are:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
Returns the state of the random number generator.
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
Returns the bit strength of the random number generator.
+.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This option is used by the OpenSSL FIPS provider and is not supported
+by all EVP_RAND sources.
.PP
For rands that are also deterministic random bit generators (DRBGs), these
additional parameters are recognised. Not all
-parameters are relevant to, or are understood by all \s-1DRBG\s0 rands:
-.ie n .IP """reseed_requests"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_requests'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_requests (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+parameters are relevant to, or are understood by all DRBG rands:
+.IP """reseed_requests"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """reseed_requests"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
Reads or set the number of generate requests before reseeding the
-associated \s-1RAND\s0 ctx.
-.ie n .IP """reseed_time_interval"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.el .IP "``reseed_time_interval'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.IX Item "reseed_time_interval (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
+associated RAND ctx.
+.IP """reseed_time_interval"" (\fBOSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\fR) <integer>" 4
+.IX Item """reseed_time_interval"" (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
Reads or set the number of elapsed seconds before reseeding the
-associated \s-1RAND\s0 ctx.
-.ie n .IP """max_request"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+associated RAND ctx.
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
Specifies the maximum number of bytes that can be generated in a single
call to OSSL_FUNC_rand_generate.
-.ie n .IP """min_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_entropylen (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
+.IP """min_entropylen"" (\fBOSSL_DRBG_PARAM_MIN_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """min_entropylen"" (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
.PD 0
-.ie n .IP """max_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_entropylen (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
+.IP """max_entropylen"" (\fBOSSL_DRBG_PARAM_MAX_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """max_entropylen"" (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
.PD
Specify the minimum and maximum number of bytes of random material that
-can be used to seed the \s-1DRBG.\s0
-.ie n .IP """min_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_noncelen (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
+can be used to seed the DRBG.
+.IP """min_noncelen"" (\fBOSSL_DRBG_PARAM_MIN_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """min_noncelen"" (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
.PD 0
-.ie n .IP """max_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_noncelen (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
+.IP """max_noncelen"" (\fBOSSL_DRBG_PARAM_MAX_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """max_noncelen"" (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
.PD
Specify the minimum and maximum number of bytes of nonce that can be used to
-seed the \s-1DRBG.\s0
-.ie n .IP """max_perslen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_perslen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_perslen (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
+seed the DRBG.
+.IP """max_perslen"" (\fBOSSL_DRBG_PARAM_MAX_PERSLEN\fR) <unsigned integer>" 4
+.IX Item """max_perslen"" (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
.PD 0
-.ie n .IP """max_adinlen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_adinlen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_adinlen (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
+.IP """max_adinlen"" (\fBOSSL_DRBG_PARAM_MAX_ADINLEN\fR) <unsigned integer>" 4
+.IX Item """max_adinlen"" (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
.PD
Specify the minimum and maximum number of bytes of personalisation string
-that can be used with the \s-1DRBG.\s0
-.ie n .IP """reseed_counter"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_counter'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_counter (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
-Specifies the number of times the \s-1DRBG\s0 has been seeded or reseeded.
-.ie n .IP """properties"" (\fB\s-1OSSL_RAND_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_RAND_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_RAND_PARAM_PROPERTIES) <UTF8 string>"
+that can be used with the DRBG.
+.IP """reseed_counter"" (\fBOSSL_DRBG_PARAM_RESEED_COUNTER\fR) <unsigned integer>" 4
+.IX Item """reseed_counter"" (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
+Specifies the number of times the DRBG has been seeded or reseeded.
+.IP """properties"" (\fBOSSL_RAND_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_RAND_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """mac"" (\fB\s-1OSSL_RAND_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_RAND_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_RAND_PARAM_MAC) <UTF8 string>"
-.ie n .IP """digest"" (\fB\s-1OSSL_RAND_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_RAND_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_RAND_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """cipher"" (\fB\s-1OSSL_RAND_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_RAND_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_RAND_PARAM_CIPHER) <UTF8 string>"
+.IP """mac"" (\fBOSSL_RAND_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_RAND_PARAM_MAC) <UTF8 string>"
+.IP """digest"" (\fBOSSL_RAND_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_RAND_PARAM_DIGEST) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_RAND_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_RAND_PARAM_CIPHER) <UTF8 string>"
.PD
-For \s-1RAND\s0 implementations that use an underlying computation \s-1MAC,\s0 digest or
+For RAND implementations that use an underlying computation MAC, digest or
cipher, these parameters set what the algorithm should be.
.Sp
The value is always the name of the intended algorithm,
-or the properties in the case of \fB\s-1OSSL_RAND_PARAM_PROPERTIES\s0\fR.
-.SH "NOTES"
+or the properties in the case of \fBOSSL_RAND_PARAM_PROPERTIES\fR.
+.SH NOTES
.IX Header "NOTES"
The use of a nonzero value for the \fIprediction_resistance\fR argument to
\&\fBEVP_RAND_instantiate()\fR, \fBEVP_RAND_generate()\fR or \fBEVP_RAND_reseed()\fR should
@@ -462,28 +373,28 @@ be used sparingly. In the default setup, this will cause all public and
private DRBGs to be reseeded on next use. Since, by default, public and
private DRBGs are allocated on a per thread basis, this can result in
significant overhead for highly multi-threaded applications. For normal
-use-cases, the default \*(L"reseed_requests\*(R" and \*(L"reseed_time_interval\*(R"
+use-cases, the default "reseed_requests" and "reseed_time_interval"
thresholds ensure sufficient prediction resistance over time and you
can reduce those values if you think they are too high. Explicitly
requesting prediction resistance is intended for more special use-cases
like generating long-term secrets.
.PP
-An \fB\s-1EVP_RAND_CTX\s0\fR needs to have locking enabled if it acts as the parent of
+An \fBEVP_RAND_CTX\fR needs to have locking enabled if it acts as the parent of
more than one child and the children can be accessed concurrently. This must
be done by explicitly calling \fBEVP_RAND_enable_locking()\fR.
.PP
-The \s-1RAND\s0 life-cycle is described in \fBlife_cycle\-rand\fR\|(7). In the future,
+The RAND life-cycle is described in \fBlife_cycle\-rand\fR\|(7). In the future,
the transitions described there will be enforced. When this is done, it will
-not be considered a breaking change to the \s-1API.\s0
+not be considered a breaking change to the API.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_RAND_fetch()\fR returns a pointer to a newly fetched \fB\s-1EVP_RAND\s0\fR, or
-\&\s-1NULL\s0 if allocation failed.
+\&\fBEVP_RAND_fetch()\fR returns a pointer to a newly fetched \fBEVP_RAND\fR, or
+NULL if allocation failed.
.PP
-\&\fBEVP_RAND_get0_provider()\fR returns a pointer to the provider for the \s-1RAND,\s0 or
-\&\s-1NULL\s0 on error.
+\&\fBEVP_RAND_get0_provider()\fR returns a pointer to the provider for the RAND, or
+NULL on error.
.PP
-\&\fBEVP_RAND_CTX_get0_rand()\fR returns a pointer to the \fB\s-1EVP_RAND\s0\fR associated
+\&\fBEVP_RAND_CTX_get0_rand()\fR returns a pointer to the \fBEVP_RAND\fR associated
with the context.
.PP
\&\fBEVP_RAND_get0_name()\fR returns the name of the random number generation
@@ -495,11 +406,13 @@ algorithm.
return value of 0 means that the callback was not called for any names.
.PP
\&\fBEVP_RAND_CTX_new()\fR returns either the newly allocated
-\&\fB\s-1EVP_RAND_CTX\s0\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBEVP_RAND_CTX\fR structure or NULL if an error occurred.
.PP
\&\fBEVP_RAND_CTX_free()\fR does not return a value.
.PP
-\&\fBEVP_RAND_nonce()\fR returns the length of the nonce.
+\&\fBEVP_RAND_CTX_up_ref()\fR returns 1 on success, 0 on error.
+.PP
+\&\fBEVP_RAND_nonce()\fR returns 1 on success, 0 on error.
.PP
\&\fBEVP_RAND_get_strength()\fR returns the strength of the random number generator
in bits.
@@ -507,7 +420,7 @@ in bits.
\&\fBEVP_RAND_gettable_params()\fR, \fBEVP_RAND_gettable_ctx_params()\fR and
\&\fBEVP_RAND_settable_ctx_params()\fR return an array of OSSL_PARAMs.
.PP
-\&\fBEVP_RAND_verify_zeroization()\fR returns 1 if the internal \s-1DRBG\s0 state is
+\&\fBEVP_RAND_verify_zeroization()\fR returns 1 if the internal DRBG state is
currently zeroed, and 0 if not.
.PP
The remaining functions return 1 for success and 0 or a negative value for
@@ -515,20 +428,22 @@ failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_bytes\fR\|(3),
-\&\s-1\fBEVP_RAND\-CTR\-DRBG\s0\fR\|(7),
-\&\s-1\fBEVP_RAND\-HASH\-DRBG\s0\fR\|(7),
-\&\s-1\fBEVP_RAND\-HMAC\-DRBG\s0\fR\|(7),
-\&\s-1\fBEVP_RAND\-TEST\-RAND\s0\fR\|(7),
+\&\fBEVP_RAND\-CTR\-DRBG\fR\|(7),
+\&\fBEVP_RAND\-HASH\-DRBG\fR\|(7),
+\&\fBEVP_RAND\-HMAC\-DRBG\fR\|(7),
+\&\fBEVP_RAND\-TEST\-RAND\fR\|(7),
\&\fBprovider\-rand\fR\|(7),
\&\fBlife_cycle\-rand\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-This functionality was added to OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBEVP_RAND_CTX_up_ref()\fR was added in OpenSSL 3.1.
+.PP
+The remaining functions were added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3 b/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3
index 424120e08668..433db4f60da5 100644
--- a/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3
+++ b/secure/lib/libcrypto/man/man3/EVP_SIGNATURE.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNATURE 3ossl"
-.TH EVP_SIGNATURE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNATURE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SIGNATURE,
EVP_SIGNATURE_fetch, EVP_SIGNATURE_free, EVP_SIGNATURE_up_ref,
EVP_SIGNATURE_is_a, EVP_SIGNATURE_get0_provider,
@@ -144,7 +68,7 @@ EVP_SIGNATURE_do_all_provided, EVP_SIGNATURE_names_do_all,
EVP_SIGNATURE_get0_name, EVP_SIGNATURE_get0_description,
EVP_SIGNATURE_gettable_ctx_params, EVP_SIGNATURE_settable_ctx_params
\&\- Functions to manage EVP_SIGNATURE algorithm objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -170,23 +94,23 @@ EVP_SIGNATURE_gettable_ctx_params, EVP_SIGNATURE_settable_ctx_params
\& const OSSL_PARAM *EVP_SIGNATURE_gettable_ctx_params(const EVP_SIGNATURE *sig);
\& const OSSL_PARAM *EVP_SIGNATURE_settable_ctx_params(const EVP_SIGNATURE *sig);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_SIGNATURE_fetch()\fR fetches the implementation for the given
\&\fBalgorithm\fR from any provider offering it, within the criteria given
by the \fBproperties\fR.
The algorithm will be one offering functions for performing signature related
tasks such as signing and verifying.
-See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
.PP
The returned value must eventually be freed with \fBEVP_SIGNATURE_free()\fR.
.PP
-\&\fBEVP_SIGNATURE_free()\fR decrements the reference count for the \fB\s-1EVP_SIGNATURE\s0\fR
+\&\fBEVP_SIGNATURE_free()\fR decrements the reference count for the \fBEVP_SIGNATURE\fR
structure. Typically this structure will have been obtained from an earlier call
to \fBEVP_SIGNATURE_fetch()\fR. If the reference count drops to 0 then the
-structure is freed.
+structure is freed. If the argument is NULL, nothing is done.
.PP
-\&\fBEVP_SIGNATURE_up_ref()\fR increments the reference count for an \fB\s-1EVP_SIGNATURE\s0\fR
+\&\fBEVP_SIGNATURE_up_ref()\fR increments the reference count for an \fBEVP_SIGNATURE\fR
structure.
.PP
\&\fBEVP_SIGNATURE_is_a()\fR returns 1 if \fIsignature\fR is an implementation of an
@@ -195,7 +119,7 @@ algorithm that's identifiable with \fIname\fR, otherwise 0.
\&\fBEVP_SIGNATURE_get0_provider()\fR returns the provider that \fIsignature\fR was
fetched from.
.PP
-\&\fBEVP_SIGNATURE_do_all_provided()\fR traverses all \s-1SIGNATURE\s0 implemented by all
+\&\fBEVP_SIGNATURE_do_all_provided()\fR traverses all SIGNATURE implemented by all
activated providers in the given library context \fIlibctx\fR, and for each of the
implementations, calls the given function \fIfn\fR with the implementation method
and the given \fIarg\fR as argument.
@@ -214,13 +138,13 @@ meant for display and human consumption. The description is at the
discretion of the \fIsignature\fR implementation.
.PP
\&\fBEVP_SIGNATURE_gettable_ctx_params()\fR and \fBEVP_SIGNATURE_settable_ctx_params()\fR
-return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the names and types of key
+return a constant \fBOSSL_PARAM\fR\|(3) array that describes the names and types of key
parameters that can be retrieved or set by a signature algorithm using
\&\fBEVP_PKEY_CTX_get_params\fR\|(3) and \fBEVP_PKEY_CTX_set_params\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_SIGNATURE_fetch()\fR returns a pointer to an \fB\s-1EVP_SIGNATURE\s0\fR for success
-or \fB\s-1NULL\s0\fR for failure.
+\&\fBEVP_SIGNATURE_fetch()\fR returns a pointer to an \fBEVP_SIGNATURE\fR for success
+or \fBNULL\fR for failure.
.PP
\&\fBEVP_SIGNATURE_up_ref()\fR returns 1 for success or 0 otherwise.
.PP
@@ -228,18 +152,18 @@ or \fB\s-1NULL\s0\fR for failure.
A return value of 0 means that the callback was not called for any names.
.PP
\&\fBEVP_SIGNATURE_gettable_ctx_params()\fR and \fBEVP_SIGNATURE_settable_ctx_params()\fR
-return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array or \s-1NULL\s0 on error.
+return a constant \fBOSSL_PARAM\fR\|(3) array or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7), \s-1\fBOSSL_PROVIDER\s0\fR\|(3)
-.SH "HISTORY"
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7), \fBOSSL_PROVIDER\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SKEY.3 b/secure/lib/libcrypto/man/man3/EVP_SKEY.3
new file mode 100644
index 000000000000..f77ab2f0b994
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/EVP_SKEY.3
@@ -0,0 +1,205 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_SKEY 3ossl"
+.TH EVP_SKEY 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_SKEY, EVP_SKEY_generate,
+EVP_SKEY_import, EVP_SKEY_import_raw_key, EVP_SKEY_up_ref,
+EVP_SKEY_export, EVP_SKEY_get0_raw_key, EVP_SKEY_get0_key_id,
+EVP_SKEY_get0_skeymgmt_name, EVP_SKEY_get0_provider_name,
+EVP_SKEY_free, EVP_SKEY_is_a, EVP_SKEY_to_provider
+\&\- opaque symmetric key allocation and handling functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/evp.h>
+\&
+\& typedef evp_skey_st EVP_SKEY;
+\&
+\& EVP_SKEY *EVP_SKEY_generate(OSSL_LIB_CTX *libctx, const char *skeymgmtname,
+\& const char *propquery, const OSSL_PARAM *params);
+\& EVP_SKEY *EVP_SKEY_import(OSSL_LIB_CTX *libctx, const char *skeymgmtname,
+\& const char *propquery,
+\& int selection, const OSSL_PARAM *params);
+\& EVP_SKEY *EVP_SKEY_import_raw_key(OSSL_LIB_CTX *libctx, const char *skeymgmtname,
+\& unsigned char *key, size_t *len,
+\& const char *propquery);
+\& int EVP_SKEY_export(const EVP_SKEY *skey, int selection,
+\& OSSL_CALLBACK *export_cb, void *export_cbarg);
+\& int EVP_SKEY_get0_raw_key(const EVP_SKEY *skey, const unsigned char **key,
+\& size_t *len);
+\& const char *EVP_SKEY_get0_key_id(const EVP_SKEY *skey);
+\&
+\& const char *EVP_SKEY_get0_skeymgmt_name(const EVP_SKEY *skey);
+\& const char *EVP_SKEY_get0_provider_name(const EVP_SKEY *skey);
+\&
+\& int EVP_SKEY_up_ref(EVP_SKEY *key);
+\& void EVP_SKEY_free(EVP_SKEY *key);
+\& int EVP_SKEY_is_a(const EVP_SKEY *skey, const char *name);
+\& EVP_SKEY *EVP_SKEY_to_provider(EVP_SKEY *skey, OSSL_LIB_CTX *libctx,
+\& OSSL_PROVIDER *prov, const char *propquery);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBEVP_SKEY\fR is a generic structure to hold symmetric keys as opaque objects.
+The keys themselves are often referred to as the "internal key", and are handled by
+providers using \fBEVP_SKEYMGMT\fR\|(3).
+.PP
+Conceptually, an \fBEVP_SKEY\fR internal key may hold a symmetric key, and along
+with those, key parameters if the key type requires them.
+.PP
+The \fBEVP_SKEY_generate()\fR functions creates a new \fBEVP_SKEY\fR object and
+initializes it according to the \fBparams\fR argument.
+.PP
+The \fBEVP_SKEY_import()\fR function allocates an empty \fBEVP_SKEY\fR structure
+which is used by OpenSSL to store symmetric keys, assigns the
+\&\fBEVP_SKEYMGMT\fR object associated with the key, and initializes the object from
+the \fBparams\fR argument.
+.PP
+The \fBEVP_SKEY_import_raw_key()\fR function is a helper that creates an \fBEVP_SKEY\fR object
+containing the raw byte representation of the symmetric keys.
+.PP
+The \fBEVP_SKEY_export()\fR function extracts values from a key \fIskey\fR using the
+\&\fIselection\fR. \fIselection\fR is described below. It uses a callback \fIexport_cb\fR
+that gets passed the value of \fIexport_cbarg\fR. See \fBopenssl\-core.h\fR\|(7) for
+more information about the callback. Note that the \fBOSSL_PARAM\fR\|(3) array that
+is passed to the callback is not persistent after the callback returns.
+.PP
+The \fBEVP_SKEY_get0_raw_key()\fR returns a pointer to a raw key bytes to the passed
+address and sets the key len. The returned address is managed by the internal
+key management and shouldn't be freed explicitly. The operation can fail when
+the underlying key management doesn't support export of the secret key.
+.PP
+The \fBEVP_SKEY_get0_key_id()\fR returns a NUL-terminated string providing some
+human-readable identifier of the key if provided by the underlying key
+management. The pointer becomes invalid after freeing the EVP_SKEY object.
+.PP
+The \fBEVP_SKEY_get0_skeymgmt_name()\fR and \fBEVP_SKEY_get0_provider_name()\fR return the
+names of the associated EVP_SKEYMGMT object and its provider correspondingly.
+.PP
+\&\fBEVP_SKEY_up_ref()\fR increments the reference count of \fIkey\fR.
+.PP
+\&\fBEVP_SKEY_free()\fR decrements the reference count of \fIkey\fR and, if the reference
+count is zero, frees it. If \fIkey\fR is NULL, nothing is done.
+.PP
+\&\fBEVP_SKEY_is_a()\fR checks if the key type of \fIskey\fR is \fIname\fR.
+.PP
+\&\fBEVP_SKEY_to_provider()\fR simplifies the task of importing a \fIskey\fR into a
+different provider identified by \fIprov\fR. If \fIprov\fR is NULL, the default
+provider for the key type identified via \fIskey\fR is used.
+.SS Selections
+.IX Subsection "Selections"
+The following constants can be used for \fIselection\fR:
+.IP \fBOSSL_SKEYMGMT_SELECT_SECRET_KEY\fR 4
+.IX Item "OSSL_SKEYMGMT_SELECT_SECRET_KEY"
+Only the raw key representation will be selected.
+.IP \fBOSSL_SKEYMGMT_SELECT_PARAMETERS\fR 4
+.IX Item "OSSL_SKEYMGMT_SELECT_PARAMETERS"
+Only the key parameters will be selected. This includes optional key
+parameters.
+.IP \fBOSSL_SKEYMGMT_SELECT_ALL\fR 4
+.IX Item "OSSL_SKEYMGMT_SELECT_ALL"
+All parameters will be selected.
+.SH NOTES
+.IX Header "NOTES"
+The \fBEVP_SKEY\fR structure is used by various OpenSSL functions which require a
+general symmetric key without reference to any particular algorithm.
+.PP
+The \fBEVP_SKEY_to_provider()\fR function will fail and return NULL if the origin
+key \fIskey\fR cannot be exported from its provider.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBEVP_SKEY_generate()\fR, \fBEVP_SKEY_import()\fR and \fBEVP_SKEY_import_raw_key()\fR return
+either the newly allocated \fBEVP_SKEY\fR structure or NULL if an error occurred.
+.PP
+\&\fBEVP_SKEY_get0_key_id()\fR returns either a valid pointer or NULL.
+.PP
+\&\fBEVP_SKEY_up_ref()\fR returns 1 for success and 0 on failure.
+.PP
+\&\fBEVP_SKEY_export()\fR and \fBEVP_SKEY_get0_raw_key()\fR return 1 for success and 0 on failure.
+.PP
+\&\fBEVP_SKEY_get0_skeymgmt_name()\fR and \fBEVP_SKEY_get0_provider_name()\fR return the
+names of the associated EVP_SKEYMGMT object and its provider correspondigly.
+.PP
+\&\fBEVP_SKEY_is_a()\fR returns 1 if \fIskey\fR has the key type \fIname\fR,
+otherwise 0.
+.PP
+\&\fBEVP_SKEY_to_provider()\fR returns a new \fBEVP_SKEY\fR suitable for operations with
+the \fIprov\fR provider or NULL in case of failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_SKEYMGMT\fR\|(3), \fBprovider\fR\|(7), \fBOSSL_PARAM\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBEVP_SKEY\fR API and functions \fBEVP_SKEY_export()\fR,
+\&\fBEVP_SKEY_free()\fR, \fBEVP_SKEY_get0_raw_key()\fR, \fBEVP_SKEY_import()\fR,
+\&\fBEVP_SKEY_import_raw_key()\fR, \fBEVP_SKEY_up_ref()\fR, \fBEVP_SKEY_generate()\fR,
+\&\fBEVP_SKEY_get0_key_id()\fR, \fBEVP_SKEY_get0_provider_name()\fR,
+\&\fBEVP_SKEY_get0_skeymgmt_name()\fR, \fBEVP_SKEY_is_a()\fR, \fBEVP_SKEY_to_provider()\fR
+were introduced in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3 b/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3
new file mode 100644
index 000000000000..d124ab6e4229
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/EVP_SKEYMGMT.3
@@ -0,0 +1,203 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_SKEYMGMT 3ossl"
+.TH EVP_SKEYMGMT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_SKEYMGMT,
+EVP_SKEYMGMT_fetch,
+EVP_SKEYMGMT_up_ref,
+EVP_SKEYMGMT_free,
+EVP_SKEYMGMT_get0_provider,
+EVP_SKEYMGMT_is_a,
+EVP_SKEYMGMT_get0_description,
+EVP_SKEYMGMT_get0_name,
+EVP_SKEYMGMT_do_all_provided,
+EVP_SKEYMGMT_names_do_all,
+EVP_SKEYMGMT_get0_gen_settable_params,
+EVP_SKEYMGMT_get0_imp_settable_params
+\&\- EVP key management routines for opaque symmetric keys
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/evp.h>
+\&
+\& typedef struct evp_sskeymgmt_st EVP_SKEYMGMT;
+\&
+\& EVP_SKEYMGMT *EVP_SKEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
+\& const char *properties);
+\& int EVP_SKEYMGMT_up_ref(EVP_SKEYMGMT *skeymgmt);
+\& void EVP_SKEYMGMT_free(EVP_SKEYMGMT *skeymgmt);
+\& const OSSL_PROVIDER *EVP_SKEYMGMT_get0_provider(const EVP_SKEYMGMT *skeymgmt);
+\& int EVP_SKEYMGMT_is_a(const EVP_SKEYMGMT *skeymgmt, const char *name);
+\& const char *EVP_SKEYMGMT_get0_name(const EVP_SKEYMGMT *skeymgmt);
+\& const char *EVP_SKEYMGMT_get0_description(const EVP_SKEYMGMT *skeymgmt);
+\&
+\& void EVP_SKEYMGMT_do_all_provided(OSSL_LIB_CTX *libctx,
+\& void (*fn)(EVP_SKEYMGMT *skeymgmt, void *arg),
+\& void *arg);
+\& int EVP_SKEYMGMT_names_do_all(const EVP_SKEYMGMT *skeymgmt,
+\& void (*fn)(const char *name, void *data),
+\& void *data);
+\& const OSSL_PARAM *EVP_SKEYMGMT_get0_gen_settable_params(const EVP_SKEYMGMT *skeymgmt);
+\& const OSSL_PARAM *EVP_SKEYMGMT_get0_imp_settable_params(const EVP_SKEYMGMT *skeymgmt);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBEVP_SKEYMGMT\fR is a method object that represents symmetric key management
+implementations for different cryptographic algorithms. This method object
+provides functionality to allow providers to import key material from the
+outside, as well as export key material to the outside.
+.PP
+Most of the functionality can only be used internally and has no public
+interface, this opaque object is simply passed into other functions when
+needed.
+.PP
+\&\fBEVP_SKEYMGMT_fetch()\fR looks for an algorithm within a provider that
+has been loaded into the \fBOSSL_LIB_CTX\fR given by \fIctx\fR, having the
+name given by \fIalgorithm\fR and the properties given by \fIproperties\fR.
+.PP
+\&\fBEVP_SKEYMGMT_up_ref()\fR increments the reference count for the given
+\&\fBEVP_SKEYMGMT\fR \fIskeymgmt\fR.
+.PP
+\&\fBEVP_SKEYMGMT_free()\fR decrements the reference count for the given
+\&\fBEVP_SKEYMGMT\fR \fIskeymgmt\fR, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
+.PP
+\&\fBEVP_SKEYMGMT_get0_provider()\fR returns the provider that has this particular
+implementation.
+.PP
+\&\fBEVP_SKEYMGMT_is_a()\fR checks if \fIskeymgmt\fR is an implementation of an
+algorithm that's identified by \fIname\fR.
+.PP
+\&\fBEVP_SKEYMGMT_get0_name()\fR returns the algorithm name from the provided
+implementation for the given \fIskeymgmt\fR. Note that the \fIskeymgmt\fR may have
+multiple synonyms associated with it. In this case the first name from the
+algorithm definition is returned. Ownership of the returned string is
+retained by the \fIskeymgmt\fR object and should not be freed by the caller.
+.PP
+\&\fBEVP_SKEYMGMT_names_do_all()\fR traverses all names for the \fIskeymgmt\fR, and
+calls \fIfn\fR with each name and \fIdata\fR.
+.PP
+\&\fBEVP_SKEYMGMT_get0_description()\fR returns a description of the \fIskeymgmt\fR, meant
+for display and human consumption. The description is at the discretion
+of the \fIskeymgmt\fR implementation.
+.PP
+\&\fBEVP_SKEYMGMT_do_all_provided()\fR traverses all key \fIskeymgmt\fR implementations by
+all activated providers in the library context \fIlibctx\fR, and for each
+of the implementations, calls \fIfn\fR with the implementation method and
+\&\fIdata\fR as arguments.
+.PP
+\&\fBEVP_SKEYMGMT_get0_gen_settable_params()\fR and \fBEVP_SKEYMGMT_get0_imp_settable_params()\fR
+get a constant \fBOSSL_PARAM\fR\|(3) array that describes the settable parameters
+that can be used with \fBEVP_SKEY_generate()\fR and \fBEVP_SKEY_import()\fR correspondingly.
+.SH NOTES
+.IX Header "NOTES"
+\&\fBEVP_SKEYMGMT_fetch()\fR may be called implicitly by other fetching
+functions, using the same library context and properties.
+Any other API that uses symmetric keys will typically do this.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBEVP_SKEYMGMT_fetch()\fR returns a pointer to the key management
+implementation represented by an EVP_SKEYMGMT object, or NULL on
+error.
+.PP
+\&\fBEVP_SKEYMGMT_up_ref()\fR returns 1 on success, or 0 on error.
+.PP
+\&\fBEVP_SKEYMGMT_names_do_all()\fR returns 1 if the callback was called for all
+names. A return value of 0 means that the callback was not called for any names.
+.PP
+\&\fBEVP_SKEYMGMT_free()\fR doesn't return any value.
+.PP
+\&\fBEVP_SKEYMGMT_get0_provider()\fR returns a pointer to a provider object, or NULL
+on error.
+.PP
+\&\fBEVP_SKEYMGMT_is_a()\fR returns 1 if \fIskeymgmt\fR was identifiable, otherwise 0.
+.PP
+\&\fBEVP_SKEYMGMT_get0_name()\fR returns the algorithm name, or NULL on error.
+.PP
+\&\fBEVP_SKEYMGMT_get0_description()\fR returns a pointer to a description, or NULL if
+there isn't one.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_SKEY\fR\|(3), \fBEVP_MD_fetch\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBEVP_SKEYMGMT\fR structure and functions
+\&\fBEVP_SKEYMGMT_fetch()\fR,
+\&\fBEVP_SKEYMGMT_up_ref()\fR,
+\&\fBEVP_SKEYMGMT_free()\fR,
+\&\fBEVP_SKEYMGMT_get0_provider()\fR,
+\&\fBEVP_SKEYMGMT_is_a()\fR,
+\&\fBEVP_SKEYMGMT_get0_description()\fR,
+\&\fBEVP_SKEYMGMT_get0_name()\fR,
+\&\fBEVP_SKEYMGMT_do_all_provided()\fR,
+\&\fBEVP_SKEYMGMT_names_do_all()\fR,
+\&\fBEVP_SKEYMGMT_get0_gen_settable_params()\fR,
+\&\fBEVP_SKEYMGMT_get0_imp_settable_params()\fR
+were added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SealInit.3 b/secure/lib/libcrypto/man/man3/EVP_SealInit.3
index 30e72e5e74d0..3bf7517059ab 100644
--- a/secure/lib/libcrypto/man/man3/EVP_SealInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_SealInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SEALINIT 3ossl"
-.TH EVP_SEALINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SEALINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -150,15 +74,15 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption
\& int *outl, unsigned char *in, int inl);
\& int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 envelope routines are a high-level interface to envelope
-encryption. They generate a random key and \s-1IV\s0 (if required) then
-\&\*(L"envelope\*(R" it by using public key encryption. Data can then be
+The EVP envelope routines are a high-level interface to envelope
+encryption. They generate a random key and IV (if required) then
+"envelope" it by using public key encryption. Data can then be
encrypted using this key.
.PP
\&\fBEVP_SealInit()\fR initializes a cipher context \fBctx\fR for encryption
-with cipher \fBtype\fR using a random secret key and \s-1IV.\s0 \fBtype\fR is normally
+with cipher \fBtype\fR using a random secret key and IV. \fBtype\fR is normally
supplied by a function such as \fBEVP_aes_256_cbc()\fR. The secret key is encrypted
using one or more public keys, this allows the same encrypted data to be
decrypted using any of the corresponding private keys. \fBek\fR is an array of
@@ -168,12 +92,12 @@ must contain enough room for the corresponding encrypted key: that is
size of each encrypted secret key is written to the array \fBekl\fR. \fBpubk\fR is
an array of \fBnpubk\fR public keys.
.PP
-The \fBiv\fR parameter is a buffer where the generated \s-1IV\s0 is written to. It must
-contain enough room for the corresponding cipher's \s-1IV,\s0 as determined by (for
+The \fBiv\fR parameter is a buffer where the generated IV is written to. It must
+contain enough room for the corresponding cipher's IV, as determined by (for
example) EVP_CIPHER_get_iv_length(type).
.PP
-If the cipher does not require an \s-1IV\s0 then the \fBiv\fR parameter is ignored
-and can be \fB\s-1NULL\s0\fR.
+If the cipher does not require an IV then the \fBiv\fR parameter is ignored
+and can be \fBNULL\fR.
.PP
\&\fBEVP_SealUpdate()\fR and \fBEVP_SealFinal()\fR have exactly the same properties
as the \fBEVP_EncryptUpdate()\fR and \fBEVP_EncryptFinal()\fR routines, as
@@ -185,14 +109,14 @@ page.
.PP
\&\fBEVP_SealUpdate()\fR and \fBEVP_SealFinal()\fR return 1 for success and 0 for
failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Because a random secret key is generated the random number generator
must be seeded when \fBEVP_SealInit()\fR is called.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
-The public key must be \s-1RSA\s0 because it is the only OpenSSL public key
+The public key must be RSA because it is the only OpenSSL public key
algorithm that supports key transport.
.PP
Envelope encryption is the usual method of using public key encryption
@@ -204,18 +128,18 @@ using public key encryption.
It is possible to call \fBEVP_SealInit()\fR twice in the same way as
\&\fBEVP_EncryptInit()\fR. The first call should have \fBnpubk\fR set to 0
and (after setting any cipher parameters) it should be called again
-with \fBtype\fR set to \s-1NULL.\s0
+with \fBtype\fR set to NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_OpenInit\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBRAND\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SignInit.3 b/secure/lib/libcrypto/man/man3/EVP_SignInit.3
index 76fdea677cdf..e72bb23ed1cb 100644
--- a/secure/lib/libcrypto/man/man3/EVP_SignInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_SignInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNINIT 3ossl"
-.TH EVP_SIGNINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SignInit, EVP_SignInit_ex, EVP_SignUpdate,
EVP_SignFinal_ex, EVP_SignFinal
\&\- EVP signing functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,13 +78,13 @@ EVP_SignFinal_ex, EVP_SignFinal
\&
\& void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 signature routines are a high-level interface to digital
+The EVP signature routines are a high-level interface to digital
signatures.
.PP
\&\fBEVP_SignInit_ex()\fR sets up signing context \fIctx\fR to use digest
-\&\fItype\fR from \fB\s-1ENGINE\s0\fR \fIimpl\fR. \fIctx\fR must be created with
+\&\fItype\fR from \fBENGINE\fR \fIimpl\fR. \fIctx\fR must be created with
\&\fBEVP_MD_CTX_new()\fR before calling this function.
.PP
\&\fBEVP_SignUpdate()\fR hashes \fIcnt\fR bytes of data at \fId\fR into the
@@ -170,14 +94,14 @@ same \fIctx\fR to include additional data.
\&\fBEVP_SignFinal_ex()\fR signs the data in \fIctx\fR using the private key
\&\fIpkey\fR and places the signature in \fIsig\fR. The library context \fIlibctx\fR and
property query \fIpropq\fR are used when creating a context to use with the key
-\&\fIpkey\fR. \fIsig\fR must be at least \f(CW\*(C`EVP_PKEY_get_size(pkey)\*(C'\fR bytes in size.
-\&\fIs\fR is an \s-1OUT\s0 parameter, and not used as an \s-1IN\s0 parameter.
+\&\fIpkey\fR. \fIsig\fR must be at least \f(CWEVP_PKEY_get_size(pkey)\fR bytes in size.
+\&\fIs\fR is an OUT parameter, and not used as an IN parameter.
The number of bytes of data written (i.e. the length of the signature)
-will be written to the integer at \fIs\fR, at most \f(CW\*(C`EVP_PKEY_get_size(pkey)\*(C'\fR
+will be written to the integer at \fIs\fR, at most \f(CWEVP_PKEY_get_size(pkey)\fR
bytes will be written.
.PP
\&\fBEVP_SignFinal()\fR is similar to \fBEVP_SignFinal_ex()\fR but uses default
-values of \s-1NULL\s0 for the library context \fIlibctx\fR and the property query \fIpropq\fR.
+values of NULL for the library context \fIlibctx\fR and the property query \fIpropq\fR.
.PP
\&\fBEVP_SignInit()\fR initializes a signing context \fIctx\fR to use the default
implementation of digest \fItype\fR.
@@ -187,24 +111,31 @@ implementation of digest \fItype\fR.
\&\fBEVP_SignFinal()\fR return 1 for success and 0 for failure.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
+The \fBEVP\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
When signing with some private key types the random number generator must
-be seeded. If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails
-due to external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+be seeded. If the automatic seeding or reseeding of the OpenSSL CSPRNG fails
+due to external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
The call to \fBEVP_SignFinal()\fR internally finalizes a copy of the digest context.
This means that calls to \fBEVP_SignUpdate()\fR and \fBEVP_SignFinal()\fR can be called
-later to digest and sign additional data.
+later to digest and sign additional data.cApplications may disable this
+behavior by setting the EVP_MD_CTX_FLAG_FINALISE context flag via
+\&\fBEVP_MD_CTX_set_flags\fR\|(3).
.PP
Since only a copy of the digest context is ever finalized the context must
be cleaned up after use by calling \fBEVP_MD_CTX_free()\fR or a memory leak
will occur.
-.SH "BUGS"
+.PP
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts \fBEVP_SignFinal()\fR will
+finalize the digest context and attempting to process additional data via
+\&\fBEVP_SignUpdate()\fR will result in an error.
+.SH BUGS
.IX Header "BUGS"
Older versions of this documentation wrongly stated that calls to
\&\fBEVP_SignUpdate()\fR could not be made after calling \fBEVP_SignFinal()\fR.
@@ -223,17 +154,17 @@ The previous two bugs are fixed in the newer EVP_DigestSign*() functions.
\&\fBEVP_PKEY_get_security_bits\fR\|(3),
\&\fBEVP_VerifyInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
-\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
-\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
-\&\s-1\fBSHA1\s0\fR\|(3), \fBopenssl\-dgst\fR\|(1)
-.SH "HISTORY"
+\&\fBevp\fR\|(7), \fBHMAC\fR\|(3), \fBMD2\fR\|(3),
+\&\fBMD5\fR\|(3), \fBMDC2\fR\|(3), \fBRIPEMD160\fR\|(3),
+\&\fBSHA1\fR\|(3), \fBopenssl\-dgst\fR\|(1)
+.SH HISTORY
.IX Header "HISTORY"
The function \fBEVP_SignFinal_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3
index d770409b8e4a..fa0ad2c729c5 100644
--- a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_VERIFYINIT 3ossl"
-.TH EVP_VERIFYINIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_VERIFYINIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_VerifyInit_ex,
EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal_ex, EVP_VerifyFinal
\&\- EVP signature verification functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -155,13 +79,13 @@ EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal_ex, EVP_VerifyFinal
\&
\& int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 signature verification routines are a high-level interface to digital
+The EVP signature verification routines are a high-level interface to digital
signatures.
.PP
\&\fBEVP_VerifyInit_ex()\fR sets up verification context \fIctx\fR to use digest
-\&\fItype\fR from \s-1ENGINE\s0 \fIimpl\fR. \fIctx\fR must be created by calling
+\&\fItype\fR from ENGINE \fIimpl\fR. \fIctx\fR must be created by calling
\&\fBEVP_MD_CTX_new()\fR before calling this function.
.PP
\&\fBEVP_VerifyUpdate()\fR hashes \fIcnt\fR bytes of data at \fId\fR into the
@@ -174,7 +98,7 @@ The library context \fIlibctx\fR and property query \fIpropq\fR are used when cr
a context to use with the key \fIpkey\fR.
.PP
\&\fBEVP_VerifyFinal()\fR is similar to \fBEVP_VerifyFinal_ex()\fR but uses default
-values of \s-1NULL\s0 for the library context \fIlibctx\fR and the property query \fIpropq\fR.
+values of NULL for the library context \fIlibctx\fR and the property query \fIpropq\fR.
.PP
\&\fBEVP_VerifyInit()\fR initializes verification context \fIctx\fR to use the default
implementation of digest \fItype\fR.
@@ -187,20 +111,27 @@ failure.
signature, 0 for failure and a negative value if some other error occurred.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
+The \fBEVP\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
The call to \fBEVP_VerifyFinal()\fR internally finalizes a copy of the digest context.
This means that calls to \fBEVP_VerifyUpdate()\fR and \fBEVP_VerifyFinal()\fR can be called
-later to digest and verify additional data.
+later to digest and verify additional data. Applications may disable this
+behavior by setting the EVP_MD_CTX_FLAG_FINALISE context flag via
+\&\fBEVP_MD_CTX_set_flags\fR\|(3).
.PP
Since only a copy of the digest context is ever finalized the context must
be cleaned up after use by calling \fBEVP_MD_CTX_free()\fR or a memory leak
will occur.
-.SH "BUGS"
+.PP
+Note that not all providers support continuation, in case the selected
+provider does not allow to duplicate contexts \fBEVP_VerifyFinal()\fR will
+finalize the digest context and attempting to process additional data via
+\&\fBEVP_VerifyUpdate()\fR will result in an error.
+.SH BUGS
.IX Header "BUGS"
Older versions of this documentation wrongly stated that calls to
\&\fBEVP_VerifyUpdate()\fR could not be made after calling \fBEVP_VerifyFinal()\fR.
@@ -218,17 +149,17 @@ The previous two bugs are fixed in the newer EVP_DigestVerify*() function.
\&\fBevp\fR\|(7),
\&\fBEVP_SignInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
-\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
-\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
-\&\s-1\fBSHA1\s0\fR\|(3), \fBopenssl\-dgst\fR\|(1)
-.SH "HISTORY"
+\&\fBevp\fR\|(7), \fBHMAC\fR\|(3), \fBMD2\fR\|(3),
+\&\fBMD5\fR\|(3), \fBMDC2\fR\|(3), \fBRIPEMD160\fR\|(3),
+\&\fBSHA1\fR\|(3), \fBopenssl\-dgst\fR\|(1)
+.SH HISTORY
.IX Header "HISTORY"
The function \fBEVP_VerifyFinal_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3 b/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3
index 101d18726c4f..e396a0e41daa 100644
--- a/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3
+++ b/secure/lib/libcrypto/man/man3/EVP_aes_128_gcm.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_AES_128_GCM 3ossl"
-.TH EVP_AES_128_GCM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_AES_128_GCM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_aes_128_cbc,
EVP_aes_192_cbc,
EVP_aes_256_cbc,
@@ -183,7 +107,7 @@ EVP_aes_256_wrap_pad,
EVP_aes_128_xts,
EVP_aes_256_xts
\&\- EVP AES cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -193,80 +117,80 @@ EVP_aes_256_xts
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_aes_128_cbc\fR.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1AES\s0 encryption algorithm for \s-1EVP.\s0
+The AES encryption algorithm for EVP.
.IP "\fBEVP_aes_128_cbc()\fR, \fBEVP_aes_192_cbc()\fR, \fBEVP_aes_256_cbc()\fR, \fBEVP_aes_128_cfb()\fR, \fBEVP_aes_192_cfb()\fR, \fBEVP_aes_256_cfb()\fR, \fBEVP_aes_128_cfb1()\fR, \fBEVP_aes_192_cfb1()\fR, \fBEVP_aes_256_cfb1()\fR, \fBEVP_aes_128_cfb8()\fR, \fBEVP_aes_192_cfb8()\fR, \fBEVP_aes_256_cfb8()\fR, \fBEVP_aes_128_cfb128()\fR, \fBEVP_aes_192_cfb128()\fR, \fBEVP_aes_256_cfb128()\fR, \fBEVP_aes_128_ctr()\fR, \fBEVP_aes_192_ctr()\fR, \fBEVP_aes_256_ctr()\fR, \fBEVP_aes_128_ecb()\fR, \fBEVP_aes_192_ecb()\fR, \fBEVP_aes_256_ecb()\fR, \fBEVP_aes_128_ofb()\fR, \fBEVP_aes_192_ofb()\fR, \fBEVP_aes_256_ofb()\fR" 4
.IX Item "EVP_aes_128_cbc(), EVP_aes_192_cbc(), EVP_aes_256_cbc(), EVP_aes_128_cfb(), EVP_aes_192_cfb(), EVP_aes_256_cfb(), EVP_aes_128_cfb1(), EVP_aes_192_cfb1(), EVP_aes_256_cfb1(), EVP_aes_128_cfb8(), EVP_aes_192_cfb8(), EVP_aes_256_cfb8(), EVP_aes_128_cfb128(), EVP_aes_192_cfb128(), EVP_aes_256_cfb128(), EVP_aes_128_ctr(), EVP_aes_192_ctr(), EVP_aes_256_ctr(), EVP_aes_128_ecb(), EVP_aes_192_ecb(), EVP_aes_256_ecb(), EVP_aes_128_ofb(), EVP_aes_192_ofb(), EVP_aes_256_ofb()"
-\&\s-1AES\s0 for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with 128\-bit
-shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB,\s0 and \s-1OFB.\s0
+AES for 128, 192 and 256 bit keys in the following modes: CBC, CFB with 128\-bit
+shift, CFB with 1\-bit shift, CFB with 8\-bit shift, CTR, ECB, and OFB.
.IP "\fBEVP_aes_128_cbc_hmac_sha1()\fR, \fBEVP_aes_256_cbc_hmac_sha1()\fR" 4
.IX Item "EVP_aes_128_cbc_hmac_sha1(), EVP_aes_256_cbc_hmac_sha1()"
-Authenticated encryption with \s-1AES\s0 in \s-1CBC\s0 mode using \s-1SHA\-1\s0 as \s-1HMAC,\s0 with keys of
+Authenticated encryption with AES in CBC mode using SHA\-1 as HMAC, with keys of
128 and 256 bits length respectively. The authentication tag is 160 bits long.
.Sp
-\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of
-some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0
+WARNING: this is not intended for usage outside of TLS and requires calling of
+some undocumented ctrl functions. These ciphers do not conform to the EVP AEAD
interface.
.IP "\fBEVP_aes_128_cbc_hmac_sha256()\fR, \fBEVP_aes_256_cbc_hmac_sha256()\fR" 4
.IX Item "EVP_aes_128_cbc_hmac_sha256(), EVP_aes_256_cbc_hmac_sha256()"
-Authenticated encryption with \s-1AES\s0 in \s-1CBC\s0 mode using \s-1SHA256\s0 (\s-1SHA\-2,\s0 256\-bits) as
-\&\s-1HMAC,\s0 with keys of 128 and 256 bits length respectively. The authentication tag
+Authenticated encryption with AES in CBC mode using SHA256 (SHA\-2, 256\-bits) as
+HMAC, with keys of 128 and 256 bits length respectively. The authentication tag
is 256 bits long.
.Sp
-\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of
-some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0
+WARNING: this is not intended for usage outside of TLS and requires calling of
+some undocumented ctrl functions. These ciphers do not conform to the EVP AEAD
interface.
.IP "\fBEVP_aes_128_ccm()\fR, \fBEVP_aes_192_ccm()\fR, \fBEVP_aes_256_ccm()\fR, \fBEVP_aes_128_gcm()\fR, \fBEVP_aes_192_gcm()\fR, \fBEVP_aes_256_gcm()\fR, \fBEVP_aes_128_ocb()\fR, \fBEVP_aes_192_ocb()\fR, \fBEVP_aes_256_ocb()\fR" 4
.IX Item "EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm(), EVP_aes_128_gcm(), EVP_aes_192_gcm(), EVP_aes_256_gcm(), EVP_aes_128_ocb(), EVP_aes_192_ocb(), EVP_aes_256_ocb()"
-\&\s-1AES\s0 for 128, 192 and 256 bit keys in CBC-MAC Mode (\s-1CCM\s0), Galois Counter Mode
-(\s-1GCM\s0) and \s-1OCB\s0 Mode respectively. These ciphers require additional control
-operations to function correctly, see the \*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3)
+AES for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM), Galois Counter Mode
+(GCM) and OCB Mode respectively. These ciphers require additional control
+operations to function correctly, see the "AEAD Interface" in \fBEVP_EncryptInit\fR\|(3)
section for details.
-.IP "\fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_128_wrap_pad()\fR, \fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_192_wrap_pad()\fR, \fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_256_wrap_pad()\fR" 4
-.IX Item "EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_128_wrap_pad(), EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_192_wrap_pad(), EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_256_wrap_pad()"
-\&\s-1AES\s0 key wrap with 128, 192 and 256 bit keys, as according to \s-1RFC 3394\s0 section
-2.2.1 (\*(L"wrap\*(R") and \s-1RFC 5649\s0 section 4.1 (\*(L"wrap with padding\*(R") respectively.
+.IP "\fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_128_wrap_pad()\fR, \fBEVP_aes_192_wrap_pad()\fR, \fBEVP_aes_256_wrap_pad()\fR" 4
+.IX Item "EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_128_wrap_pad(), EVP_aes_192_wrap_pad(), EVP_aes_256_wrap_pad()"
+AES key wrap with 128, 192 and 256 bit keys, as according to RFC 3394 section
+2.2.1 ("wrap") and RFC 5649 section 4.1 ("wrap with padding") respectively.
.IP "\fBEVP_aes_128_xts()\fR, \fBEVP_aes_256_xts()\fR" 4
.IX Item "EVP_aes_128_xts(), EVP_aes_256_xts()"
-\&\s-1AES XTS\s0 mode (XTS-AES) is standardized in \s-1IEEE\s0 Std. 1619\-2007 and described in \s-1NIST
-SP 800\-38E.\s0 The \s-1XTS\s0 (XEX-based tweaked-codebook mode with ciphertext stealing)
+AES XTS mode (XTS-AES) is standardized in IEEE Std. 1619\-2007 and described in NIST
+SP 800\-38E. The XTS (XEX-based tweaked-codebook mode with ciphertext stealing)
mode was designed by Prof. Phillip Rogaway of University of California, Davis,
intended for encrypting data on a storage device.
.Sp
XTS-AES provides confidentiality but not authentication of data. It also
requires a key of double-length for protection of a certain key size.
-In particular, \s-1XTS\-AES\-128\s0 (\fBEVP_aes_128_xts\fR) takes input of a 256\-bit key to
-achieve \s-1AES\s0 128\-bit security, and \s-1XTS\-AES\-256\s0 (\fBEVP_aes_256_xts\fR) takes input
-of a 512\-bit key to achieve \s-1AES\s0 256\-bit security.
+In particular, XTS\-AES\-128 (\fBEVP_aes_128_xts\fR) takes input of a 256\-bit key to
+achieve AES 128\-bit security, and XTS\-AES\-256 (\fBEVP_aes_256_xts\fR) takes input
+of a 512\-bit key to achieve AES 256\-bit security.
.Sp
-The \s-1XTS\s0 implementation in OpenSSL does not support streaming. That is there must
+The XTS implementation in OpenSSL does not support streaming. That is there must
only be one \fBEVP_EncryptUpdate\fR\|(3) call per \fBEVP_EncryptInit_ex\fR\|(3) call (and
-similarly with the \*(L"Decrypt\*(R" functions).
+similarly with the "Decrypt" functions).
.Sp
The \fIiv\fR parameter to \fBEVP_EncryptInit_ex\fR\|(3) or \fBEVP_DecryptInit_ex\fR\|(3) is
-the \s-1XTS\s0 \*(L"tweak\*(R" value.
-.SH "NOTES"
+the XTS "tweak" value.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-AES\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3 b/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3
index e7465d37ae97..ce9143145633 100644
--- a/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3
+++ b/secure/lib/libcrypto/man/man3/EVP_aria_128_gcm.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ARIA_128_GCM 3ossl"
-.TH EVP_ARIA_128_GCM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_ARIA_128_GCM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_aria_128_cbc,
EVP_aria_192_cbc,
EVP_aria_256_cbc,
@@ -168,7 +92,7 @@ EVP_aria_128_gcm,
EVP_aria_192_gcm,
EVP_aria_256_gcm,
\&\- EVP ARIA cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -178,39 +102,39 @@ EVP_aria_256_gcm,
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_aria_128_cbc\fR.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1ARIA\s0 encryption algorithm for \s-1EVP.\s0
+The ARIA encryption algorithm for EVP.
.IP "\fBEVP_aria_128_cbc()\fR, \fBEVP_aria_192_cbc()\fR, \fBEVP_aria_256_cbc()\fR, \fBEVP_aria_128_cfb()\fR, \fBEVP_aria_192_cfb()\fR, \fBEVP_aria_256_cfb()\fR, \fBEVP_aria_128_cfb1()\fR, \fBEVP_aria_192_cfb1()\fR, \fBEVP_aria_256_cfb1()\fR, \fBEVP_aria_128_cfb8()\fR, \fBEVP_aria_192_cfb8()\fR, \fBEVP_aria_256_cfb8()\fR, \fBEVP_aria_128_cfb128()\fR, \fBEVP_aria_192_cfb128()\fR, \fBEVP_aria_256_cfb128()\fR, \fBEVP_aria_128_ctr()\fR, \fBEVP_aria_192_ctr()\fR, \fBEVP_aria_256_ctr()\fR, \fBEVP_aria_128_ecb()\fR, \fBEVP_aria_192_ecb()\fR, \fBEVP_aria_256_ecb()\fR, \fBEVP_aria_128_ofb()\fR, \fBEVP_aria_192_ofb()\fR, \fBEVP_aria_256_ofb()\fR" 4
.IX Item "EVP_aria_128_cbc(), EVP_aria_192_cbc(), EVP_aria_256_cbc(), EVP_aria_128_cfb(), EVP_aria_192_cfb(), EVP_aria_256_cfb(), EVP_aria_128_cfb1(), EVP_aria_192_cfb1(), EVP_aria_256_cfb1(), EVP_aria_128_cfb8(), EVP_aria_192_cfb8(), EVP_aria_256_cfb8(), EVP_aria_128_cfb128(), EVP_aria_192_cfb128(), EVP_aria_256_cfb128(), EVP_aria_128_ctr(), EVP_aria_192_ctr(), EVP_aria_256_ctr(), EVP_aria_128_ecb(), EVP_aria_192_ecb(), EVP_aria_256_ecb(), EVP_aria_128_ofb(), EVP_aria_192_ofb(), EVP_aria_256_ofb()"
-\&\s-1ARIA\s0 for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with
-128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB\s0 and \s-1OFB.\s0
+ARIA for 128, 192 and 256 bit keys in the following modes: CBC, CFB with
+128\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit shift, CTR, ECB and OFB.
.IP "\fBEVP_aria_128_ccm()\fR, \fBEVP_aria_192_ccm()\fR, \fBEVP_aria_256_ccm()\fR, \fBEVP_aria_128_gcm()\fR, \fBEVP_aria_192_gcm()\fR, \fBEVP_aria_256_gcm()\fR," 4
.IX Item "EVP_aria_128_ccm(), EVP_aria_192_ccm(), EVP_aria_256_ccm(), EVP_aria_128_gcm(), EVP_aria_192_gcm(), EVP_aria_256_gcm(),"
-\&\s-1ARIA\s0 for 128, 192 and 256 bit keys in CBC-MAC Mode (\s-1CCM\s0) and Galois Counter
-Mode (\s-1GCM\s0). These ciphers require additional control operations to function
-correctly, see the \*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3) section for details.
-.SH "NOTES"
+ARIA for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM) and Galois Counter
+Mode (GCM). These ciphers require additional control operations to function
+correctly, see the "AEAD Interface" in \fBEVP_EncryptInit\fR\|(3) section for details.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-ARIA\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3
index 029b263fa6b3..52ff07977931 100644
--- a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_BF_CBC 3ossl"
-.TH EVP_BF_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_BF_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_bf_cbc,
EVP_bf_cfb,
EVP_bf_cfb64,
EVP_bf_ecb,
EVP_bf_ofb
\&\- EVP Blowfish cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,35 +78,35 @@ EVP_bf_ofb
\& const EVP_CIPHER *EVP_bf_ecb(void);
\& const EVP_CIPHER *EVP_bf_ofb(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The Blowfish encryption algorithm for \s-1EVP.\s0
+The Blowfish encryption algorithm for EVP.
.PP
This is a variable key length cipher.
.IP "\fBEVP_bf_cbc()\fR, \fBEVP_bf_cfb()\fR, \fBEVP_bf_cfb64()\fR, \fBEVP_bf_ecb()\fR, \fBEVP_bf_ofb()\fR" 4
.IX Item "EVP_bf_cbc(), EVP_bf_cfb(), EVP_bf_cfb64(), EVP_bf_ecb(), EVP_bf_ofb()"
-Blowfish encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively.
-.SH "NOTES"
+Blowfish encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-BLOWFISH\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3
index 830a991fc596..d01d177dc76c 100644
--- a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3
+++ b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_BLAKE2B512 3ossl"
-.TH EVP_BLAKE2B512 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_BLAKE2B512 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_blake2b512,
EVP_blake2s256
\&\- BLAKE2 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,44 +72,43 @@ EVP_blake2s256
\& const EVP_MD *EVP_blake2b512(void);
\& const EVP_MD *EVP_blake2s256(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1BLAKE2\s0 is an improved version of \s-1BLAKE,\s0 which was submitted to the \s-1NIST SHA\-3\s0
+BLAKE2 is an improved version of BLAKE, which was submitted to the NIST SHA\-3
algorithm competition. The BLAKE2s and BLAKE2b algorithms are described in
-\&\s-1RFC 7693.\s0
-.IP "\fBEVP_blake2s256()\fR" 4
+RFC 7693.
+.IP \fBEVP_blake2s256()\fR 4
.IX Item "EVP_blake2s256()"
The BLAKE2s algorithm that produces a 256\-bit output from a given input.
-.IP "\fBEVP_blake2b512()\fR" 4
+.IP \fBEVP_blake2b512()\fR 4
.IX Item "EVP_blake2b512()"
The BLAKE2b algorithm that produces a 512\-bit output from a given input.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-BLAKE2\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.PP
-While the BLAKE2b and BLAKE2s algorithms supports a variable length digest,
-this implementation outputs a digest of a fixed length (the maximum length
-supported), which is 512\-bits for BLAKE2b and 256\-bits for BLAKE2s.
+Both algorithms support a variable-length digest,
+but this is only available through \fBEVP_MD\-BLAKE2\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 7693.\s0
+RFC 7693.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3 b/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3
index a99942a3ee75..8343dd1ac182 100644
--- a/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3
+++ b/secure/lib/libcrypto/man/man3/EVP_camellia_128_ecb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CAMELLIA_128_ECB 3ossl"
-.TH EVP_CAMELLIA_128_ECB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CAMELLIA_128_ECB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_camellia_128_cbc,
EVP_camellia_192_cbc,
EVP_camellia_256_cbc,
@@ -162,7 +86,7 @@ EVP_camellia_128_ofb,
EVP_camellia_192_ofb,
EVP_camellia_256_ofb
\&\- EVP Camellia cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -172,34 +96,34 @@ EVP_camellia_256_ofb
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_camellia_128_cbc\fR.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The Camellia encryption algorithm for \s-1EVP.\s0
+The Camellia encryption algorithm for EVP.
.IP "\fBEVP_camellia_128_cbc()\fR, \fBEVP_camellia_192_cbc()\fR, \fBEVP_camellia_256_cbc()\fR, \fBEVP_camellia_128_cfb()\fR, \fBEVP_camellia_192_cfb()\fR, \fBEVP_camellia_256_cfb()\fR, \fBEVP_camellia_128_cfb1()\fR, \fBEVP_camellia_192_cfb1()\fR, \fBEVP_camellia_256_cfb1()\fR, \fBEVP_camellia_128_cfb8()\fR, \fBEVP_camellia_192_cfb8()\fR, \fBEVP_camellia_256_cfb8()\fR, \fBEVP_camellia_128_cfb128()\fR, \fBEVP_camellia_192_cfb128()\fR, \fBEVP_camellia_256_cfb128()\fR, \fBEVP_camellia_128_ctr()\fR, \fBEVP_camellia_192_ctr()\fR, \fBEVP_camellia_256_ctr()\fR, \fBEVP_camellia_128_ecb()\fR, \fBEVP_camellia_192_ecb()\fR, \fBEVP_camellia_256_ecb()\fR, \fBEVP_camellia_128_ofb()\fR, \fBEVP_camellia_192_ofb()\fR, \fBEVP_camellia_256_ofb()\fR" 4
.IX Item "EVP_camellia_128_cbc(), EVP_camellia_192_cbc(), EVP_camellia_256_cbc(), EVP_camellia_128_cfb(), EVP_camellia_192_cfb(), EVP_camellia_256_cfb(), EVP_camellia_128_cfb1(), EVP_camellia_192_cfb1(), EVP_camellia_256_cfb1(), EVP_camellia_128_cfb8(), EVP_camellia_192_cfb8(), EVP_camellia_256_cfb8(), EVP_camellia_128_cfb128(), EVP_camellia_192_cfb128(), EVP_camellia_256_cfb128(), EVP_camellia_128_ctr(), EVP_camellia_192_ctr(), EVP_camellia_256_ctr(), EVP_camellia_128_ecb(), EVP_camellia_192_ecb(), EVP_camellia_256_ecb(), EVP_camellia_128_ofb(), EVP_camellia_192_ofb(), EVP_camellia_256_ofb()"
-Camellia for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with
-128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB\s0 and \s-1OFB.\s0
-.SH "NOTES"
+Camellia for 128, 192 and 256 bit keys in the following modes: CBC, CFB with
+128\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit shift, CTR, ECB and OFB.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-CAMELLIA\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3
index f368b5ca89ea..a96084da7ffe 100644
--- a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CAST5_CBC 3ossl"
-.TH EVP_CAST5_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CAST5_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_cast5_cbc,
EVP_cast5_cfb,
EVP_cast5_cfb64,
EVP_cast5_ecb,
EVP_cast5_ofb
\&\- EVP CAST cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,35 +78,35 @@ EVP_cast5_ofb
\& const EVP_CIPHER *EVP_cast5_ecb(void);
\& const EVP_CIPHER *EVP_cast5_ofb(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1CAST\s0 encryption algorithm for \s-1EVP.\s0
+The CAST encryption algorithm for EVP.
.PP
This is a variable key length cipher.
.IP "\fBEVP_cast5_cbc()\fR, \fBEVP_cast5_ecb()\fR, \fBEVP_cast5_cfb()\fR, \fBEVP_cast5_cfb64()\fR, \fBEVP_cast5_ofb()\fR" 4
.IX Item "EVP_cast5_cbc(), EVP_cast5_ecb(), EVP_cast5_cfb(), EVP_cast5_cfb64(), EVP_cast5_ofb()"
-\&\s-1CAST\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively.
-.SH "NOTES"
+CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-CAST\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_chacha20.3 b/secure/lib/libcrypto/man/man3/EVP_chacha20.3
index db996e6d4422..0f9e0f784ffd 100644
--- a/secure/lib/libcrypto/man/man3/EVP_chacha20.3
+++ b/secure/lib/libcrypto/man/man3/EVP_chacha20.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CHACHA20 3ossl"
-.TH EVP_CHACHA20 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CHACHA20 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_chacha20,
EVP_chacha20_poly1305
\&\- EVP ChaCha20 stream cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,12 +72,12 @@ EVP_chacha20_poly1305
\& const EVP_CIPHER *EVP_chacha20(void);
\& const EVP_CIPHER *EVP_chacha20_poly1305(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The ChaCha20 stream cipher for \s-1EVP.\s0
-.IP "\fBEVP_chacha20()\fR" 4
+The ChaCha20 stream cipher for EVP.
+.IP \fBEVP_chacha20()\fR 4
.IX Item "EVP_chacha20()"
-The ChaCha20 stream cipher. The key length is 256 bits, the \s-1IV\s0 is 128 bits long.
+The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
The first 64 bits consists of a counter in little-endian order followed by a 64
bit nonce. For example a nonce of:
.Sp
@@ -162,36 +86,36 @@ bit nonce. For example a nonce of:
With an initial counter of 42 (2a in hex) would be expressed as:
.Sp
2a000000000000000000000000000002
-.IP "\fBEVP_chacha20_poly1305()\fR" 4
+.IP \fBEVP_chacha20_poly1305()\fR 4
.IX Item "EVP_chacha20_poly1305()"
Authenticated encryption with ChaCha20\-Poly1305. Like \fBEVP_chacha20()\fR, the key
-is 256 bits and the \s-1IV\s0 is 96 bits. This supports additional authenticated data
-(\s-1AAD\s0) and produces a 128\-bit authentication tag. See the
-\&\*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3) section for more information.
-.SH "NOTES"
+is 256 bits and the IV is 96 bits. This supports additional authenticated data
+(AAD) and produces a 128\-bit authentication tag. See the
+"AEAD Interface" in \fBEVP_EncryptInit\fR\|(3) section for more information.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-CHACHA\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.PP
-\&\s-1RFC 7539\s0 <https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
-uses a 32 bit counter and a 96 bit nonce for the \s-1IV.\s0
+RFC 7539 <https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
+uses a 32 bit counter and a 96 bit nonce for the IV.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_des_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_des_cbc.3
index b81f969f5d5c..3f79931c4e89 100644
--- a/secure/lib/libcrypto/man/man3/EVP_des_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_des_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DES_CBC 3ossl"
-.TH EVP_DES_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_DES_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_des_cbc,
EVP_des_cfb,
EVP_des_cfb1,
@@ -160,7 +84,7 @@ EVP_des_ede3_ecb,
EVP_des_ede3_ofb,
EVP_des_ede3_wrap
\&\- EVP DES cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -170,48 +94,48 @@ EVP_des_ede3_wrap
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_des_cbc\fR.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1DES\s0 encryption algorithm for \s-1EVP.\s0
+The DES encryption algorithm for EVP.
.IP "\fBEVP_des_cbc()\fR, \fBEVP_des_ecb()\fR, \fBEVP_des_cfb()\fR, \fBEVP_des_cfb1()\fR, \fBEVP_des_cfb8()\fR, \fBEVP_des_cfb64()\fR, \fBEVP_des_ofb()\fR" 4
.IX Item "EVP_des_cbc(), EVP_des_ecb(), EVP_des_cfb(), EVP_des_cfb1(), EVP_des_cfb8(), EVP_des_cfb64(), EVP_des_ofb()"
-\&\s-1DES\s0 in \s-1CBC, ECB, CFB\s0 with 64\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit
-shift and \s-1OFB\s0 modes.
+DES in CBC, ECB, CFB with 64\-bit shift, CFB with 1\-bit shift, CFB with 8\-bit
+shift and OFB modes.
.Sp
None of these algorithms are provided by the OpenSSL default provider.
To use them it is necessary to load either the OpenSSL legacy provider or another
implementation.
.IP "\fBEVP_des_ede()\fR, \fBEVP_des_ede_cbc()\fR, \fBEVP_des_ede_cfb()\fR, \fBEVP_des_ede_cfb64()\fR, \fBEVP_des_ede_ecb()\fR, \fBEVP_des_ede_ofb()\fR" 4
.IX Item "EVP_des_ede(), EVP_des_ede_cbc(), EVP_des_ede_cfb(), EVP_des_ede_cfb64(), EVP_des_ede_ecb(), EVP_des_ede_ofb()"
-Two key triple \s-1DES\s0 in \s-1ECB, CBC, CFB\s0 with 64\-bit shift and \s-1OFB\s0 modes.
+Two key triple DES in ECB, CBC, CFB with 64\-bit shift and OFB modes.
.IP "\fBEVP_des_ede3()\fR, \fBEVP_des_ede3_cbc()\fR, \fBEVP_des_ede3_cfb()\fR, \fBEVP_des_ede3_cfb1()\fR, \fBEVP_des_ede3_cfb8()\fR, \fBEVP_des_ede3_cfb64()\fR, \fBEVP_des_ede3_ecb()\fR, \fBEVP_des_ede3_ofb()\fR" 4
.IX Item "EVP_des_ede3(), EVP_des_ede3_cbc(), EVP_des_ede3_cfb(), EVP_des_ede3_cfb1(), EVP_des_ede3_cfb8(), EVP_des_ede3_cfb64(), EVP_des_ede3_ecb(), EVP_des_ede3_ofb()"
-Three-key triple \s-1DES\s0 in \s-1ECB, CBC, CFB\s0 with 64\-bit shift, \s-1CFB\s0 with 1\-bit shift,
-\&\s-1CFB\s0 with 8\-bit shift and \s-1OFB\s0 modes.
-.IP "\fBEVP_des_ede3_wrap()\fR" 4
+Three-key triple DES in ECB, CBC, CFB with 64\-bit shift, CFB with 1\-bit shift,
+CFB with 8\-bit shift and OFB modes.
+.IP \fBEVP_des_ede3_wrap()\fR 4
.IX Item "EVP_des_ede3_wrap()"
-Triple-DES key wrap according to \s-1RFC 3217\s0 Section 3.
-.SH "NOTES"
+Triple-DES key wrap according to RFC 3217 Section 3.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-DES\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3
index f954ba66a0cf..b07b81f33de1 100644
--- a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,92 +52,32 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DESX_CBC 3ossl"
-.TH EVP_DESX_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_DESX_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_desx_cbc
\&\- EVP DES\-X cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_desx_cbc(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The DES-X encryption algorithm for \s-1EVP.\s0
+The DES-X encryption algorithm for EVP.
.PP
All modes below use a key length of 128 bits and acts on blocks of 128\-bits.
-.IP "\fBEVP_desx_cbc()\fR" 4
+.IP \fBEVP_desx_cbc()\fR 4
.IX Item "EVP_desx_cbc()"
-The DES-X algorithm in \s-1CBC\s0 mode.
+The DES-X algorithm in CBC mode.
.Sp
This algorithm is not provided by the OpenSSL default provider.
To use it is necessary to load either the OpenSSL legacy provider or another
@@ -161,23 +85,23 @@ implementation.
.PP
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-DES\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3
index d4f8c3fb0f32..13cc945ad7ba 100644
--- a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_IDEA_CBC 3ossl"
-.TH EVP_IDEA_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_IDEA_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_idea_cbc,
EVP_idea_cfb,
EVP_idea_cfb64,
EVP_idea_ecb,
EVP_idea_ofb
\&\- EVP IDEA cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,33 +78,33 @@ EVP_idea_ofb
\& const EVP_CIPHER *EVP_idea_ecb(void);
\& const EVP_CIPHER *EVP_idea_ofb(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1IDEA\s0 encryption algorithm for \s-1EVP.\s0
+The IDEA encryption algorithm for EVP.
.IP "\fBEVP_idea_cbc()\fR, \fBEVP_idea_cfb()\fR, \fBEVP_idea_cfb64()\fR, \fBEVP_idea_ecb()\fR, \fBEVP_idea_ofb()\fR" 4
.IX Item "EVP_idea_cbc(), EVP_idea_cfb(), EVP_idea_cfb64(), EVP_idea_ecb(), EVP_idea_ofb()"
-The \s-1IDEA\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively.
-.SH "NOTES"
+The IDEA encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-IDEA\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_md2.3 b/secure/lib/libcrypto/man/man3/EVP_md2.3
index 49e7a69e1b06..5542a3fca519 100644
--- a/secure/lib/libcrypto/man/man3/EVP_md2.3
+++ b/secure/lib/libcrypto/man/man3/EVP_md2.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,115 +52,55 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD2 3ossl"
-.TH EVP_MD2 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD2 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_md2
\&\- MD2 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_md2(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1MD2\s0 is a cryptographic hash function standardized in \s-1RFC 1319\s0 and designed by
+MD2 is a cryptographic hash function standardized in RFC 1319 and designed by
Ronald Rivest. This implementation is only available with the legacy provider.
-.IP "\fBEVP_md2()\fR" 4
+.IP \fBEVP_md2()\fR 4
.IX Item "EVP_md2()"
-The \s-1MD2\s0 algorithm which produces a 128\-bit output from a given input.
-.SH "NOTES"
+The MD2 algorithm which produces a 128\-bit output from a given input.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-MD2\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 1319.\s0
+IETF RFC 1319.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBprovider\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_md4.3 b/secure/lib/libcrypto/man/man3/EVP_md4.3
index 01ea0bb0f398..5199f76d95a7 100644
--- a/secure/lib/libcrypto/man/man3/EVP_md4.3
+++ b/secure/lib/libcrypto/man/man3/EVP_md4.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,116 +52,56 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD4 3ossl"
-.TH EVP_MD4 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD4 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_md4
\&\- MD4 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_md4(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1MD4\s0 is a cryptographic hash function standardized in \s-1RFC 1320\s0 and designed by
+MD4 is a cryptographic hash function standardized in RFC 1320 and designed by
Ronald Rivest, first published in 1990. This implementation is only available
with the legacy provider.
-.IP "\fBEVP_md4()\fR" 4
+.IP \fBEVP_md4()\fR 4
.IX Item "EVP_md4()"
-The \s-1MD4\s0 algorithm which produces a 128\-bit output from a given input.
-.SH "NOTES"
+The MD4 algorithm which produces a 128\-bit output from a given input.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-MD4\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 1320.\s0
+IETF RFC 1320.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBprovider\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_md5.3 b/secure/lib/libcrypto/man/man3/EVP_md5.3
index f697683cfaaf..66d92742ff2b 100644
--- a/secure/lib/libcrypto/man/man3/EVP_md5.3
+++ b/secure/lib/libcrypto/man/man3/EVP_md5.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD5 3ossl"
-.TH EVP_MD5 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD5 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_md5,
EVP_md5_sha1
\&\- MD5 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -148,45 +72,45 @@ EVP_md5_sha1
\& const EVP_MD *EVP_md5(void);
\& const EVP_MD *EVP_md5_sha1(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1MD5\s0 is a cryptographic hash function standardized in \s-1RFC 1321\s0 and designed by
+MD5 is a cryptographic hash function standardized in RFC 1321 and designed by
Ronald Rivest.
.PP
-The \s-1CMU\s0 Software Engineering Institute considers \s-1MD5\s0 unsuitable for further
+The CMU Software Engineering Institute considers MD5 unsuitable for further
use since its security has been severely compromised.
-.IP "\fBEVP_md5()\fR" 4
+.IP \fBEVP_md5()\fR 4
.IX Item "EVP_md5()"
-The \s-1MD5\s0 algorithm which produces a 128\-bit output from a given input.
-.IP "\fBEVP_md5_sha1()\fR" 4
+The MD5 algorithm which produces a 128\-bit output from a given input.
+.IP \fBEVP_md5_sha1()\fR 4
.IX Item "EVP_md5_sha1()"
-A hash algorithm of \s-1SSL\s0 v3 that combines \s-1MD5\s0 with \s-1SHA\-1\s0 as described in \s-1RFC
-6101.\s0
+A hash algorithm of SSL v3 that combines MD5 with SHA\-1 as described in RFC
+6101.
.Sp
-\&\s-1WARNING:\s0 this algorithm is not intended for non-SSL usage.
-.SH "NOTES"
+WARNING: this algorithm is not intended for non-SSL usage.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-MD5\fR\|(7) or \fBEVP_MD\-MD5\-SHA1\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 1321.\s0
+IETF RFC 1321.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_mdc2.3 b/secure/lib/libcrypto/man/man3/EVP_mdc2.3
index d8b657cc4783..239d78c83e59 100644
--- a/secure/lib/libcrypto/man/man3/EVP_mdc2.3
+++ b/secure/lib/libcrypto/man/man3/EVP_mdc2.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,117 +52,57 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MDC2 3ossl"
-.TH EVP_MDC2 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MDC2 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_mdc2
\&\- MDC\-2 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_mdc2(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1MDC\-2\s0 (Modification Detection Code 2 or Meyer-Schilling) is a cryptographic
+MDC\-2 (Modification Detection Code 2 or Meyer-Schilling) is a cryptographic
hash function based on a block cipher. This implementation is only available
with the legacy provider.
-.IP "\fBEVP_mdc2()\fR" 4
+.IP \fBEVP_mdc2()\fR 4
.IX Item "EVP_mdc2()"
-The \s-1MDC\-2DES\s0 algorithm of using \s-1MDC\-2\s0 with the \s-1DES\s0 block cipher. It produces a
+The MDC\-2DES algorithm of using MDC\-2 with the DES block cipher. It produces a
128\-bit output from a given input.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-MDC2\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ISO/IEC 10118\-2:2000\s0 Hash-Function 2, with \s-1DES\s0 as the underlying block cipher.
+ISO/IEC 10118\-2:2000 Hash-Function 2, with DES as the underlying block cipher.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBprovider\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3
index f98b84035be5..888bb8025c28 100644
--- a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RC2_CBC 3ossl"
-.TH EVP_RC2_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RC2_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_rc2_cbc,
EVP_rc2_cfb,
EVP_rc2_cfb64,
@@ -145,7 +69,7 @@ EVP_rc2_ofb,
EVP_rc2_40_cbc,
EVP_rc2_64_cbc
\&\- EVP RC2 cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -158,43 +82,43 @@ EVP_rc2_64_cbc
\& const EVP_CIPHER *EVP_rc2_40_cbc(void);
\& const EVP_CIPHER *EVP_rc2_64_cbc(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1RC2\s0 encryption algorithm for \s-1EVP.\s0
+The RC2 encryption algorithm for EVP.
.IP "\fBEVP_rc2_cbc()\fR, \fBEVP_rc2_cfb()\fR, \fBEVP_rc2_cfb64()\fR, \fBEVP_rc2_ecb()\fR, \fBEVP_rc2_ofb()\fR" 4
.IX Item "EVP_rc2_cbc(), EVP_rc2_cfb(), EVP_rc2_cfb64(), EVP_rc2_ecb(), EVP_rc2_ofb()"
-\&\s-1RC2\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. This is a
-variable key length cipher with an additional parameter called \*(L"effective key
-bits\*(R" or \*(L"effective key length\*(R". By default both are set to 128 bits.
+RC2 encryption algorithm in CBC, CFB, ECB and OFB modes respectively. This is a
+variable key length cipher with an additional parameter called "effective key
+bits" or "effective key length". By default both are set to 128 bits.
.IP "\fBEVP_rc2_40_cbc()\fR, \fBEVP_rc2_64_cbc()\fR" 4
.IX Item "EVP_rc2_40_cbc(), EVP_rc2_64_cbc()"
-\&\s-1RC2\s0 algorithm in \s-1CBC\s0 mode with a default key length and effective key length of
+RC2 algorithm in CBC mode with a default key length and effective key length of
40 and 64 bits.
.Sp
-\&\s-1WARNING:\s0 these functions are obsolete. Their usage should be replaced with the
+WARNING: these functions are obsolete. Their usage should be replaced with the
\&\fBEVP_rc2_cbc()\fR, \fBEVP_CIPHER_CTX_set_key_length()\fR and \fBEVP_CIPHER_CTX_ctrl()\fR
functions to set the key length and effective key length.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-RC2\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_rc4.3 b/secure/lib/libcrypto/man/man3/EVP_rc4.3
index 1e5bc73f49ec..28787a5a349f 100644
--- a/secure/lib/libcrypto/man/man3/EVP_rc4.3
+++ b/secure/lib/libcrypto/man/man3/EVP_rc4.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RC4 3ossl"
-.TH EVP_RC4 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RC4 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_rc4,
EVP_rc4_40,
EVP_rc4_hmac_md5
\&\- EVP RC4 stream cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -150,47 +74,47 @@ EVP_rc4_hmac_md5
\& const EVP_CIPHER *EVP_rc4_40(void);
\& const EVP_CIPHER *EVP_rc4_hmac_md5(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1RC4\s0 stream cipher for \s-1EVP.\s0
-.IP "\fBEVP_rc4()\fR" 4
+The RC4 stream cipher for EVP.
+.IP \fBEVP_rc4()\fR 4
.IX Item "EVP_rc4()"
-\&\s-1RC4\s0 stream cipher. This is a variable key length cipher with a default key
+RC4 stream cipher. This is a variable key length cipher with a default key
length of 128 bits.
-.IP "\fBEVP_rc4_40()\fR" 4
+.IP \fBEVP_rc4_40()\fR 4
.IX Item "EVP_rc4_40()"
-\&\s-1RC4\s0 stream cipher with 40 bit key length.
+RC4 stream cipher with 40 bit key length.
.Sp
-\&\s-1WARNING:\s0 this function is obsolete. Its usage should be replaced with the
+WARNING: this function is obsolete. Its usage should be replaced with the
\&\fBEVP_rc4()\fR and the \fBEVP_CIPHER_CTX_set_key_length()\fR functions.
-.IP "\fBEVP_rc4_hmac_md5()\fR" 4
+.IP \fBEVP_rc4_hmac_md5()\fR 4
.IX Item "EVP_rc4_hmac_md5()"
-Authenticated encryption with the \s-1RC4\s0 stream cipher with \s-1MD5\s0 as \s-1HMAC.\s0
+Authenticated encryption with the RC4 stream cipher with MD5 as HMAC.
.Sp
-\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of
-some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0
+WARNING: this is not intended for usage outside of TLS and requires calling of
+some undocumented ctrl functions. These ciphers do not conform to the EVP AEAD
interface.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-RC4\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3
index e5959e4af34e..1061dd7bef74 100644
--- a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RC5_32_12_16_CBC 3ossl"
-.TH EVP_RC5_32_12_16_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RC5_32_12_16_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_rc5_32_12_16_cbc,
EVP_rc5_32_12_16_cfb,
EVP_rc5_32_12_16_cfb64,
EVP_rc5_32_12_16_ecb,
EVP_rc5_32_12_16_ofb
\&\- EVP RC5 cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,13 +78,13 @@ EVP_rc5_32_12_16_ofb
\& const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
\& const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1RC5\s0 encryption algorithm for \s-1EVP.\s0
+The RC5 encryption algorithm for EVP.
.IP "\fBEVP_rc5_32_12_16_cbc()\fR, \fBEVP_rc5_32_12_16_cfb()\fR, \fBEVP_rc5_32_12_16_cfb64()\fR, \fBEVP_rc5_32_12_16_ecb()\fR, \fBEVP_rc5_32_12_16_ofb()\fR" 4
.IX Item "EVP_rc5_32_12_16_cbc(), EVP_rc5_32_12_16_cfb(), EVP_rc5_32_12_16_cfb64(), EVP_rc5_32_12_16_ecb(), EVP_rc5_32_12_16_ofb()"
-\&\s-1RC5\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. This is a
-variable key length cipher with an additional \*(L"number of rounds\*(R" parameter. By
+RC5 encryption algorithm in CBC, CFB, ECB and OFB modes respectively. This is a
+variable key length cipher with an additional "number of rounds" parameter. By
default the key length is set to 128 bits and 12 rounds. Alternative key lengths
can be set using \fBEVP_CIPHER_CTX_set_key_length\fR\|(3). The maximum key length is
2040 bits.
@@ -168,38 +92,38 @@ can be set using \fBEVP_CIPHER_CTX_set_key_length\fR\|(3). The maximum key lengt
The following rc5 specific \fIctrl\fRs are supported (see
\&\fBEVP_CIPHER_CTX_ctrl\fR\|(3)).
.RS 4
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_SET_RC5_ROUNDS,\s0 rounds, \s-1NULL\s0)" 4
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, rounds, NULL)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, rounds, NULL)"
-Sets the number of rounds to \fBrounds\fR. This must be one of \s-1RC5_8_ROUNDS,
-RC5_12_ROUNDS\s0 or \s-1RC5_16_ROUNDS.\s0
-.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_GET_RC5_ROUNDS, 0,\s0 &rounds)" 4
+Sets the number of rounds to \fBrounds\fR. This must be one of RC5_8_ROUNDS,
+RC5_12_ROUNDS or RC5_16_ROUNDS.
+.IP "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &rounds)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &rounds)"
Stores the number of rounds currently configured in \fB*rounds\fR where \fB*rounds\fR
is an int.
.RE
.RS 4
.RE
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-RC5\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3
index d94953cc5209..1024ad65f3a2 100644
--- a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3
+++ b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,116 +52,56 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RIPEMD160 3ossl"
-.TH EVP_RIPEMD160 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RIPEMD160 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_ripemd160
\&\- RIPEMD160 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_ripemd160(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1RIPEMD\-160\s0 is a cryptographic hash function first published in 1996 belonging
-to the \s-1RIPEMD\s0 family (\s-1RACE\s0 Integrity Primitives Evaluation Message Digest).
+RIPEMD\-160 is a cryptographic hash function first published in 1996 belonging
+to the RIPEMD family (RACE Integrity Primitives Evaluation Message Digest).
This implementation is only available with the legacy provider.
-.IP "\fBEVP_ripemd160()\fR" 4
+.IP \fBEVP_ripemd160()\fR 4
.IX Item "EVP_ripemd160()"
-The \s-1RIPEMD\-160\s0 algorithm which produces a 160\-bit output from a given input.
-.SH "NOTES"
+The RIPEMD\-160 algorithm which produces a 160\-bit output from a given input.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-RIPEMD160\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ISO/IEC 10118\-3:2016\s0 Dedicated Hash-Function 1 (\s-1RIPEMD\-160\s0).
+ISO/IEC 10118\-3:2016 Dedicated Hash-Function 1 (RIPEMD\-160).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBprovider\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3
index e63a36f2a978..f46ebd48c7d0 100644
--- a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SEED_CBC 3ossl"
-.TH EVP_SEED_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SEED_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_seed_cbc,
EVP_seed_cfb,
EVP_seed_cfb128,
EVP_seed_ecb,
EVP_seed_ofb
\&\- EVP SEED cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -154,35 +78,35 @@ EVP_seed_ofb
\& const EVP_CIPHER *EVP_seed_ecb(void);
\& const EVP_CIPHER *EVP_seed_ofb(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1SEED\s0 encryption algorithm for \s-1EVP.\s0
+The SEED encryption algorithm for EVP.
.PP
All modes below use a key length of 128 bits and acts on blocks of 128\-bits.
.IP "\fBEVP_seed_cbc()\fR, \fBEVP_seed_cfb()\fR, \fBEVP_seed_cfb128()\fR, \fBEVP_seed_ecb()\fR, \fBEVP_seed_ofb()\fR" 4
.IX Item "EVP_seed_cbc(), EVP_seed_cfb(), EVP_seed_cfb128(), EVP_seed_ecb(), EVP_seed_ofb()"
-The \s-1SEED\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively.
-.SH "NOTES"
+The SEED encryption algorithm in CBC, CFB, ECB and OFB modes respectively.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-SEED\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return an \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3 b/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3
index fd412b94f801..72eb56d45dfe 100644
--- a/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3
+++ b/secure/lib/libcrypto/man/man3/EVP_set_default_properties.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,46 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SET_DEFAULT_PROPERTIES 3ossl"
-.TH EVP_SET_DEFAULT_PROPERTIES 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SET_DEFAULT_PROPERTIES 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_set_default_properties, EVP_default_properties_enable_fips,
-EVP_default_properties_is_fips_enabled
-\&\- Set default properties for future algorithm fetches
-.SH "SYNOPSIS"
+EVP_default_properties_is_fips_enabled, EVP_get1_default_properties
+\&\- manage default properties for future algorithm fetches
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_set_default_properties(OSSL_LIB_CTX *libctx, const char *propq);
+\& char *EVP_get1_default_properties(OSSL_LIB_CTX *libctx);
\& int EVP_default_properties_enable_fips(OSSL_LIB_CTX *libctx, int enable);
\& int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBEVP_set_default_properties()\fR sets the default properties for all
-future \s-1EVP\s0 algorithm fetches, implicit as well as explicit. See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for information about implicit and explicit
+future EVP algorithm fetches, implicit as well as explicit. See
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for information about implicit and explicit
fetching.
.PP
EVP_set_default_properties stores the properties given with the string
-\&\fIpropq\fR among the \s-1EVP\s0 data that's been stored in the library context
-given with \fIlibctx\fR (\s-1NULL\s0 signifies the default library context).
+\&\fIpropq\fR among the EVP data that's been stored in the library context
+given with \fIlibctx\fR (NULL signifies the default library context).
.PP
Any previous default property for the specified library context will
be dropped.
.PP
+\&\fBEVP_get1_default_properties()\fR gets the default properties set for all future EVP
+algorithm fetches, implicit as well as explicit, for the specific library
+context.
+.PP
\&\fBEVP_default_properties_enable_fips()\fR sets the 'fips=yes' to be a default property
if \fIenable\fR is non zero, otherwise it clears 'fips' from the default property
query for the given \fIlibctx\fR. It merges the fips default property query with any
@@ -170,11 +99,15 @@ existing query strings that have been set via \fBEVP_set_default_properties()\fR
.PP
\&\fBEVP_default_properties_is_fips_enabled()\fR indicates if 'fips=yes' is a default
property for the given \fIlibctx\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBEVP_set_default_properties()\fR and \fBEVP_default_properties_enable_fips()\fR are not
thread safe. They are intended to be called only during the initialisation
phase of a \fIlibctx\fR.
+.PP
+\&\fBEVP_get1_default_properties()\fR is not thread safe. The application must ensure
+that the context reference is valid and default fetching properties are not
+being modified by a different thread.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_set_default_properties()\fR and \fBEVP_default_properties_enable_fips()\fR return 1
@@ -183,17 +116,23 @@ failure occurs.
.PP
\&\fBEVP_default_properties_is_fips_enabled()\fR returns 1 if the 'fips=yes' default
property is set for the given \fIlibctx\fR, otherwise it returns 0.
+.PP
+\&\fBEVP_get1_default_properties()\fR returns allocated memory that must be freed by
+\&\fBOPENSSL_free\fR\|(3) on success and NULL on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MD_fetch\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The functions \fBEVP_set_default_properties()\fR, \fBEVP_default_properties_enable_fips()\fR,
+\&\fBEVP_default_properties_is_fips_enabled()\fR were added in OpenSSL 3.0.
+.PP
+The function \fBEVP_get1_default_properties()\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sha1.3 b/secure/lib/libcrypto/man/man3/EVP_sha1.3
index dd35e2b52874..6bbbdecd2260 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sha1.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sha1.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,115 +52,55 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SHA1 3ossl"
-.TH EVP_SHA1 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SHA1 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_sha1
\&\- SHA\-1 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_sha1(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1SHA\-1\s0 (Secure Hash Algorithm 1) is a cryptographic hash function standardized
-in \s-1NIST FIPS 180\-4.\s0 The algorithm was designed by the United States National
+SHA\-1 (Secure Hash Algorithm 1) is a cryptographic hash function standardized
+in NIST FIPS 180\-4. The algorithm was designed by the United States National
Security Agency and initially published in 1995.
-.IP "\fBEVP_sha1()\fR" 4
+.IP \fBEVP_sha1()\fR 4
.IX Item "EVP_sha1()"
-The \s-1SHA\-1\s0 algorithm which produces a 160\-bit output from a given input.
-.SH "NOTES"
+The SHA\-1 algorithm which produces a 160\-bit output from a given input.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-SHA1\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST FIPS 180\-4.\s0
+NIST FIPS 180\-4.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sha224.3 b/secure/lib/libcrypto/man/man3/EVP_sha224.3
index f9445a7af4f7..1c4a6081e5ef 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sha224.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sha224.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SHA224 3ossl"
-.TH EVP_SHA224 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SHA224 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_sha224,
EVP_sha256,
EVP_sha512_224,
@@ -144,7 +68,7 @@ EVP_sha512_256,
EVP_sha384,
EVP_sha512
\&\- SHA\-2 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -156,42 +80,42 @@ EVP_sha512
\& const EVP_MD *EVP_sha384(void);
\& const EVP_MD *EVP_sha512(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1SHA\-2\s0 (Secure Hash Algorithm 2) is a family of cryptographic hash functions
-standardized in \s-1NIST FIPS 180\-4,\s0 first published in 2001.
+SHA\-2 (Secure Hash Algorithm 2) is a family of cryptographic hash functions
+standardized in NIST FIPS 180\-4, first published in 2001.
.IP "\fBEVP_sha224()\fR, \fBEVP_sha256()\fR, EVP_sha512_224, EVP_sha512_256, \fBEVP_sha384()\fR, \fBEVP_sha512()\fR" 4
.IX Item "EVP_sha224(), EVP_sha256(), EVP_sha512_224, EVP_sha512_256, EVP_sha384(), EVP_sha512()"
-The \s-1SHA\-2 SHA\-224, SHA\-256, SHA\-512/224, SHA512/256, SHA\-384\s0 and \s-1SHA\-512\s0
+The SHA\-2 SHA\-224, SHA\-256, SHA\-512/224, SHA512/256, SHA\-384 and SHA\-512
algorithms, which generate 224, 256, 224, 256, 384 and 512 bits
respectively of output from a given input.
.Sp
-The two algorithms: \s-1SHA\-512/224\s0 and \s-1SHA512/256\s0 are truncated forms of the
-\&\s-1SHA\-512\s0 algorithm. They are distinct from \s-1SHA\-224\s0 and \s-1SHA\-256\s0 even though
+The two algorithms: SHA\-512/224 and SHA512/256 are truncated forms of the
+SHA\-512 algorithm. They are distinct from SHA\-224 and SHA\-256 even though
their outputs are of the same size.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-SHA2\fR\|(7)instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST FIPS 180\-4.\s0
+NIST FIPS 180\-4.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3
index c22506d9d48c..f2fb6625c9d0 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SHA3_224 3ossl"
-.TH EVP_SHA3_224 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SHA3_224 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_sha3_224,
EVP_sha3_256,
EVP_sha3_384,
@@ -144,7 +68,7 @@ EVP_sha3_512,
EVP_shake128,
EVP_shake256
\&\- SHA\-3 For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -157,46 +81,46 @@ EVP_shake256
\& const EVP_MD *EVP_shake128(void);
\& const EVP_MD *EVP_shake256(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1SHA\-3\s0 (Secure Hash Algorithm 3) is a family of cryptographic hash functions
-standardized in \s-1NIST FIPS 202,\s0 first published in 2015. It is based on the
+SHA\-3 (Secure Hash Algorithm 3) is a family of cryptographic hash functions
+standardized in NIST FIPS 202, first published in 2015. It is based on the
Keccak algorithm.
.IP "\fBEVP_sha3_224()\fR, \fBEVP_sha3_256()\fR, \fBEVP_sha3_384()\fR, \fBEVP_sha3_512()\fR" 4
.IX Item "EVP_sha3_224(), EVP_sha3_256(), EVP_sha3_384(), EVP_sha3_512()"
-The \s-1SHA\-3 SHA\-3\-224, SHA\-3\-256, SHA\-3\-384,\s0 and \s-1SHA\-3\-512\s0 algorithms
+The SHA\-3 SHA\-3\-224, SHA\-3\-256, SHA\-3\-384, and SHA\-3\-512 algorithms
respectively. They produce 224, 256, 384 and 512 bits of output from a given
input.
.IP "\fBEVP_shake128()\fR, \fBEVP_shake256()\fR" 4
.IX Item "EVP_shake128(), EVP_shake256()"
-The \s-1SHAKE\-128\s0 and \s-1SHAKE\-256\s0 Extendable Output Functions (\s-1XOF\s0) that can generate
+The SHAKE\-128 and SHAKE\-256 Extendable Output Functions (XOF) that can generate
a variable hash length.
.Sp
Specifically, \fBEVP_shake128\fR provides an overall security of 128 bits, while
\&\fBEVP_shake256\fR provides that of 256 bits.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-SHA3\fR\|(7) or \fBEVP_MD\-SHAKE\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST FIPS 202.\s0
+NIST FIPS 202.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sm3.3 b/secure/lib/libcrypto/man/man3/EVP_sm3.3
index 8a4c76520a07..8c6908a9ca14 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sm3.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sm3.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,115 +52,55 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SM3 3ossl"
-.TH EVP_SM3 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SM3 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_sm3
\&\- SM3 for EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_sm3(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1SM3\s0 is a cryptographic hash function with a 256\-bit output, defined in \s-1GB/T
-32905\-2016.\s0
-.IP "\fBEVP_sm3()\fR" 4
+SM3 is a cryptographic hash function with a 256\-bit output, defined in GB/T
+32905\-2016.
+.IP \fBEVP_sm3()\fR 4
.IX Item "EVP_sm3()"
-The \s-1SM3\s0 hash function.
-.SH "NOTES"
+The SM3 hash function.
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-SM3\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1GB/T 32905\-2016\s0 and \s-1GM/T 0004\-2012.\s0
+GB/T 32905\-2016 and GM/T 0004\-2012.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017 Ribose Inc. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3
index 885be7b03cc4..ebca2629d848 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SM4_CBC 3ossl"
-.TH EVP_SM4_CBC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SM4_CBC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_sm4_cbc,
EVP_sm4_ecb,
EVP_sm4_cfb,
@@ -144,7 +68,7 @@ EVP_sm4_cfb128,
EVP_sm4_ofb,
EVP_sm4_ctr
\&\- EVP SM4 cipher
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -156,37 +80,37 @@ EVP_sm4_ctr
\& const EVP_CIPHER *EVP_sm4_ofb(void);
\& const EVP_CIPHER *EVP_sm4_ctr(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1SM4\s0 blockcipher (\s-1GB/T 32907\-2016\s0) for \s-1EVP.\s0
+The SM4 blockcipher (GB/T 32907\-2016) for EVP.
.PP
All modes below use a key length of 128 bits and acts on blocks of 128 bits.
.IP "\fBEVP_sm4_cbc()\fR, \fBEVP_sm4_ecb()\fR, \fBEVP_sm4_cfb()\fR, \fBEVP_sm4_cfb128()\fR, \fBEVP_sm4_ofb()\fR, \fBEVP_sm4_ctr()\fR" 4
.IX Item "EVP_sm4_cbc(), EVP_sm4_ecb(), EVP_sm4_cfb(), EVP_sm4_cfb128(), EVP_sm4_ofb(), EVP_sm4_ctr()"
-The \s-1SM4\s0 blockcipher with a 128\-bit key in \s-1CBC, ECB, CFB, OFB\s0 and \s-1CTR\s0 modes
+The SM4 blockcipher with a 128\-bit key in CBC, ECB, CFB, OFB and CTR modes
respectively.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling these functions multiple times and should consider using
-\&\fBEVP_CIPHER_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_CIPHER_fetch\fR\|(3) with \fBEVP_CIPHER\-SM4\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_CIPHER\s0\fR structure that contains the
+These functions return a \fBEVP_CIPHER\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_CIPHER\s0\fR structure.
+details of the \fBEVP_CIPHER\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017 Ribose Inc. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3
index 2181ad119915..de4dbc74d0c7 100644
--- a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3
+++ b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,117 +52,57 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_WHIRLPOOL 3ossl"
-.TH EVP_WHIRLPOOL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_WHIRLPOOL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_whirlpool
\&\- WHIRLPOOL For EVP
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_whirlpool(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1WHIRLPOOL\s0 is a cryptographic hash function standardized in \s-1ISO/IEC 10118\-3:2004\s0
+WHIRLPOOL is a cryptographic hash function standardized in ISO/IEC 10118\-3:2004
designed by Vincent Rijmen and Paulo S. L. M. Barreto. This implementation is
only available with the legacy provider.
-.IP "\fBEVP_whirlpool()\fR" 4
+.IP \fBEVP_whirlpool()\fR 4
.IX Item "EVP_whirlpool()"
-The \s-1WHIRLPOOL\s0 algorithm that produces a message digest of 512\-bits from a given
+The WHIRLPOOL algorithm that produces a message digest of 512\-bits from a given
input.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Developers should be aware of the negative performance implications of
calling this function multiple times and should consider using
-\&\fBEVP_MD_fetch\fR\|(3) instead.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7) for further information.
+\&\fBEVP_MD_fetch\fR\|(3) with \fBEVP_MD\-WHIRLPOOL\fR\|(7) instead.
+See "Performance" in \fBcrypto\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
+These functions return a \fBEVP_MD\fR structure that contains the
implementation of the message digest. See \fBEVP_MD_meth_new\fR\|(3) for
-details of the \fB\s-1EVP_MD\s0\fR structure.
+details of the \fBEVP_MD\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ISO/IEC 10118\-3:2004.\s0
+ISO/IEC 10118\-3:2004.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBprovider\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/GENERAL_NAME.3 b/secure/lib/libcrypto/man/man3/GENERAL_NAME.3
new file mode 100644
index 000000000000..bf7107757e94
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/GENERAL_NAME.3
@@ -0,0 +1,95 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "GENERAL_NAME 3ossl"
+.TH GENERAL_NAME 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+GENERAL_NAME,
+GENERAL_NAME_set1_X509_NAME
+\&\- GENERAL_NAME method routines
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509v3.h>
+\&
+\& typedef struct GENERAL_NAME_st GENERAL_NAME;
+\&
+\& int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBGENERAL_NAME_set1_X509_NAME()\fR creates a new GENERAL_NAME of type GEN_DIRNAME
+and populates it based on provided X509_NAME \fIsrc\fR which can be NULL.
+\&\fItgt\fR must not be NULL. If successful, \fI*tgt\fR will be set to point
+to the newly created GENERAL_NAME.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBGENERAL_NAME_set1_X509_NAME()\fR return 1 on success, 0 on error.
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBGENERAL_NAME_set1_X509_NAME()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2007\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/HMAC.3 b/secure/lib/libcrypto/man/man3/HMAC.3
index 15ab6c68203e..4134748713cd 100644
--- a/secure/lib/libcrypto/man/man3/HMAC.3
+++ b/secure/lib/libcrypto/man/man3/HMAC.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "HMAC 3ossl"
-.TH HMAC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH HMAC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
HMAC,
HMAC_CTX_new,
HMAC_CTX_reset,
@@ -150,7 +74,7 @@ HMAC_CTX_set_flags,
HMAC_CTX_get_md,
HMAC_size
\&\- HMAC message authentication code
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/hmac.h>
@@ -161,7 +85,7 @@ HMAC_size
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -183,66 +107,66 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
\& const EVP_MD *md);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1HMAC\s0 is a \s-1MAC\s0 (message authentication code), i.e. a keyed hash
+HMAC is a MAC (message authentication code), i.e. a keyed hash
function used for message authentication, which is based on a hash
function.
.PP
-\&\s-1\fBHMAC\s0()\fR computes the message authentication code of the \fIdata_len\fR bytes at
+\&\fBHMAC()\fR computes the message authentication code of the \fIdata_len\fR bytes at
\&\fIdata\fR using the hash function \fIevp_md\fR and the key \fIkey\fR which is
-\&\fIkey_len\fR bytes long. The \fIkey\fR may also be \s-1NULL\s0 with \fIkey_len\fR being 0.
+\&\fIkey_len\fR bytes long. The \fIkey\fR may also be NULL with \fIkey_len\fR being 0.
.PP
It places the result in \fImd\fR (which must have space for the output of
-the hash function, which is no more than \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes).
-If \fImd\fR is \s-1NULL,\s0 the digest is placed in a static array. The size of
-the output is placed in \fImd_len\fR, unless it is \s-1NULL.\s0 Note: passing a \s-1NULL\s0
+the hash function, which is no more than \fBEVP_MAX_MD_SIZE\fR bytes).
+If \fImd\fR is NULL, the digest is placed in a static array. The size of
+the output is placed in \fImd_len\fR, unless it is NULL. Note: passing a NULL
value for \fImd\fR to use the static array is not thread safe.
.PP
\&\fIevp_md\fR is a message digest such as \fBEVP_sha1()\fR, \fBEVP_ripemd160()\fR etc.
-\&\s-1HMAC\s0 does not support variable output length digests such as \fBEVP_shake128()\fR and
+HMAC does not support variable output length digests such as \fBEVP_shake128()\fR and
\&\fBEVP_shake256()\fR.
.PP
-\&\s-1\fBHMAC\s0()\fR uses the default \fB\s-1OSSL_LIB_CTX\s0\fR.
+\&\fBHMAC()\fR uses the default \fBOSSL_LIB_CTX\fR.
Use \fBEVP_Q_mac\fR\|(3) instead if a library context is required.
.PP
All of the functions described below are deprecated.
Applications should instead use \fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3),
\&\fBEVP_MAC_init\fR\|(3), \fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3)
-or the 'quick' single-shot \s-1MAC\s0 function \fBEVP_Q_mac\fR\|(3).
+or the 'quick' single-shot MAC function \fBEVP_Q_mac\fR\|(3).
.PP
-\&\fBHMAC_CTX_new()\fR creates a new \s-1HMAC_CTX\s0 in heap memory.
+\&\fBHMAC_CTX_new()\fR creates a new HMAC_CTX in heap memory.
.PP
-\&\fBHMAC_CTX_reset()\fR clears an existing \fB\s-1HMAC_CTX\s0\fR and associated
+\&\fBHMAC_CTX_reset()\fR clears an existing \fBHMAC_CTX\fR and associated
resources, making it suitable for new computations as if it was newly
created with \fBHMAC_CTX_new()\fR.
.PP
-\&\fBHMAC_CTX_free()\fR erases the key and other data from the \fB\s-1HMAC_CTX\s0\fR,
-releases any associated resources and finally frees the \fB\s-1HMAC_CTX\s0\fR
-itself.
+\&\fBHMAC_CTX_free()\fR erases the key and other data from the \fBHMAC_CTX\fR,
+releases any associated resources and finally frees the \fBHMAC_CTX\fR
+itself. If the argument is NULL, nothing is done.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
-\&\fBHMAC_Init_ex()\fR initializes or reuses a \fB\s-1HMAC_CTX\s0\fR structure to use the hash
-function \fIevp_md\fR and key \fIkey\fR. If both are \s-1NULL,\s0 or if \fIkey\fR is \s-1NULL\s0
+\&\fBHMAC_Init_ex()\fR initializes or reuses a \fBHMAC_CTX\fR structure to use the hash
+function \fIevp_md\fR and key \fIkey\fR. If both are NULL, or if \fIkey\fR is NULL
and \fIevp_md\fR is the same as the previous call, then the
existing key is
reused. \fIctx\fR must have been created with \fBHMAC_CTX_new()\fR before the first use
-of an \fB\s-1HMAC_CTX\s0\fR in this function.
+of an \fBHMAC_CTX\fR in this function.
.PP
-If \fBHMAC_Init_ex()\fR is called with \fIkey\fR \s-1NULL\s0 and \fIevp_md\fR is not the
+If \fBHMAC_Init_ex()\fR is called with \fIkey\fR NULL and \fIevp_md\fR is not the
same as the previous digest used by \fIctx\fR then an error is returned
because reuse of an existing key with a different digest is not supported.
.PP
-\&\fBHMAC_Init()\fR initializes a \fB\s-1HMAC_CTX\s0\fR structure to use the hash
+\&\fBHMAC_Init()\fR initializes a \fBHMAC_CTX\fR structure to use the hash
function \fIevp_md\fR and the key \fIkey\fR which is \fIkey_len\fR bytes
long.
.PP
@@ -257,35 +181,35 @@ must have space for the hash function output.
\&\fBHMAC_CTX_set_flags()\fR applies the specified flags to the internal EVP_MD_CTXs.
These flags have the same meaning as for \fBEVP_MD_CTX_set_flags\fR\|(3).
.PP
-\&\fBHMAC_CTX_get_md()\fR returns the \s-1EVP_MD\s0 that has previously been set for the
-supplied \s-1HMAC_CTX.\s0
+\&\fBHMAC_CTX_get_md()\fR returns the EVP_MD that has previously been set for the
+supplied HMAC_CTX.
.PP
\&\fBHMAC_size()\fR returns the length in bytes of the underlying hash function output.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBHMAC\s0()\fR returns a pointer to the message authentication code or \s-1NULL\s0 if
+\&\fBHMAC()\fR returns a pointer to the message authentication code or NULL if
an error occurred.
.PP
-\&\fBHMAC_CTX_new()\fR returns a pointer to a new \fB\s-1HMAC_CTX\s0\fR on success or
-\&\s-1NULL\s0 if an error occurred.
+\&\fBHMAC_CTX_new()\fR returns a pointer to a new \fBHMAC_CTX\fR on success or
+NULL if an error occurred.
.PP
\&\fBHMAC_CTX_reset()\fR, \fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR, \fBHMAC_Final()\fR and
\&\fBHMAC_CTX_copy()\fR return 1 for success or 0 if an error occurred.
.PP
-\&\fBHMAC_CTX_get_md()\fR return the \s-1EVP_MD\s0 previously set for the supplied \s-1HMAC_CTX\s0 or
-\&\s-1NULL\s0 if no \s-1EVP_MD\s0 has been set.
+\&\fBHMAC_CTX_get_md()\fR return the EVP_MD previously set for the supplied HMAC_CTX or
+NULL if no EVP_MD has been set.
.PP
\&\fBHMAC_size()\fR returns the length in bytes of the underlying hash function output
or zero on error.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 2104\s0
+RFC 2104
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBSHA1\s0\fR\|(3), \fBEVP_Q_mac\fR\|(3), \fBevp\fR\|(7)
-.SH "HISTORY"
+\&\fBSHA1\fR\|(3), \fBEVP_Q_mac\fR\|(3), \fBevp\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
-All functions except for \s-1\fBHMAC\s0()\fR were deprecated in OpenSSL 3.0.
+All functions except for \fBHMAC()\fR were deprecated in OpenSSL 3.0.
.PP
\&\fBHMAC_CTX_init()\fR was replaced with \fBHMAC_CTX_reset()\fR in OpenSSL 1.1.0.
.PP
@@ -295,11 +219,11 @@ All functions except for \s-1\fBHMAC\s0()\fR were deprecated in OpenSSL 3.0.
.PP
\&\fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR and \fBHMAC_Final()\fR did not return values in
OpenSSL before version 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/MD5.3 b/secure/lib/libcrypto/man/man3/MD5.3
index cdf581142d5a..ed96e64817de 100644
--- a/secure/lib/libcrypto/man/man3/MD5.3
+++ b/secure/lib/libcrypto/man/man3/MD5.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,181 +52,117 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "MD5 3ossl"
-.TH MD5 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH MD5 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
MD2, MD4, MD5, MD2_Init, MD2_Update, MD2_Final, MD4_Init, MD4_Update,
MD4_Final, MD5_Init, MD5_Update, MD5_Final \- MD2, MD4, and MD5 hash functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
-.Vb 1
-\& #include <openssl/md2.h>
-.Ve
-.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
+\& #include <openssl/md2.h>
+\&
\& unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md);
\&
\& int MD2_Init(MD2_CTX *c);
\& int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
\& int MD2_Final(unsigned char *md, MD2_CTX *c);
-\&
-\&
-\& #include <openssl/md4.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
+\& #include <openssl/md4.h>
+\&
\& unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
\&
\& int MD4_Init(MD4_CTX *c);
\& int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
\& int MD4_Final(unsigned char *md, MD4_CTX *c);
-\&
-\&
-\& #include <openssl/md5.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
+\& #include <openssl/md5.h>
+\&
\& unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
\&
\& int MD5_Init(MD5_CTX *c);
\& int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
\& int MD5_Final(unsigned char *md, MD5_CTX *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
and \fBEVP_DigestFinal_ex\fR\|(3).
.PP
-\&\s-1MD2, MD4,\s0 and \s-1MD5\s0 are cryptographic hash functions with a 128 bit output.
+MD2, MD4, and MD5 are cryptographic hash functions with a 128 bit output.
.PP
-\&\s-1\fBMD2\s0()\fR, \s-1\fBMD4\s0()\fR, and \s-1\fBMD5\s0()\fR compute the \s-1MD2, MD4,\s0 and \s-1MD5\s0 message digest
+\&\fBMD2()\fR, \fBMD4()\fR, and \fBMD5()\fR compute the MD2, MD4, and MD5 message digest
of the \fBn\fR bytes at \fBd\fR and place it in \fBmd\fR (which must have space
-for \s-1MD2_DIGEST_LENGTH\s0 == \s-1MD4_DIGEST_LENGTH\s0 == \s-1MD5_DIGEST_LENGTH\s0 == 16
-bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest is placed in a static
+for MD2_DIGEST_LENGTH == MD4_DIGEST_LENGTH == MD5_DIGEST_LENGTH == 16
+bytes of output). If \fBmd\fR is NULL, the digest is placed in a static
array.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
-\&\fBMD2_Init()\fR initializes a \fB\s-1MD2_CTX\s0\fR structure.
+\&\fBMD2_Init()\fR initializes a \fBMD2_CTX\fR structure.
.PP
\&\fBMD2_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBMD2_Final()\fR places the message digest in \fBmd\fR, which must have space
-for \s-1MD2_DIGEST_LENGTH\s0 == 16 bytes of output, and erases the \fB\s-1MD2_CTX\s0\fR.
+for MD2_DIGEST_LENGTH == 16 bytes of output, and erases the \fBMD2_CTX\fR.
.PP
\&\fBMD4_Init()\fR, \fBMD4_Update()\fR, \fBMD4_Final()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, and
-\&\fBMD5_Final()\fR are analogous using an \fB\s-1MD4_CTX\s0\fR and \fB\s-1MD5_CTX\s0\fR structure.
+\&\fBMD5_Final()\fR are analogous using an \fBMD4_CTX\fR and \fBMD5_CTX\fR structure. The parameter \fBMUST NOT\fR be NULL.
.PP
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3)
etc. instead of calling the hash functions directly.
-.SH "NOTE"
+.SH NOTE
.IX Header "NOTE"
-\&\s-1MD2, MD4,\s0 and \s-1MD5\s0 are recommended only for compatibility with existing
-applications. In new applications, hashes from the \s-1SHA\-2\s0 or \s-1SHA\-3\s0 family
+MD2, MD4, and MD5 are recommended only for compatibility with existing
+applications. In new applications, hashes from the SHA\-2 or SHA\-3 family
should be preferred.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBMD2\s0()\fR, \s-1\fBMD4\s0()\fR, and \s-1\fBMD5\s0()\fR return pointers to the hash value.
+\&\fBMD2()\fR, \fBMD4()\fR, and \fBMD5()\fR return pointers to the hash value.
.PP
\&\fBMD2_Init()\fR, \fBMD2_Update()\fR, \fBMD2_Final()\fR, \fBMD4_Init()\fR, \fBMD4_Update()\fR,
\&\fBMD4_Final()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, and \fBMD5_Final()\fR return 1 for
success, 0 otherwise.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 1319, RFC 1320, RFC 1321\s0
+RFC 1319, RFC 1320, RFC 1321
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_DigestInit\fR\|(3), \s-1\fBEVP_MD\-SHA2\s0\fR\|(7), \s-1\fBEVP_MD\-SHA3\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_DigestInit\fR\|(3), \fBEVP_MD\-SHA2\fR\|(7), \fBEVP_MD\-SHA3\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/MDC2_Init.3 b/secure/lib/libcrypto/man/man3/MDC2_Init.3
index 7eea4cf29a48..1a62d03fd4b5 100644
--- a/secure/lib/libcrypto/man/man3/MDC2_Init.3
+++ b/secure/lib/libcrypto/man/man3/MDC2_Init.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "MDC2_INIT 3ossl"
-.TH MDC2_INIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH MDC2_INIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
MDC2, MDC2_Init, MDC2_Update, MDC2_Final \- MDC2 hash function
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/mdc2.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -157,54 +81,54 @@ see \fBopenssl_user_macros\fR\|(7):
\& unsigned long len);
\& int MDC2_Final(unsigned char *md, MDC2_CTX *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
and \fBEVP_DigestFinal_ex\fR\|(3).
.PP
-\&\s-1MDC2\s0 is a method to construct hash functions with 128 bit output from
-block ciphers. These functions are an implementation of \s-1MDC2\s0 with
-\&\s-1DES.\s0
+MDC2 is a method to construct hash functions with 128 bit output from
+block ciphers. These functions are an implementation of MDC2 with
+DES.
.PP
-\&\s-1\fBMDC2\s0()\fR computes the \s-1MDC2\s0 message digest of the \fBn\fR
+\&\fBMDC2()\fR computes the MDC2 message digest of the \fBn\fR
bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
-\&\s-1MDC2_DIGEST_LENGTH\s0 == 16 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
+MDC2_DIGEST_LENGTH == 16 bytes of output). If \fBmd\fR is NULL, the digest
is placed in a static array.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
-\&\fBMDC2_Init()\fR initializes a \fB\s-1MDC2_CTX\s0\fR structure.
+\&\fBMDC2_Init()\fR initializes a \fBMDC2_CTX\fR structure.
.PP
\&\fBMDC2_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBMDC2_Final()\fR places the message digest in \fBmd\fR, which must have space
-for \s-1MDC2_DIGEST_LENGTH\s0 == 16 bytes of output, and erases the \fB\s-1MDC2_CTX\s0\fR.
+for MDC2_DIGEST_LENGTH == 16 bytes of output, and erases the \fBMDC2_CTX\fR.
.PP
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3) etc. instead of calling the
hash functions directly.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBMDC2\s0()\fR returns a pointer to the hash value.
+\&\fBMDC2()\fR returns a pointer to the hash value.
.PP
\&\fBMDC2_Init()\fR, \fBMDC2_Update()\fR and \fBMDC2_Final()\fR return 1 for success, 0 otherwise.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ISO/IEC 10118\-2:2000\s0 Hash-Function 2, with \s-1DES\s0 as the underlying block cipher.
+ISO/IEC 10118\-2:2000 Hash-Function 2, with DES as the underlying block cipher.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/Makefile b/secure/lib/libcrypto/man/man3/Makefile
index dfac5d5c5545..46d20013e0ac 100644
--- a/secure/lib/libcrypto/man/man3/Makefile
+++ b/secure/lib/libcrypto/man/man3/Makefile
@@ -33,6 +33,7 @@ MAN+= BIO_f_ssl.3
MAN+= BIO_find_type.3
MAN+= BIO_get_data.3
MAN+= BIO_get_ex_new_index.3
+MAN+= BIO_get_rpoll_descriptor.3
MAN+= BIO_meth_new.3
MAN+= BIO_new.3
MAN+= BIO_new_CMS.3
@@ -45,11 +46,13 @@ MAN+= BIO_s_bio.3
MAN+= BIO_s_connect.3
MAN+= BIO_s_core.3
MAN+= BIO_s_datagram.3
+MAN+= BIO_s_dgram_pair.3
MAN+= BIO_s_fd.3
MAN+= BIO_s_file.3
MAN+= BIO_s_mem.3
MAN+= BIO_s_null.3
MAN+= BIO_s_socket.3
+MAN+= BIO_sendmmsg.3
MAN+= BIO_set_callback.3
MAN+= BIO_should_retry.3
MAN+= BIO_socket_wait.3
@@ -74,6 +77,7 @@ MAN+= BN_set_bit.3
MAN+= BN_swap.3
MAN+= BN_zero.3
MAN+= BUF_MEM_new.3
+MAN+= CMAC_CTX.3
MAN+= CMS_EncryptedData_decrypt.3
MAN+= CMS_EncryptedData_encrypt.3
MAN+= CMS_EnvelopedData_create.3
@@ -92,9 +96,11 @@ MAN+= CMS_get0_type.3
MAN+= CMS_get1_ReceiptRequest.3
MAN+= CMS_sign.3
MAN+= CMS_sign_receipt.3
+MAN+= CMS_signed_get_attr.3
MAN+= CMS_uncompress.3
MAN+= CMS_verify.3
MAN+= CMS_verify_receipt.3
+MAN+= COMP_CTX_new.3
MAN+= CONF_modules_free.3
MAN+= CONF_modules_load_file.3
MAN+= CRYPTO_THREAD_run_once.3
@@ -128,6 +134,8 @@ MAN+= DSA_sign.3
MAN+= DSA_size.3
MAN+= DTLS_get_data_mtu.3
MAN+= DTLS_set_timer_cb.3
+MAN+= DTLSv1_get_timeout.3
+MAN+= DTLSv1_handle_timeout.3
MAN+= DTLSv1_listen.3
MAN+= ECDSA_SIG_new.3
MAN+= ECDSA_sign.3
@@ -174,6 +182,7 @@ MAN+= EVP_PKEY_ASN1_METHOD.3
MAN+= EVP_PKEY_CTX_ctrl.3
MAN+= EVP_PKEY_CTX_get0_libctx.3
MAN+= EVP_PKEY_CTX_get0_pkey.3
+MAN+= EVP_PKEY_CTX_get_algor.3
MAN+= EVP_PKEY_CTX_new.3
MAN+= EVP_PKEY_CTX_set1_pbe_pass.3
MAN+= EVP_PKEY_CTX_set_hkdf_md.3
@@ -191,6 +200,7 @@ MAN+= EVP_PKEY_digestsign_supports_digest.3
MAN+= EVP_PKEY_encapsulate.3
MAN+= EVP_PKEY_encrypt.3
MAN+= EVP_PKEY_fromdata.3
+MAN+= EVP_PKEY_get_attr.3
MAN+= EVP_PKEY_get_default_digest_nid.3
MAN+= EVP_PKEY_get_field_type.3
MAN+= EVP_PKEY_get_group_name.3
@@ -212,6 +222,8 @@ MAN+= EVP_PKEY_verify.3
MAN+= EVP_PKEY_verify_recover.3
MAN+= EVP_RAND.3
MAN+= EVP_SIGNATURE.3
+MAN+= EVP_SKEY.3
+MAN+= EVP_SKEYMGMT.3
MAN+= EVP_SealInit.3
MAN+= EVP_SignInit.3
MAN+= EVP_VerifyInit.3
@@ -241,6 +253,7 @@ MAN+= EVP_sha3_224.3
MAN+= EVP_sm3.3
MAN+= EVP_sm4_cbc.3
MAN+= EVP_whirlpool.3
+MAN+= GENERAL_NAME.3
MAN+= HMAC.3
MAN+= MD5.3
MAN+= MDC2_Init.3
@@ -265,14 +278,18 @@ MAN+= OPENSSL_init_crypto.3
MAN+= OPENSSL_init_ssl.3
MAN+= OPENSSL_instrument_bus.3
MAN+= OPENSSL_load_builtin_modules.3
+MAN+= OPENSSL_load_u16_le.3
MAN+= OPENSSL_malloc.3
+MAN+= OPENSSL_riscvcap.3
MAN+= OPENSSL_s390xcap.3
MAN+= OPENSSL_secure_malloc.3
MAN+= OPENSSL_strcasecmp.3
MAN+= OSSL_ALGORITHM.3
MAN+= OSSL_CALLBACK.3
+MAN+= OSSL_CMP_ATAV_set0.3
MAN+= OSSL_CMP_CTX_new.3
MAN+= OSSL_CMP_HDR_get0_transactionID.3
+MAN+= OSSL_CMP_ITAV_new_caCerts.3
MAN+= OSSL_CMP_ITAV_set0.3
MAN+= OSSL_CMP_MSG_get0_header.3
MAN+= OSSL_CMP_MSG_http_perform.3
@@ -296,18 +313,27 @@ MAN+= OSSL_ENCODER.3
MAN+= OSSL_ENCODER_CTX.3
MAN+= OSSL_ENCODER_CTX_new_for_pkey.3
MAN+= OSSL_ENCODER_to_bio.3
+MAN+= OSSL_ERR_STATE_save.3
MAN+= OSSL_ESS_check_signing_certs.3
+MAN+= OSSL_GENERAL_NAMES_print.3
+MAN+= OSSL_HPKE_CTX_new.3
MAN+= OSSL_HTTP_REQ_CTX.3
MAN+= OSSL_HTTP_parse_url.3
MAN+= OSSL_HTTP_transfer.3
+MAN+= OSSL_IETF_ATTR_SYNTAX.3
+MAN+= OSSL_IETF_ATTR_SYNTAX_print.3
+MAN+= OSSL_INDICATOR_set_callback.3
MAN+= OSSL_ITEM.3
MAN+= OSSL_LIB_CTX.3
+MAN+= OSSL_LIB_CTX_set_conf_diagnostics.3
MAN+= OSSL_PARAM.3
MAN+= OSSL_PARAM_BLD.3
MAN+= OSSL_PARAM_allocate_from_text.3
MAN+= OSSL_PARAM_dup.3
MAN+= OSSL_PARAM_int.3
+MAN+= OSSL_PARAM_print_to_bio.3
MAN+= OSSL_PROVIDER.3
+MAN+= OSSL_QUIC_client_method.3
MAN+= OSSL_SELF_TEST_new.3
MAN+= OSSL_SELF_TEST_set_callback.3
MAN+= OSSL_STORE_INFO.3
@@ -316,11 +342,13 @@ MAN+= OSSL_STORE_SEARCH.3
MAN+= OSSL_STORE_attach.3
MAN+= OSSL_STORE_expect.3
MAN+= OSSL_STORE_open.3
+MAN+= OSSL_sleep.3
MAN+= OSSL_trace_enabled.3
MAN+= OSSL_trace_get_category_num.3
MAN+= OSSL_trace_set_channel.3
MAN+= OpenSSL_add_all_algorithms.3
MAN+= OpenSSL_version.3
+MAN+= PBMAC1_get1_pbkdf2_param.3
MAN+= PEM_X509_INFO_read_bio_ex.3
MAN+= PEM_bytes_read_bio.3
MAN+= PEM_read.3
@@ -333,6 +361,7 @@ MAN+= PKCS12_PBE_keyivgen.3
MAN+= PKCS12_SAFEBAG_create_cert.3
MAN+= PKCS12_SAFEBAG_get0_attrs.3
MAN+= PKCS12_SAFEBAG_get1_cert.3
+MAN+= PKCS12_SAFEBAG_set0_attrs.3
MAN+= PKCS12_add1_attr_by_NID.3
MAN+= PKCS12_add_CSPName_asc.3
MAN+= PKCS12_add_cert.3
@@ -424,6 +453,7 @@ MAN+= SSL_CTX_sess_set_cache_size.3
MAN+= SSL_CTX_sess_set_get_cb.3
MAN+= SSL_CTX_sessions.3
MAN+= SSL_CTX_set0_CA_list.3
+MAN+= SSL_CTX_set1_cert_comp_preference.3
MAN+= SSL_CTX_set1_curves.3
MAN+= SSL_CTX_set1_sigalgs.3
MAN+= SSL_CTX_set1_verify_cert_store.3
@@ -437,6 +467,7 @@ MAN+= SSL_CTX_set_client_hello_cb.3
MAN+= SSL_CTX_set_ct_validation_callback.3
MAN+= SSL_CTX_set_ctlog_list_file.3
MAN+= SSL_CTX_set_default_passwd_cb.3
+MAN+= SSL_CTX_set_domain_flags.3
MAN+= SSL_CTX_set_generate_session_id.3
MAN+= SSL_CTX_set_info_callback.3
MAN+= SSL_CTX_set_keylog_callback.3
@@ -444,6 +475,7 @@ MAN+= SSL_CTX_set_max_cert_list.3
MAN+= SSL_CTX_set_min_proto_version.3
MAN+= SSL_CTX_set_mode.3
MAN+= SSL_CTX_set_msg_callback.3
+MAN+= SSL_CTX_set_new_pending_conn_cb.3
MAN+= SSL_CTX_set_num_tickets.3
MAN+= SSL_CTX_set_options.3
MAN+= SSL_CTX_set_psk_client_callback.3
@@ -482,6 +514,7 @@ MAN+= SSL_SESSION_is_resumable.3
MAN+= SSL_SESSION_print.3
MAN+= SSL_SESSION_set1_id.3
MAN+= SSL_accept.3
+MAN+= SSL_accept_stream.3
MAN+= SSL_alert_type_string.3
MAN+= SSL_alloc_buffers.3
MAN+= SSL_check_chain.3
@@ -491,60 +524,92 @@ MAN+= SSL_do_handshake.3
MAN+= SSL_export_keying_material.3
MAN+= SSL_extension_supported.3
MAN+= SSL_free.3
+MAN+= SSL_get0_connection.3
+MAN+= SSL_get0_group_name.3
+MAN+= SSL_get0_peer_rpk.3
MAN+= SSL_get0_peer_scts.3
+MAN+= SSL_get1_builtin_sigalgs.3
MAN+= SSL_get_SSL_CTX.3
MAN+= SSL_get_all_async_fds.3
MAN+= SSL_get_certificate.3
MAN+= SSL_get_ciphers.3
MAN+= SSL_get_client_random.3
+MAN+= SSL_get_conn_close_info.3
MAN+= SSL_get_current_cipher.3
MAN+= SSL_get_default_timeout.3
MAN+= SSL_get_error.3
+MAN+= SSL_get_event_timeout.3
MAN+= SSL_get_extms_support.3
MAN+= SSL_get_fd.3
+MAN+= SSL_get_handshake_rtt.3
MAN+= SSL_get_peer_cert_chain.3
MAN+= SSL_get_peer_certificate.3
MAN+= SSL_get_peer_signature_nid.3
MAN+= SSL_get_peer_tmp_key.3
MAN+= SSL_get_psk_identity.3
MAN+= SSL_get_rbio.3
+MAN+= SSL_get_rpoll_descriptor.3
MAN+= SSL_get_session.3
MAN+= SSL_get_shared_sigalgs.3
+MAN+= SSL_get_stream_id.3
+MAN+= SSL_get_stream_read_state.3
+MAN+= SSL_get_value_uint.3
MAN+= SSL_get_verify_result.3
MAN+= SSL_get_version.3
MAN+= SSL_group_to_name.3
+MAN+= SSL_handle_events.3
MAN+= SSL_in_init.3
+MAN+= SSL_inject_net_dgram.3
MAN+= SSL_key_update.3
MAN+= SSL_library_init.3
MAN+= SSL_load_client_CA_file.3
MAN+= SSL_new.3
+MAN+= SSL_new_domain.3
+MAN+= SSL_new_listener.3
+MAN+= SSL_new_stream.3
MAN+= SSL_pending.3
+MAN+= SSL_poll.3
MAN+= SSL_read.3
MAN+= SSL_read_early_data.3
MAN+= SSL_rstate_string.3
MAN+= SSL_session_reused.3
MAN+= SSL_set1_host.3
+MAN+= SSL_set1_initial_peer_addr.3
+MAN+= SSL_set1_server_cert_type.3
MAN+= SSL_set_async_callback.3
MAN+= SSL_set_bio.3
+MAN+= SSL_set_blocking_mode.3
MAN+= SSL_set_connect_state.3
+MAN+= SSL_set_default_stream_mode.3
MAN+= SSL_set_fd.3
+MAN+= SSL_set_incoming_stream_policy.3
+MAN+= SSL_set_quic_tls_cbs.3
MAN+= SSL_set_retry_verify.3
MAN+= SSL_set_session.3
+MAN+= SSL_set_session_secret_cb.3
MAN+= SSL_set_shutdown.3
MAN+= SSL_set_verify_result.3
MAN+= SSL_shutdown.3
MAN+= SSL_state_string.3
+MAN+= SSL_stream_conclude.3
+MAN+= SSL_stream_reset.3
MAN+= SSL_want.3
MAN+= SSL_write.3
MAN+= TS_RESP_CTX_new.3
-MAN+= TS_VERIFY_CTX_set_certs.3
+MAN+= TS_VERIFY_CTX.3
MAN+= UI_STRING.3
MAN+= UI_UTIL_read_pw.3
MAN+= UI_create_method.3
MAN+= UI_new.3
MAN+= X509V3_get_d2i.3
MAN+= X509V3_set_ctx.3
+MAN+= X509_ACERT_add1_attr.3
+MAN+= X509_ACERT_add_attr_nconf.3
+MAN+= X509_ACERT_get0_holder_baseCertId.3
+MAN+= X509_ACERT_get_attr.3
+MAN+= X509_ACERT_print_ex.3
MAN+= X509_ALGOR_dup.3
+MAN+= X509_ATTRIBUTE.3
MAN+= X509_CRL_get0_by_serial.3
MAN+= X509_EXTENSION_set_object.3
MAN+= X509_LOOKUP.3
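Review bot: The change from `MAN+= TS_VERIFY_CTX_set_certs.3` to `MAN+= TS_VERIFY_CTX.3` in this hunk comes with no alias for the old name: the only `MLINKS` change in this Makefile's diff is the removal of `MLINKS+= TS_VERIFY_CTX_set_certs.3 TS_VERIFY_CTS_set_certs.3` in the `@@ -4281,7 +4350,6 @@` hunk, and no hunk adds an `MLINKS+=` line. If the renamed page still documents `TS_VERIFY_CTX_set_certs()`, `man TS_VERIFY_CTX_set_certs` stops resolving after this change; a line such as `MLINKS+= TS_VERIFY_CTX.3 TS_VERIFY_CTX_set_certs.3` would keep it reachable. The same gap applies to the other pages added with `MAN+=` in this file's hunks, since any function documented there under a secondary name gets no link. This may be intended if the MLINKS list is regenerated in a follow-up change, which is not visible here.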
@@ -556,7 +621,10 @@ MAN+= X509_NAME_get0_der.3
MAN+= X509_NAME_get_index_by_NID.3
MAN+= X509_NAME_print_ex.3
MAN+= X509_PUBKEY_new.3
+MAN+= X509_REQ_get_attr.3
+MAN+= X509_REQ_get_extensions.3
MAN+= X509_SIG_get0.3
+MAN+= X509_STORE_CTX_get_by_subject.3
MAN+= X509_STORE_CTX_get_error.3
MAN+= X509_STORE_CTX_new.3
MAN+= X509_STORE_CTX_set_verify_cb.3
@@ -579,6 +647,7 @@ MAN+= X509_get0_distinguishing_id.3
MAN+= X509_get0_notBefore.3
MAN+= X509_get0_signature.3
MAN+= X509_get0_uids.3
+MAN+= X509_get_default_cert_file.3
MAN+= X509_get_extension_flags.3
MAN+= X509_get_pubkey.3
MAN+= X509_get_serialNumber.3
@@ -4281,7 +4350,6 @@ MLINKS+= X509_dup.3 TS_STATUS_INFO_new.3
MLINKS+= X509_dup.3 TS_TST_INFO_dup.3
MLINKS+= X509_dup.3 TS_TST_INFO_free.3
MLINKS+= X509_dup.3 TS_TST_INFO_new.3
-MLINKS+= TS_VERIFY_CTX_set_certs.3 TS_VERIFY_CTS_set_certs.3
MLINKS+= UI_new.3 UI.3
MLINKS+= UI_create_method.3 UI_METHOD.3
MLINKS+= UI_new.3 UI_OpenSSL.3
diff --git a/secure/lib/libcrypto/man/man3/NCONF_new_ex.3 b/secure/lib/libcrypto/man/man3/NCONF_new_ex.3
index b822b992f520..c381c63979a2 100644
--- a/secure/lib/libcrypto/man/man3/NCONF_new_ex.3
+++ b/secure/lib/libcrypto/man/man3/NCONF_new_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "NCONF_NEW_EX 3ossl"
-.TH NCONF_NEW_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH NCONF_NEW_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
NCONF_new_ex, NCONF_new, NCONF_free, NCONF_default, NCONF_load,
NCONF_get0_libctx, NCONF_get_section, NCONF_get_section_names
\&\- functionality to Load and parse configuration files manually
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
@@ -161,20 +85,20 @@ NCONF_get0_libctx, NCONF_get_section, NCONF_get_section_names
\& STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf, const char *name);
\& STACK_OF(OPENSSL_CSTRING) *NCONF_get_section_names(const CONF *conf);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBNCONF_new_ex()\fR creates a new \s-1CONF\s0 object in heap memory and assigns to
+\&\fBNCONF_new_ex()\fR creates a new CONF object in heap memory and assigns to
it a context \fIlibctx\fR that can be used during loading. If the method table
-\&\fImeth\fR is set to \s-1NULL\s0 then the default value of \fBNCONF_default()\fR is used.
+\&\fImeth\fR is set to NULL then the default value of \fBNCONF_default()\fR is used.
.PP
-\&\fBNCONF_new()\fR is similar to \fBNCONF_new_ex()\fR but sets the \fIlibctx\fR to \s-1NULL.\s0
+\&\fBNCONF_new()\fR is similar to \fBNCONF_new_ex()\fR but sets the \fIlibctx\fR to NULL.
.PP
\&\fBNCONF_free()\fR frees the data associated with \fIconf\fR and then frees the \fIconf\fR
-object.
+object. If the argument is NULL, nothing is done.
.PP
\&\fBNCONF_load()\fR parses the file named \fIfilename\fR and adds the values found to
\&\fIconf\fR. If an error occurs \fIfile\fR and \fIeline\fR list the file and line that
-the load failed on if they are not \s-1NULL.\s0
+the load failed on if they are not NULL.
.PP
\&\fBNCONF_default()\fR gets the default method table for processing a configuration file.
.PP
@@ -182,32 +106,32 @@ the load failed on if they are not \s-1NULL.\s0
parameter.
.PP
\&\fBNCONF_get_section_names()\fR gets the names of the sections associated with
-the \fIconf\fR as \fB\s-1STACK_OF\s0(\s-1OPENSSL_CSTRING\s0)\fR strings. The individual strings
+the \fIconf\fR as \fBSTACK_OF(OPENSSL_CSTRING)\fR strings. The individual strings
are associated with the \fIconf\fR and will be invalid after \fIconf\fR is
freed. The returned stack must be freed with \fBsk_OPENSSL_CSTRING_free()\fR.
.PP
\&\fBNCONF_get_section()\fR gets the config values associated with the \fIconf\fR from
-the config section \fIname\fR as \fB\s-1STACK_OF\s0(\s-1CONF_VALUE\s0)\fR structures. The returned
+the config section \fIname\fR as \fBSTACK_OF(CONF_VALUE)\fR structures. The returned
stack is associated with the \fIconf\fR and will be invalid after \fIconf\fR
is freed. It must not be freed by the caller.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBNCONF_load()\fR returns 1 on success or 0 on error.
.PP
-\&\fBNCONF_new_ex()\fR and \fBNCONF_new()\fR return a newly created \fI\s-1CONF\s0\fR object
-or \s-1NULL\s0 if an error occurs.
+\&\fBNCONF_new_ex()\fR and \fBNCONF_new()\fR return a newly created \fICONF\fR object
+or NULL if an error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBCONF_modules_load_file\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBNCONF_new_ex()\fR, \fBNCONF_get0_libctx()\fR, and \fBNCONF_get_section_names()\fR were added
in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3
index 10f728653301..e21e4d730458 100644
--- a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3
+++ b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OBJ_NID2OBJ 3ossl"
-.TH OBJ_NID2OBJ 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OBJ_NID2OBJ 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
i2t_ASN1_OBJECT,
OBJ_length, OBJ_get0_data, OBJ_nid2obj, OBJ_nid2ln,
OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, OBJ_cmp,
OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup, OBJ_add_sigid
\&\- ASN1 object utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/objects.h>
@@ -174,44 +98,44 @@ OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup, OBJ_add_sigid
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void OBJ_cleanup(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1ASN1\s0 object utility functions process \s-1ASN1_OBJECT\s0 structures which are
-a representation of the \s-1ASN1 OBJECT IDENTIFIER\s0 (\s-1OID\s0) type.
+The ASN1 object utility functions process ASN1_OBJECT structures which are
+a representation of the ASN1 OBJECT IDENTIFIER (OID) type.
For convenience, OIDs are usually represented in source code as numeric
-identifiers, or \fB\s-1NID\s0\fRs. OpenSSL has an internal table of OIDs that
+identifiers, or \fBNID\fRs. OpenSSL has an internal table of OIDs that
are generated when the library is built, and their corresponding NIDs
are available as defined constants. For the functions below, application
-code should treat all returned values \*(-- OIDs, NIDs, or names \*(-- as
+code should treat all returned values \-\- OIDs, NIDs, or names \-\- as
constants.
.PP
-\&\fBOBJ_nid2obj()\fR, \fBOBJ_nid2ln()\fR and \fBOBJ_nid2sn()\fR convert the \s-1NID\s0 \fIn\fR to
-an \s-1ASN1_OBJECT\s0 structure, its long name and its short name respectively,
-or \fB\s-1NULL\s0\fR if an error occurred.
+\&\fBOBJ_nid2obj()\fR, \fBOBJ_nid2ln()\fR and \fBOBJ_nid2sn()\fR convert the NID \fIn\fR to
+an ASN1_OBJECT structure, its long name and its short name respectively,
+or \fBNULL\fR if an error occurred.
.PP
-\&\fBOBJ_obj2nid()\fR, \fBOBJ_ln2nid()\fR, \fBOBJ_sn2nid()\fR return the corresponding \s-1NID\s0
+\&\fBOBJ_obj2nid()\fR, \fBOBJ_ln2nid()\fR, \fBOBJ_sn2nid()\fR return the corresponding NID
for the object \fIo\fR, the long name \fIln\fR or the short name \fIsn\fR respectively
or NID_undef if an error occurred.
.PP
-\&\fBOBJ_txt2nid()\fR returns \s-1NID\s0 corresponding to text string \fIs\fR. \fIs\fR can be
+\&\fBOBJ_txt2nid()\fR returns NID corresponding to text string \fIs\fR. \fIs\fR can be
a long name, a short name or the numerical representation of an object.
.PP
-\&\fBOBJ_txt2obj()\fR converts the text string \fIs\fR into an \s-1ASN1_OBJECT\s0 structure.
+\&\fBOBJ_txt2obj()\fR converts the text string \fIs\fR into an ASN1_OBJECT structure.
If \fIno_name\fR is 0 then long names and short names will be interpreted
as well as numerical forms. If \fIno_name\fR is 1 only the numerical form
is acceptable.
.PP
-\&\fBOBJ_obj2txt()\fR converts the \fB\s-1ASN1_OBJECT\s0\fR \fIa\fR into a textual representation.
-Unless \fIbuf\fR is \s-1NULL,\s0
+\&\fBOBJ_obj2txt()\fR converts the \fBASN1_OBJECT\fR \fIa\fR into a textual representation.
+Unless \fIbuf\fR is NULL,
the representation is written as a NUL-terminated string to \fIbuf\fR, where
at most \fIbuf_len\fR bytes are written, truncating the result if necessary.
-In any case it returns the total string length, excluding the \s-1NUL\s0 character,
+In any case it returns the total string length, excluding the NUL character,
required for non-truncated representation, or \-1 on error.
If \fIno_name\fR is 0 then if the object has a long or short name
then that will be used, otherwise the numerical form will be used.
@@ -225,31 +149,32 @@ If \fIno_name\fR is 1 then the numerical form will always be used.
.PP
\&\fBOBJ_create()\fR adds a new object to the internal table. \fIoid\fR is the
numerical form of the object, \fIsn\fR the short name and \fIln\fR the
-long name. A new \s-1NID\s0 is returned for the created object in case of
-success and NID_undef in case of failure.
+long name. A new NID is returned for the created object in case of
+success and NID_undef in case of failure. Any of \fIoid\fR, \fIsn\fR and
+\&\fIln\fR may be NULL, but not all at once.
.PP
\&\fBOBJ_length()\fR returns the size of the content octets of \fIobj\fR.
.PP
\&\fBOBJ_get0_data()\fR returns a pointer to the content octets of \fIobj\fR.
The returned pointer is an internal pointer which \fBmust not\fR be freed.
.PP
-\&\fBOBJ_add_sigid()\fR creates a new composite \*(L"Signature Algorithm\*(R" that associates a
-given \s-1NID\s0 with two other NIDs \- one representing the underlying signature
+\&\fBOBJ_add_sigid()\fR creates a new composite "Signature Algorithm" that associates a
+given NID with two other NIDs \- one representing the underlying signature
algorithm and the other representing a digest algorithm to be used in
-conjunction with it. \fIsignid\fR represents the \s-1NID\s0 for the composite \*(L"Signature
-Algorithm\*(R", \fIdig_id\fR is the \s-1NID\s0 for the digest algorithm and \fIpkey_id\fR is the
-\&\s-1NID\s0 for the underlying signature algorithm. As there are signature algorithms
+conjunction with it. \fIsignid\fR represents the NID for the composite "Signature
+Algorithm", \fIdig_id\fR is the NID for the digest algorithm and \fIpkey_id\fR is the
+NID for the underlying signature algorithm. As there are signature algorithms
that do not require a digest, NID_undef is a valid \fIdig_id\fR.
.PP
\&\fBOBJ_cleanup()\fR releases any resources allocated by creating new objects.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Objects in OpenSSL can have a short name, a long name and a numerical
-identifier (\s-1NID\s0) associated with them. A standard set of objects is
+identifier (NID) associated with them. A standard set of objects is
represented in an internal table. The appropriate values are defined
in the header file \fBobjects.h\fR.
.PP
-For example the \s-1OID\s0 for commonName has the following definitions:
+For example the OID for commonName has the following definitions:
.PP
.Vb 3
\& #define SN_commonName "CN"
@@ -264,39 +189,41 @@ their NIDs can be used in a C language switch statement. They are
also static constant structures which are shared: that is there
is only a single constant structure for each table object.
.PP
-Objects which are not in the table have the \s-1NID\s0 value NID_undef.
+Objects which are not in the table have the NID value NID_undef.
.PP
Objects do not need to be in the internal tables to be processed,
the functions \fBOBJ_txt2obj()\fR and \fBOBJ_obj2txt()\fR can process the numerical
-form of an \s-1OID.\s0
+form of an OID.
.PP
Some objects are used to represent algorithms which do not have a
-corresponding \s-1ASN.1 OBJECT IDENTIFIER\s0 encoding (for example no \s-1OID\s0 currently
+corresponding ASN.1 OBJECT IDENTIFIER encoding (for example no OID currently
exists for a particular algorithm). As a result they \fBcannot\fR be encoded or
-decoded as part of \s-1ASN.1\s0 structures. Applications can determine if there
-is a corresponding \s-1OBJECT IDENTIFIER\s0 by checking \fBOBJ_length()\fR is not zero.
+decoded as part of ASN.1 structures. Applications can determine if there
+is a corresponding OBJECT IDENTIFIER by checking \fBOBJ_length()\fR is not zero.
.PP
-These functions cannot return \fBconst\fR because an \fB\s-1ASN1_OBJECT\s0\fR can
-represent both an internal, constant, \s-1OID\s0 and a dynamically-created one.
+These functions cannot return \fBconst\fR because an \fBASN1_OBJECT\fR can
+represent both an internal, constant, OID and a dynamically-created one.
The latter cannot be constant because it needs to be freed after use.
+.PP
+These functions were not thread safe in OpenSSL 3.0 and before.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOBJ_nid2obj()\fR returns an \fB\s-1ASN1_OBJECT\s0\fR structure or \fB\s-1NULL\s0\fR is an
+\&\fBOBJ_nid2obj()\fR returns an \fBASN1_OBJECT\fR structure or \fBNULL\fR is an
error occurred.
.PP
-\&\fBOBJ_nid2ln()\fR and \fBOBJ_nid2sn()\fR returns a valid string or \fB\s-1NULL\s0\fR
+\&\fBOBJ_nid2ln()\fR and \fBOBJ_nid2sn()\fR returns a valid string or \fBNULL\fR
on error.
.PP
\&\fBOBJ_obj2nid()\fR, \fBOBJ_ln2nid()\fR, \fBOBJ_sn2nid()\fR and \fBOBJ_txt2nid()\fR return
-a \s-1NID\s0 or \fBNID_undef\fR on error.
+a NID or \fBNID_undef\fR on error.
.PP
\&\fBOBJ_add_sigid()\fR returns 1 on success or 0 on error.
.PP
\&\fBi2t_ASN1_OBJECT()\fR an \fBOBJ_obj2txt()\fR return \-1 on error.
On success, they return the length of the string written to \fIbuf\fR if \fIbuf\fR is
-not \s-1NULL\s0 and \fIbuf_len\fR is big enough, otherwise the total string length.
-Note that this does not count the trailing \s-1NUL\s0 character.
-.SH "EXAMPLES"
+not NULL and \fIbuf_len\fR is big enough, otherwise the total string length.
+Note that this does not count the trailing NUL character.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Create an object for \fBcommonName\fR:
.PP
@@ -311,7 +238,7 @@ Check if an object is \fBcommonName\fR
\& /* Do something */
.Ve
.PP
-Create a new \s-1NID\s0 and initialize an object from it:
+Create a new NID and initialize an object from it:
.PP
.Vb 2
\& int new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier");
@@ -323,23 +250,18 @@ Create a new object directly:
.Vb 1
\& obj = OBJ_txt2obj("1.2.3.4", 1);
.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-Neither \fBOBJ_create()\fR nor \fBOBJ_add_sigid()\fR do any locking and are thus not
-thread safe. Moreover, none of the other functions should be called while
-concurrent calls to these two functions are possible.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOBJ_cleanup()\fR was deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_crypto\fR\|(3)
and should not be used.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3
index f92456647b91..d54db7e37fc6 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_REQUEST_NEW 3ossl"
-.TH OCSP_REQUEST_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OCSP_REQUEST_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OCSP_REQUEST_new, OCSP_REQUEST_free, OCSP_request_add0_id, OCSP_request_sign,
OCSP_request_add1_cert, OCSP_request_onereq_count,
OCSP_request_onereq_get0 \- OCSP request functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
@@ -159,57 +83,58 @@ OCSP_request_onereq_get0 \- OCSP request functions
\& int OCSP_request_onereq_count(OCSP_REQUEST *req);
\& OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOCSP_REQUEST_new()\fR allocates and returns an empty \fB\s-1OCSP_REQUEST\s0\fR structure.
+\&\fBOCSP_REQUEST_new()\fR allocates and returns an empty \fBOCSP_REQUEST\fR structure.
.PP
\&\fBOCSP_REQUEST_free()\fR frees up the request structure \fBreq\fR.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOCSP_request_add0_id()\fR adds certificate \s-1ID\s0 \fBcid\fR to \fBreq\fR. It returns
-the \fB\s-1OCSP_ONEREQ\s0\fR structure added so an application can add additional
-extensions to the request. The \fBid\fR parameter \fB\s-1MUST NOT\s0\fR be freed up after
+\&\fBOCSP_request_add0_id()\fR adds certificate ID \fBcid\fR to \fBreq\fR. It returns
+the \fBOCSP_ONEREQ\fR structure added so an application can add additional
+extensions to the request. The \fBid\fR parameter \fBMUST NOT\fR be freed up after
the operation.
.PP
-\&\fBOCSP_request_sign()\fR signs \s-1OCSP\s0 request \fBreq\fR using certificate
+\&\fBOCSP_request_sign()\fR signs OCSP request \fBreq\fR using certificate
\&\fBsigner\fR, private key \fBkey\fR, digest \fBdgst\fR and additional certificates
-\&\fBcerts\fR. If the \fBflags\fR option \fB\s-1OCSP_NOCERTS\s0\fR is set then no certificates
+\&\fBcerts\fR. If the \fBflags\fR option \fBOCSP_NOCERTS\fR is set then no certificates
will be included in the request.
.PP
\&\fBOCSP_request_add1_cert()\fR adds certificate \fBcert\fR to request \fBreq\fR. The
application is responsible for freeing up \fBcert\fR after use.
.PP
-\&\fBOCSP_request_onereq_count()\fR returns the total number of \fB\s-1OCSP_ONEREQ\s0\fR
+\&\fBOCSP_request_onereq_count()\fR returns the total number of \fBOCSP_ONEREQ\fR
structures in \fBreq\fR.
.PP
-\&\fBOCSP_request_onereq_get0()\fR returns an internal pointer to the \fB\s-1OCSP_ONEREQ\s0\fR
+\&\fBOCSP_request_onereq_get0()\fR returns an internal pointer to the \fBOCSP_ONEREQ\fR
contained in \fBreq\fR of index \fBi\fR. The index value \fBi\fR runs from 0 to
OCSP_request_onereq_count(req) \- 1.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOCSP_REQUEST_new()\fR returns an empty \fB\s-1OCSP_REQUEST\s0\fR structure or \fB\s-1NULL\s0\fR if
+\&\fBOCSP_REQUEST_new()\fR returns an empty \fBOCSP_REQUEST\fR structure or \fBNULL\fR if
an error occurred.
.PP
-\&\fBOCSP_request_add0_id()\fR returns the \fB\s-1OCSP_ONEREQ\s0\fR structure containing \fBcid\fR
-or \fB\s-1NULL\s0\fR if an error occurred.
+\&\fBOCSP_request_add0_id()\fR returns the \fBOCSP_ONEREQ\fR structure containing \fBcid\fR
+or \fBNULL\fR if an error occurred.
.PP
\&\fBOCSP_request_sign()\fR and \fBOCSP_request_add1_cert()\fR return 1 for success and 0
for failure.
.PP
-\&\fBOCSP_request_onereq_count()\fR returns the total number of \fB\s-1OCSP_ONEREQ\s0\fR
+\&\fBOCSP_request_onereq_count()\fR returns the total number of \fBOCSP_ONEREQ\fR
structures in \fBreq\fR and \-1 on error.
.PP
-\&\fBOCSP_request_onereq_get0()\fR returns a pointer to an \fB\s-1OCSP_ONEREQ\s0\fR structure
-or \fB\s-1NULL\s0\fR if the index value is out or range.
-.SH "NOTES"
+\&\fBOCSP_request_onereq_get0()\fR returns a pointer to an \fBOCSP_ONEREQ\fR structure
+or \fBNULL\fR if the index value is out or range.
+.SH NOTES
.IX Header "NOTES"
-An \s-1OCSP\s0 request structure contains one or more \fB\s-1OCSP_ONEREQ\s0\fR structures
+An OCSP request structure contains one or more \fBOCSP_ONEREQ\fR structures
corresponding to each certificate.
.PP
\&\fBOCSP_request_onereq_count()\fR and \fBOCSP_request_onereq_get0()\fR are mainly used by
-\&\s-1OCSP\s0 responders.
-.SH "EXAMPLES"
+OCSP responders.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Create an \fB\s-1OCSP_REQUEST\s0\fR structure for certificate \fBcert\fR with issuer
+Create an \fBOCSP_REQUEST\fR structure for certificate \fBcert\fR with issuer
\&\fBissuer\fR:
.PP
.Vb 2
@@ -238,11 +163,11 @@ Create an \fB\s-1OCSP_REQUEST\s0\fR structure for certificate \fBcert\fR with is
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3
index 606c6b5e0fdf..6080897ea68f 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_CERT_TO_ID 3ossl"
-.TH OCSP_CERT_TO_ID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OCSP_CERT_TO_ID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OCSP_cert_to_id, OCSP_cert_id_new, OCSP_CERTID_free, OCSP_id_issuer_cmp,
OCSP_id_cmp, OCSP_id_get0_info \- OCSP certificate ID utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
@@ -161,29 +85,30 @@ OCSP_id_cmp, OCSP_id_get0_info \- OCSP certificate ID utility functions
\& ASN1_OCTET_STRING **pikeyHash,
\& ASN1_INTEGER **pserial, OCSP_CERTID *cid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOCSP_cert_to_id()\fR creates and returns a new \fB\s-1OCSP_CERTID\s0\fR structure using
+\&\fBOCSP_cert_to_id()\fR creates and returns a new \fBOCSP_CERTID\fR structure using
message digest \fBdgst\fR for certificate \fBsubject\fR with issuer \fBissuer\fR. If
-\&\fBdgst\fR is \fB\s-1NULL\s0\fR then \s-1SHA1\s0 is used.
+\&\fBdgst\fR is \fBNULL\fR then SHA1 is used.
.PP
-\&\fBOCSP_cert_id_new()\fR creates and returns a new \fB\s-1OCSP_CERTID\s0\fR using \fBdgst\fR and
+\&\fBOCSP_cert_id_new()\fR creates and returns a new \fBOCSP_CERTID\fR using \fBdgst\fR and
issuer name \fBissuerName\fR, issuer key hash \fBissuerKey\fR and serial number
\&\fBserialNumber\fR.
.PP
\&\fBOCSP_CERTID_free()\fR frees up \fBid\fR.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOCSP_id_cmp()\fR compares \fB\s-1OCSP_CERTID\s0\fR \fBa\fR and \fBb\fR.
+\&\fBOCSP_id_cmp()\fR compares \fBOCSP_CERTID\fR \fBa\fR and \fBb\fR.
.PP
-\&\fBOCSP_id_issuer_cmp()\fR compares only the issuer name of \fB\s-1OCSP_CERTID\s0\fR \fBa\fR and \fBb\fR.
+\&\fBOCSP_id_issuer_cmp()\fR compares only the issuer name of \fBOCSP_CERTID\fR \fBa\fR and \fBb\fR.
.PP
-\&\fBOCSP_id_get0_info()\fR returns the issuer name hash, hash \s-1OID,\s0 issuer key hash and
+\&\fBOCSP_id_get0_info()\fR returns the issuer name hash, hash OID, issuer key hash and
serial number contained in \fBcid\fR. If any of the values are not required the
-corresponding parameter can be set to \fB\s-1NULL\s0\fR.
+corresponding parameter can be set to \fBNULL\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_cert_to_id()\fR and \fBOCSP_cert_id_new()\fR return either a pointer to a valid
-\&\fB\s-1OCSP_CERTID\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred.
+\&\fBOCSP_CERTID\fR structure or \fBNULL\fR if an error occurred.
.PP
\&\fBOCSP_id_cmp()\fR and \fBOCSP_id_issuer_cmp()\fR returns zero for a match and nonzero
otherwise.
@@ -191,14 +116,14 @@ otherwise.
\&\fBOCSP_CERTID_free()\fR does not return a value.
.PP
\&\fBOCSP_id_get0_info()\fR returns 1 for success and 0 for failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1OCSP\s0 clients will typically only use \fBOCSP_cert_to_id()\fR or \fBOCSP_cert_id_new()\fR:
+OCSP clients will typically only use \fBOCSP_cert_to_id()\fR or \fBOCSP_cert_id_new()\fR:
the other functions are used by responder applications.
.PP
-The values returned by \fBOCSP_id_get0_info()\fR are internal pointers and \fB\s-1MUST
-NOT\s0\fR be freed up by an application: they will be freed when the corresponding
-\&\fB\s-1OCSP_CERTID\s0\fR structure is freed.
+The values returned by \fBOCSP_id_get0_info()\fR are internal pointers and \fBMUST
+NOT\fR be freed up by an application: they will be freed when the corresponding
+\&\fBOCSP_CERTID\fR structure is freed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
@@ -207,11 +132,11 @@ NOT\s0\fR be freed up by an application: they will be freed when the correspondi
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3
index 2c77cdab64e3..8ddedb5967ab 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_REQUEST_ADD1_NONCE 3ossl"
-.TH OCSP_REQUEST_ADD1_NONCE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OCSP_REQUEST_ADD1_NONCE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce \- OCSP nonce functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
@@ -148,14 +72,14 @@ OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonc
\& int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
\& int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *resp);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOCSP_request_add1_nonce()\fR adds a nonce of value \fBval\fR and length \fBlen\fR to
-\&\s-1OCSP\s0 request \fBreq\fR. If \fBval\fR is \fB\s-1NULL\s0\fR a random nonce is used. If \fBlen\fR
+OCSP request \fBreq\fR. If \fBval\fR is \fBNULL\fR a random nonce is used. If \fBlen\fR
is zero or negative a default length will be used (currently 16 bytes).
.PP
\&\fBOCSP_basic_add1_nonce()\fR is identical to \fBOCSP_request_add1_nonce()\fR except
-it adds a nonce to \s-1OCSP\s0 basic response \fBresp\fR.
+it adds a nonce to OCSP basic response \fBresp\fR.
.PP
\&\fBOCSP_check_nonce()\fR compares the nonce value in \fBreq\fR and \fBresp\fR.
.PP
@@ -174,18 +98,18 @@ nonces are present and equal 1 is returned. If the nonces are absent 2 is
returned. If a nonce is present in the response only 3 is returned. If nonces
are present and unequal 0 is returned. If the nonce is present in the request
only then \-1 is returned.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
For most purposes the nonce value in a request is set to a random value so
-the \fBval\fR parameter in \fBOCSP_request_add1_nonce()\fR is usually \s-1NULL.\s0
+the \fBval\fR parameter in \fBOCSP_request_add1_nonce()\fR is usually NULL.
.PP
-An \s-1OCSP\s0 nonce is typically added to an \s-1OCSP\s0 request to thwart replay attacks
+An OCSP nonce is typically added to an OCSP request to thwart replay attacks
by checking the same nonce value appears in the response.
.PP
Some responders may include a nonce in all responses even if one is not
supplied.
.PP
-Some responders cache \s-1OCSP\s0 responses and do not sign each response for
+Some responders cache OCSP responses and do not sign each response for
performance reasons. As a result they do not support nonces.
.PP
The return values of \fBOCSP_check_nonce()\fR can be checked to cover each case. A
@@ -203,11 +127,11 @@ condition.
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3
index bd41ecfe8fb0..ec960b7aea49 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_RESP_FIND_STATUS 3ossl"
-.TH OCSP_RESP_FIND_STATUS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OCSP_RESP_FIND_STATUS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OCSP_resp_find_status, OCSP_resp_count,
OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status,
OCSP_resp_get0_produced_at, OCSP_resp_get0_signature,
@@ -145,7 +69,7 @@ OCSP_resp_get0_certs, OCSP_resp_get0_signer,
OCSP_resp_get0_id, OCSP_resp_get1_id,
OCSP_check_validity, OCSP_basic_verify
\&\- OCSP response utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
@@ -189,24 +113,24 @@ OCSP_check_validity, OCSP_basic_verify
\& int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
\& X509_STORE *st, unsigned long flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOCSP_resp_find_status()\fR searches \fIbs\fR for an \s-1OCSP\s0 response for \fIid\fR. If it is
+\&\fBOCSP_resp_find_status()\fR searches \fIbs\fR for an OCSP response for \fIid\fR. If it is
successful the fields of the response are returned in \fI*status\fR, \fI*reason\fR,
\&\fI*revtime\fR, \fI*thisupd\fR and \fI*nextupd\fR. The \fI*status\fR value will be one of
\&\fBV_OCSP_CERTSTATUS_GOOD\fR, \fBV_OCSP_CERTSTATUS_REVOKED\fR or
\&\fBV_OCSP_CERTSTATUS_UNKNOWN\fR. The \fI*reason\fR and \fI*revtime\fR fields are only
set if the status is \fBV_OCSP_CERTSTATUS_REVOKED\fR. If set the \fI*reason\fR field
will be set to the revocation reason which will be one of
-\&\fB\s-1OCSP_REVOKED_STATUS_NOSTATUS\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_UNSPECIFIED\s0\fR,
-\&\fB\s-1OCSP_REVOKED_STATUS_KEYCOMPROMISE\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_CACOMPROMISE\s0\fR,
-\&\fB\s-1OCSP_REVOKED_STATUS_AFFILIATIONCHANGED\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_SUPERSEDED\s0\fR,
-\&\fB\s-1OCSP_REVOKED_STATUS_CESSATIONOFOPERATION\s0\fR,
-\&\fB\s-1OCSP_REVOKED_STATUS_CERTIFICATEHOLD\s0\fR or \fB\s-1OCSP_REVOKED_STATUS_REMOVEFROMCRL\s0\fR.
+\&\fBOCSP_REVOKED_STATUS_NOSTATUS\fR, \fBOCSP_REVOKED_STATUS_UNSPECIFIED\fR,
+\&\fBOCSP_REVOKED_STATUS_KEYCOMPROMISE\fR, \fBOCSP_REVOKED_STATUS_CACOMPROMISE\fR,
+\&\fBOCSP_REVOKED_STATUS_AFFILIATIONCHANGED\fR, \fBOCSP_REVOKED_STATUS_SUPERSEDED\fR,
+\&\fBOCSP_REVOKED_STATUS_CESSATIONOFOPERATION\fR,
+\&\fBOCSP_REVOKED_STATUS_CERTIFICATEHOLD\fR or \fBOCSP_REVOKED_STATUS_REMOVEFROMCRL\fR.
.PP
-\&\fBOCSP_resp_count()\fR returns the number of \fB\s-1OCSP_SINGLERESP\s0\fR structures in \fIbs\fR.
+\&\fBOCSP_resp_count()\fR returns the number of \fBOCSP_SINGLERESP\fR structures in \fIbs\fR.
.PP
-\&\fBOCSP_resp_get0()\fR returns the \fB\s-1OCSP_SINGLERESP\s0\fR structure in \fIbs\fR corresponding
+\&\fBOCSP_resp_get0()\fR returns the \fBOCSP_SINGLERESP\fR structure in \fIbs\fR corresponding
to index \fIidx\fR, where \fIidx\fR runs from 0 to OCSP_resp_count(bs) \- 1.
.PP
\&\fBOCSP_resp_find()\fR searches \fIbs\fR for \fIid\fR and returns the index of the first
@@ -227,15 +151,15 @@ single response \fIbs\fR.
\&\fBOCSP_resp_get0_certs()\fR returns any certificates included in \fIbs\fR.
.PP
\&\fBOCSP_resp_get0_signer()\fR attempts to retrieve the certificate that directly
-signed \fIbs\fR. The \s-1OCSP\s0 protocol does not require that this certificate
+signed \fIbs\fR. The OCSP protocol does not require that this certificate
is included in the \fBcerts\fR field of the response, so additional certificates
can be supplied via the \fIextra_certs\fR if the certificates that may have
signed the response are known via some out-of-band mechanism.
.PP
-\&\fBOCSP_resp_get0_id()\fR gets the responder id of \fIbs\fR. If the responder \s-1ID\s0 is
-a name then <*pname> is set to the name and \fI*pid\fR is set to \s-1NULL.\s0 If the
-responder \s-1ID\s0 is by key \s-1ID\s0 then \fI*pid\fR is set to the key \s-1ID\s0 and \fI*pname\fR
-is set to \s-1NULL.\s0
+\&\fBOCSP_resp_get0_id()\fR gets the responder id of \fIbs\fR. If the responder ID is
+a name then <*pname> is set to the name and \fI*pid\fR is set to NULL. If the
+responder ID is by key ID then \fI*pid\fR is set to the key ID and \fI*pname\fR
+is set to NULL.
.PP
\&\fBOCSP_resp_get1_id()\fR is the same as \fBOCSP_resp_get0_id()\fR
but leaves ownership of \fI*pid\fR and \fI*pname\fR with the caller,
@@ -252,37 +176,37 @@ signed and that the signer certificate can be validated. It takes \fIst\fR as
the trusted store and \fIcerts\fR as a set of untrusted intermediate certificates.
The function first tries to find the signer certificate of the response
in \fIcerts\fR. It then searches the certificates the responder may have included
-in \fIbs\fR unless \fIflags\fR contains \fB\s-1OCSP_NOINTERN\s0\fR.
+in \fIbs\fR unless \fIflags\fR contains \fBOCSP_NOINTERN\fR.
It fails if the signer certificate cannot be found.
-Next, unless \fIflags\fR contains \fB\s-1OCSP_NOSIGS\s0\fR, the function checks
+Next, unless \fIflags\fR contains \fBOCSP_NOSIGS\fR, the function checks
the signature of \fIbs\fR and fails on error. Then the function already returns
-success if \fIflags\fR contains \fB\s-1OCSP_NOVERIFY\s0\fR or if the signer certificate
-was found in \fIcerts\fR and \fIflags\fR contains \fB\s-1OCSP_TRUSTOTHER\s0\fR.
+success if \fIflags\fR contains \fBOCSP_NOVERIFY\fR or if the signer certificate
+was found in \fIcerts\fR and \fIflags\fR contains \fBOCSP_TRUSTOTHER\fR.
Otherwise the function continues by validating the signer certificate.
-If \fIflags\fR contains \fB\s-1OCSP_PARTIAL_CHAIN\s0\fR it takes intermediate \s-1CA\s0
+If \fIflags\fR contains \fBOCSP_PARTIAL_CHAIN\fR it takes intermediate CA
certificates in \fIst\fR as trust anchors.
For more details, see the description of \fBX509_V_FLAG_PARTIAL_CHAIN\fR
-in \*(L"\s-1VERIFICATION FLAGS\*(R"\s0 in \fBX509_VERIFY_PARAM_set_flags\fR\|(3).
-If \fIflags\fR contains \fB\s-1OCSP_NOCHAIN\s0\fR it ignores all certificates in \fIcerts\fR
-and in \fIbs\fR, else it takes them as untrusted intermediate \s-1CA\s0 certificates
+in "VERIFICATION FLAGS" in \fBX509_VERIFY_PARAM_set_flags\fR\|(3).
+If \fIflags\fR contains \fBOCSP_NOCHAIN\fR it ignores all certificates in \fIcerts\fR
+and in \fIbs\fR, else it takes them as untrusted intermediate CA certificates
and uses them for constructing the validation path for the signer certificate.
Certificate revocation status checks using CRLs is disabled during path validation
if the signer certificate contains the \fBid-pkix-ocsp-no-check\fR extension.
After successful path
-validation the function returns success if the \fB\s-1OCSP_NOCHECKS\s0\fR flag is set.
-Otherwise it verifies that the signer certificate meets the \s-1OCSP\s0 issuer
+validation the function returns success if the \fBOCSP_NOCHECKS\fR flag is set.
+Otherwise it verifies that the signer certificate meets the OCSP issuer
criteria including potential delegation. If this does not succeed and the
-\&\fB\s-1OCSP_NOEXPLICIT\s0\fR flag is not set the function checks for explicit
-trust for \s-1OCSP\s0 signing in the root \s-1CA\s0 certificate.
+\&\fBOCSP_NOEXPLICIT\fR flag is not set the function checks for explicit
+trust for OCSP signing in the root CA certificate.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_resp_find_status()\fR returns 1 if \fIid\fR is found in \fIbs\fR and 0 otherwise.
.PP
-\&\fBOCSP_resp_count()\fR returns the total number of \fB\s-1OCSP_SINGLERESP\s0\fR fields in \fIbs\fR
+\&\fBOCSP_resp_count()\fR returns the total number of \fBOCSP_SINGLERESP\fR fields in \fIbs\fR
or \-1 on error.
.PP
-\&\fBOCSP_resp_get0()\fR returns a pointer to an \fB\s-1OCSP_SINGLERESP\s0\fR structure or
-\&\s-1NULL\s0 on error, such as \fIidx\fR being out of range.
+\&\fBOCSP_resp_get0()\fR returns a pointer to an \fBOCSP_SINGLERESP\fR structure or
+NULL on error, such as \fIidx\fR being out of range.
.PP
\&\fBOCSP_resp_find()\fR returns the index of \fIid\fR in \fIbs\fR (which may be 0)
or \-1 on error, such as when \fIid\fR was not found.
@@ -312,13 +236,13 @@ Otherwise it returns 0 to indicate an error.
.PP
\&\fBOCSP_basic_verify()\fR returns 1 on success, 0 on verification not successful,
or \-1 on a fatal error such as malloc failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Applications will typically call \fBOCSP_resp_find_status()\fR using the certificate
-\&\s-1ID\s0 of interest and then check its validity using \fBOCSP_check_validity()\fR. They
+ID of interest and then check its validity using \fBOCSP_check_validity()\fR. They
can then take appropriate action based on the status of the certificate.
.PP
-An \s-1OCSP\s0 response for a certificate contains \fBthisUpdate\fR and \fBnextUpdate\fR
+An OCSP response for a certificate contains \fBthisUpdate\fR and \fBnextUpdate\fR
fields. Normally the current time should be between these two values. To
account for clock skew the \fImaxsec\fR field can be set to nonzero in
\&\fBOCSP_check_validity()\fR. Some responders do not set the \fBnextUpdate\fR field, this
@@ -328,8 +252,8 @@ age of responses.
.PP
The values written to \fI*revtime\fR, \fI*thisupd\fR and \fI*nextupd\fR by
\&\fBOCSP_resp_find_status()\fR and \fBOCSP_single_get0_status()\fR are internal pointers
-which \s-1MUST NOT\s0 be freed up by the calling application. Any or all of these
-parameters can be set to \s-1NULL\s0 if their value is not required.
+which MUST NOT be freed up by the calling application. Any or all of these
+parameters can be set to NULL if their value is not required.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
@@ -339,11 +263,11 @@ parameters can be set to \s-1NULL\s0 if their value is not required.
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3),
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_response_status.3 b/secure/lib/libcrypto/man/man3/OCSP_response_status.3
index 231c85ab8e37..3376db40368c 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_response_status.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_response_status.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_RESPONSE_STATUS 3ossl"
-.TH OCSP_RESPONSE_STATUS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OCSP_RESPONSE_STATUS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
OCSP_RESPID_set_by_key_ex, OCSP_RESPID_set_by_key, OCSP_RESPID_match_ex,
OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx
\&\- OCSP response functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
@@ -166,61 +90,62 @@ OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx
\& int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx,
\& STACK_OF(X509) *certs, unsigned long flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOCSP_response_status()\fR returns the \s-1OCSP\s0 response status of \fIresp\fR. It returns
-one of the values: \fI\s-1OCSP_RESPONSE_STATUS_SUCCESSFUL\s0\fR,
-\&\fI\s-1OCSP_RESPONSE_STATUS_MALFORMEDREQUEST\s0\fR,
-\&\fI\s-1OCSP_RESPONSE_STATUS_INTERNALERROR\s0\fR, \fI\s-1OCSP_RESPONSE_STATUS_TRYLATER\s0\fR
-\&\fI\s-1OCSP_RESPONSE_STATUS_SIGREQUIRED\s0\fR, or \fI\s-1OCSP_RESPONSE_STATUS_UNAUTHORIZED\s0\fR.
+\&\fBOCSP_response_status()\fR returns the OCSP response status of \fIresp\fR. It returns
+one of the values: \fIOCSP_RESPONSE_STATUS_SUCCESSFUL\fR,
+\&\fIOCSP_RESPONSE_STATUS_MALFORMEDREQUEST\fR,
+\&\fIOCSP_RESPONSE_STATUS_INTERNALERROR\fR, \fIOCSP_RESPONSE_STATUS_TRYLATER\fR
+\&\fIOCSP_RESPONSE_STATUS_SIGREQUIRED\fR, or \fIOCSP_RESPONSE_STATUS_UNAUTHORIZED\fR.
.PP
-\&\fBOCSP_response_get1_basic()\fR decodes and returns the \fI\s-1OCSP_BASICRESP\s0\fR structure
+\&\fBOCSP_response_get1_basic()\fR decodes and returns the \fIOCSP_BASICRESP\fR structure
contained in \fIresp\fR.
.PP
-\&\fBOCSP_response_create()\fR creates and returns an \fI\s-1OCSP_RESPONSE\s0\fR structure for
+\&\fBOCSP_response_create()\fR creates and returns an \fIOCSP_RESPONSE\fR structure for
\&\fIstatus\fR and optionally including basic response \fIbs\fR.
.PP
-\&\fBOCSP_RESPONSE_free()\fR frees up \s-1OCSP\s0 response \fIresp\fR.
+\&\fBOCSP_RESPONSE_free()\fR frees up OCSP response \fIresp\fR.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOCSP_RESPID_set_by_name()\fR sets the name of the \s-1OCSP_RESPID\s0 to be the same as the
-subject name in the supplied X509 certificate \fIcert\fR for the \s-1OCSP\s0 responder.
+\&\fBOCSP_RESPID_set_by_name()\fR sets the name of the OCSP_RESPID to be the same as the
+subject name in the supplied X509 certificate \fIcert\fR for the OCSP responder.
.PP
-\&\fBOCSP_RESPID_set_by_key_ex()\fR sets the key of the \s-1OCSP_RESPID\s0 to be the same as the
-key in the supplied X509 certificate \fIcert\fR for the \s-1OCSP\s0 responder. The key is
-stored as a \s-1SHA1\s0 hash. To calculate the hash the \s-1SHA1\s0 algorithm is fetched using
+\&\fBOCSP_RESPID_set_by_key_ex()\fR sets the key of the OCSP_RESPID to be the same as the
+key in the supplied X509 certificate \fIcert\fR for the OCSP responder. The key is
+stored as a SHA1 hash. To calculate the hash the SHA1 algorithm is fetched using
the library ctx \fIlibctx\fR and the property query string \fIpropq\fR (see
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information).
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information).
.PP
\&\fBOCSP_RESPID_set_by_key()\fR does the same as \fBOCSP_RESPID_set_by_key_ex()\fR except
that the default library context is used with an empty property query string.
.PP
-Note that an \s-1OCSP_RESPID\s0 can only have one of the name, or the key set. Calling
+Note that an OCSP_RESPID can only have one of the name, or the key set. Calling
\&\fBOCSP_RESPID_set_by_name()\fR or \fBOCSP_RESPID_set_by_key()\fR will clear any existing
setting.
.PP
-\&\fBOCSP_RESPID_match_ex()\fR tests whether the \s-1OCSP_RESPID\s0 given in \fIrespid\fR matches
-with the X509 certificate \fIcert\fR based on the \s-1SHA1\s0 hash. To calculate the hash
-the \s-1SHA1\s0 algorithm is fetched using the library ctx \fIlibctx\fR and the property
-query string \fIpropq\fR (see \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further
+\&\fBOCSP_RESPID_match_ex()\fR tests whether the OCSP_RESPID given in \fIrespid\fR matches
+with the X509 certificate \fIcert\fR based on the SHA1 hash. To calculate the hash
+the SHA1 algorithm is fetched using the library ctx \fIlibctx\fR and the property
+query string \fIpropq\fR (see "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further
information).
.PP
\&\fBOCSP_RESPID_match()\fR does the same as \fBOCSP_RESPID_match_ex()\fR except that the
default library context is used with an empty property query string.
.PP
-\&\fBOCSP_basic_sign()\fR signs \s-1OCSP\s0 response \fIbrsp\fR using certificate \fIsigner\fR, private key
+\&\fBOCSP_basic_sign()\fR signs OCSP response \fIbrsp\fR using certificate \fIsigner\fR, private key
\&\fIkey\fR, digest \fIdgst\fR and additional certificates \fIcerts\fR. If the \fIflags\fR option
-\&\fI\s-1OCSP_NOCERTS\s0\fR is set then no certificates will be included in the response. If the
-\&\fIflags\fR option \fI\s-1OCSP_RESPID_KEY\s0\fR is set then the responder is identified by key \s-1ID\s0
-rather than by name. \fBOCSP_basic_sign_ctx()\fR also signs \s-1OCSP\s0 response \fIbrsp\fR but
+\&\fIOCSP_NOCERTS\fR is set then no certificates will be included in the response. If the
+\&\fIflags\fR option \fIOCSP_RESPID_KEY\fR is set then the responder is identified by key ID
+rather than by name. \fBOCSP_basic_sign_ctx()\fR also signs OCSP response \fIbrsp\fR but
uses the parameters contained in digest context \fIctx\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_RESPONSE_status()\fR returns a status value.
.PP
-\&\fBOCSP_response_get1_basic()\fR returns an \fI\s-1OCSP_BASICRESP\s0\fR structure pointer or
-\&\fI\s-1NULL\s0\fR if an error occurred.
+\&\fBOCSP_response_get1_basic()\fR returns an \fIOCSP_BASICRESP\fR structure pointer or
+\&\fINULL\fR if an error occurred.
.PP
-\&\fBOCSP_response_create()\fR returns an \fI\s-1OCSP_RESPONSE\s0\fR structure pointer or \fI\s-1NULL\s0\fR
+\&\fBOCSP_response_create()\fR returns an \fIOCSP_RESPONSE\fR structure pointer or \fINULL\fR
if an error occurred.
.PP
\&\fBOCSP_RESPONSE_free()\fR does not return a value.
@@ -229,12 +154,12 @@ if an error occurred.
\&\fBOCSP_basic_sign_ctx()\fR return 1 on success or 0
on failure.
.PP
-\&\fBOCSP_RESPID_match()\fR returns 1 if the \s-1OCSP_RESPID\s0 and the X509 certificate match
+\&\fBOCSP_RESPID_match()\fR returns 1 if the OCSP_RESPID and the X509 certificate match
or 0 otherwise.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBOCSP_response_get1_basic()\fR is only called if the status of a response is
-\&\fI\s-1OCSP_RESPONSE_STATUS_SUCCESSFUL\s0\fR.
+\&\fIOCSP_RESPONSE_STATUS_SUCCESSFUL\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
@@ -245,17 +170,17 @@ or 0 otherwise.
\&\fBOCSP_sendreq_new\fR\|(3)
\&\fBOCSP_RESPID_new\fR\|(3)
\&\fBOCSP_RESPID_free\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBOCSP_RESPID_set_by_name()\fR, \fBOCSP_RESPID_set_by_key()\fR and \fBOCSP_RESPID_match()\fR
functions were added in OpenSSL 1.1.0a.
.PP
The \fBOCSP_basic_sign_ctx()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3
index 8d8a42d3f8ce..1d965a6145fd 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_SENDREQ_NEW 3ossl"
-.TH OCSP_SENDREQ_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OCSP_SENDREQ_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OCSP_REQ_CTX,
OCSP_sendreq_new,
OCSP_sendreq_nbio,
@@ -147,7 +71,7 @@ OCSP_REQ_CTX_free,
OCSP_set_max_response_length,
OCSP_REQ_CTX_set1_req
\&\- OCSP responder query functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
@@ -158,7 +82,7 @@ OCSP_REQ_CTX_set1_req
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 8
@@ -171,31 +95,31 @@ see \fBopenssl_user_macros\fR\|(7):
\& void OCSP_set_max_response_length(OCSP_REQ_CT *rctx, unsigned long len);
\& int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, const OCSP_REQUEST *req);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions perform an \s-1OCSP POST\s0 request / response transfer over \s-1HTTP,\s0
-using the \s-1HTTP\s0 request functions described in \s-1\fBOSSL_HTTP_REQ_CTX\s0\fR\|(3).
+These functions perform an OCSP POST request / response transfer over HTTP,
+using the HTTP request functions described in \fBOSSL_HTTP_REQ_CTX\fR\|(3).
.PP
-The function \fBOCSP_sendreq_new()\fR builds a complete \fB\s-1OSSL_HTTP_REQ_CTX\s0\fR structure
-with the \fB\s-1BIO\s0\fR \fIio\fR to be used for requests and response, the \s-1URL\s0 path \fIpath\fR,
-optionally the \s-1OCSP\s0 request \fIreq\fR, and a response header maximum line length
+The function \fBOCSP_sendreq_new()\fR builds a complete \fBOSSL_HTTP_REQ_CTX\fR structure
+with the \fBBIO\fR \fIio\fR to be used for requests and response, the URL path \fIpath\fR,
+optionally the OCSP request \fIreq\fR, and a response header maximum line length
of \fIbuf_size\fR. If \fIbuf_size\fR is zero a default value of 4KiB is used.
-The \fIreq\fR may be set to \s-1NULL\s0 and provided later using \fBOCSP_REQ_CTX_set1_req()\fR
+The \fIreq\fR may be set to NULL and provided later using \fBOCSP_REQ_CTX_set1_req()\fR
or \fBOSSL_HTTP_REQ_CTX_set1_req\fR\|(3).
The \fIio\fR and \fIpath\fR arguments to \fBOCSP_sendreq_new()\fR correspond to the
-components of the \s-1URL.\s0
-For example if the responder \s-1URL\s0 is \f(CW\*(C`http://example.com/ocspreq\*(C'\fR the \s-1BIO\s0
+components of the URL.
+For example if the responder URL is \f(CW\*(C`http://example.com/ocspreq\*(C'\fR the BIO
\&\fIio\fR should haven been connected to host \f(CW\*(C`example.com\*(C'\fR on port 80 and \fIpath\fR
should be set to \f(CW\*(C`/ocspreq\*(C'\fR.
.PP
\&\fBOCSP_sendreq_nbio()\fR attempts to send the request prepared in \fIrctx\fR
-and to gather the response via \s-1HTTP,\s0 using the \s-1BIO\s0 \fIio\fR and \fIpath\fR
+and to gather the response via HTTP, using the BIO \fIio\fR and \fIpath\fR
that were given when calling \fBOCSP_sendreq_new()\fR.
If the operation gets completed it assigns the response,
-a pointer to a \fB\s-1OCSP_RESPONSE\s0\fR structure, in \fI*presp\fR.
+a pointer to a \fBOCSP_RESPONSE\fR structure, in \fI*presp\fR.
The function may need to be called again if its result is \-1, which indicates
\&\fBBIO_should_retry\fR\|(3). In such a case it is advisable to sleep a little in
-between, using \fBBIO_wait\fR\|(3) on the read \s-1BIO\s0 to prevent a busy loop.
+between, using \fBBIO_wait\fR\|(3) on the read BIO to prevent a busy loop.
.PP
\&\fBOCSP_sendreq_bio()\fR combines \fBOCSP_sendreq_new()\fR with as many calls of
\&\fBOCSP_sendreq_nbio()\fR as needed and then \fBOCSP_REQ_CTX_free()\fR, with a
@@ -219,42 +143,42 @@ OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:
.PP
The deprecated type and the remaining deprecated functions
have been superseded by the following equivalents:
-\&\fB\s-1OCSP_REQ_CTX\s0\fR by \s-1\fBOSSL_HTTP_REQ_CTX\s0\fR\|(3),
+\&\fBOCSP_REQ_CTX\fR by \fBOSSL_HTTP_REQ_CTX\fR\|(3),
\&\fBOCSP_REQ_CTX_add1_header()\fR by \fBOSSL_HTTP_REQ_CTX_add1_header\fR\|(3),
\&\fBOCSP_REQ_CTX_free()\fR by \fBOSSL_HTTP_REQ_CTX_free\fR\|(3), and
\&\fBOCSP_set_max_response_length()\fR by
\&\fBOSSL_HTTP_REQ_CTX_set_max_response_length\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOCSP_sendreq_new()\fR returns a valid \fB\s-1OSSL_HTTP_REQ_CTX\s0\fR structure or \s-1NULL\s0
+\&\fBOCSP_sendreq_new()\fR returns a valid \fBOSSL_HTTP_REQ_CTX\fR structure or NULL
if an error occurred.
.PP
\&\fBOCSP_sendreq_nbio()\fR returns 1 for success, 0 on error, \-1 if retry is needed.
.PP
-\&\fBOCSP_sendreq_bio()\fR returns the \fB\s-1OCSP_RESPONSE\s0\fR structure sent by the
-responder or \s-1NULL\s0 if an error occurred.
+\&\fBOCSP_sendreq_bio()\fR returns the \fBOCSP_RESPONSE\fR structure sent by the
+responder or NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_HTTP_REQ_CTX\s0\fR\|(3), \fBOSSL_HTTP_transfer\fR\|(3),
+\&\fBOSSL_HTTP_REQ_CTX\fR\|(3), \fBOSSL_HTTP_transfer\fR\|(3),
\&\fBOCSP_cert_to_id\fR\|(3),
\&\fBOCSP_request_add1_nonce\fR\|(3),
\&\fBOCSP_REQUEST_new\fR\|(3),
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OCSP_REQ_CTX\s0\fR,
+\&\fBOCSP_REQ_CTX\fR,
\&\fBOCSP_REQ_CTX_i2d()\fR,
\&\fBOCSP_REQ_CTX_add1_header()\fR,
\&\fBOCSP_REQ_CTX_free()\fR,
\&\fBOCSP_set_max_response_length()\fR,
and \fBOCSP_REQ_CTX_set1_req()\fR
were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3
index e35c12145522..8bd39da67a28 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_APPLINK 3ossl"
-.TH OPENSSL_APPLINK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_APPLINK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_Applink \- glue between OpenSSL BIO and Win32 compiler run\-time
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& _\|_declspec(dllexport) void **OPENSSL_Applink();
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
OPENSSL_Applink is application-side interface which provides a glue
-between OpenSSL \s-1BIO\s0 layer and Win32 compiler run-time environment.
+between OpenSSL BIO layer and Win32 compiler run-time environment.
Even though it appears at application side, it's essentially OpenSSL
private interface. For this reason application developers are not
expected to implement it, but to compile provided module with
@@ -156,11 +80,11 @@ the public header files (only on the platforms where applicable).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Not available.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3 b/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3
index c657b8fb23a8..497080920b3b 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_FILE.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_FILE 3ossl"
-.TH OPENSSL_FILE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC,
OPENSSL_MSTR, OPENSSL_MSTR_HELPER
\&\- generic C programming utility macros
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/macros.h>
@@ -152,34 +76,34 @@ OPENSSL_MSTR, OPENSSL_MSTR_HELPER
\& #define OPENSSL_MSTR_HELPER(x) #x
\& #define OPENSSL_MSTR(x) OPENSSL_MSTR_HELPER(x)
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The macros \fB\s-1OPENSSL_FILE\s0\fR and \fB\s-1OPENSSL_LINE\s0\fR
+The macros \fBOPENSSL_FILE\fR and \fBOPENSSL_LINE\fR
typically yield the current filename and line number during C compilation.
-When \fB\s-1OPENSSL_NO_FILENAMES\s0\fR is defined they yield \fB""\fR and \fB0\fR, respectively.
+When \fBOPENSSL_NO_FILENAMES\fR is defined they yield \fB""\fR and \fB0\fR, respectively.
.PP
-The macro \fB\s-1OPENSSL_FUNC\s0\fR attempts to yield the name of the C function
+The macro \fBOPENSSL_FUNC\fR attempts to yield the name of the C function
currently being compiled, as far as language and compiler versions allow.
-Otherwise, it yields \*(L"(unknown function)\*(R".
+Otherwise, it yields "(unknown function)".
.PP
-The macro \fB\s-1OPENSSL_MSTR\s0\fR yields the expansion of the macro given as argument,
+The macro \fBOPENSSL_MSTR\fR yields the expansion of the macro given as argument,
which is useful for concatenation with string constants.
-The macro \fB\s-1OPENSSL_MSTR_HELPER\s0\fR is an auxiliary macro for this purpose.
+The macro \fBOPENSSL_MSTR_HELPER\fR is an auxiliary macro for this purpose.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
see above
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OPENSSL_FUNC\s0\fR, \fB\s-1OPENSSL_MSTR\s0\fR, and \fB\s-1OPENSSL_MSTR_HELPER\s0\fR
+\&\fBOPENSSL_FUNC\fR, \fBOPENSSL_MSTR\fR, and \fBOPENSSL_MSTR_HELPER\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3
index c0f84876956d..3af7ccd30bcc 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,96 +52,46 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_LH_COMPFUNC 3ossl"
-.TH OPENSSL_LH_COMPFUNC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_LH_COMPFUNC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-LHASH, DECLARE_LHASH_OF,
+.SH NAME
+LHASH, LHASH_OF, DEFINE_LHASH_OF_EX, DEFINE_LHASH_OF,
OPENSSL_LH_COMPFUNC, OPENSSL_LH_HASHFUNC, OPENSSL_LH_DOALL_FUNC,
LHASH_DOALL_ARG_FN_TYPE,
IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN,
lh_TYPE_new, lh_TYPE_free, lh_TYPE_flush,
lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve,
-lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error,
+lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_num_items, lh_TYPE_get_down_load,
+lh_TYPE_set_down_load, lh_TYPE_error,
OPENSSL_LH_new, OPENSSL_LH_free, OPENSSL_LH_flush,
OPENSSL_LH_insert, OPENSSL_LH_delete, OPENSSL_LH_retrieve,
-OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
+OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_doall_arg_thunk,
+OPENSSL_LH_set_thunks, OPENSSL_LH_num_items,
+OPENSSL_LH_get_down_load, OPENSSL_LH_set_down_load, OPENSSL_LH_error
\&\- dynamic hash table
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/lhash.h>
\&
-\& DECLARE_LHASH_OF(TYPE);
+\& LHASH_OF(TYPE)
+\&
+\& DEFINE_LHASH_OF_EX(TYPE);
\&
\& LHASH_OF(TYPE) *lh_TYPE_new(OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC compare);
\& void lh_TYPE_free(LHASH_OF(TYPE) *table);
\& void lh_TYPE_flush(LHASH_OF(TYPE) *table);
+\& OPENSSL_LHASH *OPENSSL_LH_set_thunks(OPENSSL_LHASH *lh,
+\& OPENSSL_LH_HASHFUNCTHUNK hw,
+\& OPENSSL_LH_COMPFUNCTHUNK cw,
+\& OPENSSL_LH_DOALL_FUNC_THUNK daw,
+\& OPENSSL_LH_DOALL_FUNCARG_THUNK daaw)
\&
\& TYPE *lh_TYPE_insert(LHASH_OF(TYPE) *table, TYPE *data);
\& TYPE *lh_TYPE_delete(LHASH_OF(TYPE) *table, TYPE *data);
@@ -166,6 +100,13 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
\& void lh_TYPE_doall(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNC func);
\& void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func,
\& TYPE *arg);
+\& void OPENSSL_LH_doall_arg_thunk(OPENSSL_LHASH *lh,
+\& OPENSSL_LH_DOALL_FUNCARG_THUNK daaw,
+\& OPENSSL_LH_DOALL_FUNCARG fn, void *arg)
+\&
+\& unsigned long lh_TYPE_num_items(OPENSSL_LHASH *lh);
+\& unsigned long lh_TYPE_get_down_load(OPENSSL_LHASH *lh);
+\& void lh_TYPE_set_down_load(OPENSSL_LHASH *lh, unsigned long dl);
\&
\& int lh_TYPE_error(LHASH_OF(TYPE) *table);
\&
@@ -185,16 +126,34 @@ OPENSSL_LH_doall, OPENSSL_LH_doall_arg, OPENSSL_LH_error
\& void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func);
\& void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg);
\&
+\& unsigned long OPENSSL_LH_num_items(OPENSSL_LHASH *lh);
+\& unsigned long OPENSSL_LH_get_down_load(OPENSSL_LHASH *lh);
+\& void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long dl);
+\&
\& int OPENSSL_LH_error(OPENSSL_LHASH *lh);
+\&
+\& #define LH_LOAD_MULT /* integer constant */
.Ve
-.SH "DESCRIPTION"
+.PP
+The following macro is deprecated:
+.PP
+.Vb 1
+\& DEFINE_LHASH_OF(TYPE);
+.Ve
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This library implements type-checked dynamic hash tables. The hash
table entries can be arbitrary structures. Usually they consist of key
-and value fields. In the description here, \fB\f(BI\s-1TYPE\s0\fB\fR is used a placeholder
-for any of the OpenSSL datatypes, such as \fI\s-1SSL_SESSION\s0\fR.
+and value fields. In the description here, \fR\f(BITYPE\fR\fB\fR is used a placeholder
+for any of the OpenSSL datatypes, such as \fISSL_SESSION\fR.
+.PP
+To define a new type-checked dynamic hash table, use \fBDEFINE_LHASH_OF_EX\fR().
+\&\fBDEFINE_LHASH_OF\fR() was previously used for this purpose, but is now
+deprecated. The \fBDEFINE_LHASH_OF_EX\fR() macro provides all functionality of
+\&\fBDEFINE_LHASH_OF\fR() except for certain deprecated statistics functions (see
+\&\fBOPENSSL_LH_stats\fR\|(3)).
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_new\fR() creates a new \fB\s-1LHASH_OF\s0\fR(\fB\f(BI\s-1TYPE\s0\fB\fR) structure to store
+\&\fBlh_\fR\f(BITYPE\fR\fB_new\fR() creates a new \fBLHASH_OF\fR(\fR\f(BITYPE\fR\fB\fR) structure to store
arbitrary data entries, and specifies the 'hash' and 'compare'
callbacks to be used in organising the table's entries. The \fIhash\fR
callback takes a pointer to a table entry as its argument and returns
@@ -207,9 +166,9 @@ takes two arguments (pointers to two hash table entries), and returns
If your hash table
will contain items of some particular type and the \fIhash\fR and
\&\fIcompare\fR callbacks hash/compare these types, then the
-\&\fB\s-1IMPLEMENT_LHASH_HASH_FN\s0\fR and \fB\s-1IMPLEMENT_LHASH_COMP_FN\s0\fR macros can be
+\&\fBIMPLEMENT_LHASH_HASH_FN\fR and \fBIMPLEMENT_LHASH_COMP_FN\fR macros can be
used to create callback wrappers of the prototypes required by
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_new\fR() as shown in this example:
+\&\fBlh_\fR\f(BITYPE\fR\fB_new\fR() as shown in this example:
.PP
.Vb 11
\& /*
@@ -239,7 +198,7 @@ can be used in a common header file to declare the function wrappers:
\& DECLARE_LHASH_COMP_FN(stuff, TYPE)
.Ve
.PP
-Then a hash table of \fB\f(BI\s-1TYPE\s0\fB\fR objects can be created using this:
+Then a hash table of \fR\f(BITYPE\fR\fB\fR objects can be created using this:
.PP
.Vb 1
\& LHASH_OF(TYPE) *htable;
@@ -247,28 +206,28 @@ Then a hash table of \fB\f(BI\s-1TYPE\s0\fB\fR objects can be created using this
\& htable = B<lh_I<TYPE>_new>(LHASH_HASH_FN(stuff), LHASH_COMP_FN(stuff));
.Ve
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_free\fR() frees the \fB\s-1LHASH_OF\s0\fR(\fB\f(BI\s-1TYPE\s0\fB\fR) structure
+\&\fBlh_\fR\f(BITYPE\fR\fB_free\fR() frees the \fBLHASH_OF\fR(\fR\f(BITYPE\fR\fB\fR) structure
\&\fItable\fR. Allocated hash table entries will not be freed; consider
-using \fBlh_\f(BI\s-1TYPE\s0\fB_doall\fR() to deallocate any remaining entries in the
-hash table (see below).
+using \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() to deallocate any remaining entries in the
+hash table (see below). If the argument is NULL, nothing is done.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_flush\fR() empties the \fB\s-1LHASH_OF\s0\fR(\fB\f(BI\s-1TYPE\s0\fB\fR) structure \fItable\fR. New
+\&\fBlh_\fR\f(BITYPE\fR\fB_flush\fR() empties the \fBLHASH_OF\fR(\fR\f(BITYPE\fR\fB\fR) structure \fItable\fR. New
entries can be added to the flushed table. Allocated hash table entries
-will not be freed; consider using \fBlh_\f(BI\s-1TYPE\s0\fB_doall\fR() to deallocate any
+will not be freed; consider using \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() to deallocate any
remaining entries in the hash table (see below).
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_insert\fR() inserts the structure pointed to by \fIdata\fR into
+\&\fBlh_\fR\f(BITYPE\fR\fB_insert\fR() inserts the structure pointed to by \fIdata\fR into
\&\fItable\fR. If there already is an entry with the same key, the old
-value is replaced. Note that \fBlh_\f(BI\s-1TYPE\s0\fB_insert\fR() stores pointers, the
+value is replaced. Note that \fBlh_\fR\f(BITYPE\fR\fB_insert\fR() stores pointers, the
data are not copied.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_delete\fR() deletes an entry from \fItable\fR.
+\&\fBlh_\fR\f(BITYPE\fR\fB_delete\fR() deletes an entry from \fItable\fR.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_retrieve\fR() looks up an entry in \fItable\fR. Normally, \fIdata\fR
+\&\fBlh_\fR\f(BITYPE\fR\fB_retrieve\fR() looks up an entry in \fItable\fR. Normally, \fIdata\fR
is a structure with the key field(s) set; the function will return a
pointer to a fully populated structure.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_doall\fR() will, for every entry in the hash table, call
+\&\fBlh_\fR\f(BITYPE\fR\fB_doall\fR() will, for every entry in the hash table, call
\&\fIfunc\fR with the data item as its parameter.
For example:
.PP
@@ -286,24 +245,15 @@ For example:
\& lh_TYPE_free(hashtable);
.Ve
.PP
-When doing this, be careful if you delete entries from the hash table
-in your callbacks: the table may decrease in size, moving the item
-that you are currently on down lower in the hash table \- this could
-cause some entries to be skipped during the iteration. The second
-best solution to this problem is to set hash\->down_load=0 before
-you start (which will stop the hash table ever decreasing in size).
-The best solution is probably to avoid deleting items from the hash
-table inside a \*(L"doall\*(R" callback!
-.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_doall_arg\fR() is the same as \fBlh_\f(BI\s-1TYPE\s0\fB_doall\fR() except that
+\&\fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR() is the same as \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() except that
\&\fIfunc\fR will be called with \fIarg\fR as the second argument and \fIfunc\fR
-should be of type \fB\s-1LHASH_DOALL_ARG_FN\s0\fR(\fB\f(BI\s-1TYPE\s0\fB\fR) (a callback prototype
+should be of type \fBLHASH_DOALL_ARG_FN\fR(\fR\f(BITYPE\fR\fB\fR) (a callback prototype
that is passed both the table entry and an extra argument). As with
\&\fBlh_doall()\fR, you can instead choose to declare your callback with a
prototype matching the types you are dealing with and use the
declare/implement macros to create compatible wrappers that cast
variables before calling your type-specific callbacks. An example of
-this is demonstrated here (printing all hash table entries to a \s-1BIO\s0
+this is demonstrated here (printing all hash table entries to a BIO
that is provided by the caller):
.PP
.Vb 2
@@ -318,97 +268,133 @@ that is provided by the caller):
\& logging_bio);
.Ve
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_error\fR() can be used to determine if an error occurred in the last
+Note that it is by default \fBnot\fR safe to use \fBlh_\fR\f(BITYPE\fR\fB_delete\fR() inside a
+callback passed to \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() or \fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR(). The
+reason for this is that deleting an item from the hash table may result in the
+hash table being contracted to a smaller size and rehashed.
+\&\fBlh_\fR\f(BITYPE\fR\fB_doall\fR() and \fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR() are unsafe and will exhibit
+undefined behaviour under these conditions, as these functions assume the hash
+table size and bucket pointers do not change during the call.
+.PP
+If it is desired to use \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() or \fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR() with
+\&\fBlh_\fR\f(BITYPE\fR\fB_delete\fR(), it is essential that you call
+\&\fBlh_\fR\f(BITYPE\fR\fB_set_down_load\fR() with a \fIdown_load\fR argument of 0 first. This
+disables hash table contraction and guarantees that it will be safe to delete
+items from a hash table during a call to \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() or
+\&\fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR().
+.PP
+It is never safe to call \fBlh_\fR\f(BITYPE\fR\fB_insert\fR() during a call to
+\&\fBlh_\fR\f(BITYPE\fR\fB_doall\fR() or \fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR().
+.PP
+\&\fBlh_\fR\f(BITYPE\fR\fB_error\fR() can be used to determine if an error occurred in the last
operation.
.PP
-\&\fBOPENSSL_LH_new()\fR is the same as the \fBlh_\f(BI\s-1TYPE\s0\fB_new\fR() except that it is not
-type specific. So instead of returning an \fB\s-1LHASH_OF\s0(\f(BI\s-1TYPE\s0\fB)\fR value it returns
+\&\fBlh_\fR\f(BITYPE\fR\fB_num_items\fR() returns the number of items in the hash table.
+.PP
+\&\fBlh_\fR\f(BITYPE\fR\fB_get_down_load\fR() and \fBlh_\fR\f(BITYPE\fR\fB_set_down_load\fR() get and set the
+factor used to determine when the hash table is contracted. The factor is the
+load factor at or below which hash table contraction will occur, multiplied by
+\&\fBLH_LOAD_MULT\fR, where the load factor is the number of items divided by the
+number of nodes. Setting this value to 0 disables hash table contraction.
+.PP
+\&\fBOPENSSL_LH_new()\fR is the same as the \fBlh_\fR\f(BITYPE\fR\fB_new\fR() except that it is not
+type specific. So instead of returning an \fBLHASH_OF(\fR\f(BITYPE\fR\fB)\fR value it returns
a \fBvoid *\fR. In the same way the functions \fBOPENSSL_LH_free()\fR,
\&\fBOPENSSL_LH_flush()\fR, \fBOPENSSL_LH_insert()\fR, \fBOPENSSL_LH_delete()\fR,
-\&\fBOPENSSL_LH_retrieve()\fR, \fBOPENSSL_LH_doall()\fR, \fBOPENSSL_LH_doall_arg()\fR, and
-\&\fBOPENSSL_LH_error()\fR are equivalent to the similarly named \fBlh_\f(BI\s-1TYPE\s0\fB\fR functions
-except that they return or use a \fBvoid *\fR where the equivalent \fBlh_\f(BI\s-1TYPE\s0\fB\fR
-function returns or uses a \fB\f(BI\s-1TYPE\s0\fB *\fR or \fB\s-1LHASH_OF\s0(\f(BI\s-1TYPE\s0\fB) *\fR. \fBlh_\f(BI\s-1TYPE\s0\fB\fR
-functions are implemented as type checked wrappers around the \fB\s-1OPENSSL_LH\s0\fR
-functions. Most applications should not call the \fB\s-1OPENSSL_LH\s0\fR functions
-directly.
+\&\fBOPENSSL_LH_retrieve()\fR, \fBOPENSSL_LH_doall()\fR, \fBOPENSSL_LH_doall_arg()\fR,
+\&\fBOPENSSL_LH_num_items()\fR, \fBOPENSSL_LH_get_down_load()\fR, \fBOPENSSL_LH_set_down_load()\fR
+and \fBOPENSSL_LH_error()\fR are equivalent to the similarly named \fBlh_\fR\f(BITYPE\fR
+functions except that they return or use a \fBvoid *\fR where the equivalent
+\&\fBlh_\fR\f(BITYPE\fR\fB\fR function returns or uses a \fB\fR\f(BITYPE\fR\fB *\fR or \fBLHASH_OF(\fR\f(BITYPE\fR\fB) *\fR.
+\&\fBlh_\fR\f(BITYPE\fR\fB\fR functions are implemented as type checked wrappers around the
+\&\fBOPENSSL_LH\fR functions. Most applications should not call the \fBOPENSSL_LH\fR
+functions directly.
+.PP
+\&\fBOPENSSL_LH_set_thunks()\fR and \fBOPENSSL_LH_doall_arg_thunk()\fR, while public by
+necessity, are actually internal functions and should not be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_new\fR() and \fBOPENSSL_LH_new()\fR return \s-1NULL\s0 on error, otherwise a
-pointer to the new \fB\s-1LHASH\s0\fR structure.
+\&\fBlh_\fR\f(BITYPE\fR\fB_new\fR() and \fBOPENSSL_LH_new()\fR return NULL on error, otherwise a
+pointer to the new \fBLHASH\fR structure.
.PP
-When a hash table entry is replaced, \fBlh_\f(BI\s-1TYPE\s0\fB_insert\fR() or
-\&\fBOPENSSL_LH_insert()\fR return the value being replaced. \s-1NULL\s0 is returned on normal
+When a hash table entry is replaced, \fBlh_\fR\f(BITYPE\fR\fB_insert\fR() or
+\&\fBOPENSSL_LH_insert()\fR return the value being replaced. NULL is returned on normal
operation and on error.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_delete\fR() and \fBOPENSSL_LH_delete()\fR return the entry being deleted.
-\&\s-1NULL\s0 is returned if there is no such value in the hash table.
+\&\fBlh_\fR\f(BITYPE\fR\fB_delete\fR() and \fBOPENSSL_LH_delete()\fR return the entry being deleted.
+NULL is returned if there is no such value in the hash table.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_retrieve\fR() and \fBOPENSSL_LH_retrieve()\fR return the hash table entry
-if it has been found, \s-1NULL\s0 otherwise.
+\&\fBlh_\fR\f(BITYPE\fR\fB_retrieve\fR() and \fBOPENSSL_LH_retrieve()\fR return the hash table entry
+if it has been found, NULL otherwise.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_error\fR() and \fBOPENSSL_LH_error()\fR return 1 if an error occurred in
+\&\fBlh_\fR\f(BITYPE\fR\fB_error\fR() and \fBOPENSSL_LH_error()\fR return 1 if an error occurred in
the last operation, 0 otherwise. It's meaningful only after non-retrieve
operations.
.PP
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_free\fR(), \fBOPENSSL_LH_free()\fR, \fBlh_\f(BI\s-1TYPE\s0\fB_flush\fR(),
-\&\fBOPENSSL_LH_flush()\fR, \fBlh_\f(BI\s-1TYPE\s0\fB_doall\fR() \fBOPENSSL_LH_doall()\fR,
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_doall_arg\fR() and \fBOPENSSL_LH_doall_arg()\fR return no values.
-.SH "NOTE"
+\&\fBlh_\fR\f(BITYPE\fR\fB_free\fR(), \fBOPENSSL_LH_free()\fR, \fBlh_\fR\f(BITYPE\fR\fB_flush\fR(),
+\&\fBOPENSSL_LH_flush()\fR, \fBlh_\fR\f(BITYPE\fR\fB_doall\fR() \fBOPENSSL_LH_doall()\fR,
+\&\fBlh_\fR\f(BITYPE\fR\fB_doall_arg\fR() and \fBOPENSSL_LH_doall_arg()\fR return no values.
+.SH NOTE
.IX Header "NOTE"
-The \s-1LHASH\s0 code is not thread safe. All updating operations, as well as
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_error\fR() or \fBOPENSSL_LH_error()\fR calls must be performed under
+The LHASH code is not thread safe. All updating operations, as well as
+\&\fBlh_\fR\f(BITYPE\fR\fB_error\fR() or \fBOPENSSL_LH_error()\fR calls must be performed under
a write lock. All retrieve operations should be performed under a read lock,
\&\fIunless\fR accurate usage statistics are desired. In which case, a write lock
should be used for retrieve operations as well. For output of the usage
statistics, using the functions from \fBOPENSSL_LH_stats\fR\|(3), a read lock
suffices.
.PP
-The \s-1LHASH\s0 code regards table entries as constant data. As such, it
-internally represents \fBlh_insert()\fR'd items with a \*(L"const void *\*(R"
+The LHASH code regards table entries as constant data. As such, it
+internally represents \fBlh_insert()\fR'd items with a "const void *"
pointer type. This is why callbacks such as those used by \fBlh_doall()\fR
-and \fBlh_doall_arg()\fR declare their prototypes with \*(L"const\*(R", even for the
+and \fBlh_doall_arg()\fR declare their prototypes with "const", even for the
parameters that pass back the table items' data pointers \- for
-consistency, user-provided data is \*(L"const\*(R" at all times as far as the
-\&\s-1LHASH\s0 code is concerned. However, as callers are themselves providing
+consistency, user-provided data is "const" at all times as far as the
+LHASH code is concerned. However, as callers are themselves providing
these pointers, they can choose whether they too should be treating
all such parameters as constant.
.PP
As an example, a hash table may be maintained by code that, for
-reasons of encapsulation, has only \*(L"const\*(R" access to the data being
-indexed in the hash table (i.e. it is returned as \*(L"const\*(R" from
-elsewhere in their code) \- in this case the \s-1LHASH\s0 prototypes are
+reasons of encapsulation, has only "const" access to the data being
+indexed in the hash table (i.e. it is returned as "const" from
+elsewhere in their code) \- in this case the LHASH prototypes are
appropriate as-is. Conversely, if the caller is responsible for the
life-time of the data in question, then they may well wish to make
modifications to table item passed back in the \fBlh_doall()\fR or
-\&\fBlh_doall_arg()\fR callbacks (see the \*(L"TYPE_cleanup\*(R" example above). If
-so, the caller can either cast the \*(L"const\*(R" away (if they're providing
+\&\fBlh_doall_arg()\fR callbacks (see the "TYPE_cleanup" example above). If
+so, the caller can either cast the "const" away (if they're providing
the raw callbacks themselves) or use the macros to declare/implement
-the wrapper functions without \*(L"const\*(R" types.
+the wrapper functions without "const" types.
.PP
-Callers that only have \*(L"const\*(R" access to data they're indexing in a
+Callers that only have "const" access to data they're indexing in a
table, yet declare callbacks without constant types (or cast the
-\&\*(L"const\*(R" away themselves), are therefore creating their own risks/bugs
-without being encouraged to do so by the \s-1API.\s0 On a related note,
+"const" away themselves), are therefore creating their own risks/bugs
+without being encouraged to do so by the API. On a related note,
those auditing code should pay special attention to any instances of
-DECLARE/IMPLEMENT_LHASH_DOALL_[\s-1ARG_\s0]_FN macros that provide types
-without any \*(L"const\*(R" qualifiers.
-.SH "BUGS"
+DECLARE/IMPLEMENT_LHASH_DOALL_[ARG_]_FN macros that provide types
+without any "const" qualifiers.
+.SH BUGS
.IX Header "BUGS"
-\&\fBlh_\f(BI\s-1TYPE\s0\fB_insert\fR() and \fBOPENSSL_LH_insert()\fR return \s-1NULL\s0 both for success
+\&\fBlh_\fR\f(BITYPE\fR\fB_insert\fR() and \fBOPENSSL_LH_insert()\fR return NULL both for success
and error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_LH_stats\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
In OpenSSL 1.0.0, the lhash interface was revamped for better
type checking.
-.SH "COPYRIGHT"
+.PP
+In OpenSSL 3.1, \fBDEFINE_LHASH_OF_EX\fR() was introduced and \fBDEFINE_LHASH_OF\fR()
+was deprecated.
+.PP
+\&\fBOPENSSL_LH_doall_arg_thunk()\fR, \fBOPENSSL_LH_set_thunks()\fR were added in
+OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3
index f723f2345e8e..cfd634dad473 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,94 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_LH_STATS 3ossl"
-.TH OPENSSL_LH_STATS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_LH_STATS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats,
OPENSSL_LH_stats_bio,
OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio \- LHASH statistics
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/lhash.h>
-\&
-\& void OPENSSL_LH_stats(LHASH *table, FILE *out);
+.Ve
+.PP
+The following functions have been deprecated since OpenSSL 3.1, and can be
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
+see \fBopenssl_user_macros\fR\|(7):
+.PP
+.Vb 2
\& void OPENSSL_LH_node_stats(LHASH *table, FILE *out);
\& void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out);
\&
-\& void OPENSSL_LH_stats_bio(LHASH *table, BIO *out);
\& void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out);
\& void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out);
+\&
+\& void OPENSSL_LH_stats(LHASH *table, FILE *out);
+\& void OPENSSL_LH_stats_bio(LHASH *table, BIO *out);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1LHASH\s0\fR structure records statistics about most aspects of
+The \fBLHASH\fR structure records statistics about most aspects of
accessing the hash table.
.PP
\&\fBOPENSSL_LH_stats()\fR prints out statistics on the size of the hash table and how
@@ -176,23 +107,28 @@ table, while the 'load' is the average number that will be done to
record a miss.
.PP
\&\fBOPENSSL_LH_stats_bio()\fR, \fBOPENSSL_LH_node_stats_bio()\fR and \fBOPENSSL_LH_node_usage_stats_bio()\fR
-are the same as the above, except that the output goes to a \fB\s-1BIO\s0\fR.
+are the same as the above, except that the output goes to a \fBBIO\fR.
+.PP
+These functions are deprecated and should no longer be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions do not return values.
-.SH "NOTE"
+.SH NOTE
.IX Header "NOTE"
These calls should be made under a read lock. Refer to
-\&\*(L"\s-1NOTE\*(R"\s0 in \s-1\fBOPENSSL_LH_COMPFUNC\s0\fR\|(3) for more details about the locks required
-when using the \s-1LHASH\s0 data structure.
+"NOTE" in \fBOPENSSL_LH_COMPFUNC\fR\|(3) for more details about the locks required
+when using the LHASH data structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBbio\fR\|(7), \s-1\fBOPENSSL_LH_COMPFUNC\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBbio\fR\|(7), \fBOPENSSL_LH_COMPFUNC\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were deprecated in version 3.1.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_config.3 b/secure/lib/libcrypto/man/man3/OPENSSL_config.3
index ec2be154f702..87277c90184d 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_config.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_config.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,94 +52,34 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_CONFIG 3ossl"
-.TH OPENSSL_CONFIG 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_CONFIG 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_config, OPENSSL_no_config \- simple OpenSSL configuration functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& void OPENSSL_config(const char *appname);
\& void OPENSSL_no_config(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOPENSSL_config()\fR configures OpenSSL using the standard \fBopenssl.cnf\fR and
-reads from the application section \fBappname\fR. If \fBappname\fR is \s-1NULL\s0 then
+reads from the application section \fBappname\fR. If \fBappname\fR is NULL then
the default section, \fBopenssl_conf\fR, will be used.
Errors are silently ignored.
Multiple calls have no effect.
@@ -163,13 +87,13 @@ Multiple calls have no effect.
\&\fBOPENSSL_no_config()\fR disables configuration. If called before \fBOPENSSL_config()\fR
no configuration takes place.
.PP
-If the application is built with \fB\s-1OPENSSL_LOAD_CONF\s0\fR defined, then a
+If the application is built with \fBOPENSSL_LOAD_CONF\fR defined, then a
call to \fBOpenSSL_add_all_algorithms()\fR will implicitly call \fBOPENSSL_config()\fR
first.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \fBOPENSSL_config()\fR function is designed to be a very simple \*(L"call it and
-forget it\*(R" function.
+The \fBOPENSSL_config()\fR function is designed to be a very simple "call it and
+forget it" function.
It is however \fBmuch\fR better than nothing. Applications which need finer
control over their configuration functionality should use the configuration
functions such as \fBCONF_modules_load()\fR directly. This function is deprecated
@@ -183,11 +107,11 @@ However, very few applications currently support the control interface and so
very few can load and use dynamic ENGINEs. Equally in future more sophisticated
ENGINEs will require certain control operations to customize them. If an
application calls \fBOPENSSL_config()\fR it doesn't need to know or care about
-\&\s-1ENGINE\s0 control operations because they can be performed by editing a
+ENGINE control operations because they can be performed by editing a
configuration file.
-.SH "ENVIRONMENT"
+.SH ENVIRONMENT
.IX Header "ENVIRONMENT"
-.IP "\fB\s-1OPENSSL_CONF\s0\fR" 4
+.IP \fBOPENSSL_CONF\fR 4
.IX Item "OPENSSL_CONF"
The path to the config file.
Ignored in set-user-ID and set-group-ID programs.
@@ -198,15 +122,15 @@ Neither \fBOPENSSL_config()\fR nor \fBOPENSSL_no_config()\fR return a value.
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5),
\&\fBCONF_modules_load_file\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBOPENSSL_no_config()\fR and \fBOPENSSL_config()\fR functions were
deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_crypto()\fR.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2004\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3
index 18306b5f4938..ee49e11518ad 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,27 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_FORK_PREPARE 3ossl"
-.TH OPENSSL_FORK_PREPARE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_FORK_PREPARE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_fork_prepare,
OPENSSL_fork_parent,
OPENSSL_fork_child
\&\- OpenSSL fork handlers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -156,7 +80,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& void OPENSSL_fork_parent(void);
\& void OPENSSL_fork_child(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These methods are currently unused, and as such, no replacement methods are
required or planned.
@@ -174,7 +98,7 @@ such as Linux that have both functions will normally not need to call these
functions as the OpenSSL library will do so automatically.
.PP
\&\fBOPENSSL_init_crypto\fR\|(3) will register these functions with the appropriate
-handler, when the \fB\s-1OPENSSL_INIT_ATFORK\s0\fR flag is used. For other
+handler, when the \fBOPENSSL_INIT_ATFORK\fR flag is used. For other
applications, these functions can be called directly. They should be used
according to the calling sequence described by the \fBpthread_atfork\fR\|(3)
documentation, which is summarized here. \fBOPENSSL_fork_prepare()\fR should
@@ -188,14 +112,14 @@ return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_crypto\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3 b/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3
index 769b5be13f71..4615b8bd5b18 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_gmtime.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_GMTIME 3ossl"
-.TH OPENSSL_GMTIME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_GMTIME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_gmtime,
OPENSSL_gmtime_adj,
OPENSSL_gmtime_diff \- platform\-agnostic OpenSSL time routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -150,19 +74,19 @@ OPENSSL_gmtime_diff \- platform\-agnostic OpenSSL time routines
\& int OPENSSL_gmtime_diff(int *pday, int *psec,
\& const struct tm *from, const struct tm *to);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOPENSSL_gmtime()\fR returns the \s-1UTC\s0 time specified by \fItimer\fR into the provided
+\&\fBOPENSSL_gmtime()\fR returns the UTC time specified by \fItimer\fR into the provided
\&\fIresult\fR argument.
.PP
\&\fBOPENSSL_gmtime_adj()\fR adds the offsets in \fIoffset_day\fR and \fIoffset_sec\fR to \fItm\fR.
.PP
\&\fBOPENSSL_gmtime_diff()\fR calculates the difference between \fIfrom\fR and \fIto\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-It is an error to call \fBOPENSSL_gmtime()\fR with \fIresult\fR equal to \s-1NULL.\s0 The
+It is an error to call \fBOPENSSL_gmtime()\fR with \fIresult\fR equal to NULL. The
contents of the time_t given by \fItimer\fR are stored into the \fIresult\fR. Calling
-with \fItimer\fR equal to \s-1NULL\s0 means use the current time.
+with \fItimer\fR equal to NULL means use the current time.
.PP
\&\fBOPENSSL_gmtime_adj()\fR converts \fItm\fR into a days and seconds value, adds the
offsets, then converts back into a \fIstruct tm\fR specified by \fItm\fR. Leap seconds
@@ -174,18 +98,18 @@ the remaining seconds are placed to \fI*psec\fR. The value in \fI*psec\fR will b
than the number of seconds per day (3600). Leap seconds are not considered.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOPENSSL_gmtime()\fR returns \s-1NULL\s0 on error, or \fIresult\fR on success.
+\&\fBOPENSSL_gmtime()\fR returns NULL on error, or \fIresult\fR on success.
.PP
\&\fBOPENSSL_gmtime_adj()\fR and \fBOPENSSL_gmtime_diff()\fR return 0 on error, and 1 on success.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOPENSSL_gmtime()\fR, \fBOPENSSL_gmtime_adj()\fR and \fBOPENSSL_gmtime_diff()\fR have been
in OpenSSL since 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3 b/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3
index 462ece74bb94..695398c80809 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_hexchar2int.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_HEXCHAR2INT 3ossl"
-.TH OPENSSL_HEXCHAR2INT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_HEXCHAR2INT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_hexchar2int,
OPENSSL_hexstr2buf_ex, OPENSSL_hexstr2buf,
OPENSSL_buf2hexstr_ex, OPENSSL_buf2hexstr
\&\- Hex encoding and decoding functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -155,7 +79,7 @@ OPENSSL_buf2hexstr_ex, OPENSSL_buf2hexstr
\& const char sep);
\& char *OPENSSL_buf2hexstr(const unsigned char *buf, long buflen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOPENSSL_hexchar2int()\fR converts a hexadecimal character to its numeric
equivalent.
@@ -165,10 +89,10 @@ resulting string of bytes in the given \fIbuf\fR.
The character \fIsep\fR is the separator between the bytes, setting this to '\e0'
means that there is no separator.
\&\fIbuf_n\fR gives the size of the buffer.
-If \fIbuflen\fR is not \s-1NULL,\s0 it is filled in with the result length.
-To find out how large the result will be, call this function with \s-1NULL\s0
+If \fIbuflen\fR is not NULL, it is filled in with the result length.
+To find out how large the result will be, call this function with NULL
for \fIbuf\fR.
-Colons between two-character hex \*(L"bytes\*(R" are accepted and ignored.
+Colons between two-character hex "bytes" are accepted and ignored.
An odd number of hex digits is an error.
.PP
\&\fBOPENSSL_hexstr2buf()\fR does the same thing as \fBOPENSSL_hexstr2buf_ex()\fR,
@@ -183,8 +107,8 @@ in the given \fIstr\fR.
The character \fIsep\fR is the separator between the bytes, setting this to '\e0'
means that there is no separator.
\&\fIstr_n\fR gives the size of the of the string buffer.
-If \fIstrlength\fR is not \s-1NULL,\s0 it is filled in with the result length.
-To find out how large the result will be, call this function with \s-1NULL\s0
+If \fIstrlength\fR is not NULL, it is filled in with the result length.
+To find out how large the result will be, call this function with NULL
for \fIstr\fR.
.PP
\&\fBOPENSSL_buf2hexstr()\fR does the same thing as \fBOPENSSL_buf2hexstr_ex()\fR,
@@ -198,15 +122,15 @@ OPENSSL_hexchar2int returns the value of a decoded hex character,
or \-1 on error.
.PP
\&\fBOPENSSL_buf2hexstr()\fR and \fBOPENSSL_hexstr2buf()\fR
-return a pointer to allocated memory, or \s-1NULL\s0 on error.
+return a pointer to allocated memory, or NULL on error.
.PP
\&\fBOPENSSL_buf2hexstr_ex()\fR and \fBOPENSSL_hexstr2buf_ex()\fR return 1 on
success, or 0 on error.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3
index 3cc800c675a1..244125c3c5a3 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,195 +52,217 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_IA32CAP 3ossl"
-.TH OPENSSL_IA32CAP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_IA32CAP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_ia32cap \- the x86[_64] processor capabilities vector
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& env OPENSSL_ia32cap=... <application>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-OpenSSL supports a range of x86[_64] instruction set extensions. These
-extensions are denoted by individual bits in capability vector returned
-by processor in \s-1EDX:ECX\s0 register pair after executing \s-1CPUID\s0 instruction
-with EAX=1 input value (see Intel Application Note #241618). This vector
-is copied to memory upon toolkit initialization and used to choose
-between different code paths to provide optimal performance across wide
-range of processors. For the moment of this writing following bits are
-significant:
-.IP "bit #4 denoting presence of Time-Stamp Counter." 4
-.IX Item "bit #4 denoting presence of Time-Stamp Counter."
-.PD 0
-.IP "bit #19 denoting availability of \s-1CLFLUSH\s0 instruction;" 4
-.IX Item "bit #19 denoting availability of CLFLUSH instruction;"
-.IP "bit #20, reserved by Intel, is used to choose among \s-1RC4\s0 code paths;" 4
-.IX Item "bit #20, reserved by Intel, is used to choose among RC4 code paths;"
-.IP "bit #23 denoting \s-1MMX\s0 support;" 4
-.IX Item "bit #23 denoting MMX support;"
-.IP "bit #24, \s-1FXSR\s0 bit, denoting availability of \s-1XMM\s0 registers;" 4
-.IX Item "bit #24, FXSR bit, denoting availability of XMM registers;"
-.IP "bit #25 denoting \s-1SSE\s0 support;" 4
-.IX Item "bit #25 denoting SSE support;"
-.IP "bit #26 denoting \s-1SSE2\s0 support;" 4
-.IX Item "bit #26 denoting SSE2 support;"
-.IP "bit #28 denoting Hyperthreading, which is used to distinguish cores with shared cache;" 4
-.IX Item "bit #28 denoting Hyperthreading, which is used to distinguish cores with shared cache;"
-.IP "bit #30, reserved by Intel, denotes specifically Intel CPUs;" 4
-.IX Item "bit #30, reserved by Intel, denotes specifically Intel CPUs;"
-.IP "bit #33 denoting availability of \s-1PCLMULQDQ\s0 instruction;" 4
-.IX Item "bit #33 denoting availability of PCLMULQDQ instruction;"
-.IP "bit #41 denoting \s-1SSSE3,\s0 Supplemental \s-1SSE3,\s0 support;" 4
-.IX Item "bit #41 denoting SSSE3, Supplemental SSE3, support;"
-.IP "bit #43 denoting \s-1AMD XOP\s0 support (forced to zero on non-AMD CPUs);" 4
-.IX Item "bit #43 denoting AMD XOP support (forced to zero on non-AMD CPUs);"
-.IP "bit #54 denoting availability of \s-1MOVBE\s0 instruction;" 4
-.IX Item "bit #54 denoting availability of MOVBE instruction;"
-.IP "bit #57 denoting AES-NI instruction set extension;" 4
-.IX Item "bit #57 denoting AES-NI instruction set extension;"
-.IP "bit #58, \s-1XSAVE\s0 bit, lack of which in combination with \s-1MOVBE\s0 is used to identify Atom Silvermont core;" 4
-.IX Item "bit #58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;"
-.IP "bit #59, \s-1OSXSAVE\s0 bit, denoting availability of \s-1YMM\s0 registers;" 4
-.IX Item "bit #59, OSXSAVE bit, denoting availability of YMM registers;"
-.IP "bit #60 denoting \s-1AVX\s0 extension;" 4
-.IX Item "bit #60 denoting AVX extension;"
-.IP "bit #62 denoting availability of \s-1RDRAND\s0 instruction;" 4
-.IX Item "bit #62 denoting availability of RDRAND instruction;"
-.PD
+OpenSSL supports a range of x86[_64] instruction set extensions and
+features. These extensions are denoted by individual bits or groups of bits
+stored internally as ten 32\-bit capability vectors and for simplicity
+represented logically below as five 64\-bit vectors. This logical
+vector (LV) representation is used to streamline the definition of the
+OPENSSL_ia32cap environment variable.
.PP
-For example, in 32\-bit application context clearing bit #26 at run-time
-disables high-performance \s-1SSE2\s0 code present in the crypto library, while
-clearing bit #24 disables \s-1SSE2\s0 code operating on 128\-bit \s-1XMM\s0 register
-bank. You might have to do the latter if target OpenSSL application is
-executed on \s-1SSE2\s0 capable \s-1CPU,\s0 but under control of \s-1OS\s0 that does not
-enable \s-1XMM\s0 registers. Historically address of the capability vector copy
-was exposed to application through \fBOPENSSL_ia32cap_loc()\fR, but not
-anymore. Now the only way to affect the capability detection is to set
-\&\fBOPENSSL_ia32cap\fR environment variable prior target application start. To
-give a specific example, on Intel P4 processor
-\&\f(CW\*(C`env OPENSSL_ia32cap=0x16980010 apps/openssl\*(C'\fR, or better yet
-\&\f(CW\*(C`env OPENSSL_ia32cap=~0x1000000 apps/openssl\*(C'\fR would achieve the desired
-effect. Alternatively you can reconfigure the toolkit with no\-sse2
-option and recompile.
+Upon toolkit initialization, the capability vectors are populated through
+successive executions of the CPUID instruction, after which any OPENSSL_ia32cap
+environment variable capability bit modifications are applied. After toolkit
+initialization is complete, populated vectors are then used to choose
+between different code paths to provide optimal performance across a wide
+range of x86[_64] based processors.
.PP
-Less intuitive is clearing bit #28, or ~0x10000000 in the \*(L"environment
-variable\*(R" terms. The truth is that it's not copied from \s-1CPUID\s0 output
-verbatim, but is adjusted to reflect whether or not the data cache is
-actually shared between logical cores. This in turn affects the decision
-on whether or not expensive countermeasures against cache-timing attacks
-are applied, most notably in \s-1AES\s0 assembler module.
-.PP
-The capability vector is further extended with \s-1EBX\s0 value returned by
-\&\s-1CPUID\s0 with EAX=7 and ECX=0 as input. Following bits are significant:
-.IP "bit #64+3 denoting availability of \s-1BMI1\s0 instructions, e.g. \s-1ANDN\s0;" 4
+Further CPUID information can be found in the Intel(R) Architecture
+Instruction Set Extensions Programming Reference, and the AMD64 Architecture
+Programmer's Manual (Volume 3).
+.SS "Notable Capability Bits for LV0"
+.IX Subsection "Notable Capability Bits for LV0"
+The following are notable capability bits from logical vector 0 (LV0)
+resulting from the following execution of CPUID.(EAX=01H).EDX and
+CPUID.(EAX=01H).ECX:
+.IP "bit #0+4 denoting presence of Time-Stamp Counter;" 4
+.IX Item "bit #0+4 denoting presence of Time-Stamp Counter;"
+.PD 0
+.IP "bit #0+19 denoting availability of CLFLUSH instruction;" 4
+.IX Item "bit #0+19 denoting availability of CLFLUSH instruction;"
+.IP "bit #0+20, reserved by Intel, is used to choose among RC4 code paths;" 4
+.IX Item "bit #0+20, reserved by Intel, is used to choose among RC4 code paths;"
+.IP "bit #0+23 denoting MMX support;" 4
+.IX Item "bit #0+23 denoting MMX support;"
+.IP "bit #0+24, FXSR bit, denoting availability of XMM registers;" 4
+.IX Item "bit #0+24, FXSR bit, denoting availability of XMM registers;"
+.IP "bit #0+25 denoting SSE support;" 4
+.IX Item "bit #0+25 denoting SSE support;"
+.IP "bit #0+26 denoting SSE2 support;" 4
+.IX Item "bit #0+26 denoting SSE2 support;"
+.IP "bit #0+28 denoting Hyperthreading, which is used to distinguish cores with shared cache;" 4
+.IX Item "bit #0+28 denoting Hyperthreading, which is used to distinguish cores with shared cache;"
+.IP "bit #0+30, reserved by Intel, denotes specifically Intel CPUs;" 4
+.IX Item "bit #0+30, reserved by Intel, denotes specifically Intel CPUs;"
+.IP "bit #0+33 denoting availability of PCLMULQDQ instruction;" 4
+.IX Item "bit #0+33 denoting availability of PCLMULQDQ instruction;"
+.IP "bit #0+41 denoting SSSE3, Supplemental SSE3, support;" 4
+.IX Item "bit #0+41 denoting SSSE3, Supplemental SSE3, support;"
+.IP "bit #0+43 denoting AMD XOP support (forced to zero on non-AMD CPUs);" 4
+.IX Item "bit #0+43 denoting AMD XOP support (forced to zero on non-AMD CPUs);"
+.IP "bit #0+54 denoting availability of MOVBE instruction;" 4
+.IX Item "bit #0+54 denoting availability of MOVBE instruction;"
+.IP "bit #0+57 denoting AES-NI instruction set extension;" 4
+.IX Item "bit #0+57 denoting AES-NI instruction set extension;"
+.IP "bit #0+58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;" 4
+.IX Item "bit #0+58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;"
+.IP "bit #0+59, OSXSAVE bit, denoting availability of YMM registers;" 4
+.IX Item "bit #0+59, OSXSAVE bit, denoting availability of YMM registers;"
+.IP "bit #0+60 denoting AVX extension;" 4
+.IX Item "bit #0+60 denoting AVX extension;"
+.IP "bit #0+62 denoting availability of RDRAND instruction;" 4
+.IX Item "bit #0+62 denoting availability of RDRAND instruction;"
+.PD
+.SS "Notable Capability Bits for LV1"
+.IX Subsection "Notable Capability Bits for LV1"
+The following are notable capability bits from logical vector 1 (LV1)
+resulting from the following execution of CPUID.(EAX=07H,ECX=0H).EBX and
+CPUID.(EAX=07H,ECX=0H).ECX:
+.IP "bit #64+3 denoting availability of BMI1 instructions, e.g. ANDN;" 4
.IX Item "bit #64+3 denoting availability of BMI1 instructions, e.g. ANDN;"
.PD 0
-.IP "bit #64+5 denoting availability of \s-1AVX2\s0 instructions;" 4
+.IP "bit #64+5 denoting availability of AVX2 instructions;" 4
.IX Item "bit #64+5 denoting availability of AVX2 instructions;"
-.IP "bit #64+8 denoting availability of \s-1BMI2\s0 instructions, e.g. \s-1MULX\s0 and \s-1RORX\s0;" 4
+.IP "bit #64+8 denoting availability of BMI2 instructions, e.g. MULX and RORX;" 4
.IX Item "bit #64+8 denoting availability of BMI2 instructions, e.g. MULX and RORX;"
-.IP "bit #64+16 denoting availability of \s-1AVX512F\s0 extension;" 4
+.IP "bit #64+16 denoting availability of AVX512F extension;" 4
.IX Item "bit #64+16 denoting availability of AVX512F extension;"
-.IP "bit #64+17 denoting availability of \s-1AVX512DQ\s0 extension;" 4
+.IP "bit #64+17 denoting availability of AVX512DQ extension;" 4
.IX Item "bit #64+17 denoting availability of AVX512DQ extension;"
-.IP "bit #64+18 denoting availability of \s-1RDSEED\s0 instruction;" 4
+.IP "bit #64+18 denoting availability of RDSEED instruction;" 4
.IX Item "bit #64+18 denoting availability of RDSEED instruction;"
-.IP "bit #64+19 denoting availability of \s-1ADCX\s0 and \s-1ADOX\s0 instructions;" 4
+.IP "bit #64+19 denoting availability of ADCX and ADOX instructions;" 4
.IX Item "bit #64+19 denoting availability of ADCX and ADOX instructions;"
-.IP "bit #64+21 denoting availability of VPMADD52[\s-1LH\s0]UQ instructions, aka \s-1AVX512IFMA\s0 extension;" 4
-.IX Item "bit #64+21 denoting availability of VPMADD52[LH]UQ instructions, aka AVX512IFMA extension;"
-.IP "bit #64+29 denoting availability of \s-1SHA\s0 extension;" 4
+.IP "bit #64+21 denoting availability of AVX512IFMA extension;" 4
+.IX Item "bit #64+21 denoting availability of AVX512IFMA extension;"
+.IP "bit #64+29 denoting availability of SHA extension;" 4
.IX Item "bit #64+29 denoting availability of SHA extension;"
-.IP "bit #64+30 denoting availability of \s-1AVX512BW\s0 extension;" 4
+.IP "bit #64+30 denoting availability of AVX512BW extension;" 4
.IX Item "bit #64+30 denoting availability of AVX512BW extension;"
-.IP "bit #64+31 denoting availability of \s-1AVX512VL\s0 extension;" 4
+.IP "bit #64+31 denoting availability of AVX512VL extension;" 4
.IX Item "bit #64+31 denoting availability of AVX512VL extension;"
-.IP "bit #64+41 denoting availability of \s-1VAES\s0 extension;" 4
+.IP "bit #64+41 denoting availability of VAES extension;" 4
.IX Item "bit #64+41 denoting availability of VAES extension;"
-.IP "bit #64+42 denoting availability of \s-1VPCLMULQDQ\s0 extension;" 4
+.IP "bit #64+42 denoting availability of VPCLMULQDQ extension;" 4
.IX Item "bit #64+42 denoting availability of VPCLMULQDQ extension;"
.PD
+.SS "Notable Capability Bits for LV2"
+.IX Subsection "Notable Capability Bits for LV2"
+The following are notable capability bits from logical vector 2 (LV2)
+resulting from the following execution of CPUID.(EAX=07H,ECX=0H).EDX and
+CPUID.(EAX=07H,ECX=1H).EAX:
+.IP "bit #128+15 denoting availability of Hybrid CPU;" 4
+.IX Item "bit #128+15 denoting availability of Hybrid CPU;"
+.PD 0
+.IP "bit #128+29 denoting support for IA32_ARCH_CAPABILITIES MSR;" 4
+.IX Item "bit #128+29 denoting support for IA32_ARCH_CAPABILITIES MSR;"
+.IP "bit #128+32 denoting availability of SHA512 extension;" 4
+.IX Item "bit #128+32 denoting availability of SHA512 extension;"
+.IP "bit #128+33 denoting availability of SM3 extension;" 4
+.IX Item "bit #128+33 denoting availability of SM3 extension;"
+.IP "bit #128+34 denoting availability of SM4 extension;" 4
+.IX Item "bit #128+34 denoting availability of SM4 extension;"
+.IP "bit #128+55 denoting availability of AVX-IFMA extension;" 4
+.IX Item "bit #128+55 denoting availability of AVX-IFMA extension;"
+.PD
+.SS "Notable Capability Bits for LV3"
+.IX Subsection "Notable Capability Bits for LV3"
+The following are notable capability bits from logical vector 3 (LV3)
+resulting from the following execution of CPUID.(EAX=07H,ECX=1H).EDX and
+CPUID.(EAX=07H,ECX=1H).EBX:
+.IP "bit #192+19 denoting availability of AVX10 Converged Vector ISA extension;" 4
+.IX Item "bit #192+19 denoting availability of AVX10 Converged Vector ISA extension;"
+.PD 0
+.IP "bit #192+21 denoting availability of APX_F extension;" 4
+.IX Item "bit #192+21 denoting availability of APX_F extension;"
+.PD
+.SS "Notable Capability Bits for LV4"
+.IX Subsection "Notable Capability Bits for LV4"
+The following are notable capability bits from logical vector 4 (LV4)
+resulting from the following execution of CPUID.(EAX=07H,ECX=1H).ECX and
+CPUID.(EAX=24H,ECX=0H).EBX:
+.IP "bits #256+32+[0:7] denoting AVX10 Converged Vector ISA Version (8 bits);" 4
+.IX Item "bits #256+32+[0:7] denoting AVX10 Converged Vector ISA Version (8 bits);"
+.PD 0
+.IP "bit #256+48 denoting AVX10 XMM support;" 4
+.IX Item "bit #256+48 denoting AVX10 XMM support;"
+.IP "bit #256+49 denoting AVX10 YMM support;" 4
+.IX Item "bit #256+49 denoting AVX10 YMM support;"
+.IP "bit #256+50 denoting AVX10 ZMM support;" 4
+.IX Item "bit #256+50 denoting AVX10 ZMM support;"
+.PD
+.SS "OPENSSL_ia32cap environment variable"
+.IX Subsection "OPENSSL_ia32cap environment variable"
+The \fBOPENSSL_ia32cap\fR environment variable provides a mechanism to override
+the default capability vector values at library initialization time.
+The variable consists of a series of 64\-bit numbers representing each
+of the logical vectors (LV) described above. Each value is delimited by a '\fB:\fR'.
+Decimal/Octal/Hexadecimal values representations are supported.
+.PP
+\&\f(CW\*(C`env OPENSSL_ia32cap=LV0:LV1:LV2:LV3:LV4\*(C'\fR
+.PP
+Used in this form, each non-null logical vector will *overwrite* the entire corresponding
+capability vector pair with the provided value. To keep compatibility with the
+behaviour of the original OPENSSL_ia32cap environment variable
+<env OPENSSL_ia32cap=LV0:LV1>, the next capability vector pairs will be set to zero.
+.PP
+To illustrate, the following will zero all capability bits in logical vectors 1 and further
+(disable all post-AVX extensions):
+.PP
+\&\f(CW\*(C`env OPENSSL_ia32cap=:0\*(C'\fR
+.PP
+The following will zero all capability bits in logical vectors 2 and further:
+.PP
+\&\f(CW\*(C`env OPENSSL_ia32cap=::0\*(C'\fR
+.PP
+The following will zero all capability bits only in logical vector 1:
+\&\f(CW\*(C`env OPENSSL_ia32cap=:0::::\*(C'\fR
+.PP
+A more likely usage scenario would be to disable specific instruction set extensions.
+The '\fB~\fR' character is used to specify a bit mask of the extensions to be disabled for
+a particular logical vector.
+.PP
+To illustrate, the following will disable AVX2 code paths and further extensions:
+.PP
+\&\f(CW\*(C`env OPENSSL_ia32cap=:~0x20000000000\*(C'\fR
+.PP
+The following will disable AESNI (LV0 bit 57) and VAES (LV1 bit 41)
+extensions and therefore any code paths using those extensions but leave
+the rest of the logical vectors unchanged:
.PP
-To control this extended capability word use \f(CW\*(C`:\*(C'\fR as delimiter when
-setting up \fBOPENSSL_ia32cap\fR environment variable. For example assigning
-\&\f(CW\*(C`:~0x20\*(C'\fR would disable \s-1AVX2\s0 code paths, and \f(CW\*(C`:0\*(C'\fR \- all post-AVX
-extensions.
+\&\f(CW\*(C`env OPENSSL_ia32cap=~0x200000000000000:~0x20000000000:~0x0:~0x0:~0x0\*(C'\fR
+.SH NOTES
+.IX Header "NOTES"
+Not all capability bits are copied from CPUID output verbatim. An example
+of this is the somewhat less intuitive clearing of LV0 bit #28, or ~0x10000000
+in the "environment variable" terms. It has been adjusted to reflect whether or
+not the data cache is actually shared between logical cores. This in turn affects
+the decision on whether or not expensive countermeasures against cache-timing attacks
+are applied, most notably in AES assembler module.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Not available.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2004\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3
index d86064ae7585..ef5439fb9732 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_INIT_CRYPTO 3ossl"
-.TH OPENSSL_INIT_CRYPTO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_INIT_CRYPTO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_INIT_new, OPENSSL_INIT_set_config_filename,
OPENSSL_INIT_set_config_appname, OPENSSL_INIT_set_config_file_flags,
OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit,
OPENSSL_thread_stop_ex, OPENSSL_thread_stop \- OpenSSL initialisation
and deinitialisation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -162,7 +86,7 @@ and deinitialisation functions
\& const char* name);
\& void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
During normal operation OpenSSL (libcrypto) will allocate various resources at
start up that must, subsequently, be freed on close down of the library.
@@ -182,49 +106,49 @@ equivalent).
.PP
Numerous internal OpenSSL functions call \fBOPENSSL_init_crypto()\fR.
Therefore, in order to perform nondefault initialisation,
-\&\fBOPENSSL_init_crypto()\fR \s-1MUST\s0 be called by application code prior to
+\&\fBOPENSSL_init_crypto()\fR MUST be called by application code prior to
any other OpenSSL function calls.
.PP
The \fBopts\fR parameter specifies which aspects of libcrypto should be
initialised. Valid options are:
-.IP "\s-1OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\s0" 4
+.IP OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 4
.IX Item "OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS"
Suppress automatic loading of the libcrypto error strings. This option is
not a default option. Once selected subsequent calls to
\&\fBOPENSSL_init_crypto()\fR with the option
-\&\fB\s-1OPENSSL_INIT_LOAD_CRYPTO_STRINGS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_LOAD_CRYPTO_STRINGS\s0" 4
+\&\fBOPENSSL_INIT_LOAD_CRYPTO_STRINGS\fR will be ignored.
+.IP OPENSSL_INIT_LOAD_CRYPTO_STRINGS 4
.IX Item "OPENSSL_INIT_LOAD_CRYPTO_STRINGS"
Automatic loading of the libcrypto error strings. With this option the
library will automatically load the libcrypto error strings.
This option is a default option. Once selected subsequent calls to
\&\fBOPENSSL_init_crypto()\fR with the option
-\&\fB\s-1OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_ADD_ALL_CIPHERS\s0" 4
+\&\fBOPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\fR will be ignored.
+.IP OPENSSL_INIT_ADD_ALL_CIPHERS 4
.IX Item "OPENSSL_INIT_ADD_ALL_CIPHERS"
With this option the library will automatically load and make available all
libcrypto ciphers. This option is a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
-\&\fB\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_ADD_ALL_DIGESTS\s0" 4
+\&\fBOPENSSL_INIT_NO_ADD_ALL_CIPHERS\fR will be ignored.
+.IP OPENSSL_INIT_ADD_ALL_DIGESTS 4
.IX Item "OPENSSL_INIT_ADD_ALL_DIGESTS"
With this option the library will automatically load and make available all
libcrypto digests. This option is a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
-\&\fB\s-1OPENSSL_INIT_NO_ADD_ALL_DIGESTS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0" 4
+\&\fBOPENSSL_INIT_NO_ADD_ALL_DIGESTS\fR will be ignored.
+.IP OPENSSL_INIT_NO_ADD_ALL_CIPHERS 4
.IX Item "OPENSSL_INIT_NO_ADD_ALL_CIPHERS"
With this option the library will suppress automatic loading of libcrypto
ciphers. This option is not a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
-\&\fB\s-1OPENSSL_INIT_ADD_ALL_CIPHERS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_NO_ADD_ALL_DIGESTS\s0" 4
+\&\fBOPENSSL_INIT_ADD_ALL_CIPHERS\fR will be ignored.
+.IP OPENSSL_INIT_NO_ADD_ALL_DIGESTS 4
.IX Item "OPENSSL_INIT_NO_ADD_ALL_DIGESTS"
With this option the library will suppress automatic loading of libcrypto
digests. This option is not a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
-\&\fB\s-1OPENSSL_INIT_ADD_ALL_DIGESTS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_LOAD_CONFIG\s0" 4
+\&\fBOPENSSL_INIT_ADD_ALL_DIGESTS\fR will be ignored.
+.IP OPENSSL_INIT_LOAD_CONFIG 4
.IX Item "OPENSSL_INIT_LOAD_CONFIG"
With this option an OpenSSL configuration file will be automatically loaded and
used by calling \fBOPENSSL_config()\fR. This is a default option.
@@ -233,64 +157,64 @@ libcrypto (see \fBOPENSSL_init_ssl\fR\|(3) for further details about libssl
initialisation).
In OpenSSL 1.1.0 this was a nondefault option for both libssl and libcrypto.
See the description of \fBOPENSSL_INIT_new()\fR, below.
-.IP "\s-1OPENSSL_INIT_NO_LOAD_CONFIG\s0" 4
+.IP OPENSSL_INIT_NO_LOAD_CONFIG 4
.IX Item "OPENSSL_INIT_NO_LOAD_CONFIG"
With this option the loading of OpenSSL configuration files will be suppressed.
It is the equivalent of calling \fBOPENSSL_no_config()\fR. This is not a default
option.
-.IP "\s-1OPENSSL_INIT_ASYNC\s0" 4
+.IP OPENSSL_INIT_ASYNC 4
.IX Item "OPENSSL_INIT_ASYNC"
With this option the library with automatically initialise the libcrypto async
sub-library (see \fBASYNC_start_job\fR\|(3)). This is a default option.
-.IP "\s-1OPENSSL_INIT_ENGINE_RDRAND\s0" 4
+.IP OPENSSL_INIT_ENGINE_RDRAND 4
.IX Item "OPENSSL_INIT_ENGINE_RDRAND"
With this option the library will automatically load and initialise the
-\&\s-1RDRAND\s0 engine (if available). This not a default option and is deprecated
+RDRAND engine (if available). This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_DYNAMIC\s0" 4
+.IP OPENSSL_INIT_ENGINE_DYNAMIC 4
.IX Item "OPENSSL_INIT_ENGINE_DYNAMIC"
With this option the library will automatically load and initialise the
dynamic engine. This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_OPENSSL\s0" 4
+.IP OPENSSL_INIT_ENGINE_OPENSSL 4
.IX Item "OPENSSL_INIT_ENGINE_OPENSSL"
With this option the library will automatically load and initialise the
openssl engine. This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_CRYPTODEV\s0" 4
+.IP OPENSSL_INIT_ENGINE_CRYPTODEV 4
.IX Item "OPENSSL_INIT_ENGINE_CRYPTODEV"
With this option the library will automatically load and initialise the
cryptodev engine (if available). This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_CAPI\s0" 4
+.IP OPENSSL_INIT_ENGINE_CAPI 4
.IX Item "OPENSSL_INIT_ENGINE_CAPI"
With this option the library will automatically load and initialise the
-\&\s-1CAPI\s0 engine (if available). This not a default option and is deprecated
+CAPI engine (if available). This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_PADLOCK\s0" 4
+.IP OPENSSL_INIT_ENGINE_PADLOCK 4
.IX Item "OPENSSL_INIT_ENGINE_PADLOCK"
With this option the library will automatically load and initialise the
padlock engine (if available). This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_AFALG\s0" 4
+.IP OPENSSL_INIT_ENGINE_AFALG 4
.IX Item "OPENSSL_INIT_ENGINE_AFALG"
With this option the library will automatically load and initialise the
-\&\s-1AFALG\s0 engine. This not a default option and is deprecated
+AFALG engine. This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ENGINE_ALL_BUILTIN\s0" 4
+.IP OPENSSL_INIT_ENGINE_ALL_BUILTIN 4
.IX Item "OPENSSL_INIT_ENGINE_ALL_BUILTIN"
With this option the library will automatically load and initialise all the
built in engines listed above with the exception of the openssl and afalg
engines. This not a default option and is deprecated
in OpenSSL 3.0.
-.IP "\s-1OPENSSL_INIT_ATFORK\s0" 4
+.IP OPENSSL_INIT_ATFORK 4
.IX Item "OPENSSL_INIT_ATFORK"
With this option the library will register its fork handlers.
See \fBOPENSSL_fork_prepare\fR\|(3) for details.
-.IP "\s-1OPENSSL_INIT_NO_ATEXIT\s0" 4
+.IP OPENSSL_INIT_NO_ATEXIT 4
.IX Item "OPENSSL_INIT_NO_ATEXIT"
By default OpenSSL will attempt to clean itself up when the process exits via an
-\&\*(L"atexit\*(R" handler. Using this option suppresses that behaviour. This means that
+"atexit" handler. Using this option suppresses that behaviour. This means that
the application will have to clean up OpenSSL explicitly using
\&\fBOPENSSL_cleanup()\fR.
.PP
@@ -315,7 +239,7 @@ application and a library it depends on both use OpenSSL, and the library
deinitialises it before the application has finished using it.
.PP
Once \fBOPENSSL_cleanup()\fR has been called the library cannot be reinitialised.
-Attempts to call \fBOPENSSL_init_crypto()\fR will fail and an \s-1ERR_R_INIT_FAIL\s0 error
+Attempts to call \fBOPENSSL_init_crypto()\fR will fail and an ERR_R_INIT_FAIL error
will be added to the error stack. Note that because initialisation has failed
OpenSSL error strings will not be available, only an error code. This code can
be put through the openssl errstr command line application to produce a human
@@ -328,46 +252,47 @@ process wide resources are freed. In the event that multiple stop handlers are
registered, no guarantees are made about the order of execution.
.PP
The \fBOPENSSL_thread_stop_ex()\fR function deallocates resources associated
-with the current thread for the given \s-1OSSL_LIB_CTX\s0 \fBctx\fR. The \fBctx\fR parameter
-can be \s-1NULL\s0 in which case the default \s-1OSSL_LIB_CTX\s0 is used.
+with the current thread for the given OSSL_LIB_CTX \fBctx\fR. The \fBctx\fR parameter
+can be NULL in which case the default OSSL_LIB_CTX is used.
.PP
Typically, this function will be called automatically by the library when
-the thread exits as long as the \s-1OSSL_LIB_CTX\s0 has not been freed before the thread
+the thread exits as long as the OSSL_LIB_CTX has not been freed before the thread
exits. If \fBOSSL_LIB_CTX_free()\fR is called OPENSSL_thread_stop_ex will be called
automatically for the current thread (but not any other threads that may have
-used this \s-1OSSL_LIB_CTX\s0).
+used this OSSL_LIB_CTX).
.PP
OPENSSL_thread_stop_ex should be called on all threads that will exit after the
-\&\s-1OSSL_LIB_CTX\s0 is freed.
-Typically this is not necessary for the default \s-1OSSL_LIB_CTX\s0 (because all
+OSSL_LIB_CTX is freed.
+Typically this is not necessary for the default OSSL_LIB_CTX (because all
resources are cleaned up on library exit) except if thread local resources
should be freed before library exit, or under the circumstances described in
-the \s-1NOTES\s0 section below.
+the NOTES section below.
.PP
\&\fBOPENSSL_thread_stop()\fR is the same as \fBOPENSSL_thread_stop_ex()\fR except that the
-default \s-1OSSL_LIB_CTX\s0 is always used.
+default OSSL_LIB_CTX is always used.
.PP
-The \fB\s-1OPENSSL_INIT_LOAD_CONFIG\s0\fR flag will load a configuration file, as with
-\&\fBCONF_modules_load_file\fR\|(3) with \s-1NULL\s0 filename and application name and the
-\&\fB\s-1CONF_MFLAGS_IGNORE_MISSING_FILE\s0\fR, \fB\s-1CONF_MFLAGS_IGNORE_RETURN_CODES\s0\fR and
-\&\fB\s-1CONF_MFLAGS_DEFAULT_SECTION\s0\fR flags.
+The \fBOPENSSL_INIT_LOAD_CONFIG\fR flag will load a configuration file, as with
+\&\fBCONF_modules_load_file\fR\|(3) with NULL filename and application name and the
+\&\fBCONF_MFLAGS_IGNORE_MISSING_FILE\fR, \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR and
+\&\fBCONF_MFLAGS_DEFAULT_SECTION\fR flags.
The filename, application name, and flags can be customized by providing a
-non-null \fB\s-1OPENSSL_INIT_SETTINGS\s0\fR object.
-The object can be allocated via \fB\fBOPENSSL_INIT_new()\fB\fR.
-The \fB\fBOPENSSL_INIT_set_config_filename()\fB\fR function can be used to specify a
+non-null \fBOPENSSL_INIT_SETTINGS\fR object.
+The object can be allocated via \fBOPENSSL_INIT_new()\fR.
+The \fBOPENSSL_INIT_set_config_filename()\fR function can be used to specify a
nondefault filename, which is copied and need not refer to persistent storage.
Similarly, \fBOPENSSL_INIT_set_config_appname()\fR can be used to specify a
nondefault application name.
Finally, OPENSSL_INIT_set_file_flags can be used to specify nondefault flags.
-If the \fB\s-1CONF_MFLAGS_IGNORE_RETURN_CODES\s0\fR flag is not included, any errors in
+If the \fBCONF_MFLAGS_IGNORE_RETURN_CODES\fR flag is not included, any errors in
the configuration file will cause an error return from \fBOPENSSL_init_crypto\fR
or indirectly \fBOPENSSL_init_ssl\fR\|(3).
The object can be released with \fBOPENSSL_INIT_free()\fR when done.
-.SH "NOTES"
+If the argument to \fBOPENSSL_INIT_free()\fR is NULL, nothing is done.
+.SH NOTES
.IX Header "NOTES"
Resources local to a thread are deallocated automatically when the thread exits
(e.g. in a pthreads environment, when \fBpthread_exit()\fR is called). On Windows
-platforms this is done in response to a \s-1DLL_THREAD_DETACH\s0 message being sent to
+platforms this is done in response to a DLL_THREAD_DETACH message being sent to
the libcrypto32.dll entry point. Some windows functions may cause threads to exit
without sending this message (for example \fBExitProcess()\fR). If the application
uses such functions, then the application must free up OpenSSL resources
@@ -383,7 +308,7 @@ multi-threaded and if \fBdlclose()\fR is subsequently called prior to the thread
being destroyed then OpenSSL will not be able to deallocate resources associated
with those threads. The application should either call \fBOPENSSL_thread_stop()\fR on
each thread prior to the \fBdlclose()\fR call, or alternatively the original \fBdlopen()\fR
-call should use the \s-1RTLD_NODELETE\s0 flag (where available on the platform).
+call should use the RTLD_NODELETE flag (where available on the platform).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions OPENSSL_init_crypto, \fBOPENSSL_atexit()\fR and
@@ -391,16 +316,16 @@ The functions OPENSSL_init_crypto, \fBOPENSSL_atexit()\fR and
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_ssl\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBOPENSSL_init_crypto()\fR, \fBOPENSSL_cleanup()\fR, \fBOPENSSL_atexit()\fR,
\&\fBOPENSSL_thread_stop()\fR, \fBOPENSSL_INIT_new()\fR, \fBOPENSSL_INIT_set_config_appname()\fR
and \fBOPENSSL_INIT_free()\fR functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3
index d6723a1dedc4..a969a86dca43 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_INIT_SSL 3ossl"
-.TH OPENSSL_INIT_SSL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_INIT_SSL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_init_ssl \- OpenSSL (libssl and libcrypto) initialisation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
During normal operation OpenSSL (libssl and libcrypto) will allocate various
resources at start up that must, subsequently, be freed on close down of the
@@ -160,31 +84,31 @@ automatically deinitialise as required.
However, there may be situations when explicit initialisation is desirable or
needed, for example when some nondefault initialisation is required. The
function \fBOPENSSL_init_ssl()\fR can be used for this purpose. Calling
-this function will explicitly initialise \s-1BOTH\s0 libcrypto and libssl. To
-explicitly initialise \s-1ONLY\s0 libcrypto see the
+this function will explicitly initialise BOTH libcrypto and libssl. To
+explicitly initialise ONLY libcrypto see the
\&\fBOPENSSL_init_crypto\fR\|(3) function.
.PP
Numerous internal OpenSSL functions call \fBOPENSSL_init_ssl()\fR.
Therefore, in order to perform nondefault initialisation,
-\&\fBOPENSSL_init_ssl()\fR \s-1MUST\s0 be called by application code prior to
+\&\fBOPENSSL_init_ssl()\fR MUST be called by application code prior to
any other OpenSSL function calls.
.PP
The \fBopts\fR parameter specifies which aspects of libssl and libcrypto should be
initialised. Valid options for libcrypto are described on the
\&\fBOPENSSL_init_crypto\fR\|(3) page. In addition to any libcrypto
specific option the following libssl options can also be used:
-.IP "\s-1OPENSSL_INIT_NO_LOAD_SSL_STRINGS\s0" 4
+.IP OPENSSL_INIT_NO_LOAD_SSL_STRINGS 4
.IX Item "OPENSSL_INIT_NO_LOAD_SSL_STRINGS"
Suppress automatic loading of the libssl error strings. This option is
not a default option. Once selected subsequent calls to
\&\fBOPENSSL_init_ssl()\fR with the option
-\&\fB\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0\fR will be ignored.
-.IP "\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0" 4
+\&\fBOPENSSL_INIT_LOAD_SSL_STRINGS\fR will be ignored.
+.IP OPENSSL_INIT_LOAD_SSL_STRINGS 4
.IX Item "OPENSSL_INIT_LOAD_SSL_STRINGS"
Automatic loading of the libssl error strings. This option is a
default option. Once selected subsequent calls to
\&\fBOPENSSL_init_ssl()\fR with the option
-\&\fB\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0\fR will be ignored.
+\&\fBOPENSSL_INIT_LOAD_SSL_STRINGS\fR will be ignored.
.PP
\&\fBOPENSSL_init_ssl()\fR takes a \fBsettings\fR parameter which can be used to
set parameter values. See \fBOPENSSL_init_crypto\fR\|(3) for details.
@@ -194,14 +118,14 @@ The function \fBOPENSSL_init_ssl()\fR returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_crypto\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBOPENSSL_init_ssl()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3
index b791de884f4e..d651ac2b92fd 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_INSTRUMENT_BUS 3ossl"
-.TH OPENSSL_INSTRUMENT_BUS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_INSTRUMENT_BUS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memory bus
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 4
\& #ifdef OPENSSL_CPUID_OBJ
@@ -146,7 +70,7 @@ OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memo
\& size_t OPENSSL_instrument_bus2(unsigned int *vector, size_t num, size_t max);
\& #endif
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
It was empirically found that timings of references to primary memory
are subject to irregular, apparently non-deterministic variations. The
@@ -165,20 +89,20 @@ oscillator cycles every probe took.
probes with the same value, i.e. in a way it records duration of
periods when probe values appeared deterministic. The subroutine
performs at most \fBmax\fR probes in attempt to fill the \fBvector[num]\fR,
-with \fBmax\fR value of 0 meaning \*(L"as many as it takes.\*(R"
+with \fBmax\fR value of 0 meaning "as many as it takes."
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-Return value of 0 indicates that \s-1CPU\s0 is not capable of performing the
+Return value of 0 indicates that CPU is not capable of performing the
benchmark, either because oscillator counter or 'flush cache line' is
not available on current platform. For reference, on x86 'flush cache
-line' was introduced with the \s-1SSE2\s0 extensions.
+line' was introduced with the SSE2 extensions.
.PP
Otherwise number of recorded values is returned.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2011\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2011\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3
index 4d381feeb4ff..064df6f7c680 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_LOAD_BUILTIN_MODULES 3ossl"
-.TH OPENSSL_LOAD_BUILTIN_MODULES 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_LOAD_BUILTIN_MODULES 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_load_builtin_modules, ASN1_add_oid_module, ENGINE_add_conf_module \- add standard configuration modules
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
@@ -147,16 +71,16 @@ OPENSSL_load_builtin_modules, ASN1_add_oid_module, ENGINE_add_conf_module \- add
\& void ASN1_add_oid_module(void);
\& void ENGINE_add_conf_module(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBOPENSSL_load_builtin_modules()\fR adds all the standard OpenSSL
configuration modules to the internal list. They can then be used by the
OpenSSL configuration code.
.PP
-\&\fBASN1_add_oid_module()\fR adds just the \s-1ASN1 OBJECT\s0 module.
+\&\fBASN1_add_oid_module()\fR adds just the ASN1 OBJECT module.
.PP
-\&\fBENGINE_add_conf_module()\fR adds just the \s-1ENGINE\s0 configuration module.
-.SH "NOTES"
+\&\fBENGINE_add_conf_module()\fR adds just the ENGINE configuration module.
+.SH NOTES
.IX Header "NOTES"
If the simple configuration function \fBOPENSSL_config()\fR is called then
\&\fBOPENSSL_load_builtin_modules()\fR is called automatically.
@@ -175,14 +99,14 @@ None of the functions return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5), \fBOPENSSL_config\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBENGINE_add_conf_module()\fR was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3
new file mode 100644
index 000000000000..db0657b34869
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_u16_le.3
@@ -0,0 +1,138 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL_LOAD_U16_LE 3ossl"
+.TH OPENSSL_LOAD_U16_LE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OPENSSL_load_u16_le, OPENSSL_load_u16_be, OPENSSL_load_u32_le,
+OPENSSL_load_u32_be, OPENSSL_load_u64_le, OPENSSL_load_u64_be,
+OPENSSL_store_u16_le, OPENSSL_store_u16_be,
+OPENSSL_store_u32_le, OPENSSL_store_u32_be,
+OPENSSL_store_u64_le, OPENSSL_store_u64_be \-
+Read and write unsigned 16, 32 and 64\-bit integers in a specific byte order
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/byteorder.h>
+\&
+\& static ossl_inline unsigned char *OPENSSL_store_u16_le(
+\& unsigned char *out, uint16_t val);
+\& static ossl_inline unsigned char *OPENSSL_store_u16_be(
+\& unsigned char *out, uint16_t val);
+\& static ossl_inline unsigned char *OPENSSL_store_u32_le(
+\& unsigned char *out, uint32_t val);
+\& static ossl_inline unsigned char *OPENSSL_store_u32_be(
+\& unsigned char *out, uint32_t val);
+\& static ossl_inline unsigned char *OPENSSL_store_u64_le(
+\& unsigned char *out, uint64_t val);
+\& static ossl_inline unsigned char *OPENSSL_store_u64_be(
+\& unsigned char *out, uint64_t val);
+\& static ossl_inline const unsigned char *OPENSSL_load_u16_le(
+\& uint16_t *val, const unsigned char *in);
+\& static ossl_inline const unsigned char *OPENSSL_load_u16_be(
+\& uint16_t *val, const unsigned char *in);
+\& static ossl_inline const unsigned char *OPENSSL_load_u32_le(
+\& uint32_t *val, const unsigned char *in);
+\& static ossl_inline const unsigned char *OPENSSL_load_u32_be(
+\& uint32_t *val, const unsigned char *in);
+\& static ossl_inline const unsigned char *OPENSSL_load_u64_le(
+\& uint64_t *val, const unsigned char *in);
+\& static ossl_inline const unsigned char *OPENSSL_load_u64_be(
+\& uint64_t *val, const unsigned char *in);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These functions read and write 16, 32 and 64 bit unsigned integers in a
+specified byte order.
+The \f(CW\*(C`_be\*(C'\fR functions use big-endian byte order, while the \f(CW\*(C`_le\*(C'\fR functions use
+little-endian byte order.
+They're implemented directly in the header file, and declared static. When the
+compiler supports inline functions, they're also declared inline.
+An optimising compiler will often convert these to just one or two machine
+instructions: a load or store with a possible byte swap.
+.PP
+The \f(CW\*(C`load\*(C'\fR functions write the decoded integer value at the address pointed to
+by \fIval\fR, which must be a valid (possibly suitably aligned) address of an
+object of the appropriate type.
+The \f(CW\*(C`store\*(C'\fR functions write the encoding of \fIval\fR at the address pointed to
+by \fIout\fR.
+.PP
+For convenience, these functions return the updated input or output pointer,
+making it easy to continue reading or writing more data at the next memory
+location.
+.PP
+No bounds checks are performed, the caller is responsible for making sure that
+the input or output buffers are sufficiently large for the requested read or
+write.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+All these functions return the next memory address following the last byte
+written or read.
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3
index ea5b325e5f4f..f1f106be80f8 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_MALLOC 3ossl"
-.TH OPENSSL_MALLOC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_MALLOC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_malloc_init,
-OPENSSL_malloc, OPENSSL_zalloc, OPENSSL_realloc, OPENSSL_free,
-OPENSSL_clear_realloc, OPENSSL_clear_free, OPENSSL_cleanse,
-CRYPTO_malloc, CRYPTO_zalloc, CRYPTO_realloc, CRYPTO_free,
+OPENSSL_malloc, OPENSSL_aligned_alloc, OPENSSL_zalloc, OPENSSL_realloc,
+OPENSSL_free, OPENSSL_clear_realloc, OPENSSL_clear_free, OPENSSL_cleanse,
+CRYPTO_malloc, CRYPTO_aligned_alloc, CRYPTO_zalloc, CRYPTO_realloc, CRYPTO_free,
OPENSSL_strdup, OPENSSL_strndup,
-OPENSSL_memdup, OPENSSL_strlcpy, OPENSSL_strlcat,
+OPENSSL_memdup, OPENSSL_strlcpy, OPENSSL_strlcat, OPENSSL_strtoul,
CRYPTO_strdup, CRYPTO_strndup,
OPENSSL_mem_debug_push, OPENSSL_mem_debug_pop,
CRYPTO_mem_debug_push, CRYPTO_mem_debug_pop,
@@ -155,7 +79,7 @@ CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp, CRYPTO_mem_leaks_cb,
OPENSSL_MALLOC_FAILURES,
OPENSSL_MALLOC_FD
\&\- Memory allocation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -163,6 +87,7 @@ OPENSSL_MALLOC_FD
\& int OPENSSL_malloc_init(void);
\&
\& void *OPENSSL_malloc(size_t num);
+\& void *OPENSSL_aligned_alloc(size_t num, size_t alignment, void **freeptr);
\& void *OPENSSL_zalloc(size_t num);
\& void *OPENSSL_realloc(void *addr, size_t num);
\& void OPENSSL_free(void *addr);
@@ -170,12 +95,15 @@ OPENSSL_MALLOC_FD
\& char *OPENSSL_strndup(const char *str, size_t s);
\& size_t OPENSSL_strlcat(char *dst, const char *src, size_t size);
\& size_t OPENSSL_strlcpy(char *dst, const char *src, size_t size);
+\& int OPENSSL_strtoul(char *src, char **endptr, int base, unsigned long *num);
\& void *OPENSSL_memdup(void *data, size_t s);
\& void *OPENSSL_clear_realloc(void *p, size_t old_len, size_t num);
\& void OPENSSL_clear_free(void *str, size_t num);
\& void OPENSSL_cleanse(void *ptr, size_t len);
\&
\& void *CRYPTO_malloc(size_t num, const char *file, int line);
+\& void *CRYPTO_aligned_alloc(size_t num, size_t align, void **freeptr,
+\& const char *file, int line);
\& void *CRYPTO_zalloc(size_t num, const char *file, int line);
\& void *CRYPTO_realloc(void *p, size_t num, const char *file, int line);
\& void CRYPTO_free(void *str, const char *, int);
@@ -203,7 +131,7 @@ OPENSSL_MALLOC_FD
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -219,11 +147,11 @@ see \fBopenssl_user_macros\fR\|(7):
\& int CRYPTO_mem_debug_push(const char *info, const char *file, int line);
\& int CRYPTO_mem_debug_pop(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-OpenSSL memory allocation is handled by the \fBOPENSSL_xxx\fR \s-1API.\s0 These are
+OpenSSL memory allocation is handled by the \fBOPENSSL_xxx\fR API. These are
generally macro's that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR
-parameters and call a lower-level \fBCRYPTO_xxx\fR \s-1API.\s0
+parameters and call a lower-level \fBCRYPTO_xxx\fR API.
Some functions do not add those parameters, but exist for consistency.
.PP
\&\fBOPENSSL_malloc_init()\fR does nothing and does not need to be called. It is
@@ -233,10 +161,25 @@ included for compatibility with older versions of OpenSSL.
C \fBmalloc()\fR, \fBrealloc()\fR, and \fBfree()\fR functions.
\&\fBOPENSSL_zalloc()\fR calls \fBmemset()\fR to zero the memory before returning.
.PP
+\&\fBOPENSSL_aligned_alloc()\fR operates just as OPENSSL_malloc does, but it
+allows for the caller to specify an alignment value, for instances in
+which the default alignment of malloc is insufficient for the callers
+needs. Note, the alignment value must be a power of 2, and the size
+specified must be a multiple of the alignment.
+NOTE: The call to \fBOPENSSL_aligned_alloc()\fR accepts a 3rd argument, \fIfreeptr\fR
+which must point to a void pointer. On some platforms, there is no available
+library call to obtain memory allocations greater than what malloc provides. In
+this case, OPENSSL_aligned_alloc implements its own alignment routine,
+allocating additional memory and offsetting the returned pointer to be on the
+requested alignment boundary. In order to safely free allocations made by this
+method, the caller must return the value in the \fIfreeptr\fR variable, rather than
+the returned pointer.
+.PP
\&\fBOPENSSL_clear_realloc()\fR and \fBOPENSSL_clear_free()\fR should be used
when the buffer at \fBaddr\fR holds sensitive information.
The old buffer is filled with zero's by calling \fBOPENSSL_cleanse()\fR
-before ultimately calling \fBOPENSSL_free()\fR.
+before ultimately calling \fBOPENSSL_free()\fR. If the argument to \fBOPENSSL_free()\fR is
+NULL, nothing is done.
.PP
\&\fBOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0's.
Use \fBOPENSSL_cleanse()\fR with care if the memory is a mapping of a file.
@@ -254,13 +197,19 @@ equivalent C functions, except that memory is allocated by calling the
\&\fBOPENSSL_strlcat()\fR and \fBOPENSSL_strnlen()\fR are equivalents of the common C
library functions and are provided for portability.
.PP
-If no allocations have been done, it is possible to \*(L"swap out\*(R" the default
+\&\fBOPENSSL_strtoul()\fR is a wrapper around the POSIX function strtoul, with the same
+behaviors listed in the POSIX documentation, with the additional behavior that
+it validates the input \fIstr\fR and \fInum\fR parameters for not being NULL, and confirms
+that at least a single byte of input has been consumed in the translation,
+returning an error in the event that no bytes were consumed.
+.PP
+If no allocations have been done, it is possible to "swap out" the default
implementations for \fBOPENSSL_malloc()\fR, \fBOPENSSL_realloc()\fR and \fBOPENSSL_free()\fR
and replace them with alternate versions.
\&\fBCRYPTO_get_mem_functions()\fR function fills in the given arguments with the
function pointers for the current implementations.
With \fBCRYPTO_set_mem_functions()\fR, you can specify a different set of functions.
-If any of \fBmalloc_fn\fR, \fBrealloc_fn\fR, or \fBfree_fn\fR are \s-1NULL,\s0 then
+If any of \fBmalloc_fn\fR, \fBrealloc_fn\fR, or \fBfree_fn\fR are NULL, then
the function is not changed.
While it's permitted to swap out only a few and not all the functions
with \fBCRYPTO_set_mem_functions()\fR, it's recommended to swap them all out
@@ -268,26 +217,27 @@ at once.
.PP
If the library is built with the \f(CW\*(C`crypto\-mdebug\*(C'\fR option, then one
function, \fBCRYPTO_get_alloc_counts()\fR, and two additional environment
-variables, \fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR and \fB\s-1OPENSSL_MALLOC_FD\s0\fR,
+variables, \fBOPENSSL_MALLOC_FAILURES\fR and \fBOPENSSL_MALLOC_FD\fR,
are available.
.PP
The function \fBCRYPTO_get_alloc_counts()\fR fills in the number of times
each of \fBCRYPTO_malloc()\fR, \fBCRYPTO_realloc()\fR, and \fBCRYPTO_free()\fR have been
called, into the values pointed to by \fBmcount\fR, \fBrcount\fR, and \fBfcount\fR,
-respectively. If a pointer is \s-1NULL,\s0 then the corresponding count is not stored.
+respectively. If a pointer is NULL, then the corresponding count is not stored.
.PP
The variable
-\&\fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR controls how often allocations should fail.
+\&\fBOPENSSL_MALLOC_FAILURES\fR controls how often allocations should fail.
It is a set of fields separated by semicolons, which each field is a count
(defaulting to zero) and an optional atsign and percentage (defaulting
to 100). If the count is zero, then it lasts forever. For example,
\&\f(CW\*(C`100;@25\*(C'\fR or \f(CW\*(C`100@0;0@25\*(C'\fR means the first 100 allocations pass, then all
other allocations (until the program exits or crashes) have a 25% chance of
-failing.
+failing. The length of the value of \fBOPENSSL_MALLOC_FAILURES\fR must be 256 or
+fewer characters.
.PP
-If the variable \fB\s-1OPENSSL_MALLOC_FD\s0\fR is parsed as a positive integer, then
+If the variable \fBOPENSSL_MALLOC_FD\fR is parsed as a positive integer, then
it is taken as an open file descriptor. This is used in conjunction with
-\&\fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR described above. For every allocation it will log
+\&\fBOPENSSL_MALLOC_FAILURES\fR described above. For every allocation it will log
details about how many allocations there have been so far, what percentage
chance there is for this allocation failing, and whether it has actually failed.
The following example in classic shell syntax shows how to use this (will not
@@ -306,12 +256,12 @@ work on all platforms):
\&\fBCRYPTO_free()\fR, \fBCRYPTO_clear_free()\fR and \fBCRYPTO_get_mem_functions()\fR
return no value.
.PP
-\&\fBOPENSSL_malloc()\fR, \fBOPENSSL_zalloc()\fR, \fBOPENSSL_realloc()\fR,
+\&\fBOPENSSL_malloc()\fR, \fBOPENSSL_aligned_alloc()\fR, \fBOPENSSL_zalloc()\fR, \fBOPENSSL_realloc()\fR,
\&\fBOPENSSL_clear_realloc()\fR,
\&\fBCRYPTO_malloc()\fR, \fBCRYPTO_zalloc()\fR, \fBCRYPTO_realloc()\fR,
\&\fBCRYPTO_clear_realloc()\fR,
\&\fBOPENSSL_strdup()\fR, and \fBOPENSSL_strndup()\fR
-return a pointer to allocated memory or \s-1NULL\s0 on error.
+return a pointer to allocated memory or NULL on error.
.PP
\&\fBCRYPTO_set_mem_functions()\fR returns 1 on success or 0 on failure (almost
always because allocations have already happened).
@@ -322,7 +272,28 @@ always return \-1.
\&\fBOPENSSL_mem_debug_push()\fR, \fBOPENSSL_mem_debug_pop()\fR,
\&\fBCRYPTO_mem_debug_push()\fR, and \fBCRYPTO_mem_debug_pop()\fR
are deprecated and are no-ops that always return 0.
-.SH "HISTORY"
+.PP
+\&\fBOPENSSL_strtoul()\fR returns 1 on success and 0 in the event that an error has
+occurred. Specifically, 0 is returned in the following events:
+.IP \(bu 4
+If the underlying call to strtoul returned a non zero errno value
+.IP \(bu 4
+If the translation did not consume the entire input string, and the passed
+endptr value was NULL
+.IP \(bu 4
+If no characters were consumed in the translation
+.PP
+Note that a success condition does not imply that the expected
+translation has been performed. For instance calling
+.PP
+.Vb 1
+\& OPENSSL_strtoul("0x12345", &endptr, 10, &num);
+.Ve
+.PP
+will result in a successful translation with num having the value 0, and
+*endptr = 'x'. Be sure to validate how much data was consumed when calling this
+function.
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOPENSSL_mem_debug_push()\fR, \fBOPENSSL_mem_debug_pop()\fR,
\&\fBCRYPTO_mem_debug_push()\fR, \fBCRYPTO_mem_debug_pop()\fR,
@@ -331,11 +302,13 @@ are deprecated and are no-ops that always return 0.
were deprecated in OpenSSL 3.0.
The memory-leak checking has been deprecated in OpenSSL 3.0 in favor of
clang's memory and leak sanitizer.
-.SH "COPYRIGHT"
+\&\fBOPENSSL_aligned_alloc()\fR, \fBCRYPTO_aligned_alloc()\fR, \fBOPENSSL_strtoul()\fR were
+added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3
new file mode 100644
index 000000000000..ceda30c57dba
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_riscvcap.3
@@ -0,0 +1,245 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL_RISCVCAP 3ossl"
+.TH OPENSSL_RISCVCAP 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OPENSSL_riscvcap \- the RISC\-V processor capabilities vector
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& env OPENSSL_riscvcap=... <application>
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+libcrypto supports RISC-V instruction set extensions. These
+extensions are denoted by individual extension names in the capabilities
+vector. For Linux platform, when libcrypto is initialized, the results
+returned by the RISC-V Hardware Probing syscall (hwprobe) are stored
+in the vector. Otherwise all capabilities are disabled.
+.PP
+To override the set of instructions available to an application, you can
+set the \fBOPENSSL_riscvcap\fR environment variable before you start the
+application.
+.PP
+The environment variable is similar to the RISC-V ISA string defined in the
+RISC-V Instruction Set Manual. It is case insensitive. Though due to the limit
+of the environment variable parser inside libcrypto, an extension must be
+prefixed with an underscore to make it recognizable. This also applies to the
+Vector extension.
+.PP
+.Vb 1
+\& OPENSSL_riscvcap="rv64gc_v_zba_zbb_zbs..."
+.Ve
+.PP
+Note that extension implication is currently not implemented.
+For example, when "rv64gc_b" is provided as the environment variable,
+zba/zbb/zbs would not be implied in the capability vector.
+.PP
+Currently only these extensions are recognized:
+.IP ZBA 4
+.IX Item "ZBA"
+Address Generation
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.5
+.IP ZBB 4
+.IX Item "ZBB"
+Basic bit-manipulation
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.5
+.IP ZBC 4
+.IX Item "ZBC"
+Carry-less multiplication
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZBS 4
+.IX Item "ZBS"
+Single-bit instructions
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.5
+.IP ZBKB 4
+.IX Item "ZBKB"
+Bit-manipulation for Cryptography
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZBKC 4
+.IX Item "ZBKC"
+Carry-less multiplication for Cryptography
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZBKX 4
+.IX Item "ZBKX"
+Crossbar permutations
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZKND 4
+.IX Item "ZKND"
+NIST Suite: AES Decryption
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZKNE 4
+.IX Item "ZKNE"
+NIST Suite: AES Encryption
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZKNH 4
+.IX Item "ZKNH"
+NIST Suite: Hash Function Instructions
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZKSED 4
+.IX Item "ZKSED"
+ShangMi Suite: SM4 Block Cipher Instructions
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZKSH 4
+.IX Item "ZKSH"
+ShangMi Suite: SM3 Hash Function Instructions
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZKR 4
+.IX Item "ZKR"
+Entropy Source Extension
+.IP ZKT 4
+.IX Item "ZKT"
+Data Independent Execution Latency
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP V 4
+.IX Item "V"
+Vector Extension for Application Processors
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.5
+.IP ZVBB 4
+.IX Item "ZVBB"
+Vector Basic Bit-manipulation
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVBC 4
+.IX Item "ZVBC"
+Vector Carryless Multiplication
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKB 4
+.IX Item "ZVKB"
+Vector Cryptography Bit-manipulation
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKG 4
+.IX Item "ZVKG"
+Vector GCM/GMAC
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKNED 4
+.IX Item "ZVKNED"
+NIST Suite: Vector AES Block Cipher
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKNHA 4
+.IX Item "ZVKNHA"
+NIST Suite: Vector SHA\-2 Secure Hash
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKNHB 4
+.IX Item "ZVKNHB"
+NIST Suite: Vector SHA\-2 Secure Hash
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKSED 4
+.IX Item "ZVKSED"
+ShangMi Suite: SM4 Block Cipher
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.IP ZVKSH 4
+.IX Item "ZVKSH"
+ShangMi Suite: SM3 Secure Hash
+.Sp
+Could be detected using hwprobe for Linux kernel >= 6.8
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Not available.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+Check currently detected capabilities
+.PP
+.Vb 2
+\& $ openssl info \-cpusettings
+\& OPENSSL_riscvcap=ZBA_ZBB_ZBC_ZBS_V
+.Ve
+.PP
+Disables all instruction set extensions:
+.PP
+.Vb 1
+\& OPENSSL_riscvcap="rv64gc"
+.Ve
+.PP
+Only enable the vector extension:
+.PP
+.Vb 1
+\& OPENSSL_riscvcap="rv64gc_v"
+.Ve
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3
index 41bb687f21e6..2ee5f9692621 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_s390xcap.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,27 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_S390XCAP 3ossl"
-.TH OPENSSL_S390XCAP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_S390XCAP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_s390xcap \- the IBM z processor capabilities vector
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& env OPENSSL_s390xcap=... <application>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
libcrypto supports z/Architecture instruction set extensions. These
extensions are denoted by individual bits in the capabilities vector.
-When libcrypto is initialized, the bits returned by the \s-1STFLE\s0 instruction
-and by the \s-1QUERY\s0 functions are stored in the vector.
+When libcrypto is initialized, the bits returned by the STFLE instruction
+and by the QUERY functions are stored in the vector.
.PP
To change the set of instructions available to an application, you can
set the \fBOPENSSL_s390xcap\fR environment variable before you start the
@@ -162,29 +86,33 @@ processed from left to right (whitespace is ignored):
\& OPENSSL_s390xcap="<tok1>;<tok2>;..."
.Ve
.PP
-There are three types of tokens:
-.IP "<string>" 4
+There are four types of tokens:
+.IP <string> 4
.IX Item "<string>"
The name of a processor generation. A bit in the environment variable's
mask is set to one if and only if the specified processor generation
implements the corresponding instruction set extension. Possible values
-are \fBz900\fR, \fBz990\fR, \fBz9\fR, \fBz10\fR, \fBz196\fR, \fBzEC12\fR, \fBz13\fR, \fBz14\fR
-and \fBz15\fR.
-.IP "<string>:<mask>:<mask>" 4
+are \fBz900\fR, \fBz990\fR, \fBz9\fR, \fBz10\fR, \fBz196\fR, \fBzEC12\fR, \fBz13\fR, \fBz14\fR,
+\&\fBz15\fR, and \fBz16\fR.
+.IP <string>:<mask>:<mask> 4
.IX Item "<string>:<mask>:<mask>"
The name of an instruction followed by two 64\-bit masks. The part of the
environment variable's mask corresponding to the specified instruction is
set to the specified 128\-bit mask. Possible values are \fBkimd\fR, \fBklmd\fR,
\&\fBkm\fR, \fBkmc\fR, \fBkmac\fR, \fBkmctr\fR, \fBkmo\fR, \fBkmf\fR, \fBprno\fR, \fBkma\fR, \fBpcc\fR
and \fBkdsa\fR.
-.IP "stfle:<mask>:<mask>:<mask>" 4
+.IP stfle:<mask>:<mask>:<mask> 4
.IX Item "stfle:<mask>:<mask>:<mask>"
Store-facility-list-extended (stfle) followed by three 64\-bit masks. The
part of the environment variable's mask corresponding to the stfle
instruction is set to the specified 192\-bit mask.
+.IP nocex 4
+.IX Item "nocex"
+Deactivate modular exponentiation and CRT operation offloading to
+Crypto Express Adapters.
.PP
The 64\-bit masks are specified in hexadecimal notation. The 0x prefix is
-optional. Prefix a mask with a tilde, \f(CW\*(C`~\*(C'\fR, to denote a bitwise \s-1NOT\s0 operation.
+optional. Prefix a mask with a tilde, \f(CW\*(C`~\*(C'\fR, to denote a bitwise NOT operation.
.PP
The following is a list of significant bits for each instruction. Colon
rows separate the individual 64\-bit masks. The bit numbers in the first
@@ -200,6 +128,7 @@ the numbering is continuous across 64\-bit mask boundaries.
\& :
\& # 76 1<<51 message\-security assist extension 3
\& # 77 1<<50 message\-security assist extension 4
+\& # 86 1<<41 message\-security\-assist extension 12
\& :
\& #129 1<<62 vector facility
\& #134 1<<57 vector packed decimal facility
@@ -236,6 +165,8 @@ the numbering is continuous across 64\-bit mask boundaries.
\& # 50 1<<13 KM\-XTS\-AES\-128
\& # 52 1<<11 KM\-XTS\-AES\-256
\& :
+\& # 82 1<<45 KM\-XTS\-AES\-128\-MSA10
+\& # 84 1<<43 KM\-XTS\-AES\-256\-MSA10
\&
\& kmc :
\& # 18 1<<45 KMC\-AES\-128
@@ -248,6 +179,10 @@ the numbering is continuous across 64\-bit mask boundaries.
\& # 19 1<<44 KMAC\-AES\-192
\& # 20 1<<43 KMAC\-AES\-256
\& :
+\& # 112 1<<15 KMAC\-SHA\-224
+\& # 113 1<<14 KMAC\-SHA\-256
+\& # 114 1<<13 KMAC\-SHA\-384
+\& # 115 1<<12 KMAC\-SHA\-512
\&
\& kmctr:
\& :
@@ -299,7 +234,7 @@ the numbering is continuous across 64\-bit mask boundaries.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Not available.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
Disables all instruction set extensions which the z196 processor does not implement:
.PP
@@ -320,12 +255,12 @@ Disables the KM-XTS-AES and the KIMD-SHAKE function codes:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-[1] z/Architecture Principles of Operation, \s-1SA22\-7832\-12\s0
-.SH "COPYRIGHT"
+[1] z/Architecture Principles of Operation, SA22\-7832\-12
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3
index f2d734a8dcbc..394d623a7349 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_SECURE_MALLOC 3ossl"
-.TH OPENSSL_SECURE_MALLOC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_SECURE_MALLOC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
CRYPTO_secure_malloc_init, CRYPTO_secure_malloc_initialized,
CRYPTO_secure_malloc_done, OPENSSL_secure_malloc, CRYPTO_secure_malloc,
OPENSSL_secure_zalloc, CRYPTO_secure_zalloc, OPENSSL_secure_free,
@@ -144,7 +68,7 @@ CRYPTO_secure_free, OPENSSL_secure_clear_free,
CRYPTO_secure_clear_free, OPENSSL_secure_actual_size,
CRYPTO_secure_allocated,
CRYPTO_secure_used \- secure heap storage
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -172,17 +96,17 @@ CRYPTO_secure_used \- secure heap storage
\& int CRYPTO_secure_allocated(const void *ptr);
\& size_t CRYPTO_secure_used();
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
In order to help protect applications (particularly long-running servers)
from pointer overruns or underruns that could return arbitrary data from
the program's dynamic memory area, where keys and other sensitive
-information might be stored, OpenSSL supports the concept of a \*(L"secure heap.\*(R"
+information might be stored, OpenSSL supports the concept of a "secure heap."
The level and type of security guarantees depend on the operating system.
It is a good idea to review the code and see if it addresses your
threat model and concerns.
.PP
-If a secure heap is used, then private key \fB\s-1BIGNUM\s0\fR values are stored there.
+If a secure heap is used, then private key \fBBIGNUM\fR values are stored there.
This protects long-term storage of private keys, but will not necessarily
put all intermediate values and computations there.
.PP
@@ -217,17 +141,19 @@ If \fBCRYPTO_secure_malloc_init()\fR is not called, this is equivalent to
calling \fBOPENSSL_free()\fR.
It exists for consistency with \fBOPENSSL_secure_malloc()\fR , and
is a macro that expands to \fBCRYPTO_secure_free()\fR and adds the \f(CW\*(C`_\|_FILE_\|_\*(C'\fR
-and \f(CW\*(C`_\|_LINE_\|_\*(C'\fR parameters..
+and \f(CW\*(C`_\|_LINE_\|_\*(C'\fR parameters.. If the argument to \fBOPENSSL_secure_free()\fR
+is NULL, nothing is done.
.PP
\&\fBOPENSSL_secure_clear_free()\fR is similar to \fBOPENSSL_secure_free()\fR except
that it has an additional \f(CW\*(C`num\*(C'\fR parameter which is used to clear
the memory if it was not allocated from the secure heap.
If \fBCRYPTO_secure_malloc_init()\fR is not called, this is equivalent to
-calling \fBOPENSSL_clear_free()\fR.
+calling \fBOPENSSL_clear_free()\fR. If the argument to \fBOPENSSL_secure_clear_free()\fR
+is NULL, nothing is done.
.PP
\&\fBOPENSSL_secure_actual_size()\fR tells the actual size allocated to the
pointer; implementations may allocate more space than initially
-requested, in order to \*(L"round up\*(R" and reduce secure heap fragmentation.
+requested, in order to "round up" and reduce secure heap fragmentation.
.PP
\&\fBOPENSSL_secure_allocated()\fR tells if a pointer is allocated in the secure heap.
.PP
@@ -256,17 +182,17 @@ allocated.
.IX Header "SEE ALSO"
\&\fBOPENSSL_malloc\fR\|(3),
\&\fBBN_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBOPENSSL_secure_clear_free()\fR function was added in OpenSSL 1.1.0g.
.PP
The second argument to \fBCRYPTO_secure_malloc_init()\fR was changed from an \fBint\fR to
a \fBsize_t\fR in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3 b/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3
index 7f626482ed5f..7d1a2e629370 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_strcasecmp.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_STRCASECMP 3ossl"
-.TH OPENSSL_STRCASECMP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_STRCASECMP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_strcasecmp, OPENSSL_strncasecmp \- compare two strings ignoring case
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -146,7 +70,7 @@ OPENSSL_strcasecmp, OPENSSL_strncasecmp \- compare two strings ignoring case
\& int OPENSSL_strcasecmp(const char *s1, const char *s2);
\& int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The OPENSSL_strcasecmp function performs a byte-by-byte comparison of the strings
\&\fBs1\fR and \fBs2\fR, ignoring the case of the characters.
@@ -154,24 +78,27 @@ The OPENSSL_strcasecmp function performs a byte-by-byte comparison of the string
The OPENSSL_strncasecmp function is similar, except that it compares no more than
\&\fBn\fR bytes of \fBs1\fR and \fBs2\fR.
.PP
-In POSIX-compatible system and on Windows these functions use \*(L"C\*(R" locale for
+In POSIX-compatible system and on Windows these functions use "C" locale for
case insensitive. Otherwise the comparison is done in current locale.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Both functions return an integer less than, equal to, or greater than zero if
s1 is found, respectively, to be less than, to match, or be greater than s2.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-OpenSSL extensively uses case insensitive comparison of \s-1ASCII\s0 strings. Though
+OpenSSL extensively uses case insensitive comparison of ASCII strings. Though
OpenSSL itself is locale-agnostic, the applications using OpenSSL libraries may
unpredictably suffer when they use localization (e.g. Turkish locale is
well-known with a specific I/i cases). These functions use C locale for string
comparison.
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.0.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3 b/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3
index 587bd0510f67..deeb0454e5cd 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ALGORITHM.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ALGORITHM 3ossl"
-.TH OSSL_ALGORITHM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ALGORITHM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ALGORITHM \- OpenSSL Core type to define a fetchable algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core.h>
@@ -151,42 +75,42 @@ OSSL_ALGORITHM \- OpenSSL Core type to define a fetchable algorithm
\& const char *algorithm_description;
\& };
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1OSSL_ALGORITHM\s0\fR type is a \fIpublic structure\fR that describes an
+The \fBOSSL_ALGORITHM\fR type is a \fIpublic structure\fR that describes an
algorithm that a \fBprovider\fR\|(7) provides. Arrays of this type are returned
by providers on demand from the OpenSSL libraries to describe what
algorithms the providers provide implementations of, and with what
properties.
.PP
Arrays of this type must be terminated with a tuple where \fIalgorithm_names\fR
-is \s-1NULL.\s0
+is NULL.
.PP
This type of array is typically returned by the provider's operation querying
-function, further described in \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7).
-.SS "\fB\s-1OSSL_ALGORITHM\s0\fP fields"
+function, further described in "Provider Functions" in \fBprovider\-base\fR\|(7).
+.SS "\fBOSSL_ALGORITHM\fP fields"
.IX Subsection "OSSL_ALGORITHM fields"
-.IP "\fIalgorithm_names\fR" 4
+.IP \fIalgorithm_names\fR 4
.IX Item "algorithm_names"
This string is a colon separated set of names / identities, and is used by
the appropriate fetching functionality (such as \fBEVP_CIPHER_fetch\fR\|(3),
\&\fBEVP_MD_fetch\fR\|(3), etc) to find the desired algorithm.
.Sp
Multiple names / identities allow a specific algorithm implementation to be
-fetched multiple ways. For example, the \s-1RSA\s0 algorithm has the following
+fetched multiple ways. For example, the RSA algorithm has the following
known identities:
.RS 4
-.IP "\(bu" 4
+.IP \(bu 4
\&\f(CW\*(C`RSA\*(C'\fR
-.IP "\(bu" 4
+.IP \(bu 4
\&\f(CW\*(C`rsaEncryption\*(C'\fR
.Sp
-This is the name of the algorithm's \s-1OBJECT IDENTIFIER\s0 (\s-1OID\s0), as given by the
-PKCS#1 \s-1RFC\s0's \s-1ASN.1\s0 module <https://www.rfc-editor.org/rfc/rfc8017#appendix-C>
-.IP "\(bu" 4
+This is the name of the algorithm's OBJECT IDENTIFIER (OID), as given by the
+PKCS#1 RFC's ASN.1 module <https://www.rfc-editor.org/rfc/rfc8017#appendix-C>
+.IP \(bu 4
\&\f(CW1.2.840.113549.1.1.1\fR
.Sp
-This is the \s-1OID\s0 itself for \f(CW\*(C`rsaEncryption\*(C'\fR, in canonical decimal text form.
+This is the OID itself for \f(CW\*(C`rsaEncryption\*(C'\fR, in canonical decimal text form.
.RE
.RS 4
.Sp
@@ -199,11 +123,11 @@ The resulting \fIalgorithm_names\fR string would look like this:
The OpenSSL libraries use the first of the algorithm names as the main
or canonical name, on a per algorithm implementation basis.
.Sp
-See the notes \*(L"On the subject of algorithm names\*(R" below for a more in
+See the notes "On the subject of algorithm names" below for a more in
depth discussion on \fIalgorithm_names\fR and how that may interact with
applications and libraries, including OpenSSL's.
.RE
-.IP "\fIproperty_definition\fR" 4
+.IP \fIproperty_definition\fR 4
.IX Item "property_definition"
This string defines a set of properties associated with a particular
algorithm implementation, and is used by the appropriate fetching
@@ -213,46 +137,46 @@ case multiple implementations of the same algorithm are available.
.Sp
See \fBproperty\fR\|(7) for a further description of the contents of this
string.
-.IP "\fIimplementation\fR" 4
+.IP \fIimplementation\fR 4
.IX Item "implementation"
-Pointer to an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) array, containing pointers to the
+Pointer to an \fBOSSL_DISPATCH\fR\|(3) array, containing pointers to the
functions of a particular algorithm implementation.
-.IP "\fIalgorithm_description\fR" 4
+.IP \fIalgorithm_description\fR 4
.IX Item "algorithm_description"
A string with a short human-readable description of the algorithm.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
.SS "On the subject of algorithm names"
.IX Subsection "On the subject of algorithm names"
-Providers may find the need to register \s-1ASN.1\s0 OIDs for algorithms using
+Providers may find the need to register ASN.1 OIDs for algorithms using
\&\fBOBJ_create\fR\|(3) (via the \fBcore_obj_create\fR upcall described in
-\&\fBprovider\-base\fR\|(7), because some application or library \*(-- possibly still
-the OpenSSL libraries, even \*(-- use NIDs to look up algorithms.
+\&\fBprovider\-base\fR\|(7), because some application or library \-\- possibly still
+the OpenSSL libraries, even \-\- use NIDs to look up algorithms.
.PP
-In that scenario, you must make sure that the corresponding \fB\s-1OSSL_ALGORITHM\s0\fR's
+In that scenario, you must make sure that the corresponding \fBOSSL_ALGORITHM\fR's
\&\fIalgorithm_names\fR includes both the short and the long name.
.PP
-Most of the time, registering \s-1ASN.1\s0 OIDs like this shouldn't be necessary,
+Most of the time, registering ASN.1 OIDs like this shouldn't be necessary,
and applications and libraries are encouraged to use \fBOBJ_obj2txt\fR\|(3) to
-get a text representation of the \s-1OID,\s0 which may be a long or short name for
-OIDs that are registered, or the \s-1OID\s0 itself in canonical decimal text form
+get a text representation of the OID, which may be a long or short name for
+OIDs that are registered, or the OID itself in canonical decimal text form
if not (or if \fBOBJ_obj2txt\fR\|(3) is called with \fIno_name\fR = 1).
.PP
-It's recommended to make sure that the corresponding \fB\s-1OSSL_ALGORITHM\s0\fR's
-\&\fIalgorithm_names\fR include known names as well as the \s-1OID\s0 itself in
+It's recommended to make sure that the corresponding \fBOSSL_ALGORITHM\fR's
+\&\fIalgorithm_names\fR include known names as well as the OID itself in
canonical decimal text form. That should cover all scenarios.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBprovider\-base\fR\|(7), \fBopenssl\-core.h\fR\|(7),
-\&\fBopenssl\-core_dispatch.h\fR\|(7), \s-1\fBOSSL_DISPATCH\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBopenssl\-core_dispatch.h\fR\|(7), \fBOSSL_DISPATCH\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OSSL_ALGORITHM\s0\fR was added in OpenSSL 3.0
-.SH "COPYRIGHT"
+\&\fBOSSL_ALGORITHM\fR was added in OpenSSL 3.0
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3 b/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3
index 6b78f3f18fe9..33a5b9bfaa3b 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CALLBACK.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CALLBACK 3ossl"
-.TH OSSL_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CALLBACK, OSSL_PASSPHRASE_CALLBACK \- OpenSSL Core type to define callbacks
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 6
\& #include <openssl/core.h>
@@ -148,7 +72,7 @@ OSSL_CALLBACK, OSSL_PASSPHRASE_CALLBACK \- OpenSSL Core type to define callbacks
\& const OSSL_PARAM params[],
\& void *arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
For certain events or activities, provider functionality may need help from
the application or the calling OpenSSL libraries themselves. For example,
@@ -160,13 +84,13 @@ OpenSSL libraries, along with a generic pointer to data \fIarg\fR. As far as
the function receiving the pointer to the function pointer and \fIarg\fR is
concerned, the data that \fIarg\fR points at is opaque, and the pointer should
simply be passed back to the callback function when it's called.
-.IP "\fB\s-1OSSL_CALLBACK\s0\fR" 4
+.IP \fBOSSL_CALLBACK\fR 4
.IX Item "OSSL_CALLBACK"
This is a generic callback function. When calling this callback function,
-the caller is expected to build an \s-1\fBOSSL_PARAM\s0\fR\|(3) array of data it wants or
+the caller is expected to build an \fBOSSL_PARAM\fR\|(3) array of data it wants or
is expected to pass back, and pass that as \fIparams\fR, as well as the opaque
data pointer it received, as \fIarg\fR.
-.IP "\fB\s-1OSSL_PASSPHRASE_CALLBACK\s0\fR" 4
+.IP \fBOSSL_PASSPHRASE_CALLBACK\fR 4
.IX Item "OSSL_PASSPHRASE_CALLBACK"
This is a specialised callback function, used specifically to prompt the
user for a passphrase. When calling this callback function, a buffer to
@@ -174,18 +98,18 @@ store the pass phrase needs to be given with \fIpass\fR, and its size with
\&\fIpass_size\fR. The length of the prompted pass phrase will be given back in
\&\fI*pass_len\fR.
.Sp
-Additional parameters can be passed with the \s-1\fBOSSL_PARAM\s0\fR\|(3) array \fIparams\fR,
+Additional parameters can be passed with the \fBOSSL_PARAM\fR\|(3) array \fIparams\fR,
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-core.h\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The types described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3
new file mode 100644
index 000000000000..a0d18a508133
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ATAV_set0.3
@@ -0,0 +1,170 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_CMP_ATAV_SET0 3ossl"
+.TH OSSL_CMP_ATAV_SET0 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_CMP_ATAV,
+OSSL_CMP_ATAV_create,
+OSSL_CMP_ATAV_set0,
+OSSL_CMP_ATAV_get0_type,
+OSSL_CMP_ATAV_get0_value,
+OSSL_CMP_ATAV_new_algId,
+OSSL_CMP_ATAV_get0_algId,
+OSSL_CMP_ATAV_new_rsaKeyLen,
+OSSL_CMP_ATAV_get_rsaKeyLen,
+OSSL_CMP_ATAVS,
+OSSL_CMP_ATAV_push1,
+OSSL_CMP_ATAV_free
+\&\- OSSL_CMP_ATAV utility functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/cmp.h>
+\&
+\& typedef OSSL_CRMF_ATTRIBUTETYPEANDVALUE OSSL_CMP_ATAV;
+\& OSSL_CMP_ATAV *OSSL_CMP_ATAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
+\& void OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV *atav, ASN1_OBJECT *type,
+\& ASN1_TYPE *value);
+\& ASN1_OBJECT *OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV *atav);
+\& ASN1_TYPE *OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV *atav);
+\&
+\& OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg);
+\& X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav);
+\& OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len);
+\& int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav);
+\&
+\& typedef STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) OSSL_CMP_ATAVS;
+\& int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav);
+\& void OSSL_CMP_ATAV_free(OSSL_CMP_ATAV *atav);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_CMP_ATAV\fR is a short hand of \fBOSSL_CRMF_ATTRIBUTETYPEANDVALUE\fR,
+defined in RFC 4211 Appendix B.
+It is typically used in CertRequest structures,
+but also in CertReqTemplateContent structures for key specifications.
+.PP
+\&\fBOSSL_CMP_ATAV_create()\fR creates a new \fBOSSL_CMP_ATAV\fR structure and fills it in.
+It combines \fBOSSL_CMP_ATAV_new()\fR and \fBOSSL_CMP_ATAV_set0()\fR.
+.PP
+\&\fBOSSL_CMP_ATAV_set0()\fR sets the \fIatav\fR with an infoType of \fItype\fR and an
+infoValue of \fIvalue\fR.
+The pointers \fItype\fR and \fIvalue\fR may be NULL, otherwise
+they must \fBnot\fR be freed up after the call because their ownership
+is transferred to \fIatav\fR. The \fIitav\fR pointer must not be NULL.
+.PP
+\&\fBOSSL_CMP_ATAV_get0_type()\fR returns a direct pointer to the infoType
+in the \fIatav\fR unless it is NULL.
+.PP
+\&\fBOSSL_CMP_ATAV_get0_value()\fR returns a direct pointer to the infoValue
+in the \fIatav\fR as generic \fBASN1_TYPE\fR pointer unless \fIatav\fR is NULL.
+.PP
+\&\fBOSSL_CMP_ATAV_new_algId()\fR creates a new \fBOSSL_CMP_ATAV\fR structure of type
+\&\fBalgId\fR and fills it in with a copy of the given \fIalg\fR.
+.PP
+\&\fBOSSL_CMP_ATAV_get0_algId()\fR returns
+a direct pointer to the algId infoValue in the \fIatav\fR of type \fBX509_ALGOR\fR
+or NULL if \fIatav\fR is NULL or does not contain an algId.
+.PP
+\&\fBOSSL_CMP_ATAV_new_rsaKeyLen()\fR creates a new \fBOSSL_CMP_ATAV\fR structure of type
+\&\fBrsaKeyLen\fR and fills it in with the given \fIlen\fR, which must be positive.
+.PP
+\&\fBOSSL_CMP_ATAV_get_rsaKeyLen()\fR returns
+the RSA key length in rsaKeyLen infoValue in the \fIatav\fR,
+\&\-1 if \fIatav\fR is NULL or does not contain an rsaKeyLen or cannot be parsed,
+or \-2 if the value is less than 1 or is greater than INT_MAX.
+.PP
+\&\fBOSSL_CMP_ATAV_push1()\fR pushes a copy of \fIatav\fR to the stack of \fBOSSL_CMP_ATAV\fR
+pointed to by \fI*sk_p\fR. It creates a new stack if \fI*sk_p\fR points to NULL.
+.PP
+\&\fBOSSL_CMP_ATAV_free()\fR deallocates \fIatav\fR. It is defined as a macro.
+.SH NOTES
+.IX Header "NOTES"
+CMP is defined in RFC 4210. CRMF is defined in RFC 4211.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_CMP_ATAV_create()\fR,
+\&\fBOSSL_CMP_ATAV_new_algId()\fR, and \fBOSSL_CMP_ATAV_new_rsaKeyLen()\fR
+return a pointer to the ATAV structure on success, or NULL on error.
+.PP
+\&\fBOSSL_CMP_ATAV_set0()\fR and \fBOSSL_CMP_ATAV_free()\fR do not return a value.
+.PP
+\&\fBOSSL_CMP_ATAV_get0_type()\fR, \fBOSSL_CMP_ATAV_get0_value()\fR, and
+\&\fBOSSL_CMP_ATAV_get0_algId()\fR
+return the respective pointer or NULL if their input is NULL.
+.PP
+\&\fBOSSL_CMP_ATAV_get_rsaKeyLen()\fR return a key length in bits or < 0 on error.
+.PP
+\&\fBOSSL_CMP_ATAV_push1()\fR returns 1 on success, 0 on error.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_CMP_ITAV_new0_certReqTemplate\fR\|(3), \fBASN1_TYPE_set\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBOSSL_CMP_ATAV\fR type and related functions were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3
index afe7ab22742d..daa74a21b768 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_CTX_NEW 3ossl"
-.TH OSSL_CMP_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_CTX_new,
OSSL_CMP_CTX_free,
OSSL_CMP_CTX_reinit,
+OSSL_CMP_CTX_get0_libctx, OSSL_CMP_CTX_get0_propq,
OSSL_CMP_CTX_set_option,
OSSL_CMP_CTX_get_option,
OSSL_CMP_CTX_set_log_cb,
@@ -159,7 +84,9 @@ OSSL_CMP_CTX_set_transfer_cb_arg,
OSSL_CMP_CTX_get_transfer_cb_arg,
OSSL_CMP_CTX_set1_srvCert,
OSSL_CMP_CTX_set1_expected_sender,
+OSSL_CMP_CTX_set0_trusted,
OSSL_CMP_CTX_set0_trustedStore,
+OSSL_CMP_CTX_get0_trusted,
OSSL_CMP_CTX_get0_trustedStore,
OSSL_CMP_CTX_set1_untrusted,
OSSL_CMP_CTX_get0_untrusted,
@@ -171,10 +98,12 @@ OSSL_CMP_CTX_set1_secretValue,
OSSL_CMP_CTX_set1_recipient,
OSSL_CMP_CTX_push0_geninfo_ITAV,
OSSL_CMP_CTX_reset_geninfo_ITAVs,
+OSSL_CMP_CTX_get0_geninfo_ITAVs,
OSSL_CMP_CTX_set1_extraCertsOut,
OSSL_CMP_CTX_set0_newPkey,
OSSL_CMP_CTX_get0_newPkey,
OSSL_CMP_CTX_set1_issuer,
+OSSL_CMP_CTX_set1_serialNumber,
OSSL_CMP_CTX_set1_subjectName,
OSSL_CMP_CTX_push1_subjectAltName,
OSSL_CMP_CTX_set0_reqExtensions,
@@ -191,6 +120,7 @@ OSSL_CMP_CTX_get_certConf_cb_arg,
OSSL_CMP_CTX_get_status,
OSSL_CMP_CTX_get0_statusString,
OSSL_CMP_CTX_get_failInfoCode,
+OSSL_CMP_CTX_get0_validatedSrvCert,
OSSL_CMP_CTX_get0_newCert,
OSSL_CMP_CTX_get1_newChain,
OSSL_CMP_CTX_get1_caPubs,
@@ -198,7 +128,7 @@ OSSL_CMP_CTX_get1_extraCertsIn,
OSSL_CMP_CTX_set1_transactionID,
OSSL_CMP_CTX_set1_senderNonce
\&\- functions for managing the CMP client context data structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
@@ -206,6 +136,8 @@ OSSL_CMP_CTX_set1_senderNonce
\& OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq);
\& void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
\& int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
+\& OSSL_LIB_CTX *OSSL_CMP_CTX_get0_libctx(const OSSL_CMP_CTX *ctx);
+\& const char *OSSL_CMP_CTX_get0_propq(const OSSL_CMP_CTX *ctx);
\& int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
\& int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
\&
@@ -233,8 +165,10 @@ OSSL_CMP_CTX_set1_senderNonce
\& /* server authentication: */
\& int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
\& int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx,
-\& const X509_NAME *name);
+\& const X509_NAME *name);
+\& #define OSSL_CMP_CTX_set0_trusted OSSL_CMP_CTX_set0_trustedStore
\& int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
+\& #define OSSL_CMP_CTX_get0_trusted OSSL_CMP_CTX_get0_trustedStore
\& X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
\& int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
\& STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
@@ -253,6 +187,8 @@ OSSL_CMP_CTX_set1_senderNonce
\& int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
\& int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
\& int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx);
+\& STACK_OF(OSSL_CMP_ITAV)
+\& *OSSL_CMP_CTX_get0_geninfo_ITAVs(const OSSL_CMP_CTX *ctx);
\& int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
\& STACK_OF(X509) *extraCertsOut);
\&
@@ -260,6 +196,7 @@ OSSL_CMP_CTX_set1_senderNonce
\& int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
\& EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
\& int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+\& int OSSL_CMP_CTX_set1_serialNumber(OSSL_CMP_CTX *ctx, const ASN1_INTEGER *sn);
\& int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
\& int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
\& const GENERAL_NAME *name);
@@ -286,6 +223,7 @@ OSSL_CMP_CTX_set1_senderNonce
\& OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
\& int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
\&
+\& X509 *OSSL_CMP_CTX_get0_validatedSrvCert(const OSSL_CMP_CTX *ctx);
\& X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
\& STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx);
\& STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
@@ -297,238 +235,236 @@ OSSL_CMP_CTX_set1_senderNonce
\& int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
\& const ASN1_OCTET_STRING *nonce);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This is the context \s-1API\s0 for using \s-1CMP\s0 (Certificate Management Protocol) with
+This is the context API for using CMP (Certificate Management Protocol) with
OpenSSL.
.PP
-\&\fBOSSL_CMP_CTX_new()\fR allocates an \fB\s-1OSSL_CMP_CTX\s0\fR structure associated with
+\&\fBOSSL_CMP_CTX_new()\fR allocates an \fBOSSL_CMP_CTX\fR structure associated with
the library context \fIlibctx\fR and property query string \fIpropq\fR,
-both of which may be \s-1NULL\s0 to select the defaults.
+both of which may be NULL to select the defaults.
It initializes the remaining fields to their default values \- for instance,
-the logging verbosity is set to \s-1OSSL_CMP_LOG_INFO,\s0
+the logging verbosity is set to OSSL_CMP_LOG_INFO,
the message timeout is set to 120 seconds,
-and the proof-of-possession method is set to \s-1OSSL_CRMF_POPO_SIGNATURE.\s0
+and the proof-of-possession method is set to OSSL_CRMF_POPO_SIGNATURE.
.PP
-\&\fBOSSL_CMP_CTX_free()\fR deallocates an \s-1OSSL_CMP_CTX\s0 structure.
+\&\fBOSSL_CMP_CTX_free()\fR deallocates an OSSL_CMP_CTX structure.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_CMP_CTX_reinit()\fR prepares the given \fIctx\fR for a further transaction by
-clearing the internal \s-1CMP\s0 transaction (aka session) status, PKIStatusInfo,
+clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
and any previous results (newCert, newChain, caPubs, and extraCertsIn)
from the last executed transaction.
It also clears any ITAVs that were added by \fBOSSL_CMP_CTX_push0_genm_ITAV()\fR.
-All other field values (i.e., \s-1CMP\s0 options) are retained for potential reuse.
+All other field values (i.e., CMP options) are retained for potential reuse.
+.PP
+\&\fBOSSL_CMP_CTX_get0_libctx()\fR returns the \fIlibctx\fR argument that was used
+when constructing \fIctx\fR with \fBOSSL_CMP_CTX_new()\fR, which may be NULL.
+.PP
+\&\fBOSSL_CMP_CTX_get0_propq()\fR returns the \fIpropq\fR argument that was used
+when constructing \fIctx\fR with \fBOSSL_CMP_CTX_new()\fR, which may be NULL.
.PP
\&\fBOSSL_CMP_CTX_set_option()\fR sets the given value for the given option
-(e.g., \s-1OSSL_CMP_OPT_IMPLICIT_CONFIRM\s0) in the given \s-1OSSL_CMP_CTX\s0 structure.
+(e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) in the given OSSL_CMP_CTX structure.
.PP
The following options can be set:
-.IP "\fB\s-1OSSL_CMP_OPT_LOG_VERBOSITY\s0\fR" 4
+.IP \fBOSSL_CMP_OPT_LOG_VERBOSITY\fR 4
.IX Item "OSSL_CMP_OPT_LOG_VERBOSITY"
-.Vb 3
-\& The level of severity needed for actually outputting log messages
-\& due to errors, warnings, general info, debugging, etc.
-\& Default is OSSL_CMP_LOG_INFO. See also L<OSSL_CMP_log_open(3)>.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_KEEP_ALIVE\s0\fR" 4
+The level of severity needed for actually outputting log messages
+due to errors, warnings, general info, debugging, etc.
+Default is OSSL_CMP_LOG_INFO. See also \fBOSSL_CMP_log_open\fR\|(3).
+.IP \fBOSSL_CMP_OPT_KEEP_ALIVE\fR 4
.IX Item "OSSL_CMP_OPT_KEEP_ALIVE"
-.Vb 6
-\& If the given value is 0 then HTTP connections are not kept open
-\& after receiving a response, which is the default behavior for HTTP 1.0.
-\& If the value is 1 or 2 then persistent connections are requested.
-\& If the value is 2 then persistent connections are required,
-\& i.e., in case the server does not grant them an error occurs.
-\& The default value is 1: prefer to keep the connection open.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_MSG_TIMEOUT\s0\fR" 4
+If the given value is 0 then HTTP connections are not kept open
+after receiving a response, which is the default behavior for HTTP 1.0.
+If the value is 1 or 2 then persistent connections are requested.
+If the value is 2 then persistent connections are required,
+i.e., in case the server does not grant them an error occurs.
+The default value is 1: prefer to keep the connection open.
+.IP \fBOSSL_CMP_OPT_MSG_TIMEOUT\fR 4
.IX Item "OSSL_CMP_OPT_MSG_TIMEOUT"
-.Vb 4
-\& Number of seconds a CMP request\-response message round trip
-\& is allowed to take before a timeout error is returned.
-\& A value <= 0 means no limitation (waiting indefinitely).
-\& Default is to use the B<OSSL_CMP_OPT_TOTAL_TIMEOUT> setting.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_TOTAL_TIMEOUT\s0\fR" 4
+Number of seconds a CMP request-response message round trip
+is allowed to take before a timeout error is returned.
+A value <= 0 means no limitation (waiting indefinitely).
+Default is to use the \fBOSSL_CMP_OPT_TOTAL_TIMEOUT\fR setting.
+.IP \fBOSSL_CMP_OPT_TOTAL_TIMEOUT\fR 4
.IX Item "OSSL_CMP_OPT_TOTAL_TIMEOUT"
-.Vb 4
-\& Maximum total number of seconds a transaction may take,
-\& including polling etc.
-\& A value <= 0 means no limitation (waiting indefinitely).
-\& Default is 0.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_VALIDITY_DAYS\s0\fR" 4
+Maximum total number of seconds a transaction may take,
+including polling etc.
+A value <= 0 means no limitation (waiting indefinitely).
+Default is 0.
+.IP \fBOSSL_CMP_OPT_USE_TLS\fR 4
+.IX Item "OSSL_CMP_OPT_USE_TLS"
+Use this option to indicate to the HTTP implementation
+whether TLS is going to be used for the connection (resulting in HTTPS).
+The value 1 indicates that TLS is used for client-side HTTP connections,
+which needs to be implemented via a callback function set by
+\&\fBOSSL_CMP_CTX_set_http_cb()\fR.
+The value 0 indicates that TLS is not used.
+Default is \-1 for backward compatibility: TLS is used by the client side
+if and only if \fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets a non-NULL \fIarg\fR.
+.IP \fBOSSL_CMP_OPT_VALIDITY_DAYS\fR 4
.IX Item "OSSL_CMP_OPT_VALIDITY_DAYS"
-.Vb 1
-\& Number of days new certificates are asked to be valid for.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT\s0\fR" 4
+Number of days new certificates are asked to be valid for.
+.IP \fBOSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT\fR 4
.IX Item "OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT"
-.Vb 2
-\& Do not take default Subject Alternative Names
-\& from the reference certificate.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL\s0\fR" 4
+Do not take default Subject Alternative Names
+from the reference certificate.
+.IP \fBOSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL\fR 4
.IX Item "OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL"
-.Vb 1
-\& Demand that the given Subject Alternative Names are flagged as critical.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_POLICIES_CRITICAL\s0\fR" 4
+Demand that the given Subject Alternative Names are flagged as critical.
+.IP \fBOSSL_CMP_OPT_POLICIES_CRITICAL\fR 4
.IX Item "OSSL_CMP_OPT_POLICIES_CRITICAL"
-.Vb 1
-\& Demand that the given policies are flagged as critical.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_POPO_METHOD\s0\fR" 4
+Demand that the given policies are flagged as critical.
+.IP \fBOSSL_CMP_OPT_POPO_METHOD\fR 4
.IX Item "OSSL_CMP_OPT_POPO_METHOD"
-.Vb 1
-\& Select the proof of possession method to use. Possible values are:
-\&
-\& OSSL_CRMF_POPO_NONE \- ProofOfPossession field omitted
-\& OSSL_CRMF_POPO_RAVERIFIED \- assert that the RA has already
-\& verified the PoPo
-\& OSSL_CRMF_POPO_SIGNATURE \- sign a value with private key,
-\& which is the default.
-\& OSSL_CRMF_POPO_KEYENC \- decrypt the encrypted certificate
-\& ("indirect method")
-\&
-\& Note that a signature\-based POPO can only be produced if a private key
-\& is provided as the newPkey or client\*(Aqs pkey component of the CMP context.
+Select the proof of possession method to use. Possible values are:
+.Sp
+.Vb 8
+\& OSSL_CRMF_POPO_NONE \- ProofOfPossession field omitted,
+\& which implies central key generation
+\& OSSL_CRMF_POPO_RAVERIFIED \- assert that the RA has already
+\& verified the PoPo
+\& OSSL_CRMF_POPO_SIGNATURE \- sign a value with private key,
+\& which is the default.
+\& OSSL_CRMF_POPO_KEYENC \- decrypt the encrypted certificate
+\& ("indirect method")
.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_DIGEST_ALGNID\s0\fR" 4
+.Sp
+Note that a signature-based POPO can only be produced if a private key
+is provided as the newPkey or client's pkey component of the CMP context.
+.IP \fBOSSL_CMP_OPT_DIGEST_ALGNID\fR 4
.IX Item "OSSL_CMP_OPT_DIGEST_ALGNID"
-.Vb 3
-\& The NID of the digest algorithm to be used in RFC 4210\*(Aqs MSG_SIG_ALG
-\& for signature\-based message protection and Proof\-of\-Possession (POPO).
-\& Default is SHA256.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_OWF_ALGNID\s0\fR The \s-1NID\s0 of the digest algorithm to be used as one-way function (\s-1OWF\s0) for MAC-based message protection with password-based \s-1MAC\s0 (\s-1PBM\s0). See \s-1RFC 4210\s0 section 5.1.3.1 for details. Default is \s-1SHA256.\s0" 4
+The NID of the digest algorithm to be used in RFC 4210's MSG_SIG_ALG
+for signature-based message protection and Proof-of-Possession (POPO).
+Default is SHA256.
+.IP "\fBOSSL_CMP_OPT_OWF_ALGNID\fR The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 4210 section 5.1.3.1 for details. Default is SHA256." 4
.IX Item "OSSL_CMP_OPT_OWF_ALGNID The NID of the digest algorithm to be used as one-way function (OWF) for MAC-based message protection with password-based MAC (PBM). See RFC 4210 section 5.1.3.1 for details. Default is SHA256."
.PD 0
-.IP "\fB\s-1OSSL_CMP_OPT_MAC_ALGNID\s0\fR The \s-1NID\s0 of the \s-1MAC\s0 algorithm to be used for message protection with \s-1PBM.\s0 Default is \s-1HMAC\-SHA1\s0 as per \s-1RFC 4210.\s0" 4
+.IP "\fBOSSL_CMP_OPT_MAC_ALGNID\fR The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC\-SHA1 as per RFC 4210." 4
.IX Item "OSSL_CMP_OPT_MAC_ALGNID The NID of the MAC algorithm to be used for message protection with PBM. Default is HMAC-SHA1 as per RFC 4210."
-.IP "\fB\s-1OSSL_CMP_OPT_REVOCATION_REASON\s0\fR" 4
+.IP \fBOSSL_CMP_OPT_REVOCATION_REASON\fR 4
.IX Item "OSSL_CMP_OPT_REVOCATION_REASON"
.PD
-.Vb 2
-\& The reason code to be included in a Revocation Request (RR);
-\& values: 0..10 (RFC 5210, 5.3.1) or \-1 for none, which is the default.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_IMPLICIT_CONFIRM\s0\fR" 4
+The reason code to be included in a Revocation Request (RR);
+values: 0..10 (RFC 5210, 5.3.1) or \-1 for none, which is the default.
+.IP \fBOSSL_CMP_OPT_IMPLICIT_CONFIRM\fR 4
.IX Item "OSSL_CMP_OPT_IMPLICIT_CONFIRM"
-.Vb 4
-\& Request server to enable implicit confirm mode, where the client
-\& does not need to send confirmation upon receiving the
-\& certificate. If the server does not enable implicit confirmation
-\& in the return message, then confirmation is sent anyway.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_DISABLE_CONFIRM\s0\fR" 4
+Request server to enable implicit confirm mode, where the client
+does not need to send confirmation upon receiving the
+certificate. If the server does not enable implicit confirmation
+in the return message, then confirmation is sent anyway.
+.IP \fBOSSL_CMP_OPT_DISABLE_CONFIRM\fR 4
.IX Item "OSSL_CMP_OPT_DISABLE_CONFIRM"
-.Vb 5
-\& Do not confirm enrolled certificates, to cope with broken servers
-\& not supporting implicit confirmation correctly.
-\&B<WARNING:> This setting leads to unspecified behavior and it is meant
-\&exclusively to allow interoperability with server implementations violating
-\&RFC 4210.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_UNPROTECTED_SEND\s0\fR" 4
+Do not confirm enrolled certificates, to cope with broken servers
+not supporting implicit confirmation correctly.
+\&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant
+exclusively to allow interoperability with server implementations violating
+RFC 4210.
+.IP \fBOSSL_CMP_OPT_UNPROTECTED_SEND\fR 4
.IX Item "OSSL_CMP_OPT_UNPROTECTED_SEND"
-.Vb 1
-\& Send request or response messages without CMP\-level protection.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_UNPROTECTED_ERRORS\s0\fR" 4
+Send request or response messages without CMP-level protection.
+.IP \fBOSSL_CMP_OPT_UNPROTECTED_ERRORS\fR 4
.IX Item "OSSL_CMP_OPT_UNPROTECTED_ERRORS"
-.Vb 7
-\& Accept unprotected error responses which are either explicitly
-\& unprotected or where protection verification failed. Applies to regular
-\& error messages as well as certificate responses (IP/CP/KUP) and
-\& revocation responses (RP) with rejection.
-\&B<WARNING:> This setting leads to unspecified behavior and it is meant
-\&exclusively to allow interoperability with server implementations violating
-\&RFC 4210.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_IGNORE_KEYUSAGE\s0\fR" 4
+Accept unprotected error responses which are either explicitly
+unprotected or where protection verification failed. Applies to regular
+error messages as well as certificate responses (IP/CP/KUP) and
+revocation responses (RP) with rejection.
+\&\fBWARNING:\fR This setting leads to unspecified behavior and it is meant
+exclusively to allow interoperability with server implementations violating
+RFC 4210.
+.IP \fBOSSL_CMP_OPT_IGNORE_KEYUSAGE\fR 4
.IX Item "OSSL_CMP_OPT_IGNORE_KEYUSAGE"
-.Vb 3
-\& Ignore key usage restrictions in the signer\*(Aqs certificate when
-\& validating signature\-based protection in received CMP messages.
-\& Else, \*(AqdigitalSignature\*(Aq must be allowed by CMP signer certificates.
-.Ve
-.IP "\fB\s-1OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\s0\fR" 4
+Ignore key usage restrictions in the signer's certificate when
+validating signature-based protection in received CMP messages.
+Else, 'digitalSignature' must be allowed by CMP signer certificates.
+.IP \fBOSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\fR 4
.IX Item "OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR"
-.Vb 2
-\& Allow retrieving a trust anchor from extraCerts and using that
-\& to validate the certificate chain of an IP message.
-.Ve
+Allow retrieving a trust anchor from extraCerts and using that
+to validate the certificate chain of an IP message.
+This is a quirk option added to support 3GPP TS 33.310.
+.Sp
+Note that using this option is dangerous as the certificate obtained
+this way has not been authenticated (at least not at CMP level).
+Taking it over as a trust anchor implements trust-on-first-use (TOFU).
+.IP \fBOSSL_CMP_OPT_NO_CACHE_EXTRACERTS\fR 4
+.IX Item "OSSL_CMP_OPT_NO_CACHE_EXTRACERTS"
+Do not cache certificates received in the extraCerts CMP message field.
+Otherwise they are stored to potentially help validate further messages.
.PP
\&\fBOSSL_CMP_CTX_get_option()\fR reads the current value of the given option
-(e.g., \s-1OSSL_CMP_OPT_IMPLICIT_CONFIRM\s0) from the given \s-1OSSL_CMP_CTX\s0 structure.
+(e.g., OSSL_CMP_OPT_IMPLICIT_CONFIRM) from the given OSSL_CMP_CTX structure.
.PP
\&\fBOSSL_CMP_CTX_set_log_cb()\fR sets in \fIctx\fR the callback function \fIcb\fR
for handling error queue entries and logging messages.
-When \fIcb\fR is \s-1NULL\s0 errors are printed to \s-1STDERR\s0 (if available, else ignored)
+When \fIcb\fR is NULL errors are printed to STDERR (if available, else ignored)
any log messages are ignored.
-Alternatively, \fBOSSL_CMP_log_open\fR\|(3) may be used to direct logging to \s-1STDOUT.\s0
+Alternatively, \fBOSSL_CMP_log_open\fR\|(3) may be used to direct logging to STDOUT.
.PP
\&\fBOSSL_CMP_CTX_set_log_verbosity()\fR is a macro setting the
-\&\s-1OSSL_CMP_OPT_LOG_VERBOSITY\s0 context option to the given level.
+OSSL_CMP_OPT_LOG_VERBOSITY context option to the given level.
.PP
\&\fBOSSL_CMP_CTX_print_errors()\fR outputs any entries in the OpenSSL error queue. It
-is similar to \fBERR_print_errors_cb\fR\|(3) but uses the \s-1CMP\s0 log callback function
-if set in the \fIctx\fR for uniformity with \s-1CMP\s0 logging if given. Otherwise it uses
-\&\fBERR_print_errors\fR\|(3) to print to \s-1STDERR\s0 (unless \s-1OPENSSL_NO_STDIO\s0 is defined).
+is similar to \fBERR_print_errors_cb\fR\|(3) but uses the CMP log callback function
+if set in the \fIctx\fR for uniformity with CMP logging if given. Otherwise it uses
+\&\fBERR_print_errors\fR\|(3) to print to STDERR (unless OPENSSL_NO_STDIO is defined).
.PP
-\&\fBOSSL_CMP_CTX_set1_serverPath()\fR sets the \s-1HTTP\s0 path of the \s-1CMP\s0 server on the host,
-also known as \*(L"\s-1CMP\s0 alias\*(R".
+\&\fBOSSL_CMP_CTX_set1_serverPath()\fR sets the HTTP path of the CMP server on the host,
+also known as "CMP alias".
The default is \f(CW\*(C`/\*(C'\fR.
.PP
\&\fBOSSL_CMP_CTX_set1_server()\fR sets the given server \fIaddress\fR
-(which may be a hostname or \s-1IP\s0 address or \s-1NULL\s0) in the given \fIctx\fR.
+(which may be a hostname or IP address or NULL) in the given \fIctx\fR.
+If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non-NULL argument,
+this server address information is used for diagnostic output only.
.PP
-\&\fBOSSL_CMP_CTX_set_serverPort()\fR sets the port of the \s-1CMP\s0 server to connect to.
+\&\fBOSSL_CMP_CTX_set_serverPort()\fR sets the port of the CMP server to connect to.
If not used or the \fIport\fR argument is 0
-the default port applies, which is 80 for \s-1HTTP\s0 and 443 for \s-1HTTPS.\s0
+the default port applies, which is 80 for HTTP and 443 for HTTPS.
+If \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR sets a non-NULL argument,
+this server port information is used for diagnostic output only.
.PP
-\&\fBOSSL_CMP_CTX_set1_proxy()\fR sets the \s-1HTTP\s0 proxy to be used for connecting to
-the given \s-1CMP\s0 server unless overruled by any \*(L"no_proxy\*(R" settings (see below).
-If \s-1TLS\s0 is not used this defaults to the value of
+\&\fBOSSL_CMP_CTX_set1_proxy()\fR sets the HTTP proxy to be used for connecting to
+the given CMP server unless overruled by any "no_proxy" settings (see below).
+If TLS is not used this defaults to the value of
the environment variable \f(CW\*(C`http_proxy\*(C'\fR if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR.
Otherwise defaults to the value of \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
An empty proxy string specifies not to use a proxy.
-Else the format is \f(CW\*(C`[http[s]://]address[:port][/path]\*(C'\fR,
-where any path given is ignored.
+Otherwise the format is
+\&\f(CW\*(C`[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\*(C'\fR,
+where any given userinfo, path, query, and fragment is ignored.
+If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
The default port number is 80, or 443 in case \f(CW\*(C`https:\*(C'\fR is given.
.PP
\&\fBOSSL_CMP_CTX_set1_no_proxy()\fR sets the list of server hostnames not to use
-an \s-1HTTP\s0 proxy for. The names may be separated by commas and/or whitespace.
+an HTTP proxy for. The names may be separated by commas and/or whitespace.
Defaults to the environment variable \f(CW\*(C`no_proxy\*(C'\fR if set, else \f(CW\*(C`NO_PROXY\*(C'\fR.
.PP
-\&\fBOSSL_CMP_CTX_set_http_cb()\fR sets the optional \s-1BIO\s0 connect/disconnect callback
+\&\fBOSSL_CMP_CTX_set_http_cb()\fR sets the optional BIO connect/disconnect callback
function, which has the prototype
.PP
.Vb 1
-\& typedef BIO *(*HTTP_bio_cb_t) (BIO *bio, void *ctx, int connect, int detail);
+\& typedef BIO *(*HTTP_bio_cb_t) (BIO *bio, void *arg, int connect, int detail);
.Ve
.PP
-The callback may modify the \fIbio\fR provided by \fBOSSL_CMP_MSG_http_perform\fR\|(3),
-whereby it may make use of a custom defined argument \fIctx\fR
-stored in the \s-1OSSL_CMP_CTX\s0 by means of \fBOSSL_CMP_CTX_set_http_cb_arg()\fR.
-During connection establishment, just after calling \fBBIO_do_connect_retry()\fR,
-the function is invoked with the \fIconnect\fR argument being 1 and the \fIdetail\fR
-argument being 1 if \s-1HTTPS\s0 is requested, i.e., \s-1SSL/TLS\s0 should be enabled. On
-disconnect \fIconnect\fR is 0 and \fIdetail\fR is 1 in case no error occurred, else 0.
-For instance, on connect the function may prepend a \s-1TLS BIO\s0 to implement \s-1HTTPS\s0;
-after disconnect it may do some diagnostic output and/or specific cleanup.
-The function should return \s-1NULL\s0 to indicate failure.
-After disconnect the modified \s-1BIO\s0 will be deallocated using \fBBIO_free_all()\fR.
-.PP
-\&\fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets an argument, respectively a pointer to
-a structure containing arguments,
+The callback may modify the \fIbio\fR provided by \fBOSSL_CMP_MSG_http_perform\fR\|(3)
+as described for the \fIbio_update_fn\fR parameter of \fBOSSL_HTTP_open\fR\|(3).
+The callback may make use of a custom defined argument \fIarg\fR,
+as described for the \fIarg\fR parameter of \fBOSSL_HTTP_open\fR\|(3).
+The argument is stored in the OSSL_CMP_CTX using \fBOSSL_CMP_CTX_set_http_cb_arg()\fR.
+See also the \fBOSSL_CMP_OPT_USE_TLS\fR option described above.
+.PP
+\&\fBOSSL_CMP_CTX_set_http_cb_arg()\fR sets the argument, respectively a pointer to
+a structure containing arguments such as an \fBSSL_CTX\fR structure,
optionally to be used by the http connect/disconnect callback function.
\&\fIarg\fR is not consumed, and it must therefore explicitly be freed when not
-needed any more. \fIarg\fR may be \s-1NULL\s0 to clear the entry.
+needed any more. \fIarg\fR may be NULL to clear the entry.
+If a non-NULL argument is set, it is an error to use \fBOSSL_CMP_CTX_set1_proxy()\fR
+or \fBOSSL_CMP_CTX_set1_no_proxy()\fR for setting non-NULL strings.
.PP
\&\fBOSSL_CMP_CTX_get_http_cb_arg()\fR gets the argument, respectively the pointer to a
structure containing arguments, previously set by
-\&\fBOSSL_CMP_CTX_set_http_cb_arg()\fR or \s-1NULL\s0 if unset.
+\&\fBOSSL_CMP_CTX_set_http_cb_arg()\fR or NULL if unset.
.PP
\&\fBOSSL_CMP_CTX_set_transfer_cb()\fR sets the message transfer callback function,
which has the type
@@ -538,11 +474,9 @@ which has the type
\& const OSSL_CMP_MSG *req);
.Ve
.PP
-Returns 1 on success, 0 on error.
-.PP
-Default is \s-1NULL,\s0 which implies the use of \fBOSSL_CMP_MSG_http_perform\fR\|(3).
-The callback should send the \s-1CMP\s0 request message it obtains via the \fIreq\fR
-parameter and on success return the response, else it must return \s-1NULL.\s0
+Default is NULL, which implies the use of \fBOSSL_CMP_MSG_http_perform\fR\|(3).
+The callback should send the CMP request message it obtains via the \fIreq\fR
+parameter and on success return the response, else it must return NULL.
The transfer callback may make use of a custom defined argument stored in
the ctx by means of \fBOSSL_CMP_CTX_set_transfer_cb_arg()\fR, which may be retrieved
again through \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR.
@@ -550,165 +484,178 @@ again through \fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR.
\&\fBOSSL_CMP_CTX_set_transfer_cb_arg()\fR sets an argument, respectively a pointer to a
structure containing arguments, optionally to be used by the transfer callback.
\&\fIarg\fR is not consumed, and it must therefore explicitly be freed when not
-needed any more. \fIarg\fR may be \s-1NULL\s0 to clear the entry.
+needed any more. \fIarg\fR may be NULL to clear the entry.
.PP
\&\fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR gets the argument, respectively the pointer
to a structure containing arguments, previously set by
-\&\fBOSSL_CMP_CTX_set_transfer_cb_arg()\fR or \s-1NULL\s0 if unset.
+\&\fBOSSL_CMP_CTX_set_transfer_cb_arg()\fR or NULL if unset.
.PP
\&\fBOSSL_CMP_CTX_set1_srvCert()\fR sets the expected server cert in \fIctx\fR and trusts
it directly (even if it is expired) when verifying signed response messages.
-This pins the accepted \s-1CMP\s0 server and
-results in ignoring whatever may be set using \fBOSSL_CMP_CTX_set0_trustedStore()\fR.
+This pins the accepted CMP server
+and results in ignoring whatever may be set using \fBOSSL_CMP_CTX_set0_trusted()\fR.
Any previously set value is freed.
-The \fIcert\fR argument may be \s-1NULL\s0 to clear the entry.
+The \fIcert\fR argument may be NULL to clear the entry.
If set, the subject of the certificate is also used
-as default value for the recipient of \s-1CMP\s0 requests
-and as default value for the expected sender of \s-1CMP\s0 responses.
+as default value for the recipient of CMP requests
+and as default value for the expected sender of CMP responses.
.PP
-\&\fBOSSL_CMP_CTX_set1_expected_sender()\fR sets the Distinguished Name (\s-1DN\s0)
-expected in the sender field of incoming \s-1CMP\s0 messages.
+\&\fBOSSL_CMP_CTX_set1_expected_sender()\fR sets the Distinguished Name (DN)
+expected in the sender field of incoming CMP messages.
Defaults to the subject of the pinned server certificate, if any.
This can be used to make sure that only a particular entity is accepted as
-\&\s-1CMP\s0 message signer, and attackers are not able to use arbitrary certificates
-of a trusted \s-1PKI\s0 hierarchy to fraudulently pose as \s-1CMP\s0 server.
+CMP message signer, and attackers are not able to use arbitrary certificates
+of a trusted PKI hierarchy to fraudulently pose as CMP server.
Note that this gives slightly more freedom than \fBOSSL_CMP_CTX_set1_srvCert()\fR,
which pins the server to the holder of a particular certificate, while the
expected sender name will continue to match after updates of the server cert.
.PP
-\&\fBOSSL_CMP_CTX_set0_trustedStore()\fR
-sets in the \s-1CMP\s0 context \fIctx\fR the certificate store of type X509_STORE
+\&\fBOSSL_CMP_CTX_set0_trusted()\fR is an alias of the original
+\&\fBOSSL_CMP_CTX_set0_trustedStore()\fR.
+It sets in the CMP context \fIctx\fR the certificate store of type X509_STORE
containing trusted certificates, typically of root CAs.
This is ignored when a certificate is pinned using \fBOSSL_CMP_CTX_set1_srvCert()\fR.
The store may also hold CRLs and a certificate verification callback function
used for signature-based peer authentication.
Any store entry already set before is freed.
-When given a \s-1NULL\s0 parameter the entry is cleared.
+When given a NULL parameter the entry is cleared.
.PP
-\&\fBOSSL_CMP_CTX_get0_trustedStore()\fR
-extracts from the \s-1CMP\s0 context \fIctx\fR the pointer to the currently set
+\&\fBOSSL_CMP_CTX_get0_trusted()\fR is an alias of the original
+\&\fBOSSL_CMP_CTX_get0_trustedStore()\fR.
+It extracts from the CMP context \fIctx\fR the pointer to the currently set
certificate store containing trust anchors etc., or an empty store if unset.
.PP
\&\fBOSSL_CMP_CTX_set1_untrusted()\fR sets up a list of non-trusted certificates
-of intermediate CAs that may be useful for path construction for the own \s-1CMP\s0
-signer certificate, for the own \s-1TLS\s0 certificate (if any), when verifying peer
-\&\s-1CMP\s0 protection certificates, and when verifying newly enrolled certificates.
+of intermediate CAs that may be useful for path construction for the own CMP
+signer certificate, for the own TLS certificate (if any), when verifying peer
+CMP protection certificates, and when verifying newly enrolled certificates.
The reference counts of those certificates handled successfully are increased.
+This list of untrusted certificates in \fIctx\fR will get augmented by extraCerts
+in received CMP messages unless \fBOSSL_CMP_OPT_NO_CACHE_EXTRACERTS\fR is set.
.PP
-OSSL_CMP_CTX_get0_untrusted(\s-1OSSL_CMP_CTX\s0 *ctx) returns a pointer to the
-list of untrusted certs, which may be empty if unset.
+\&\fBOSSL_CMP_CTX_get0_untrusted()\fR returns a pointer to the
+list of untrusted certs in \fIctx\fR, which may be empty if unset.
.PP
-\&\fBOSSL_CMP_CTX_set1_cert()\fR sets the \s-1CMP\s0 signer certificate, also called protection
-certificate, related to the private key for signature-based message protection.
+\&\fBOSSL_CMP_CTX_set1_cert()\fR sets the CMP \fIsigner certificate\fR,
+also called \fIprotection certificate\fR,
+related to the private key used for signature-based CMP message protection.
Therefore the public key of this \fIcert\fR must correspond to
the private key set before or thereafter via \fBOSSL_CMP_CTX_set1_pkey()\fR.
-When using signature-based protection of \s-1CMP\s0 request messages
-this \s-1CMP\s0 signer certificate will be included first in the extraCerts field.
+When using signature-based protection of CMP request messages
+this CMP signer certificate will be included first in the extraCerts field.
It serves as fallback reference certificate, see \fBOSSL_CMP_CTX_set1_oldCert()\fR.
The subject of this \fIcert\fR will be used as the sender field of outgoing
-messages, while the subject of any cert set via \fBOSSL_CMP_CTX_set1_oldCert()\fR
+messages, while the subject of any cert set via \fBOSSL_CMP_CTX_set1_oldCert()\fR,
+the subject of any PKCS#10 CSR set via \fBOSSL_CMP_CTX_set1_p10CSR()\fR,
and any value set via \fBOSSL_CMP_CTX_set1_subjectName()\fR are used as fallback.
.PP
-The \fIcert\fR argument may be \s-1NULL\s0 to clear the entry.
+The \fIcert\fR argument may be NULL to clear the entry.
.PP
-\&\fBOSSL_CMP_CTX_build_cert_chain()\fR builds a certificate chain for the \s-1CMP\s0 signer
+\&\fBOSSL_CMP_CTX_build_cert_chain()\fR builds a certificate chain for the CMP signer
certificate previously set in the \fIctx\fR. It adds the optional \fIcandidates\fR,
-a list of intermediate \s-1CA\s0 certs that may already constitute the targeted chain,
+a list of intermediate CA certs that may already constitute the targeted chain,
to the untrusted certs that may already exist in the \fIctx\fR.
Then the function uses this augmented set of certs for chain construction.
-If \fIown_trusted\fR is \s-1NULL\s0 it builds the chain as far down as possible and
-ignores any verification errors. Else the \s-1CMP\s0 signer certificate must be
+If \fIown_trusted\fR is NULL it builds the chain as far down as possible and
+ignores any verification errors. Else the CMP signer certificate must be
verifiable where the chain reaches a trust anchor contained in \fIown_trusted\fR.
On success the function stores the resulting chain in \fIctx\fR
for inclusion in the extraCerts field of signature-protected messages.
Calling this function is optional; by default a chain construction
is performed on demand that is equivalent to calling this function
-with the \fIcandidates\fR and \fIown_trusted\fR arguments being \s-1NULL.\s0
+with the \fIcandidates\fR and \fIown_trusted\fR arguments being NULL.
.PP
\&\fBOSSL_CMP_CTX_set1_pkey()\fR sets the client's private key corresponding to the
-\&\s-1CMP\s0 signer certificate set via \fBOSSL_CMP_CTX_set1_cert()\fR.
-This key is used create signature-based protection (protectionAlg = \s-1MSG_SIG_ALG\s0)
+CMP signer certificate set via \fBOSSL_CMP_CTX_set1_cert()\fR.
+This key is used create signature-based protection (protectionAlg = MSG_SIG_ALG)
of outgoing messages
unless a symmetric secret has been set via \fBOSSL_CMP_CTX_set1_secretValue()\fR.
-The \fIpkey\fR argument may be \s-1NULL\s0 to clear the entry.
+The \fIpkey\fR argument may be NULL to clear the entry.
.PP
\&\fBOSSL_CMP_CTX_set1_secretValue()\fR sets in \fIctx\fR the byte string \fIsec\fR of length
-\&\fIlen\fR to use as pre-shared secret, or clears it if the \fIsec\fR argument is \s-1NULL.\s0
+\&\fIlen\fR to use as pre-shared secret, or clears it if the \fIsec\fR argument is NULL.
If present, this secret is used to create MAC-based authentication and integrity
protection (rather than applying signature-based protection)
of outgoing messages and to verify authenticity and integrity of incoming
messages that have MAC-based protection (protectionAlg = \f(CW\*(C`MSG_MAC_ALG\*(C'\fR).
.PP
\&\fBOSSL_CMP_CTX_set1_referenceValue()\fR sets the given referenceValue \fIref\fR with
-length \fIlen\fR in the given \fIctx\fR or clears it if the \fIref\fR argument is \s-1NULL.\s0
-According to \s-1RFC 4210\s0 section 5.1.1, if no value for the sender field in
-\&\s-1CMP\s0 message headers can be determined (i.e., no \s-1CMP\s0 signer certificate
-and no subject \s-1DN\s0 is set via \fBOSSL_CMP_CTX_set1_subjectName()\fR
+length \fIlen\fR in the given \fIctx\fR or clears it if the \fIref\fR argument is NULL.
+According to RFC 4210 section 5.1.1, if no value for the sender field in
+CMP message headers can be determined (i.e., no CMP signer certificate
+and no subject DN is set via \fBOSSL_CMP_CTX_set1_subjectName()\fR
then the sender field will contain the NULL-DN
-and the senderKID field of the \s-1CMP\s0 message header must be set.
+and the senderKID field of the CMP message header must be set.
When signature-based protection is used the senderKID will be set to
-the subjectKeyIdentifier of the \s-1CMP\s0 signer certificate as far as present.
+the subjectKeyIdentifier of the CMP signer certificate as far as present.
If not present or when MAC-based protection is used
the \fIref\fR value is taken as the fallback value for the senderKID.
.PP
\&\fBOSSL_CMP_CTX_set1_recipient()\fR sets the recipient name that will be used in the
-PKIHeader of \s-1CMP\s0 request messages, i.e. the X509 name of the (\s-1CA\s0) server.
+PKIHeader of CMP request messages, i.e. the X509 name of the (CA) server.
.PP
-The recipient field in the header of a \s-1CMP\s0 message is mandatory.
+The recipient field in the header of a CMP message is mandatory.
If not given explicitly the recipient is determined in the following order:
-the subject of the \s-1CMP\s0 server certificate set using \fBOSSL_CMP_CTX_set1_srvCert()\fR,
+the subject of the CMP server certificate set using \fBOSSL_CMP_CTX_set1_srvCert()\fR,
the value set using \fBOSSL_CMP_CTX_set1_issuer()\fR,
the issuer of the certificate set using \fBOSSL_CMP_CTX_set1_oldCert()\fR,
-the issuer of the \s-1CMP\s0 signer certificate,
+the issuer of the CMP signer certificate,
as far as any of those is present, else the NULL-DN as last resort.
.PP
\&\fBOSSL_CMP_CTX_push0_geninfo_ITAV()\fR adds \fIitav\fR to the stack in the \fIctx\fR to be
-added to the GeneralInfo field of the \s-1CMP\s0 PKIMessage header of a request
+added to the generalInfo field of the CMP PKIMessage header of a request
message sent with this context.
.PP
\&\fBOSSL_CMP_CTX_reset_geninfo_ITAVs()\fR
clears any ITAVs that were added by \fBOSSL_CMP_CTX_push0_geninfo_ITAV()\fR.
.PP
+\&\fBOSSL_CMP_CTX_get0_geninfo_ITAVs()\fR returns the list of ITAVs set in \fIctx\fR
+for inclusion in the generalInfo field of the CMP PKIMessage header of requests
+or NULL if not set.
+.PP
\&\fBOSSL_CMP_CTX_set1_extraCertsOut()\fR sets the stack of extraCerts that will be
sent to remote.
.PP
-\&\fBOSSL_CMP_CTX_set0_newPkey()\fR can be used to explicitly set the given \s-1EVP_PKEY\s0
-structure as the private or public key to be certified in the \s-1CMP\s0 context.
+\&\fBOSSL_CMP_CTX_set0_newPkey()\fR can be used to explicitly set the given EVP_PKEY
+structure as the private or public key to be certified in the CMP context.
The \fIpriv\fR parameter must be 0 if and only if the given key is a public key.
.PP
\&\fBOSSL_CMP_CTX_get0_newPkey()\fR gives the key to use for certificate enrollment
-dependent on fields of the \s-1CMP\s0 context structure:
+dependent on fields of the CMP context structure:
the newPkey (which may be a private or public key) if present,
else the public key in the p10CSR if present, else the client's private key.
If the \fIpriv\fR parameter is not 0 and the selected key does not have a
-private component then \s-1NULL\s0 is returned.
+private component then NULL is returned.
.PP
\&\fBOSSL_CMP_CTX_set1_issuer()\fR sets the name of the intended issuer that
-will be set in the CertTemplate, i.e., the X509 name of the \s-1CA\s0 server.
+will be set in the CertTemplate, i.e., the X509 name of the CA server.
+.PP
+\&\fBOSSL_CMP_CTX_set1_serialNumber()\fR sets the serial number optionally used to
+select the certificate to be revoked in Revocation Requests (RR).
.PP
-\&\fBOSSL_CMP_CTX_set1_subjectName()\fR sets the subject \s-1DN\s0 that will be used in
+\&\fBOSSL_CMP_CTX_set1_subjectName()\fR sets the subject DN that will be used in
the CertTemplate structure when requesting a new cert. For Key Update Requests
-(\s-1KUR\s0), it defaults to the subject \s-1DN\s0 of the reference certificate,
+(KUR), it defaults to the subject DN of the reference certificate,
see \fBOSSL_CMP_CTX_set1_oldCert()\fR. This default is used for Initialization
-Requests (\s-1IR\s0) and Certification Requests (\s-1CR\s0) only if no SANs are set.
+Requests (IR) and Certification Requests (CR) only if no SANs are set.
The \fIsubjectName\fR is also used as fallback for the sender field
-of outgoing \s-1CMP\s0 messages if no reference certificate is available.
+of outgoing CMP messages if no reference certificate is available.
.PP
\&\fBOSSL_CMP_CTX_push1_subjectAltName()\fR adds the given X509 name to the list of
alternate names on the certificate template request. This cannot be used if
any Subject Alternative Name extension is set via
\&\fBOSSL_CMP_CTX_set0_reqExtensions()\fR.
-By default, unless \fB\s-1OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT\s0\fR has been set,
+By default, unless \fBOSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT\fR has been set,
the Subject Alternative Names are copied from the reference certificate,
see \fBOSSL_CMP_CTX_set1_oldCert()\fR.
-If set and the subject \s-1DN\s0 is not set with \fBOSSL_CMP_CTX_set1_subjectName()\fR then
-the certificate template of an \s-1IR\s0 and \s-1CR\s0 will not be filled with the default
-subject \s-1DN\s0 from the reference certificate.
-If a subject \s-1DN\s0 is desired it needs to be set explicitly with
+If set and the subject DN is not set with \fBOSSL_CMP_CTX_set1_subjectName()\fR then
+the certificate template of an IR and CR will not be filled with the default
+subject DN from the reference certificate.
+If a subject DN is desired it needs to be set explicitly with
\&\fBOSSL_CMP_CTX_set1_subjectName()\fR.
.PP
\&\fBOSSL_CMP_CTX_set0_reqExtensions()\fR sets the X.509v3 extensions to be used in
-\&\s-1IR/CR/KUR.\s0
+IR/CR/KUR.
.PP
\&\fBOSSL_CMP_CTX_reqExtensions_have_SAN()\fR returns 1 if the context contains
a Subject Alternative Name extension, else 0 or \-1 on error.
@@ -717,32 +664,39 @@ a Subject Alternative Name extension, else 0 or \-1 on error.
to the X509_EXTENSIONS of the requested certificate template.
.PP
\&\fBOSSL_CMP_CTX_set1_oldCert()\fR sets the old certificate to be updated in
-Key Update Requests (\s-1KUR\s0) or to be revoked in Revocation Requests (\s-1RR\s0).
-It must be given for \s-1RR,\s0 else it defaults to the \s-1CMP\s0 signer certificate.
-The \fIreference certificate\fR determined in this way, if any, is also used for
-deriving default subject \s-1DN,\s0 public key, Subject Alternative Names, and the
-default issuer entry in the requested certificate template of \s-1IR/CR/KUR.\s0
+Key Update Requests (KUR) or to be revoked in Revocation Requests (RR).
+For RR, this is ignored if an issuer name and a serial number are provided using
+\&\fBOSSL_CMP_CTX_set1_issuer()\fR and \fBOSSL_CMP_CTX_set1_serialNumber()\fR, respectively.
+For IR/CR/KUR this sets the \fIreference certificate\fR,
+which otherwise defaults to the CMP signer certificate.
+The \fIreference certificate\fR determined this way, if any, is used for providing
+default public key, subject DN, Subject Alternative Names, and issuer DN entries
+in the requested certificate template of IR/CR/KUR messages.
+.PP
The subject of the reference certificate is used as the sender field value
-in \s-1CMP\s0 message headers.
-Its issuer is used as default recipient in \s-1CMP\s0 message headers.
+in CMP message headers.
+Its issuer is used as default recipient in CMP message headers.
.PP
-\&\fBOSSL_CMP_CTX_set1_p10CSR()\fR sets the PKCS#10 \s-1CSR\s0 to use in P10CR messages.
-If such a \s-1CSR\s0 is provided, its subject, public key, and extension fields are
-also used as fallback values for the certificate template of \s-1IR/CR/KUR\s0 messages.
+\&\fBOSSL_CMP_CTX_set1_p10CSR()\fR sets the PKCS#10 CSR to use in P10CR messages.
+If such a CSR is provided, its subject and public key fields are also
+used as fallback values for the certificate template of IR/CR/KUR/RR messages,
+and any extensions included are added to the template of IR/CR/KUR messages.
.PP
\&\fBOSSL_CMP_CTX_push0_genm_ITAV()\fR adds \fIitav\fR to the stack in the \fIctx\fR which
will be the body of a General Message sent with this context.
.PP
\&\fBOSSL_CMP_certConf_cb()\fR is the default certificate confirmation callback function.
-If the callback argument is not \s-1NULL\s0 it must point to a trust store.
+If the callback argument is not NULL it must point to a trust store.
In this case the function checks that the newly enrolled certificate can be
verified using this trust store and untrusted certificates from the \fIctx\fR,
which have been augmented by the list of extraCerts received.
During this verification, any certificate status checking is disabled.
-If the callback argument is \s-1NULL\s0 the function tries building an approximate
+If the callback argument is NULL the function tries building an approximate
chain as far as possible using the same untrusted certificates from the \fIctx\fR,
and if this fails it takes the received extraCerts as fallback.
The resulting cert chain can be retrieved using \fBOSSL_CMP_CTX_get1_newChain()\fR.
+This chain excludes the leaf certificate, i.e., the newly enrolled certificate.
+Also the trust anchor (the root certificate) is not included.
.PP
\&\fBOSSL_CMP_CTX_set_certConf_cb()\fR sets the callback used for evaluating the newly
enrolled certificate before the library sends, depending on its result,
@@ -763,28 +717,28 @@ in the \fIctx\fR by means of \fBOSSL_CMP_CTX_set_certConf_cb_arg()\fR, which may
retrieved again through \fBOSSL_CMP_CTX_get_certConf_cb_arg()\fR.
Typically, the callback will check at least that the certificate can be verified
using a set of trusted certificates.
-It also could compare the subject \s-1DN\s0 and other fields of the newly
+It also could compare the subject DN and other fields of the newly
enrolled certificate with the certificate template of the request.
.PP
\&\fBOSSL_CMP_CTX_set_certConf_cb_arg()\fR sets an argument, respectively a pointer to a
structure containing arguments, optionally to be used by the certConf callback.
\&\fIarg\fR is not consumed, and it must therefore explicitly be freed when not
-needed any more. \fIarg\fR may be \s-1NULL\s0 to clear the entry.
+needed any more. \fIarg\fR may be NULL to clear the entry.
.PP
\&\fBOSSL_CMP_CTX_get_certConf_cb_arg()\fR gets the argument, respectively the pointer
to a structure containing arguments, previously set by
-\&\fBOSSL_CMP_CTX_set_certConf_cb_arg()\fR, or \s-1NULL\s0 if unset.
+\&\fBOSSL_CMP_CTX_set_certConf_cb_arg()\fR, or NULL if unset.
.PP
\&\fBOSSL_CMP_CTX_get_status()\fR returns for client contexts the PKIstatus from
the last received CertRepMessage or Revocation Response or error message:
-=item \fBOSSL_CMP_PKISTATUS_accepted\fR on successful receipt of a \s-1GENP\s0 message:
-.IP "\fBOSSL_CMP_PKISTATUS_request\fR" 4
+=item \fBOSSL_CMP_PKISTATUS_accepted\fR on successful receipt of a GENP message:
+.IP \fBOSSL_CMP_PKISTATUS_request\fR 4
.IX Item "OSSL_CMP_PKISTATUS_request"
-if an \s-1IR/CR/KUR/RR/GENM\s0 request message could not be produced,
-.IP "\fBOSSL_CMP_PKISTATUS_trans\fR" 4
+if an IR/CR/KUR/RR/GENM request message could not be produced,
+.IP \fBOSSL_CMP_PKISTATUS_trans\fR 4
.IX Item "OSSL_CMP_PKISTATUS_trans"
on a transmission error or transaction error for this type of request, and
-.IP "\fBOSSL_CMP_PKISTATUS_unspecified\fR" 4
+.IP \fBOSSL_CMP_PKISTATUS_unspecified\fR 4
.IX Item "OSSL_CMP_PKISTATUS_unspecified"
if no such request was attempted or \fBOSSL_CMP_CTX_reinit()\fR has been called.
.PP
@@ -793,26 +747,33 @@ For server contexts it returns
otherwise \fBOSSL_CMP_PKISTATUS_unspecified\fR.
.PP
\&\fBOSSL_CMP_CTX_get0_statusString()\fR returns the statusString from the last received
-CertRepMessage or Revocation Response or error message, or \s-1NULL\s0 if unset.
+CertRepMessage or Revocation Response or error message, or NULL if unset.
.PP
\&\fBOSSL_CMP_CTX_get_failInfoCode()\fR returns the error code from the failInfo field
of the last received CertRepMessage or Revocation Response or error message,
or \-1 if no such response was received or \fBOSSL_CMP_CTX_reinit()\fR has been called.
This is a bit field and the flags for it are specified in the header file
\&\fI<openssl/cmp.h>\fR.
-The flags start with \s-1OSSL_CMP_CTX_FAILINFO,\s0 for example:
+The flags start with OSSL_CMP_CTX_FAILINFO, for example:
OSSL_CMP_CTX_FAILINFO_badAlg. Returns \-1 if the failInfoCode field is unset.
.PP
+\&\fBOSSL_CMP_CTX_get0_validatedSrvCert()\fR returns
+the successfully validated certificate, if any, that the CMP server used
+in the current transaction for signature-based response message protection,
+or NULL if the server used MAC-based protection.
+The value is relevant only at the end of a successful transaction.
+It may be used to check the authorization of the server based on its cert.
+.PP
\&\fBOSSL_CMP_CTX_get0_newCert()\fR returns the pointer to the newly obtained
-certificate in case it is available, else \s-1NULL.\s0
+certificate in case it is available, else NULL.
.PP
\&\fBOSSL_CMP_CTX_get1_newChain()\fR returns a pointer to a duplicate of the stack of
X.509 certificates computed by \fBOSSL_CMP_certConf_cb()\fR (if this function has
-been called) on the last received certificate response message \s-1IP/CP/KUP.\s0
+been called) on the last received certificate response message IP/CP/KUP.
.PP
\&\fBOSSL_CMP_CTX_get1_caPubs()\fR returns a pointer to a duplicate of the list of
X.509 certificates in the caPubs field of the last received certificate
-response message (of type \s-1IP, CP,\s0 or \s-1KUP\s0),
+response message (of type IP, CP, or KUP),
or an empty stack if no caPubs have been received in the current transaction.
.PP
\&\fBOSSL_CMP_CTX_get1_extraCertsIn()\fR returns a pointer to a duplicate of the list
@@ -820,31 +781,34 @@ of X.509 certificates contained in the extraCerts field of the last received
response message (except for pollRep and PKIConf), or
an empty stack if no extraCerts have been received in the current transaction.
.PP
-\&\fBOSSL_CMP_CTX_set1_transactionID()\fR sets the given transaction \s-1ID\s0 in the given
-\&\s-1OSSL_CMP_CTX\s0 structure.
+\&\fBOSSL_CMP_CTX_set1_transactionID()\fR sets the given transaction ID in the given
+OSSL_CMP_CTX structure.
.PP
\&\fBOSSL_CMP_CTX_set1_senderNonce()\fR stores the last sent sender \fInonce\fR in
the \fIctx\fR. This will be used to validate the recipNonce in incoming messages.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_CTX_free()\fR and \fBOSSL_CMP_CTX_print_errors()\fR do not return anything.
.PP
\&\fBOSSL_CMP_CTX_new()\fR,
+\&\fBOSSL_CMP_CTX_get0_libctx()\fR, \fBOSSL_CMP_CTX_get0_propq()\fR,
\&\fBOSSL_CMP_CTX_get_http_cb_arg()\fR,
\&\fBOSSL_CMP_CTX_get_transfer_cb_arg()\fR,
-\&\fBOSSL_CMP_CTX_get0_trustedStore()\fR,
+\&\fBOSSL_CMP_CTX_get0_trusted()\fR,
\&\fBOSSL_CMP_CTX_get0_untrusted()\fR,
+\&\fBOSSL_CMP_CTX_get0_geninfo_ITAVs()\fR,
\&\fBOSSL_CMP_CTX_get0_newPkey()\fR,
\&\fBOSSL_CMP_CTX_get_certConf_cb_arg()\fR,
\&\fBOSSL_CMP_CTX_get0_statusString()\fR,
+\&\fBOSSL_CMP_CTX_get0_validatedSrvCert()\fR,
\&\fBOSSL_CMP_CTX_get0_newCert()\fR,
\&\fBOSSL_CMP_CTX_get0_newChain()\fR,
\&\fBOSSL_CMP_CTX_get1_caPubs()\fR, and
\&\fBOSSL_CMP_CTX_get1_extraCertsIn()\fR
-return the intended pointer value as described above or \s-1NULL\s0 on error.
+return the intended pointer value as described above or NULL on error.
.PP
\&\fBOSSL_CMP_CTX_get_option()\fR,
\&\fBOSSL_CMP_CTX_reqExtensions_have_SAN()\fR,
@@ -859,21 +823,21 @@ or else a bit field with the \fBOSSL_CMP_PKIFAILUREINFO_incorrectData\fR bit set
All other functions, including \fBOSSL_CMP_CTX_reinit()\fR
and \fBOSSL_CMP_CTX_reset_geninfo_ITAVs()\fR,
return 1 on success, 0 on error.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The following code omits error handling.
.PP
-Set up a \s-1CMP\s0 client context for sending requests and verifying responses:
+Set up a CMP client context for sending requests and verifying responses:
.PP
.Vb 5
\& cmp_ctx = OSSL_CMP_CTX_new();
\& OSSL_CMP_CTX_set1_server(cmp_ctx, name_or_address);
\& OSSL_CMP_CTX_set1_serverPort(cmp_ctx, port_string);
\& OSSL_CMP_CTX_set1_serverPath(cmp_ctx, path_or_alias);
-\& OSSL_CMP_CTX_set0_trustedStore(cmp_ctx, ts);
+\& OSSL_CMP_CTX_set0_trusted(cmp_ctx, ts);
.Ve
.PP
-Set up symmetric credentials for MAC-based message protection such as \s-1PBM:\s0
+Set up symmetric credentials for MAC-based message protection such as PBM:
.PP
.Vb 2
\& OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
@@ -893,7 +857,7 @@ Perform an Initialization Request transaction:
\& initialCert = OSSL_CMP_exec_IR_ses(cmp_ctx);
.Ve
.PP
-Reset the transaction state of the \s-1CMP\s0 context and the credentials:
+Reset the transaction state of the CMP context and the credentials:
.PP
.Vb 3
\& OSSL_CMP_CTX_reinit(cmp_ctx);
@@ -922,7 +886,7 @@ Perform a Key Update Request, signed using the cert (and key) to be updated:
.Ve
.PP
Perform a General Message transaction including, as an example,
-the id-it-signKeyPairTypes \s-1OID\s0 and prints info on the General Response contents:
+the id-it-signKeyPairTypes OID and prints info on the General Response contents:
.PP
.Vb 1
\& OSSL_CMP_CTX_reinit(cmp_ctx);
@@ -941,17 +905,31 @@ the id-it-signKeyPairTypes \s-1OID\s0 and prints info on the General Response co
\&\fBOSSL_CMP_exec_IR_ses\fR\|(3), \fBOSSL_CMP_exec_CR_ses\fR\|(3),
\&\fBOSSL_CMP_exec_KUR_ses\fR\|(3), \fBOSSL_CMP_exec_GENM_ses\fR\|(3),
\&\fBOSSL_CMP_exec_certreq\fR\|(3), \fBOSSL_CMP_MSG_http_perform\fR\|(3),
-\&\fBERR_print_errors_cb\fR\|(3)
-.SH "HISTORY"
+\&\fBERR_print_errors_cb\fR\|(3), \fBOSSL_HTTP_open\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_CMP_CTX_get0_trustedStore()\fR was renamed to \fBOSSL_CMP_CTX_get0_trusted()\fR and
+\&\fBOSSL_CMP_CTX_set0_trustedStore()\fR was renamed to \fBOSSL_CMP_CTX_set0_trusted()\fR,
+using macros, while keeping the old names for backward compatibility,
+in OpenSSL 3.2.
.PP
\&\fBOSSL_CMP_CTX_reset_geninfo_ITAVs()\fR was added in OpenSSL 3.0.8.
-.SH "COPYRIGHT"
+.PP
+\&\fBOSSL_CMP_CTX_set1_serialNumber()\fR,
+\&\fBOSSL_CMP_CTX_get0_libctx()\fR, \fBOSSL_CMP_CTX_get0_propq()\fR, and
+\&\fBOSSL_CMP_CTX_get0_validatedSrvCert()\fR were added in OpenSSL 3.2.
+.PP
+\&\fBOSSL_CMP_CTX_get0_geninfo_ITAVs()\fR was added in OpenSSL 3.3.
+.PP
+Support for central key generation, requested via \fBOSSL_CRMF_POPO_NONE\fR,
+was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3
index bc1585dfb70b..2a5e8611375a 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_HDR_get0_transactionID.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl"
-.TH OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_HDR_GET0_TRANSACTIONID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_HDR_get0_transactionID,
-OSSL_CMP_HDR_get0_recipNonce
+OSSL_CMP_HDR_get0_recipNonce,
+OSSL_CMP_HDR_get0_geninfo_ITAVs
\&\- functions manipulating CMP message headers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
@@ -149,28 +74,35 @@ OSSL_CMP_HDR_get0_recipNonce
\& OSSL_CMP_PKIHEADER *hdr);
\& ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const
\& OSSL_CMP_PKIHEADER *hdr);
+\& STACK_OF(OSSL_CMP_ITAV)
+\& *OSSL_CMP_HDR_get0_geninfo_ITAVs(const OSSL_CMP_PKIHEADER *hdr);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-OSSL_CMP_HDR_get0_transactionID returns the transaction \s-1ID\s0 of the given
+OSSL_CMP_HDR_get0_transactionID returns the transaction ID of the given
PKIHeader.
.PP
OSSL_CMP_HDR_get0_recipNonce returns the recipient nonce of the given PKIHeader.
-.SH "NOTES"
+.PP
+\&\fBOSSL_CMP_HDR_get0_geninfo_ITAVs()\fR returns the list of ITAVs
+in the generalInfo field of the given PKIHeader.
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210.\s0
+CMP is defined in RFC 4210.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions return the intended pointer value as described above
-or \s-1NULL\s0 if the respective entry does not exist and on error.
-.SH "HISTORY"
+or NULL if the respective entry does not exist and on error.
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_CMP_HDR_get0_geninfo_ITAVs()\fR was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3
new file mode 100644
index 000000000000..9bee15d28414
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_new_caCerts.3
@@ -0,0 +1,267 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_CMP_ITAV_NEW_CACERTS 3ossl"
+.TH OSSL_CMP_ITAV_NEW_CACERTS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_CMP_ITAV_new_caCerts,
+OSSL_CMP_ITAV_get0_caCerts,
+OSSL_CMP_ITAV_new_rootCaCert,
+OSSL_CMP_ITAV_get0_rootCaCert,
+OSSL_CMP_ITAV_new_rootCaKeyUpdate,
+OSSL_CMP_ITAV_get0_rootCaKeyUpdate,
+OSSL_CMP_CRLSTATUS_new1,
+OSSL_CMP_CRLSTATUS_create,
+OSSL_CMP_CRLSTATUS_get0,
+OSSL_CMP_ITAV_new0_crlStatusList,
+OSSL_CMP_ITAV_get0_crlStatusList,
+OSSL_CMP_ITAV_new_crls,
+OSSL_CMP_ITAV_get0_crls,
+OSSL_CMP_ITAV_new0_certReqTemplate,
+OSSL_CMP_ITAV_get1_certReqTemplate
+\&\- CMP utility functions for handling specific genm and genp messages
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/cmp.h>
+\&
+\& OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts);
+\& int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out);
+\&
+\& OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert);
+\& int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out);
+\& OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
+\& const X509 *newWithOld,
+\& const X509 *oldWithNew);
+\& int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
+\& X509 **newWithNew,
+\& X509 **newWithOld,
+\& X509 **oldWithNew);
+\&
+\& OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
+\& const GENERAL_NAMES *issuer,
+\& const ASN1_TIME *thisUpdate);
+\& OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl,
+\& const X509 *cert, int only_DN);
+\& int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus,
+\& DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer,
+\& ASN1_TIME **thisUpdate);
+\& OSSL_CMP_ITAV
+\& *OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList);
+\& int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav,
+\& STACK_OF(OSSL_CMP_CRLSTATUS) **out);
+\& OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl);
+\& int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *itav, STACK_OF(X509_CRL) **out);
+\& OSSL_CMP_ITAV
+\& *OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE *certTemplate,
+\& OSSL_CMP_ATAVS *keySpec);
+\& int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
+\& OSSL_CRMF_CERTTEMPLATE **certTemplate,
+\& OSSL_CMP_ATAVS **keySpec);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+ITAV is short for InfoTypeAndValue.
+.PP
+\&\fBOSSL_CMP_ITAV_new_caCerts()\fR creates an \fBOSSL_CMP_ITAV\fR structure of type
+\&\fBcaCerts\fR and fills it with a copy of the provided list of certificates.
+The \fIcaCerts\fR argument may be NULL or contain any number of certificates.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_caCerts()\fR requires that \fIitav\fR has type \fBcaCerts\fR.
+It assigns NULL to \fI*out\fR if there are no CA certificates in \fIitav\fR, otherwise
+the internal pointer of type \fBSTACK_OF(X509)\fR with the certificates present.
+.PP
+\&\fBOSSL_CMP_ITAV_new_rootCaCert()\fR creates a new \fBOSSL_CMP_ITAV\fR structure
+of type \fBrootCaCert\fR that includes the optionally given certificate.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_rootCaCert()\fR requires that \fIitav\fR has type \fBrootCaCert\fR.
+It assigns NULL to \fI*out\fR if no certificate is included in \fIitav\fR, otherwise
+the internal pointer to the certificate contained in the infoValue field.
+.PP
+\&\fBOSSL_CMP_ITAV_new_rootCaKeyUpdate()\fR creates a new \fBOSSL_CMP_ITAV\fR structure
+of type \fBrootCaKeyUpdate\fR that includes an RootCaKeyUpdateContent structure
+with the optional \fInewWithNew\fR, \fInewWithOld\fR, and \fIoldWithNew\fR certificates.
+An RootCaKeyUpdateContent structure is included only if \fInewWithNew\fR
+is not NULL.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_rootCaKeyUpdate()\fR requires that \fIitav\fR has infoType
+\&\fBrootCaKeyUpdate\fR.
+If an update of a root CA certificate is included,
+it assigns to \fI*newWithNew\fR the internal pointer
+to the certificate contained in the newWithNew infoValue sub-field of \fIitav\fR.
+If \fInewWithOld\fR is not NULL, it assigns to \fI*newWithOld\fR the internal pointer
+to the certificate contained in the newWithOld infoValue sub-field of \fIitav\fR.
+If \fIoldWithNew\fR is not NULL, it assigns to \fI*oldWithNew\fR the internal pointer
+to the certificate contained in the oldWithNew infoValue sub-field of \fIitav\fR.
+Each of these pointers will be set to NULL if no root CA certificate update
+is present or the respective sub-field is not included.
+.PP
+\&\fBOSSL_CMP_CRLSTATUS_new1()\fR allocates a new \fBOSSL_CMP_CRLSTATUS\fR structure
+that contains either a copy of the distribution point name \fIdpn\fR
+or a copy of the certificate issuer \fIissuer\fR, while giving both is an error.
+If given, a copy of the CRL issuance time \fIthisUpdate\fR is also included.
+.PP
+\&\fBOSSL_CMP_CRLSTATUS_create()\fR is a high-level variant of \fBOSSL_CMP_CRLSTATUS_new1()\fR.
+It fills the thisUpdate field with a copy of the thisUpdate field of \fIcrl\fR if present.
+It fills the CRLSource field with a copy of the first data item found using the \fIcrl\fR
+and/or \fIcert\fR parameters as follows.
+Any available distribution point name is preferred over issuer names.
+Data from \fIcert\fR, if present, is preferred over data from \fIcrl\fR.
+If no distribution point names are available,
+candidate issuer names are taken from following sources, as far as present:
+.IP "the list of distribution points in the first cRLDistributionPoints extension of \fIcert\fR," 4
+.IX Item "the list of distribution points in the first cRLDistributionPoints extension of cert,"
+.PD 0
+.IP "the issuer field of the authority key identifier of \fIcert\fR," 4
+.IX Item "the issuer field of the authority key identifier of cert,"
+.IP "the issuer DN of \fIcert\fR," 4
+.IX Item "the issuer DN of cert,"
+.IP "the issuer field of the authority key identifier of \fIcrl\fR, and" 4
+.IX Item "the issuer field of the authority key identifier of crl, and"
+.IP "the issuer DN of \fIcrl\fR." 4
+.IX Item "the issuer DN of crl."
+.PD
+.PP
+If <only_DN> is set, a candidate issuer name of type \fBGENERAL_NAMES\fR is
+accepted only if it contains exactly one general name of type directoryName.
+.PP
+\&\fBOSSL_CMP_CRLSTATUS_get0()\fR reads the fields of \fIcrlstatus\fR
+and assigns them to \fI*dpn\fR, \fI*issuer\fR, and \fI*thisUpdate\fR.
+\&\fI*thisUpdate\fR is assigned only if the \fIthisUpdate\fR argument is not NULL.
+Depending on the choice present, either \fI*dpn\fR or \fI*issuer\fR will be NULL.
+\&\fI*thisUpdate\fR can also be NULL if the field is not present.
+.PP
+\&\fBOSSL_CMP_ITAV_new0_crlStatusList()\fR creates a new \fBOSSL_CMP_ITAV\fR structure of
+type \fBcrlStatusList\fR that includes the optionally given list of
+CRL status data, each of which is of type \fBOSSL_CMP_CRLSTATUS\fR.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_crlStatusList()\fR on success assigns to \fI*out\fR an internal
+pointer to the list of CRL status data in the infoValue field of \fIitav\fR.
+The pointer may be NULL if no CRL status data is included.
+It is an error if the infoType of \fIitav\fR is not \fBcrlStatusList\fR.
+.PP
+\&\fBOSSL_CMP_ITAV_new_crls()\fR creates a new \fBOSSL_CMP_ITAV\fR structure
+of type \fBcrls\fR including an empty list of CRLs if the \fIcrl\fR argument is NULL
+or including a singleton list a with copy of the provided CRL otherwise.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_crls()\fR on success assigns to \fI*out\fR an internal pointer to
+the list of CRLs contained in the infoValue field of \fIitav\fR.
+The pointer may be NULL if no CRL is included.
+It is an error if the infoType of \fIitav\fR is not \fBcrls\fR.
+.PP
+\&\fBOSSL_CMP_ITAV_new0_certReqTemplate()\fR creates an \fBOSSL_CMP_ITAV\fR structure
+of type \fBcertReqTemplate\fR.
+If \fIcertTemplate\fR is NULL then also \fIkeySpec\fR must be NULL,
+and the resulting ITAV can be used in a \fBgenm\fR message to obtain the
+requirements a PKI has on the certificate template used to request certificates,
+or in a \fBgenp\fR message stating that there are no such requirements.
+Otherwise the resulting ITAV includes a CertReqTemplateValue structure
+with \fIcertTemplate\fR of type \fBOSSL_CRMF_CERTTEMPLATE\fR and an optional list
+of key specifications \fIkeySpec\fR, each being of type \fBOSSL_CMP_ATAV\fR, and
+the resulting ATAV can be used in a \fBgenp\fR message to provide requirements.
+.PP
+\&\fBOSSL_CMP_ITAV_get1_certReqTemplate()\fR
+requires that \fIitav\fR has type \fBcertReqTemplate\fR.
+If assigns NULL to \fI*certTemplate\fR if no \fBOSSL_CRMF_CERTTEMPLATE\fR structure
+with a certificate template value is in \fIitav\fR,
+otherwise a copy of the certTemplate field value.
+If \fIkeySpec\fR is not NULL, it is assigned NULL
+if the structure is not present in \fIitav\fR or the keySpec field is absent.
+Otherwise, the function checks that all elements of keySpec field are of type
+\&\fBalgId\fR or \fBrsaKeyLen\fR and assigns to \fI*keySpec\fR a copy of the keySpec field.
+.SH NOTES
+.IX Header "NOTES"
+CMP is defined in RFC 4210.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_CMP_ITAV_new_caCerts()\fR, \fBOSSL_CMP_ITAV_new_rootCaCert()\fR,
+\&\fBOSSL_CMP_ITAV_new_rootCaKeyUpdate()\fR, \fBOSSL_CMP_CRLSTATUS_new1()\fR,
+\&\fBOSSL_CMP_CRLSTATUS_create()\fR, \fBOSSL_CMP_ITAV_new0_crlStatusList()\fR,
+\&\fBOSSL_CMP_ITAV_new_crls()\fR and \fBOSSL_CMP_ITAV_new0_certReqTemplate()\fR
+return a pointer to the new ITAV structure on success, or NULL on error.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_caCerts()\fR, \fBOSSL_CMP_ITAV_get0_rootCaCert()\fR,
+\&\fBOSSL_CMP_ITAV_get0_rootCaKeyUpdate()\fR, \fBOSSL_CMP_CRLSTATUS_get0()\fR,
+\&\fBOSSL_CMP_ITAV_get0_crlStatusList()\fR, \fBOSSL_CMP_ITAV_get0_crls()\fR
+and \fBOSSL_CMP_ITAV_get1_certReqTemplate()\fR
+return 1 on success, 0 on error.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_CMP_ITAV_create\fR\|(3) and \fBOSSL_CMP_ITAV_get0_type\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBOSSL_CMP_ITAV_new_caCerts()\fR, \fBOSSL_CMP_ITAV_get0_caCerts()\fR,
+\&\fBOSSL_CMP_ITAV_new_rootCaCert()\fR, \fBOSSL_CMP_ITAV_get0_rootCaCert()\fR,
+\&\fBOSSL_CMP_ITAV_new_rootCaKeyUpdate()\fR, and \fBOSSL_CMP_ITAV_get0_rootCaKeyUpdate()\fR
+were added in OpenSSL 3.2.
+.PP
+\&\fBOSSL_CMP_CRLSTATUS_new1()\fR, \fBOSSL_CMP_CRLSTATUS_create()\fR,
+\&\fBOSSL_CMP_CRLSTATUS_get0()\fR, \fBOSSL_CMP_ITAV_new0_crlStatusList()\fR,
+\&\fBOSSL_CMP_ITAV_get0_crlStatusList()\fR, \fBOSSL_CMP_ITAV_new_crls()\fR,
+\&\fBOSSL_CMP_ITAV_get0_crls()\fR, \fBOSSL_CMP_ITAV_new0_certReqTemplate()\fR
+and \fBOSSL_CMP_ITAV_get1_certReqTemplate()\fR were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3
index 411763ba0c4b..44973437c568 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_ITAV_set0.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,103 +52,47 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_ITAV_SET0 3ossl"
-.TH OSSL_CMP_ITAV_SET0 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_ITAV_SET0 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_ITAV_create,
OSSL_CMP_ITAV_set0,
OSSL_CMP_ITAV_get0_type,
OSSL_CMP_ITAV_get0_value,
-OSSL_CMP_ITAV_push0_stack_item
+OSSL_CMP_ITAV_push0_stack_item,
+OSSL_CMP_ITAV_new0_certProfile,
+OSSL_CMP_ITAV_get0_certProfile
\&\- OSSL_CMP_ITAV utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
-.Vb 6
-\& #include <openssl/cmp.h>
-\& OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
-\& void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
-\& ASN1_TYPE *value);
-\& ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
-\& ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
+.Vb 1
+\& #include <openssl/cmp.h>
\&
-\& int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
-\& OSSL_CMP_ITAV *itav);
+\& OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
+\& void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+\& ASN1_TYPE *value);
+\& ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav);
+\& ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav);
+\& int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+\& OSSL_CMP_ITAV *itav);
+\& OSSL_CMP_ITAV
+\& *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) *certProfile);
+\& int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav,
+\& STACK_OF(ASN1_UTF8STRING) **out);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Certificate Management Protocol (\s-1CMP, RFC 4210\s0) extension to OpenSSL
-.PP
-\&\s-1ITAV\s0 is short for InfoTypeAndValue. This type is defined in \s-1RFC 4210\s0
-section 5.3.19 and Appendix F. It is used at various places in \s-1CMP\s0 messages,
+ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210
+section 5.3.19 and Appendix F. It is used at various places in CMP messages,
e.g., in the generalInfo PKIHeader field, to hold a key-value pair.
.PP
-\&\fBOSSL_CMP_ITAV_create()\fR creates a new \fB\s-1OSSL_CMP_ITAV\s0\fR structure and fills it in.
+\&\fBOSSL_CMP_ITAV_create()\fR creates a new \fBOSSL_CMP_ITAV\fR structure and fills it in.
It combines \fBOSSL_CMP_ITAV_new()\fR and \fBOSSL_CMP_ITAV_set0()\fR.
.PP
\&\fBOSSL_CMP_ITAV_set0()\fR sets the \fIitav\fR with an infoType of \fItype\fR and an
@@ -175,29 +103,45 @@ internally, so they must \fBnot\fR be freed up after the call.
\&\fIitav\fR.
.PP
\&\fBOSSL_CMP_ITAV_get0_value()\fR returns a direct pointer to the infoValue in
-the \fIitav\fR as generic \fB\s-1ASN1_TYPE\s0\fR pointer.
+the \fIitav\fR as generic \fBASN1_TYPE\fR pointer.
.PP
\&\fBOSSL_CMP_ITAV_push0_stack_item()\fR pushes \fIitav\fR to the stack pointed to
-by \fI*itav_sk_p\fR. It creates a new stack if \fI*itav_sk_p\fR points to \s-1NULL.\s0
-.SH "NOTES"
+by \fI*itav_sk_p\fR. It creates a new stack if \fI*itav_sk_p\fR points to NULL.
+.PP
+\&\fBOSSL_CMP_ITAV_new0_certProfile()\fR creates a new \fBOSSL_CMP_ITAV\fR structure
+of type \fBcertProfile\fR that includes the optionally given list of profile names.
+On success, ownership of the list is with the new \fBOSSL_CMP_ITAV\fR structure.
+.PP
+\&\fBOSSL_CMP_ITAV_get0_certProfile()\fR on success assigns to \fI*out\fR
+an internal pointer to the
+list of certificate profile names contained in the infoValue field of \fIitav\fR.
+The pointer may be NULL if no profile name is included.
+It is an error if the infoType of \fIitav\fR is not \fBcertProfile\fR.
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 and RFC 9480 (and CRMF in RFC 4211).
+.PP
+OIDs to use as types in \fBOSSL_CMP_ITAV\fR can be found at
+<https://datatracker.ietf.org/doc/html/rfc9480#section\-4.2.2>.
+The respective OpenSSL NIDs, such as \fBNID_id_it_certProfile\fR,
+are defined in the \fI<openssl/obj_mac.h>\fR header file.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_CMP_ITAV_create()\fR returns a pointer to the \s-1ITAV\s0 structure on success,
-or \s-1NULL\s0 on error.
+\&\fBOSSL_CMP_ITAV_create()\fR and \fBOSSL_CMP_ITAV_new0_certProfile()\fR
+return a pointer to an ITAV structure on success, or NULL on error.
.PP
\&\fBOSSL_CMP_ITAV_set0()\fR does not return a value.
.PP
\&\fBOSSL_CMP_ITAV_get0_type()\fR and \fBOSSL_CMP_ITAV_get0_value()\fR
-return the respective pointer or \s-1NULL\s0 if their input is \s-1NULL.\s0
+return the respective pointer or NULL if their input is NULL.
.PP
-\&\fBOSSL_CMP_ITAV_push0_stack_item()\fR returns 1 on success, 0 on error.
-.SH "EXAMPLES"
+\&\fBOSSL_CMP_ITAV_push0_stack_item()\fR and \fBOSSL_CMP_ITAV_get0_certProfile()\fR
+return 1 on success, 0 on error.
+.SH EXAMPLES
.IX Header "EXAMPLES"
The following code creates and sets a structure representing a generic
-InfoTypeAndValue sequence, using an \s-1OID\s0 created from text as type, and an
-integer as value. Afterwards, it is pushed to the \fB\s-1OSSL_CMP_CTX\s0\fR to be later
+InfoTypeAndValue sequence, using an OID created from text as type, and an
+integer as value. Afterwards, it is pushed to the \fBOSSL_CMP_CTX\fR to be later
included in the requests' PKIHeader's genInfo field.
.PP
.Vb 2
@@ -214,10 +158,9 @@ included in the requests' PKIHeader's genInfo field.
\& OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_create(type, val);
\& if (itav == NULL) ...
\&
-\& OSSL_CMP_CTX *ctx = OSSL_CMP_CTX_new();
-\& if (ctx == NULL || !OSSL_CMP_CTX_geninfo_push0_ITAV(ctx, itav)) {
+\& if (!OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav)) {
\& OSSL_CMP_ITAV_free(itav); /* also frees type and val */
-\& goto err;
+\& ...
\& }
\&
\& ...
@@ -227,14 +170,17 @@ included in the requests' PKIHeader's genInfo field.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOSSL_CMP_CTX_new\fR\|(3), \fBOSSL_CMP_CTX_free\fR\|(3), \fBASN1_TYPE_set\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_CMP_ITAV_new0_certProfile()\fR and \fBOSSL_CMP_ITAV_get0_certProfile()\fR
+were added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3
index 325c659e76b5..cc35a0335660 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_get0_header.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_MSG_GET0_HEADER 3ossl"
-.TH OSSL_CMP_MSG_GET0_HEADER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_MSG_GET0_HEADER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_MSG_get0_header,
OSSL_CMP_MSG_get_bodytype,
+OSSL_CMP_MSG_get0_certreq_publickey,
OSSL_CMP_MSG_update_transactionID,
OSSL_CMP_MSG_update_recipNonce,
OSSL_CMP_CTX_setup_CRM,
@@ -147,13 +72,14 @@ OSSL_CMP_MSG_write,
d2i_OSSL_CMP_MSG_bio,
i2d_OSSL_CMP_MSG_bio
\&\- function(s) manipulating CMP messages
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
\&
\& OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
\& int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg);
+\& X509_PUBKEY *OSSL_CMP_MSG_get0_certreq_publickey(const OSSL_CMP_MSG *msg);
\& int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
\& int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
\& OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
@@ -162,32 +88,35 @@ i2d_OSSL_CMP_MSG_bio
\& OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
\& int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_CMP_MSG_get0_header()\fR returns the header of the given \s-1CMP\s0 message.
+\&\fBOSSL_CMP_MSG_get0_header()\fR returns the header of the given CMP message.
+.PP
+\&\fBOSSL_CMP_MSG_get_bodytype()\fR returns the body type of the given CMP message.
.PP
-\&\fBOSSL_CMP_MSG_get_bodytype()\fR returns the body type of the given \s-1CMP\s0 message.
+\&\fBOSSL_CMP_MSG_get0_certreq_publickey()\fR expects that \fImsg\fR is a certificate request
+message and returns the public key in its certificate template if present.
.PP
\&\fBOSSL_CMP_MSG_update_transactionID()\fR updates the transactionID field
-in the header of the given message according to the \s-1CMP_CTX.\s0
-If \fIctx\fR does not contain a transaction \s-1ID,\s0 a fresh one is created before.
+in the header of the given message according to the CMP_CTX.
+If \fIctx\fR does not contain a transaction ID, a fresh one is created before.
The message gets re-protected (if protecting requests is required).
.PP
\&\fBOSSL_CMP_MSG_update_recipNonce()\fR updates the recipNonce field
-in the header of the given message according to the \s-1CMP_CTX.\s0
+in the header of the given message according to the CMP_CTX.
The message gets re-protected (if protecting requests is required).
.PP
-\&\fBOSSL_CMP_CTX_setup_CRM()\fR creates a \s-1CRMF\s0 certificate request message
-from various information provided in the \s-1CMP\s0 context argument \fIctx\fR
-for inclusion in a \s-1CMP\s0 request message based on details contained in \fIctx\fR.
+\&\fBOSSL_CMP_CTX_setup_CRM()\fR creates a CRMF certificate request message
+from various information provided in the CMP context argument \fIctx\fR
+for inclusion in a CMP request message based on details contained in \fIctx\fR.
The \fIrid\fR argument defines the request identifier to use, which typically is 0.
.PP
-The subject \s-1DN\s0 included in the certificate template is
+The subject DN included in the certificate template is
the first available value of these:
.IP "any subject name in \fIctx\fR set via \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3) \- if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included," 4
.IX Item "any subject name in ctx set via OSSL_CMP_CTX_set1_subjectName - if it is the NULL-DN (i.e., any empty sequence of RDNs), no subject is included,"
.PD 0
-.IP "the subject field of any PKCS#10 \s-1CSR\s0 set in \fIctx\fR via \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3)," 4
+.IP "the subject field of any PKCS#10 CSR set in \fIctx\fR via \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3)," 4
.IX Item "the subject field of any PKCS#10 CSR set in ctx via OSSL_CMP_CTX_set1_p10CSR,"
.IP "the subject field of any reference certificate given in \fIctx\fR (see \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3)), but only if \fIfor_KUR\fR is nonzero or the \fIctx\fR does not include a Subject Alternative Name." 4
.IX Item "the subject field of any reference certificate given in ctx (see OSSL_CMP_CTX_set1_oldCert), but only if for_KUR is nonzero or the ctx does not include a Subject Alternative Name."
@@ -197,7 +126,7 @@ The public key included is the first available value of these:
.IP "the public key derived from any key set via \fBOSSL_CMP_CTX_set0_newPkey\fR\|(3)," 4
.IX Item "the public key derived from any key set via OSSL_CMP_CTX_set0_newPkey,"
.PD 0
-.IP "the public key of any PKCS#10 \s-1CSR\s0 given in \fIctx\fR," 4
+.IP "the public key of any PKCS#10 CSR given in \fIctx\fR," 4
.IX Item "the public key of any PKCS#10 CSR given in ctx,"
.IP "the public key of any reference certificate given in \fIctx\fR (see \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3))," 4
.IX Item "the public key of any reference certificate given in ctx (see OSSL_CMP_CTX_set1_oldCert),"
@@ -206,11 +135,11 @@ The public key included is the first available value of these:
.PD
.PP
The set of X.509 extensions to include is computed as follows.
-If a PKCS#10 \s-1CSR\s0 is present in \fIctx\fR, default extensions are taken from there,
+If a PKCS#10 CSR is present in \fIctx\fR, default extensions are taken from there,
otherwise the empty set is taken as the initial value.
If there is a reference certificate in \fIctx\fR and contains Subject Alternative
-Names (SANs) and \fB\s-1OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT\s0\fR is not set,
-these override any SANs from the PKCS#10 \s-1CSR.\s0
+Names (SANs) and \fBOSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT\fR is not set,
+these override any SANs from the PKCS#10 CSR.
The extensions are further augmented or overridden by any extensions with the
same OIDs included in the \fIctx\fR via \fBOSSL_CMP_CTX_set0_reqExtensions\fR\|(3).
The SANs are further overridden by any SANs included in \fIctx\fR via
@@ -219,35 +148,37 @@ Finally, policies are overridden by any policies included in \fIctx\fR via
\&\fBOSSL_CMP_CTX_push0_policy\fR\|(3).
.PP
\&\fBOSSL_CMP_CTX_setup_CRM()\fR also sets the sets the regToken control \fBoldCertID\fR
-for \s-1KUR\s0 messages using the issuer name and serial number of the reference
+for KUR messages using the issuer name and serial number of the reference
certificate, if present.
.PP
-\&\fBOSSL_CMP_MSG_read()\fR loads a DER-encoded \s-1OSSL_CMP_MSG\s0 from \fIfile\fR.
+\&\fBOSSL_CMP_MSG_read()\fR loads a DER-encoded OSSL_CMP_MSG from \fIfile\fR.
.PP
-\&\fBOSSL_CMP_MSG_write()\fR stores the given \s-1OSSL_CMP_MSG\s0 to \fIfile\fR in \s-1DER\s0 encoding.
+\&\fBOSSL_CMP_MSG_write()\fR stores the given OSSL_CMP_MSG to \fIfile\fR in DER encoding.
.PP
-\&\fBd2i_OSSL_CMP_MSG_bio()\fR parses an \s-1ASN\s0.1\-encoded \s-1OSSL_CMP_MSG\s0 from the \s-1BIO\s0 \fIbio\fR.
-It assigns a pointer to the new structure to \fI*msg\fR if \fImsg\fR is not \s-1NULL.\s0
+\&\fBd2i_OSSL_CMP_MSG_bio()\fR parses an ASN.1\-encoded OSSL_CMP_MSG from the BIO \fIbio\fR.
+It assigns a pointer to the new structure to \fI*msg\fR if \fImsg\fR is not NULL.
.PP
-\&\fBi2d_OSSL_CMP_MSG_bio()\fR writes the \s-1OSSL_CMP_MSG\s0 \fImsg\fR in \s-1ASN.1\s0 encoding
-to \s-1BIO\s0 \fIbio\fR.
-.SH "NOTES"
+\&\fBi2d_OSSL_CMP_MSG_bio()\fR writes the OSSL_CMP_MSG \fImsg\fR in ASN.1 encoding
+to BIO \fIbio\fR.
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210.\s0
+CMP is defined in RFC 4210.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_MSG_get0_header()\fR returns the intended pointer value as described above
-or \s-1NULL\s0 if the respective entry does not exist and on error.
+or NULL if the respective entry does not exist and on error.
.PP
\&\fBOSSL_CMP_MSG_get_bodytype()\fR returns the body type or \-1 on error.
.PP
-\&\fBOSSL_CMP_CTX_setup_CRM()\fR returns a pointer to a \fB\s-1OSSL_CRMF_MSG\s0\fR on success,
-\&\s-1NULL\s0 on error.
+\&\fBOSSL_CMP_MSG_get0_certreq_publickey()\fR returns a public key or NULL on error.
.PP
-\&\fBd2i_OSSL_CMP_MSG_bio()\fR returns the parsed message or \s-1NULL\s0 on error.
+\&\fBOSSL_CMP_CTX_setup_CRM()\fR returns a pointer to a \fBOSSL_CRMF_MSG\fR on success,
+NULL on error.
+.PP
+\&\fBd2i_OSSL_CMP_MSG_bio()\fR returns the parsed message or NULL on error.
.PP
\&\fBOSSL_CMP_MSG_read()\fR and \fBd2i_OSSL_CMP_MSG_bio()\fR
-return the parsed \s-1CMP\s0 message or \s-1NULL\s0 on error.
+return the parsed CMP message or NULL on error.
.PP
\&\fBOSSL_CMP_MSG_write()\fR returns the number of bytes successfully encoded or a
negative value if an error occurs.
@@ -261,16 +192,18 @@ return 1 on success, 0 on error.
\&\fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), \fBOSSL_CMP_CTX_set0_newPkey\fR\|(3),
\&\fBOSSL_CMP_CTX_set1_pkey\fR\|(3), \fBOSSL_CMP_CTX_set0_reqExtensions\fR\|(3),
\&\fBOSSL_CMP_CTX_push1_subjectAltName\fR\|(3), \fBOSSL_CMP_CTX_push0_policy\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
+The OpenSSL CMP support was added in OpenSSL 3.0.
.PP
\&\fBOSSL_CMP_MSG_update_recipNonce()\fR was added in OpenSSL 3.0.9.
-.SH "COPYRIGHT"
+.PP
+\&\fBOSSL_CMP_MSG_get0_certreq_publickey()\fR was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3
index 060abdf0b707..01455d668a94 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_MSG_http_perform.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_MSG_HTTP_PERFORM 3ossl"
-.TH OSSL_CMP_MSG_HTTP_PERFORM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_MSG_HTTP_PERFORM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_MSG_http_perform
\&\- client\-side HTTP(S) transfer of a CMP request\-response pair
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
@@ -147,42 +71,55 @@ OSSL_CMP_MSG_http_perform
\& OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
\& const OSSL_CMP_MSG *req);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_CMP_MSG_http_perform()\fR sends the given PKIMessage \fIreq\fR
-to the \s-1CMP\s0 server specified in \fIctx\fR via \fBOSSL_CMP_CTX_set1_server\fR\|(3)
-and optionally \fBOSSL_CMP_CTX_set_serverPort\fR\|(3), using
-any \*(L"\s-1CMP\s0 alias\*(R" optionally specified via \fBOSSL_CMP_CTX_set1_serverPath\fR\|(3).
-The default port is 80 for \s-1HTTP\s0 and 443 for \s-1HTTPS\s0; the default path is \*(L"/\*(R".
+\&\fBOSSL_CMP_MSG_http_perform()\fR sends the given PKIMessage \fIreq\fR to the
+CMP server specified in \fIctx\fR and returns the result obtained from it.
+.PP
+If \fBOSSL_CMP_CTX_set_transfer_cb_arg\fR\|(3) has been used to set the transfer
+callback argument then the provided pointer \fIbios\fR is taken as
+a two-element \fBBIO\fR array to use for the exchange with the server
+as described for the \fIbio\fR and \fIrbio\fR parameters of \fBOSSL_HTTP_open\fR\|(3).
+For instance, the two BIO pointers may be equal and refer to a TLS connection,
+such as in BRSKI-AE where a pre-established TLS channel is reused for CMP.
+.PP
+Otherwise the server specified via \fBOSSL_CMP_CTX_set1_server\fR\|(3)
+and optionally \fBOSSL_CMP_CTX_set_serverPort\fR\|(3) is contacted,
+where the default port is 80 for HTTP and 443 for HTTPS.
+The HTTP path (aka "CMP alias" in this context) to use is by default \f(CW\*(C`/\*(C'\fR,
+otherwise the string specified via \fBOSSL_CMP_CTX_set1_serverPath\fR\|(3).
On success the function returns the server's response PKIMessage.
.PP
-The function makes use of any \s-1HTTP\s0 callback function
+The function makes use of any HTTP callback function
set via \fBOSSL_CMP_CTX_set_http_cb\fR\|(3).
It respects any timeout value set via \fBOSSL_CMP_CTX_set_option\fR\|(3)
-with an \fB\s-1OSSL_CMP_OPT_MSG_TIMEOUT\s0\fR argument.
-It also respects any \s-1HTTP\s0(S) proxy options set via \fBOSSL_CMP_CTX_set1_proxy\fR\|(3)
+with an \fBOSSL_CMP_OPT_MSG_TIMEOUT\fR argument.
+It also respects any HTTP(S) proxy options set via \fBOSSL_CMP_CTX_set1_proxy\fR\|(3)
and \fBOSSL_CMP_CTX_set1_no_proxy\fR\|(3) and the respective environment variables.
-Proxying plain \s-1HTTP\s0 is supported directly,
-while using a proxy for \s-1HTTPS\s0 connections requires a suitable callback function
+Proxying plain HTTP is supported directly,
+while using a proxy for HTTPS connections requires a suitable callback function
such as \fBOSSL_HTTP_proxy_connect\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210.
-HTTP\s0 transfer for \s-1CMP\s0 is defined in \s-1RFC 6712.\s0
+CMP is defined in RFC 4210.
+HTTP transfer for CMP is defined in RFC 6712.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_CMP_MSG_http_perform()\fR returns a \s-1CMP\s0 message on success, else \s-1NULL.\s0
+\&\fBOSSL_CMP_MSG_http_perform()\fR
+returns the received CMP response message on success, else NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBOSSL_CMP_CTX_new\fR\|(3), \fBOSSL_HTTP_proxy_connect\fR\|(3).
-.SH "HISTORY"
+\&\fBOSSL_CMP_CTX_new\fR\|(3), \fBOSSL_HTTP_open\fR\|(3), and \fBOSSL_HTTP_proxy_connect\fR\|(3).
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.PP
+The \fBOSSL_CMP_MSG_http_perform()\fR use of transfer_cb_arg was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3
index 213fddb6e74d..92091bdbc326 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_SRV_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_SRV_CTX_NEW 3ossl"
-.TH OSSL_CMP_SRV_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_SRV_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_SRV_process_request,
OSSL_CMP_CTX_server_perform,
OSSL_CMP_SRV_CTX_new,
@@ -148,6 +72,9 @@ OSSL_CMP_SRV_genm_cb_t,
OSSL_CMP_SRV_error_cb_t,
OSSL_CMP_SRV_pollReq_cb_t,
OSSL_CMP_SRV_CTX_init,
+OSSL_CMP_SRV_delayed_delivery_cb_t,
+OSSL_CMP_SRV_clean_transaction_cb_t,
+OSSL_CMP_SRV_CTX_init_trans,
OSSL_CMP_SRV_CTX_get0_cmp_ctx,
OSSL_CMP_SRV_CTX_get0_custom_ctx,
OSSL_CMP_SRV_CTX_set_send_unprotected_errors,
@@ -155,7 +82,7 @@ OSSL_CMP_SRV_CTX_set_accept_unprotected,
OSSL_CMP_SRV_CTX_set_accept_raverified,
OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
\&\- generic functions to set up and control a CMP server
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
@@ -206,6 +133,13 @@ OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
\& OSSL_CMP_SRV_error_cb_t process_error,
\& OSSL_CMP_SRV_certConf_cb_t process_certConf,
\& OSSL_CMP_SRV_pollReq_cb_t process_pollReq);
+\& typedef int (*OSSL_CMP_SRV_delayed_delivery_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+\& const OSSL_CMP_MSG *req);
+\& typedef int (*OSSL_CMP_SRV_clean_transaction_cb_t)(OSSL_CMP_SRV_CTX *srv_ctx,
+\& const ASN1_OCTET_STRING *id);
+\& int OSSL_CMP_SRV_CTX_init_trans(OSSL_CMP_SRV_CTX *srv_ctx,
+\& OSSL_CMP_SRV_delayed_delivery_cb_t delay,
+\& OSSL_CMP_SRV_clean_transaction_cb_t clean);
\&
\& OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
\& void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx);
@@ -217,38 +151,53 @@ OSSL_CMP_SRV_CTX_set_grant_implicit_confirm
\& int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
\& int val);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_CMP_SRV_process_request()\fR implements the generic aspects of a \s-1CMP\s0 server.
-Its arguments are the \fB\s-1OSSL_CMP_SRV_CTX\s0\fR \fIsrv_ctx\fR and the \s-1CMP\s0 request message
+\&\fBOSSL_CMP_SRV_process_request()\fR implements the generic aspects of a CMP server.
+Its arguments are the \fBOSSL_CMP_SRV_CTX\fR \fIsrv_ctx\fR and the CMP request message
\&\fIreq\fR. It does the typical generic checks on \fIreq\fR, calls
the respective callback function (if present) for more specific processing,
-and then assembles a result message, which may be a \s-1CMP\s0 error message.
+and then assembles a result message, which may be a CMP error message.
If after return of the function the expression
\&\fIOSSL_CMP_CTX_get_status(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx))\fR yields \-1
then the function has closed the current transaction,
which may be due to normal successful end of the transaction or due to an error.
.PP
\&\fBOSSL_CMP_CTX_server_perform()\fR is an interface to
-\&\fBOSSL_CMP_SRV_process_request()\fR that can be used by a \s-1CMP\s0 client
+\&\fBOSSL_CMP_SRV_process_request()\fR that can be used by a CMP client
in the same way as \fBOSSL_CMP_MSG_http_perform\fR\|(3).
-The \fB\s-1OSSL_CMP_SRV_CTX\s0\fR must be set as \fItransfer_cb_arg\fR of \fIclient_ctx\fR.
+The \fBOSSL_CMP_SRV_CTX\fR must be set as \fItransfer_cb_arg\fR of \fIclient_ctx\fR.
.PP
-\&\fBOSSL_CMP_SRV_CTX_new()\fR creates and initializes an \fB\s-1OSSL_CMP_SRV_CTX\s0\fR structure
+\&\fBOSSL_CMP_SRV_CTX_new()\fR creates and initializes an \fBOSSL_CMP_SRV_CTX\fR structure
associated with the library context \fIlibctx\fR and property query string
-\&\fIpropq\fR, both of which may be \s-1NULL\s0 to select the defaults.
+\&\fIpropq\fR, both of which may be NULL to select the defaults.
.PP
\&\fBOSSL_CMP_SRV_CTX_free()\fR deletes the given \fIsrv_ctx\fR.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_CMP_SRV_CTX_init()\fR sets in the given \fIsrv_ctx\fR a custom server context
-pointer as well as callback functions performing the specific processing of \s-1CMP\s0
+pointer as well as callback functions performing the specific processing of CMP
certificate requests, revocation requests, certificate confirmation requests,
general messages, error messages, and poll requests.
-All arguments except \fIsrv_ctx\fR may be \s-1NULL.\s0
+All arguments except \fIsrv_ctx\fR may be NULL.
If a callback for some message type is not given this means that the respective
-type of \s-1CMP\s0 message is not supported by the server.
-.PP
-\&\fBOSSL_CMP_SRV_CTX_get0_cmp_ctx()\fR returns the \fB\s-1OSSL_CMP_CTX\s0\fR from the \fIsrv_ctx\fR.
+type of CMP message is not supported by the server.
+.PP
+\&\fBOSSL_CMP_SRV_CTX_init_trans()\fR sets in \fIsrv_ctx\fR the optional callback
+functions for initiating delayed delivery and cleaning up a transaction.
+If the <delay> function is NULL then delivery of responses is never delayed.
+Otherwise \fIdelay\fR takes a custom server context and a request message as input.
+It must return 1 if delivery of the respective response shall be delayed,
+0 if not, and \-1 on error.
+If the <clean> function is NULL then no specific cleanup is performed.
+Otherwise \fIclean\fR takes a custom server context and a transaction ID pointer
+as input, where the pointer is NULL in case a new transaction is being started
+and otherwise provides the ID of the transaction being terminated.
+The <clean> function should reset the respective portions of the state
+and free related memory.
+It must return 1 on success and 0 on error.
+.PP
+\&\fBOSSL_CMP_SRV_CTX_get0_cmp_ctx()\fR returns the \fBOSSL_CMP_CTX\fR from the \fIsrv_ctx\fR.
.PP
\&\fBOSSL_CMP_SRV_CTX_get0_custom_ctx()\fR returns the custom server context from
\&\fIsrv_ctx\fR that has been set using \fBOSSL_CMP_SRV_CTX_init()\fR.
@@ -260,38 +209,42 @@ and other forms of negative responses unprotected.
without protection of with invalid protection.
.PP
\&\fBOSSL_CMP_SRV_CTX_set_accept_raverified()\fR enables acceptance of ir/cr/kur
-messages with \s-1POPO\s0 'RAVerified'.
+messages with POPO 'RAVerified'.
.PP
\&\fBOSSL_CMP_SRV_CTX_set_grant_implicit_confirm()\fR enables granting implicit
confirmation of newly enrolled certificates if requested.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
.PP
-So far the \s-1CMP\s0 server implementation is limited to one request per \s-1CMP\s0 message
-(and consequently to at most one response component per \s-1CMP\s0 message).
+So far the CMP server implementation is limited to one request per CMP message
+(and consequently to at most one response component per CMP message).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_CMP_SRV_CTX_new()\fR returns a \fB\s-1OSSL_CMP_SRV_CTX\s0\fR structure on success,
-\&\s-1NULL\s0 on error.
+\&\fBOSSL_CMP_SRV_CTX_new()\fR returns a \fBOSSL_CMP_SRV_CTX\fR structure on success,
+NULL on error.
.PP
\&\fBOSSL_CMP_SRV_CTX_free()\fR does not return a value.
.PP
-\&\fBOSSL_CMP_SRV_CTX_get0_cmp_ctx()\fR returns a \fB\s-1OSSL_CMP_CTX\s0\fR structure on success,
-\&\s-1NULL\s0 on error.
+\&\fBOSSL_CMP_SRV_CTX_get0_cmp_ctx()\fR returns a \fBOSSL_CMP_CTX\fR structure on success,
+NULL on error.
.PP
\&\fBOSSL_CMP_SRV_CTX_get0_custom_ctx()\fR returns the custom server context
that has been set using \fBOSSL_CMP_SRV_CTX_init()\fR.
.PP
All other functions return 1 on success, 0 on error.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_CMP_SRV_CTX_init_trans()\fR
+supporting delayed delivery of all types of response messages
+was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3
index bc90dd503384..81e373505ca9 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_STATUSINFO_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_STATUSINFO_NEW 3ossl"
-.TH OSSL_CMP_STATUSINFO_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_STATUSINFO_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_STATUSINFO_new,
OSSL_CMP_snprint_PKIStatusInfo,
OSSL_CMP_CTX_snprint_PKIStatus
\&\- function(s) for managing the CMP PKIStatus
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
@@ -153,15 +77,15 @@ OSSL_CMP_CTX_snprint_PKIStatus
\& char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf,
\& size_t bufsize);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This is the PKIStatus \s-1API\s0 for using \s-1CMP\s0 (Certificate Management Protocol) with
+This is the PKIStatus API for using CMP (Certificate Management Protocol) with
OpenSSL.
.PP
\&\fBOSSL_CMP_STATUSINFO_new()\fR creates a new PKIStatusInfo structure
and fills in the given values.
It sets the status field to \fIstatus\fR,
-copies \fItext\fR (unless it is \s-1NULL\s0) to statusString,
+copies \fItext\fR (unless it is NULL) to statusString,
and interprets \fIfail_info\fR as bit pattern for the failInfo field.
.PP
\&\fBOSSL_CMP_snprint_PKIStatusInfo()\fR places a human-readable string
@@ -169,27 +93,27 @@ representing the given statusInfo
in the given buffer, with the given maximal length.
.PP
\&\fBOSSL_CMP_CTX_snprint_PKIStatus()\fR places a human-readable string
-representing the PKIStatusInfo components of the \s-1CMP\s0 context \fIctx\fR
+representing the PKIStatusInfo components of the CMP context \fIctx\fR
in the given buffer, with the given maximal length.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_STATUSINFO_new()\fR
-returns a pointer to the structure on success, or \s-1NULL\s0 on error.
+returns a pointer to the structure on success, or NULL on error.
.PP
\&\fBOSSL_CMP_snprint_PKIStatusInfo()\fR and
\&\fBOSSL_CMP_CTX_snprint_PKIStatus()\fR
-return a copy of the buffer pointer containing the string or \s-1NULL\s0 on error.
-.SH "HISTORY"
+return a copy of the buffer pointer containing the string or NULL on error.
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3
index 12390c84f1cf..4d58ece2eae9 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_exec_certreq.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_EXEC_CERTREQ 3ossl"
-.TH OSSL_CMP_EXEC_CERTREQ 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_EXEC_CERTREQ 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_exec_certreq,
OSSL_CMP_exec_IR_ses,
OSSL_CMP_exec_CR_ses,
@@ -148,9 +72,13 @@ OSSL_CMP_P10CR,
OSSL_CMP_KUR,
OSSL_CMP_try_certreq,
OSSL_CMP_exec_RR_ses,
-OSSL_CMP_exec_GENM_ses
+OSSL_CMP_exec_GENM_ses,
+OSSL_CMP_get1_caCerts,
+OSSL_CMP_get1_rootCaKeyUpdate,
+OSSL_CMP_get1_crlUpdate,
+OSSL_CMP_get1_certReqTemplate
\&\- functions implementing CMP client transactions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp.h>
@@ -168,30 +96,41 @@ OSSL_CMP_exec_GENM_ses
\& int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
\& const OSSL_CRMF_MSG *crm, int *checkAfter);
\& int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
+\&
\& STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
+\& int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX *ctx, STACK_OF(X509) **out);
+\& int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
+\& const X509 *oldWithOld, X509 **newWithNew,
+\& X509 **newWithOld, X509 **oldWithNew);
+\& int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert,
+\& const X509_CRL *last_crl,
+\& X509_CRL **crl);
+\& int OSSL_CMP_get1_certReqTemplate(OSSL_CMP_CTX *ctx,
+\& OSSL_CRMF_CERTTEMPLATE **certTemplate,
+\& OSSL_CMP_ATAVS **keySpec);
+\&=head1 DESCRIPTION
.Ve
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-This is the OpenSSL \s-1API\s0 for doing \s-1CMP\s0 (Certificate Management Protocol)
-client-server transactions, i.e., sequences of \s-1CMP\s0 requests and responses.
.PP
-All functions take a populated \s-1OSSL_CMP_CTX\s0 structure as their first argument.
-Usually the server name, port, and path (\*(L"\s-1CMP\s0 alias\*(R") need to be set, as well as
+This is the OpenSSL API for doing CMP (Certificate Management Protocol)
+client-server transactions, i.e., sequences of CMP requests and responses.
+.PP
+All functions take a populated OSSL_CMP_CTX structure as their first argument.
+Usually the server name, port, and path ("CMP alias") need to be set, as well as
credentials the client can use for authenticating itself to the server.
In order to authenticate the server the client typically needs a trust store.
The functions return their respective main results directly, while there are
also accessor functions for retrieving various results and status information
from the \fIctx\fR. See \fBOSSL_CMP_CTX_new\fR\|(3) etc. for details.
.PP
-The default conveying protocol is \s-1HTTP.\s0
+The default conveying protocol is HTTP.
Timeout values may be given per request-response pair and per transaction.
See \fBOSSL_CMP_MSG_http_perform\fR\|(3) for details.
.PP
-\&\fBOSSL_CMP_exec_IR_ses()\fR requests an initial certificate from the given \s-1PKI.\s0
+\&\fBOSSL_CMP_exec_IR_ses()\fR requests an initial certificate from the given PKI.
.PP
\&\fBOSSL_CMP_exec_CR_ses()\fR requests an additional certificate.
.PP
-\&\fBOSSL_CMP_exec_P10CR_ses()\fR conveys a legacy PKCS#10 \s-1CSR\s0 requesting a certificate.
+\&\fBOSSL_CMP_exec_P10CR_ses()\fR conveys a legacy PKCS#10 CSR requesting a certificate.
.PP
\&\fBOSSL_CMP_exec_KUR_ses()\fR obtains an updated certificate.
.PP
@@ -199,15 +138,15 @@ These four types of certificate enrollment are implemented as macros
calling \fBOSSL_CMP_exec_certreq()\fR.
.PP
\&\fBOSSL_CMP_exec_certreq()\fR performs a certificate request of the type specified
-by the \fIreq_type\fR parameter, which may be \s-1IR, CR, P10CR,\s0 or \s-1KUR.\s0
-For \s-1IR, CR,\s0 and \s-1KUR,\s0 the certificate template to be used in the request
-may be supplied via the \fIcrm\fR parameter pointing to a \s-1CRMF\s0 structure.
-Typically \fIcrm\fR is \s-1NULL,\s0 then the template ingredients are taken from \fIctx\fR
+by the \fIreq_type\fR parameter, which may be IR, CR, P10CR, or KUR.
+For IR, CR, and KUR, the certificate template to be used in the request
+may be supplied via the \fIcrm\fR parameter pointing to a CRMF structure.
+Typically \fIcrm\fR is NULL, then the template ingredients are taken from \fIctx\fR
and need to be filled in using \fBOSSL_CMP_CTX_set1_subjectName\fR\|(3),
\&\fBOSSL_CMP_CTX_set0_newPkey\fR\|(3), \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3), etc.
For P10CR, \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3) needs to be used instead.
-The enrollment session may be blocked by sleeping until the addressed
-\&\s-1CA\s0 (or an intermediate \s-1PKI\s0 component) can fully process and answer the request.
+The enrollment session may be blocked (with polling and sleeping in between)
+until the server side can fully process and ultimately answer the request.
.PP
\&\fBOSSL_CMP_try_certreq()\fR is an alternative to the above functions that is
more flexible regarding what to do after receiving a checkAfter value.
@@ -220,9 +159,9 @@ unless the \fIreq_type\fR argument is < 0, which aborts the request.
If the requested certificate is available the function returns 1 and the
caller can use \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) to retrieve the new certificate.
If no error occurred but no certificate is available yet then
-\&\fBOSSL_CMP_try_certreq()\fR remembers in the \s-1CMP\s0 context that it should be retried
+\&\fBOSSL_CMP_try_certreq()\fR remembers in the CMP context that it should be retried
and returns \-1 after assigning the received checkAfter value
-via the output pointer argument (unless it is \s-1NULL\s0).
+via the output pointer argument (unless it is NULL).
The checkAfter value indicates the number of seconds the caller should let pass
before trying again. The caller is free to sleep for the given number of seconds
or for some other time and/or to do anything else before retrying by calling
@@ -231,43 +170,99 @@ or for some other time and/or to do anything else before retrying by calling
to see whether meanwhile the requested certificate is available.
If the caller decides to abort the pending certificate request and provides
a negative value as the \fIreq_type\fR argument then \fBOSSL_CMP_try_certreq()\fR
-aborts the \s-1CMP\s0 transaction by sending an error message to the server.
+aborts the CMP transaction by sending an error message to the server.
.PP
\&\fBOSSL_CMP_exec_RR_ses()\fR requests the revocation of the certificate
-specified in the \fIctx\fR using \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3).
-\&\s-1RFC 4210\s0 is vague in which PKIStatus should be returned by the server.
-We take \*(L"accepted\*(R" and \*(L"grantedWithMods\*(R" as clear success and handle
-\&\*(L"revocationWarning\*(R" and \*(L"revocationNotification\*(R" just as warnings because CAs
+specified in the \fIctx\fR using the issuer DN and serial number set by
+\&\fBOSSL_CMP_CTX_set1_issuer\fR\|(3) and \fBOSSL_CMP_CTX_set1_serialNumber\fR\|(3), respectively,
+otherwise the issuer DN and serial number
+of the certificate set by \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3),
+otherwise the subject DN and public key
+of the certificate signing request set by \fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3).
+RFC 4210 is vague in which PKIStatus should be returned by the server.
+We take "accepted" and "grantedWithMods" as clear success and handle
+"revocationWarning" and "revocationNotification" just as warnings because CAs
typically return them as an indication that the certificate was already revoked.
-\&\*(L"rejection\*(R" is a clear error. The values \*(L"waiting\*(R" and \*(L"keyUpdateWarning\*(R"
+"rejection" is a clear error. The values "waiting" and "keyUpdateWarning"
make no sense for revocation and thus are treated as an error as well.
+The revocation session may be blocked (with polling and sleeping in between)
+until the server can fully process and ultimately answer the request.
.PP
-\&\fBOSSL_CMP_exec_GENM_ses()\fR sends a general message containing the sequence of
-infoType and infoValue pairs (InfoTypeAndValue; short: \fB\s-1ITAV\s0\fR)
+\&\fBOSSL_CMP_exec_GENM_ses()\fR sends a genm general message containing the sequence of
+infoType and infoValue pairs (InfoTypeAndValue; short: \fBITAV\fR)
optionally provided in the \fIctx\fR using \fBOSSL_CMP_CTX_push0_genm_ITAV\fR\|(3).
-On success it records in \fIctx\fR the status \fBOSSL_CMP_PKISTATUS_accepted\fR
-and returns the list of \fB\s-1ITAV\s0\fRs received in the \s-1GENP\s0 message.
-This can be used, for instance, to poll for CRLs or \s-1CA\s0 Key Updates.
-See \s-1RFC 4210\s0 section 5.3.19 and appendix E.5 for details.
-.SH "NOTES"
+The message exchange may be blocked (with polling and sleeping in between)
+until the server can fully process and ultimately answer the request.
+On success the function records in \fIctx\fR status \fBOSSL_CMP_PKISTATUS_accepted\fR
+and returns the list of \fBITAV\fRs received in a genp response message.
+This can be used, for instance,
+with infoType \f(CW\*(C`signKeyPairTypes\*(C'\fR to obtain the set of signature
+algorithm identifiers that the CA will certify for subject public keys.
+See RFC 4210 section 5.3.19 and appendix E.5 for details.
+Functions implementing more specific genm/genp exchanges are described next.
+.PP
+\&\fBOSSL_CMP_get1_caCerts()\fR uses a genm/genp message exchange with infoType caCerts
+to obtain a list of CA certificates from the CMP server referenced by \fIctx\fR.
+On success it assigns to \fI*out\fR the list of certificates received,
+which must be freed by the caller.
+NULL output means that no CA certificates were provided by the server.
+.PP
+\&\fBOSSL_CMP_get1_rootCaKeyUpdate()\fR uses a genm request message
+with infoType rootCaCert to obtain from the CMP server referenced by \fIctx\fR
+in a genp response message with infoType rootCaKeyUpdate any update of the
+given root CA certificate \fIoldWithOld\fR and verifies it as far as possible.
+See RFC 4210 section 4.4 for details.
+On success it assigns to \fI*newWithNew\fR the root certificate received.
+When the \fInewWithOld\fR and \fIoldWithNew\fR output parameters are not NULL,
+it assigns to them the corresponding transition certificates.
+NULL means that the respective certificate was not provided by the server.
+All certificates obtained this way must be freed by the caller.
+.PP
+\&\fBWARNING:\fR
+The \fInewWithNew\fR certificate is meant to be a certificate that will be trusted.
+The trust placed in it cannot be stronger than the trust placed in
+the \fIoldwithold\fR certificate if present, otherwise it cannot be stronger than
+the weakest trust in any of the certificates in the trust store of \fIctx\fR.
+.PP
+\&\fBOSSL_CMP_get1_crlUpdate()\fR uses a genm request message with infoType crlStatusList
+to obtain CRL from the CMP server referenced by \fIctx\fR in a genp response message
+with infoType crls. It uses \fIlast_crl\fR and \fIcrlcert\fR to create
+a request with a status field as described for \fBOSSL_CMP_CRLSTATUS_create\fR\|(3).
+On success it assigns to \fI*crl\fR the CRL received.
+NULL means that no CRL was provided by the server.
+The CRL obtained this way must be freed by the caller.
+.PP
+\&\fBOSSL_CMP_get1_certReqTemplate()\fR uses a genm request message with
+infoType certReqTemplate to obtain a certificate request template from the
+CMP server referenced by \fIctx\fR. On success it assigns to \fI*certTemplate\fR
+the certificate template received. NULL output means that no certificate
+request template was provided by the server.
+The optional \fIkeySpec\fR output parameter is assigned the key specification
+if received, otherwise it set to NULL.
+Both must be freed by the caller.
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
.PP
-The \s-1CMP\s0 client implementation is limited to one request per \s-1CMP\s0 message
-(and consequently to at most one response component per \s-1CMP\s0 message).
+The CMP client implementation is limited to one request per CMP message
+(and consequently to at most one response component per CMP message).
.PP
-When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to
-trust, for instance via the caPubs field of a certificate response,
-authentication of the \s-1CMP\s0 server is particularly critical.
+When a client obtains from a CMP server CA certificates that it is going to
+trust, for instance via the caPubs field of a certificate response or using
+functions like \fBOSSL_CMP_get1_caCerts()\fR and \fBOSSL_CMP_get1_rootCaKeyUpdate()\fR,
+authentication of the CMP server is particularly critical.
So special care must be taken setting up server authentication in \fIctx\fR
using functions such as
-\&\fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3) (for certificate-based authentication) or
+\&\fBOSSL_CMP_CTX_set0_trusted\fR\|(3) (for certificate-based authentication) or
\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3) (for MAC-based protection).
+If authentication is certificate-based, \fBOSSL_CMP_CTX_get0_validatedSrvCert\fR\|(3)
+should be used to obtain the server validated certificate
+and perform an authorization check based on it.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_exec_certreq()\fR, \fBOSSL_CMP_exec_IR_ses()\fR, \fBOSSL_CMP_exec_CR_ses()\fR,
\&\fBOSSL_CMP_exec_P10CR_ses()\fR, and \fBOSSL_CMP_exec_KUR_ses()\fR return a
-pointer to the newly obtained X509 certificate on success, \s-1NULL\s0 on error.
+pointer to the newly obtained X509 certificate on success, NULL on error.
This pointer will be freed implicitly by \fBOSSL_CMP_CTX_free()\fR or
\&\fBCSSL_CMP_CTX_reinit()\fR.
.PP
@@ -275,18 +270,21 @@ This pointer will be freed implicitly by \fBOSSL_CMP_CTX_free()\fR or
via \fBOSSL_CMP_CTX_get0_newCert\fR\|(3)
or on successfully aborting a pending certificate request, 0 on error, and \-1
in case a 'waiting' status has been received and checkAfter value is available.
-In the latter case \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) yields \s-1NULL\s0
+In the latter case \fBOSSL_CMP_CTX_get0_newCert\fR\|(3) yields NULL
and the output parameter \fIcheckAfter\fR has been used to
-assign the received value unless \fIcheckAfter\fR is \s-1NULL.\s0
+assign the received value unless \fIcheckAfter\fR is NULL.
.PP
-\&\fBOSSL_CMP_exec_RR_ses()\fR returns 1 on success, 0 on error.
+\&\fBOSSL_CMP_exec_RR_ses()\fR, \fBOSSL_CMP_get1_caCerts()\fR,
+\&\fBOSSL_CMP_get1_rootCaKeyUpdate()\fR, \fBOSSL_CMP_get1_crlUpdate()\fR
+and \fBOSSL_CMP_get1_certReqTemplate()\fR
+return 1 on success, 0 on error.
.PP
-\&\fBOSSL_CMP_exec_GENM_ses()\fR returns \s-1NULL\s0 on error,
-otherwise a pointer to the sequence of \fB\s-1ITAV\s0\fR received, which may be empty.
+\&\fBOSSL_CMP_exec_GENM_ses()\fR returns NULL on error,
+otherwise a pointer to the sequence of \fBITAV\fR received, which may be empty.
This pointer must be freed by the caller.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-See \s-1OSSL_CMP_CTX\s0 for examples on how to prepare the context for these
+See OSSL_CMP_CTX for examples on how to prepare the context for these
functions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -294,15 +292,24 @@ functions.
\&\fBOSSL_CMP_CTX_set1_subjectName\fR\|(3), \fBOSSL_CMP_CTX_set0_newPkey\fR\|(3),
\&\fBOSSL_CMP_CTX_set1_p10CSR\fR\|(3), \fBOSSL_CMP_CTX_set1_oldCert\fR\|(3),
\&\fBOSSL_CMP_CTX_get0_newCert\fR\|(3), \fBOSSL_CMP_CTX_push0_genm_ITAV\fR\|(3),
-\&\fBOSSL_CMP_MSG_http_perform\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_CMP_MSG_http_perform\fR\|(3), \fBOSSL_CMP_CRLSTATUS_create\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_CMP_get1_caCerts()\fR and \fBOSSL_CMP_get1_rootCaKeyUpdate()\fR
+were added in OpenSSL 3.2.
+.PP
+Support for delayed delivery of all types of response messages
+was added in OpenSSL 3.3.
+.PP
+\&\fBOSSL_CMP_get1_crlUpdate()\fR and \fBOSSL_CMP_get1_certReqTemplate()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3
index a98cd4860761..ecaf9546dff2 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_log_open.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_LOG_OPEN 3ossl"
-.TH OSSL_CMP_LOG_OPEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_LOG_OPEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_log_open,
OSSL_CMP_log_close,
OSSL_CMP_severity,
@@ -154,7 +78,7 @@ OSSL_CMP_log_cb_t,
OSSL_CMP_print_to_bio,
OSSL_CMP_print_errors_cb
\&\- functions for logging and error reporting
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cmp_util.h>
@@ -181,17 +105,17 @@ OSSL_CMP_print_errors_cb
\& int line, OSSL_CMP_severity level, const char *msg);
\& void OSSL_CMP_print_errors_cb(OSSL_CMP_log_cb_t log_fn);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The logging and error reporting facility described here contains
convenience functions for CMP-specific logging,
including a string prefix mirroring the severity levels of syslog.h,
and enhancements of the error queue mechanism needed for large diagnostic
-messages produced by the \s-1CMP\s0 library in case of certificate validation failures.
+messages produced by the CMP library in case of certificate validation failures.
.PP
When an interesting activity is performed or an error occurs, some detail
should be provided for user information, debugging, and auditing purposes.
-A \s-1CMP\s0 application can obtain this information by providing a callback function
+A CMP application can obtain this information by providing a callback function
with the following type:
.PP
.Vb 3
@@ -201,8 +125,8 @@ with the following type:
.Ve
.PP
The parameters may provide
-some component info (which may be a module name and/or function name) or \s-1NULL,\s0
-a file pathname or \s-1NULL,\s0
+some component info (which may be a module name and/or function name) or NULL,
+a file pathname or NULL,
a line number or 0 indicating the source code location,
a severity level, and
a message string describing the nature of the event, terminated by '\en'.
@@ -212,14 +136,14 @@ of auditing may be required. Therefore, the logging facility supports a severity
level and the callback function has a \fIlevel\fR parameter indicating such a
level, such that error, warning, info, debug, etc. can be treated differently.
The callback is activated only when the severity level is sufficient according
-to the current level of verbosity, which by default is \fB\s-1OSSL_CMP_LOG_INFO\s0\fR.
+to the current level of verbosity, which by default is \fBOSSL_CMP_LOG_INFO\fR.
.PP
The callback function may itself do non-trivial tasks like writing to
a log file or remote stream, which in turn may fail.
Therefore, the function should return 1 on success and 0 on failure.
.PP
\&\fBOSSL_CMP_log_open()\fR initializes the CMP-specific logging facility to output
-everything to \s-1STDOUT.\s0 It fails if the integrated tracing is disabled or \s-1STDIO\s0
+everything to STDOUT. It fails if the integrated tracing is disabled or STDIO
is not available. It may be called during application startup.
Alternatively, \fBOSSL_CMP_CTX_set_log_cb\fR\|(3) can be used for more flexibility.
As long as neither if the two is used any logging output is ignored.
@@ -231,26 +155,26 @@ It may be called multiple times. It does get called at OpenSSL shutdown.
\&\fBOSSL_CMP_print_to_bio()\fR prints the given component info, filename, line number,
severity level, and log message or error queue message to the given \fIbio\fR.
\&\fIcomponent\fR usually is a function or module name.
-If it is \s-1NULL,\s0 empty, or \*(L"(unknown function)\*(R" then \*(L"\s-1CMP\*(R"\s0 is used as fallback.
+If it is NULL, empty, or "(unknown function)" then "CMP" is used as fallback.
.PP
\&\fBOSSL_CMP_print_errors_cb()\fR outputs any entries in the OpenSSL error queue.
-It is similar to \fBERR_print_errors_cb\fR\|(3) but uses the \s-1CMP\s0 log callback
-function \fIlog_fn\fR for uniformity with \s-1CMP\s0 logging if not \s-1NULL.\s0 Otherwise it
-prints to \s-1STDERR\s0 using \fBOSSL_CMP_print_to_bio\fR\|(3) (unless \fB\s-1OPENSSL_NO_STDIO\s0\fR
+It is similar to \fBERR_print_errors_cb\fR\|(3) but uses the CMP log callback
+function \fIlog_fn\fR for uniformity with CMP logging if not NULL. Otherwise it
+prints to STDERR using \fBOSSL_CMP_print_to_bio\fR\|(3) (unless \fBOPENSSL_NO_STDIO\fR
is defined).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_log_close()\fR and \fBOSSL_CMP_print_errors_cb()\fR do not return anything.
.PP
All other functions return 1 on success, 0 on error.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3 b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
index 8baced1731e6..d05fb26e6aff 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CMP_validate_msg.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CMP_VALIDATE_MSG 3ossl"
-.TH OSSL_CMP_VALIDATE_MSG 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CMP_VALIDATE_MSG 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CMP_validate_msg,
OSSL_CMP_validate_cert_path
\&\- functions for verifying CMP message protection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 4
\& #include <openssl/cmp.h>
@@ -148,15 +72,15 @@ OSSL_CMP_validate_cert_path
\& int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
\& X509_STORE *trusted_store, X509 *cert);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This is the \s-1API\s0 for validating the protection of \s-1CMP\s0 messages,
-which includes validating \s-1CMP\s0 message sender certificates and their paths
+This is the API for validating the protection of CMP messages,
+which includes validating CMP message sender certificates and their paths
while optionally checking the revocation status of the certificates(s).
.PP
\&\fBOSSL_CMP_validate_msg()\fR validates the protection of the given \fImsg\fR,
-which must be signature-based or using password-based \s-1MAC\s0 (\s-1PBM\s0).
-In the former case a suitable trust anchor must be given in the \s-1CMP\s0 context
+which must be signature-based or using password-based MAC (PBM).
+In the former case a suitable trust anchor must be given in the CMP context
\&\fIctx\fR, and in the latter case the matching secret must have been set there
using \fBOSSL_CMP_CTX_set1_secretValue\fR\|(3).
.PP
@@ -165,21 +89,26 @@ is preferably the one provided by a call to \fBOSSL_CMP_CTX_set1_srvCert\fR\|(3)
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the \fImsg\fR extraCerts, then any
certificates provided before via \fBOSSL_CMP_CTX_set1_untrusted\fR\|(3), and
-then all trusted certificates provided via \fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3),
-where a candidate is acceptable only if has not expired, its subject \s-1DN\s0 matches
-the \fImsg\fR sender \s-1DN\s0 (as far as present), and its subject key identifier
-is present and matches the senderKID (as far as the latter present).
+then all trusted certificates provided via \fBOSSL_CMP_CTX_set0_trusted\fR\|(3).
+A candidate certificate is acceptable only if it is currently valid
+(or the trust store contains a verification callback that overrides the verdict
+that the certificate is expired or not yet valid), its subject DN matches
+the \fImsg\fR sender DN (as far as present), and its subject key identifier
+is present and matches the senderKID (as far as the latter is present).
Each acceptable cert is tried in the given order to see if the message
signature check succeeds and the cert and its path can be verified
-using any trust store set via \fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3).
+using any trust store set via \fBOSSL_CMP_CTX_set0_trusted\fR\|(3).
.PP
-If the option \s-1OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR\s0 was set by calling
-\&\fBOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (\s-1IP\s0) message
-any self-issued certificate from the \fImsg\fR extraCerts field may also be used
-as trust anchor for the path verification of an acceptable cert if it can be
-used also to validate the issued certificate returned in the \s-1IP\s0 message. This is
-according to \s-1TS 33.310\s0 [Network Domain Security (\s-1NDS\s0); Authentication Framework
-(\s-1AF\s0)] document specified by the The 3rd Generation Partnership Project (3GPP).
+If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
+\&\fBOSSL_CMP_CTX_set_option\fR\|(3), for an Initialization Response (IP) message
+any self-issued certificate from the \fImsg\fR extraCerts field may be used
+as a trust anchor for the path verification of an 'acceptable' cert if it can be
+used also to validate the issued certificate returned in the IP message. This is
+according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
+(AF)] document specified by The 3rd Generation Partnership Project (3GPP).
+Note that using this option is dangerous as the certificate obtained this way
+has not been authenticated (at least not at CMP level).
+Taking it over as a trust anchor implements trust-on-first-use (TOFU).
.PP
Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.
@@ -187,9 +116,9 @@ validating the signatures of subsequent messages in the same transaction.
\&\fBOSSL_CMP_validate_cert_path()\fR attempts to validate the given certificate and its
path using the given store of trusted certs (possibly including CRLs and a cert
verification callback) and non-trusted intermediate certs from the \fIctx\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1CMP\s0 is defined in \s-1RFC 4210\s0 (and \s-1CRMF\s0 in \s-1RFC 4211\s0).
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CMP_validate_msg()\fR and \fBOSSL_CMP_validate_cert_path()\fR
@@ -198,15 +127,15 @@ return 1 on success, 0 on error or validation failed.
.IX Header "SEE ALSO"
\&\fBOSSL_CMP_CTX_new\fR\|(3), \fBOSSL_CMP_exec_certreq\fR\|(3),
\&\fBOSSL_CMP_CTX_set1_secretValue\fR\|(3), \fBOSSL_CMP_CTX_set1_srvCert\fR\|(3),
-\&\fBOSSL_CMP_CTX_set1_untrusted\fR\|(3), \fBOSSL_CMP_CTX_set0_trustedStore\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_CMP_CTX_set1_untrusted\fR\|(3), \fBOSSL_CMP_CTX_set0_trusted\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CMP\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CMP support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3 b/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3
index 6078f93f89dd..e40dd042cd49 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CORE_MAKE_FUNC.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CORE_MAKE_FUNC 3ossl"
-.TH OSSL_CORE_MAKE_FUNC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CORE_MAKE_FUNC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CORE_MAKE_FUNC,
SSL_OP_BIT,
EXT_UTF8STRING
\&\- OpenSSL reserved symbols
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
@@ -150,7 +74,7 @@ EXT_UTF8STRING
\& #define SSL_OP_BIT(n)
\& #define EXT_UTF8STRING(nid)
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
There are certain macros that may appear in OpenSSL header files that are
reserved for internal use. They should not be used by applications or assumed
@@ -160,14 +84,14 @@ All the macros listed in the synopsis above are reserved.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Not applicable.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The macros described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3
index 3bb5ee3a0389..0347faf02671 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_get0_tmpl.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,97 +52,45 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CRMF_MSG_GET0_TMPL 3ossl"
-.TH OSSL_CRMF_MSG_GET0_TMPL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CRMF_MSG_GET0_TMPL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CRMF_MSG_get0_tmpl,
-OSSL_CRMF_CERTTEMPLATE_get0_serialNumber,
+OSSL_CRMF_CERTTEMPLATE_get0_publicKey,
OSSL_CRMF_CERTTEMPLATE_get0_subject,
OSSL_CRMF_CERTTEMPLATE_get0_issuer,
+OSSL_CRMF_CERTTEMPLATE_get0_serialNumber,
OSSL_CRMF_CERTTEMPLATE_get0_extensions,
OSSL_CRMF_CERTID_get0_serialNumber,
OSSL_CRMF_CERTID_get0_issuer,
+OSSL_CRMF_ENCRYPTEDKEY_get1_encCert,
+OSSL_CRMF_ENCRYPTEDKEY_get1_pkey,
+OSSL_CRMF_ENCRYPTEDKEY_init_envdata,
+OSSL_CRMF_ENCRYPTEDVALUE_decrypt,
OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
-OSSL_CRMF_MSG_get_certReqId
+OSSL_CRMF_MSG_get_certReqId,
+OSSL_CRMF_MSG_centralkeygen_requested
\&\- functions reading from CRMF CertReqMsg structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crmf.h>
\&
\& OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
-\& const ASN1_INTEGER
-\& *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl);
+\& X509_PUBKEY
+\& *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl);
\& const X509_NAME
\& *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl);
\& const X509_NAME
\& *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl);
+\& const ASN1_INTEGER
+\& *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl);
\& X509_EXTENSIONS
\& *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl);
\&
@@ -166,18 +98,36 @@ OSSL_CRMF_MSG_get_certReqId
\& *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
\& const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
\&
+\& X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert,
+\& OSSL_LIB_CTX *libctx, const char *propq,
+\& EVP_PKEY *pkey, unsigned int flags);
+\& EVP_PKEY
+\& *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey,
+\& X509_STORE *ts, STACK_OF(X509) *extra,
+\& EVP_PKEY *pkey, X509 *cert,
+\& ASN1_OCTET_STRING *secret,
+\& OSSL_LIB_CTX *libctx, const char *propq);
+\& OSSL_CRMF_ENCRYPTEDKEY
+\& *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata);
+\&
+\& unsigned char
+\& *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc,
+\& OSSL_LIB_CTX *libctx, const char *propq,
+\& EVP_PKEY *pkey, int *outlen);
\& X509
\& *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
\& OSSL_LIB_CTX *libctx, const char *propq,
\& EVP_PKEY *pkey);
\&
\& int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm);
+\& int OSSL_CRMF_MSG_centralkeygen_requested(const OSSL_CRMF_MSG *crm,
+\& const X509_REQ *p10cr);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_CRMF_MSG_get0_tmpl()\fR retrieves the certificate template of \fIcrm\fR.
.PP
-\&\fBOSSL_CRMF_CERTTEMPLATE_get0_serialNumber()\fR retrieves the serialNumber of the
+\&\fBOSSL_CRMF_CERTTEMPLATE_get0_publicKey()\fR retrieves the public key of the
given certificate template \fItmpl\fR.
.PP
\&\fBOSSL_CRMF_CERTTEMPLATE_get0_subject()\fR retrieves the subject name of the
@@ -186,40 +136,86 @@ given certificate template \fItmpl\fR.
\&\fBOSSL_CRMF_CERTTEMPLATE_get0_issuer()\fR retrieves the issuer name of the
given certificate template \fItmpl\fR.
.PP
+\&\fBOSSL_CRMF_CERTTEMPLATE_get0_serialNumber()\fR retrieves the serialNumber of the
+given certificate template \fItmpl\fR.
+.PP
\&\fBOSSL_CRMF_CERTTEMPLATE_get0_extensions()\fR retrieves the X.509 extensions
-of the given certificate template \fItmpl\fR, or \s-1NULL\s0 if not present.
+of the given certificate template \fItmpl\fR, or NULL if not present.
.PP
OSSL_CRMF_CERTID_get0_serialNumber retrieves the serialNumber
of the given CertId \fIcid\fR.
.PP
OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name
-of the given CertId \fIcid\fR, which must be of \s-1ASN.1\s0 type \s-1GEN_DIRNAME.\s0
+of the given CertId \fIcid\fR, which must be of ASN.1 type GEN_DIRNAME.
+.PP
+\&\fBOSSL_CRMF_ENCRYPTEDKEY_get1_encCert()\fR decrypts the certificate in the given
+encryptedKey \fIecert\fR, using the private key \fIpkey\fR, library context
+\&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)).
+This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2.
+The function returns the decrypted certificate as a copy, leaving its ownership
+with the caller, who is responsible for freeing it.
+.PP
+\&\fBOSSL_CRMF_ENCRYPTEDKEY_get1_pkey()\fR decrypts the private key in \fIencryptedKey\fR.
+If \fIencryptedKey\fR is not of type \fBOSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA\fR,
+decryption uses the private key \fIpkey\fR.
+The library context \fIlibctx\fR and property query \fIpropq\fR are taken into account as usual.
+The rest of this paragraph is relevant only if CMS support not disabled for the OpenSSL build
+and \fIencryptedKey\fR is of type case \fBOSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA\fR.
+Decryption uses the \fIsecret\fR parameter if not NULL;
+otherwise uses the private key <pkey> and the certificate \fIcert\fR
+related to \fIpkey\fR, where \fIcert\fR is recommended to be given if available.
+On success, the function verifies the decrypted data as signed data,
+using the trust store \fIts\fR and any untrusted certificates in \fIextra\fR.
+Doing so, it checks for the purpose "CMP Key Generation Authority" (cmKGA).
+.PP
+\&\fBOSSL_CRMF_ENCRYPTEDKEY_init_envdata()\fR returns \fIOSSL_CRMF_ENCRYPTEDKEY\fR, initialized with
+the enveloped data \fIenvdata\fR.
+.PP
+\&\fBOSSL_CRMF_ENCRYPTEDVALUE_decrypt()\fR decrypts the encrypted value in the given
+encryptedValue \fIenc\fR, using the private key \fIpkey\fR, library context
+\&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)).
.PP
\&\fBOSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()\fR decrypts the certificate in the given
encryptedValue \fIecert\fR, using the private key \fIpkey\fR, library context
-\&\fIlibctx\fR and property query string \fIpropq\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)).
-This is needed for the indirect \s-1POPO\s0 method as in \s-1RFC 4210\s0 section 5.2.8.2.
+\&\fIlibctx\fR and property query string \fIpropq\fR (see \fBOSSL_LIB_CTX\fR\|(3)).
+This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2.
The function returns the decrypted certificate as a copy, leaving its ownership
with the caller, who is responsible for freeing it.
.PP
\&\fBOSSL_CRMF_MSG_get_certReqId()\fR retrieves the certReqId of \fIcrm\fR.
+.PP
+\&\fBOSSL_CRMF_MSG_centralkeygen_requested()\fR returns 1 if central key generation
+is requested i.e., the public key in the certificate request (\fIcrm\fR is taken if it is non-NULL,
+otherwise \fIp10cr\fR) is NULL or has an empty key value (with length zero).
+In case \fIcrm\fR is non-NULL, this is checked for consistency with its \fBpopo\fR field
+(must be NULL if and only if central key generation is requested).
+Otherwise it returns 0, and on error a negative value.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_CRMF_MSG_get_certReqId()\fR returns the certificate request \s-1ID\s0 as a
+\&\fBOSSL_CRMF_MSG_get_certReqId()\fR returns the certificate request ID as a
nonnegative integer or \-1 on error.
.PP
-All other functions return a pointer with the intended result or \s-1NULL\s0 on error.
+\&\fBOSSL_CRMF_MSG_centralkeygen_requested()\fR returns 1 if central key generation
+is requested, 0 if it is not requested, and a negative value on error.
+.PP
+All other functions return a pointer with the intended result or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1RFC 4211\s0
-.SH "HISTORY"
+RFC 4211
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CRMF\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_CRMF_CERTTEMPLATE_get0_publicKey()\fR was added in OpenSSL 3.2.
+.PP
+\&\fBOSSL_CRMF_ENCRYPTEDKEY_get1_encCert()\fR, \fBOSSL_CRMF_ENCRYPTEDKEY_get1_pkey()\fR,
+\&\fBOSSL_CRMF_ENCRYPTEDKEY_init_envdata()\fR, \fBOSSL_CRMF_ENCRYPTEDVALUE_decrypt()\fR
+and \fBOSSL_CRMF_MSG_centralkeygen_requested()\fR were added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3
index 4a7daa1a7684..9172ca3f2b1d 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set0_validity.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CRMF_MSG_SET0_VALIDITY 3ossl"
-.TH OSSL_CRMF_MSG_SET0_VALIDITY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CRMF_MSG_SET0_VALIDITY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CRMF_MSG_set0_validity,
OSSL_CRMF_MSG_set_certReqId,
OSSL_CRMF_CERTTEMPLATE_fill,
@@ -145,7 +69,7 @@ OSSL_CRMF_MSG_push0_extension,
OSSL_CRMF_MSG_create_popo,
OSSL_CRMF_MSGS_verify_popo
\&\- functions populating and verifying CRMF CertReqMsg structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crmf.h>
@@ -173,11 +97,11 @@ OSSL_CRMF_MSGS_verify_popo
\& int rid, int acceptRAVerified,
\& OSSL_LIB_CTX *libctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_CRMF_MSG_set0_validity()\fR sets the \fInotBefore\fR and \fInotAfter\fR fields
as validity constraints in the certTemplate of \fIcrm\fR.
-Any of the \fInotBefore\fR and \fInotAfter\fR parameters may be \s-1NULL,\s0
+Any of the \fInotBefore\fR and \fInotAfter\fR parameters may be NULL,
which means no constraint for the respective field.
On success ownership of \fInotBefore\fR and \fInotAfter\fR is transferred to \fIcrm\fR.
.PP
@@ -196,32 +120,32 @@ certTemplate of \fIcrm\fR. Frees any pre-existing ones and consumes \fIexts\fR.
\&\fBOSSL_CRMF_MSG_push0_extension()\fR pushes the X509 extension \fIext\fR to the
extensions in the certTemplate of \fIcrm\fR. Consumes \fIext\fR.
.PP
-\&\fBOSSL_CRMF_MSG_create_popo()\fR creates and sets the Proof-of-Possession (\s-1POPO\s0)
+\&\fBOSSL_CRMF_MSG_create_popo()\fR creates and sets the Proof-of-Possession (POPO)
according to the method \fImeth\fR in \fIcrm\fR.
The library context \fIlibctx\fR and property query string \fIpropq\fR,
-may be \s-1NULL\s0 to select the defaults.
-In case the method is \s-1OSSL_CRMF_POPO_SIGNATURE\s0 the \s-1POPO\s0 is calculated
+may be NULL to select the defaults.
+In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
using the private key \fIpkey\fR and the digest method \fIdigest\fR,
where the \fIdigest\fR argument is ignored if \fIpkey\fR is of a type (such as
Ed25519 and Ed448) that is implicitly associated with a digest algorithm.
.PP
\&\fImeth\fR can be one of the following:
-.IP "\(bu" 8
-\&\s-1OSSL_CRMF_POPO_NONE\s0 \- \s-1RFC 4211,\s0 section 4, \s-1POP\s0 field omitted.
-\&\s-1CA/RA\s0 uses out-of-band method to verify \s-1POP.\s0 Note that servers may fail in this
-case, resulting for instance in \s-1HTTP\s0 error code 500 (Internal error).
-.IP "\(bu" 8
-\&\s-1OSSL_CRMF_POPO_RAVERIFIED\s0 \- \s-1RFC 4211,\s0 section 4, explicit indication
-that the \s-1RA\s0 has already verified the \s-1POP.\s0
-.IP "\(bu" 8
-\&\s-1OSSL_CRMF_POPO_SIGNATURE\s0 \- \s-1RFC 4211,\s0 section 4.1, only case 3 supported
+.IP \(bu 8
+OSSL_CRMF_POPO_NONE \- RFC 4211, section 4, POP field omitted.
+CA/RA uses out-of-band method to verify POP. Note that servers may fail in this
+case, resulting for instance in HTTP error code 500 (Internal error).
+.IP \(bu 8
+OSSL_CRMF_POPO_RAVERIFIED \- RFC 4211, section 4, explicit indication
+that the RA has already verified the POP.
+.IP \(bu 8
+OSSL_CRMF_POPO_SIGNATURE \- RFC 4211, section 4.1, only case 3 supported
so far.
-.IP "\(bu" 8
-\&\s-1OSSL_CRMF_POPO_KEYENC\s0 \- \s-1RFC 4211,\s0 section 4.2, only indirect method
+.IP \(bu 8
+OSSL_CRMF_POPO_KEYENC \- RFC 4211, section 4.2, only indirect method
(subsequentMessage/enccert) supported,
challenge-response exchange (challengeResp) not yet supported.
-.IP "\(bu" 8
-\&\s-1OSSL_CRMF_POPO_KEYAGREE\s0 \- \s-1RFC 4211,\s0 section 4.3, not yet supported.
+.IP \(bu 8
+OSSL_CRMF_POPO_KEYAGREE \- RFC 4211, section 4.3, not yet supported.
.PP
OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
the given \fIrid\fR in the list of \fIreqs\fR. Optionally accepts RAVerified. It can
@@ -231,15 +155,15 @@ make use of the library context \fIlibctx\fR and property query string \fIpropq\
All functions return 1 on success, 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1RFC 4211\s0
-.SH "HISTORY"
+RFC 4211
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CRMF\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3
index d97de742711a..62510a11eeee 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl"
-.TH OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CRMF_MSG_SET1_REGCTRL_REGTOKEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CRMF_MSG_get0_regCtrl_regToken,
OSSL_CRMF_MSG_set1_regCtrl_regToken,
OSSL_CRMF_MSG_get0_regCtrl_authenticator,
@@ -152,7 +76,7 @@ OSSL_CRMF_MSG_get0_regCtrl_oldCertID,
OSSL_CRMF_MSG_set1_regCtrl_oldCertID,
OSSL_CRMF_CERTID_gen
\&\- functions getting or setting CRMF Registration Controls
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crmf.h>
@@ -187,73 +111,73 @@ OSSL_CRMF_CERTID_gen
\& OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
\& const ASN1_INTEGER *serial);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Each of the \fBOSSL_CRMF_MSG_get0_regCtrl_X()\fR functions
returns the respective control X in the given \fImsg\fR, if present.
.PP
\&\fBOSSL_CRMF_MSG_set1_regCtrl_regToken()\fR sets the regToken control in the given
-\&\fImsg\fR copying the given \fItok\fR as value. See \s-1RFC 4211,\s0 section 6.1.
+\&\fImsg\fR copying the given \fItok\fR as value. See RFC 4211, section 6.1.
.PP
\&\fBOSSL_CRMF_MSG_set1_regCtrl_authenticator()\fR sets the authenticator control in
-the given \fImsg\fR copying the given \fIauth\fR as value. See \s-1RFC 4211,\s0 section 6.2.
+the given \fImsg\fR copying the given \fIauth\fR as value. See RFC 4211, section 6.2.
.PP
\&\fBOSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo()\fR pushes the given \fIspi\fR
to \fIsi\fR. Consumes the \fIspi\fR pointer.
.PP
\&\fBOSSL_CRMF_MSG_set0_SinglePubInfo()\fR sets in the given SinglePubInfo \fIspi\fR
the \fImethod\fR and publication location, in the form of a GeneralName, \fInm\fR.
-The publication location is optional, and therefore \fInm\fR may be \s-1NULL.\s0
+The publication location is optional, and therefore \fInm\fR may be NULL.
The function consumes the \fInm\fR pointer if present.
Available methods are:
- # define \s-1OSSL_CRMF_PUB_METHOD_DONTCARE 0\s0
- # define \s-1OSSL_CRMF_PUB_METHOD_X500\s0 1
- # define \s-1OSSL_CRMF_PUB_METHOD_WEB\s0 2
- # define \s-1OSSL_CRMF_PUB_METHOD_LDAP\s0 3
+ # define OSSL_CRMF_PUB_METHOD_DONTCARE 0
+ # define OSSL_CRMF_PUB_METHOD_X500 1
+ # define OSSL_CRMF_PUB_METHOD_WEB 2
+ # define OSSL_CRMF_PUB_METHOD_LDAP 3
.PP
\&\fBOSSL_CRMF_MSG_set_PKIPublicationInfo_action()\fR sets the action in the given \fIpi\fR
-using the given \fIaction\fR as value. See \s-1RFC 4211,\s0 section 6.3.
+using the given \fIaction\fR as value. See RFC 4211, section 6.3.
Available actions are:
- # define \s-1OSSL_CRMF_PUB_ACTION_DONTPUBLISH\s0 0
- # define \s-1OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH 1\s0
+ # define OSSL_CRMF_PUB_ACTION_DONTPUBLISH 0
+ # define OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH 1
.PP
\&\fBOSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo()\fR sets the pkiPublicationInfo
-control in the given \fImsg\fR copying the given \fItok\fR as value. See \s-1RFC 4211,\s0
+control in the given \fImsg\fR copying the given \fItok\fR as value. See RFC 4211,
section 6.3.
.PP
\&\fBOSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey()\fR sets the protocolEncrKey control in
-the given \fImsg\fR copying the given \fIpubkey\fR as value. See \s-1RFC 4211\s0 section 6.6.
+the given \fImsg\fR copying the given \fIpubkey\fR as value. See RFC 4211 section 6.6.
.PP
\&\fBOSSL_CRMF_MSG_set1_regCtrl_oldCertID()\fR sets the \fBoldCertID\fR regToken control in
-the given \fImsg\fR copying the given \fIcid\fR as value. See \s-1RFC 4211,\s0 section 6.5.
+the given \fImsg\fR copying the given \fIcid\fR as value. See RFC 4211, section 6.5.
.PP
OSSL_CRMF_CERTID_gen produces an OSSL_CRMF_CERTID_gen structure copying the
given \fIissuer\fR name and \fIserial\fR number.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All OSSL_CRMF_MSG_get0_*() functions
-return the respective pointer value or \s-1NULL\s0 if not present and on error.
+return the respective pointer value or NULL if not present and on error.
.PP
All OSSL_CRMF_MSG_set1_*() functions return 1 on success, 0 on error.
.PP
\&\fBOSSL_CRMF_CERTID_gen()\fR returns a pointer to the resulting structure
-or \s-1NULL\s0 on error.
-.SH "NOTES"
+or NULL on error.
+.SH NOTES
.IX Header "NOTES"
A function \fBOSSL_CRMF_MSG_set1_regCtrl_pkiArchiveOptions()\fR for setting an
Archive Options Control is not yet implemented due to missing features to
-create the needed \s-1OSSL_CRMF_PKIARCHIVEOPTINS\s0 content.
+create the needed OSSL_CRMF_PKIARCHIVEOPTINS content.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1RFC 4211\s0
-.SH "HISTORY"
+RFC 4211
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CRMF\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3
index 43b3a291ab39..19ff8478aeab 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl"
-.TH OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CRMF_MSG_SET1_REGINFO_CERTREQ 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CRMF_MSG_get0_regInfo_utf8Pairs,
OSSL_CRMF_MSG_set1_regInfo_utf8Pairs,
OSSL_CRMF_MSG_get0_regInfo_certReq,
OSSL_CRMF_MSG_set1_regInfo_certReq
\&\- functions getting or setting CRMF Registration Info
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crmf.h>
@@ -156,41 +80,41 @@ OSSL_CRMF_MSG_set1_regInfo_certReq
\& int OSSL_CRMF_MSG_set1_regInfo_certReq(OSSL_CRMF_MSG *msg,
\& const OSSL_CRMF_CERTREQUEST *cr);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_CRMF_MSG_get0_regInfo_utf8Pairs()\fR returns the first utf8Pairs regInfo
in the given \fImsg\fR, if present.
.PP
\&\fBOSSL_CRMF_MSG_set1_regInfo_utf8Pairs()\fR adds a copy of the given \fIutf8pairs\fR
-value as utf8Pairs regInfo to the given \fImsg\fR. See \s-1RFC 4211\s0 section 7.1.
+value as utf8Pairs regInfo to the given \fImsg\fR. See RFC 4211 section 7.1.
.PP
\&\fBOSSL_CRMF_MSG_get0_regInfo_certReq()\fR returns the first certReq regInfo
in the given \fImsg\fR, if present.
.PP
\&\fBOSSL_CRMF_MSG_set1_regInfo_certReq()\fR adds a copy of the given \fIcr\fR value
-as certReq regInfo to the given \fImsg\fR. See \s-1RFC 4211\s0 section 7.2.
+as certReq regInfo to the given \fImsg\fR. See RFC 4211 section 7.2.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-All get0_*() functions return the respective pointer value, \s-1NULL\s0 if not present.
+All get0_*() functions return the respective pointer value, NULL if not present.
.PP
All set1_*() functions return 1 on success, 0 on error.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Calling the set1_*() functions multiple times
adds multiple instances of the respective
-control to the regInfo structure of the given \fImsg\fR. While \s-1RFC 4211\s0 expects
+control to the regInfo structure of the given \fImsg\fR. While RFC 4211 expects
multiple utf8Pairs in one regInfo structure, it does not allow multiple certReq.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1RFC 4211\s0
-.SH "HISTORY"
+RFC 4211
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CRMF\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3 b/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3
index 276385bef644..2fd48be3f46a 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_CRMF_pbmp_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_CRMF_PBMP_NEW 3ossl"
-.TH OSSL_CRMF_PBMP_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_CRMF_PBMP_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_CRMF_pbm_new,
OSSL_CRMF_pbmp_new
\&\- functions for producing Password\-Based MAC (PBM)
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crmf.h>
@@ -155,43 +79,43 @@ OSSL_CRMF_pbmp_new
\& int owfnid, size_t itercnt,
\& int macnid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_CRMF_pbm_new()\fR generates a \s-1PBM\s0 (Password-Based \s-1MAC\s0) based on given \s-1PBM\s0
+\&\fBOSSL_CRMF_pbm_new()\fR generates a PBM (Password-Based MAC) based on given PBM
parameters \fIpbmp\fR, message \fImsg\fR, and secret \fIsec\fR, along with the respective
lengths \fImsglen\fR and \fIseclen\fR.
The optional library context \fIlibctx\fR and \fIpropq\fR parameters may be used
-to influence the selection of the \s-1MAC\s0 algorithm referenced in the \fIpbmp\fR;
-see \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further information.
+to influence the selection of the MAC algorithm referenced in the \fIpbmp\fR;
+see "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further information.
On success writes the address of the newly
-allocated \s-1MAC\s0 via the \fImac\fR reference parameter and writes the length via the
-\&\fImaclen\fR reference parameter unless it its \s-1NULL.\s0
+allocated MAC via the \fImac\fR reference parameter and writes the length via the
+\&\fImaclen\fR reference parameter unless it its NULL.
.PP
\&\fBOSSL_CRMF_pbmp_new()\fR initializes and returns a new \fBPBMParameter\fR structure
with a new random salt of given length \fIsaltlen\fR,
-\&\s-1OWF\s0 (one-way function) \s-1NID\s0 \fIowfnid\fR, \s-1OWF\s0 iteration count \fIitercnt\fR,
-and \s-1MAC NID\s0 \fImacnid\fR.
+OWF (one-way function) NID \fIowfnid\fR, OWF iteration count \fIitercnt\fR,
+and MAC NID \fImacnid\fR.
The library context \fIlibctx\fR parameter may be used to select the provider
-for the random number generation (\s-1DRBG\s0) and may be \s-1NULL\s0 for the default.
-.SH "NOTES"
+for the random number generation (DRBG) and may be NULL for the default.
+.SH NOTES
.IX Header "NOTES"
-The algorithms for the \s-1OWF\s0 (one-way function) and for the \s-1MAC\s0 (message
-authentication code) may be any with a \s-1NID\s0 defined in \fI<openssl/objects.h>\fR.
-As specified by \s-1RFC 4210,\s0 these should include NID_hmac_sha1.
+The algorithms for the OWF (one-way function) and for the MAC (message
+authentication code) may be any with a NID defined in \fI<openssl/objects.h>\fR.
+As specified by RFC 4210, these should include NID_hmac_sha1.
.PP
-\&\s-1RFC 4210\s0 recommends that the salt \s-1SHOULD\s0 be at least 8 bytes (64 bits) long,
+RFC 4210 recommends that the salt SHOULD be at least 8 bytes (64 bits) long,
where 16 bytes is common.
.PP
-The iteration count must be at least 100, as stipulated by \s-1RFC 4211,\s0 and is
+The iteration count must be at least 100, as stipulated by RFC 4211, and is
limited to at most 100000 to avoid DoS through manipulated or otherwise
malformed input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_CRMF_pbm_new()\fR returns 1 on success, 0 on error.
.PP
-\&\fBOSSL_CRMF_pbmp_new()\fR returns a new and initialized \s-1OSSL_CRMF_PBMPARAMETER\s0
-structure, or \s-1NULL\s0 on error.
-.SH "EXAMPLES"
+\&\fBOSSL_CRMF_pbmp_new()\fR returns a new and initialized OSSL_CRMF_PBMPARAMETER
+structure, or NULL on error.
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 5
\& OSSL_CRMF_PBMPARAMETER *pbm = NULL;
@@ -207,15 +131,15 @@ structure, or \s-1NULL\s0 on error.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1RFC 4211\s0 section 4.4
-.SH "HISTORY"
+RFC 4211 section 4.4
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL \s-1CRMF\s0 support was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL CRMF support was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER.3
index 74d55ab4b3e0..be10c720939b 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_DECODER.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_DECODER 3ossl"
-.TH OSSL_DECODER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_DECODER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_DECODER,
OSSL_DECODER_fetch,
OSSL_DECODER_up_ref,
@@ -151,7 +75,7 @@ OSSL_DECODER_names_do_all,
OSSL_DECODER_gettable_params,
OSSL_DECODER_get_params
\&\- Decoder method routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/decoder.h>
@@ -176,26 +100,27 @@ OSSL_DECODER_get_params
\& const OSSL_PARAM *OSSL_DECODER_gettable_params(OSSL_DECODER *decoder);
\& int OSSL_DECODER_get_params(OSSL_DECODER_CTX *ctx, const OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_DECODER\s0\fR is a method for decoders, which know how to
+\&\fBOSSL_DECODER\fR is a method for decoders, which know how to
decode encoded data into an object of some type that the rest
of OpenSSL knows how to handle.
.PP
\&\fBOSSL_DECODER_fetch()\fR looks for an algorithm within the provider that
-has been loaded into the \fB\s-1OSSL_LIB_CTX\s0\fR given by \fIctx\fR, having the
+has been loaded into the \fBOSSL_LIB_CTX\fR given by \fIctx\fR, having the
name given by \fIname\fR and the properties given by \fIproperties\fR.
The \fIname\fR determines what type of object the fetched decoder
method is expected to be able to decode, and the properties are
used to determine the expected output type.
For known properties and the values they may have, please have a look
-in \*(L"Names and properties\*(R" in \fBprovider\-encoder\fR\|(7).
+in "Names and properties" in \fBprovider\-encoder\fR\|(7).
.PP
\&\fBOSSL_DECODER_up_ref()\fR increments the reference count for the given
\&\fIdecoder\fR.
.PP
\&\fBOSSL_DECODER_free()\fR decrements the reference count for the given
\&\fIdecoder\fR, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_DECODER_get0_provider()\fR returns the provider of the given
\&\fIdecoder\fR.
@@ -220,26 +145,26 @@ implementations by all activated providers in the library context
\&\fIlibctx\fR, and for each of the implementations, calls \fIfn\fR with the
implementation method and \fIarg\fR as arguments.
.PP
-\&\fBOSSL_DECODER_gettable_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3)
+\&\fBOSSL_DECODER_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3)
array of parameter descriptors.
.PP
\&\fBOSSL_DECODER_get_params()\fR attempts to get parameters specified
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) array \fIparams\fR. Parameters that the
+with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the
implementation doesn't recognise should be ignored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_DECODER_fetch()\fR returns a pointer to an \s-1OSSL_DECODER\s0 object,
-or \s-1NULL\s0 on error.
+\&\fBOSSL_DECODER_fetch()\fR returns a pointer to an OSSL_DECODER object,
+or NULL on error.
.PP
\&\fBOSSL_DECODER_up_ref()\fR returns 1 on success, or 0 on error.
.PP
\&\fBOSSL_DECODER_free()\fR doesn't return any value.
.PP
\&\fBOSSL_DECODER_get0_provider()\fR returns a pointer to a provider object, or
-\&\s-1NULL\s0 on error.
+NULL on error.
.PP
\&\fBOSSL_DECODER_get0_properties()\fR returns a pointer to a property
-definition string, or \s-1NULL\s0 on error.
+definition string, or NULL on error.
.PP
\&\fBOSSL_DECODER_is_a()\fR returns 1 if \fIdecoder\fR was identifiable,
otherwise 0.
@@ -250,17 +175,17 @@ multiple synonyms associated with it. In this case the first name from the
algorithm definition is returned. Ownership of the returned string is retained
by the \fIdecoder\fR object and should not be freed by the caller.
.PP
-\&\fBOSSL_DECODER_get0_description()\fR returns a pointer to a description, or \s-1NULL\s0 if
+\&\fBOSSL_DECODER_get0_description()\fR returns a pointer to a description, or NULL if
there isn't one.
.PP
\&\fBOSSL_DECODER_names_do_all()\fR returns 1 if the callback was called for all
names. A return value of 0 means that the callback was not called for any names.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBOSSL_DECODER_fetch()\fR may be called implicitly by other fetching
functions, using the same library context and properties.
-Any other \s-1API\s0 that uses keys will typically do this.
-.SH "EXAMPLES"
+Any other API that uses keys will typically do this.
+.SH EXAMPLES
.IX Header "EXAMPLES"
To list all decoders in a provider to a bio_out:
.PP
@@ -304,16 +229,16 @@ To list all decoders in a provider to a bio_out:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_DECODER_CTX\s0\fR\|(3), \fBOSSL_DECODER_from_bio\fR\|(3),
-\&\fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3), \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_DECODER_CTX\fR\|(3), \fBOSSL_DECODER_from_bio\fR\|(3),
+\&\fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3
index f5b730f40096..f59330492994 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_DECODER_CTX 3ossl"
-.TH OSSL_DECODER_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_DECODER_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_DECODER_CTX,
OSSL_DECODER_CTX_new,
OSSL_DECODER_settable_ctx_params,
@@ -163,7 +87,7 @@ OSSL_DECODER_INSTANCE_get_decoder_ctx,
OSSL_DECODER_INSTANCE_get_input_type,
OSSL_DECODER_INSTANCE_get_input_structure
\&\- Decoder context routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/decoder.h>
@@ -216,14 +140,14 @@ OSSL_DECODER_INSTANCE_get_input_structure
\& void *reference, size_t reference_sz,
\& OSSL_CALLBACK *export_cb, void *export_cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1OSSL_DECODER_CTX\s0\fR holds data about multiple decoders, as needed to
+The \fBOSSL_DECODER_CTX\fR holds data about multiple decoders, as needed to
figure out what the input data is and to attempt to unpack it into one of
several possible related results. This also includes chaining decoders, so
the output from one can become the input for another. This allows having
-generic format decoders such as \s-1PEM\s0 to \s-1DER,\s0 as well as more specialized
-decoders like \s-1DER\s0 to \s-1RSA.\s0
+generic format decoders such as PEM to DER, as well as more specialized
+decoders like DER to RSA.
.PP
The chains may be limited by specifying an input type, which is considered a
starting point. This is both considered by \fBOSSL_DECODER_CTX_add_extra()\fR,
@@ -231,9 +155,9 @@ which will stop adding one more decoder implementations when it has already
added those that take the specified input type, and functions like
\&\fBOSSL_DECODER_from_bio\fR\|(3), which will only start the decoding process with
the decoder implementations that take that input type. For example, if the
-input type is set to \f(CW\*(C`DER\*(C'\fR, a \s-1PEM\s0 to \s-1DER\s0 decoder will be ignored.
+input type is set to \f(CW\*(C`DER\*(C'\fR, a PEM to DER decoder will be ignored.
.PP
-The input type can also be \s-1NULL,\s0 which means that the caller doesn't know
+The input type can also be NULL, which means that the caller doesn't know
what type of input they have. In this case, \fBOSSL_DECODER_from_bio()\fR will
simply try with one decoder implementation after the other, and thereby
discover what kind of input the caller gave it.
@@ -243,25 +167,26 @@ the caller is called to attempt to construct an appropriate type / structure
that the caller knows how to handle from the current decoding result.
The constructor is set with \fBOSSL_DECODER_CTX_set_construct()\fR.
.PP
-\&\fB\s-1OSSL_DECODER_INSTANCE\s0\fR is an opaque structure that contains data about the
+\&\fBOSSL_DECODER_INSTANCE\fR is an opaque structure that contains data about the
decoder that was just used, and that may be useful for the constructor.
There are some functions to extract data from this type, described further
down.
-.SS "Functions"
+.SS Functions
.IX Subsection "Functions"
-\&\fBOSSL_DECODER_CTX_new()\fR creates a new empty \fB\s-1OSSL_DECODER_CTX\s0\fR.
+\&\fBOSSL_DECODER_CTX_new()\fR creates a new empty \fBOSSL_DECODER_CTX\fR.
.PP
-\&\fBOSSL_DECODER_settable_ctx_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3) array of
+\&\fBOSSL_DECODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array of
parameter descriptors.
.PP
\&\fBOSSL_DECODER_CTX_set_params()\fR attempts to set parameters specified with an
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) array \fIparams\fR. These parameters are passed to all
+\&\fBOSSL_PARAM\fR\|(3) array \fIparams\fR. These parameters are passed to all
decoders that have been added to the \fIctx\fR so far. Parameters that an
implementation doesn't recognise should be ignored by it.
.PP
\&\fBOSSL_DECODER_CTX_free()\fR frees the given context \fIctx\fR.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOSSL_DECODER_CTX_add_decoder()\fR populates the \fB\s-1OSSL_DECODER_CTX\s0\fR \fIctx\fR with
+\&\fBOSSL_DECODER_CTX_add_decoder()\fR populates the \fBOSSL_DECODER_CTX\fR \fIctx\fR with
a decoder, to be used to attempt to decode some encoded input.
.PP
\&\fBOSSL_DECODER_CTX_add_extra()\fR finds decoders that generate input for already
@@ -274,7 +199,7 @@ above.
.PP
\&\fBOSSL_DECODER_CTX_set_input_structure()\fR sets the name of the structure that
the input is expected to have. This may be used to determines what decoder
-implementations may be used. \s-1NULL\s0 is a valid input structure, when it's not
+implementations may be used. NULL is a valid input structure, when it's not
relevant, or when the decoder implementations are expected to figure it out.
.PP
\&\fBOSSL_DECODER_CTX_get_num_decoders()\fR gets the number of decoders currently
@@ -297,21 +222,21 @@ function. This is called by \fBOSSL_DECODER_CTX_free\fR\|(3).
use the data they get directly for diverse reasons. It takes the same
decode instance \fIdecoder_inst\fR that the constructor got and an object
\&\fIreference\fR, unpacks the object which it refers to, and exports it by
-creating an \s-1\fBOSSL_PARAM\s0\fR\|(3) array that it then passes to \fIexport_cb\fR,
+creating an \fBOSSL_PARAM\fR\|(3) array that it then passes to \fIexport_cb\fR,
along with \fIexport_arg\fR.
-.SS "Constructor"
+.SS Constructor
.IX Subsection "Constructor"
-A \fB\s-1OSSL_DECODER_CONSTRUCT\s0\fR gets the following arguments:
-.IP "\fIdecoder_inst\fR" 4
+A \fBOSSL_DECODER_CONSTRUCT\fR gets the following arguments:
+.IP \fIdecoder_inst\fR 4
.IX Item "decoder_inst"
-The \fB\s-1OSSL_DECODER_INSTANCE\s0\fR for the decoder from which the constructor gets
+The \fBOSSL_DECODER_INSTANCE\fR for the decoder from which the constructor gets
its data.
-.IP "\fIobject\fR" 4
+.IP \fIobject\fR 4
.IX Item "object"
A provider-native object abstraction produced by the decoder. Further
information on the provider-native object abstraction can be found in
\&\fBprovider\-object\fR\|(7).
-.IP "\fIconstruct_data\fR" 4
+.IP \fIconstruct_data\fR 4
.IX Item "construct_data"
The pointer that was set with \fBOSSL_DECODE_CTX_set_construct_data()\fR.
.PP
@@ -332,14 +257,14 @@ implementation's input type from a decoder instance \fIdecoder_inst\fR.
\&\fBOSSL_DECODER_INSTANCE_get_input_structure()\fR can be used to get the input
structure for the decoder implementation from a decoder instance
\&\fIdecoder_inst\fR.
-This may be \s-1NULL.\s0
+This may be NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_DECODER_CTX_new()\fR returns a pointer to a \fB\s-1OSSL_DECODER_CTX\s0\fR, or \s-1NULL\s0
+\&\fBOSSL_DECODER_CTX_new()\fR returns a pointer to a \fBOSSL_DECODER_CTX\fR, or NULL
if the context structure couldn't be allocated.
.PP
-\&\fBOSSL_DECODER_settable_ctx_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3) array, or
-\&\s-1NULL\s0 if none is available.
+\&\fBOSSL_DECODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array, or
+NULL if none is available.
.PP
\&\fBOSSL_DECODER_CTX_set_params()\fR returns 1 if all recognised parameters were
valid, or 0 if one of them was invalid or caused some other failure in the
@@ -354,26 +279,26 @@ implementation.
constructor, the constructor data and the cleanup functions, respectively.
.PP
\&\fBOSSL_DECODER_CTX_num_decoders()\fR returns the current number of decoders. It
-returns 0 if \fIctx\fR is \s-1NULL.\s0
+returns 0 if \fIctx\fR is NULL.
.PP
\&\fBOSSL_DECODER_export()\fR returns 1 on success, or 0 on failure.
.PP
-\&\fBOSSL_DECODER_INSTANCE_decoder()\fR returns an \fB\s-1OSSL_DECODER\s0\fR pointer on
-success, or \s-1NULL\s0 on failure.
+\&\fBOSSL_DECODER_INSTANCE_decoder()\fR returns an \fBOSSL_DECODER\fR pointer on
+success, or NULL on failure.
.PP
\&\fBOSSL_DECODER_INSTANCE_decoder_ctx()\fR returns a provider context pointer on
-success, or \s-1NULL\s0 on failure.
+success, or NULL on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_DECODER\s0\fR\|(3), \fBOSSL_DECODER_from_bio\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_DECODER\fR\|(3), \fBOSSL_DECODER_from_bio\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3
index 666cded58c60..cf4fb2525b03 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_CTX_new_for_pkey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl"
-.TH OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_DECODER_CTX_NEW_FOR_PKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_DECODER_CTX_new_for_pkey,
OSSL_DECODER_CTX_set_passphrase,
OSSL_DECODER_CTX_set_pem_password_cb,
OSSL_DECODER_CTX_set_passphrase_ui,
OSSL_DECODER_CTX_set_passphrase_cb
\&\- Decoder routines to decode EVP_PKEYs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/decoder.h>
@@ -168,42 +92,42 @@ OSSL_DECODER_CTX_set_passphrase_cb
\& OSSL_PASSPHRASE_CALLBACK *cb,
\& void *cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_DECODER_CTX_new_for_pkey()\fR is a utility function that creates a
-\&\fB\s-1OSSL_DECODER_CTX\s0\fR, finds all applicable decoder implementations and sets
+\&\fBOSSL_DECODER_CTX\fR, finds all applicable decoder implementations and sets
them up, so all the caller has to do next is call functions like
\&\fBOSSL_DECODER_from_bio\fR\|(3). The caller may use the optional \fIinput_type\fR,
\&\fIinput_struct\fR, \fIkeytype\fR and \fIselection\fR to specify what the input is
-expected to contain. The \fIpkey\fR must reference an \fB\s-1EVP_PKEY\s0 *\fR variable
-that will be set to the newly created \fB\s-1EVP_PKEY\s0\fR on successful decoding.
-The referenced variable must be initialized to \s-1NULL\s0 before calling the
+expected to contain. The \fIpkey\fR must reference an \fBEVP_PKEY *\fR variable
+that will be set to the newly created \fBEVP_PKEY\fR on successful decoding.
+The referenced variable must be initialized to NULL before calling the
function.
.PP
Internally \fBOSSL_DECODER_CTX_new_for_pkey()\fR searches for all available
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3) implementations, and then builds a list of all potential
+\&\fBEVP_KEYMGMT\fR\|(3) implementations, and then builds a list of all potential
decoder implementations that may be able to process the encoded input into
-data suitable for \fB\s-1EVP_PKEY\s0\fRs. All these implementations are implicitly
+data suitable for \fBEVP_PKEY\fRs. All these implementations are implicitly
fetched using \fIlibctx\fR and \fIpropquery\fR.
.PP
The search of decoder implementations can be limited with \fIinput_type\fR and
\&\fIinput_struct\fR which specifies a starting input type and input structure.
-\&\s-1NULL\s0 is valid for both of them and signifies that the decoder implementations
+NULL is valid for both of them and signifies that the decoder implementations
will find out the input type on their own.
They are set with \fBOSSL_DECODER_CTX_set_input_type\fR\|(3) and
\&\fBOSSL_DECODER_CTX_set_input_structure\fR\|(3).
-See \*(L"Input Types\*(R" and \*(L"Input Structures\*(R" below for further information.
+See "Input Types" and "Input Structures" below for further information.
.PP
The search of decoder implementations can also be limited with \fIkeytype\fR
and \fIselection\fR, which specifies the expected resulting keytype and contents.
-\&\s-1NULL\s0 and zero are valid and signify that the decoder implementations will
+NULL and zero are valid and signify that the decoder implementations will
find out the keytype and key contents on their own from the input they get.
.PP
If no suitable decoder implementation is found,
-\&\fBOSSL_DECODER_CTX_new_for_pkey()\fR still creates a \fB\s-1OSSL_DECODER_CTX\s0\fR, but
+\&\fBOSSL_DECODER_CTX_new_for_pkey()\fR still creates a \fBOSSL_DECODER_CTX\fR, but
with no associated decoder (\fBOSSL_DECODER_CTX_get_num_decoders\fR\|(3) returns
zero). This helps the caller to distinguish between an error when creating
-the \fB\s-1OSSL_ENCODER_CTX\s0\fR and missing encoder implementation, and allows it to
+the \fBOSSL_ENCODER_CTX\fR and missing encoder implementation, and allows it to
act accordingly.
.PP
\&\fBOSSL_DECODER_CTX_set_passphrase()\fR gives the implementation a pass phrase to
@@ -214,10 +138,10 @@ callback may be specified with the following functions.
and \fBOSSL_DECODER_CTX_set_passphrase_cb()\fR set up a callback method that the
implementation can use to prompt for a pass phrase, giving the caller the
choice of preferred pass phrase callback form. These are called indirectly,
-through an internal \s-1\fBOSSL_PASSPHRASE_CALLBACK\s0\fR\|(3) function.
+through an internal \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function.
.PP
-The internal \s-1\fBOSSL_PASSPHRASE_CALLBACK\s0\fR\|(3) function caches the pass phrase, to
-be re-used in all decodings that are performed in the same decoding run (for
+The internal \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function caches the pass phrase, to
+be reused in all decodings that are performed in the same decoding run (for
example, within one \fBOSSL_DECODER_from_bio\fR\|(3) call).
.SS "Input Types"
.IX Subsection "Input Types"
@@ -225,7 +149,7 @@ Available input types depend on the implementations that available providers
offer, and provider documentation should have the details.
.PP
Among the known input types that OpenSSL decoder implementations offer
-for \fB\s-1EVP_PKEY\s0\fRs are \f(CW\*(C`DER\*(C'\fR, \f(CW\*(C`PEM\*(C'\fR, \f(CW\*(C`MSBLOB\*(C'\fR and \f(CW\*(C`PVK\*(C'\fR.
+for \fBEVP_PKEY\fRs are \f(CW\*(C`DER\*(C'\fR, \f(CW\*(C`PEM\*(C'\fR, \f(CW\*(C`MSBLOB\*(C'\fR and \f(CW\*(C`PVK\*(C'\fR.
See \fBopenssl\-glossary\fR\|(7) for further information on what these input
types mean.
.SS "Input Structures"
@@ -234,22 +158,22 @@ Available input structures depend on the implementations that available
providers offer, and provider documentation should have the details.
.PP
Among the known input structures that OpenSSL decoder implementations
-offer for \fB\s-1EVP_PKEY\s0\fRs are \f(CW\*(C`pkcs8\*(C'\fR and \f(CW\*(C`SubjectPublicKeyInfo\*(C'\fR.
+offer for \fBEVP_PKEY\fRs are \f(CW\*(C`pkcs8\*(C'\fR and \f(CW\*(C`SubjectPublicKeyInfo\*(C'\fR.
.PP
OpenSSL decoder implementations also support the input structure
\&\f(CW\*(C`type\-specific\*(C'\fR. This is the structure used for keys encoded
-according to key type specific specifications. For example, \s-1RSA\s0 keys
+according to key type specific specifications. For example, RSA keys
encoded according to PKCS#1.
-.SS "Selections"
+.SS Selections
.IX Subsection "Selections"
\&\fIselection\fR can be any one of the values described in
-\&\*(L"Selections\*(R" in \fBEVP_PKEY_fromdata\fR\|(3).
+"Selections" in \fBEVP_PKEY_fromdata\fR\|(3).
Additionally \fIselection\fR can also be set to \fB0\fR to indicate that the code will
auto detect the selection.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_DECODER_CTX_new_for_pkey()\fR returns a pointer to a
-\&\fB\s-1OSSL_DECODER_CTX\s0\fR, or \s-1NULL\s0 if it couldn't be created.
+\&\fBOSSL_DECODER_CTX\fR, or NULL if it couldn't be created.
.PP
\&\fBOSSL_DECODER_CTX_set_passphrase()\fR, \fBOSSL_DECODER_CTX_set_pem_password_cb()\fR,
\&\fBOSSL_DECODER_CTX_set_passphrase_ui()\fR and
@@ -257,15 +181,15 @@ auto detect the selection.
failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_DECODER\s0\fR\|(3), \s-1\fBOSSL_DECODER_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_DECODER\fR\|(3), \fBOSSL_DECODER_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3
index 1010225aa681..c802418671ff 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_DECODER_from_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_DECODER_FROM_BIO 3ossl"
-.TH OSSL_DECODER_FROM_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_DECODER_FROM_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_DECODER_from_data,
OSSL_DECODER_from_bio,
OSSL_DECODER_from_fp
\&\- Routines to perform a decoding
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/decoder.h>
@@ -153,9 +77,9 @@ OSSL_DECODER_from_fp
.Ve
.PP
Feature availability macros:
-.IP "\fBOSSL_DECODER_from_fp()\fR is only available when \fB\s-1OPENSSL_NO_STDIO\s0\fR is undefined." 4
+.IP "\fBOSSL_DECODER_from_fp()\fR is only available when \fBOPENSSL_NO_STDIO\fR is undefined." 4
.IX Item "OSSL_DECODER_from_fp() is only available when OPENSSL_NO_STDIO is undefined."
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_DECODER_from_data()\fR runs the decoding process for the context \fIctx\fR,
with input coming from \fI*pdata\fR, \fI*pdata_len\fR bytes long. Both \fI*pdata\fR
@@ -164,18 +88,18 @@ and \fI*pdata_len\fR must be non-NULL. When \fBOSSL_DECODER_from_data()\fR retu
and \fI*pdata_len\fR to have the number of remaining bytes.
.PP
\&\fBOSSL_DECODER_from_bio()\fR runs the decoding process for the context \fIctx\fR,
-with the input coming from the \fB\s-1BIO\s0\fR \fIin\fR. Should it make a difference,
-it's recommended to have the \s-1BIO\s0 set in binary mode rather than text mode.
+with the input coming from the \fBBIO\fR \fIin\fR. Should it make a difference,
+it's recommended to have the BIO set in binary mode rather than text mode.
.PP
\&\fBOSSL_DECODER_from_fp()\fR does the same thing as \fBOSSL_DECODER_from_bio()\fR,
-except that the input is coming from the \fB\s-1FILE\s0\fR \fIfp\fR.
+except that the input is coming from the \fBFILE\fR \fIfp\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_DECODER_from_bio()\fR, \fBOSSL_DECODER_from_data()\fR and \fBOSSL_DECODER_from_fp()\fR
return 1 on success, or 0 on failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-To decode an \s-1RSA\s0 key encoded with \s-1PEM\s0 from a bio:
+To decode an RSA key encoded with PEM from a bio:
.PP
.Vb 6
\& OSSL_DECODER_CTX *dctx;
@@ -202,7 +126,7 @@ To decode an \s-1RSA\s0 key encoded with \s-1PEM\s0 from a bio:
\& OSSL_DECODER_CTX_free(dctx);
.Ve
.PP
-To decode an \s-1EC\s0 key encoded with \s-1DER\s0 from a buffer:
+To decode an EC key encoded with DER from a buffer:
.PP
.Vb 8
\& OSSL_DECODER_CTX *dctx;
@@ -233,15 +157,15 @@ To decode an \s-1EC\s0 key encoded with \s-1DER\s0 from a buffer:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_DECODER_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_DECODER_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3 b/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3
index 79c9920f27b0..96317cbfa122 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_DISPATCH.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_DISPATCH 3ossl"
-.TH OSSL_DISPATCH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_DISPATCH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-OSSL_DISPATCH \- OpenSSL Core type to define a dispatchable function table
-.SH "SYNOPSIS"
+.SH NAME
+OSSL_DISPATCH, OSSL_DISPATCH_END \- OpenSSL Core type to define a dispatchable function table
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core.h>
@@ -148,21 +72,22 @@ OSSL_DISPATCH \- OpenSSL Core type to define a dispatchable function table
\& int function_id;
\& void (*function)(void);
\& };
+\&
+\& #define OSSL_DISPATCH_END
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This type is a tuple of function identity and function pointer.
Arrays of this type are passed between the OpenSSL libraries and the
providers to describe what functionality one side provides to the other.
.PP
-Arrays of this type must be terminated with a tuple having function identity
-zero and function pointer \s-1NULL.\s0
-.SS "\fB\s-1OSSL_DISPATCH\s0\fP fields"
+Arrays of this type must be terminated with the OSSL_DISPATCH_END macro.
+.SS "\fBOSSL_DISPATCH\fP fields"
.IX Subsection "OSSL_DISPATCH fields"
-.IP "\fIfunction_id\fR" 4
+.IP \fIfunction_id\fR 4
.IX Item "function_id"
OpenSSL defined function identity of the implemented function.
-.IP "\fIfunction\fR" 4
+.IP \fIfunction\fR 4
.IX Item "function"
Pointer to the implemented function itself. Despite the generic definition
of this field, the implemented function it points to must have a function
@@ -172,7 +97,7 @@ Available function identities and corresponding function signatures are
defined in \fBopenssl\-core_dispatch.h\fR\|(7).
Furthermore, the chosen function identities and associated function
signature must be chosen specifically for the operation that it's intended
-for, as determined by the intended \s-1\fBOSSL_ALGORITHM\s0\fR\|(3) array.
+for, as determined by the intended \fBOSSL_ALGORITHM\fR\|(3) array.
.PP
Any function identity not recognised by the recipient of this type
will be ignored.
@@ -181,15 +106,15 @@ will work together with any other OpenSSL version that supports this
mechanism.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBcrypto\fR\|(7), \fBopenssl\-core_dispatch.h\fR\|(7), \s-1\fBOSSL_ALGORITHM\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBcrypto\fR\|(7), \fBopenssl\-core_dispatch.h\fR\|(7), \fBOSSL_ALGORITHM\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OSSL_DISPATCH\s0\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBOSSL_DISPATCH\fR was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3
index 49a969170c9a..bc26b2c50e51 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ENCODER 3ossl"
-.TH OSSL_ENCODER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ENCODER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ENCODER,
OSSL_ENCODER_fetch,
OSSL_ENCODER_up_ref,
@@ -151,7 +75,7 @@ OSSL_ENCODER_names_do_all,
OSSL_ENCODER_gettable_params,
OSSL_ENCODER_get_params
\&\- Encoder method routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/encoder.h>
@@ -176,26 +100,27 @@ OSSL_ENCODER_get_params
\& const OSSL_PARAM *OSSL_ENCODER_gettable_params(OSSL_ENCODER *encoder);
\& int OSSL_ENCODER_get_params(OSSL_ENCODER_CTX *ctx, const OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_ENCODER\s0\fR is a method for encoders, which know how to
-encode an object of some kind to a encoded form, such as \s-1PEM,
-DER,\s0 or even human readable text.
+\&\fBOSSL_ENCODER\fR is a method for encoders, which know how to
+encode an object of some kind to a encoded form, such as PEM,
+DER, or even human readable text.
.PP
\&\fBOSSL_ENCODER_fetch()\fR looks for an algorithm within the provider that
-has been loaded into the \fB\s-1OSSL_LIB_CTX\s0\fR given by \fIctx\fR, having the
+has been loaded into the \fBOSSL_LIB_CTX\fR given by \fIctx\fR, having the
name given by \fIname\fR and the properties given by \fIproperties\fR.
The \fIname\fR determines what type of object the fetched encoder
method is expected to be able to encode, and the properties are
used to determine the expected output type.
For known properties and the values they may have, please have a look
-in \*(L"Names and properties\*(R" in \fBprovider\-encoder\fR\|(7).
+in "Names and properties" in \fBprovider\-encoder\fR\|(7).
.PP
\&\fBOSSL_ENCODER_up_ref()\fR increments the reference count for the given
\&\fIencoder\fR.
.PP
\&\fBOSSL_ENCODER_free()\fR decrements the reference count for the given
\&\fIencoder\fR, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_ENCODER_get0_provider()\fR returns the provider of the given
\&\fIencoder\fR.
@@ -220,16 +145,16 @@ implementations by all activated providers in the library context
\&\fIlibctx\fR, and for each of the implementations, calls \fIfn\fR with the
implementation method and \fIarg\fR as arguments.
.PP
-\&\fBOSSL_ENCODER_gettable_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3)
+\&\fBOSSL_ENCODER_gettable_params()\fR returns an \fBOSSL_PARAM\fR\|(3)
array of parameter descriptors.
.PP
\&\fBOSSL_ENCODER_get_params()\fR attempts to get parameters specified
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) array \fIparams\fR. Parameters that the
+with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the
implementation doesn't recognise should be ignored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_ENCODER_fetch()\fR returns a pointer to the key management
-implementation represented by an \s-1OSSL_ENCODER\s0 object, or \s-1NULL\s0 on
+implementation represented by an OSSL_ENCODER object, or NULL on
error.
.PP
\&\fBOSSL_ENCODER_up_ref()\fR returns 1 on success, or 0 on error.
@@ -237,10 +162,10 @@ error.
\&\fBOSSL_ENCODER_free()\fR doesn't return any value.
.PP
\&\fBOSSL_ENCODER_get0_provider()\fR returns a pointer to a provider object, or
-\&\s-1NULL\s0 on error.
+NULL on error.
.PP
\&\fBOSSL_ENCODER_get0_properties()\fR returns a pointer to a property
-definition string, or \s-1NULL\s0 on error.
+definition string, or NULL on error.
.PP
\&\fBOSSL_ENCODER_is_a()\fR returns 1 of \fIencoder\fR was identifiable,
otherwise 0.
@@ -251,23 +176,23 @@ multiple synonyms associated with it. In this case the first name from the
algorithm definition is returned. Ownership of the returned string is retained
by the \fIencoder\fR object and should not be freed by the caller.
.PP
-\&\fBOSSL_ENCODER_get0_description()\fR returns a pointer to a description, or \s-1NULL\s0 if
+\&\fBOSSL_ENCODER_get0_description()\fR returns a pointer to a description, or NULL if
there isn't one.
.PP
\&\fBOSSL_ENCODER_names_do_all()\fR returns 1 if the callback was called for all
names. A return value of 0 means that the callback was not called for any names.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_ENCODER_CTX\s0\fR\|(3), \fBOSSL_ENCODER_to_bio\fR\|(3),
-\&\fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3), \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_ENCODER_CTX\fR\|(3), \fBOSSL_ENCODER_to_bio\fR\|(3),
+\&\fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3
index 876ee48d88b4..805889e65f36 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ENCODER_CTX 3ossl"
-.TH OSSL_ENCODER_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ENCODER_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ENCODER_CTX,
OSSL_ENCODER_CTX_new,
OSSL_ENCODER_settable_ctx_params,
@@ -159,7 +83,7 @@ OSSL_ENCODER_CTX_set_construct,
OSSL_ENCODER_CTX_set_construct_data,
OSSL_ENCODER_CTX_set_cleanup
\&\- Encoder context routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/encoder.h>
@@ -204,13 +128,13 @@ OSSL_ENCODER_CTX_set_cleanup
\& int OSSL_ENCODER_CTX_set_cleanup(OSSL_ENCODER_CTX *ctx,
\& OSSL_ENCODER_CLEANUP *cleanup);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Encoding an input object to the desired encoding may be done with a chain of
encoder implementations, which means that the output from one encoder may be
-the input for the next in the chain. The \fB\s-1OSSL_ENCODER_CTX\s0\fR holds all the
+the input for the next in the chain. The \fBOSSL_ENCODER_CTX\fR holds all the
data about these encoders. This allows having generic format encoders such
-as \s-1DER\s0 to \s-1PEM,\s0 as well as more specialized encoders like \s-1RSA\s0 to \s-1DER.\s0
+as DER to PEM, as well as more specialized encoders like RSA to DER.
.PP
The final output type must be given, and a chain of encoders must end with
an implementation that produces that output type.
@@ -220,24 +144,25 @@ caller is called to ensure that there is an appropriate provider-side object
to start with.
The constructor is set with \fBOSSL_ENCODER_CTX_set_construct()\fR.
.PP
-\&\fB\s-1OSSL_ENCODER_INSTANCE\s0\fR is an opaque structure that contains data about the
+\&\fBOSSL_ENCODER_INSTANCE\fR is an opaque structure that contains data about the
encoder that is going to be used, and that may be useful for the
constructor. There are some functions to extract data from this type,
-described in \*(L"Constructor\*(R" below.
-.SS "Functions"
+described in "Constructor" below.
+.SS Functions
.IX Subsection "Functions"
-\&\fBOSSL_ENCODER_CTX_new()\fR creates a \fB\s-1OSSL_ENCODER_CTX\s0\fR.
+\&\fBOSSL_ENCODER_CTX_new()\fR creates a \fBOSSL_ENCODER_CTX\fR.
.PP
-\&\fBOSSL_ENCODER_settable_ctx_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3)
+\&\fBOSSL_ENCODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3)
array of parameter descriptors.
.PP
\&\fBOSSL_ENCODER_CTX_set_params()\fR attempts to set parameters specified
-with an \s-1\fBOSSL_PARAM\s0\fR\|(3) array \fIparams\fR. Parameters that the
+with an \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. Parameters that the
implementation doesn't recognise should be ignored.
.PP
\&\fBOSSL_ENCODER_CTX_free()\fR frees the given context \fIctx\fR.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOSSL_ENCODER_CTX_add_encoder()\fR populates the \fB\s-1OSSL_ENCODER_CTX\s0\fR
+\&\fBOSSL_ENCODER_CTX_add_encoder()\fR populates the \fBOSSL_ENCODER_CTX\fR
\&\fIctx\fR with a encoder, to be used to encode an input object.
.PP
\&\fBOSSL_ENCODER_CTX_add_extra()\fR finds encoders that further encodes output
@@ -262,20 +187,20 @@ passed to the constructor every time it's called.
.PP
\&\fBOSSL_ENCODER_CTX_set_cleanup()\fR sets the constructor data \fIcleanup\fR
function. This is called by \fBOSSL_ENCODER_CTX_free\fR\|(3).
-.SS "Constructor"
+.SS Constructor
.IX Subsection "Constructor"
-A \fB\s-1OSSL_ENCODER_CONSTRUCT\s0\fR gets the following arguments:
-.IP "\fIencoder_inst\fR" 4
+A \fBOSSL_ENCODER_CONSTRUCT\fR gets the following arguments:
+.IP \fIencoder_inst\fR 4
.IX Item "encoder_inst"
-The \fB\s-1OSSL_ENCODER_INSTANCE\s0\fR for the encoder from which the constructor gets
+The \fBOSSL_ENCODER_INSTANCE\fR for the encoder from which the constructor gets
its data.
-.IP "\fIconstruct_data\fR" 4
+.IP \fIconstruct_data\fR 4
.IX Item "construct_data"
The pointer that was set with \fBOSSL_ENCODE_CTX_set_construct_data()\fR.
.PP
The constructor is expected to return a valid (non-NULL) pointer to a
provider-native object that can be used as first input of an encoding chain,
-or \s-1NULL\s0 to indicate that an error has occurred.
+or NULL to indicate that an error has occurred.
.PP
These utility functions may be used by a constructor:
.PP
@@ -287,19 +212,19 @@ implementation's provider context of the encoder instance \fIencoder_inst\fR.
.PP
\&\fBOSSL_ENCODER_INSTANCE_get_output_type()\fR can be used to get the output type
for the encoder implementation of the encoder instance \fIencoder_inst\fR.
-This will never be \s-1NULL.\s0
+This will never be NULL.
.PP
\&\fBOSSL_ENCODER_INSTANCE_get_output_structure()\fR can be used to get the output
structure for the encoder implementation of the encoder instance
\&\fIencoder_inst\fR.
-This may be \s-1NULL.\s0
+This may be NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_ENCODER_CTX_new()\fR returns a pointer to a \fB\s-1OSSL_ENCODER_CTX\s0\fR, or \s-1NULL\s0
+\&\fBOSSL_ENCODER_CTX_new()\fR returns a pointer to a \fBOSSL_ENCODER_CTX\fR, or NULL
if the context structure couldn't be allocated.
.PP
-\&\fBOSSL_ENCODER_settable_ctx_params()\fR returns an \s-1\fBOSSL_PARAM\s0\fR\|(3) array, or
-\&\s-1NULL\s0 if none is available.
+\&\fBOSSL_ENCODER_settable_ctx_params()\fR returns an \fBOSSL_PARAM\fR\|(3) array, or
+NULL if none is available.
.PP
\&\fBOSSL_ENCODER_CTX_set_params()\fR returns 1 if all recognised parameters were
valid, or 0 if one of them was invalid or caused some other failure in the
@@ -310,16 +235,16 @@ implementation.
\&\fBOSSL_ENCODER_CTX_set_cleanup()\fR return 1 on success, or 0 on failure.
.PP
\&\fBOSSL_ENCODER_CTX_get_num_encoders()\fR returns the current number of encoders.
-It returns 0 if \fIctx\fR is \s-1NULL.\s0
+It returns 0 if \fIctx\fR is NULL.
.PP
-\&\fBOSSL_ENCODER_INSTANCE_get_encoder()\fR returns an \fB\s-1OSSL_ENCODER\s0\fR pointer on
-success, or \s-1NULL\s0 on failure.
+\&\fBOSSL_ENCODER_INSTANCE_get_encoder()\fR returns an \fBOSSL_ENCODER\fR pointer on
+success, or NULL on failure.
.PP
\&\fBOSSL_ENCODER_INSTANCE_get_encoder_ctx()\fR returns a provider context pointer on
-success, or \s-1NULL\s0 on failure.
+success, or NULL on failure.
.PP
\&\fBOSSL_ENCODER_INSTANCE_get_output_type()\fR returns a string with the name of the
-input type, if relevant. \s-1NULL\s0 is a valid returned value.
+input type, if relevant. NULL is a valid returned value.
.PP
\&\fBOSSL_ENCODER_INSTANCE_get_output_type()\fR returns a string with the name of the
output type.
@@ -328,15 +253,15 @@ output type.
of the output structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_ENCODER\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_ENCODER\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3
index f33efd48051c..38e8fd76211a 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_CTX_new_for_pkey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl"
-.TH OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ENCODER_CTX_NEW_FOR_PKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ENCODER_CTX_new_for_pkey,
OSSL_ENCODER_CTX_set_cipher,
OSSL_ENCODER_CTX_set_passphrase,
@@ -144,7 +68,7 @@ OSSL_ENCODER_CTX_set_pem_password_cb,
OSSL_ENCODER_CTX_set_passphrase_cb,
OSSL_ENCODER_CTX_set_passphrase_ui
\&\- Encoder routines to encode EVP_PKEYs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/encoder.h>
@@ -170,29 +94,29 @@ OSSL_ENCODER_CTX_set_passphrase_ui
\& OSSL_PASSPHRASE_CALLBACK *cb,
\& void *cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR is a utility function that creates a
-\&\fB\s-1OSSL_ENCODER_CTX\s0\fR, finds all applicable encoder implementations and sets
+\&\fBOSSL_ENCODER_CTX\fR, finds all applicable encoder implementations and sets
them up, so almost all the caller has to do next is call functions like
\&\fBOSSL_ENCODER_to_bio\fR\|(3). \fIoutput_type\fR determines the final output
encoding, and \fIselection\fR can be used to select what parts of the \fIpkey\fR
should be included in the output. \fIoutput_type\fR is further discussed in
-\&\*(L"Output types\*(R" below, and \fIselection\fR is further described in
-\&\*(L"Selections\*(R".
+"Output types" below, and \fIselection\fR is further described in
+"Selections".
.PP
Internally, \fBOSSL_ENCODER_CTX_new_for_pkey()\fR uses the names from the
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3) implementation associated with \fIpkey\fR to build a list of
+\&\fBEVP_KEYMGMT\fR\|(3) implementation associated with \fIpkey\fR to build a list of
applicable encoder implementations that are used to process the \fIpkey\fR into
the encoding named by \fIoutput_type\fR, with the outermost structure named by
\&\fIoutput_structure\fR if that's relevant. All these implementations are
implicitly fetched, with \fIpropquery\fR for finer selection.
.PP
If no suitable encoder implementation is found,
-\&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR still creates a \fB\s-1OSSL_ENCODER_CTX\s0\fR, but
+\&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR still creates a \fBOSSL_ENCODER_CTX\fR, but
with no associated encoder (\fBOSSL_ENCODER_CTX_get_num_encoders\fR\|(3) returns
zero). This helps the caller to distinguish between an error when creating
-the \fB\s-1OSSL_ENCODER_CTX\s0\fR and missing encoder implementation, and allows it to
+the \fBOSSL_ENCODER_CTX\fR and missing encoder implementation, and allows it to
act accordingly.
.PP
\&\fBOSSL_ENCODER_CTX_set_cipher()\fR tells the implementation what cipher
@@ -202,7 +126,7 @@ implementation dependent. The implementation may implement the cipher
directly itself or by other implementations, or it may choose to fetch
it. If the implementation supports fetching the cipher, then it may
use \fIpropquery\fR as properties to be queried for when fetching.
-\&\fIcipher_name\fR may also be \s-1NULL,\s0 which will result in unencrypted
+\&\fIcipher_name\fR may also be NULL, which will result in unencrypted
encoding.
.PP
\&\fBOSSL_ENCODER_CTX_set_passphrase()\fR gives the implementation a
@@ -214,40 +138,40 @@ following functions.
and \fBOSSL_ENCODER_CTX_set_passphrase_cb()\fR sets up a callback method that the
implementation can use to prompt for a pass phrase, giving the caller the
choice of preferred pass phrase callback form. These are called indirectly,
-through an internal \s-1\fBOSSL_PASSPHRASE_CALLBACK\s0\fR\|(3) function.
+through an internal \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function.
.SS "Output types"
.IX Subsection "Output types"
-The possible \fB\s-1EVP_PKEY\s0\fR output types depends on the available
+The possible \fBEVP_PKEY\fR output types depends on the available
implementations.
.PP
OpenSSL has built in implementations for the following output types:
.ie n .IP """TEXT""" 4
-.el .IP "\f(CWTEXT\fR" 4
+.el .IP \f(CWTEXT\fR 4
.IX Item "TEXT"
The output is a human readable description of the key.
\&\fBEVP_PKEY_print_private\fR\|(3), \fBEVP_PKEY_print_public\fR\|(3) and
\&\fBEVP_PKEY_print_params\fR\|(3) use this for their output.
.ie n .IP """DER""" 4
-.el .IP "\f(CWDER\fR" 4
+.el .IP \f(CWDER\fR 4
.IX Item "DER"
-The output is the \s-1DER\s0 encoding of the \fIselection\fR of the \fIpkey\fR.
+The output is the DER encoding of the \fIselection\fR of the \fIpkey\fR.
.ie n .IP """PEM""" 4
-.el .IP "\f(CWPEM\fR" 4
+.el .IP \f(CWPEM\fR 4
.IX Item "PEM"
-The output is the \fIselection\fR of the \fIpkey\fR in \s-1PEM\s0 format.
-.SS "Selections"
+The output is the \fIselection\fR of the \fIpkey\fR in PEM format.
+.SS Selections
.IX Subsection "Selections"
\&\fIselection\fR can be any one of the values described in
-\&\*(L"Selections\*(R" in \fBEVP_PKEY_fromdata\fR\|(3).
+"Selections" in \fBEVP_PKEY_fromdata\fR\|(3).
.PP
These are only 'hints' since the encoder implementations are free to
determine what makes sense to include in the output, and this may depend on
-the desired output. For example, an \s-1EC\s0 key in a PKCS#8 structure doesn't
+the desired output. For example, an EC key in a PKCS#8 structure doesn't
usually include the public key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR returns a pointer to an \fB\s-1OSSL_ENCODER_CTX\s0\fR,
-or \s-1NULL\s0 if it couldn't be created.
+\&\fBOSSL_ENCODER_CTX_new_for_pkey()\fR returns a pointer to an \fBOSSL_ENCODER_CTX\fR,
+or NULL if it couldn't be created.
.PP
\&\fBOSSL_ENCODER_CTX_set_cipher()\fR, \fBOSSL_ENCODER_CTX_set_passphrase()\fR,
\&\fBOSSL_ENCODER_CTX_set_pem_password_cb()\fR, \fBOSSL_ENCODER_CTX_set_passphrase_ui()\fR
@@ -255,15 +179,15 @@ and \fBOSSL_ENCODER_CTX_set_passphrase_cb()\fR all return 1 on success, or 0 on
failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_ENCODER\s0\fR\|(3), \s-1\fBOSSL_ENCODER_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_ENCODER\fR\|(3), \fBOSSL_ENCODER_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3
index e8c48be3da89..6fe021b6d89f 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ENCODER_to_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ENCODER_TO_BIO 3ossl"
-.TH OSSL_ENCODER_TO_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ENCODER_TO_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ENCODER_to_data,
OSSL_ENCODER_to_bio,
OSSL_ENCODER_to_fp
\&\- Routines to perform an encoding
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/encoder.h>
@@ -153,13 +77,13 @@ OSSL_ENCODER_to_fp
.Ve
.PP
Feature availability macros:
-.IP "\fBOSSL_ENCODER_to_fp()\fR is only available when \fB\s-1OPENSSL_NO_STDIO\s0\fR is undefined." 4
+.IP "\fBOSSL_ENCODER_to_fp()\fR is only available when \fBOPENSSL_NO_STDIO\fR is undefined." 4
.IX Item "OSSL_ENCODER_to_fp() is only available when OPENSSL_NO_STDIO is undefined."
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_ENCODER_to_data()\fR runs the encoding process for the context \fIctx\fR,
with the output going to the \fI*pdata\fR and \fI*pdata_len\fR.
-If \fI*pdata\fR is \s-1NULL\s0 when \fBOSSL_ENCODER_to_data()\fR is called, a buffer will be
+If \fI*pdata\fR is NULL when \fBOSSL_ENCODER_to_data()\fR is called, a buffer will be
allocated using \fBOPENSSL_zalloc\fR\|(3), and \fI*pdata\fR will be set to point at
the start of that buffer, and \fI*pdata_len\fR will be assigned its length when
\&\fBOSSL_ENCODER_to_data()\fR returns.
@@ -169,21 +93,21 @@ after the encoded bytes, and \fI*pdata_len\fR will be assigned the number of
remaining bytes.
.PP
\&\fBOSSL_ENCODER_to_bio()\fR runs the encoding process for the context \fIctx\fR, with
-the output going to the \fB\s-1BIO\s0\fR \fIout\fR.
+the output going to the \fBBIO\fR \fIout\fR.
.PP
\&\fBOSSL_ENCODER_to_fp()\fR does the same thing as \fBOSSL_ENCODER_to_bio()\fR, except
-that the output is going to the \fB\s-1FILE\s0\fR \fIfp\fR.
+that the output is going to the \fBFILE\fR \fIfp\fR.
.PP
For \fBOSSL_ENCODER_to_bio()\fR and \fBOSSL_ENCODER_to_fp()\fR, the application is
-required to set up the \fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR properly, for example to have
+required to set up the \fBBIO\fR or \fBFILE\fR properly, for example to have
it in text or binary mode as is appropriate for the encoder output type.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_ENCODER_to_bio()\fR, \fBOSSL_ENCODER_to_fp()\fR and \fBOSSL_ENCODER_to_data()\fR
return 1 on success, or 0 on failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-To encode a pkey as PKCS#8 with \s-1PEM\s0 format into a bio:
+To encode a pkey as PKCS#8 with PEM format into a bio:
.PP
.Vb 4
\& OSSL_ENCODER_CTX *ectx;
@@ -209,8 +133,8 @@ To encode a pkey as PKCS#8 with \s-1PEM\s0 format into a bio:
\& OSSL_ENCODER_CTX_free(ectx);
.Ve
.PP
-To encode a pkey as PKCS#8 with \s-1DER\s0 format encrypted with
-\&\s-1AES\-256\-CBC\s0 into a buffer:
+To encode a pkey as PKCS#8 with DER format encrypted with
+AES\-256\-CBC into a buffer:
.PP
.Vb 6
\& OSSL_ENCODER_CTX *ectx;
@@ -244,15 +168,15 @@ To encode a pkey as PKCS#8 with \s-1DER\s0 format encrypted with
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_ENCODER_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_ENCODER_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3 b/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3
new file mode 100644
index 000000000000..0b83dfc52170
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_ERR_STATE_save.3
@@ -0,0 +1,139 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_ERR_STATE_SAVE 3ossl"
+.TH OSSL_ERR_STATE_SAVE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_ERR_STATE_new, OSSL_ERR_STATE_save, OSSL_ERR_STATE_save_to_mark,
+OSSL_ERR_STATE_restore, OSSL_ERR_STATE_free \- saving and restoring error state
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/err.h>
+\&
+\& ERR_STATE *OSSL_ERR_STATE_new(void);
+\& void OSSL_ERR_STATE_save(ERR_STATE *es);
+\& void OSSL_ERR_STATE_save_to_mark(ERR_STATE *es);
+\& void OSSL_ERR_STATE_restore(const ERR_STATE *es);
+\& void OSSL_ERR_STATE_free(ERR_STATE *es);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These functions save and restore the error state from the thread
+local error state to a preallocated error state structure.
+.PP
+\&\fBOSSL_ERR_STATE_new()\fR allocates an empty error state structure to
+be used when saving and restoring thread error state.
+.PP
+\&\fBOSSL_ERR_STATE_save()\fR saves the thread error state to \fIes\fR. It
+subsequently clears the thread error state. Any previously saved
+state in \fIes\fR is cleared prior to saving the new state.
+.PP
+\&\fBOSSL_ERR_STATE_save_to_mark()\fR is similar to \fBOSSL_ERR_STATE_save()\fR but only saves
+ERR entries up to the most recent mark on the ERR stack. These entries are moved
+to \fIes\fR and removed from the thread error state. However, the most recent
+marked ERR and any ERR state before it remains part of the thread error state
+and is not moved to the ERR_STATE. The mark is not cleared and must be cleared
+explicitly after a call to this function using \fBERR_pop_to_mark\fR\|(3) or
+\&\fBERR_clear_last_mark\fR\|(3). (Since a call to \fBOSSL_ERR_STATE_save_to_mark()\fR leaves
+the marked ERR as the top error, either of these functions will have the same
+effect.) If there is no marked ERR in the thread local error state, all ERR
+entries are copied and the effect is the same as for a call to
+\&\fBOSSL_ERR_STATE_save()\fR.
+.PP
+\&\fBOSSL_ERR_STATE_restore()\fR adds all the error entries from the
+saved state \fIes\fR to the thread error state. Existing entries in
+the thread error state are not affected if there is enough space
+for all the added entries. Any allocated data in the saved error
+entries is duplicated on adding to the thread state.
+.PP
+\&\fBOSSL_ERR_STATE_free()\fR frees the saved error state \fIes\fR.
+If the argument is NULL, nothing is done.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_ERR_STATE_new()\fR returns a pointer to the allocated ERR_STATE
+structure or NULL on error.
+.PP
+\&\fBOSSL_ERR_STATE_save()\fR, \fBOSSL_ERR_STATE_save_to_mark()\fR, \fBOSSL_ERR_STATE_restore()\fR,
+\&\fBOSSL_ERR_STATE_free()\fR do not return any values.
+.SH NOTES
+.IX Header "NOTES"
+\&\fBOSSL_ERR_STATE_save()\fR and \fBOSSL_ERR_STATE_save_to_mark()\fR cannot fail as it takes
+over any allocated data from the thread error state.
+.PP
+\&\fBOSSL_ERR_STATE_restore()\fR is a best effort function. The only failure
+that can happen during its operation is when memory allocation fails.
+Because it manipulates the thread error state it avoids raising memory
+errors on such failure. At worst the restored error entries will be
+missing the auxiliary error data.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBERR_raise\fR\|(3), \fBERR_get_error\fR\|(3), \fBERR_clear_error\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+All of these functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3 b/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3
index cf3f93c3822e..e5dedafb640d 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ESS_check_signing_certs.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ESS_CHECK_SIGNING_CERTS 3ossl"
-.TH OSSL_ESS_CHECK_SIGNING_CERTS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ESS_CHECK_SIGNING_CERTS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ESS_signing_cert_new_init,
OSSL_ESS_signing_cert_v2_new_init,
OSSL_ESS_check_signing_certs
\&\- Enhanced Security Services (ESS) functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ess.h>
@@ -159,25 +83,25 @@ OSSL_ESS_check_signing_certs
\& const STACK_OF(X509) *chain,
\& int require_signing_cert);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_ESS_signing_cert_new_init()\fR generates a new \fB\s-1ESS_SIGNING_CERT\s0\fR structure
+\&\fBOSSL_ESS_signing_cert_new_init()\fR generates a new \fBESS_SIGNING_CERT\fR structure
referencing the given \fIsigncert\fR and any given further \fIcerts\fR
-using their \s-1SHA\-1\s0 fingerprints.
+using their SHA\-1 fingerprints.
If \fIset_issuer_serial\fR is nonzero then also the issuer and serial number
-of \fIsigncert\fR are included in the \fB\s-1ESS_CERT_ID\s0\fR as the \fBissuerSerial\fR field.
+of \fIsigncert\fR are included in the \fBESS_CERT_ID\fR as the \fBissuerSerial\fR field.
For all members of \fIcerts\fR the \fBissuerSerial\fR field is always included.
.PP
\&\fBOSSL_ESS_signing_cert_v2_new_init()\fR is the same as
\&\fBOSSL_ESS_signing_cert_new_init()\fR except that it uses the given \fIhash_alg\fR and
-generates a \fB\s-1ESS_SIGNING_CERT_V2\s0\fR structure with \fB\s-1ESS_CERT_ID_V2\s0\fR elements.
+generates a \fBESS_SIGNING_CERT_V2\fR structure with \fBESS_CERT_ID_V2\fR elements.
.PP
\&\fBOSSL_ESS_check_signing_certs()\fR checks if the validation chain \fIchain\fR contains
the certificates required by the identifiers given in \fIss\fR and/or \fIssv2\fR.
-If \fIrequire_signing_cert\fR is nonzero, \fIss\fR or \fIssv2\fR must not be \s-1NULL.\s0
-If both \fIss\fR and \fIssv2\fR are not \s-1NULL,\s0 they are evaluated independently.
-The list of certificate identifiers in \fIss\fR is of type \fB\s-1ESS_CERT_ID\s0\fR,
-while the list contained in \fIssv2\fR is of type \fB\s-1ESS_CERT_ID_V2\s0\fR.
+If \fIrequire_signing_cert\fR is nonzero, \fIss\fR or \fIssv2\fR must not be NULL.
+If both \fIss\fR and \fIssv2\fR are not NULL, they are evaluated independently.
+The list of certificate identifiers in \fIss\fR is of type \fBESS_CERT_ID\fR,
+while the list contained in \fIssv2\fR is of type \fBESS_CERT_ID_V2\fR.
As far as these lists are present, they must be nonempty.
The certificate identified by their first entry must be the first element of
\&\fIchain\fR, i.e. the signer certificate.
@@ -186,15 +110,15 @@ The matching is done using the given certificate hash algorithm and value.
In addition to the checks required by RFCs 2624 and 5035,
if the \fBissuerSerial\fR field is included in an \fBESSCertID\fR or \fBESSCertIDv2\fR
it must match the certificate issuer and serial number attributes.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1ESS\s0 has been defined in \s-1RFC 2634,\s0 which has been updated in \s-1RFC 5035\s0
-(\s-1ESS\s0 version 2) to support hash algorithms other than \s-1SHA\-1.\s0
-This is used for \s-1TSP\s0 (\s-1RFC 3161\s0) and CAdES-BES (informational \s-1RFC 5126\s0).
+ESS has been defined in RFC 2634, which has been updated in RFC 5035
+(ESS version 2) to support hash algorithms other than SHA\-1.
+This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_ESS_signing_cert_new_init()\fR and \fBOSSL_ESS_signing_cert_v2_new_init()\fR
-return a pointer to the new structure or \s-1NULL\s0 on malloc failure.
+return a pointer to the new structure or NULL on malloc failure.
.PP
\&\fBOSSL_ESS_check_signing_certs()\fR returns 1 on success,
0 if a required certificate cannot be found, \-1 on other error.
@@ -202,15 +126,15 @@ return a pointer to the new structure or \s-1NULL\s0 on malloc failure.
.IX Header "SEE ALSO"
\&\fBTS_VERIFY_CTX_set_certs\fR\|(3),
\&\fBCMS_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_ESS_signing_cert_new_init()\fR, \fBOSSL_ESS_signing_cert_v2_new_init()\fR, and
\&\fBOSSL_ESS_check_signing_certs()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3 b/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3
new file mode 100644
index 000000000000..53e528c42d25
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_GENERAL_NAMES_print.3
@@ -0,0 +1,90 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_GENERAL_NAMES_PRINT 3ossl"
+.TH OSSL_GENERAL_NAMES_PRINT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_GENERAL_NAMES_print \- print GeneralNames in a human\-friendly, multi\-line
+string
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509v3.h>
+\&
+\& int OSSL_GENERAL_NAMES_print(BIO *out, GENERAL_NAMES *gens, int indent);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_GENERAL_NAMES_print()\fR prints a human readable version of the GeneralNames
+\&\fIgens\fR to BIO \fIout\fR. Each line is indented by \fIindent\fR spaces.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_GENERAL_NAMES_print()\fR always returns 1.
+.SH HISTORY
+.IX Header "HISTORY"
+The functions described here were all added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3 b/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3
new file mode 100644
index 000000000000..a9703ab351f5
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_HPKE_CTX_new.3
@@ -0,0 +1,594 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_HPKE_CTX_NEW 3ossl"
+.TH OSSL_HPKE_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_HPKE_CTX_new, OSSL_HPKE_CTX_free,
+OSSL_HPKE_encap, OSSL_HPKE_decap,
+OSSL_HPKE_seal, OSSL_HPKE_open, OSSL_HPKE_export,
+OSSL_HPKE_suite_check, OSSL_HPKE_str2suite,
+OSSL_HPKE_keygen, OSSL_HPKE_get_grease_value,
+OSSL_HPKE_get_ciphertext_size, OSSL_HPKE_get_public_encap_size,
+OSSL_HPKE_get_recommended_ikmelen,
+OSSL_HPKE_CTX_set1_psk, OSSL_HPKE_CTX_set1_ikme,
+OSSL_HPKE_CTX_set1_authpriv, OSSL_HPKE_CTX_set1_authpub,
+OSSL_HPKE_CTX_get_seq, OSSL_HPKE_CTX_set_seq
+\&\- Hybrid Public Key Encryption (HPKE) functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/hpke.h>
+\&
+\& typedef struct {
+\& uint16_t kem_id;
+\& uint16_t kdf_id;
+\& uint16_t aead_id;
+\& } OSSL_HPKE_SUITE;
+\&
+\& OSSL_HPKE_CTX *OSSL_HPKE_CTX_new(int mode, OSSL_HPKE_SUITE suite, int role,
+\& OSSL_LIB_CTX *libctx, const char *propq);
+\& void OSSL_HPKE_CTX_free(OSSL_HPKE_CTX *ctx);
+\&
+\& int OSSL_HPKE_encap(OSSL_HPKE_CTX *ctx,
+\& unsigned char *enc, size_t *enclen,
+\& const unsigned char *pub, size_t publen,
+\& const unsigned char *info, size_t infolen);
+\& int OSSL_HPKE_seal(OSSL_HPKE_CTX *ctx,
+\& unsigned char *ct, size_t *ctlen,
+\& const unsigned char *aad, size_t aadlen,
+\& const unsigned char *pt, size_t ptlen);
+\&
+\& int OSSL_HPKE_keygen(OSSL_HPKE_SUITE suite,
+\& unsigned char *pub, size_t *publen, EVP_PKEY **priv,
+\& const unsigned char *ikm, size_t ikmlen,
+\& OSSL_LIB_CTX *libctx, const char *propq);
+\& int OSSL_HPKE_decap(OSSL_HPKE_CTX *ctx,
+\& const unsigned char *enc, size_t enclen,
+\& EVP_PKEY *recippriv,
+\& const unsigned char *info, size_t infolen);
+\& int OSSL_HPKE_open(OSSL_HPKE_CTX *ctx,
+\& unsigned char *pt, size_t *ptlen,
+\& const unsigned char *aad, size_t aadlen,
+\& const unsigned char *ct, size_t ctlen);
+\&
+\& int OSSL_HPKE_export(OSSL_HPKE_CTX *ctx,
+\& unsigned char *secret, size_t secretlen,
+\& const unsigned char *label, size_t labellen);
+\&
+\& int OSSL_HPKE_CTX_set1_authpriv(OSSL_HPKE_CTX *ctx, EVP_PKEY *priv);
+\& int OSSL_HPKE_CTX_set1_authpub(OSSL_HPKE_CTX *ctx,
+\& unsigned char *pub, size_t publen);
+\& int OSSL_HPKE_CTX_set1_psk(OSSL_HPKE_CTX *ctx,
+\& const char *pskid,
+\& const unsigned char *psk, size_t psklen);
+\&
+\& int OSSL_HPKE_CTX_get_seq(OSSL_HPKE_CTX *ctx, uint64_t *seq);
+\& int OSSL_HPKE_CTX_set_seq(OSSL_HPKE_CTX *ctx, uint64_t seq);
+\&
+\& int OSSL_HPKE_CTX_set1_ikme(OSSL_HPKE_CTX *ctx,
+\& const unsigned char *ikme, size_t ikmelen);
+\&
+\& int OSSL_HPKE_suite_check(OSSL_HPKE_SUITE suite);
+\& int OSSL_HPKE_get_grease_value(const OSSL_HPKE_SUITE *suite_in,
+\& OSSL_HPKE_SUITE *suite,
+\& unsigned char *enc, size_t *enclen,
+\& unsigned char *ct, size_t ctlen,
+\& OSSL_LIB_CTX *libctx, const char *propq);
+\&
+\& int OSSL_HPKE_str2suite(const char *str, OSSL_HPKE_SUITE *suite);
+\& size_t OSSL_HPKE_get_ciphertext_size(OSSL_HPKE_SUITE suite, size_t clearlen);
+\& size_t OSSL_HPKE_get_public_encap_size(OSSL_HPKE_SUITE suite);
+\& size_t OSSL_HPKE_get_recommended_ikmelen(OSSL_HPKE_SUITE suite);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These functions provide an API for using the form of Hybrid Public Key
+Encryption (HPKE) defined in RFC9180. Understanding the HPKE specification
+is likely required before using these APIs. HPKE is used by various
+other IETF specifications, including the TLS Encrypted Client
+Hello (ECH) specification and others.
+.PP
+HPKE is a standardised, highly flexible construct for encrypting "to" a public
+key that supports combinations of a key encapsulation method (KEM), a key
+derivation function (KDF) and an authenticated encryption with additional data
+(AEAD) algorithm, with optional sender authentication.
+.PP
+The sender and a receiver here will generally be using some application or
+protocol making use of HPKE. For example, with ECH,
+the sender will be a browser and the receiver will be a web server.
+.SS "Data Structures"
+.IX Subsection "Data Structures"
+\&\fBOSSL_HPKE_SUITE\fR is a structure that holds identifiers for the algorithms
+used for KEM, KDF and AEAD operations.
+.PP
+\&\fBOSSL_HPKE_CTX\fR is a context that maintains internal state as HPKE
+operations are carried out. Separate \fBOSSL_HPKE_CTX\fR objects must be used for
+the sender and receiver. Attempting to use a single context for both will
+result in errors.
+.SS "OSSL_HPKE_SUITE Identifiers"
+.IX Subsection "OSSL_HPKE_SUITE Identifiers"
+The identifiers used by \fBOSSL_HPKE_SUITE\fR are:
+.PP
+The KEM identifier \fIkem_id\fR is one of the following:
+.IP "0x10 \fBOSSL_HPKE_KEM_ID_P256\fR" 4
+.IX Item "0x10 OSSL_HPKE_KEM_ID_P256"
+.PD 0
+.IP "0x11 \fBOSSL_HPKE_KEM_ID_P384\fR" 4
+.IX Item "0x11 OSSL_HPKE_KEM_ID_P384"
+.IP "0x12 \fBOSSL_HPKE_KEM_ID_P521\fR" 4
+.IX Item "0x12 OSSL_HPKE_KEM_ID_P521"
+.IP "0x20 \fBOSSL_HPKE_KEM_ID_X25519\fR" 4
+.IX Item "0x20 OSSL_HPKE_KEM_ID_X25519"
+.IP "0x21 \fBOSSL_HPKE_KEM_ID_X448\fR" 4
+.IX Item "0x21 OSSL_HPKE_KEM_ID_X448"
+.PD
+.PP
+The KDF identifier \fIkdf_id\fR is one of the following:
+.IP "0x01 \fBOSSL_HPKE_KDF_ID_HKDF_SHA256\fR" 4
+.IX Item "0x01 OSSL_HPKE_KDF_ID_HKDF_SHA256"
+.PD 0
+.IP "0x02 \fBOSSL_HPKE_KDF_ID_HKDF_SHA384\fR" 4
+.IX Item "0x02 OSSL_HPKE_KDF_ID_HKDF_SHA384"
+.IP "0x03 \fBOSSL_HPKE_KDF_ID_HKDF_SHA512\fR" 4
+.IX Item "0x03 OSSL_HPKE_KDF_ID_HKDF_SHA512"
+.PD
+.PP
+The AEAD identifier \fIaead_id\fR is one of the following:
+.IP "0x01 \fBOSSL_HPKE_AEAD_ID_AES_GCM_128\fR" 4
+.IX Item "0x01 OSSL_HPKE_AEAD_ID_AES_GCM_128"
+.PD 0
+.IP "0x02 \fBOSSL_HPKE_AEAD_ID_AES_GCM_256\fR" 4
+.IX Item "0x02 OSSL_HPKE_AEAD_ID_AES_GCM_256"
+.IP "0x03 \fBOSSL_HPKE_AEAD_ID_CHACHA_POLY1305\fR" 4
+.IX Item "0x03 OSSL_HPKE_AEAD_ID_CHACHA_POLY1305"
+.IP "0xFFFF \fBOSSL_HPKE_AEAD_ID_EXPORTONLY\fR" 4
+.IX Item "0xFFFF OSSL_HPKE_AEAD_ID_EXPORTONLY"
+.PD
+The last identifier above indicates that AEAD operations are not needed.
+\&\fBOSSL_HPKE_export()\fR can be used, but \fBOSSL_HPKE_open()\fR and \fBOSSL_HPKE_seal()\fR will
+return an error if called with a context using that AEAD identifier.
+.SS "HPKE Modes"
+.IX Subsection "HPKE Modes"
+HPKE supports the following variants of Authentication using a mode Identifier:
+.IP "\fBOSSL_HPKE_MODE_BASE\fR, 0x00" 4
+.IX Item "OSSL_HPKE_MODE_BASE, 0x00"
+Authentication is not used.
+.IP "\fBOSSL_HPKE_MODE_PSK\fR, 0x01" 4
+.IX Item "OSSL_HPKE_MODE_PSK, 0x01"
+Authenticates possession of a pre-shared key (PSK).
+.IP "\fBOSSL_HPKE_MODE_AUTH\fR, 0x02" 4
+.IX Item "OSSL_HPKE_MODE_AUTH, 0x02"
+Authenticates possession of a KEM-based sender private key.
+.IP "\fBOSSL_HPKE_MODE_PSKAUTH\fR, 0x03" 4
+.IX Item "OSSL_HPKE_MODE_PSKAUTH, 0x03"
+A combination of \fBOSSL_HPKE_MODE_PSK\fR and \fBOSSL_HPKE_MODE_AUTH\fR.
+Both the PSK and the senders authentication public/private must be
+supplied before the encapsulation/decapsulation operation will work.
+.PP
+For further information related to authentication see "Pre-Shared Key HPKE
+modes" and "Sender-authenticated HPKE Modes".
+.SS "HPKE Roles"
+.IX Subsection "HPKE Roles"
+HPKE contexts have a role \- either sender or receiver. This is used
+to control which functions can be called and so that senders do not
+reuse a key and nonce with different plaintexts.
+.PP
+\&\fBOSSL_HPKE_CTX_free()\fR, \fBOSSL_HPKE_export()\fR, \fBOSSL_HPKE_CTX_set1_psk()\fR,
+and \fBOSSL_HPKE_CTX_get_seq()\fR can be called regardless of role.
+.IP "\fBOSSL_HPKE_ROLE_SENDER\fR, 0" 4
+.IX Item "OSSL_HPKE_ROLE_SENDER, 0"
+An \fIOSSL_HPKE_CTX\fR with this role can be used with
+\&\fBOSSL_HPKE_encap()\fR, \fBOSSL_HPKE_seal()\fR, \fBOSSL_HPKE_CTX_set1_ikme()\fR and
+\&\fBOSSL_HPKE_CTX_set1_authpriv()\fR.
+.IP "\fBOSSL_HPKE_ROLE_RECEIVER\fR, 1" 4
+.IX Item "OSSL_HPKE_ROLE_RECEIVER, 1"
+An \fIOSSL_HPKE_CTX\fR with this role can be used with \fBOSSL_HPKE_decap()\fR,
+\&\fBOSSL_HPKE_open()\fR, \fBOSSL_HPKE_CTX_set1_authpub()\fR and \fBOSSL_HPKE_CTX_set_seq()\fR.
+.PP
+Calling a function with an incorrect role set on \fIOSSL_HPKE_CTX\fR will result
+in an error.
+.SS "Parameter Size Limits"
+.IX Subsection "Parameter Size Limits"
+In order to improve interoperability, RFC9180, section 7.2.1 suggests a
+RECOMMENDED maximum size of 64 octets for various input parameters. In this
+implementation we apply a limit of 66 octets for the \fIikmlen\fR, \fIpsklen\fR, and
+\&\fIlabellen\fR parameters, and for the length of the string \fIpskid\fR for HPKE
+functions below. The constant \fIOSSL_HPKE_MAX_PARMLEN\fR is defined as the limit
+of this value. (We chose 66 octets so that we can validate all the test
+vectors present in RFC9180, Appendix A.)
+.PP
+In accordance with RFC9180, section 9.5, we define a constant
+\&\fIOSSL_HPKE_MIN_PSKLEN\fR with a value of 32 for the minimum length of a
+pre-shared key, passed in \fIpsklen\fR.
+.PP
+While RFC9180 also RECOMMENDS a 64 octet limit for the \fIinfolen\fR parameter,
+that is not sufficient for TLS Encrypted ClientHello (ECH) processing, so we
+enforce a limit of \fIOSSL_HPKE_MAX_INFOLEN\fR with a value of 1024 as the limit
+for the \fIinfolen\fR parameter.
+.SS "Context Construct/Free"
+.IX Subsection "Context Construct/Free"
+\&\fBOSSL_HPKE_CTX_new()\fR creates a \fBOSSL_HPKE_CTX\fR context object used for
+subsequent HPKE operations, given a \fImode\fR (See "HPKE Modes"), \fIsuite\fR (see
+"OSSL_HPKE_SUITE Identifiers") and a \fIrole\fR (see "HPKE Roles"). The
+\&\fIlibctx\fR and \fIpropq\fR are used when fetching algorithms from providers and may
+be set to NULL.
+.PP
+\&\fBOSSL_HPKE_CTX_free()\fR frees the \fIctx\fR \fBOSSL_HPKE_CTX\fR that was created
+previously by a call to \fBOSSL_HPKE_CTX_new()\fR. If the argument to
+\&\fBOSSL_HPKE_CTX_free()\fR is NULL, nothing is done.
+.SS "Sender APIs"
+.IX Subsection "Sender APIs"
+A sender's goal is to use HPKE to encrypt using a public key, via use of a
+KEM, then a KDF and finally an AEAD. The first step is to encapsulate (using
+\&\fBOSSL_HPKE_encap()\fR) the sender's public value using the recipient's public key,
+(\fIpub\fR) and to internally derive secrets. This produces the encapsulated public value
+(\fIenc\fR) to be sent to the recipient in whatever protocol is using HPKE. Having done the
+encapsulation step, the sender can then make one or more calls to
+\&\fBOSSL_HPKE_seal()\fR to encrypt plaintexts using the secret stored within \fIctx\fR.
+.PP
+\&\fBOSSL_HPKE_encap()\fR uses the HPKE context \fIctx\fR, the recipient public value
+\&\fIpub\fR of size \fIpublen\fR, and an optional \fIinfo\fR parameter of size \fIinfolen\fR,
+to produce the encapsulated public value \fIenc\fR.
+On input \fIenclen\fR should contain the maximum size of the \fIenc\fR buffer, and returns
+the output size. An error will occur if the input \fIenclen\fR is
+smaller than the value returned from \fBOSSL_HPKE_get_public_encap_size()\fR.
+\&\fIinfo\fR may be used to bind other protocol or application artefacts such as identifiers.
+Generally, the encapsulated public value \fIenc\fR corresponds to a
+single-use ephemeral private value created as part of the encapsulation
+process. Only a single call to \fBOSSL_HPKE_encap()\fR is allowed for a given
+\&\fBOSSL_HPKE_CTX\fR.
+.PP
+\&\fBOSSL_HPKE_seal()\fR takes the \fBOSSL_HPKE_CTX\fR context \fIctx\fR, the plaintext
+buffer \fIpt\fR of size \fIptlen\fR and optional additional authenticated data buffer
+\&\fIaad\fR of size \fIaadlen\fR, and returns the ciphertext \fIct\fR of size \fIctlen\fR.
+On input \fIctlen\fR should contain the maximum size of the \fIct\fR buffer, and returns
+the output size. An error will occur if the input \fIctlen\fR is
+smaller than the value returned from \fBOSSL_HPKE_get_public_encap_size()\fR.
+.PP
+\&\fBOSSL_HPKE_encap()\fR must be called before the \fBOSSL_HPKE_seal()\fR. \fBOSSL_HPKE_seal()\fR
+may be called multiple times, with an internal "nonce" being incremented by one
+after each call.
+.SS "Recipient APIs"
+.IX Subsection "Recipient APIs"
+Recipients using HPKE require a typically less ephemeral private value so that
+the public value can be distributed to potential senders via whatever protocol
+is using HPKE. For this reason, recipients will generally first generate a key
+pair and will need to manage their private key value using standard mechanisms
+outside the scope of this API. Private keys use normal \fBEVP_PKEY\fR\|(3) pointers
+so normal private key management mechanisms can be used for the relevant
+values.
+.PP
+In order to enable encapsulation, the recipient needs to make it's public value
+available to the sender. There is no generic HPKE format defined for that \- the
+relevant formatting is intended to be defined by the application/protocols that
+makes use of HPKE. ECH for example defines an ECHConfig data structure that
+combines the public value with other ECH data items. Normal library functions
+must therefore be used to extract the public value in the required format based
+on the \fBEVP_PKEY\fR\|(3) for the private value.
+.PP
+\&\fBOSSL_HPKE_keygen()\fR provides a way for recipients to generate a key pair based
+on the HPKE \fIsuite\fR to be used. It returns a \fBEVP_PKEY\fR\|(3) pointer
+for the private value \fIpriv\fR and a encoded public key \fIpub\fR of size \fIpublen\fR.
+On input \fIpublen\fR should contain the maximum size of the \fIpub\fR buffer, and
+returns the output size. An error will occur if the input \fIpublen\fR is too small.
+The \fIlibctx\fR and \fIpropq\fR are used when fetching algorithms from providers
+and may be set to NULL.
+The HPKE specification also defines a deterministic key generation scheme where
+the private value is derived from initial keying material (IKM), so
+\&\fBOSSL_HPKE_keygen()\fR also has an option to use that scheme, using the \fIikm\fR
+parameter of size \fIikmlen\fR. If either \fIikm\fR is NULL or \fIikmlen\fR is zero,
+then a randomly generated key for the relevant \fIsuite\fR will be produced.
+If required \fIikmlen\fR should be greater than or equal to
+\&\fBOSSL_HPKE_get_recommended_ikmelen()\fR.
+.PP
+\&\fBOSSL_HPKE_decap()\fR takes as input the sender's encapsulated public value
+produced by \fBOSSL_HPKE_encap()\fR (\fIenc\fR) and the recipient's \fBEVP_PKEY\fR\|(3)
+pointer (\fIprov\fR), and then re-generates the internal secret derived by the
+sender. As before, an optional \fIinfo\fR parameter allows binding that derived
+secret to other application/protocol artefacts. Only a single call to
+\&\fBOSSL_HPKE_decap()\fR is allowed for a given \fBOSSL_HPKE_CTX\fR.
+.PP
+\&\fBOSSL_HPKE_open()\fR is used by the recipient to decrypt the ciphertext \fIct\fR of
+size \fIctlen\fR using the \fIctx\fR and additional authenticated data \fIaad\fR of
+size \fIaadlen\fR, to produce the plaintext \fIpt\fR of size \fIptlen\fR.
+On input \fIptlen\fR should contain the maximum size of the \fIpt\fR buffer, and
+returns the output size. A \fIpt\fR buffer that is the same size as the
+\&\fIct\fR buffer will suffice \- generally the plaintext output will be
+a little smaller than the ciphertext input.
+An error will occur if the input \fIptlen\fR is too small.
+\&\fBOSSL_HPKE_open()\fR may be called multiple times, but as with \fBOSSL_HPKE_seal()\fR
+there is an internally incrementing nonce value so ciphertexts need to be
+presented in the same order as used by the \fBOSSL_HPKE_seal()\fR.
+See "Re-sequencing" if you need to process multiple ciphertexts in a
+different order.
+.SS "Exporting Secrets"
+.IX Subsection "Exporting Secrets"
+HPKE defines a way to produce exported secrets for use by the
+application.
+.PP
+\&\fBOSSL_HPKE_export()\fR takes as input the \fBOSSL_HPKE_CTX\fR, and an application
+supplied label \fIlabel\fR of size \fIlabellen\fR, to produce a secret \fIsecret\fR
+of size \fIsecretlen\fR. The sender must first call \fBOSSL_HPKE_encap()\fR, and the
+receiver must call \fBOSSL_HPKE_decap()\fR in order to derive the same shared secret.
+.PP
+Multiple calls to \fBOSSL_HPKE_export()\fR with the same inputs will produce the
+same secret.
+\&\fIOSSL_HPKE_AEAD_ID_EXPORTONLY\fR may be used as the \fBOSSL_HPKE_SUITE\fR \fIaead_id\fR
+that is passed to \fBOSSL_HPKE_CTX_new()\fR if the user needs to produce a shared
+secret, but does not wish to perform HPKE encryption.
+.SS "Sender-authenticated HPKE Modes"
+.IX Subsection "Sender-authenticated HPKE Modes"
+HPKE defines modes that support KEM-based sender-authentication
+\&\fBOSSL_HPKE_MODE_AUTH\fR and \fBOSSL_HPKE_MODE_PSKAUTH\fR. This works by binding
+the sender's authentication private/public values into the encapsulation and
+decapsulation operations. The key used for such modes must also use the same
+KEM as used for the overall exchange. \fBOSSL_HPKE_keygen()\fR can be used to
+generate the private value required.
+.PP
+\&\fBOSSL_HPKE_CTX_set1_authpriv()\fR can be used by the sender to set the senders
+private \fIpriv\fR \fBEVP_PKEY\fR key into the \fBOSSL_HPKE_CTX\fR \fIctx\fR before calling
+\&\fBOSSL_HPKE_encap()\fR.
+.PP
+\&\fBOSSL_HPKE_CTX_set1_authpub()\fR can be used by the receiver to set the senders
+encoded pub key \fIpub\fR of size \fIpublen\fR into the \fBOSSL_HPKE_CTX\fR \fIctx\fR before
+calling \fBOSSL_HPKE_decap()\fR.
+.SS "Pre-Shared Key HPKE modes"
+.IX Subsection "Pre-Shared Key HPKE modes"
+HPKE also defines a symmetric equivalent to the authentication described above
+using a pre-shared key (PSK) and a PSK identifier. PSKs can be used with the
+\&\fBOSSL_HPKE_MODE_PSK\fR and \fBOSSL_HPKE_MODE_PSKAUTH\fR modes.
+.PP
+\&\fBOSSL_HPKE_CTX_set1_psk()\fR sets the PSK identifier \fIpskid\fR string, and PSK buffer
+\&\fIpsk\fR of size \fIpsklen\fR into the \fIctx\fR. If required this must be called
+before \fBOSSL_HPKE_encap()\fR or \fBOSSL_HPKE_decap()\fR.
+As per RFC9180, if required, both \fIpsk\fR and \fIpskid\fR must be set to non-NULL values.
+As PSKs are symmetric the same calls must happen on both sender and receiver
+sides.
+.SS "Deterministic key generation for senders"
+.IX Subsection "Deterministic key generation for senders"
+Normally the senders ephemeral private key is generated randomly inside
+\&\fBOSSL_HPKE_encap()\fR and remains secret.
+\&\fBOSSL_HPKE_CTX_set1_ikme()\fR allows the user to override this behaviour by
+setting a deterministic input key material \fIikm\fR of size \fIikmlen\fR into
+the \fBOSSL_HPKE_CTX\fR \fIctx\fR.
+If required \fBOSSL_HPKE_CTX_set1_ikme()\fR can optionally be called before
+\&\fBOSSL_HPKE_encap()\fR.
+\&\fIikmlen\fR should be greater than or equal to \fBOSSL_HPKE_get_recommended_ikmelen()\fR.
+.PP
+It is generally undesirable to use \fBOSSL_HPKE_CTX_set1_ikme()\fR, since it
+exposes the relevant secret to the application rather then preserving it
+within the library, and is more likely to result in use of predictable values
+or values that leak.
+.SS Re-sequencing
+.IX Subsection "Re-sequencing"
+Some protocols may have to deal with packet loss while still being able to
+decrypt arriving packets later. We provide a way to set the increment used for
+the nonce to the next subsequent call to \fBOSSL_HPKE_open()\fR (but not to
+\&\fBOSSL_HPKE_seal()\fR as explained below). The \fBOSSL_HPKE_CTX_set_seq()\fR API can be
+used for such purposes with the \fIseq\fR parameter value resetting the internal
+nonce increment to be used for the next call.
+.PP
+A baseline nonce value is established based on the encapsulation or
+decapsulation operation and is then incremented by 1 for each call to seal or
+open. (In other words, the first \fIseq\fR increment defaults to zero.)
+.PP
+If a caller needs to determine how many calls to seal or open have been made
+the \fBOSSL_HPKE_CTX_get_seq()\fR API can be used to retrieve the increment (in the
+\&\fIseq\fR output) that will be used in the next call to seal or open. That would
+return 0 before the first call a sender made to \fBOSSL_HPKE_seal()\fR and 1 after
+that first call.
+.PP
+Note that reuse of the same nonce and key with different plaintexts would
+be very dangerous and could lead to loss of confidentiality and integrity.
+We therefore only support application control over \fIseq\fR for decryption
+(i.e. \fBOSSL_HPKE_open()\fR) operations.
+.PP
+For compatibility with other implementations these \fIseq\fR increments are
+represented as \fIuint64_t\fR.
+.SS "Protocol Convenience Functions"
+.IX Subsection "Protocol Convenience Functions"
+Additional convenience APIs allow the caller to access internal details of
+local HPKE support and/or algorithms, such as parameter lengths.
+.PP
+\&\fBOSSL_HPKE_suite_check()\fR checks if a specific \fBOSSL_HPKE_SUITE\fR \fIsuite\fR
+is supported locally.
+.PP
+To assist with memory allocation, \fBOSSL_HPKE_get_ciphertext_size()\fR provides a
+way for the caller to know by how much ciphertext will be longer than a
+plaintext of length \fIclearlen\fR. (AEAD algorithms add a data integrity tag,
+so there is a small amount of ciphertext expansion.)
+.PP
+\&\fBOSSL_HPKE_get_public_encap_size()\fR provides a way for senders to know how big
+the encapsulated public value will be for a given HPKE \fIsuite\fR.
+.PP
+\&\fBOSSL_HPKE_get_recommended_ikmelen()\fR returns the recommended Input Key Material
+size (in bytes) for a given \fIsuite\fR. This is needed in cases where the same
+public value needs to be regenerated by a sender before calling \fBOSSL_HPKE_seal()\fR.
+\&\fIikmlen\fR should be at least this size.
+.PP
+\&\fBOSSL_HPKE_get_grease_value()\fR produces values of the appropriate length for a
+given \fIsuite_in\fR value (or a random value if \fIsuite_in\fR is NULL) so that a
+protocol using HPKE can send so-called GREASE (see RFC8701) values that are
+harder to distinguish from a real use of HPKE. The buffer sizes should
+be supplied on input. The output \fIenc\fR value will have an appropriate
+length for \fIsuite_out\fR and a random value, and the \fIct\fR output will be
+a random value. The relevant sizes for buffers can be found using
+\&\fBOSSL_HPKE_get_ciphertext_size()\fR and \fBOSSL_HPKE_get_public_encap_size()\fR.
+.PP
+\&\fBOSSL_HPKE_str2suite()\fR maps input \fIstr\fR strings to an \fBOSSL_HPKE_SUITE\fR object.
+The input \fIstr\fR should be a comma-separated string with a KEM,
+KDF and AEAD name in that order, for example "x25519,hkdf\-sha256,aes128gcm".
+This can be used by command line tools that accept string form names for HPKE
+codepoints. Valid (case-insensitive) names are:
+"p\-256", "p\-384", "p\-521", "x25519" and "x448" for KEM,
+"hkdf\-sha256", "hkdf\-sha384" and "hkdf\-sha512" for KDF, and
+"aes\-gcm\-128", "aes\-gcm\-256", "chacha20\-poly1305" and "exporter" for AEAD.
+String variants of the numbers listed in "OSSL_HPKE_SUITE Identifiers"
+can also be used.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_HPKE_CTX_new()\fR returns an OSSL_HPKE_CTX pointer or NULL on error.
+.PP
+\&\fBOSSL_HPKE_get_ciphertext_size()\fR, \fBOSSL_HPKE_get_public_encap_size()\fR,
+\&\fBOSSL_HPKE_get_recommended_ikmelen()\fR all return a size_t with the
+relevant value or zero on error.
+.PP
+All other functions return 1 for success or zero for error.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+This example demonstrates a minimal round-trip using HPKE.
+.PP
+.Vb 4
+\& #include <stddef.h>
+\& #include <string.h>
+\& #include <openssl/hpke.h>
+\& #include <openssl/evp.h>
+\&
+\& /*
+\& * this is big enough for this example, real code would need different
+\& * handling
+\& */
+\& #define LBUFSIZE 48
+\&
+\& /* Do a round\-trip, generating a key, encrypting and decrypting */
+\& int main(int argc, char **argv)
+\& {
+\& int ok = 0;
+\& int hpke_mode = OSSL_HPKE_MODE_BASE;
+\& OSSL_HPKE_SUITE hpke_suite = OSSL_HPKE_SUITE_DEFAULT;
+\& OSSL_HPKE_CTX *sctx = NULL, *rctx = NULL;
+\& EVP_PKEY *priv = NULL;
+\& unsigned char pub[LBUFSIZE];
+\& size_t publen = sizeof(pub);
+\& unsigned char enc[LBUFSIZE];
+\& size_t enclen = sizeof(enc);
+\& unsigned char ct[LBUFSIZE];
+\& size_t ctlen = sizeof(ct);
+\& unsigned char clear[LBUFSIZE];
+\& size_t clearlen = sizeof(clear);
+\& const unsigned char *pt = "a message not in a bottle";
+\& size_t ptlen = strlen((char *)pt);
+\& const unsigned char *info = "Some info";
+\& size_t infolen = strlen((char *)info);
+\& unsigned char aad[] = { 1, 2, 3, 4, 5, 6, 7, 8 };
+\& size_t aadlen = sizeof(aad);
+\&
+\& /*
+\& * Generate receiver\*(Aqs key pair.
+\& * The receiver gives this public key to the sender.
+\& */
+\& if (OSSL_HPKE_keygen(hpke_suite, pub, &publen, &priv,
+\& NULL, 0, NULL, NULL) != 1)
+\& goto err;
+\&
+\& /* sender\*(Aqs actions \- encrypt data using the receivers public key */
+\& if ((sctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
+\& OSSL_HPKE_ROLE_SENDER,
+\& NULL, NULL)) == NULL)
+\& goto err;
+\& if (OSSL_HPKE_encap(sctx, enc, &enclen, pub, publen, info, infolen) != 1)
+\& goto err;
+\& if (OSSL_HPKE_seal(sctx, ct, &ctlen, aad, aadlen, pt, ptlen) != 1)
+\& goto err;
+\&
+\& /* receiver\*(Aqs actions \- decrypt data using the receivers private key */
+\& if ((rctx = OSSL_HPKE_CTX_new(hpke_mode, hpke_suite,
+\& OSSL_HPKE_ROLE_RECEIVER,
+\& NULL, NULL)) == NULL)
+\& goto err;
+\& if (OSSL_HPKE_decap(rctx, enc, enclen, priv, info, infolen) != 1)
+\& goto err;
+\& if (OSSL_HPKE_open(rctx, clear, &clearlen, aad, aadlen, ct, ctlen) != 1)
+\& goto err;
+\& ok = 1;
+\& err:
+\& /* clean up */
+\& printf(ok ? "All Good!\en" : "Error!\en");
+\& OSSL_HPKE_CTX_free(rctx);
+\& OSSL_HPKE_CTX_free(sctx);
+\& EVP_PKEY_free(priv);
+\& return 0;
+\& }
+.Ve
+.SH WARNINGS
+.IX Header "WARNINGS"
+Note that the \fBOSSL_HPKE_CTX_set_seq()\fR API could be dangerous \- if used with GCM
+that could lead to nonce-reuse, which is a known danger. So avoid that
+entirely, or be very very careful when using that API.
+.PP
+Use of an IKM value for deterministic key generation (via
+\&\fBOSSL_HPKE_CTX_set1_ikme()\fR or \fBOSSL_HPKE_keygen()\fR) creates the potential for
+leaking keys (or IKM values). Only use that if really needed and if you
+understand how keys or IKM values could be abused.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+The RFC9180 specification: https://datatracker.ietf.org/doc/rfc9180/
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality described here was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3
index f8bf77c2d172..a9f99ef453d8 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_REQ_CTX.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_HTTP_REQ_CTX 3ossl"
-.TH OSSL_HTTP_REQ_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_HTTP_REQ_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_HTTP_REQ_CTX,
OSSL_HTTP_REQ_CTX_new,
OSSL_HTTP_REQ_CTX_free,
@@ -150,9 +74,10 @@ OSSL_HTTP_REQ_CTX_exchange,
OSSL_HTTP_REQ_CTX_get0_mem_bio,
OSSL_HTTP_REQ_CTX_get_resp_len,
OSSL_HTTP_REQ_CTX_set_max_response_length,
+OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines,
OSSL_HTTP_is_alive
\&\- HTTP client low\-level functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/http.h>
@@ -169,7 +94,7 @@ OSSL_HTTP_is_alive
\& const char *name, const char *value);
\&
\& int OSSL_HTTP_REQ_CTX_set_expected(OSSL_HTTP_REQ_CTX *rctx,
-\& const char *content_type, int asn1,
+\& const char *expected_content_type, int expect_asn1,
\& int timeout, int keep_alive);
\& int OSSL_HTTP_REQ_CTX_set1_req(OSSL_HTTP_REQ_CTX *rctx, const char *content_type,
\& const ASN1_ITEM *it, const ASN1_VALUE *req);
@@ -182,41 +107,44 @@ OSSL_HTTP_is_alive
\& size_t OSSL_HTTP_REQ_CTX_get_resp_len(const OSSL_HTTP_REQ_CTX *rctx);
\& void OSSL_HTTP_REQ_CTX_set_max_response_length(OSSL_HTTP_REQ_CTX *rctx,
\& unsigned long len);
+\& void OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(OSSL_HTTP_REQ_CTX *rctx,
+\& size_t count);
\&
\& int OSSL_HTTP_is_alive(const OSSL_HTTP_REQ_CTX *rctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_HTTP_REQ_CTX\s0\fR is a context structure for an \s-1HTTP\s0 request and response,
+\&\fBOSSL_HTTP_REQ_CTX\fR is a context structure for an HTTP request and response,
used to collect all the necessary data to perform that request.
.PP
-This file documents low-level \s-1HTTP\s0 functions rarely used directly. High-level
-\&\s-1HTTP\s0 client functions like \fBOSSL_HTTP_get\fR\|(3) and \fBOSSL_HTTP_transfer\fR\|(3)
+This file documents low-level HTTP functions rarely used directly. High-level
+HTTP client functions like \fBOSSL_HTTP_get\fR\|(3) and \fBOSSL_HTTP_transfer\fR\|(3)
should be preferred.
.PP
-\&\fBOSSL_HTTP_REQ_CTX_new()\fR allocates a new \s-1HTTP\s0 request context structure,
-which gets populated with the \fB\s-1BIO\s0\fR to write/send the request to (\fIwbio\fR),
-the \fB\s-1BIO\s0\fR to read/receive the response from (\fIrbio\fR, which may be equal to
+\&\fBOSSL_HTTP_REQ_CTX_new()\fR allocates a new HTTP request context structure,
+which gets populated with the \fBBIO\fR to write/send the request to (\fIwbio\fR),
+the \fBBIO\fR to read/receive the response from (\fIrbio\fR, which may be equal to
\&\fIwbio\fR), and the maximum expected response header line length \fIbuf_size\fR.
A value <= 0 indicates that
-the \fB\s-1OSSL_HTTP_DEFAULT_MAX_LINE_LEN\s0\fR of 4KiB should be used.
+the \fBOSSL_HTTP_DEFAULT_MAX_LINE_LEN\fR of 4KiB should be used.
\&\fIbuf_size\fR is also used as the number of content bytes that are read at a time.
-The allocated context structure includes an internal memory \fB\s-1BIO\s0\fR,
-which collects the \s-1HTTP\s0 request header lines.
+The allocated context structure includes an internal memory \fBBIO\fR,
+which collects the HTTP request header lines.
.PP
-\&\fBOSSL_HTTP_REQ_CTX_free()\fR frees up the \s-1HTTP\s0 request context \fIrctx\fR.
+\&\fBOSSL_HTTP_REQ_CTX_free()\fR frees up the HTTP request context \fIrctx\fR.
The \fIrbio\fR is not free'd, \fIwbio\fR will be free'd if \fIfree_wbio\fR is set.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR adds the 1st \s-1HTTP\s0 request line to \fIrctx\fR.
-The \s-1HTTP\s0 method is determined by \fImethod_POST\fR,
+\&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR adds the 1st HTTP request line to \fIrctx\fR.
+The HTTP method is determined by \fImethod_POST\fR,
which should be 1 to indicate \f(CW\*(C`POST\*(C'\fR or 0 to indicate \f(CW\*(C`GET\*(C'\fR.
\&\fIserver\fR and \fIport\fR may be set to give the server and the optional port that
-an \s-1HTTP\s0 proxy shall forward the request to, otherwise they must be left \s-1NULL.\s0
-\&\fIpath\fR provides the \s-1HTTP\s0 request path; if left \s-1NULL,\s0 \f(CW\*(C`/\*(C'\fR is used.
+an HTTP proxy shall forward the request to, otherwise they must be left NULL.
+\&\fIpath\fR provides the HTTP request path; if left NULL, \f(CW\*(C`/\*(C'\fR is used.
For backward compatibility, \fIpath\fR may begin with \f(CW\*(C`http://\*(C'\fR and thus convey
-an absoluteURI. In this case it indicates \s-1HTTP\s0 proxy use and provides also the
+an absoluteURI. In this case it indicates HTTP proxy use and provides also the
server (and optionally the port) that the proxy shall forward the request to.
-In this case the \fIserver\fR and \fIport\fR arguments must be \s-1NULL.\s0
+In this case the \fIserver\fR and \fIport\fR arguments must be NULL.
.PP
\&\fBOSSL_HTTP_REQ_CTX_add1_header()\fR adds header \fIname\fR with value \fIvalue\fR to the
context \fIrctx\fR. It can be called more than once to add multiple header lines.
@@ -227,90 +155,115 @@ For example, to add a \f(CW\*(C`Host\*(C'\fR header for \f(CW\*(C`example.com\*(
.Ve
.PP
\&\fBOSSL_HTTP_REQ_CTX_set_expected()\fR optionally sets in \fIrctx\fR some expectations
-of the \s-1HTTP\s0 client on the response.
-Due to the structure of an \s-1HTTP\s0 request, if the \fIkeep_alive\fR argument is
+of the HTTP client on the response.
+Due to the structure of an HTTP request, if the \fIkeep_alive\fR argument is
nonzero the function must be used before calling \fBOSSL_HTTP_REQ_CTX_set1_req()\fR.
-If the \fIcontent_type\fR parameter
-is not \s-1NULL\s0 then the client will check that the given content type string
-is included in the \s-1HTTP\s0 header of the response and return an error if not.
-If the \fIasn1\fR parameter is nonzero a structure in \s-1ASN.1\s0 encoding will be
+.PP
+If the \fIexpected_content_type\fR argument is not NULL, the client will
+check in a case-insensitive way that the specified \f(CW\*(C`Content\-Type\*(C'\fR string value
+is included in the HTTP header of the response and return an error if not.
+In the \f(CW\*(C`Content\-Type\*(C'\fR header line the specified string should be present either
+as a whole, or in case the specified string does not include a \f(CW\*(C`;\*(C'\fR character,
+it is sufficient that the specified string appears as a prefix
+in the header line, followed by a \f(CW\*(C`;\*(C'\fR character and any further text.
+For instance, if the \fIexpected_content_type\fR argument specifies \f(CW\*(C`text/html\*(C'\fR,
+this is matched by \f(CW\*(C`Text/HTML\*(C'\fR, \f(CW\*(C`text/html; charset=UTF\-8\*(C'\fR, etc.
+.PP
+If the \fIexpect_asn1\fR parameter is nonzero a structure in ASN.1 encoding will be
expected as the response content and input streaming is disabled. This means
-that an \s-1ASN.1\s0 sequence header is required, its length field is checked, and
+that an ASN.1 sequence header is required, its length field is checked, and
\&\fBOSSL_HTTP_REQ_CTX_get0_mem_bio()\fR should be used to get the buffered response.
-Otherwise (by default) any input format is allowed without length checks.
-In this case the \s-1BIO\s0 given as \fIrbio\fR argument to \fBOSSL_HTTP_REQ_CTX_new()\fR should
+Otherwise (by default) any input format is allowed,
+with body length checks being performed on error messages only.
+In this case the BIO given as \fIrbio\fR argument to \fBOSSL_HTTP_REQ_CTX_new()\fR should
be used directly to read the response contents, which may support streaming.
+.PP
If the \fItimeout\fR parameter is > 0 this indicates the maximum number of seconds
-the subsequent \s-1HTTP\s0 transfer (sending the request and receiving a response)
+the subsequent HTTP transfer (sending the request and receiving a response)
is allowed to take.
\&\fItimeout\fR == 0 enables waiting indefinitely, i.e., no timeout can occur.
This is the default.
\&\fItimeout\fR < 0 takes over any value set via the \fIoverall_timeout\fR argument of
\&\fBOSSL_HTTP_open\fR\|(3) with the default being 0, which means no timeout.
+.PP
If the \fIkeep_alive\fR parameter is 0, which is the default, the connection is not
-kept open after receiving a response. This is the default behavior for \s-1HTTP 1.0.\s0
+kept open after receiving a response. This is the default behavior for HTTP 1.0.
If the value is 1 or 2 then a persistent connection is requested.
If the value is 2 then a persistent connection is required,
i.e., an error occurs in case the server does not grant it.
.PP
-\&\fBOSSL_HTTP_REQ_CTX_set1_req()\fR finalizes the \s-1HTTP\s0 request context.
+\&\fBOSSL_HTTP_REQ_CTX_set1_req()\fR finalizes the HTTP request context.
It is needed if the \fImethod_POST\fR parameter in the
\&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR call was 1
-and an \s-1ASN\s0.1\-encoded request should be sent.
-It must also be used when requesting \*(L"keep-alive\*(R",
-even if a \s-1GET\s0 request is going to be sent, in which case \fIreq\fR must be \s-1NULL.\s0
-Unless \fIreq\fR is \s-1NULL,\s0 the function adds the \s-1DER\s0 encoding of \fIreq\fR using
-the \s-1ASN.1\s0 template \fIit\fR to do the encoding (which does not support streaming).
-The \s-1HTTP\s0 header \f(CW\*(C`Content\-Length\*(C'\fR is filled out with the length of the request.
-\&\fIcontent_type\fR must be \s-1NULL\s0 if \fIreq\fR is \s-1NULL.\s0
-If \fIcontent_type\fR isn't \s-1NULL,\s0
-the \s-1HTTP\s0 header \f(CW\*(C`Content\-Type\*(C'\fR is also added with the given string value.
-The header lines are added to the internal memory \fB\s-1BIO\s0\fR for the request header.
+and an ASN.1\-encoded request should be sent.
+It must also be used when requesting "keep-alive",
+even if a GET request is going to be sent, in which case \fIreq\fR must be NULL.
+Unless \fIreq\fR is NULL, the function adds the DER encoding of \fIreq\fR using
+the ASN.1 template \fIit\fR to do the encoding (which does not support streaming).
+The HTTP header \f(CW\*(C`Content\-Length\*(C'\fR is filled out with the length of the request.
+\&\fIcontent_type\fR must be NULL if \fIreq\fR is NULL.
+If \fIcontent_type\fR isn't NULL,
+the HTTP header \f(CW\*(C`Content\-Type\*(C'\fR is also added with the given string value.
+The header lines are added to the internal memory \fBBIO\fR for the request header.
.PP
\&\fBOSSL_HTTP_REQ_CTX_nbio()\fR attempts to send the request prepared in \fIrctx\fR
-and to gather the response via \s-1HTTP,\s0 using the \fIwbio\fR and \fIrbio\fR
+and to gather the response via HTTP, using the \fIwbio\fR and \fIrbio\fR
that were given when calling \fBOSSL_HTTP_REQ_CTX_new()\fR.
The function may need to be called again if its result is \-1, which indicates
\&\fBBIO_should_retry\fR\|(3). In such a case it is advisable to sleep a little in
-between, using \fBBIO_wait\fR\|(3) on the read \s-1BIO\s0 to prevent a busy loop.
+between, using \fBBIO_wait\fR\|(3) on the read BIO to prevent a busy loop.
+See \fBOSSL_HTTP_REQ_CTX_set_expected()\fR how the response content type,
+the response body, the HTTP transfer timeout, and "keep-alive" are treated.
+Any error message body is consumed
+if a \f(CW\*(C`Content\-Type\*(C'\fR header is not included or its value starts with \f(CW\*(C`text/\*(C'\fR.
+This is used for tracing the body contents if HTTP tracing is enabled.
+If the \f(CW\*(C`Content\-Length\*(C'\fR header is present in the response
+and its value exceeds the maximum allowed response content length
+or the response is an error message with its body length exceeding this value
+or the content is an ASN.1\-encoded structure with a length exceeding this value
+or both length indications are present but disagree then an error occurs.
.PP
\&\fBOSSL_HTTP_REQ_CTX_nbio_d2i()\fR is like \fBOSSL_HTTP_REQ_CTX_nbio()\fR but on success
-in addition parses the response, which must be a DER-encoded \s-1ASN.1\s0 structure,
-using the \s-1ASN.1\s0 template \fIit\fR and places the result in \fI*pval\fR.
+in addition parses the response, which must be a DER-encoded ASN.1 structure,
+using the ASN.1 template \fIit\fR and places the result in \fI*pval\fR.
.PP
\&\fBOSSL_HTTP_REQ_CTX_exchange()\fR calls \fBOSSL_HTTP_REQ_CTX_nbio()\fR as often as needed
in order to exchange a request and response or until a timeout is reached.
-On success it returns a pointer to the \s-1BIO\s0 that can be used to read the result.
-If an \s-1ASN\s0.1\-encoded response was expected, this is the \s-1BIO\s0
+On success it returns a pointer to the BIO that can be used to read the result.
+If an ASN.1\-encoded response was expected, this is the BIO
returned by \fBOSSL_HTTP_REQ_CTX_get0_mem_bio()\fR when called after the exchange.
-This memory \s-1BIO\s0 does not support streaming.
-Otherwise the returned \s-1BIO\s0 is the \fIrbio\fR given to \fBOSSL_HTTP_REQ_CTX_new()\fR,
+This memory BIO does not support streaming.
+Otherwise the returned BIO is the \fIrbio\fR given to \fBOSSL_HTTP_REQ_CTX_new()\fR,
which may support streaming.
-When this \s-1BIO\s0 is returned, it has been read past the end of the response header,
+When this BIO is returned, it has been read past the end of the response header,
such that the actual response body can be read from it.
-The returned \s-1BIO\s0 pointer \s-1MUST NOT\s0 be freed by the caller.
+The returned BIO pointer MUST NOT be freed by the caller.
.PP
-\&\fBOSSL_HTTP_REQ_CTX_get0_mem_bio()\fR returns the internal memory \fB\s-1BIO\s0\fR.
-Before the \s-1HTTP\s0 request is sent, this could be used to adapt its header lines.
+\&\fBOSSL_HTTP_REQ_CTX_get0_mem_bio()\fR returns the internal memory \fBBIO\fR.
+Before the HTTP request is sent, this could be used to adapt its header lines.
\&\fIUse with caution!\fR
-After receiving a response via \s-1HTTP,\s0 the \s-1BIO\s0 represents the current state of
-reading the response header. If the response was expected to be \s-1ASN.1\s0 encoded,
-its contents can be read via this \s-1BIO,\s0 which does not support streaming.
-The returned \s-1BIO\s0 pointer must not be freed by the caller.
+After receiving a response via HTTP, the BIO represents the current state of
+reading the response header. If the response was expected to be ASN.1 encoded,
+its contents can be read via this BIO, which does not support streaming.
+The returned BIO pointer must not be freed by the caller.
.PP
\&\fBOSSL_HTTP_REQ_CTX_get_resp_len()\fR returns the size of the response contents
-in \fIrctx\fR if provided by the server as <Content\-Length> header field, else 0.
+in \fIrctx\fR if provided by the server as \f(CW\*(C`Content\-Length\*(C'\fR header field, else 0.
.PP
\&\fBOSSL_HTTP_REQ_CTX_set_max_response_length()\fR sets the maximum allowed
response content length for \fIrctx\fR to \fIlen\fR. If not set or \fIlen\fR is 0
-then the \fB\s-1OSSL_HTTP_DEFAULT_MAX_RESP_LEN\s0\fR is used, which currently is 100 KiB.
-If the \f(CW\*(C`Content\-Length\*(C'\fR header is present and exceeds this value or
-the content is an \s-1ASN.1\s0 encoded structure with a length exceeding this value
-or both length indications are present but disagree then an error occurs.
+then the \fBOSSL_HTTP_DEFAULT_MAX_RESP_LEN\fR is used, which currently is 100 KiB.
+.PP
+\&\fBOSSL_HTTP_REQ_CTX_set_max_response_hdr_lines()\fR changes the limit for
+the number of HTTP header lines allowed to be received in a response.
+The default limit is \fBOSSL_HTTP_DEFAULT_MAX_RESP_HDR_LINES\fR, currently 256.
+If the limit is not 0 and the number of lines exceeds the limit,
+then the HTTP_R_RESPONSE_TOO_MANY_HDRLINES error is indicated.
+Setting the limit to 0 disables the check.
.PP
-\&\fBOSSL_HTTP_is_alive()\fR can be used to query if the \s-1HTTP\s0 connection
+\&\fBOSSL_HTTP_is_alive()\fR can be used to query if the HTTP connection
given by \fIrctx\fR is still alive, i.e., has not been closed.
-It returns 0 if \fIrctx\fR is \s-1NULL.\s0
+It returns 0 if \fIrctx\fR is NULL.
.PP
If the client application requested or required a persistent connection
and this was granted by the server, it can keep \fIrctx\fR as long as it wants
@@ -319,36 +272,42 @@ else it should call \fIOSSL_HTTP_REQ_CTX_free(rctx)\fR or \fBOSSL_HTTP_close\fR\
In case the client application keeps \fIrctx\fR but the connection then dies
for any reason at the server side, it will notice this obtaining an
I/O error when trying to send the next request via \fIrctx\fR.
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
The server's response may be unexpected if the hostname that was used to
create the \fIwbio\fR, any \f(CW\*(C`Host\*(C'\fR header, and the host specified in the
-request \s-1URL\s0 do not match.
+request URL do not match.
.PP
Many of these functions must be called in a certain order.
.PP
-First, the \s-1HTTP\s0 request context must be allocated:
+First, the HTTP request context must be allocated:
\&\fBOSSL_HTTP_REQ_CTX_new()\fR.
.PP
-Then, the \s-1HTTP\s0 request must be prepared with request data:
-.IP "1." 4
+Then, the HTTP request must be prepared with request data:
+.IP 1. 4
Calling \fBOSSL_HTTP_REQ_CTX_set_request_line()\fR.
-.IP "2." 4
+.IP 2. 4
Adding extra header lines with \fBOSSL_HTTP_REQ_CTX_add1_header()\fR.
This is optional and may be done multiple times with different names.
-.IP "3." 4
+.IP 3. 4
Finalize the request using \fBOSSL_HTTP_REQ_CTX_set1_req()\fR.
-This may be omitted if the \s-1GET\s0 method is used and \*(L"keep-alive\*(R" is not requested.
+This may be omitted if the GET method is used and "keep-alive" is not requested.
.PP
-When the request context is fully prepared, the \s-1HTTP\s0 exchange may be performed
+When the request context is fully prepared, the HTTP exchange may be performed
with \fBOSSL_HTTP_REQ_CTX_nbio()\fR or \fBOSSL_HTTP_REQ_CTX_exchange()\fR.
+.SH NOTES
+.IX Header "NOTES"
+When built with tracing enabled, \fBOSSL_HTTP_REQ_CTX_nbio()\fR and all functions
+using it, such as \fBOSSL_HTTP_REQ_CTX_exchange()\fR and \fBOSSL_HTTP_transfer\fR\|(3),
+may be traced using \fBOSSL_TRACE_CATEGORY_HTTP\fR.
+See also \fBOSSL_trace_enabled\fR\|(3) and \fBopenssl\-env\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_HTTP_REQ_CTX_new()\fR returns a pointer to a \fB\s-1OSSL_HTTP_REQ_CTX\s0\fR, or \s-1NULL\s0
+\&\fBOSSL_HTTP_REQ_CTX_new()\fR returns a pointer to a \fBOSSL_HTTP_REQ_CTX\fR, or NULL
on error.
.PP
-\&\fBOSSL_HTTP_REQ_CTX_free()\fR and \fBOSSL_HTTP_REQ_CTX_set_max_response_length()\fR
-do not return values.
+\&\fBOSSL_HTTP_REQ_CTX_free()\fR, \fBOSSL_HTTP_REQ_CTX_set_max_response_length()\fR, and
+\&\fBOSSL_HTTP_REQ_CTX_set_max_response_hdr_lines()\fR do not return values.
.PP
\&\fBOSSL_HTTP_REQ_CTX_set_request_line()\fR, \fBOSSL_HTTP_REQ_CTX_add1_header()\fR,
\&\fBOSSL_HTTP_REQ_CTX_set1_req()\fR, and \fBOSSL_HTTP_REQ_CTX_set_expected()\fR
@@ -358,8 +317,8 @@ return 1 for success and 0 for failure.
return 1 for success, 0 on error or redirection, \-1 if retry is needed.
.PP
\&\fBOSSL_HTTP_REQ_CTX_exchange()\fR and \fBOSSL_HTTP_REQ_CTX_get0_mem_bio()\fR
-return a pointer to a \fB\s-1BIO\s0\fR on success as described above or \s-1NULL\s0 on failure.
-The returned \s-1BIO\s0 must not be freed by the caller.
+return a pointer to a \fBBIO\fR on success as described above or NULL on failure.
+The returned BIO must not be freed by the caller.
.PP
\&\fBOSSL_HTTP_REQ_CTX_get_resp_len()\fR returns the size of the response contents
or 0 if not available or an error occurred.
@@ -376,15 +335,18 @@ and the server did not disagree on keeping the connection open, else 0.
\&\fBOSSL_HTTP_open\fR\|(3),
\&\fBOSSL_HTTP_get\fR\|(3),
\&\fBOSSL_HTTP_transfer\fR\|(3),
-\&\fBOSSL_HTTP_close\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_HTTP_close\fR\|(3),
+\&\fBOSSL_trace_enabled\fR\|(3), and \fBopenssl\-env\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
-The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBOSSL_HTTP_REQ_CTX_set_max_response_hdr_lines()\fR was added in OpenSSL 3.3.
+.PP
+All other functions described here were added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3
index 57c500d915c8..b40853575ff4 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_parse_url.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_HTTP_PARSE_URL 3ossl"
-.TH OSSL_HTTP_PARSE_URL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_HTTP_PARSE_URL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_HTTP_adapt_proxy,
OSSL_parse_url,
OSSL_HTTP_parse_url,
OCSP_parse_url
\&\- http utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/http.h>
@@ -160,61 +84,66 @@ OCSP_parse_url
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
\& int *pssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_HTTP_adapt_proxy()\fR takes an optional proxy hostname \fIproxy\fR
and returns it transformed according to the optional \fIno_proxy\fR parameter,
\&\fIserver\fR, \fIuse_ssl\fR, and the applicable environment variable, as follows.
-If \fIproxy\fR is \s-1NULL,\s0 take any default value from the \f(CW\*(C`http_proxy\*(C'\fR
+If \fIproxy\fR is NULL, take any default value from the \f(CW\*(C`http_proxy\*(C'\fR
environment variable, or from \f(CW\*(C`https_proxy\*(C'\fR if \fIuse_ssl\fR is nonzero.
If this still does not yield a proxy hostname,
take any further default value from the \f(CW\*(C`HTTP_PROXY\*(C'\fR
environment variable, or from \f(CW\*(C`HTTPS_PROXY\*(C'\fR if \fIuse_ssl\fR is nonzero.
-If \fIno_proxy\fR is \s-1NULL,\s0 take any default exclusion value from the \f(CW\*(C`no_proxy\*(C'\fR
+If \fIno_proxy\fR is NULL, take any default exclusion value from the \f(CW\*(C`no_proxy\*(C'\fR
environment variable, or else from \f(CW\*(C`NO_PROXY\*(C'\fR.
-Return the determined proxy hostname unless the exclusion contains \fIserver\fR.
-Otherwise return \s-1NULL.\s0
+Return the determined proxy host unless the exclusion value,
+which is a list of proxy hosts separated by \f(CW\*(C`,\*(C'\fR and/or whitespace,
+contains \fIserver\fR.
+Otherwise return NULL.
+When \fIserver\fR is a string delimited by \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR, which are used for IPv6
+addresses, the enclosing \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR are stripped prior to comparison.
.PP
-\&\fBOSSL_parse_url()\fR parses its input string \fIurl\fR as a \s-1URL\s0 of the form
+\&\fBOSSL_parse_url()\fR parses its input string \fIurl\fR as a URL of the form
\&\f(CW\*(C`[scheme://][userinfo@]host[:port][/path][?query][#fragment]\*(C'\fR and splits it up
into scheme, userinfo, host, port, path, query, and fragment components.
-The host (or server) component may be a \s-1DNS\s0 name or an \s-1IP\s0 address
-where IPv6 addresses should be enclosed in square brackets \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
+The host (or server) component may be a DNS name or an IP address
+where IPv6 addresses must be enclosed in square brackets \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
The port component is optional and defaults to \f(CW0\fR.
-If given, it must be in decimal form. If the \fIpport_num\fR argument is not \s-1NULL\s0
+If given, it must be in decimal form. If the \fIpport_num\fR argument is not NULL
the integer value of the port number is assigned to \fI*pport_num\fR on success.
The path component is also optional and defaults to \f(CW\*(C`/\*(C'\fR.
Each non-NULL result pointer argument \fIpscheme\fR, \fIpuser\fR, \fIphost\fR, \fIpport\fR,
\&\fIppath\fR, \fIpquery\fR, and \fIpfrag\fR, is assigned the respective url component.
-On success, they are guaranteed to contain non-NULL string pointers, else \s-1NULL.\s0
+Any IPv6 address in \fI*phost\fR is enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
+On success, they are guaranteed to contain non-NULL string pointers, else NULL.
It is the responsibility of the caller to free them using \fBOPENSSL_free\fR\|(3).
-If \fIpquery\fR is \s-1NULL,\s0 any given query component is handled as part of the path.
+If \fIpquery\fR is NULL, any given query component is handled as part of the path.
A string returned via \fI*ppath\fR is guaranteed to begin with a \f(CW\*(C`/\*(C'\fR character.
For absent scheme, userinfo, port, query, and fragment components
an empty string is provided.
.PP
\&\fBOSSL_HTTP_parse_url()\fR is a special form of \fBOSSL_parse_url()\fR
where the scheme, if given, must be \f(CW\*(C`http\*(C'\fR or \f(CW\*(C`https\*(C'\fR.
-If \fIpssl\fR is not \s-1NULL,\s0 \fI*pssl\fR is assigned 1 in case parsing was successful
+If \fIpssl\fR is not NULL, \fI*pssl\fR is assigned 1 in case parsing was successful
and the scheme is \f(CW\*(C`https\*(C'\fR, else 0.
The port component is optional and defaults to \f(CW443\fR if the scheme is \f(CW\*(C`https\*(C'\fR,
else \f(CW80\fR.
Note that relative paths must be given with a leading \f(CW\*(C`/\*(C'\fR,
-otherwise the first path element is interpreted as the hostname.
+otherwise the first path element is interpreted as the host.
.PP
Calling the deprecated function OCSP_parse_url(url, host, port, path, ssl)
is equivalent to
-OSSL_HTTP_parse_url(url, ssl, \s-1NULL,\s0 host, port, \s-1NULL,\s0 path, \s-1NULL, NULL\s0).
+OSSL_HTTP_parse_url(url, ssl, NULL, host, port, NULL, path, NULL, NULL).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_HTTP_adapt_proxy()\fR returns \s-1NULL\s0 if no proxy is to be used,
+\&\fBOSSL_HTTP_adapt_proxy()\fR returns NULL if no proxy is to be used,
otherwise a constant proxy hostname string,
which is either the proxy name handed in or an environment variable value.
.PP
@@ -223,16 +152,16 @@ return 1 on success, 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOSSL_HTTP_transfer\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_HTTP_adapt_proxy()\fR,
\&\fBOSSL_parse_url()\fR and \fBOSSL_HTTP_parse_url()\fR were added in OpenSSL 3.0.
\&\fBOCSP_parse_url()\fR was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3 b/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3
index 9f1fafebd14b..599367bcb8f8 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_HTTP_transfer.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_HTTP_TRANSFER 3ossl"
-.TH OSSL_HTTP_TRANSFER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_HTTP_TRANSFER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_HTTP_open,
OSSL_HTTP_bio_cb_t,
OSSL_HTTP_proxy_connect,
@@ -146,7 +70,7 @@ OSSL_HTTP_get,
OSSL_HTTP_transfer,
OSSL_HTTP_close
\&\- HTTP client high\-level functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/http.h>
@@ -185,70 +109,74 @@ OSSL_HTTP_close
\& size_t max_resp_len, int timeout, int keep_alive);
\& int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_HTTP_open()\fR initiates an \s-1HTTP\s0 session using the \fIbio\fR argument if not
-\&\s-1NULL,\s0 else by connecting to a given \fIserver\fR optionally via a \fIproxy\fR.
+\&\fBOSSL_HTTP_open()\fR initiates an HTTP session using the \fIbio\fR argument if not
+NULL, else by connecting to a given \fIserver\fR optionally via a \fIproxy\fR.
.PP
-Typically the OpenSSL build supports sockets and the \fIbio\fR parameter is \s-1NULL.\s0
-In this case \fIrbio\fR must be \s-1NULL\s0 as well and the \fIserver\fR must be non-NULL.
-The function creates a network \s-1BIO\s0 internally using \fBBIO_new_connect\fR\|(3)
+Typically the OpenSSL build supports sockets and the \fIbio\fR parameter is NULL.
+In this case \fIrbio\fR must be NULL as well and the \fIserver\fR must be non-NULL.
+The function creates a network BIO internally using \fBBIO_new_connect\fR\|(3)
for connecting to the given server and the optionally given \fIport\fR,
-defaulting to 80 for \s-1HTTP\s0 or 443 for \s-1HTTPS.\s0
-Then this internal \s-1BIO\s0 is used for setting up a connection
+defaulting to 80 for HTTP or 443 for HTTPS.
+Then this internal BIO is used for setting up a connection
and for exchanging one or more request and response.
-If \fIbio\fR is given and \fIrbio\fR is \s-1NULL\s0 then this \fIbio\fR is used instead.
+.PP
+If \fIbio\fR is given and \fIrbio\fR is NULL then this \fIbio\fR is used instead.
If both \fIbio\fR and \fIrbio\fR are given (which may be memory BIOs for instance)
then no explicit connection is set up, but
\&\fIbio\fR is used for writing requests and \fIrbio\fR for reading responses.
As soon as the client has flushed \fIbio\fR the server must be ready to provide
a response or indicate a waiting condition via \fIrbio\fR.
.PP
-If \fIbio\fR is given, it is an error to provide \fIproxy\fR or \fIno_proxy\fR arguments,
+If \fIbio\fR is given,
+it is an error to provide non-NULL \fIproxy\fR or \fIno_proxy\fR arguments,
while \fIserver\fR and \fIport\fR arguments may be given to support diagnostic output.
-If \fIbio\fR is \s-1NULL\s0 the optional \fIproxy\fR parameter can be used to set an
-\&\s-1HTTP\s0(S) proxy to use (unless overridden by \*(L"no_proxy\*(R" settings).
-If \s-1TLS\s0 is not used this defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR
+If \fIbio\fR is NULL the optional \fIproxy\fR parameter can be used to set an
+HTTP(S) proxy to use (unless overridden by "no_proxy" settings).
+If TLS is not used this defaults to the environment variable \f(CW\*(C`http_proxy\*(C'\fR
if set, else \f(CW\*(C`HTTP_PROXY\*(C'\fR.
If \fIuse_ssl\fR != 0 it defaults to \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS_PROXY\*(C'\fR.
An empty proxy string \f(CW""\fR forbids using a proxy.
-Else the format is
+Otherwise, the format is
\&\f(CW\*(C`[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\*(C'\fR,
where any userinfo, path, query, and fragment given is ignored.
-The default proxy port number is 80, or 443 in case \*(L"https:\*(R" is given.
-The \s-1HTTP\s0 client functions connect via the given proxy unless the \fIserver\fR
-is found in the optional list \fIno_proxy\fR of proxy hostnames (if not \s-1NULL\s0;
+If the host string is an IPv6 address, it must be enclosed in \f(CW\*(C`[\*(C'\fR and \f(CW\*(C`]\*(C'\fR.
+The default proxy port number is 80, or 443 in case "https:" is given.
+The HTTP client functions connect via the given proxy unless the \fIserver\fR
+is found in the optional list \fIno_proxy\fR of proxy hostnames or IP addresses
+separated by \f(CW\*(C`,\*(C'\fR and/or whitespace (if not NULL;
default is the environment variable \f(CW\*(C`no_proxy\*(C'\fR if set, else \f(CW\*(C`NO_PROXY\*(C'\fR).
-Proxying plain \s-1HTTP\s0 is supported directly,
-while using a proxy for \s-1HTTPS\s0 connections requires a suitable callback function
+Proxying plain HTTP is supported directly,
+while using a proxy for HTTPS connections requires a suitable callback function
such as \fBOSSL_HTTP_proxy_connect()\fR, described below.
.PP
-If \fIuse_ssl\fR is nonzero a \s-1TLS\s0 connection is requested
+If \fIuse_ssl\fR is nonzero a TLS connection is requested
and the \fIbio_update_fn\fR parameter must be provided.
.PP
The parameter \fIbio_update_fn\fR, which is optional if \fIuse_ssl\fR is 0,
-may be used to modify the connection \s-1BIO\s0 used by the \s-1HTTP\s0 client,
+may be used to modify the connection BIO used by the HTTP client,
but cannot be used when both \fIbio\fR and \fIrbio\fR are given.
-\&\fIbio_update_fn\fR is a \s-1BIO\s0 connect/disconnect callback function with prototype
+\&\fIbio_update_fn\fR is a BIO connect/disconnect callback function with prototype
.PP
.Vb 1
\& BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg, int connect, int detail)
.Ve
.PP
-The callback function may modify the \s-1BIO\s0 provided in the \fIbio\fR argument,
-whereby it may make use of a custom defined argument \fIarg\fR,
-which may for instance point to an \fB\s-1SSL_CTX\s0\fR structure.
+The callback function may modify the BIO provided in the \fIbio\fR argument,
+whereby it may use an optional custom defined argument \fIarg\fR,
+which can for instance point to an \fBSSL_CTX\fR structure.
During connection establishment, just after calling \fBBIO_do_connect_retry()\fR, the
callback function is invoked with the \fIconnect\fR argument being 1 and
-\&\fIdetail\fR being 1 if \fIuse_ssl\fR is nonzero (i.e., \s-1HTTPS\s0 is requested), else 0.
+\&\fIdetail\fR being 1 if \fIuse_ssl\fR is nonzero (i.e., HTTPS is requested), else 0.
On disconnect \fIconnect\fR is 0 and \fIdetail\fR is 1 if no error occurred, else 0.
-For instance, on connect the callback may push an \s-1SSL BIO\s0 to implement \s-1HTTPS\s0;
-after disconnect it may do some diagnostic output and pop and free the \s-1SSL BIO.\s0
+For instance, on connect the callback may push an SSL BIO to implement HTTPS;
+after disconnect it may do some diagnostic output and pop and free the SSL BIO.
.PP
-The callback function must return either the potentially modified \s-1BIO\s0 \fIbio\fR.
-or \s-1NULL\s0 to indicate failure, in which case it should not modify the \s-1BIO.\s0
+The callback function must return either the potentially modified BIO \fIbio\fR
+or NULL to indicate failure, in which case it should not modify the BIO.
.PP
-Here is a simple example that supports \s-1TLS\s0 connections (but not via a proxy):
+Here is a simple example that supports TLS connections (but not via a proxy):
.PP
.Vb 5
\& BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail)
@@ -273,147 +201,141 @@ Here is a simple example that supports \s-1TLS\s0 connections (but not via a pro
\& }
.Ve
.PP
-After disconnect the modified \s-1BIO\s0 will be deallocated using \fBBIO_free_all()\fR.
+After disconnect the modified BIO will be deallocated using \fBBIO_free_all()\fR.
+The optional callback function argument \fIarg\fR is not consumed,
+so must be freed by the caller when not needed any more.
.PP
The \fIbuf_size\fR parameter specifies the response header maximum line length.
-A value <= 0 means that the \fB\s-1OSSL_HTTP_DEFAULT_MAX_LINE_LEN\s0\fR (4KiB) is used.
+A value <= 0 means that the \fBOSSL_HTTP_DEFAULT_MAX_LINE_LEN\fR (4KiB) is used.
\&\fIbuf_size\fR is also used as the number of content bytes that are read at a time.
.PP
If the \fIoverall_timeout\fR parameter is > 0 this indicates the maximum number of
-seconds the overall \s-1HTTP\s0 transfer (i.e., connection setup if needed,
+seconds the overall HTTP transfer (i.e., connection setup if needed,
sending requests, and receiving responses) is allowed to take until completion.
A value <= 0 enables waiting indefinitely, i.e., no timeout.
.PP
-\&\fBOSSL_HTTP_proxy_connect()\fR may be used by an above \s-1BIO\s0 connect callback function
-to set up an \s-1SSL/TLS\s0 connection via an \s-1HTTPS\s0 proxy.
-It promotes the given \s-1BIO\s0 \fIbio\fR representing a connection
-pre-established with a \s-1TLS\s0 proxy using the \s-1HTTP CONNECT\s0 method,
+\&\fBOSSL_HTTP_proxy_connect()\fR may be used by an above BIO connect callback function
+to set up an SSL/TLS connection via an HTTPS proxy.
+It promotes the given BIO \fIbio\fR representing a connection
+pre-established with a TLS proxy using the HTTP CONNECT method,
optionally using proxy client credentials \fIproxyuser\fR and \fIproxypass\fR,
-to connect with \s-1TLS\s0 protection ultimately to \fIserver\fR and \fIport\fR.
-If the \fIport\fR argument is \s-1NULL\s0 or the empty string it defaults to \*(L"443\*(R".
+to connect with TLS protection ultimately to \fIserver\fR and \fIport\fR.
+If the \fIport\fR argument is NULL or the empty string it defaults to "443".
If the \fItimeout\fR parameter is > 0 this indicates the maximum number of
seconds the connection setup is allowed to take.
A value <= 0 enables waiting indefinitely, i.e., no timeout.
Since this function is typically called by applications such as
\&\fBopenssl\-s_client\fR\|(1) it uses the \fIbio_err\fR and \fIprog\fR parameters (unless
-\&\s-1NULL\s0) to print additional diagnostic information in a user-oriented way.
+NULL) to print additional diagnostic information in a user-oriented way.
.PP
\&\fBOSSL_HTTP_set1_request()\fR sets up in \fIrctx\fR the request header and content data
and expectations on the response using the following parameters.
-If <rctx> indicates using a proxy for \s-1HTTP\s0 (but not \s-1HTTPS\s0), the server host
+If <rctx> indicates using a proxy for HTTP (but not HTTPS), the server host
(and optionally port) needs to be placed in the header; thus it must be present
in \fIrctx\fR.
For backward compatibility, the server (and optional port) may also be given in
the \fIpath\fR argument beginning with \f(CW\*(C`http://\*(C'\fR (thus giving an absoluteURI).
-If \fIpath\fR is \s-1NULL\s0 it defaults to \*(L"/\*(R".
-If \fIreq\fR is \s-1NULL\s0 the \s-1HTTP GET\s0 method will be used to send the request
-else \s-1HTTP POST\s0 with the contents of \fIreq\fR and optional \fIcontent_type\fR, where
+If \fIpath\fR is NULL it defaults to "/".
+If \fIreq\fR is NULL the HTTP GET method will be used to send the request
+else HTTP POST with the contents of \fIreq\fR and optional \fIcontent_type\fR, where
the length of the data in \fIreq\fR does not need to be determined in advance: the
-\&\s-1BIO\s0 will be read on-the-fly while sending the request, which supports streaming.
-The optional list \fIheaders\fR may contain additional custom \s-1HTTP\s0 header lines.
-If the parameter \fIexpected_content_type\fR
-is not \s-1NULL\s0 then the client will check that the given content type string
-is included in the \s-1HTTP\s0 header of the response and return an error if not.
-If the \fIexpect_asn1\fR parameter is nonzero,
-a structure in \s-1ASN.1\s0 encoding will be expected as response content.
+BIO will be read on-the-fly while sending the request, which supports streaming.
+The optional list \fIheaders\fR may contain additional custom HTTP header lines.
The \fImax_resp_len\fR parameter specifies the maximum allowed
response content length, where the value 0 indicates no limit.
-If the \fItimeout\fR parameter is > 0 this indicates the maximum number of seconds
-the subsequent \s-1HTTP\s0 transfer (sending the request and receiving a response)
-is allowed to take.
-A value of 0 enables waiting indefinitely, i.e., no timeout.
-A value < 0 indicates that the \fIoverall_timeout\fR parameter value given
-when opening the \s-1HTTP\s0 transfer will be used instead.
-If \fIkeep_alive\fR is 0 the connection is not kept open
-after receiving a response, which is the default behavior for \s-1HTTP 1.0.\s0
-If the value is 1 or 2 then a persistent connection is requested.
-If the value is 2 then a persistent connection is required,
-i.e., an error occurs in case the server does not grant it.
+For the meaning of the \fIexpected_content_type\fR, \fIexpect_asn1\fR, \fItimeout\fR,
+and \fIkeep_alive\fR parameters, see \fBOSSL_HTTP_REQ_CTX_set_expected\fR\|(3).
.PP
-\&\fBOSSL_HTTP_exchange()\fR exchanges any form of \s-1HTTP\s0 request and response
+\&\fBOSSL_HTTP_exchange()\fR exchanges any form of HTTP request and response
as specified by \fIrctx\fR, which must include both connection and request data,
typically set up using \fBOSSL_HTTP_open()\fR and \fBOSSL_HTTP_set1_request()\fR.
It implements the core of the functions described below.
-If the \s-1HTTP\s0 method is \s-1GET\s0 and \fIredirection_url\fR
-is not \s-1NULL\s0 the latter pointer is used to provide any new location that
-the server may return with \s-1HTTP\s0 code 301 (\s-1MOVED_PERMANENTLY\s0) or 302 (\s-1FOUND\s0).
-In this case the function returns \s-1NULL\s0 and the caller is
-responsible for deallocating the \s-1URL\s0 with \fBOPENSSL_free\fR\|(3).
-If the response header contains one or more \*(L"Content-Length\*(R" header lines and/or
-an \s-1ASN\s0.1\-encoded response is expected, which should include a total length,
+If the HTTP method is GET and \fIredirection_url\fR
+is not NULL the latter pointer is used to provide any new location that
+the server may return with HTTP code 301 (MOVED_PERMANENTLY) or 302 (FOUND).
+In this case the function returns NULL and the caller is
+responsible for deallocating the URL with \fBOPENSSL_free\fR\|(3).
+If the response header contains one or more \f(CW\*(C`Content\-Length\*(C'\fR lines and/or
+an ASN.1\-encoded response is expected, which should include a total length,
the length indications received are checked for consistency
and for not exceeding any given maximum response length.
-If an \s-1ASN\s0.1\-encoded response is expected, the function returns on success
-the contents buffered in a memory \s-1BIO,\s0 which does not support streaming.
-Otherwise it returns directly the read \s-1BIO\s0 that holds the response contents,
+If an ASN.1\-encoded response is expected, the function returns on success
+the contents buffered in a memory BIO, which does not support streaming.
+Otherwise it returns directly the read BIO that holds the response contents,
which allows a response of indefinite length and may support streaming.
-The caller is responsible for freeing the \s-1BIO\s0 pointer obtained.
+The caller is responsible for freeing the BIO pointer obtained.
.PP
-\&\fBOSSL_HTTP_get()\fR uses \s-1HTTP GET\s0 to obtain data from \fIbio\fR if non-NULL,
-else from the server contained in the \fIurl\fR, and returns it as a \s-1BIO.\s0
-It supports redirection via \s-1HTTP\s0 status code 301 or 302. It is meant for
+\&\fBOSSL_HTTP_get()\fR uses HTTP GET to obtain data from \fIbio\fR if non-NULL,
+else from the server contained in the \fIurl\fR, and returns it as a BIO.
+It supports redirection via HTTP status code 301 or 302. It is meant for
transfers with a single round trip, so does not support persistent connections.
If \fIbio\fR is non-NULL, any host and port components in the \fIurl\fR are not used
for connecting but the hostname is used, as usual, for the \f(CW\*(C`Host\*(C'\fR header.
Any userinfo and fragment components in the \fIurl\fR are ignored.
Any query component is handled as part of the path component.
-If the scheme component of the \fIurl\fR is \f(CW\*(C`https\*(C'\fR a \s-1TLS\s0 connection is requested
+If the scheme component of the \fIurl\fR is \f(CW\*(C`https\*(C'\fR a TLS connection is requested
and the \fIbio_update_fn\fR, as described for \fBOSSL_HTTP_open()\fR, must be provided.
Also the remaining parameters are interpreted as described for \fBOSSL_HTTP_open()\fR
and \fBOSSL_HTTP_set1_request()\fR, respectively.
-The caller is responsible for freeing the \s-1BIO\s0 pointer obtained.
+The caller is responsible for freeing the BIO pointer obtained.
.PP
-\&\fBOSSL_HTTP_transfer()\fR exchanges an \s-1HTTP\s0 request and response
+\&\fBOSSL_HTTP_transfer()\fR exchanges an HTTP request and response
over a connection managed via \fIprctx\fR without supporting redirection.
It combines \fBOSSL_HTTP_open()\fR, \fBOSSL_HTTP_set1_request()\fR, \fBOSSL_HTTP_exchange()\fR,
and \fBOSSL_HTTP_close()\fR.
-If \fIprctx\fR is not \s-1NULL\s0 it reuses any open connection represented by a non-NULL
+If \fIprctx\fR is not NULL it reuses any open connection represented by a non-NULL
\&\fI*prctx\fR. It keeps the connection open if a persistent connection is requested
or required and this was granted by the server, else it closes the connection
-and assigns \s-1NULL\s0 to \fI*prctx\fR.
+and assigns NULL to \fI*prctx\fR.
The remaining parameters are interpreted as described for \fBOSSL_HTTP_open()\fR
and \fBOSSL_HTTP_set1_request()\fR, respectively.
-The caller is responsible for freeing the \s-1BIO\s0 pointer obtained.
+The caller is responsible for freeing the BIO pointer obtained.
.PP
\&\fBOSSL_HTTP_close()\fR closes the connection and releases \fIrctx\fR.
-The \fIok\fR parameter is passed to any \s-1BIO\s0 update function
+The \fIok\fR parameter is passed to any BIO update function
given during setup as described above for \fBOSSL_HTTP_open()\fR.
-It must be 1 if no error occurred during the \s-1HTTP\s0 transfer and 0 otherwise.
-.SH "NOTES"
+It must be 1 if no error occurred during the HTTP transfer and 0 otherwise.
+.SH NOTES
.IX Header "NOTES"
The names of the environment variables used by this implementation:
\&\f(CW\*(C`http_proxy\*(C'\fR, \f(CW\*(C`HTTP_PROXY\*(C'\fR, \f(CW\*(C`https_proxy\*(C'\fR, \f(CW\*(C`HTTPS_PROXY\*(C'\fR, \f(CW\*(C`no_proxy\*(C'\fR, and
\&\f(CW\*(C`NO_PROXY\*(C'\fR, have been chosen for maximal compatibility with
-other \s-1HTTP\s0 client implementations such as wget, curl, and git.
+other HTTP client implementations such as wget, curl, and git.
+.PP
+When built with tracing enabled, \fBOSSL_HTTP_transfer()\fR and all functions using it
+may be traced using \fBOSSL_TRACE_CATEGORY_HTTP\fR.
+See also \fBOSSL_trace_enabled\fR\|(3) and \fBopenssl\-env\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_HTTP_open()\fR returns on success a \fB\s-1OSSL_HTTP_REQ_CTX\s0\fR, else \s-1NULL.\s0
+\&\fBOSSL_HTTP_open()\fR returns on success a \fBOSSL_HTTP_REQ_CTX\fR, else NULL.
.PP
\&\fBOSSL_HTTP_proxy_connect()\fR and \fBOSSL_HTTP_set1_request()\fR
return 1 on success, 0 on error.
.PP
On success, \fBOSSL_HTTP_exchange()\fR, \fBOSSL_HTTP_get()\fR, and \fBOSSL_HTTP_transfer()\fR
-return a memory \s-1BIO\s0 that buffers all the data received if an \s-1ASN\s0.1\-encoded
-response is expected, otherwise a \s-1BIO\s0 that may support streaming.
-The \s-1BIO\s0 must be freed by the caller.
-On failure, they return \s-1NULL.\s0
+return a memory BIO that buffers all the data received if an ASN.1\-encoded
+response is expected, otherwise a BIO that may support streaming.
+The BIO must be freed by the caller.
+On failure, they return NULL.
Failure conditions include connection/transfer timeout, parse errors, etc.
-The caller is responsible for freeing the \s-1BIO\s0 pointer obtained.
+The caller is responsible for freeing the BIO pointer obtained.
.PP
\&\fBOSSL_HTTP_close()\fR returns 0 if anything went wrong while disconnecting, else 1.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOSSL_HTTP_parse_url\fR\|(3), \fBBIO_new_connect\fR\|(3),
\&\fBASN1_item_i2d_mem_bio\fR\|(3), \fBASN1_item_d2i_bio\fR\|(3),
-\&\fBOSSL_HTTP_is_alive\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_HTTP_REQ_CTX_set_expected\fR\|(3),
+\&\fBOSSL_HTTP_is_alive\fR\|(3),
+\&\fBOSSL_trace_enabled\fR\|(3), and \fBopenssl\-env\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
All the functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3 b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3
new file mode 100644
index 000000000000..9cf1cf6f2b75
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX.3
@@ -0,0 +1,144 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_IETF_ATTR_SYNTAX 3ossl"
+.TH OSSL_IETF_ATTR_SYNTAX 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_IETF_ATTR_SYNTAX,
+OSSL_IETF_ATTR_SYNTAX_get0_policyAuthority,
+OSSL_IETF_ATTR_SYNTAX_set0_policyAuthority,
+OSSL_IETF_ATTR_SYNTAX_get_value_num,
+OSSL_IETF_ATTR_SYNTAX_get0_value,
+OSSL_IETF_ATTR_SYNTAX_add1_value
+\&\- Accessors and setters for OSSL_IETF_ATTR_SYNTAX
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& typedef struct OSSL_IETF_ATTR_SYNTAX_st OSSL_IETF_ATTR_SYNTAX;
+\&
+\& const GENERAL_NAMES *
+\& OSSL_IETF_ATTR_SYNTAX_get0_policyAuthority(const OSSL_IETF_ATTR_SYNTAX *a);
+\& void OSSL_IETF_ATTR_SYNTAX_set0_policyAuthority(OSSL_IETF_ATTR_SYNTAX *a,
+\& GENERAL_NAMES *names);
+\&
+\& int OSSL_IETF_ATTR_SYNTAX_get_value_num(const OSSL_IETF_ATTR_SYNTAX *a);
+\& void *OSSL_IETF_ATTR_SYNTAX_get0_value(const OSSL_IETF_ATTR_SYNTAX *a,
+\& int ind, int *type);
+\& int OSSL_IETF_ATTR_SYNTAX_add1_value(OSSL_IETF_ATTR_SYNTAX *a, int type,
+\& void *data);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_IETF_ATTR_SYNTAX\fR is an opaque structure that represents the
+IetfAttrSyntax type defined in RFC 5755 (Section 4.4) for use
+as an AttributeValue.
+.PP
+\&\fBOSSL_IETF_ATTR_SYNTAX_get0_policyAuthority()\fR and \fBOSSL_IETF_ATTR_SYNTAX_set0_policyAuthority()\fR
+get and set the policyAuthority field of the structure. Both routines act on
+internal pointers of the structure and must not be freed by the application.
+.PP
+An \fBOSSL_IETF_ATTR_SYNTAX\fR object also holds a sequence of values.
+\&\fBOSSL_IETF_ATTR_SYNTAX_get_value_num()\fR returns the number of values in the
+sequence. \fBOSSL_IETF_ATTR_SYNTAX_add1_value()\fR, adds a copy of \fIdata\fR of a specified
+\&\fItype\fR to the sequence. The caller should free the \fIdata\fR after use.
+.PP
+\&\fBOSSL_IETF_ATTR_SYNTAX_get0_value()\fR will return the value and a specific index \fIind\fR
+in the sequence or NULL on error. If \fItype\fR is not NULL, the type of the
+value will be written to this location.
+.PP
+The \fItype\fR of the values stored in the \fBOSSL_IETF_ATTR_SYNTAX\fR value sequence is
+one of the following:
+.IP OSSL_IETFAS_OCTETS 4
+.IX Item "OSSL_IETFAS_OCTETS"
+A pointer to an ASN1_OCTET_STRING
+.IP OSSL_IETFAS_OID 4
+.IX Item "OSSL_IETFAS_OID"
+A pointer to an ASN1_OBJECT
+.IP OSSL_IETFAS_STRING 4
+.IX Item "OSSL_IETFAS_STRING"
+A pointer to an ASN1_UTF8STRING
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_IETF_ATTR_SYNTAX_get0_policyAuthority()\fR returns an pointer to a
+\&\fBGENERAL_NAMES\fR structure or \fBNULL\fR if the policy authority has not been
+set.
+.PP
+\&\fBOSSL_IETF_ATTR_SYNTAX_get_value_num()\fR returns the number of entries in the value
+sequence or \-1 on error.
+.PP
+\&\fBOSSL_IETF_ATTR_SYNTAX_get0_value()\fR returns a pointer to the value at the given index
+or NULL if the index is out of range.
+.PP
+\&\fBOSSL_IETF_ATTR_SYNTAX_add1_value()\fR returns 1 on success and 0 on failure.
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBOSSL_IETF_ATTR_SYNTAX_get0_policyAuthority()\fR, \fBOSSL_IETF_ATTR_SYNTAX_set0_policyAuthority()\fR,
+\&\fBOSSL_IETF_ATTR_SYNTAX_get_value_num()\fR, \fBOSSL_IETF_ATTR_SYNTAX_get0_value()\fR, and
+\&\fBOSSL_IETF_ATTR_SYNTAX_add1_value()\fR were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3 b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3
new file mode 100644
index 000000000000..62c63f074d33
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_IETF_ATTR_SYNTAX_print.3
@@ -0,0 +1,94 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl"
+.TH OSSL_IETF_ATTR_SYNTAX_PRINT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_IETF_ATTR_SYNTAX_print \- OSSL_IETF_ATTR_SYNTAX printing
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& int OSSL_IETF_ATTR_SYNTAX_print(BIO *bp, OSSL_IETF_ATTR_SYNTAX *a,
+\& int indent);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_IETF_ATTR_SYNTAX_print()\fR prints a human readable version of \fIa\fR to
+BIO \fIbp\fR.
+Each line of the output is indented by \fIindent\fR spaces.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_IETF_ATTR_SYNTAX_print()\fR return 1 on success or 0 on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBASN1_STRING_print_ex\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBOSSL_IETF_ATTR_SYNTAX_print()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3 b/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3
new file mode 100644
index 000000000000..7281e5419394
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_INDICATOR_set_callback.3
@@ -0,0 +1,136 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_INDICATOR_SET_CALLBACK 3ossl"
+.TH OSSL_INDICATOR_SET_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_INDICATOR_set_callback,
+OSSL_INDICATOR_get_callback \- specify a callback for FIPS indicators
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/indicator.h>
+.Ve
+.PP
+typedef int (OSSL_INDICATOR_CALLBACK)(const char *type, const char *desc,
+ const OSSL_PARAM params[]);
+.PP
+.Vb 4
+\& void OSSL_INDICATOR_set_callback(OSSL_LIB_CTX *libctx,
+\& OSSL_INDICATOR_CALLBACK *cb);
+\& void OSSL_INDICATOR_get_callback(OSSL_LIB_CTX *libctx,
+\& OSSL_INDICATOR_CALLBACK **cb);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_INDICATOR_set_callback()\fR sets a user callback \fIcb\fR associated with a
+\&\fIlibctx\fR that will be called when a non approved FIPS operation is detected.
+.PP
+The user's callback may be triggered multiple times during an algorithm operation
+to indicate different approved mode checks have failed.
+.PP
+Non approved operations may only occur if the user has deliberately chosen to do
+so (either by setting a global FIPS configuration option or via an option in an
+algorithm's operation context).
+.PP
+The user's callback \fBOSSL_INDICATOR_CALLBACK\fR \fItype\fR and \fIdesc\fR
+contain the algorithm type and operation that is not approved.
+\&\fIparams\fR is not currently used.
+.PP
+If the user callback returns 0, an error will occur in the caller. This can be
+used for testing purposes.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_INDICATOR_get_callback()\fR returns the callback that has been set via
+\&\fBOSSL_INDICATOR_set_callback()\fR for the given library context \fIlibctx\fR, or NULL
+if no callback is currently set.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+A simple indicator callback to log non approved FIPS operations
+.PP
+.Vb 9
+\& static int indicator_cb(const char *type, const char *desc,
+\& const OSSL_PARAM params[])
+\& {
+\& if (type != NULL && desc != NULL)
+\& fprintf(stdout, "%s %s is not approved\en", type, desc);
+\&end:
+\& /* For Testing purposes you could return 0 here to cause an error */
+\& return 1;
+\& }
+\&
+\& OSSL_INDICATOR_set_callback(libctx, indicator_cb);
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-core.h\fR\|(7),
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
+\&\fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The functions described here were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_ITEM.3 b/secure/lib/libcrypto/man/man3/OSSL_ITEM.3
index 59270b67ed9b..faae66307e0c 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_ITEM.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_ITEM.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_ITEM 3ossl"
-.TH OSSL_ITEM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_ITEM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_ITEM \- OpenSSL Core type for generic itemized data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core.h>
@@ -149,28 +73,28 @@ OSSL_ITEM \- OpenSSL Core type for generic itemized data
\& void *ptr;
\& };
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This type is a tuple of integer and pointer.
It's a generic type used as a generic descriptor, its exact meaning
being defined by how it's used.
Arrays of this type are passed between the OpenSSL libraries and the
providers, and must be terminated with a tuple where the integer is
-zero and the pointer \s-1NULL.\s0
+zero and the pointer NULL.
.PP
This is currently mainly used for the return value of the provider's error
-reason strings array, see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7).
+reason strings array, see "Provider Functions" in \fBprovider\-base\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBprovider\-base\fR\|(7), \fBopenssl\-core.h\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OSSL_ITEM\s0\fR was added in OpenSSL 3.0
-.SH "COPYRIGHT"
+\&\fBOSSL_ITEM\fR was added in OpenSSL 3.0
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3 b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3
index 977ae66d83ca..afcc907043a1 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_LIB_CTX 3ossl"
-.TH OSSL_LIB_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_LIB_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-OSSL_LIB_CTX, OSSL_LIB_CTX_new, OSSL_LIB_CTX_new_from_dispatch,
-OSSL_LIB_CTX_new_child, OSSL_LIB_CTX_free, OSSL_LIB_CTX_load_config,
+.SH NAME
+OSSL_LIB_CTX, OSSL_LIB_CTX_get_data, OSSL_LIB_CTX_new,
+OSSL_LIB_CTX_new_from_dispatch, OSSL_LIB_CTX_new_child,
+OSSL_LIB_CTX_free, OSSL_LIB_CTX_load_config,
OSSL_LIB_CTX_get0_global_default, OSSL_LIB_CTX_set0_default
\&\- OpenSSL library context
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
@@ -157,23 +82,24 @@ OSSL_LIB_CTX_get0_global_default, OSSL_LIB_CTX_set0_default
\& void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx);
\& OSSL_LIB_CTX *OSSL_LIB_CTX_get0_global_default(void);
\& OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *ctx);
+\& void *OSSL_LIB_CTX_get_data(OSSL_LIB_CTX *ctx, int index);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_LIB_CTX\s0\fR is an internal OpenSSL library context type.
-Applications may allocate their own, but may also use \s-1NULL\s0 to use
-a default context with functions that take an \fB\s-1OSSL_LIB_CTX\s0\fR
+\&\fBOSSL_LIB_CTX\fR is an internal OpenSSL library context type.
+Applications may allocate their own, but may also use NULL to use
+a default context with functions that take an \fBOSSL_LIB_CTX\fR
argument.
.PP
When a non default library context is in use care should be taken with
multi-threaded applications to properly clean up thread local resources before
-the \s-1OSSL_LIB_CTX\s0 is freed.
+the OSSL_LIB_CTX is freed.
See \fBOPENSSL_thread_stop_ex\fR\|(3) for more information.
.PP
\&\fBOSSL_LIB_CTX_new()\fR creates a new OpenSSL library context.
.PP
\&\fBOSSL_LIB_CTX_new_from_dispatch()\fR creates a new OpenSSL library context
-initialised to use callbacks from the \s-1OSSL_DISPATCH\s0 structure. This is primarily
+initialised to use callbacks from the OSSL_DISPATCH structure. This is primarily
useful for provider authors. The \fIhandle\fR and dispatch structure arguments
passed should be the same ones as passed to a provider's
OSSL_provider_init function. Some OpenSSL functions, such as
@@ -220,21 +146,22 @@ library context.
.PP
\&\fBOSSL_LIB_CTX_load_config()\fR loads a configuration file using the given \fIctx\fR.
This can be used to associate a library context with providers that are loaded
-from a configuration.
+from a configuration. This function must not be called concurrently from
+multiple threads on a single \fIctx\fR.
.PP
\&\fBOSSL_LIB_CTX_free()\fR frees the given \fIctx\fR, unless it happens to be the
-default OpenSSL library context.
+default OpenSSL library context. If the argument is NULL, nothing is done.
.PP
-\&\fBOSSL_LIB_CTX_get0_global_default()\fR returns a concrete (non \s-1NULL\s0) reference to
+\&\fBOSSL_LIB_CTX_get0_global_default()\fR returns a concrete (non NULL) reference to
the global default library context.
.PP
\&\fBOSSL_LIB_CTX_set0_default()\fR sets the default OpenSSL library context to be
\&\fIctx\fR in the current thread. The previous default library context is
returned. Care should be taken by the caller to restore the previous
default library context with a subsequent call of this function. If \fIctx\fR is
-\&\s-1NULL\s0 then no change is made to the default library context, but a pointer to
+NULL then no change is made to the default library context, but a pointer to
the current library context is still returned. On a successful call of this
-function the returned value will always be a concrete (non \s-1NULL\s0) library
+function the returned value will always be a concrete (non NULL) library
context.
.PP
Care should be taken when changing the default library context and starting
@@ -244,23 +171,36 @@ matter how the calling thread makes further default library context changes
in the mean time. This means that the calling thread must not free the
library context that was the default at the start of the async job before
that job has finished.
+.PP
+\&\fBOSSL_LIB_CTX_get_data()\fR returns a memory address whose interpretation depends
+on the index. The index argument refers to a context member which is
+to be retrieved. The values for index are all private to OpenSSL currently
+and so applications should not typically call this function.
+If ctx is NULL then the function operates on the default library context.
+\&\fBOSSL_LIB_CTX_get_data()\fR returns a memory address whose interpretation
+depends on the index.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_LIB_CTX_new()\fR, \fBOSSL_LIB_CTX_get0_global_default()\fR and
-\&\fBOSSL_LIB_CTX_set0_default()\fR return a library context pointer on success, or \s-1NULL\s0
+\&\fBOSSL_LIB_CTX_set0_default()\fR return a library context pointer on success, or NULL
on error.
.PP
\&\fBOSSL_LIB_CTX_free()\fR doesn't return any value.
.PP
\&\fBOSSL_LIB_CTX_load_config()\fR returns 1 on success, 0 on error.
-.SH "HISTORY"
+.PP
+\&\fBOSSL_LIB_CTX_get_data()\fR returns a memory address whose interpretation
+depends on the index.
+.SH HISTORY
.IX Header "HISTORY"
All of the functions described on this page were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBOSSL_LIB_CTX_get_data()\fR was introduced in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3 b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3
new file mode 100644
index 000000000000..83a6b0ac8bf0
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_LIB_CTX_set_conf_diagnostics.3
@@ -0,0 +1,106 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl"
+.TH OSSL_LIB_CTX_SET_CONF_DIAGNOSTICS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_LIB_CTX_set_conf_diagnostics, OSSL_LIB_CTX_get_conf_diagnostics
+\&\- Set and get configuration diagnostics
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/crypto.h>
+\&
+\& void OSSL_LIB_CTX_set_conf_diagnostics(OSSL_LIB_CTX *ctx, int value);
+\& int OSSL_LIB_CTX_get_conf_diagnostics(OSSL_LIB_CTX *ctx);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_LIB_CTX_set_conf_diagnostics()\fR sets the value of the configuration
+diagnostics flag. If \fIvalue\fR is nonzero subsequent parsing and application
+of configuration data can report errors that would otherwise be ignored. In
+particular any errors in the ssl configuration module will cause a failure
+of \fBSSL_CTX_new\fR\|(3) and \fBSSL_CTX_new_ex\fR\|(3) calls. The configuration
+diagnostics flag can be also set when a configuration file is being loaded
+into \fBOSSL_LIB_CTX\fR with \fBOSSL_LIB_CTX_load_config\fR\|(3). If the configuration
+sets a \fBconfig_diagnostics\fR value as described in \fBconfig\fR\|(5), it will
+override the value set by \fBOSSL_LIB_CTX_set_conf_diagnostics()\fR before
+loading the configuration file.
+.PP
+\&\fBOSSL_LIB_CTX_get_conf_diagnostics()\fR returns the current value of the
+configuration diagnostics flag.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_LIB_CTX_get_conf_diagnostics()\fR returns 0 if the configuration diagnostics
+should not be performed, nonzero otherwise.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_CTX_new\fR\|(3), \fBOSSL_LIB_CTX_load_config\fR\|(3), \fBconfig\fR\|(5)
+.SH HISTORY
+.IX Header "HISTORY"
+The functions described on this page were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM.3
index a23a7d4711da..0d8778bdb7bf 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_PARAM.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PARAM 3ossl"
-.TH OSSL_PARAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PARAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PARAM \- a structure to pass or request object parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core.h>
@@ -146,15 +70,15 @@ OSSL_PARAM \- a structure to pass or request object parameters
\& typedef struct ossl_param_st OSSL_PARAM;
\& struct ossl_param_st {
\& const char *key; /* the name of the parameter */
-\& unsigned char data_type; /* declare what kind of content is in data */
+\& unsigned int data_type; /* declare what kind of content is in data */
\& void *data; /* value being passed in or out */
\& size_t data_size; /* data size */
\& size_t return_size; /* returned size */
\& };
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_PARAM\s0\fR is a type that allows passing arbitrary data for some
+\&\fBOSSL_PARAM\fR is a type that allows passing arbitrary data for some
object between two parties that have no or very little shared
knowledge about their respective internal structures for that object.
.PP
@@ -163,68 +87,68 @@ parameters for an object, or wants to find out some parameters of an
object.
.PP
Arrays of this type can be used for the following purposes:
-.IP "\(bu" 4
+.IP \(bu 4
Setting parameters for some object
.Sp
-The caller sets up the \fB\s-1OSSL_PARAM\s0\fR array and calls some function
+The caller sets up the \fBOSSL_PARAM\fR array and calls some function
(the \fIsetter\fR) that has intimate knowledge about the object that can
-take the data from the \fB\s-1OSSL_PARAM\s0\fR array and assign them in a
+take the data from the \fBOSSL_PARAM\fR array and assign them in a
suitable form for the internal structure of the object.
-.IP "\(bu" 4
+.IP \(bu 4
Request parameters of some object
.Sp
-The caller (the \fIrequester\fR) sets up the \fB\s-1OSSL_PARAM\s0\fR array and
+The caller (the \fIrequester\fR) sets up the \fBOSSL_PARAM\fR array and
calls some function (the \fIresponder\fR) that has intimate knowledge
about the object, which can take the internal data of the object and
copy (possibly convert) that to the memory prepared by the
-\&\fIrequester\fR and pointed at with the \fB\s-1OSSL_PARAM\s0\fR \fIdata\fR.
-.IP "\(bu" 4
+\&\fIrequester\fR and pointed at with the \fBOSSL_PARAM\fR \fIdata\fR.
+.IP \(bu 4
Request parameter descriptors
.Sp
-The caller gets an array of constant \fB\s-1OSSL_PARAM\s0\fR, which describe
+The caller gets an array of constant \fBOSSL_PARAM\fR, which describe
available parameters and some of their properties; name, data type and
expected data size.
For a detailed description of each field for this use, see the field
descriptions below.
.Sp
The caller may then use the information from this descriptor array to
-build up its own \fB\s-1OSSL_PARAM\s0\fR array to pass down to a \fIsetter\fR or
+build up its own \fBOSSL_PARAM\fR array to pass down to a \fIsetter\fR or
\&\fIresponder\fR.
.PP
-Normally, the order of the an \fB\s-1OSSL_PARAM\s0\fR array is not relevant.
+Normally, the order of the an \fBOSSL_PARAM\fR array is not relevant.
However, if the \fIresponder\fR can handle multiple elements with the
same key, those elements must be handled in the order they are in.
.PP
-An \fB\s-1OSSL_PARAM\s0\fR array must have a terminating element, where \fIkey\fR
-is \s-1NULL.\s0 The usual full terminating template is:
+An \fBOSSL_PARAM\fR array must have a terminating element, where \fIkey\fR
+is NULL. The usual full terminating template is:
.PP
.Vb 1
\& { NULL, 0, NULL, 0, 0 }
.Ve
.PP
-This can also be specified using \s-1\fBOSSL_PARAM_END\s0\fR\|(3).
+This can also be specified using \fBOSSL_PARAM_END\fR\|(3).
.SS "Functional support"
.IX Subsection "Functional support"
Libcrypto offers a limited set of helper functions to handle
-\&\fB\s-1OSSL_PARAM\s0\fR items and arrays, please see \fBOSSL_PARAM_get_int\fR\|(3).
+\&\fBOSSL_PARAM\fR items and arrays, please see \fBOSSL_PARAM_get_int\fR\|(3).
Developers are free to extend or replace those as they see fit.
-.SS "\fB\s-1OSSL_PARAM\s0\fP fields"
+.SS "\fBOSSL_PARAM\fP fields"
.IX Subsection "OSSL_PARAM fields"
-.IP "\fIkey\fR" 4
+.IP \fIkey\fR 4
.IX Item "key"
The identity of the parameter in the form of a string.
.Sp
-In an \fB\s-1OSSL_PARAM\s0\fR array, an item with this field set to \s-1NULL\s0 is
+In an \fBOSSL_PARAM\fR array, an item with this field set to NULL is
considered a terminating item.
-.IP "\fIdata_type\fR" 4
+.IP \fIdata_type\fR 4
.IX Item "data_type"
The \fIdata_type\fR is a value that describes the type and organization of
the data.
-See \*(L"Supported types\*(R" below for a description of the types.
-.IP "\fIdata\fR" 4
+See "Supported types" below for a description of the types.
+.IP \fIdata\fR 4
.IX Item "data"
.PD 0
-.IP "\fIdata_size\fR" 4
+.IP \fIdata_size\fR 4
.IX Item "data_size"
.PD
\&\fIdata\fR is a pointer to the memory where the parameter data is (when
@@ -233,35 +157,35 @@ and \fIdata_size\fR is its size in bytes.
The organization of the data depends on the parameter type and flag.
.Sp
The \fIdata_size\fR needs special attention with the parameter type
-\&\fB\s-1OSSL_PARAM_UTF8_STRING\s0\fR in relation to C strings. When setting
+\&\fBOSSL_PARAM_UTF8_STRING\fR in relation to C strings. When setting
parameters, the size should be set to the length of the string, not
-counting the terminating \s-1NUL\s0 byte. When requesting parameters, the
+counting the terminating NUL byte. When requesting parameters, the
size should be set to the size of the buffer to be populated, which
-should accommodate enough space for a terminating \s-1NUL\s0 byte.
+should accommodate enough space for a terminating NUL byte.
.Sp
-When \fIrequesting parameters\fR, it's acceptable for \fIdata\fR to be \s-1NULL.\s0
+When \fIrequesting parameters\fR, it's acceptable for \fIdata\fR to be NULL.
This can be used by the \fIrequester\fR to figure out dynamically exactly
how much buffer space is needed to store the parameter data.
In this case, \fIdata_size\fR is ignored.
.Sp
-When the \fB\s-1OSSL_PARAM\s0\fR is used as a parameter descriptor, \fIdata\fR
+When the \fBOSSL_PARAM\fR is used as a parameter descriptor, \fIdata\fR
should be ignored.
If \fIdata_size\fR is zero, it means that an arbitrary data size is
accepted, otherwise it specifies the maximum size allowed.
-.IP "\fIreturn_size\fR" 4
+.IP \fIreturn_size\fR 4
.IX Item "return_size"
-When an array of \fB\s-1OSSL_PARAM\s0\fR is used to request data, the
+When an array of \fBOSSL_PARAM\fR is used to request data, the
\&\fIresponder\fR must set this field to indicate size of the parameter
data, including padding as the case may be.
In case the \fIdata_size\fR is an unsuitable size for the data, the
\&\fIresponder\fR must still set this field to indicate the minimum data
size required.
-(further notes on this in \*(L"\s-1NOTES\*(R"\s0 below).
+(further notes on this in "NOTES" below).
.Sp
-When the \fB\s-1OSSL_PARAM\s0\fR is used as a parameter descriptor,
+When the \fBOSSL_PARAM\fR is used as a parameter descriptor,
\&\fIreturn_size\fR should be ignored.
.PP
-\&\fB\s-1NOTE:\s0\fR
+\&\fBNOTE:\fR
.PP
The key names and associated types are defined by the entity that
offers these parameters, i.e. names for parameters provided by the
@@ -271,38 +195,38 @@ except for the pointer form of strings (see data type descriptions
below).
Entities that want to set or request parameters need to know what
those keys are and of what type, any functionality between those two
-entities should remain oblivious and just pass the \fB\s-1OSSL_PARAM\s0\fR array
+entities should remain oblivious and just pass the \fBOSSL_PARAM\fR array
along.
.SS "Supported types"
.IX Subsection "Supported types"
The \fIdata_type\fR field can be one of the following types:
-.IP "\fB\s-1OSSL_PARAM_INTEGER\s0\fR" 4
+.IP \fBOSSL_PARAM_INTEGER\fR 4
.IX Item "OSSL_PARAM_INTEGER"
.PD 0
-.IP "\fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR" 4
+.IP \fBOSSL_PARAM_UNSIGNED_INTEGER\fR 4
.IX Item "OSSL_PARAM_UNSIGNED_INTEGER"
.PD
The parameter data is an integer (signed or unsigned) of arbitrary
length, organized in native form, i.e. most significant byte first on
Big-Endian systems, and least significant byte first on Little-Endian
systems.
-.IP "\fB\s-1OSSL_PARAM_REAL\s0\fR" 4
+.IP \fBOSSL_PARAM_REAL\fR 4
.IX Item "OSSL_PARAM_REAL"
The parameter data is a floating point value in native form.
-.IP "\fB\s-1OSSL_PARAM_UTF8_STRING\s0\fR" 4
+.IP \fBOSSL_PARAM_UTF8_STRING\fR 4
.IX Item "OSSL_PARAM_UTF8_STRING"
The parameter data is a printable string.
-.IP "\fB\s-1OSSL_PARAM_OCTET_STRING\s0\fR" 4
+.IP \fBOSSL_PARAM_OCTET_STRING\fR 4
.IX Item "OSSL_PARAM_OCTET_STRING"
The parameter data is an arbitrary string of bytes.
-.IP "\fB\s-1OSSL_PARAM_UTF8_PTR\s0\fR" 4
+.IP \fBOSSL_PARAM_UTF8_PTR\fR 4
.IX Item "OSSL_PARAM_UTF8_PTR"
The parameter data is a pointer to a printable string.
.Sp
-The difference between this and \fB\s-1OSSL_PARAM_UTF8_STRING\s0\fR is that \fIdata\fR
+The difference between this and \fBOSSL_PARAM_UTF8_STRING\fR is that \fIdata\fR
doesn't point directly at the data, but to a pointer that points to the data.
.Sp
-If there is any uncertainty about which to use, \fB\s-1OSSL_PARAM_UTF8_STRING\s0\fR is
+If there is any uncertainty about which to use, \fBOSSL_PARAM_UTF8_STRING\fR is
almost certainly the correct choice.
.Sp
This is used to indicate that constant data is or will be passed,
@@ -319,15 +243,15 @@ Note that the use of this type is \fBfragile\fR and can only be safely
used for data that remains constant and in a constant location for a
long enough duration (such as the life-time of the entity that
offers these parameters).
-.IP "\fB\s-1OSSL_PARAM_OCTET_PTR\s0\fR" 4
+.IP \fBOSSL_PARAM_OCTET_PTR\fR 4
.IX Item "OSSL_PARAM_OCTET_PTR"
The parameter data is a pointer to an arbitrary string of bytes.
.Sp
-The difference between this and \fB\s-1OSSL_PARAM_OCTET_STRING\s0\fR is that
+The difference between this and \fBOSSL_PARAM_OCTET_STRING\fR is that
\&\fIdata\fR doesn't point directly at the data, but to a pointer that
points to the data.
.Sp
-If there is any uncertainty about which to use, \fB\s-1OSSL_PARAM_OCTET_STRING\s0\fR is
+If there is any uncertainty about which to use, \fBOSSL_PARAM_OCTET_STRING\fR is
almost certainly the correct choice.
.Sp
This is used to indicate that constant data is or will be passed, and
@@ -344,54 +268,54 @@ Note that the use of this type is \fBfragile\fR and can only be safely
used for data that remains constant and in a constant location for a
long enough duration (such as the life-time of the entity that
offers these parameters).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Both when setting and requesting parameters, the functions that are
called will have to decide what is and what is not an error.
The recommended behaviour is:
-.IP "\(bu" 4
+.IP \(bu 4
Keys that a \fIsetter\fR or \fIresponder\fR doesn't recognise should simply
be ignored.
That in itself isn't an error.
-.IP "\(bu" 4
+.IP \(bu 4
If the keys that a called \fIsetter\fR recognises form a consistent
enough set of data, that call should succeed.
-.IP "\(bu" 4
+.IP \(bu 4
Apart from the \fIreturn_size\fR, a \fIresponder\fR must never change the fields
-of an \fB\s-1OSSL_PARAM\s0\fR.
+of an \fBOSSL_PARAM\fR.
To return a value, it should change the contents of the memory that
\&\fIdata\fR points at.
-.IP "\(bu" 4
+.IP \(bu 4
If the data type for a key that it's associated with is incorrect,
the called function may return an error.
.Sp
The called function may also try to convert the data to a suitable
form (for example, it's plausible to pass a large number as an octet
string, so even though a given key is defined as an
-\&\fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR, is plausible to pass the value as an
-\&\fB\s-1OSSL_PARAM_OCTET_STRING\s0\fR), but this is in no way mandatory.
-.IP "\(bu" 4
-If \fIdata\fR for a \fB\s-1OSSL_PARAM_OCTET_STRING\s0\fR or a
-\&\fB\s-1OSSL_PARAM_UTF8_STRING\s0\fR is \s-1NULL,\s0 the \fIresponder\fR should
+\&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR, is plausible to pass the value as an
+\&\fBOSSL_PARAM_OCTET_STRING\fR), but this is in no way mandatory.
+.IP \(bu 4
+If \fIdata\fR for a \fBOSSL_PARAM_OCTET_STRING\fR or a
+\&\fBOSSL_PARAM_UTF8_STRING\fR is NULL, the \fIresponder\fR should
set \fIreturn_size\fR to the size of the item to be returned
and return success. Later the responder will be called again
with \fIdata\fR pointing at the place for the value to be put.
-.IP "\(bu" 4
+.IP \(bu 4
If a \fIresponder\fR finds that some data sizes are too small for the
requested data, it must set \fIreturn_size\fR for each such
-\&\fB\s-1OSSL_PARAM\s0\fR item to the minimum required size, and eventually return
+\&\fBOSSL_PARAM\fR item to the minimum required size, and eventually return
an error.
-.IP "\(bu" 4
-For the integer type parameters (\fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR and
-\&\fB\s-1OSSL_PARAM_INTEGER\s0\fR), a \fIresponder\fR may choose to return an error
+.IP \(bu 4
+For the integer type parameters (\fBOSSL_PARAM_UNSIGNED_INTEGER\fR and
+\&\fBOSSL_PARAM_INTEGER\fR), a \fIresponder\fR may choose to return an error
if the \fIdata_size\fR isn't a suitable size (even if \fIdata_size\fR is
bigger than needed). If the \fIresponder\fR finds the size suitable, it
must fill all \fIdata_size\fR bytes and ensure correct padding for the
native endianness, and set \fIreturn_size\fR to the same value as
\&\fIdata_size\fR.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-A couple of examples to just show how \fB\s-1OSSL_PARAM\s0\fR arrays could be
+A couple of examples to just show how \fBOSSL_PARAM\fR arrays could be
set up.
.PP
\fIExample 1\fR
@@ -450,15 +374,15 @@ could fill in the parameters like this:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBopenssl\-core.h\fR\|(7), \fBOSSL_PARAM_get_int\fR\|(3), \fBOSSL_PARAM_dup\fR\|(3)
-.SH "HISTORY"
+\&\fBopenssl\-core.h\fR\|(7), \fBOSSL_PARAM_get_int\fR\|(3), \fBOSSL_PARAM_dup\fR\|(3), \fBOSSL_PARAM_construct_utf8_string\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OSSL_PARAM\s0\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBOSSL_PARAM\fR was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3
index c5fabb2a87dd..62a87ef8be5e 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_BLD.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PARAM_BLD 3ossl"
-.TH OSSL_PARAM_BLD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PARAM_BLD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PARAM_BLD, OSSL_PARAM_BLD_new, OSSL_PARAM_BLD_to_param,
OSSL_PARAM_BLD_free, OSSL_PARAM_BLD_push_int,
OSSL_PARAM_BLD_push_uint, OSSL_PARAM_BLD_push_long,
@@ -148,7 +72,7 @@ OSSL_PARAM_BLD_push_BN, OSSL_PARAM_BLD_push_BN_pad,
OSSL_PARAM_BLD_push_utf8_string, OSSL_PARAM_BLD_push_utf8_ptr,
OSSL_PARAM_BLD_push_octet_string, OSSL_PARAM_BLD_push_octet_ptr
\&\- functions to assist in the creation of OSSL_PARAM arrays
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/param_build.h>
@@ -175,84 +99,98 @@ OSSL_PARAM_BLD_push_octet_string, OSSL_PARAM_BLD_push_octet_ptr
\& int OSSL_PARAM_BLD_push_octet_ptr(OSSL_PARAM_BLD *bld, const char *key,
\& void *buf, size_t bsize);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A collection of utility functions that simplify the creation of \s-1OSSL_PARAM\s0
-arrays. The \fB\f(BI\s-1TYPE\s0\fB\fR names are as per \fBOSSL_PARAM_int\fR\|(3).
+A collection of utility functions that simplify the creation of OSSL_PARAM
+arrays. The \fR\f(BITYPE\fR\fB\fR names are as per \fBOSSL_PARAM_int\fR\|(3).
.PP
-\&\fBOSSL_PARAM_BLD_new()\fR allocates and initialises a new \s-1OSSL_PARAM_BLD\s0 structure
+\&\fBOSSL_PARAM_BLD_new()\fR allocates and initialises a new OSSL_PARAM_BLD structure
so that values can be added.
Any existing values are cleared.
.PP
\&\fBOSSL_PARAM_BLD_free()\fR deallocates the memory allocates by \fBOSSL_PARAM_BLD_new()\fR.
+If the argument is NULL, nothing is done.
.PP
-\&\fBOSSL_PARAM_BLD_to_param()\fR converts a built up \s-1OSSL_PARAM_BLD\s0 structure
-\&\fIbld\fR into an allocated \s-1OSSL_PARAM\s0 array.
-The \s-1OSSL_PARAM\s0 array and all associated storage must be freed by calling
+\&\fBOSSL_PARAM_BLD_to_param()\fR converts a built up OSSL_PARAM_BLD structure
+\&\fIbld\fR into an allocated OSSL_PARAM array.
+The OSSL_PARAM array and all associated storage must be freed by calling
\&\fBOSSL_PARAM_free()\fR with the functions return value.
\&\fBOSSL_PARAM_BLD_free()\fR can safely be called any time after this function is.
.PP
-\&\fBOSSL_PARAM_BLD_push_\f(BI\s-1TYPE\s0\fB\fR() are a series of functions which will create
-\&\s-1OSSL_PARAM\s0 objects of the specified size and correct type for the \fIval\fR
+\&\fBOSSL_PARAM_BLD_push_\fR\f(BITYPE\fR() are a series of functions which will create
+OSSL_PARAM objects of the specified size and correct type for the \fIval\fR
argument.
\&\fIval\fR is stored by value and an expression or auto variable can be used.
.PP
-\&\fBOSSL_PARAM_BLD_push_BN()\fR is a function that will create an \s-1OSSL_PARAM\s0 object
-that holds the specified \s-1BIGNUM\s0 \fIbn\fR.
-If \fIbn\fR is marked as being securely allocated, its \s-1OSSL_PARAM\s0 representation
+When \fR\f(BITYPE\fR\fB\fR denotes an integer type, signed integer types will normally
+get the OSSL_PARAM type \fBOSSL_PARAM_INTEGER\fR params.
+When \fB\fR\f(BITYPE\fR\fB\fR denotes an unsigned integer type will get the OSSL_PARAM type
+\&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR.
+.PP
+\&\fBOSSL_PARAM_BLD_push_BN()\fR is a function that will create an OSSL_PARAM object
+that holds the specified BIGNUM \fIbn\fR.
+When the \fIbn\fR is zero or positive, its OSSL_PARAM type becomes
+\&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR.
+When the \fIbn\fR is negative, its OSSL_PARAM type becomes \fBOSSL_PARAM_INTEGER\fR.
+If \fIbn\fR is marked as being securely allocated, its OSSL_PARAM representation
will also be securely allocated.
-The \fIbn\fR argument is stored by reference and the underlying \s-1BIGNUM\s0 object
+The \fIbn\fR argument is stored by reference and the underlying BIGNUM object
must exist until after \fBOSSL_PARAM_BLD_to_param()\fR has been called.
.PP
-\&\fBOSSL_PARAM_BLD_push_BN_pad()\fR is a function that will create an \s-1OSSL_PARAM\s0 object
-that holds the specified \s-1BIGNUM\s0 \fIbn\fR.
+\&\fBOSSL_PARAM_BLD_push_BN_pad()\fR is a function that will create an OSSL_PARAM object
+that holds the specified BIGNUM \fIbn\fR.
The object will be padded to occupy exactly \fIsz\fR bytes, if insufficient space
is specified an error results.
-If \fIbn\fR is marked as being securely allocated, its \s-1OSSL_PARAM\s0 representation
+When the \fIbn\fR is zero or positive, its OSSL_PARAM type becomes
+\&\fBOSSL_PARAM_UNSIGNED_INTEGER\fR.
+When the \fIbn\fR is negative, its OSSL_PARAM type becomes \fBOSSL_PARAM_INTEGER\fR.
+If \fIbn\fR is marked as being securely allocated, its OSSL_PARAM representation
will also be securely allocated.
-The \fIbn\fR argument is stored by reference and the underlying \s-1BIGNUM\s0 object
+The \fIbn\fR argument is stored by reference and the underlying BIGNUM object
must exist until after \fBOSSL_PARAM_BLD_to_param()\fR has been called.
.PP
-\&\fBOSSL_PARAM_BLD_push_utf8_string()\fR is a function that will create an \s-1OSSL_PARAM\s0
-object that references the \s-1UTF8\s0 string specified by \fIbuf\fR.
-The length of the string \fIbsize\fR should not include the terminating \s-1NUL\s0 byte.
+\&\fBOSSL_PARAM_BLD_push_utf8_string()\fR is a function that will create an OSSL_PARAM
+object that references the UTF8 string specified by \fIbuf\fR.
+The length of the string \fIbsize\fR should not include the terminating NUL byte.
If it is zero then it will be calculated.
The string that \fIbuf\fR points to is stored by reference and must remain in
scope until after \fBOSSL_PARAM_BLD_to_param()\fR has been called.
.PP
-\&\fBOSSL_PARAM_BLD_push_octet_string()\fR is a function that will create an \s-1OSSL_PARAM\s0
+\&\fBOSSL_PARAM_BLD_push_octet_string()\fR is a function that will create an OSSL_PARAM
object that references the octet string specified by \fIbuf\fR and <bsize>.
The memory that \fIbuf\fR points to is stored by reference and must remain in
scope until after \fBOSSL_PARAM_BLD_to_param()\fR has been called.
.PP
-\&\fBOSSL_PARAM_BLD_push_utf8_ptr()\fR is a function that will create an \s-1OSSL_PARAM\s0
-object that references the \s-1UTF8\s0 string specified by \fIbuf\fR.
-The length of the string \fIbsize\fR should not include the terminating \s-1NUL\s0 byte.
+\&\fBOSSL_PARAM_BLD_push_utf8_ptr()\fR is a function that will create an OSSL_PARAM
+object that references the UTF8 string specified by \fIbuf\fR.
+The length of the string \fIbsize\fR should not include the terminating NUL byte.
If it is zero then it will be calculated.
The string \fIbuf\fR points to is stored by reference and must remain in
-scope until the \s-1OSSL_PARAM\s0 array is freed.
+scope until the OSSL_PARAM array is freed.
.PP
-\&\fBOSSL_PARAM_BLD_push_octet_ptr()\fR is a function that will create an \s-1OSSL_PARAM\s0
+\&\fBOSSL_PARAM_BLD_push_octet_ptr()\fR is a function that will create an OSSL_PARAM
object that references the octet string specified by \fIbuf\fR.
The memory \fIbuf\fR points to is stored by reference and must remain in
-scope until the \s-1OSSL_PARAM\s0 array is freed.
+scope until the OSSL_PARAM array is freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_PARAM_BLD_new()\fR returns the allocated \s-1OSSL_PARAM_BLD\s0 structure, or \s-1NULL\s0
+\&\fBOSSL_PARAM_BLD_new()\fR returns the allocated OSSL_PARAM_BLD structure, or NULL
on error.
.PP
-\&\fBOSSL_PARAM_BLD_to_param()\fR returns the allocated \s-1OSSL_PARAM\s0 array, or \s-1NULL\s0
+\&\fBOSSL_PARAM_BLD_to_param()\fR returns the allocated OSSL_PARAM array, or NULL
on error.
.PP
All of the OSSL_PARAM_BLD_push_TYPE functions return 1 on success and 0
on error.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\fBOSSL_PARAM_BLD_push_BN()\fR and \fBOSSL_PARAM_BLD_push_BN_pad()\fR currently only
-support nonnegative \fB\s-1BIGNUM\s0\fRs. They return an error on negative \fB\s-1BIGNUM\s0\fRs.
-.SH "EXAMPLES"
+\&\fBOSSL_PARAM_BLD_push_BN()\fR and \fBOSSL_PARAM_BLD_push_BN_pad()\fR only
+support nonnegative \fBBIGNUM\fRs. They return an error on negative
+\&\fBBIGNUM\fRs.
+To pass signed \fBBIGNUM\fRs, use \fBOSSL_PARAM_BLD_push_signed_BN()\fR.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Both examples creating an \s-1OSSL_PARAM\s0 array that contains an \s-1RSA\s0 key.
+Both examples creating an OSSL_PARAM array that contains an RSA key.
For both, the predefined key variables are:
.PP
.Vb 6
@@ -265,7 +203,7 @@ For both, the predefined key variables are:
.Ve
.SS "Example 1"
.IX Subsection "Example 1"
-This example shows how to create an \s-1OSSL_PARAM\s0 array that contains an \s-1RSA\s0
+This example shows how to create an OSSL_PARAM array that contains an RSA
private key.
.PP
.Vb 2
@@ -290,7 +228,7 @@ private key.
.Ve
.SS "Example 2"
.IX Subsection "Example 2"
-This example shows how to create an \s-1OSSL_PARAM\s0 array that contains an \s-1RSA\s0
+This example shows how to create an OSSL_PARAM array that contains an RSA
public key.
.PP
.Vb 2
@@ -309,15 +247,15 @@ public key.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBOSSL_PARAM_int\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3), \fBOSSL_PARAM_free\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_PARAM_int\fR\|(3), \fBOSSL_PARAM\fR\|(3), \fBOSSL_PARAM_free\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were all added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3
index 5e122f3df527..8a730231c54b 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_allocate_from_text.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl"
-.TH OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PARAM_ALLOCATE_FROM_TEXT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PARAM_allocate_from_text
\&\- OSSL_PARAM construction utilities
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/params.h>
@@ -150,7 +74,7 @@ OSSL_PARAM_allocate_from_text
\& size_t value_n,
\& int *found);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
With OpenSSL before version 3.0, parameters were passed down to or
retrieved from algorithm implementations via control functions.
@@ -159,7 +83,7 @@ parameters, for example \fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
.PP
OpenSSL 3.0 introduces a new mechanism to do the same thing with an
array of parameters that contain name, value, value type and value
-size (see \s-1\fBOSSL_PARAM\s0\fR\|(3) for more information).
+size (see \fBOSSL_PARAM\fR\|(3) for more information).
.PP
\&\fBOSSL_PARAM_allocate_from_text()\fR uses \fIkey\fR to look up an item in
\&\fIparamdefs\fR. If an item was found, it converts \fIvalue\fR to something
@@ -173,67 +97,67 @@ to zero.
needs to be freed by the caller when it's not useful any more, using
\&\fBOPENSSL_free\fR\|(3).
.PP
-If \fIfound\fR is not \s-1NULL,\s0 \fI*found\fR is set to 1 if \fIkey\fR could be
+If \fIfound\fR is not NULL, \fI*found\fR is set to 1 if \fIkey\fR could be
located in \fIparamdefs\fR, and to 0 otherwise.
.SS "The use of \fIkey\fP and \fIvalue\fP in detail"
.IX Subsection "The use of key and value in detail"
\&\fBOSSL_PARAM_allocate_from_text()\fR takes note if \fIkey\fR starts with
-\&\*(L"hex\*(R", and will only use the rest of \fIkey\fR to look up an item in
-\&\fIparamdefs\fR in that case. As an example, if \fIkey\fR is \*(L"hexid\*(R", \*(L"id\*(R"
+"hex", and will only use the rest of \fIkey\fR to look up an item in
+\&\fIparamdefs\fR in that case. As an example, if \fIkey\fR is "hexid", "id"
will be looked up in \fIparamdefs\fR.
.PP
When an item in \fIparamdefs\fR has been found, \fIvalue\fR is converted
depending on that item's \fIdata_type\fR, as follows:
-.IP "\fB\s-1OSSL_PARAM_INTEGER\s0\fR and \fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR" 4
+.IP "\fBOSSL_PARAM_INTEGER\fR and \fBOSSL_PARAM_UNSIGNED_INTEGER\fR" 4
.IX Item "OSSL_PARAM_INTEGER and OSSL_PARAM_UNSIGNED_INTEGER"
-If \fIkey\fR didn't start with \*(L"hex\*(R", \fIvalue\fR is assumed to contain
+If \fIkey\fR didn't start with "hex", \fIvalue\fR is assumed to contain
\&\fIvalue_n\fR decimal characters, which are decoded, and the resulting
bytes become the number stored in the \fIto\->data\fR storage.
.Sp
-If \fIvalue\fR starts with \*(L"0x\*(R", it is assumed to contain \fIvalue_n\fR
+If \fIvalue\fR starts with "0x", it is assumed to contain \fIvalue_n\fR
hexadecimal characters.
.Sp
-If \fIkey\fR started with \*(L"hex\*(R", \fIvalue\fR is assumed to contain
-\&\fIvalue_n\fR hexadecimal characters without the \*(L"0x\*(R" prefix.
+If \fIkey\fR started with "hex", \fIvalue\fR is assumed to contain
+\&\fIvalue_n\fR hexadecimal characters without the "0x" prefix.
.Sp
If \fIvalue\fR contains characters that couldn't be decoded as
hexadecimal or decimal characters, \fBOSSL_PARAM_allocate_from_text()\fR
considers that an error.
-.IP "\fB\s-1OSSL_PARAM_UTF8_STRING\s0\fR" 4
+.IP \fBOSSL_PARAM_UTF8_STRING\fR 4
.IX Item "OSSL_PARAM_UTF8_STRING"
-If \fIkey\fR started with \*(L"hex\*(R", \fBOSSL_PARAM_allocate_from_text()\fR
+If \fIkey\fR started with "hex", \fBOSSL_PARAM_allocate_from_text()\fR
considers that an error.
.Sp
Otherwise, \fIvalue\fR is considered a C string and is copied to the
\&\fIto\->data\fR storage.
-On systems where the native character encoding is \s-1EBCDIC,\s0 the bytes in
-\&\fIto\->data\fR are converted to \s-1ASCII.\s0
-.IP "\fB\s-1OSSL_PARAM_OCTET_STRING\s0\fR" 4
+On systems where the native character encoding is EBCDIC, the bytes in
+\&\fIto\->data\fR are converted to ASCII.
+.IP \fBOSSL_PARAM_OCTET_STRING\fR 4
.IX Item "OSSL_PARAM_OCTET_STRING"
-If \fIkey\fR started with \*(L"hex\*(R", \fIvalue\fR is assumed to contain
+If \fIkey\fR started with "hex", \fIvalue\fR is assumed to contain
\&\fIvalue_n\fR hexadecimal characters, which are decoded, and the
resulting bytes are stored in the \fIto\->data\fR storage.
If \fIvalue\fR contains characters that couldn't be decoded as
hexadecimal or decimal characters, \fBOSSL_PARAM_allocate_from_text()\fR
considers that an error.
.Sp
-If \fIkey\fR didn't start with \*(L"hex\*(R", \fIvalue_n\fR bytes from \fIvalue\fR are
+If \fIkey\fR didn't start with "hex", \fIvalue_n\fR bytes from \fIvalue\fR are
copied to the \fIto\->data\fR storage.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_PARAM_allocate_from_text()\fR returns 1 if \fIkey\fR was found in
\&\fIparamdefs\fR and there was no other failure, otherwise 0.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The parameter descriptor array comes from functions dedicated to
return them.
-The following \s-1\fBOSSL_PARAM\s0\fR\|(3) attributes are used:
-.IP "\fIkey\fR" 4
+The following \fBOSSL_PARAM\fR\|(3) attributes are used:
+.IP \fIkey\fR 4
.IX Item "key"
.PD 0
-.IP "\fIdata_type\fR" 4
+.IP \fIdata_type\fR 4
.IX Item "data_type"
-.IP "\fIdata_size\fR" 4
+.IP \fIdata_size\fR 4
.IX Item "data_size"
.PD
.PP
@@ -241,7 +165,7 @@ All other attributes are ignored.
.PP
The \fIdata_size\fR attribute can be zero, meaning that the parameter it
describes expects arbitrary length data.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
Code that looked like this:
.PP
@@ -317,12 +241,12 @@ Can be written like this instead:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3), \fBOSSL_PARAM_int\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBOSSL_PARAM\fR\|(3), \fBOSSL_PARAM_int\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3
index 59161be7b725..30710e93efae 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_dup.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PARAM_DUP 3ossl"
-.TH OSSL_PARAM_DUP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PARAM_DUP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PARAM_dup, OSSL_PARAM_merge, OSSL_PARAM_free
\&\- OSSL_PARAM array copy functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/params.h>
@@ -148,11 +72,11 @@ OSSL_PARAM_dup, OSSL_PARAM_merge, OSSL_PARAM_free
\& OSSL_PARAM *OSSL_PARAM_merge(const OSSL_PARAM *params, const OSSL_PARAM *params1);
\& void OSSL_PARAM_free(OSSL_PARAM *params);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Algorithm parameters can be exported/imported from/to providers using arrays of
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3). The following utility functions allow the parameters to be
-duplicated and merged with other \s-1\fBOSSL_PARAM\s0\fR\|(3) to assist in this process.
+\&\fBOSSL_PARAM\fR\|(3). The following utility functions allow the parameters to be
+duplicated and merged with other \fBOSSL_PARAM\fR\|(3) to assist in this process.
.PP
\&\fBOSSL_PARAM_dup()\fR duplicates the parameter array \fIparams\fR. This function does a
deep copy of the data.
@@ -161,28 +85,29 @@ deep copy of the data.
new parameter array. If \fIparams\fR and \fIparams1\fR contain values with the same
\&'key' then the value from \fIparams1\fR will replace the \fIparam\fR value. This
function does a shallow copy of the parameters. Either \fIparams\fR or \fIparams1\fR
-may be \s-1NULL.\s0 The behaviour of the merge is unpredictable if \fIparams\fR and
+may be NULL. The behaviour of the merge is unpredictable if \fIparams\fR and
\&\fIparams1\fR contain the same key, and there are multiple entries within either
array that have the same key.
.PP
\&\fBOSSL_PARAM_free()\fR frees the parameter array \fIparams\fR that was created using
\&\fBOSSL_PARAM_dup()\fR, \fBOSSL_PARAM_merge()\fR or \fBOSSL_PARAM_BLD_to_param()\fR.
+If the argument to \fBOSSL_PARAM_free()\fR is NULL, nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions \fBOSSL_PARAM_dup()\fR and \fBOSSL_PARAM_merge()\fR return a newly allocated
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) array, or \s-1NULL\s0 if there was an error. If both parameters are \s-1NULL\s0
- then \s-1NULL\s0 is returned.
+\&\fBOSSL_PARAM\fR\|(3) array, or NULL if there was an error. If both parameters are NULL
+ then NULL is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3), \s-1\fBOSSL_PARAM_BLD\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_PARAM\fR\|(3), \fBOSSL_PARAM_BLD\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3
index dc8b2fccbc7b..861e0f375b88 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_int.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PARAM_INT 3ossl"
-.TH OSSL_PARAM_INT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PARAM_INT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PARAM_double, OSSL_PARAM_int, OSSL_PARAM_int32, OSSL_PARAM_int64,
OSSL_PARAM_long, OSSL_PARAM_size_t, OSSL_PARAM_time_t, OSSL_PARAM_uint,
OSSL_PARAM_uint32, OSSL_PARAM_uint64, OSSL_PARAM_ulong, OSSL_PARAM_BN,
@@ -168,7 +92,7 @@ OSSL_PARAM_set_utf8_string, OSSL_PARAM_set_octet_string,
OSSL_PARAM_set_utf8_ptr, OSSL_PARAM_set_octet_ptr,
OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified
\&\- OSSL_PARAM helpers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/params.h>
@@ -240,85 +164,85 @@ OSSL_PARAM_UNMODIFIED, OSSL_PARAM_modified, OSSL_PARAM_set_all_unmodified
\& int OSSL_PARAM_modified(const OSSL_PARAM *param);
\& void OSSL_PARAM_set_all_unmodified(OSSL_PARAM *params);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
A collection of utility functions that simplify and add type safety to the
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) arrays. The following \fB\f(BI\s-1TYPE\s0\fB\fR names are supported:
-.IP "\(bu" 1
+\&\fBOSSL_PARAM\fR\|(3) arrays. The following \fR\f(BITYPE\fR\fB\fR names are supported:
+.IP \(bu 2
double
-.IP "\(bu" 1
+.IP \(bu 2
int
-.IP "\(bu" 1
+.IP \(bu 2
int32 (int32_t)
-.IP "\(bu" 1
+.IP \(bu 2
int64 (int64_t)
-.IP "\(bu" 1
+.IP \(bu 2
long int (long)
-.IP "\(bu" 1
+.IP \(bu 2
time_t
-.IP "\(bu" 1
+.IP \(bu 2
size_t
-.IP "\(bu" 1
+.IP \(bu 2
uint32 (uint32_t)
-.IP "\(bu" 1
+.IP \(bu 2
uint64 (uint64_t)
-.IP "\(bu" 1
+.IP \(bu 2
unsigned int (uint)
-.IP "\(bu" 1
+.IP \(bu 2
unsigned long int (ulong)
.PP
-\&\s-1\fBOSSL_PARAM_TYPE\s0()\fR are a series of macros designed to assist initialising an
-array of \s-1\fBOSSL_PARAM\s0\fR\|(3) structures.
-Each of these macros defines a parameter of the specified \fB\f(BI\s-1TYPE\s0\fB\fR with the
+\&\fBOSSL_PARAM_TYPE()\fR are a series of macros designed to assist initialising an
+array of \fBOSSL_PARAM\fR\|(3) structures.
+Each of these macros defines a parameter of the specified \fR\f(BITYPE\fR\fB\fR with the
provided \fIkey\fR and parameter variable \fIaddress\fR.
.PP
\&\fBOSSL_PARAM_utf8_string()\fR, \fBOSSL_PARAM_octet_string()\fR, \fBOSSL_PARAM_utf8_ptr()\fR,
-\&\fBOSSL_PARAM_octet_ptr()\fR, \s-1\fBOSSL_PARAM_BN\s0()\fR are macros that provide support
-for defining \s-1UTF8\s0 strings, \s-1OCTET\s0 strings and big numbers.
+\&\fBOSSL_PARAM_octet_ptr()\fR, \fBOSSL_PARAM_BN()\fR are macros that provide support
+for defining UTF8 strings, OCTET strings and big numbers.
A parameter with name \fIkey\fR is defined.
The storage for this parameter is at \fIaddress\fR and is of \fIsize\fR bytes.
.PP
-\&\s-1OSSL_PARAM_END\s0 provides an end of parameter list marker.
-This should terminate all \s-1\fBOSSL_PARAM\s0\fR\|(3) arrays.
+OSSL_PARAM_END provides an end of parameter list marker.
+This should terminate all \fBOSSL_PARAM\fR\|(3) arrays.
.PP
-The \s-1\fBOSSL_PARAM_DEFN\s0()\fR macro provides the ability to construct a single
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) (typically used in the construction of \fB\s-1OSSL_PARAM\s0\fR arrays). The
+The \fBOSSL_PARAM_DEFN()\fR macro provides the ability to construct a single
+\&\fBOSSL_PARAM\fR\|(3) (typically used in the construction of \fBOSSL_PARAM\fR arrays). The
\&\fIkey\fR, \fItype\fR, \fIaddr\fR and \fIsz\fR arguments correspond to the \fIkey\fR,
-\&\fIdata_type\fR, \fIdata\fR and \fIdata_size\fR fields of the \s-1\fBOSSL_PARAM\s0\fR\|(3) structure as
-described on the \s-1\fBOSSL_PARAM\s0\fR\|(3) page.
+\&\fIdata_type\fR, \fIdata\fR and \fIdata_size\fR fields of the \fBOSSL_PARAM\fR\|(3) structure as
+described on the \fBOSSL_PARAM\fR\|(3) page.
.PP
-\&\fBOSSL_PARAM_construct_TYPE()\fR are a series of functions that create \s-1\fBOSSL_PARAM\s0\fR\|(3)
+\&\fBOSSL_PARAM_construct_TYPE()\fR are a series of functions that create \fBOSSL_PARAM\fR\|(3)
records dynamically.
A parameter with name \fIkey\fR is created.
The parameter will use storage pointed to by \fIbuf\fR and return size of \fIret\fR.
.PP
\&\fBOSSL_PARAM_construct_BN()\fR is a function that constructs a large integer
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+\&\fBOSSL_PARAM\fR\|(3) structure.
A parameter with name \fIkey\fR, storage \fIbuf\fR, size \fIbsize\fR and return
size \fIrsize\fR is created.
.PP
-\&\fBOSSL_PARAM_construct_utf8_string()\fR is a function that constructs a \s-1UTF8\s0
-string \s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+\&\fBOSSL_PARAM_construct_utf8_string()\fR is a function that constructs a UTF8
+string \fBOSSL_PARAM\fR\|(3) structure.
A parameter with name \fIkey\fR, storage \fIbuf\fR and size \fIbsize\fR is created.
If \fIbsize\fR is zero, the string length is determined using \fBstrlen\fR\|(3).
Generally pass zero for \fIbsize\fR instead of calling \fBstrlen\fR\|(3) yourself.
.PP
-\&\fBOSSL_PARAM_construct_octet_string()\fR is a function that constructs an \s-1OCTET\s0
-string \s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+\&\fBOSSL_PARAM_construct_octet_string()\fR is a function that constructs an OCTET
+string \fBOSSL_PARAM\fR\|(3) structure.
A parameter with name \fIkey\fR, storage \fIbuf\fR and size \fIbsize\fR is created.
.PP
-\&\fBOSSL_PARAM_construct_utf8_ptr()\fR is a function that constructs a \s-1UTF8\s0 string
-pointer \s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+\&\fBOSSL_PARAM_construct_utf8_ptr()\fR is a function that constructs a UTF8 string
+pointer \fBOSSL_PARAM\fR\|(3) structure.
A parameter with name \fIkey\fR, storage pointer \fI*buf\fR and size \fIbsize\fR
is created.
.PP
-\&\fBOSSL_PARAM_construct_octet_ptr()\fR is a function that constructs an \s-1OCTET\s0 string
-pointer \s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+\&\fBOSSL_PARAM_construct_octet_ptr()\fR is a function that constructs an OCTET string
+pointer \fBOSSL_PARAM\fR\|(3) structure.
A parameter with name \fIkey\fR, storage pointer \fI*buf\fR and size \fIbsize\fR
is created.
.PP
\&\fBOSSL_PARAM_construct_end()\fR is a function that constructs the terminating
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+\&\fBOSSL_PARAM\fR\|(3) structure.
.PP
\&\fBOSSL_PARAM_locate()\fR is a function that searches an \fIarray\fR of parameters for
the one matching the \fIkey\fR name.
@@ -326,75 +250,75 @@ the one matching the \fIkey\fR name.
\&\fBOSSL_PARAM_locate_const()\fR behaves exactly like \fBOSSL_PARAM_locate()\fR except for
the presence of \fIconst\fR for the \fIarray\fR argument and its return value.
.PP
-\&\fBOSSL_PARAM_get_TYPE()\fR retrieves a value of type \fB\f(BI\s-1TYPE\s0\fB\fR from the parameter
+\&\fBOSSL_PARAM_get_TYPE()\fR retrieves a value of type \fR\f(BITYPE\fR\fB\fR from the parameter
\&\fIp\fR.
The value is copied to the address \fIval\fR.
-Type coercion takes place as discussed in the \s-1NOTES\s0 section.
+Type coercion takes place as discussed in the NOTES section.
.PP
-\&\fBOSSL_PARAM_set_TYPE()\fR stores a value \fIval\fR of type \fB\f(BI\s-1TYPE\s0\fB\fR into the
+\&\fBOSSL_PARAM_set_TYPE()\fR stores a value \fIval\fR of type \fR\f(BITYPE\fR\fB\fR into the
parameter \fIp\fR.
-If the parameter's \fIdata\fR field is \s-1NULL,\s0 then only its \fIreturn_size\fR field
+If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field
will be assigned the size the parameter's \fIdata\fR buffer should have.
-Type coercion takes place as discussed in the \s-1NOTES\s0 section.
+Type coercion takes place as discussed in the NOTES section.
.PP
-\&\fBOSSL_PARAM_get_BN()\fR retrieves a \s-1BIGNUM\s0 from the parameter pointed to by \fIp\fR.
-The \s-1BIGNUM\s0 referenced by \fIval\fR is updated and is allocated if \fI*val\fR is
-\&\s-1NULL.\s0
+\&\fBOSSL_PARAM_get_BN()\fR retrieves a BIGNUM from the parameter pointed to by \fIp\fR.
+The BIGNUM referenced by \fIval\fR is updated and is allocated if \fI*val\fR is
+NULL.
.PP
-\&\fBOSSL_PARAM_set_BN()\fR stores the \s-1BIGNUM\s0 \fIval\fR into the parameter \fIp\fR.
-If the parameter's \fIdata\fR field is \s-1NULL,\s0 then only its \fIreturn_size\fR field
+\&\fBOSSL_PARAM_set_BN()\fR stores the BIGNUM \fIval\fR into the parameter \fIp\fR.
+If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field
will be assigned the size the parameter's \fIdata\fR buffer should have.
.PP
-\&\fBOSSL_PARAM_get_utf8_string()\fR retrieves a \s-1UTF8\s0 string from the parameter
+\&\fBOSSL_PARAM_get_utf8_string()\fR retrieves a UTF8 string from the parameter
pointed to by \fIp\fR.
The string is stored into \fI*val\fR with a size limit of \fImax_len\fR,
-which must be large enough to accommodate a terminating \s-1NUL\s0 byte,
+which must be large enough to accommodate a terminating NUL byte,
otherwise this function will fail.
-If \fI*val\fR is \s-1NULL,\s0 memory is allocated for the string (including the
-terminating \s-1NUL\s0 byte) and \fImax_len\fR is ignored.
+If \fI*val\fR is NULL, memory is allocated for the string (including the
+terminating NUL byte) and \fImax_len\fR is ignored.
If memory is allocated by this function, it must be freed by the caller.
.PP
-\&\fBOSSL_PARAM_set_utf8_string()\fR sets a \s-1UTF8\s0 string from the parameter pointed to
+\&\fBOSSL_PARAM_set_utf8_string()\fR sets a UTF8 string from the parameter pointed to
by \fIp\fR to the value referenced by \fIval\fR.
-If the parameter's \fIdata\fR field isn't \s-1NULL,\s0 its \fIdata_size\fR must indicate
+If the parameter's \fIdata\fR field isn't NULL, its \fIdata_size\fR must indicate
that the buffer is large enough to accommodate the string that \fIval\fR points at,
-not including the terminating \s-1NUL\s0 byte, or this function will fail.
-A terminating \s-1NUL\s0 byte is added only if the parameter's \fIdata_size\fR indicates
+not including the terminating NUL byte, or this function will fail.
+A terminating NUL byte is added only if the parameter's \fIdata_size\fR indicates
the buffer is longer than the string length, otherwise the string will not be
-\&\s-1NUL\s0 terminated.
-If the parameter's \fIdata\fR field is \s-1NULL,\s0 then only its \fIreturn_size\fR field
+NUL terminated.
+If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field
will be assigned the minimum size the parameter's \fIdata\fR buffer should have
-to accommodate the string, not including a terminating \s-1NUL\s0 byte.
+to accommodate the string, not including a terminating NUL byte.
.PP
-\&\fBOSSL_PARAM_get_octet_string()\fR retrieves an \s-1OCTET\s0 string from the parameter
+\&\fBOSSL_PARAM_get_octet_string()\fR retrieves an OCTET string from the parameter
pointed to by \fIp\fR.
The OCTETs are either stored into \fI*val\fR with a length limit of \fImax_len\fR or,
-in the case when \fI*val\fR is \s-1NULL,\s0 memory is allocated and
+in the case when \fI*val\fR is NULL, memory is allocated and
\&\fImax_len\fR is ignored. \fI*used_len\fR is populated with the number of OCTETs
-stored. If \fIval\fR is \s-1NULL\s0 then the \s-1OCTETS\s0 are not stored, but \fI*used_len\fR is
+stored. If \fIval\fR is NULL then the OCTETS are not stored, but \fI*used_len\fR is
still populated.
If memory is allocated by this function, it must be freed by the caller.
.PP
-\&\fBOSSL_PARAM_set_octet_string()\fR sets an \s-1OCTET\s0 string from the parameter
+\&\fBOSSL_PARAM_set_octet_string()\fR sets an OCTET string from the parameter
pointed to by \fIp\fR to the value referenced by \fIval\fR.
-If the parameter's \fIdata\fR field is \s-1NULL,\s0 then only its \fIreturn_size\fR field
+If the parameter's \fIdata\fR field is NULL, then only its \fIreturn_size\fR field
will be assigned the size the parameter's \fIdata\fR buffer should have.
.PP
-\&\fBOSSL_PARAM_get_utf8_ptr()\fR retrieves the \s-1UTF8\s0 string pointer from the parameter
+\&\fBOSSL_PARAM_get_utf8_ptr()\fR retrieves the UTF8 string pointer from the parameter
referenced by \fIp\fR and stores it in \fI*val\fR.
.PP
-\&\fBOSSL_PARAM_set_utf8_ptr()\fR sets the \s-1UTF8\s0 string pointer in the parameter
+\&\fBOSSL_PARAM_set_utf8_ptr()\fR sets the UTF8 string pointer in the parameter
referenced by \fIp\fR to the values \fIval\fR.
.PP
-\&\fBOSSL_PARAM_get_octet_ptr()\fR retrieves the \s-1OCTET\s0 string pointer from the parameter
+\&\fBOSSL_PARAM_get_octet_ptr()\fR retrieves the OCTET string pointer from the parameter
referenced by \fIp\fR and stores it in \fI*val\fR.
-The length of the \s-1OCTET\s0 string is stored in \fI*used_len\fR.
+The length of the OCTET string is stored in \fI*used_len\fR.
.PP
-\&\fBOSSL_PARAM_set_octet_ptr()\fR sets the \s-1OCTET\s0 string pointer in the parameter
+\&\fBOSSL_PARAM_set_octet_ptr()\fR sets the OCTET string pointer in the parameter
referenced by \fIp\fR to the values \fIval\fR.
-The length of the \s-1OCTET\s0 string is provided by \fIused_len\fR.
+The length of the OCTET string is provided by \fIused_len\fR.
.PP
-\&\fBOSSL_PARAM_get_utf8_string_ptr()\fR retrieves the pointer to a \s-1UTF8\s0 string from
+\&\fBOSSL_PARAM_get_utf8_string_ptr()\fR retrieves the pointer to a UTF8 string from
the parameter pointed to by \fIp\fR, and stores that pointer in \fI*val\fR.
This is different from \fBOSSL_PARAM_get_utf8_string()\fR, which copies the
string.
@@ -405,7 +329,7 @@ along with the string's length in \fI*used_len\fR.
This is different from \fBOSSL_PARAM_get_octet_string()\fR, which copies the
string.
.PP
-The \s-1OSSL_PARAM_UNMODIFIED\s0 macro is used to detect if a parameter was set. On
+The OSSL_PARAM_UNMODIFIED macro is used to detect if a parameter was set. On
creation, via either the macros or construct calls, the \fIreturn_size\fR field
is set to this. If the parameter is set using the calls defined herein, the
\&\fIreturn_size\fR field is changed.
@@ -420,38 +344,37 @@ in the array \fIparams\fR.
\&\fBOSSL_PARAM_construct_TYPE()\fR, \fBOSSL_PARAM_construct_BN()\fR,
\&\fBOSSL_PARAM_construct_utf8_string()\fR, \fBOSSL_PARAM_construct_octet_string()\fR,
\&\fBOSSL_PARAM_construct_utf8_ptr()\fR and \fBOSSL_PARAM_construct_octet_ptr()\fR
-return a populated \s-1\fBOSSL_PARAM\s0\fR\|(3) structure.
+return a populated \fBOSSL_PARAM\fR\|(3) structure.
.PP
\&\fBOSSL_PARAM_locate()\fR and \fBOSSL_PARAM_locate_const()\fR return a pointer to
-the matching \s-1\fBOSSL_PARAM\s0\fR\|(3) object. They return \s-1NULL\s0 on error or when
+the matching \fBOSSL_PARAM\fR\|(3) object. They return NULL on error or when
no object matching \fIkey\fR exists in the \fIarray\fR.
.PP
\&\fBOSSL_PARAM_modified()\fR returns 1 if the parameter was set and 0 otherwise.
.PP
All other functions return 1 on success and 0 on failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Native types will be converted as required only if the value is exactly
representable by the target type or parameter.
Apart from that, the functions must be used appropriately for the
expected type of the parameter.
.PP
-\&\fBOSSL_PARAM_get_BN()\fR and \fBOSSL_PARAM_set_BN()\fR currently only support
-nonnegative \fB\s-1BIGNUM\s0\fRs, and by consequence, only
-\&\fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR. \fBOSSL_PARAM_construct_BN()\fR currently
-constructs an \s-1\fBOSSL_PARAM\s0\fR\|(3) structure with the data type
-\&\fB\s-1OSSL_PARAM_UNSIGNED_INTEGER\s0\fR.
+\&\fBOSSL_PARAM_get_BN()\fR and \fBOSSL_PARAM_set_BN()\fR only support nonnegative
+\&\fBBIGNUM\fRs when the desired data type is \fBOSSL_PARAM_UNSIGNED_INTEGER\fR.
+\&\fBOSSL_PARAM_construct_BN()\fR currently constructs an \fBOSSL_PARAM\fR\|(3) structure
+with the data type \fBOSSL_PARAM_UNSIGNED_INTEGER\fR.
.PP
For \fBOSSL_PARAM_construct_utf8_ptr()\fR and \fBOSSL_PARAM_consstruct_octet_ptr()\fR,
-\&\fIbsize\fR is not relevant if the purpose is to send the \s-1\fBOSSL_PARAM\s0\fR\|(3) array
+\&\fIbsize\fR is not relevant if the purpose is to send the \fBOSSL_PARAM\fR\|(3) array
to a \fIresponder\fR, i.e. to get parameter data back.
In that case, \fIbsize\fR can safely be given zero.
-See \*(L"\s-1DESCRIPTION\*(R"\s0 in \s-1\fBOSSL_PARAM\s0\fR\|(3) for further information on the
+See "DESCRIPTION" in \fBOSSL_PARAM\fR\|(3) for further information on the
possible purposes.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Reusing the examples from \s-1\fBOSSL_PARAM\s0\fR\|(3) to just show how
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) arrays can be handled using the macros and functions
+Reusing the examples from \fBOSSL_PARAM\fR\|(3) to just show how
+\&\fBOSSL_PARAM\fR\|(3) arrays can be handled using the macros and functions
defined herein.
.SS "Example 1"
.IX Subsection "Example 1"
@@ -500,17 +423,43 @@ could fill in the parameters like this:
\& if ((p = OSSL_PARAM_locate(params, "cookie")) != NULL)
\& OSSL_PARAM_set_utf8_ptr(p, "cookie value");
.Ve
+.SS "Example 3"
+.IX Subsection "Example 3"
+This example shows a special case where
+\&\fI\-Wincompatible\-pointer\-types\-discards\-qualifiers\fR may be set during
+compilation. The value for \fIbuf\fR cannot be a \fIconst char *\fR type string. An
+alternative in this case would be to use \fBOSSL_PARAM\fR macro abbreviated calls
+rather than the specific callers which allows you to define the sha1 argument
+as a standard character array (\fIchar[]\fR).
+.PP
+For example, this code:
+.PP
+.Vb 3
+\& OSSL_PARAM params[2];
+\& params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA1", 0);
+\& params[1] = OSSL_PARAM_construct_end();
+.Ve
+.PP
+Can be made compatible with the following version:
+.PP
+.Vb 2
+\& char sha1[] = "SHA1"; /* sha1 is defined as char[] in this case */
+\& OSSL_PARAM params[2];
+\&
+\& params[0] = OSSL_PARAM_construct_utf8_string("digest", sha1, 0);
+\& params[1] = OSSL_PARAM_construct_end();
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBopenssl\-core.h\fR\|(7), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBopenssl\-core.h\fR\|(7), \fBOSSL_PARAM\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
These APIs were introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3 b/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3
new file mode 100644
index 000000000000..05d56d57d7e4
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_PARAM_print_to_bio.3
@@ -0,0 +1,96 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_PARAM_PRINT_TO_BIO 3ossl"
+.TH OSSL_PARAM_PRINT_TO_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_PARAM_print_to_bio
+\&\- OSSL_PARAM interrogation utilities
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/params.h>
+\&
+\& int OSSL_PARAM_print_to_bio(const OSSL_PARAM *p, BIO *bio,
+\& int print_values);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_PARAM_print_to_bio()\fR formats each parameter contained in the
+passed in array of \fBOSSL_PARAM\fR values \fIp\fR, and prints both the key,
+and optionally its value, to a provided \fBBIO\fR.
+\&\fIp\fR must be a non-null array of OSSL_PARAM values, terminated
+with a value containing a null \fIkey\fR member.
+\&\fIprint_values\fR is a control parameter, indicating that key values should be
+printed, in addition to key names.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_PARAM_print_to_bio()\fR returns 1 on success, and 0 on failure
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBOSSL_PARAM_print_to_bio()\fR was added in OpenSSL 3.5
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3 b/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3
index c0a462613e3b..9fcf62126dcd 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_PROVIDER.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PROVIDER 3ossl"
-.TH OSSL_PROVIDER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PROVIDER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PROVIDER_set_default_search_path,
+OSSL_PROVIDER_get0_default_search_path,
OSSL_PROVIDER, OSSL_PROVIDER_load, OSSL_PROVIDER_try_load, OSSL_PROVIDER_unload,
+OSSL_PROVIDER_load_ex, OSSL_PROVIDER_try_load_ex,
OSSL_PROVIDER_available, OSSL_PROVIDER_do_all,
OSSL_PROVIDER_gettable_params, OSSL_PROVIDER_get_params,
OSSL_PROVIDER_query_operation, OSSL_PROVIDER_unquery_operation,
OSSL_PROVIDER_get0_provider_ctx, OSSL_PROVIDER_get0_dispatch,
OSSL_PROVIDER_add_builtin, OSSL_PROVIDER_get0_name, OSSL_PROVIDER_get_capabilities,
-OSSL_PROVIDER_self_test
+OSSL_PROVIDER_add_conf_parameter, OSSL_PROVIDER_get_conf_parameters,
+OSSL_PROVIDER_conf_get_bool, OSSL_PROVIDER_self_test
\&\- provider routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/provider.h>
@@ -155,10 +82,16 @@ OSSL_PROVIDER_self_test
\&
\& int OSSL_PROVIDER_set_default_search_path(OSSL_LIB_CTX *libctx,
\& const char *path);
+\& const char *OSSL_PROVIDER_get0_default_search_path(OSSL_LIB_CTX *libctx);
\&
\& OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *libctx, const char *name);
+\& OSSL_PROVIDER *OSSL_PROVIDER_load_ex(OSSL_LIB_CTX *, const char *name,
+\& OSSL_PARAM *params);
\& OSSL_PROVIDER *OSSL_PROVIDER_try_load(OSSL_LIB_CTX *libctx, const char *name,
\& int retain_fallbacks);
+\& OSSL_PROVIDER *OSSL_PROVIDER_try_load_ex(OSSL_LIB_CTX *, const char *name,
+\& OSSL_PARAM *params,
+\& int retain_fallbacks);
\& int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov);
\& int OSSL_PROVIDER_available(OSSL_LIB_CTX *libctx, const char *name);
\& int OSSL_PROVIDER_do_all(OSSL_LIB_CTX *ctx,
@@ -186,11 +119,17 @@ OSSL_PROVIDER_self_test
\& const char *capability,
\& OSSL_CALLBACK *cb,
\& void *arg);
+\& int OSSL_PROVIDER_add_conf_parameter(OSSL_PROVIDER *prov, const char *name,
+\& const char *value);
+\& int OSSL_PROVIDER_get_conf_parameters(OSSL_PROVIDER *prov,
+\& OSSL_PARAM params[]);
+\& int OSSL_PROVIDER_conf_get_bool(const OSSL_PROVIDER *prov,
+\& const char *name, int defval);
\& int OSSL_PROVIDER_self_test(const OSSL_PROVIDER *prov);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_PROVIDER\s0\fR is a type that holds internal information about
+\&\fBOSSL_PROVIDER\fR is a type that holds internal information about
implementation providers (see \fBprovider\fR\|(7) for information on what a
provider is).
A provider can be built in to the application or the OpenSSL
@@ -198,16 +137,21 @@ libraries, or can be a loadable module.
The functions described here handle both forms.
.PP
Some of these functions operate within a library context, please see
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3) for further details.
-.SS "Functions"
+\&\fBOSSL_LIB_CTX\fR\|(3) for further details.
+.SS Functions
.IX Subsection "Functions"
\&\fBOSSL_PROVIDER_set_default_search_path()\fR specifies the default search \fIpath\fR
that is to be used for looking for providers in the specified \fIlibctx\fR.
If left unspecified, an environment variable and a fall back default value will
be used instead.
.PP
+\&\fBOSSL_PROVIDER_get0_default_search_path()\fR retrieves the default search \fIpath\fR
+that is to be used for looking for providers in the specified \fIlibctx\fR.
+If successful returns the path or empty string; the path is valid until the
+context is released or \fBOSSL_PROVIDER_set_default_search_path()\fR is called.
+.PP
\&\fBOSSL_PROVIDER_add_builtin()\fR is used to add a built in provider to
-\&\fB\s-1OSSL_PROVIDER\s0\fR store in the given library context, by associating a
+\&\fBOSSL_PROVIDER\fR store in the given library context, by associating a
provider name with a provider initialization function.
This name can then be used with \fBOSSL_PROVIDER_load()\fR.
.PP
@@ -219,8 +163,8 @@ entry point, \f(CW\*(C`OSSL_provider_init\*(C'\fR. The \fIname\fR can be a path
to a provider module, in that case the provider name as returned
by \fBOSSL_PROVIDER_get0_name()\fR will be the path. Interpretation
of relative paths is platform dependent and they are relative
-to the configured \*(L"\s-1MODULESDIR\*(R"\s0 directory or the path set in
-the environment variable \s-1OPENSSL_MODULES\s0 if set.
+to the configured "MODULESDIR" directory or the path set in
+the environment variable OPENSSL_MODULES if set.
.PP
\&\fBOSSL_PROVIDER_try_load()\fR functions like \fBOSSL_PROVIDER_load()\fR, except that
it does not disable the fallback providers if the provider cannot be
@@ -228,6 +172,13 @@ loaded and initialized or if \fIretain_fallbacks\fR is nonzero.
If the provider loads successfully and \fIretain_fallbacks\fR is zero, the
fallback providers are disabled.
.PP
+\&\fBOSSL_PROVIDER_load_ex()\fR and \fBOSSL_PROVIDER_try_load_ex()\fR are the variants
+of the previous functions accepting an \f(CW\*(C`OSSL_PARAM\*(C'\fR array of the parameters
+that are passed as the configuration of the loaded provider. The parameters
+of any type but \f(CW\*(C`OSSL_PARAM_UTF8_STRING\*(C'\fR are silently ignored. If the
+parameters are provided, they replace \fBall\fR the ones specified in the
+configuration file.
+.PP
\&\fBOSSL_PROVIDER_unload()\fR unloads the given provider.
For a provider added with \fBOSSL_PROVIDER_add_builtin()\fR, this simply
runs its teardown function.
@@ -244,13 +195,40 @@ See \fBOSSL_PROVIDER\-default\fR\|(7) for more information on this fallback
behaviour.
.PP
\&\fBOSSL_PROVIDER_gettable_params()\fR is used to get a provider parameter
-descriptor set as a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array.
+descriptor set as a constant \fBOSSL_PARAM\fR\|(3) array.
.PP
\&\fBOSSL_PROVIDER_get_params()\fR is used to get provider parameter values.
-The caller must prepare the \s-1\fBOSSL_PARAM\s0\fR\|(3) array before calling this
+The caller must prepare the \fBOSSL_PARAM\fR\|(3) array before calling this
function, and the variables acting as buffers for this parameter array
should be filled with data when it returns successfully.
.PP
+\&\fBOSSL_PROVIDER_add_conf_parameter()\fR sets the provider configuration parameter
+\&\fIname\fR to \fIvalue\fR.
+Provider configuration parameters are managed by the OpenSSL core and normally
+set in the configuration file, but can also be set early in the main program
+before a provider is in use by multiple threads.
+Parameters that only affect provider initialisation must, for now, be set in
+the configuration file, only parameters that are also queried later have any
+affect when set via this interface.
+Only text parameters can be given, and it's up to the provider to
+interpret them.
+.PP
+\&\fBOSSL_PROVIDER_get_conf_parameters()\fR retrieves global configuration parameters
+associated with \fIprov\fR.
+These configuration parameters are stored for each provider by the OpenSSL core,
+not the provider itself, parameters managed by the provider are queried via
+\&\fBOSSL_PROVIDER_get_params()\fR described above.
+The parameters are returned by reference, not as copies, and so the elements of
+the \fIparam\fR array must have \fBOSSL_PARAM_UTF8_PTR\fR as their \fBdata_type\fR.
+.PP
+\&\fBOSSL_PROVIDER_conf_get_bool()\fR parses the global configuration parameter \fIname\fR
+associated with provider \fIprov\fR as a boolean value, returning a default value
+\&\fIdefval\fR when unable to retrieve or parse the parameter.
+Parameter values equal (case-insensitively) to \f(CW1\fR, \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`yes\*(C'\fR, or \f(CW\*(C`true\*(C'\fR
+yield a true (nonzero) result.
+Parameter values equal (case-insensitively) to \f(CW0\fR, \f(CW\*(C`off\*(C'\fR, \f(CW\*(C`no\*(C'\fR, or \f(CW\*(C`false\*(C'\fR
+yield a false (zero) result.
+.PP
\&\fBOSSL_PROVIDER_self_test()\fR is used to run a provider's self tests on demand.
If the self tests fail then the provider will fail to provide any further
services and algorithms. \fBOSSL_SELF_TEST_set_callback\fR\|(3) may be called
@@ -258,8 +236,8 @@ beforehand in order to display diagnostics for the running self tests.
.PP
\&\fBOSSL_PROVIDER_query_operation()\fR calls the provider's \fIquery_operation\fR
function (see \fBprovider\fR\|(7)), if the provider has one. It returns an
-array of \fI\s-1OSSL_ALGORITHM\s0\fR for the given \fIoperation_id\fR terminated by an all
-\&\s-1NULL OSSL_ALGORITHM\s0 entry. This is considered a low-level function that most
+array of \fIOSSL_ALGORITHM\fR for the given \fIoperation_id\fR terminated by an all
+NULL OSSL_ALGORITHM entry. This is considered a low-level function that most
applications should not need to call.
.PP
\&\fBOSSL_PROVIDER_unquery_operation()\fR calls the provider's \fIunquery_operation\fR
@@ -283,18 +261,23 @@ have a short lifetime.
\&\fBOSSL_PROVIDER_get_capabilities()\fR provides information about the capabilities
supported by the provider specified in \fIprov\fR with the capability name
\&\fIcapability\fR. For each capability of that name supported by the provider it
-will call the callback \fIcb\fR and supply a set of \s-1\fBOSSL_PARAM\s0\fR\|(3)s describing the
+will call the callback \fIcb\fR and supply a set of \fBOSSL_PARAM\fR\|(3)s describing the
capability. It will also pass back the argument \fIarg\fR. For more details about
capabilities and what they can be used for please see
-\&\*(L"\s-1CAPABILTIIES\*(R"\s0 in \fBprovider\-base\fR\|(7).
+"CAPABILTIIES" in \fBprovider\-base\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_PROVIDER_set_default_search_path()\fR, \fBOSSL_PROVIDER_add()\fR,
-\&\fBOSSL_PROVIDER_unload()\fR, \fBOSSL_PROVIDER_get_params()\fR and
+\&\fBOSSL_PROVIDER_unload()\fR, \fBOSSL_PROVIDER_get_params()\fR,
+\&\fBOSSL_PROVIDER_add_conf_parameter()\fR, \fBOSSL_PROVIDER_get_conf_parameters()\fR
+and
\&\fBOSSL_PROVIDER_get_capabilities()\fR return 1 on success, or 0 on error.
.PP
+\&\fBOSSL_PROVIDER_get0_default_search_path()\fR returns a pointer to a path on success,
+or NULL on error or if the path has not previously been set.
+.PP
\&\fBOSSL_PROVIDER_load()\fR and \fBOSSL_PROVIDER_try_load()\fR return a pointer to a
-provider object on success, or \s-1NULL\s0 on error.
+provider object on success, or NULL on error.
.PP
\&\fBOSSL_PROVIDER_do_all()\fR returns 1 if the callback \fIcb\fR returns 1 for every
provider it is called with, or 0 if any provider callback invocation returns 0;
@@ -305,17 +288,17 @@ that returns 0.
otherwise 0.
.PP
\&\fBOSSL_PROVIDER_gettable_params()\fR returns a pointer to an array
-of constant \s-1\fBOSSL_PARAM\s0\fR\|(3), or \s-1NULL\s0 if none is provided.
+of constant \fBOSSL_PARAM\fR\|(3), or NULL if none is provided.
.PP
\&\fBOSSL_PROVIDER_get_params()\fR and returns 1 on success, or 0 on error.
.PP
-\&\fBOSSL_PROVIDER_query_operation()\fR returns an array of \s-1OSSL_ALGORITHM\s0 or \s-1NULL\s0 on
+\&\fBOSSL_PROVIDER_query_operation()\fR returns an array of OSSL_ALGORITHM or NULL on
error.
.PP
\&\fBOSSL_PROVIDER_self_test()\fR returns 1 if the self tests pass, or 0 on error.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This demonstrates how to load the provider module \*(L"foo\*(R" and ask for
+This demonstrates how to load the provider module "foo" and ask for
its build information.
.PP
.Vb 3
@@ -338,15 +321,24 @@ its build information.
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBopenssl\-core.h\fR\|(7), \s-1\fBOSSL_LIB_CTX\s0\fR\|(3), \fBprovider\fR\|(7)
-.SH "HISTORY"
+\&\fBopenssl\-core.h\fR\|(7), \fBOSSL_LIB_CTX\fR\|(3), \fBprovider\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
The type and functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \fIOSSL_PROVIDER_load_ex\fR and \fIOSSL_PROVIDER_try_load_ex\fR functions were
+added in OpenSSL 3.2.
+.PP
+The
+\&\fIOSSL_PROVIDER_add_conf_parameter\fR,
+\&\fIOSSL_PROVIDER_get_conf_parameters\fR, and
+\&\fIOSSL_PROVIDER_conf_get_bool\fR functions
+were added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3 b/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3
new file mode 100644
index 000000000000..47ea4265f9ca
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_QUIC_client_method.3
@@ -0,0 +1,110 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_QUIC_CLIENT_METHOD 3ossl"
+.TH OSSL_QUIC_CLIENT_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_QUIC_client_method, OSSL_QUIC_client_thread_method, OSSL_QUIC_server_method
+\&\- Provide SSL_METHOD objects for QUIC enabled functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/quic.h>
+\&
+\& const SSL_METHOD *OSSL_QUIC_client_method(void);
+\& const SSL_METHOD *OSSL_QUIC_client_thread_method(void);
+\& const SSL_METHOD *OSSL_QUIC_server_method(void);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBOSSL_QUIC_client_method()\fR, \fBOSSL_QUIC_client_thread_method()\fR, and
+\&\fBOSSL_QUIC_server_method()\fR functions provide methods for the
+\&\fBSSL_CTX_new_ex\fR\|(3) function to provide QUIC protocol support.
+.PP
+The \fBOSSL_QUIC_client_thread_method()\fR uses threads to allow for a blocking
+mode of operation and avoid the need to return control to the
+OpenSSL library for processing time based events.
+The \fBOSSL_QUIC_client_method()\fR does not use threads and depends on
+nonblocking mode of operation and the application periodically calling SSL
+functions.
+.PP
+The \fBOSSL_QUIC_server_method()\fR provides server-side QUIC protocol support and
+must be used with the \fBSSL_new_listener\fR\|(3) API. Attempting to use
+\&\fBOSSL_QUIC_server_method()\fR with \fBSSL_new\fR\|(3) will result in an error.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+These functions return pointers to the constant method objects.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_CTX_new_ex\fR\|(3), \fBSSL_new_listener\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBOSSL_QUIC_client_method()\fR and \fBOSSL_QUIC_client_thread_method()\fR were added in
+OpenSSL 3.2.
+.PP
+\&\fBOSSL_QUIC_server_method()\fR was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3 b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3
index 0aa376f9b0ab..3165f23df4c3 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_SELF_TEST_NEW 3ossl"
-.TH OSSL_SELF_TEST_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_SELF_TEST_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_SELF_TEST_new,
OSSL_SELF_TEST_free,
OSSL_SELF_TEST_onbegin,
OSSL_SELF_TEST_oncorrupt_byte,
OSSL_SELF_TEST_onend \- functionality to trigger a callback during a self test
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/self_test.h>
@@ -155,27 +79,27 @@ OSSL_SELF_TEST_onend \- functionality to trigger a callback during a self test
\& int OSSL_SELF_TEST_oncorrupt_byte(OSSL_SELF_TEST *st, unsigned char *bytes);
\& void OSSL_SELF_TEST_onend(OSSL_SELF_TEST *st, int ret);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These methods are intended for use by provider implementers, to display
diagnostic information during self testing.
.PP
-\&\fBOSSL_SELF_TEST_new()\fR allocates an opaque \fB\s-1OSSL_SELF_TEST\s0\fR object that has a
+\&\fBOSSL_SELF_TEST_new()\fR allocates an opaque \fBOSSL_SELF_TEST\fR object that has a
callback and callback argument associated with it.
.PP
The callback \fIcb\fR may be triggered multiple times by a self test to indicate
different phases.
.PP
\&\fBOSSL_SELF_TEST_free()\fR frees the space allocated by \fBOSSL_SELF_TEST_new()\fR.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_SELF_TEST_onbegin()\fR may be inserted at the start of a block of self test
code. It can be used for diagnostic purposes.
If this method is called the callback \fIcb\fR will receive the following
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) object.
-.ie n .IP """st-phase"" (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_PHASE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``st-phase'' (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_PHASE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "st-phase (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>"
-The value is the string \*(L"Start\*(R"
+\&\fBOSSL_PARAM\fR\|(3) object.
+.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4
+.IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>"
+The value is the string "Start"
.PP
\&\fBOSSL_SELF_TEST_oncorrupt_byte()\fR may be inserted just after the known answer is
calculated, but before the self test compares the result. The first byte in the
@@ -184,47 +108,43 @@ otherwise it leaves the array unaltered. It can be used for failure testing.
The \fItype\fR and \fIdesc\fR can be used to identify an individual self test to
target for failure testing.
If this method is called the callback \fIcb\fR will receive the following
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) object.
-.ie n .IP """st-phase"" (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_PHASE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``st-phase'' (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_PHASE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "st-phase (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>"
-The value is the string \*(L"Corrupt\*(R"
+\&\fBOSSL_PARAM\fR\|(3) object.
+.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4
+.IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>"
+The value is the string "Corrupt"
.PP
\&\fBOSSL_SELF_TEST_onend()\fR may be inserted at the end of a block of self test code
just before cleanup to indicate if the test passed or failed. It can be used for
diagnostic purposes.
If this method is called the callback \fIcb\fR will receive the following
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) object.
-.ie n .IP """st-phase"" (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_PHASE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``st-phase'' (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_PHASE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "st-phase (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>"
-The value of the string is \*(L"Pass\*(R" if \fIret\fR is non zero, otherwise it has the
-value \*(L"Fail\*(R".
+\&\fBOSSL_PARAM\fR\|(3) object.
+.IP """st-phase"" (\fBOSSL_PROV_PARAM_SELF_TEST_PHASE\fR) <UTF8 string>" 4
+.IX Item """st-phase"" (OSSL_PROV_PARAM_SELF_TEST_PHASE) <UTF8 string>"
+The value of the string is "Pass" if \fIret\fR is non zero, otherwise it has the
+value "Fail".
.PP
After the callback \fIcb\fR has been called the values that were set by
-\&\fBOSSL_SELF_TEST_onbegin()\fR for \fItype\fR and \fIdesc\fR are set to the value \*(L"None\*(R".
+\&\fBOSSL_SELF_TEST_onbegin()\fR for \fItype\fR and \fIdesc\fR are set to the value "None".
.PP
If \fBOSSL_SELF_TEST_onbegin()\fR, \fBOSSL_SELF_TEST_oncorrupt_byte()\fR or
-\&\fBOSSL_SELF_TEST_onend()\fR is called the following additional \s-1\fBOSSL_PARAM\s0\fR\|(3) are
+\&\fBOSSL_SELF_TEST_onend()\fR is called the following additional \fBOSSL_PARAM\fR\|(3) are
passed to the callback.
-.ie n .IP """st-type"" (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``st-type'' (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "st-type (OSSL_PROV_PARAM_SELF_TEST_TYPE) <UTF8 string>"
+.IP """st-type"" (\fBOSSL_PROV_PARAM_SELF_TEST_TYPE\fR) <UTF8 string>" 4
+.IX Item """st-type"" (OSSL_PROV_PARAM_SELF_TEST_TYPE) <UTF8 string>"
The value is setup by the \fItype\fR passed to \fBOSSL_SELF_TEST_onbegin()\fR.
This allows the callback to identify the type of test being run.
-.ie n .IP """st-desc"" (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_DESC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``st-desc'' (\fB\s-1OSSL_PROV_PARAM_SELF_TEST_DESC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "st-desc (OSSL_PROV_PARAM_SELF_TEST_DESC) <UTF8 string>"
+.IP """st-desc"" (\fBOSSL_PROV_PARAM_SELF_TEST_DESC\fR) <UTF8 string>" 4
+.IX Item """st-desc"" (OSSL_PROV_PARAM_SELF_TEST_DESC) <UTF8 string>"
The value is setup by the \fItype\fR passed to \fBOSSL_SELF_TEST_onbegin()\fR.
This allows the callback to identify the sub category of the test being run.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_SELF_TEST_new()\fR returns the allocated \fB\s-1OSSL_SELF_TEST\s0\fR object, or \s-1NULL\s0 if
+\&\fBOSSL_SELF_TEST_new()\fR returns the allocated \fBOSSL_SELF_TEST\fR object, or NULL if
it fails.
.PP
\&\fBOSSL_SELF_TEST_oncorrupt_byte()\fR returns 1 if corruption occurs, otherwise it
returns 0.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
A single self test could be set up in the following way:
.PP
@@ -275,15 +195,15 @@ for each test.
.IX Header "SEE ALSO"
\&\fBOSSL_SELF_TEST_set_callback\fR\|(3),
\&\fBopenssl\-core.h\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3 b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3
index 4ed98d3403cb..f2f639c565fa 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_SELF_TEST_set_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_SELF_TEST_SET_CALLBACK 3ossl"
-.TH OSSL_SELF_TEST_SET_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_SELF_TEST_SET_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_SELF_TEST_set_callback,
OSSL_SELF_TEST_get_callback \- specify a callback for processing self tests
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/self_test.h>
@@ -147,11 +71,11 @@ OSSL_SELF_TEST_get_callback \- specify a callback for processing self tests
\& void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *ctx, OSSL_CALLBACK *cb, void *cbarg);
\& void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *ctx, OSSL_CALLBACK **cb, void **cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Set or gets the optional application callback (and the callback argument) that
is called during self testing.
-The application callback \s-1\fBOSSL_CALLBACK\s0\fR\|(3) is associated with a \fB\s-1OSSL_LIB_CTX\s0\fR.
+The application callback \fBOSSL_CALLBACK\fR\|(3) is associated with a \fBOSSL_LIB_CTX\fR.
The application callback function receives information about a running self test,
and may return a result to the calling self test.
See \fBopenssl\-core.h\fR\|(7) for further information on the callback.
@@ -160,22 +84,22 @@ See \fBopenssl\-core.h\fR\|(7) for further information on the callback.
\&\fBOSSL_SELF_TEST_get_callback()\fR returns the callback and callback argument that
has been set via \fBOSSL_SELF_TEST_set_callback()\fR for the given library context
\&\fIctx\fR.
-These returned parameters will be \s-1NULL\s0 if \fBOSSL_SELF_TEST_set_callback()\fR has
+These returned parameters will be NULL if \fBOSSL_SELF_TEST_set_callback()\fR has
not been called.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-core.h\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
\&\fBOSSL_SELF_TEST_new\fR\|(3)
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3
index c3c147e6ace0..fba87d33c437 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_INFO 3ossl"
-.TH OSSL_STORE_INFO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE_INFO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_STORE_INFO, OSSL_STORE_INFO_get_type, OSSL_STORE_INFO_get0_NAME,
OSSL_STORE_INFO_get0_NAME_description,
OSSL_STORE_INFO_get0_PARAMS, OSSL_STORE_INFO_get0_PUBKEY,
@@ -150,7 +74,7 @@ OSSL_STORE_INFO_new_PARAMS, OSSL_STORE_INFO_new_PUBKEY,
OSSL_STORE_INFO_new_PKEY, OSSL_STORE_INFO_new_CERT, OSSL_STORE_INFO_new_CRL,
OSSL_STORE_INFO_new, OSSL_STORE_INFO_get0_data
\&\- Functions to manipulate OSSL_STORE_INFO objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
@@ -189,86 +113,87 @@ OSSL_STORE_INFO_new, OSSL_STORE_INFO_get0_data
\& OSSL_STORE_INFO *OSSL_STORE_INFO_new(int type, void *data);
\& void *OSSL_STORE_INFO_get0_data(int type, const OSSL_STORE_INFO *info);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions are primarily useful for applications to retrieve
-supported objects from \fB\s-1OSSL_STORE_INFO\s0\fR objects and for scheme specific
-loaders to create \fB\s-1OSSL_STORE_INFO\s0\fR holders.
-.SS "Types"
+supported objects from \fBOSSL_STORE_INFO\fR objects and for scheme specific
+loaders to create \fBOSSL_STORE_INFO\fR holders.
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1OSSL_STORE_INFO\s0\fR is an opaque type that's just an intermediary holder for
+\&\fBOSSL_STORE_INFO\fR is an opaque type that's just an intermediary holder for
the objects that have been retrieved by \fBOSSL_STORE_load()\fR and similar functions.
Supported OpenSSL type object can be extracted using one of
-STORE_INFO_get0_<\s-1TYPE\s0>() where <\s-1TYPE\s0> can be \s-1NAME, PARAMS, PKEY, CERT,\s0 or \s-1CRL.\s0
+STORE_INFO_get0_<TYPE>() where <TYPE> can be NAME, PARAMS, PKEY, CERT, or CRL.
The life time of this extracted object is as long as the life time of
-the \fB\s-1OSSL_STORE_INFO\s0\fR it was extracted from, so care should be taken not
+the \fBOSSL_STORE_INFO\fR it was extracted from, so care should be taken not
to free the latter too early.
-As an alternative, STORE_INFO_get1_<\s-1TYPE\s0>() extracts a duplicate (or the
+As an alternative, STORE_INFO_get1_<TYPE>() extracts a duplicate (or the
same object with its reference count increased), which can be used
-after the containing \fB\s-1OSSL_STORE_INFO\s0\fR has been freed.
-The object returned by STORE_INFO_get1_<\s-1TYPE\s0>() must be freed separately
+after the containing \fBOSSL_STORE_INFO\fR has been freed.
+The object returned by STORE_INFO_get1_<TYPE>() must be freed separately
by the caller.
-See \*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 for more information on the types that are supported.
-.SS "Functions"
+See "SUPPORTED OBJECTS" for more information on the types that are supported.
+.SS Functions
.IX Subsection "Functions"
-\&\fBOSSL_STORE_INFO_get_type()\fR takes a \fB\s-1OSSL_STORE_INFO\s0\fR and returns the \s-1STORE\s0
+\&\fBOSSL_STORE_INFO_get_type()\fR takes a \fBOSSL_STORE_INFO\fR and returns the STORE
type number for the object inside.
.PP
-\&\fBSTORE_INFO_get_type_string()\fR takes a \s-1STORE\s0 type number and returns a
+\&\fBSTORE_INFO_get_type_string()\fR takes a STORE type number and returns a
short string describing it.
.PP
\&\fBOSSL_STORE_INFO_get0_NAME()\fR, \fBOSSL_STORE_INFO_get0_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get0_PARAMS()\fR, \fBOSSL_STORE_INFO_get0_PUBKEY()\fR,
\&\fBOSSL_STORE_INFO_get0_PKEY()\fR, \fBOSSL_STORE_INFO_get0_CERT()\fR,
\&\fBOSSL_STORE_INFO_get0_CRL()\fR
-all take a \fB\s-1OSSL_STORE_INFO\s0\fR and return the object it holds if the
-\&\fB\s-1OSSL_STORE_INFO\s0\fR type (as returned by \fBOSSL_STORE_INFO_get_type()\fR)
-matches the function, otherwise \s-1NULL.\s0
+all take a \fBOSSL_STORE_INFO\fR and return the object it holds if the
+\&\fBOSSL_STORE_INFO\fR type (as returned by \fBOSSL_STORE_INFO_get_type()\fR)
+matches the function, otherwise NULL.
.PP
\&\fBOSSL_STORE_INFO_get1_NAME()\fR, \fBOSSL_STORE_INFO_get1_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get1_PARAMS()\fR, \fBOSSL_STORE_INFO_get1_PUBKEY()\fR,
\&\fBOSSL_STORE_INFO_get1_PKEY()\fR, \fBOSSL_STORE_INFO_get1_CERT()\fR and
\&\fBOSSL_STORE_INFO_get1_CRL()\fR
-all take a \fB\s-1OSSL_STORE_INFO\s0\fR and return a duplicate the object it
-holds if the \fB\s-1OSSL_STORE_INFO\s0\fR type (as returned by
-\&\fBOSSL_STORE_INFO_get_type()\fR) matches the function, otherwise \s-1NULL.\s0
+all take a \fBOSSL_STORE_INFO\fR and return a duplicate the object it
+holds if the \fBOSSL_STORE_INFO\fR type (as returned by
+\&\fBOSSL_STORE_INFO_get_type()\fR) matches the function, otherwise NULL.
.PP
-\&\fBOSSL_STORE_INFO_free()\fR frees a \fB\s-1OSSL_STORE_INFO\s0\fR and its contained type.
+\&\fBOSSL_STORE_INFO_free()\fR frees a \fBOSSL_STORE_INFO\fR and its contained type.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_STORE_INFO_new_NAME()\fR , \fBOSSL_STORE_INFO_new_PARAMS()\fR,
, \fBOSSL_STORE_INFO_new_PUBKEY()\fR, \fBOSSL_STORE_INFO_new_PKEY()\fR,
\&\fBOSSL_STORE_INFO_new_CERT()\fR and \fBOSSL_STORE_INFO_new_CRL()\fR
-create a \fB\s-1OSSL_STORE_INFO\s0\fR object to hold the given input object.
+create a \fBOSSL_STORE_INFO\fR object to hold the given input object.
On success the input object is consumed.
.PP
-Additionally, for \fB\s-1OSSL_STORE_INFO_NAME\s0\fR objects,
+Additionally, for \fBOSSL_STORE_INFO_NAME\fR objects,
\&\fBOSSL_STORE_INFO_set0_NAME_description()\fR can be used to add an extra
description.
This description is meant to be human readable and should be used for
information printout.
.PP
-\&\fBOSSL_STORE_INFO_new()\fR creates a \fB\s-1OSSL_STORE_INFO\s0\fR with an arbitrary \fItype\fR
+\&\fBOSSL_STORE_INFO_new()\fR creates a \fBOSSL_STORE_INFO\fR with an arbitrary \fItype\fR
number and \fIdata\fR structure. It's the responsibility of the caller to
define type numbers other than the ones defined by \fI<openssl/store.h>\fR,
and to handle freeing the associated data structure on their own.
-\&\fIUsing type numbers that are defined by \fI<openssl/store.h>\fI may cause
+\&\fIUsing type numbers that are defined by <openssl/store.h> may cause
undefined behaviours, including crashes\fR.
.PP
\&\fBOSSL_STORE_INFO_get0_data()\fR returns the data pointer that was passed to
\&\fBOSSL_STORE_INFO_new()\fR if \fItype\fR matches the type number in \fIinfo\fR.
.PP
\&\fBOSSL_STORE_INFO_new()\fR and \fBOSSL_STORE_INFO_get0_data()\fR may be useful for
-applications that define their own \s-1STORE\s0 data, but must be used with care.
+applications that define their own STORE data, but must be used with care.
.SH "SUPPORTED OBJECTS"
.IX Header "SUPPORTED OBJECTS"
Currently supported object types are:
-.IP "\s-1OSSL_STORE_INFO_NAME\s0" 4
+.IP OSSL_STORE_INFO_NAME 4
.IX Item "OSSL_STORE_INFO_NAME"
A name is exactly that, a name.
-It's like a name in a directory, but formatted as a complete \s-1URI.\s0
-For example, the path in \s-1URI\s0 \f(CW\*(C`file:/foo/bar/\*(C'\fR could include a file
-named \f(CW\*(C`cookie.pem\*(C'\fR, and in that case, the returned \fB\s-1OSSL_STORE_INFO_NAME\s0\fR
-object would have the \s-1URI\s0 \f(CW\*(C`file:/foo/bar/cookie.pem\*(C'\fR, which can be
+It's like a name in a directory, but formatted as a complete URI.
+For example, the path in URI \f(CW\*(C`file:/foo/bar/\*(C'\fR could include a file
+named \f(CW\*(C`cookie.pem\*(C'\fR, and in that case, the returned \fBOSSL_STORE_INFO_NAME\fR
+object would have the URI \f(CW\*(C`file:/foo/bar/cookie.pem\*(C'\fR, which can be
used by the application to get the objects in that file.
This can be applied to all schemes that can somehow support a listing
of object URIs.
@@ -278,70 +203,70 @@ returned name will be the path of each object, so if \f(CW\*(C`/foo/bar\*(C'\fR
given and that path has the file \f(CW\*(C`cookie.pem\*(C'\fR, the name
\&\f(CW\*(C`/foo/bar/cookie.pem\*(C'\fR will be returned.
.Sp
-The returned \s-1URI\s0 is considered canonical and must be unique and permanent
+The returned URI is considered canonical and must be unique and permanent
for the storage where the object (or collection of objects) resides.
Each loader is responsible for ensuring that it only returns canonical
URIs.
However, it's possible that certain schemes allow an object (or collection
-thereof) to be reached with alternative URIs; just because one \s-1URI\s0 is
+thereof) to be reached with alternative URIs; just because one URI is
canonical doesn't mean that other variants can't be used.
.Sp
At the discretion of the loader that was used to get these names, an
extra description may be attached as well.
-.IP "\s-1OSSL_STORE_INFO_PARAMS\s0" 4
+.IP OSSL_STORE_INFO_PARAMS 4
.IX Item "OSSL_STORE_INFO_PARAMS"
Key parameters.
-.IP "\s-1OSSL_STORE_INFO_PKEY\s0" 4
+.IP OSSL_STORE_INFO_PKEY 4
.IX Item "OSSL_STORE_INFO_PKEY"
A keypair or just a private key (possibly with key parameters).
-.IP "\s-1OSSL_STORE_INFO_PUBKEY\s0" 4
+.IP OSSL_STORE_INFO_PUBKEY 4
.IX Item "OSSL_STORE_INFO_PUBKEY"
A public key (possibly with key parameters).
-.IP "\s-1OSSL_STORE_INFO_CERT\s0" 4
+.IP OSSL_STORE_INFO_CERT 4
.IX Item "OSSL_STORE_INFO_CERT"
An X.509 certificate.
-.IP "\s-1OSSL_STORE_INFO_CRL\s0" 4
+.IP OSSL_STORE_INFO_CRL 4
.IX Item "OSSL_STORE_INFO_CRL"
A X.509 certificate revocation list.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_STORE_INFO_get_type()\fR returns the \s-1STORE\s0 type number of the given
-\&\fB\s-1OSSL_STORE_INFO\s0\fR.
+\&\fBOSSL_STORE_INFO_get_type()\fR returns the STORE type number of the given
+\&\fBOSSL_STORE_INFO\fR.
There is no error value.
.PP
\&\fBOSSL_STORE_INFO_get0_NAME()\fR, \fBOSSL_STORE_INFO_get0_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get0_PARAMS()\fR, \fBOSSL_STORE_INFO_get0_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get0_CERT()\fR and \fBOSSL_STORE_INFO_get0_CRL()\fR all return
-a pointer to the OpenSSL object on success, \s-1NULL\s0 otherwise.
+a pointer to the OpenSSL object on success, NULL otherwise.
.PP
\&\fBOSSL_STORE_INFO_get1_NAME()\fR, \fBOSSL_STORE_INFO_get1_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get1_PARAMS()\fR, \fBOSSL_STORE_INFO_get1_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get1_CERT()\fR and \fBOSSL_STORE_INFO_get1_CRL()\fR all return
-a pointer to a duplicate of the OpenSSL object on success, \s-1NULL\s0 otherwise.
+a pointer to a duplicate of the OpenSSL object on success, NULL otherwise.
.PP
-\&\fBOSSL_STORE_INFO_type_string()\fR returns a string on success, or \s-1NULL\s0 on
+\&\fBOSSL_STORE_INFO_type_string()\fR returns a string on success, or NULL on
failure.
.PP
\&\fBOSSL_STORE_INFO_new_NAME()\fR, \fBOSSL_STORE_INFO_new_PARAMS()\fR,
\&\fBOSSL_STORE_INFO_new_PKEY()\fR, \fBOSSL_STORE_INFO_new_CERT()\fR and
-\&\fBOSSL_STORE_INFO_new_CRL()\fR return a \fB\s-1OSSL_STORE_INFO\s0\fR
-pointer on success, or \s-1NULL\s0 on failure.
+\&\fBOSSL_STORE_INFO_new_CRL()\fR return a \fBOSSL_STORE_INFO\fR
+pointer on success, or NULL on failure.
.PP
\&\fBOSSL_STORE_INFO_set0_NAME_description()\fR returns 1 on success, or 0 on
failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open\fR\|(3), \fBOSSL_STORE_register_loader\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1OSSL_STORE API\s0 was added in OpenSSL 1.1.1.
+The OSSL_STORE API was added in OpenSSL 1.1.1.
.PP
-The \s-1OSSL_STORE_INFO_PUBKEY\s0 object type was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OSSL_STORE_INFO_PUBKEY object type was added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3
index ee48211472ea..d24e8aa3688e 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_LOADER 3ossl"
-.TH OSSL_STORE_LOADER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE_LOADER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_STORE_LOADER,
OSSL_STORE_LOADER_fetch,
OSSL_STORE_LOADER_up_ref,
@@ -161,7 +85,7 @@ OSSL_STORE_expect_fn, OSSL_STORE_find_fn,
OSSL_STORE_load_fn, OSSL_STORE_eof_fn, OSSL_STORE_error_fn,
OSSL_STORE_close_fn \- Types and functions to manipulate, register and
unregister STORE loaders for different URI schemes
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
@@ -189,7 +113,7 @@ unregister STORE loaders for different URI schemes
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 5
@@ -242,20 +166,19 @@ see \fBopenssl_user_macros\fR\|(7):
\& typedef int (*OSSL_STORE_close_fn)(OSSL_STORE_LOADER_CTX *ctx);
\& int OSSL_STORE_LOADER_set_close(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_close_fn store_close_function);
-\& void OSSL_STORE_LOADER_free(OSSL_STORE_LOADER *store_loader);
\&
\& int OSSL_STORE_register_loader(OSSL_STORE_LOADER *loader);
\& OSSL_STORE_LOADER *OSSL_STORE_unregister_loader(const char *scheme);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fB\s-1OSSL_STORE_LOADER\s0\fR is a method for \s-1OSSL_STORE\s0 loaders, which implement
+\&\fBOSSL_STORE_LOADER\fR is a method for OSSL_STORE loaders, which implement
\&\fBOSSL_STORE_open()\fR, \fBOSSL_STORE_open_ex()\fR, \fBOSSL_STORE_load()\fR,
\&\fBOSSL_STORE_eof()\fR, \fBOSSL_STORE_error()\fR and \fBOSSL_STORE_close()\fR for specific
storage schemes.
.PP
\&\fBOSSL_STORE_LOADER_fetch()\fR looks for an implementation for a storage
-\&\fIscheme\fR within the providers that has been loaded into the \fB\s-1OSSL_LIB_CTX\s0\fR
+\&\fIscheme\fR within the providers that has been loaded into the \fBOSSL_LIB_CTX\fR
given by \fIlibctx\fR, and with the properties given by \fIproperties\fR.
.PP
\&\fBOSSL_STORE_LOADER_up_ref()\fR increments the reference count for the given
@@ -263,6 +186,7 @@ given by \fIlibctx\fR, and with the properties given by \fIproperties\fR.
.PP
\&\fBOSSL_STORE_LOADER_free()\fR decrements the reference count for the given
\&\fIloader\fR, and when the count reaches zero, frees it.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_STORE_LOADER_get0_provider()\fR returns the provider of the given
\&\fIloader\fR.
@@ -290,97 +214,97 @@ These functions help applications and engines to create loaders for
schemes they support. These are all deprecated and discouraged in favour of
provider implementations, see \fBprovider\-storemgmt\fR\|(7).
.PP
-\&\fB\s-1OSSL_STORE_LOADER_CTX\s0\fR is a type template, to be defined by each loader
+\&\fBOSSL_STORE_LOADER_CTX\fR is a type template, to be defined by each loader
using \f(CW\*(C`struct ossl_store_loader_ctx_st { ... }\*(C'\fR.
.PP
\&\fBOSSL_STORE_open_fn\fR, \fBOSSL_STORE_open_ex_fn\fR,
\&\fBOSSL_STORE_ctrl_fn\fR, \fBOSSL_STORE_expect_fn\fR, \fBOSSL_STORE_find_fn\fR,
\&\fBOSSL_STORE_load_fn\fR, \fBOSSL_STORE_eof_fn\fR, and \fBOSSL_STORE_close_fn\fR
-are the function pointer types used within a \s-1STORE\s0 loader.
+are the function pointer types used within a STORE loader.
The functions pointed at define the functionality of the given loader.
.IP "\fBOSSL_STORE_open_fn\fR and \fBOSSL_STORE_open_ex_fn\fR" 4
.IX Item "OSSL_STORE_open_fn and OSSL_STORE_open_ex_fn"
-\&\fBOSSL_STORE_open_ex_fn\fR takes a \s-1URI\s0 and is expected to
+\&\fBOSSL_STORE_open_ex_fn\fR takes a URI and is expected to
interpret it in the best manner possible according to the scheme the
-loader implements. It also takes a \fB\s-1UI_METHOD\s0\fR and associated data,
+loader implements. It also takes a \fBUI_METHOD\fR and associated data,
to be used any time something needs to be prompted for, as well as a
library context \fIlibctx\fR with an associated property query \fIpropq\fR,
to be used when fetching necessary algorithms to perform the loads.
Furthermore, this function is expected to initialize what needs to be
-initialized, to create a private data store (\fB\s-1OSSL_STORE_LOADER_CTX\s0\fR,
+initialized, to create a private data store (\fBOSSL_STORE_LOADER_CTX\fR,
see above), and to return it.
-If something goes wrong, this function is expected to return \s-1NULL.\s0
+If something goes wrong, this function is expected to return NULL.
.Sp
\&\fBOSSL_STORE_open_fn\fR does the same thing as
-\&\fBOSSL_STORE_open_ex_fn\fR but uses \s-1NULL\s0 for the library
+\&\fBOSSL_STORE_open_ex_fn\fR but uses NULL for the library
context \fIlibctx\fR and property query \fIpropq\fR.
-.IP "\fBOSSL_STORE_attach_fn\fR" 4
+.IP \fBOSSL_STORE_attach_fn\fR 4
.IX Item "OSSL_STORE_attach_fn"
-This function takes a \fB\s-1BIO\s0\fR, otherwise works like
+This function takes a \fBBIO\fR, otherwise works like
\&\fBOSSL_STORE_open_ex_fn\fR.
-.IP "\fBOSSL_STORE_ctrl_fn\fR" 4
+.IP \fBOSSL_STORE_ctrl_fn\fR 4
.IX Item "OSSL_STORE_ctrl_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer, a command number
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer, a command number
\&\fIcmd\fR and a \fBva_list\fR \fIargs\fR and is used to manipulate loader
specific parameters.
.Sp
-Loader specific command numbers must begin at \fB\s-1OSSL_STORE_C_CUSTOM_START\s0\fR.
+Loader specific command numbers must begin at \fBOSSL_STORE_C_CUSTOM_START\fR.
Any number below that is reserved for future globally known command
numbers.
.Sp
This function is expected to return 1 on success, 0 on error.
-.IP "\fBOSSL_STORE_expect_fn\fR" 4
+.IP \fBOSSL_STORE_expect_fn\fR 4
.IX Item "OSSL_STORE_expect_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a \fB\s-1OSSL_STORE_INFO\s0\fR
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and a \fBOSSL_STORE_INFO\fR
identity \fIexpected\fR, and is used to tell the loader what object type is
expected.
\&\fIexpected\fR may be zero to signify that no specific object type is expected.
.Sp
This function is expected to return 1 on success, 0 on error.
-.IP "\fBOSSL_STORE_find_fn\fR" 4
+.IP \fBOSSL_STORE_find_fn\fR 4
.IX Item "OSSL_STORE_find_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR search criterion, and is used to tell the loader what
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and a
+\&\fBOSSL_STORE_SEARCH\fR search criterion, and is used to tell the loader what
to search for.
.Sp
-When called with the loader context being \s-1NULL,\s0 this function is expected
+When called with the loader context being NULL, this function is expected
to return 1 if the loader supports the criterion, otherwise 0.
.Sp
-When called with the loader context being something other than \s-1NULL,\s0 this
+When called with the loader context being something other than NULL, this
function is expected to return 1 on success, 0 on error.
-.IP "\fBOSSL_STORE_load_fn\fR" 4
+.IP \fBOSSL_STORE_load_fn\fR 4
.IX Item "OSSL_STORE_load_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a \fB\s-1UI_METHOD\s0\fR
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and a \fBUI_METHOD\fR
with associated data.
It's expected to load the next available data, mold it into a data
-structure that can be wrapped in a \fB\s-1OSSL_STORE_INFO\s0\fR using one of the
-\&\s-1\fBOSSL_STORE_INFO\s0\fR\|(3) functions.
+structure that can be wrapped in a \fBOSSL_STORE_INFO\fR using one of the
+\&\fBOSSL_STORE_INFO\fR\|(3) functions.
If no more data is available or an error occurs, this function is
-expected to return \s-1NULL.\s0
+expected to return NULL.
The \fBOSSL_STORE_eof_fn\fR and \fBOSSL_STORE_error_fn\fR functions must indicate if
it was in fact the end of data or if an error occurred.
.Sp
Note that this function retrieves \fIone\fR data item only.
-.IP "\fBOSSL_STORE_eof_fn\fR" 4
+.IP \fBOSSL_STORE_eof_fn\fR 4
.IX Item "OSSL_STORE_eof_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and is expected to
return 1 to indicate that the end of available data has been reached.
It is otherwise expected to return 0.
-.IP "\fBOSSL_STORE_error_fn\fR" 4
+.IP \fBOSSL_STORE_error_fn\fR 4
.IX Item "OSSL_STORE_error_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and is expected to
return 1 to indicate that an error occurred in a previous call to the
\&\fBOSSL_STORE_load_fn\fR function.
It is otherwise expected to return 0.
-.IP "\fBOSSL_STORE_close_fn\fR" 4
+.IP \fBOSSL_STORE_close_fn\fR 4
.IX Item "OSSL_STORE_close_fn"
-This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to
+This function takes a \fBOSSL_STORE_LOADER_CTX\fR pointer and is expected to
close or shut down what needs to be closed, and finally free the
-contents of the \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer.
+contents of the \fBOSSL_STORE_LOADER_CTX\fR pointer.
It returns 1 on success and 0 on error.
.PP
-\&\fBOSSL_STORE_LOADER_new()\fR creates a new \fB\s-1OSSL_STORE_LOADER\s0\fR.
-It takes an \fB\s-1ENGINE\s0\fR \fIe\fR and a string \fIscheme\fR.
+\&\fBOSSL_STORE_LOADER_new()\fR creates a new \fBOSSL_STORE_LOADER\fR.
+It takes an \fBENGINE\fR \fIe\fR and a string \fIscheme\fR.
\&\fIscheme\fR must \fIalways\fR be set.
Both \fIe\fR and \fIscheme\fR are used as is and must therefore be alive as
long as the created loader is.
@@ -413,6 +337,7 @@ function for the \fIstore_loader\fR.
\&\fIstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_free()\fR frees the given \fIstore_loader\fR.
+If the argument is NULL, nothing is done.
.PP
\&\fBOSSL_STORE_register_loader()\fR register the given \fIstore_loader\fR and
thereby makes it available for use with \fBOSSL_STORE_open()\fR,
@@ -423,8 +348,8 @@ and \fBOSSL_STORE_close()\fR.
\&\fIscheme\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_STORE_LOADER_fetch()\fR returns a pointer to an \s-1OSSL_STORE_LOADER\s0 object,
-or \s-1NULL\s0 on error.
+\&\fBOSSL_STORE_LOADER_fetch()\fR returns a pointer to an OSSL_STORE_LOADER object,
+or NULL on error.
.PP
\&\fBOSSL_STORE_LOADER_up_ref()\fR returns 1 on success, or 0 on error.
.PP
@@ -434,15 +359,15 @@ names. A return value of 0 means that the callback was not called for any names.
\&\fBOSSL_STORE_LOADER_free()\fR doesn't return any value.
.PP
\&\fBOSSL_STORE_LOADER_get0_provider()\fR returns a pointer to a provider object, or
-\&\s-1NULL\s0 on error.
+NULL on error.
.PP
\&\fBOSSL_STORE_LOADER_get0_properties()\fR returns a pointer to a property
-definition string, or \s-1NULL\s0 on error.
+definition string, or NULL on error.
.PP
\&\fBOSSL_STORE_LOADER_is_a()\fR returns 1 if \fIloader\fR was identifiable,
otherwise 0.
.PP
-\&\fBOSSL_STORE_LOADER_get0_description()\fR returns a pointer to a description, or \s-1NULL\s0 if
+\&\fBOSSL_STORE_LOADER_get0_description()\fR returns a pointer to a description, or NULL if
there isn't one.
.PP
The functions with the types \fBOSSL_STORE_open_fn\fR,
@@ -452,8 +377,8 @@ and \fBOSSL_STORE_close_fn\fR have the same return values as \fBOSSL_STORE_open(
\&\fBOSSL_STORE_open_ex()\fR, \fBOSSL_STORE_ctrl()\fR, \fBOSSL_STORE_expect()\fR,
\&\fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR and \fBOSSL_STORE_close()\fR, respectively.
.PP
-\&\fBOSSL_STORE_LOADER_new()\fR returns a pointer to a \fB\s-1OSSL_STORE_LOADER\s0\fR on success,
-or \s-1NULL\s0 on failure.
+\&\fBOSSL_STORE_LOADER_new()\fR returns a pointer to a \fBOSSL_STORE_LOADER\fR on success,
+or NULL on failure.
.PP
\&\fBOSSL_STORE_LOADER_set_open()\fR, \fBOSSL_STORE_LOADER_set_open_ex()\fR,
\&\fBOSSL_STORE_LOADER_set_ctrl()\fR, \fBOSSL_STORE_LOADER_set_load()\fR,
@@ -463,38 +388,42 @@ on success, or 0 on failure.
\&\fBOSSL_STORE_register_loader()\fR returns 1 on success, or 0 on failure.
.PP
\&\fBOSSL_STORE_unregister_loader()\fR returns the unregistered loader on success,
-or \s-1NULL\s0 on failure.
+or NULL on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open\fR\|(3), \s-1\fBOSSL_LIB_CTX\s0\fR\|(3),
+\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open\fR\|(3), \fBOSSL_LIB_CTX\fR\|(3),
\&\fBprovider\-storemgmt\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_STORE_LOADER_fetch()\fR, \fBOSSL_STORE_LOADER_up_ref()\fR,
-\&\fBOSSL_STORE_LOADER_free()\fR, \fBOSSL_STORE_LOADER_get0_provider()\fR,
-\&\fBOSSL_STORE_LOADER_get0_properties()\fR, \fBOSSL_STORE_LOADER_is_a()\fR,
-\&\fBOSSL_STORE_LOADER_do_all_provided()\fR and
-\&\fBOSSL_STORE_LOADER_names_do_all()\fR were added in OpenSSL 3.0.
+\&\fBOSSL_STORE_LOADER_get0_provider()\fR, \fBOSSL_STORE_LOADER_get0_properties()\fR,
+\&\fBOSSL_STORE_LOADER_get0_description()\fR, \fBOSSL_STORE_LOADER_is_a()\fR,
+\&\fBOSSL_STORE_LOADER_do_all_provided()\fR and \fBOSSL_STORE_LOADER_names_do_all()\fR
+were added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_STORE_LOADER\fR and \fBOSSL_STORE_LOADER_free()\fR were added in OpenSSL
+1.1.1.
.PP
-\&\fBOSSL_STORE_open_ex_fn()\fR was added in OpenSSL 3.0.
+\&\fBOSSL_STORE_LOADER_set_open_ex()\fR and \fBOSSL_STORE_open_ex_fn()\fR were added in
+OpenSSL 3.0, and are deprecated.
.PP
-\&\fB\s-1OSSL_STORE_LOADER\s0\fR, \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR, \fBOSSL_STORE_LOADER_new()\fR,
+\&\fBOSSL_STORE_LOADER_CTX\fR, \fBOSSL_STORE_LOADER_new()\fR,
\&\fBOSSL_STORE_LOADER_set0_scheme()\fR, \fBOSSL_STORE_LOADER_get0_scheme()\fR,
\&\fBOSSL_STORE_LOADER_get0_engine()\fR, \fBOSSL_STORE_LOADER_set_expect()\fR,
\&\fBOSSL_STORE_LOADER_set_find()\fR, \fBOSSL_STORE_LOADER_set_attach()\fR,
\&\fBOSSL_STORE_LOADER_set_open_ex()\fR, \fBOSSL_STORE_LOADER_set_open()\fR,
\&\fBOSSL_STORE_LOADER_set_ctrl()\fR,
\&\fBOSSL_STORE_LOADER_set_load()\fR, \fBOSSL_STORE_LOADER_set_eof()\fR,
-\&\fBOSSL_STORE_LOADER_set_close()\fR, \fBOSSL_STORE_LOADER_free()\fR,
+\&\fBOSSL_STORE_LOADER_set_close()\fR,
\&\fBOSSL_STORE_register_loader()\fR, \fBOSSL_STORE_LOADER_set_error()\fR,
\&\fBOSSL_STORE_unregister_loader()\fR, \fBOSSL_STORE_open_fn()\fR, \fBOSSL_STORE_ctrl_fn()\fR,
\&\fBOSSL_STORE_load_fn()\fR, \fBOSSL_STORE_eof_fn()\fR and \fBOSSL_STORE_close_fn()\fR
were added in OpenSSL 1.1.1, and became deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3
index 28a3ca4554c4..ab3a87388568 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_SEARCH 3ossl"
-.TH OSSL_STORE_SEARCH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE_SEARCH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_STORE_SEARCH,
OSSL_STORE_SEARCH_by_name,
OSSL_STORE_SEARCH_by_issuer_serial,
@@ -150,7 +74,7 @@ OSSL_STORE_SEARCH_get0_bytes,
OSSL_STORE_SEARCH_get0_string,
OSSL_STORE_SEARCH_get0_digest
\&\- Type and functions to create OSSL_STORE search criteria
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
@@ -178,21 +102,21 @@ OSSL_STORE_SEARCH_get0_digest
\& const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH
\& *criterion);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions are used to specify search criteria to help search for specific
-objects through other names than just the \s-1URI\s0 that's given to \fBOSSL_STORE_open()\fR.
-For example, this can be useful for an application that has received a \s-1URI\s0
+objects through other names than just the URI that's given to \fBOSSL_STORE_open()\fR.
+For example, this can be useful for an application that has received a URI
and then wants to add on search criteria in a uniform and supported manner.
-.SS "Types"
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR is an opaque type that holds the constructed search
-criterion, and that can be given to an \s-1OSSL_STORE\s0 context with
+\&\fBOSSL_STORE_SEARCH\fR is an opaque type that holds the constructed search
+criterion, and that can be given to an OSSL_STORE context with
\&\fBOSSL_STORE_find()\fR.
.PP
-The calling application owns the allocation of an \fB\s-1OSSL_STORE_SEARCH\s0\fR at all
+The calling application owns the allocation of an \fBOSSL_STORE_SEARCH\fR at all
times, and should therefore be careful not to deallocate it before
-\&\fBOSSL_STORE_close()\fR has been called for the \s-1OSSL_STORE\s0 context it was given
+\&\fBOSSL_STORE_close()\fR has been called for the OSSL_STORE context it was given
to.
.SS "Application Functions"
.IX Subsection "Application Functions"
@@ -200,56 +124,57 @@ to.
\&\fBOSSL_STORE_SEARCH_by_issuer_serial()\fR,
\&\fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR,
and \fBOSSL_STORE_SEARCH_by_alias()\fR
-are used to create an \fB\s-1OSSL_STORE_SEARCH\s0\fR from a subject name, an issuer name
+are used to create an \fBOSSL_STORE_SEARCH\fR from a subject name, an issuer name
and serial number pair, a key fingerprint, and an alias (for example a friendly
name).
The parameters that are provided are not copied, only referred to in a
criterion, so they must have at least the same life time as the created
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR.
+\&\fBOSSL_STORE_SEARCH\fR.
.PP
-\&\fBOSSL_STORE_SEARCH_free()\fR is used to free the \fB\s-1OSSL_STORE_SEARCH\s0\fR.
+\&\fBOSSL_STORE_SEARCH_free()\fR is used to free the \fBOSSL_STORE_SEARCH\fR.
+If the argument is NULL, nothing is done.
.SS "Loader Functions"
.IX Subsection "Loader Functions"
\&\fBOSSL_STORE_SEARCH_get_type()\fR returns the criterion type for the given
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR.
+\&\fBOSSL_STORE_SEARCH\fR.
.PP
\&\fBOSSL_STORE_SEARCH_get0_name()\fR, \fBOSSL_STORE_SEARCH_get0_serial()\fR,
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR, \fBOSSL_STORE_SEARCH_get0_string()\fR,
and \fBOSSL_STORE_SEARCH_get0_digest()\fR
-are used to retrieve different data from a \fB\s-1OSSL_STORE_SEARCH\s0\fR, as
+are used to retrieve different data from a \fBOSSL_STORE_SEARCH\fR, as
available for each type.
-For more information, see \*(L"\s-1SUPPORTED CRITERION TYPES\*(R"\s0 below.
+For more information, see "SUPPORTED CRITERION TYPES" below.
.SH "SUPPORTED CRITERION TYPES"
.IX Header "SUPPORTED CRITERION TYPES"
Currently supported criterion types are:
-.IP "\s-1OSSL_STORE_SEARCH_BY_NAME\s0" 4
+.IP OSSL_STORE_SEARCH_BY_NAME 4
.IX Item "OSSL_STORE_SEARCH_BY_NAME"
This criterion supports a search by exact match of subject name.
The subject name itself is a \fBX509_NAME\fR pointer.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_name()\fR,
and the actual subject name is retrieved with \fBOSSL_STORE_SEARCH_get0_name()\fR.
-.IP "\s-1OSSL_STORE_SEARCH_BY_ISSUER_SERIAL\s0" 4
+.IP OSSL_STORE_SEARCH_BY_ISSUER_SERIAL 4
.IX Item "OSSL_STORE_SEARCH_BY_ISSUER_SERIAL"
This criterion supports a search by exact match of both issuer name and serial
number.
The issuer name itself is a \fBX509_NAME\fR pointer, and the serial number is
-a \fB\s-1ASN1_INTEGER\s0\fR pointer.
+a \fBASN1_INTEGER\fR pointer.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_issuer_serial()\fR
and the actual issuer name and serial number are retrieved with
\&\fBOSSL_STORE_SEARCH_get0_name()\fR and \fBOSSL_STORE_SEARCH_get0_serial()\fR.
-.IP "\s-1OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT\s0" 4
+.IP OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT 4
.IX Item "OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT"
This criterion supports a search by exact match of key fingerprint.
The key fingerprint in itself is a string of bytes and its length, as
well as the algorithm that was used to compute the fingerprint.
-The digest may be left unspecified (\s-1NULL\s0), and in that case, the
+The digest may be left unspecified (NULL), and in that case, the
loader has to decide on a default digest and compare fingerprints
accordingly.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR
and the actual fingerprint and its length can be retrieved with
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR.
The digest can be retrieved with \fBOSSL_STORE_SEARCH_get0_digest()\fR.
-.IP "\s-1OSSL_STORE_SEARCH_BY_ALIAS\s0" 4
+.IP OSSL_STORE_SEARCH_BY_ALIAS 4
.IX Item "OSSL_STORE_SEARCH_BY_ALIAS"
This criterion supports a search by match of an alias of some kind.
The alias in itself is a simple C string.
@@ -261,34 +186,34 @@ and the actual alias is retrieved with \fBOSSL_STORE_SEARCH_get0_string()\fR.
\&\fBOSSL_STORE_SEARCH_by_issuer_serial()\fR,
\&\fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR,
and \fBOSSL_STORE_SEARCH_by_alias()\fR
-return a \fB\s-1OSSL_STORE_SEARCH\s0\fR pointer on success, or \s-1NULL\s0 on failure.
+return a \fBOSSL_STORE_SEARCH\fR pointer on success, or NULL on failure.
.PP
\&\fBOSSL_STORE_SEARCH_get_type()\fR returns the criterion type of the given
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR.
+\&\fBOSSL_STORE_SEARCH\fR.
There is no error value.
.PP
\&\fBOSSL_STORE_SEARCH_get0_name()\fR returns a \fBX509_NAME\fR pointer on success,
-or \s-1NULL\s0 when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
+or NULL when the given \fBOSSL_STORE_SEARCH\fR was of a different type.
.PP
-\&\fBOSSL_STORE_SEARCH_get0_serial()\fR returns a \fB\s-1ASN1_INTEGER\s0\fR pointer on success,
-or \s-1NULL\s0 when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
+\&\fBOSSL_STORE_SEARCH_get0_serial()\fR returns a \fBASN1_INTEGER\fR pointer on success,
+or NULL when the given \fBOSSL_STORE_SEARCH\fR was of a different type.
.PP
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR returns a \fBconst unsigned char\fR pointer and
-sets \fI*length\fR to the strings length on success, or \s-1NULL\s0 when the given
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
+sets \fI*length\fR to the strings length on success, or NULL when the given
+\&\fBOSSL_STORE_SEARCH\fR was of a different type.
.PP
\&\fBOSSL_STORE_SEARCH_get0_string()\fR returns a \fBconst char\fR pointer on success,
-or \s-1NULL\s0 when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
+or NULL when the given \fBOSSL_STORE_SEARCH\fR was of a different type.
.PP
-\&\fBOSSL_STORE_SEARCH_get0_digest()\fR returns a \fBconst \s-1EVP_MD\s0\fR pointer.
-\&\s-1NULL\s0 is a valid value and means that the store loader default will
+\&\fBOSSL_STORE_SEARCH_get0_digest()\fR returns a \fBconst EVP_MD\fR pointer.
+NULL is a valid value and means that the store loader default will
be used when applicable.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBOSSL_STORE_supports_search\fR\|(3), \fBOSSL_STORE_find\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\fB\s-1OSSL_STORE_SEARCH\s0\fR,
+\&\fBOSSL_STORE_SEARCH\fR,
\&\fBOSSL_STORE_SEARCH_by_name()\fR,
\&\fBOSSL_STORE_SEARCH_by_issuer_serial()\fR,
\&\fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR,
@@ -300,11 +225,11 @@ be used when applicable.
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR,
and \fBOSSL_STORE_SEARCH_get0_string()\fR
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3
index 2917b4691c85..a9a3fcc9889a 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_attach.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_ATTACH 3ossl"
-.TH OSSL_STORE_ATTACH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE_ATTACH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_STORE_attach \- Functions to read objects from a BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
@@ -150,27 +74,27 @@ OSSL_STORE_attach \- Functions to read objects from a BIO
\& OSSL_STORE_post_process_info_fn post_process,
\& void *post_process_data);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBOSSL_STORE_attach()\fR works like \fBOSSL_STORE_open\fR\|(3), except it takes a \fB\s-1BIO\s0\fR
+\&\fBOSSL_STORE_attach()\fR works like \fBOSSL_STORE_open\fR\|(3), except it takes a \fBBIO\fR
\&\fIbio\fR instead of a \fIuri\fR, along with a \fIscheme\fR to determine what loader
-should be used to process the data. The reference count of the \fB\s-1BIO\s0\fR object
+should be used to process the data. The reference count of the \fBBIO\fR object
is increased by 1 if the call is successful.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_STORE_attach()\fR returns a pointer to a \fB\s-1OSSL_STORE_CTX\s0\fR on success, or
-\&\s-1NULL\s0 on failure.
+\&\fBOSSL_STORE_attach()\fR returns a pointer to a \fBOSSL_STORE_CTX\fR on success, or
+NULL on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_STORE_attach()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3
index 93404593cfb1..9b5973472e85 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_EXPECT 3ossl"
-.TH OSSL_STORE_EXPECT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE_EXPECT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_STORE_expect,
OSSL_STORE_supports_search,
OSSL_STORE_find
\&\- Specify what object type is expected
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
@@ -152,29 +76,29 @@ OSSL_STORE_find
\&
\& int OSSL_STORE_find(OSSL_STORE_CTX *ctx, OSSL_STORE_SEARCH *search);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_STORE_expect()\fR helps applications filter what \fBOSSL_STORE_load()\fR returns
-by specifying a \fB\s-1OSSL_STORE_INFO\s0\fR type.
+by specifying a \fBOSSL_STORE_INFO\fR type.
By default, no expectations on the types of objects to be loaded are made.
\&\fIexpected_type\fR may be 0 to indicate explicitly that no expectation is made,
or it may be any of the known object types (see
-\&\*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3)) except for \fB\s-1OSSL_STORE_INFO_NAME\s0\fR.
+"SUPPORTED OBJECTS" in \fBOSSL_STORE_INFO\fR\|(3)) except for \fBOSSL_STORE_INFO_NAME\fR.
For example, if \f(CW\*(C`file:/foo/bar/store.pem\*(C'\fR contains several objects of different
type and only certificates are interesting, the application can simply say
-that it expects the type \fB\s-1OSSL_STORE_INFO_CERT\s0\fR.
+that it expects the type \fBOSSL_STORE_INFO_CERT\fR.
.PP
\&\fBOSSL_STORE_find()\fR helps applications specify a criterion for a more fine
grained search of objects.
.PP
-\&\fBOSSL_STORE_supports_search()\fR checks if the loader of the given \s-1OSSL_STORE\s0
+\&\fBOSSL_STORE_supports_search()\fR checks if the loader of the given OSSL_STORE
context supports the given search type.
-See \*(L"\s-1SUPPORTED CRITERION TYPES\*(R"\s0 in \s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3) for information on the
+See "SUPPORTED CRITERION TYPES" in \fBOSSL_STORE_SEARCH\fR\|(3) for information on the
supported search criterion types.
.PP
\&\fBOSSL_STORE_expect()\fR and OSSL_STORE_find \fImust\fR be called before the first
\&\fBOSSL_STORE_load()\fR of a given session, or they will fail.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
If a more elaborate filter is required by the application, a better choice
would be to use a post-processing function.
@@ -193,17 +117,17 @@ otherwise.
\&\fBOSSL_STORE_find()\fR returns 1 on success, or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBossl_store\fR\|(7), \s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3),
+\&\fBossl_store\fR\|(7), \fBOSSL_STORE_INFO\fR\|(3), \fBOSSL_STORE_SEARCH\fR\|(3),
\&\fBOSSL_STORE_load\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_STORE_expect()\fR, \fBOSSL_STORE_supports_search()\fR and \fBOSSL_STORE_find()\fR
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3
index f8f64dfddf5f..ea1e6d65d36b 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_OPEN 3ossl"
-.TH OSSL_STORE_OPEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE_OPEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_STORE_CTX, OSSL_STORE_post_process_info_fn,
OSSL_STORE_open, OSSL_STORE_open_ex,
-OSSL_STORE_ctrl, OSSL_STORE_load, OSSL_STORE_eof,
+OSSL_STORE_ctrl, OSSL_STORE_load, OSSL_STORE_eof, OSSL_STORE_delete,
OSSL_STORE_error, OSSL_STORE_close
\&\- Types and functions to read objects from a URI
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
@@ -165,96 +89,101 @@ OSSL_STORE_error, OSSL_STORE_close
\&
\& OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx);
\& int OSSL_STORE_eof(OSSL_STORE_CTX *ctx);
+\& int OSSL_STORE_delete(const char *uri, OSSL_LIB_CTX *libctx, const char *propq,
+\& const UI_METHOD *ui_method, void *ui_data,
+\& const OSSL_PARAM params[]);
\& int OSSL_STORE_error(OSSL_STORE_CTX *ctx);
\& int OSSL_STORE_close(OSSL_STORE_CTX *ctx);
.Ve
.PP
The following function has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions help the application to fetch supported objects (see
-\&\*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3) for information on which those are)
-from a given \s-1URI.\s0
-The general method to do so is to \*(L"open\*(R" the \s-1URI\s0 using \fBOSSL_STORE_open()\fR,
+"SUPPORTED OBJECTS" in \fBOSSL_STORE_INFO\fR\|(3) for information on which those are)
+from a given URI.
+The general method to do so is to "open" the URI using \fBOSSL_STORE_open()\fR,
read each available and supported object using \fBOSSL_STORE_load()\fR as long as
\&\fBOSSL_STORE_eof()\fR hasn't been reached, and finish it off with \fBOSSL_STORE_close()\fR.
.PP
-The retrieved information is stored in a \fB\s-1OSSL_STORE_INFO\s0\fR, which is further
-described in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3).
-.SS "Types"
+The retrieved information is stored in a \fBOSSL_STORE_INFO\fR, which is further
+described in \fBOSSL_STORE_INFO\fR\|(3).
+.SS Types
.IX Subsection "Types"
-\&\fB\s-1OSSL_STORE_CTX\s0\fR is a context variable that holds all the internal
+\&\fBOSSL_STORE_CTX\fR is a context variable that holds all the internal
information for \fBOSSL_STORE_open()\fR, \fBOSSL_STORE_open_ex()\fR,
\&\fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR and \fBOSSL_STORE_close()\fR to work
together.
-.SS "Functions"
+.SS Functions
.IX Subsection "Functions"
-\&\fBOSSL_STORE_open_ex()\fR takes a uri or path \fIuri\fR, password \s-1UI\s0 method
+\&\fBOSSL_STORE_open_ex()\fR takes a uri or path \fIuri\fR, password UI method
\&\fIui_method\fR with associated data \fIui_data\fR, and post processing
callback \fIpost_process\fR with associated data \fIpost_process_data\fR,
a library context \fIlibctx\fR with an associated property query \fIpropq\fR,
-and opens a channel to the data located at the \s-1URI\s0 and returns a
-\&\fB\s-1OSSL_STORE_CTX\s0\fR with all necessary internal information.
+and opens a channel to the data located at the URI and returns a
+\&\fBOSSL_STORE_CTX\fR with all necessary internal information.
The given \fIui_method\fR and \fIui_data\fR will be reused by all
-functions that use \fB\s-1OSSL_STORE_CTX\s0\fR when interaction is needed,
+functions that use \fBOSSL_STORE_CTX\fR when interaction is needed,
for instance to provide a password.
-The auxiliary \s-1\fBOSSL_PARAM\s0\fR\|(3) parameters in \fIparams\fR can be set to further
+The auxiliary \fBOSSL_PARAM\fR\|(3) parameters in \fIparams\fR can be set to further
modify the store operation.
The given \fIpost_process\fR and \fIpost_process_data\fR will be reused by
\&\fBOSSL_STORE_load()\fR to manipulate or drop the value to be returned.
-The \fIpost_process\fR function drops values by returning \s-1NULL,\s0 which
+The \fIpost_process\fR function drops values by returning NULL, which
will cause \fBOSSL_STORE_load()\fR to start its process over with loading
the next object, until \fIpost_process\fR returns something other than
-\&\s-1NULL,\s0 or the end of data is reached as indicated by \fBOSSL_STORE_eof()\fR.
+NULL, or the end of data is reached as indicated by \fBOSSL_STORE_eof()\fR.
.PP
-\&\fBOSSL_STORE_open()\fR is similar to \fBOSSL_STORE_open_ex()\fR but uses \s-1NULL\s0 for
+\&\fBOSSL_STORE_open()\fR is similar to \fBOSSL_STORE_open_ex()\fR but uses NULL for
the \fIparams\fR, the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
-\&\fBOSSL_STORE_ctrl()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, and command number \fIcmd\fR and
+\&\fBOSSL_STORE_ctrl()\fR takes a \fBOSSL_STORE_CTX\fR, and command number \fIcmd\fR and
more arguments not specified here.
The available loader specific command numbers and arguments they each
take depends on the loader that's used and is documented together with
that loader.
.PP
There are also global controls available:
-.IP "\fB\s-1OSSL_STORE_C_USE_SECMEM\s0\fR" 4
+.IP \fBOSSL_STORE_C_USE_SECMEM\fR 4
.IX Item "OSSL_STORE_C_USE_SECMEM"
Controls if the loader should attempt to use secure memory for any
-allocated \fB\s-1OSSL_STORE_INFO\s0\fR and its contents.
+allocated \fBOSSL_STORE_INFO\fR and its contents.
This control expects one argument, a pointer to an \fIint\fR that is expected to
have the value 1 (yes) or 0 (no).
Any other value is an error.
.PP
-\&\fBOSSL_STORE_load()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and tries to load the next
-available object and return it wrapped with \fB\s-1OSSL_STORE_INFO\s0\fR.
+\&\fBOSSL_STORE_load()\fR takes a \fBOSSL_STORE_CTX\fR and tries to load the next
+available object and return it wrapped with \fBOSSL_STORE_INFO\fR.
.PP
-\&\fBOSSL_STORE_eof()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and checks if we've reached the end
+\&\fBOSSL_STORE_delete()\fR deletes the object identified by \fIuri\fR.
+.PP
+\&\fBOSSL_STORE_eof()\fR takes a \fBOSSL_STORE_CTX\fR and checks if we've reached the end
of data.
.PP
-\&\fBOSSL_STORE_error()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and checks if an error occurred in
+\&\fBOSSL_STORE_error()\fR takes a \fBOSSL_STORE_CTX\fR and checks if an error occurred in
the last \fBOSSL_STORE_load()\fR call.
Note that it may still be meaningful to try and load more objects, unless
\&\fBOSSL_STORE_eof()\fR shows that the end of data has been reached.
.PP
-\&\fBOSSL_STORE_close()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, closes the channel that was opened
+\&\fBOSSL_STORE_close()\fR takes a \fBOSSL_STORE_CTX\fR, closes the channel that was opened
by \fBOSSL_STORE_open()\fR and frees all other information that was stored in the
-\&\fB\s-1OSSL_STORE_CTX\s0\fR, as well as the \fB\s-1OSSL_STORE_CTX\s0\fR itself.
-If \fIctx\fR is \s-1NULL\s0 it does nothing.
-.SH "NOTES"
+\&\fBOSSL_STORE_CTX\fR, as well as the \fBOSSL_STORE_CTX\fR itself.
+If \fIctx\fR is NULL it does nothing.
+.SH NOTES
.IX Header "NOTES"
A string without a scheme prefix (that is, a non-URI string) is
implicitly interpreted as using the \fIfile:\fR scheme.
.PP
There are some tools that can be used together with
\&\fBOSSL_STORE_open()\fR to determine if any failure is caused by an unparsable
-\&\s-1URI,\s0 or if it's a different error (such as memory allocation
-failures); if the \s-1URI\s0 was parsable but the scheme unregistered, the
+URI, or if it's a different error (such as memory allocation
+failures); if the URI was parsable but the scheme unregistered, the
top error will have the reason \f(CW\*(C`OSSL_STORE_R_UNREGISTERED_SCHEME\*(C'\fR.
.PP
These functions make no direct assumption regarding the pass phrase received
@@ -266,13 +195,13 @@ relevant for PKCS#12 objects.
See \fBpassphrase\-encoding\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_STORE_open()\fR returns a pointer to a \fB\s-1OSSL_STORE_CTX\s0\fR on success, or
-\&\s-1NULL\s0 on failure.
+\&\fBOSSL_STORE_open()\fR returns a pointer to a \fBOSSL_STORE_CTX\fR on success, or
+NULL on failure.
.PP
-\&\fBOSSL_STORE_load()\fR returns a pointer to a \fB\s-1OSSL_STORE_INFO\s0\fR on success, or \s-1NULL\s0
+\&\fBOSSL_STORE_load()\fR returns a pointer to a \fBOSSL_STORE_INFO\fR on success, or NULL
on error or when end of data is reached.
Use \fBOSSL_STORE_error()\fR and \fBOSSL_STORE_eof()\fR to determine the meaning of a
-returned \s-1NULL.\s0
+returned NULL.
.PP
\&\fBOSSL_STORE_eof()\fR returns 1 if the end of data has been reached
or an error occurred, 0 otherwise.
@@ -280,30 +209,31 @@ or an error occurred, 0 otherwise.
\&\fBOSSL_STORE_error()\fR returns 1 if an error occurred in an \fBOSSL_STORE_load()\fR call,
otherwise 0.
.PP
-\&\fBOSSL_STORE_ctrl()\fR and \fBOSSL_STORE_close()\fR returns 1 on success, or 0 on failure.
+\&\fBOSSL_STORE_delete()\fR, \fBOSSL_STORE_ctrl()\fR and \fBOSSL_STORE_close()\fR return 1 on
+success, or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBossl_store\fR\|(7), \s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \fBOSSL_STORE_register_loader\fR\|(3),
+\&\fBossl_store\fR\|(7), \fBOSSL_STORE_INFO\fR\|(3), \fBOSSL_STORE_register_loader\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
+\&\fBOSSL_STORE_delete()\fR was added in OpenSSL 3.2.
+.PP
\&\fBOSSL_STORE_open_ex()\fR was added in OpenSSL 3.0.
.PP
-\&\fB\s-1OSSL_STORE_CTX\s0\fR, \fBOSSL_STORE_post_process_info_fn()\fR, \fBOSSL_STORE_open()\fR,
+\&\fBOSSL_STORE_CTX\fR, \fBOSSL_STORE_post_process_info_fn()\fR, \fBOSSL_STORE_open()\fR,
\&\fBOSSL_STORE_ctrl()\fR, \fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR and \fBOSSL_STORE_close()\fR
were added in OpenSSL 1.1.1.
.PP
-Handling of \s-1NULL\s0 \fIctx\fR argument for \fBOSSL_STORE_close()\fR
+Handling of NULL \fIctx\fR argument for \fBOSSL_STORE_close()\fR
was introduced in OpenSSL 1.1.1h.
.PP
-\&\fBOSSL_STORE_open_ex()\fR was added in OpenSSL 3.0.
-.PP
\&\fBOSSL_STORE_ctrl()\fR and \fBOSSL_STORE_vctrl()\fR were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_sleep.3 b/secure/lib/libcrypto/man/man3/OSSL_sleep.3
new file mode 100644
index 000000000000..d4395b53f436
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/OSSL_sleep.3
@@ -0,0 +1,96 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_SLEEP 3ossl"
+.TH OSSL_SLEEP 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_sleep \- delay execution for a specified number of milliseconds
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/crypto.h>
+\&
+\& void OSSL_sleep(uint64_t millis);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBOSSL_sleep()\fR is a convenience function to delay execution of the calling
+thread for (at least) \fImillis\fR milliseconds. The delay is not guaranteed;
+it may be affected by system activity, by the time spent processing the call,
+limitation on the underlying system call parameter size or by system timer
+granularity.
+.PP
+In particular on Windows the maximum amount of time it will sleep is
+49 days and on systems where the regular \fBsleep\fR\|(3) is used as the underlying
+system call the maximum sleep time is about 136 years.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_sleep()\fR does not return any value.
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBOSSL_sleep()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3
index fe5f8c20303e..9ba476453e43 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_trace_enabled.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_TRACE_ENABLED 3ossl"
-.TH OSSL_TRACE_ENABLED 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_TRACE_ENABLED 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_trace_enabled, OSSL_trace_begin, OSSL_trace_end,
OSSL_TRACE_BEGIN, OSSL_TRACE_END, OSSL_TRACE_CANCEL,
OSSL_TRACE, OSSL_TRACE1, OSSL_TRACE2, OSSL_TRACE3, OSSL_TRACE4,
OSSL_TRACE5, OSSL_TRACE6, OSSL_TRACE7, OSSL_TRACE8, OSSL_TRACE9,
OSSL_TRACEV,
+OSSL_TRACE_STRING, OSSL_TRACE_STRING_MAX, OSSL_trace_string,
OSSL_TRACE_ENABLED
\&\- OpenSSL Tracing API
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/trace.h>
@@ -166,62 +91,71 @@ OSSL_TRACE_ENABLED
\& } OSSL_TRACE_END(category);
\&
\& /* one\-shot trace macros */
+\& OSSL_TRACE(category, text)
\& OSSL_TRACE1(category, format, arg1)
\& OSSL_TRACE2(category, format, arg1, arg2)
\& ...
\& OSSL_TRACE9(category, format, arg1, ..., arg9)
+\& OSSL_TRACE_STRING(category, text, full, data, len)
+\&
+\& #define OSSL_TRACE_STRING_MAX 80
+\& int OSSL_trace_string(BIO *out, int text, int full,
+\& const unsigned char *data, size_t size);
\&
\& /* check whether a trace category is enabled */
\& if (OSSL_TRACE_ENABLED(category)) {
\& ...
\& }
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions described here are mainly interesting for those who provide
OpenSSL functionality, either in OpenSSL itself or in engine modules
or similar.
.PP
-If tracing is enabled (see \*(L"\s-1NOTES\*(R"\s0 below), these functions are used to
-generate free text tracing output.
+If the tracing facility is enabled (see "Configure Tracing" below),
+these functions are used to generate free text tracing output.
.PP
The tracing output is divided into types which are enabled
individually by the application.
The tracing types are described in detail in
-\&\*(L"Trace types\*(R" in \fBOSSL_trace_set_callback\fR\|(3).
-The fallback type \fB\s-1OSSL_TRACE_CATEGORY_ALL\s0\fR should \fInot\fR be used
+"Trace types" in \fBOSSL_trace_set_callback\fR\|(3).
+The fallback type \fBOSSL_TRACE_CATEGORY_ALL\fR should \fInot\fR be used
with the functions described here.
.PP
-Tracing for a specific category is enabled if a so called
+Tracing for a specific category is enabled at run-time if a so-called
\&\fItrace channel\fR is attached to it. A trace channel is simply a
-\&\s-1BIO\s0 object to which the application can write its trace output.
+BIO object to which the application can write its trace output.
.PP
The application has two different ways of registering a trace channel,
-either by directly providing a \s-1BIO\s0 object using \fBOSSL_trace_set_channel()\fR,
-or by providing a callback routine using \fBOSSL_trace_set_callback()\fR.
-The latter is wrapped internally by a dedicated \s-1BIO\s0 object, so for the
+either by directly providing a BIO object using \fBOSSL_trace_set_channel\fR\|(3),
+or by providing a callback routine using \fBOSSL_trace_set_callback\fR\|(3).
+The latter is wrapped internally by a dedicated BIO object, so for the
tracing code both channel types are effectively indistinguishable.
We call them a \fIsimple trace channel\fR and a \fIcallback trace channel\fR,
respectively.
.PP
To produce trace output, it is necessary to obtain a pointer to the
-trace channel (i.e., the \s-1BIO\s0 object) using \fBOSSL_trace_begin()\fR, write
-to it using arbitrary \s-1BIO\s0 output routines, and finally releases the
+trace channel (i.e., the BIO object) using \fBOSSL_trace_begin()\fR, write
+to it using arbitrary BIO output routines, and finally releases the
channel using \fBOSSL_trace_end()\fR. The \fBOSSL_trace_begin()\fR/\fBOSSL_trace_end()\fR
calls surrounding the trace output create a group, which acts as a
critical section (guarded by a mutex) to ensure that the trace output
of different threads does not get mixed up.
.PP
The tracing code normally does not call OSSL_trace_{begin,end}() directly,
-but rather uses a set of convenience macros, see the \*(L"Macros\*(R" section below.
-.SS "Functions"
+but rather uses a set of convenience macros, see the "Macros" section below.
+.SS Functions
.IX Subsection "Functions"
\&\fBOSSL_trace_enabled()\fR can be used to check if tracing for the given
-\&\fIcategory\fR is enabled.
+\&\fIcategory\fR is enabled, i.e., if the tracing facility has been statically
+enabled (see "Configure Tracing" below) and a trace channel has been
+registered using \fBOSSL_trace_set_channel\fR\|(3) or \fBOSSL_trace_set_callback\fR\|(3).
.PP
-\&\fBOSSL_trace_begin()\fR is used to starts a tracing section, and get the
-channel for the given \fIcategory\fR in form of a \s-1BIO.\s0
-This \s-1BIO\s0 can only be used for output.
+\&\fBOSSL_trace_begin()\fR is used to start a tracing section,
+and get the channel for the given \fIcategory\fR in form of a BIO.
+This BIO can only be used for output.
+The pointer returned is NULL if the category is invalid or not enabled.
.PP
\&\fBOSSL_trace_end()\fR is used to end a tracing section.
.PP
@@ -229,18 +163,24 @@ Using \fBOSSL_trace_begin()\fR and \fBOSSL_trace_end()\fR to wrap tracing sectio
is \fImandatory\fR.
The result of trying to produce tracing output outside of such
sections is undefined.
-.SS "Macros"
+.PP
+\&\fBOSSL_trace_string()\fR outputs \fIdata\fR of length \fIsize\fR as a string on BIO \fIout\fR.
+If \fItext\fR is 0, the function masks any included control characters apart from
+newlines and makes sure for nonempty input that the output ends with a newline.
+Unless \fIfull\fR is nonzero, the length is limited (with a suitable warning)
+to \fBOSSL_TRACE_STRING_MAX\fR characters, which currently is 80.
+.SS Macros
.IX Subsection "Macros"
There are a number of convenience macros defined, to make tracing
easy and consistent.
.PP
-\&\s-1\fBOSSL_TRACE_BEGIN\s0()\fR and \s-1\fBOSSL_TRACE_END\s0()\fR reserve the \fB\s-1BIO\s0\fR \f(CW\*(C`trc_out\*(C'\fR and are
+\&\fBOSSL_TRACE_BEGIN()\fR and \fBOSSL_TRACE_END()\fR reserve the \fBBIO\fR \f(CW\*(C`trc_out\*(C'\fR and are
used as follows to wrap a trace section:
.PP
.Vb 1
\& OSSL_TRACE_BEGIN(TLS) {
\&
-\& BIO_fprintf(trc_out, ... );
+\& BIO_printf(trc_out, ... );
\&
\& } OSSL_TRACE_END(TLS);
.Ve
@@ -252,13 +192,13 @@ This will normally expand to:
\& BIO *trc_out = OSSL_trace_begin(OSSL_TRACE_CATEGORY_TLS);
\& if (trc_out != NULL) {
\& ...
-\& BIO_fprintf(trc_out, ...);
+\& BIO_printf(trc_out, ...);
\& }
\& OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out);
\& } while (0);
.Ve
.PP
-\&\s-1\fBOSSL_TRACE_CANCEL\s0()\fR must be used before returning from or jumping out of a
+\&\fBOSSL_TRACE_CANCEL()\fR must be used before returning from or jumping out of a
trace section:
.PP
.Vb 1
@@ -268,7 +208,7 @@ trace section:
\& OSSL_TRACE_CANCEL(TLS);
\& goto err;
\& }
-\& BIO_fprintf(trc_out, ... );
+\& BIO_printf(trc_out, ... );
\&
\& } OSSL_TRACE_END(TLS);
.Ve
@@ -283,13 +223,13 @@ This will normally expand to:
\& OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out);
\& goto err;
\& }
-\& BIO_fprintf(trc_out, ... );
+\& BIO_printf(trc_out, ... );
\& }
\& OSSL_trace_end(OSSL_TRACE_CATEGORY_TLS, trc_out);
\& } while (0);
.Ve
.PP
-\&\s-1\fBOSSL_TRACE\s0()\fR and \s-1\fBOSSL_TRACE1\s0()\fR, \s-1\fBOSSL_TRACE2\s0()\fR, ... \s-1\fBOSSL_TRACE9\s0()\fR are
+\&\fBOSSL_TRACE()\fR and \fBOSSL_TRACE1()\fR, \fBOSSL_TRACE2()\fR, ... \fBOSSL_TRACE9()\fR are
so-called one-shot macros:
.PP
The macro call \f(CW\*(C`OSSL_TRACE(category, text)\*(C'\fR, produces literal text trace output.
@@ -300,18 +240,29 @@ It expands to:
.PP
.Vb 3
\& OSSL_TRACE_BEGIN(category) {
-\& BIO_printf(trc_out, format, arg1, ..., argN)
+\& BIO_printf(trc_out, format, arg1, ..., argN);
\& } OSSL_TRACE_END(category)
.Ve
.PP
-Internally, all one-shot macros are implemented using a generic \s-1\fBOSSL_TRACEV\s0()\fR
+Internally, all one-shot macros are implemented using a generic \fBOSSL_TRACEV()\fR
macro, since C90 does not support variadic macros. This helper macro has a rather
weird synopsis and should not be used directly.
.PP
-The \s-1\fBOSSL_TRACE_ENABLED\s0()\fR macro can be used to conditionally execute some code
+The macro call \f(CW\*(C`OSSL_TRACE_STRING(category, text, full, data, len)\*(C'\fR
+outputs \fIdata\fR of length \fIsize\fR as a string
+if tracing for the given \fIcategory\fR is enabled.
+It expands to:
+.PP
+.Vb 3
+\& OSSL_TRACE_BEGIN(category) {
+\& OSSL_trace_string(trc_out, text, full, data, len);
+\& } OSSL_TRACE_END(category)
+.Ve
+.PP
+The \fBOSSL_TRACE_ENABLED()\fR macro can be used to conditionally execute some code
only if a specific trace category is enabled.
In some situations this is simpler than entering a trace section using
-\&\s-1\fBOSSL_TRACE_BEGIN\s0()\fR and \s-1\fBOSSL_TRACE_END\s0()\fR.
+\&\fBOSSL_TRACE_BEGIN()\fR and \fBOSSL_TRACE_END()\fR.
For example, the code
.PP
.Vb 3
@@ -327,8 +278,11 @@ expands to
\& ...
\& }
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
+It is not needed to guard trace output function calls like
+\&\fIOSSL_TRACE(category, ...)\fR by \fIOSSL_TRACE_ENABLED(category)\fR.
+.PP
If producing the trace output requires carrying out auxiliary calculations,
this auxiliary code should be placed inside a conditional block which is
executed only if the trace category is enabled.
@@ -370,15 +324,15 @@ use the tracing functionality documented here, it is therefore
necessary to configure and build OpenSSL with the 'enable\-trace' option.
.PP
When the library is built with tracing disabled:
-.IP "\(bu" 4
-The macro \fB\s-1OPENSSL_NO_TRACE\s0\fR is defined in \fI<openssl/opensslconf.h>\fR.
-.IP "\(bu" 4
+.IP \(bu 4
+The macro \fBOPENSSL_NO_TRACE\fR is defined in \fI<openssl/opensslconf.h>\fR.
+.IP \(bu 4
all functions are still present, but \fBOSSL_trace_enabled()\fR will always
report the categories as disabled, and all other functions will do
nothing.
-.IP "\(bu" 4
+.IP \(bu 4
the convenience macros are defined to produce dead code.
-For example, take this example from \*(L"Macros\*(R" section above:
+For example, take this example from "Macros" section above:
.Sp
.Vb 1
\& OSSL_TRACE_BEGIN(TLS) {
@@ -387,12 +341,12 @@ For example, take this example from \*(L"Macros\*(R" section above:
\& OSSL_TRACE_CANCEL(TLS);
\& goto err;
\& }
-\& BIO_fprintf(trc_out, ... );
+\& BIO_printf(trc_out, ... );
\&
\& } OSSL_TRACE_END(TLS);
.Ve
.Sp
-When the tracing \s-1API\s0 isn't operational, that will expand to:
+When the tracing API isn't operational, that will expand to:
.Sp
.Vb 10
\& do {
@@ -402,7 +356,7 @@ When the tracing \s-1API\s0 isn't operational, that will expand to:
\& ((void)0);
\& goto err;
\& }
-\& BIO_fprintf(trc_out, ... );
+\& BIO_printf(trc_out, ... );
\& }
\& } while (0);
.Ve
@@ -411,16 +365,24 @@ When the tracing \s-1API\s0 isn't operational, that will expand to:
\&\fBOSSL_trace_enabled()\fR returns 1 if tracing for the given \fItype\fR is
operational and enabled, otherwise 0.
.PP
-\&\fBOSSL_trace_begin()\fR returns a \fB\s-1BIO\s0\fR pointer if the given \fItype\fR is enabled,
-otherwise \s-1NULL.\s0
-.SH "HISTORY"
+\&\fBOSSL_trace_begin()\fR returns a \fBBIO\fR pointer if the given \fItype\fR is enabled,
+otherwise NULL.
+.PP
+\&\fBOSSL_trace_string()\fR returns the number of characters emitted, or \-1 on error.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_trace_set_channel\fR\|(3), \fBOSSL_trace_set_callback\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL Tracing \s-1API\s0 was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL Tracing API was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_TRACE_STRING()\fR, OSSL_TRACE_STRING_MAX, and OSSL_trace_string
+were added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3
index 617e187d1991..2fa489a9c06f 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_trace_get_category_num.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_TRACE_GET_CATEGORY_NUM 3ossl"
-.TH OSSL_TRACE_GET_CATEGORY_NUM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_TRACE_GET_CATEGORY_NUM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_trace_get_category_num, OSSL_trace_get_category_name
\&\- OpenSSL tracing information functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/trace.h>
@@ -147,7 +71,7 @@ OSSL_trace_get_category_num, OSSL_trace_get_category_name
\& int OSSL_trace_get_category_num(const char *name);
\& const char *OSSL_trace_get_category_name(int num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBOSSL_trace_get_category_num()\fR gives the category number corresponding
to the given \f(CW\*(C`name\*(C'\fR.
@@ -160,15 +84,15 @@ to the given \f(CW\*(C`num\*(C'\fR.
\&\f(CW\*(C`name\*(C'\fR is a recognised category name, otherwise \-1.
.PP
\&\fBOSSL_trace_get_category_name()\fR returns the category name if the given
-\&\f(CW\*(C`num\*(C'\fR is a recognised category number, otherwise \s-1NULL.\s0
-.SH "HISTORY"
+\&\f(CW\*(C`num\*(C'\fR is a recognised category number, otherwise NULL.
+.SH HISTORY
.IX Header "HISTORY"
-The OpenSSL Tracing \s-1API\s0 was added ino OpenSSL 3.0.
-.SH "COPYRIGHT"
+The OpenSSL Tracing API was added ino OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3 b/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3
index 49e757ae36d0..c2ad7f031504 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_trace_set_channel.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_TRACE_SET_CHANNEL 3ossl"
-.TH OSSL_TRACE_SET_CHANNEL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_TRACE_SET_CHANNEL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_trace_set_channel, OSSL_trace_set_prefix, OSSL_trace_set_suffix,
OSSL_trace_set_callback, OSSL_trace_cb \- Enabling trace output
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/trace.h>
@@ -152,29 +76,34 @@ OSSL_trace_set_callback, OSSL_trace_cb \- Enabling trace output
\& void OSSL_trace_set_suffix(int category, const char *suffix);
\& void OSSL_trace_set_callback(int category, OSSL_trace_cb cb, void *data);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-If available (see \*(L"\s-1NOTES\*(R"\s0 below), the application can request
+If available (see "Configure Tracing" below), the application can request
internal trace output.
This output comes in form of free text for humans to read.
.PP
The trace output is divided into categories which can be
enabled individually.
-Every category can be enabled individually by attaching a so called
-\&\fItrace channel\fR to it, which in the simplest case is just a \s-1BIO\s0 object
+Every category can be enabled individually by attaching a so-called
+\&\fItrace channel\fR to it, which in the simplest case is just a BIO object
to which the application can write the tracing output for this category.
Alternatively, the application can provide a tracer callback in order to
get more finegrained trace information. This callback will be wrapped
-internally by a dedicated \s-1BIO\s0 object.
+internally by a dedicated BIO object.
.PP
For the tracing code, both trace channel types are indistinguishable.
These are called a \fIsimple trace channel\fR and a \fIcallback trace channel\fR,
respectively.
-.SS "Functions"
+.PP
+\&\fBOSSL_TRACE_ENABLED\fR\|(3) can be used to check whether tracing is currently
+enabled for the given category.
+Functions like \fBOSSL_TRACE1\fR\|(3) and macros like \fBOSSL_TRACE_BEGIN\fR\|(3)
+can be used for producing free-text trace output.
+.SS Functions
.IX Subsection "Functions"
\&\fBOSSL_trace_set_channel()\fR is used to enable the given trace \f(CW\*(C`category\*(C'\fR
-by attaching the \fB\s-1BIO\s0\fR \fIbio\fR object as (simple) trace channel.
-On success the ownership of the \s-1BIO\s0 is transferred to the channel,
+by attaching the \fBBIO\fR \fIbio\fR object as (simple) trace channel.
+On success the ownership of the BIO is transferred to the channel,
so the caller must not free it directly.
.PP
\&\fBOSSL_trace_set_prefix()\fR and \fBOSSL_trace_set_suffix()\fR can be used to add
@@ -190,7 +119,7 @@ tracing prefixes, consider setting a callback with
\&\fIcategory\fR by giving it the tracer callback \fIcb\fR with the associated
data \fIdata\fR, which will simply be passed through to \fIcb\fR whenever
it's called. The callback function is internally wrapped by a
-dedicated \s-1BIO\s0 object, the so called \fIcallback trace channel\fR.
+dedicated BIO object, the so-called \fIcallback trace channel\fR.
This should be used when it's desirable to do form the trace output to
something suitable for application needs where a prefix and suffix
line aren't enough.
@@ -199,8 +128,8 @@ line aren't enough.
exclusive, calling one of them will clear whatever was set by the
previous call.
.PP
-Calling \fBOSSL_trace_set_channel()\fR with \s-1NULL\s0 for \fIchannel\fR or
-\&\fBOSSL_trace_set_callback()\fR with \s-1NULL\s0 for \fIcb\fR disables tracing for
+Calling \fBOSSL_trace_set_channel()\fR with NULL for \fIchannel\fR or
+\&\fBOSSL_trace_set_callback()\fR with NULL for \fIcb\fR disables tracing for
the given \fIcategory\fR.
.SS "Trace callback"
.IX Subsection "Trace callback"
@@ -211,105 +140,108 @@ the \fIcategory\fR, a control number \fIcmd\fR, and the \fIdata\fR that was
passed to \fBOSSL_trace_set_callback()\fR.
.PP
The possible control numbers are:
-.IP "\fB\s-1OSSL_TRACE_CTRL_BEGIN\s0\fR" 4
+.IP \fBOSSL_TRACE_CTRL_BEGIN\fR 4
.IX Item "OSSL_TRACE_CTRL_BEGIN"
The callback is called from \fBOSSL_trace_begin()\fR, which gives the
callback the possibility to output a dynamic starting line, or set a
prefix that should be output at the beginning of each line, or
something other.
-.IP "\fB\s-1OSSL_TRACE_CTRL_WRITE\s0\fR" 4
+.IP \fBOSSL_TRACE_CTRL_WRITE\fR 4
.IX Item "OSSL_TRACE_CTRL_WRITE"
-This callback is called whenever data is written to the \s-1BIO\s0 by some
-regular \s-1BIO\s0 output routine.
-An arbitrary number of \fB\s-1OSSL_TRACE_CTRL_WRITE\s0\fR callbacks can occur
-inside a group marked by a pair of \fB\s-1OSSL_TRACE_CTRL_BEGIN\s0\fR and
-\&\fB\s-1OSSL_TRACE_CTRL_END\s0\fR calls, but never outside such a group.
-.IP "\fB\s-1OSSL_TRACE_CTRL_END\s0\fR" 4
+This callback is called whenever data is written to the BIO by some
+regular BIO output routine.
+An arbitrary number of \fBOSSL_TRACE_CTRL_WRITE\fR callbacks can occur
+inside a group marked by a pair of \fBOSSL_TRACE_CTRL_BEGIN\fR and
+\&\fBOSSL_TRACE_CTRL_END\fR calls, but never outside such a group.
+.IP \fBOSSL_TRACE_CTRL_END\fR 4
.IX Item "OSSL_TRACE_CTRL_END"
The callback is called from \fBOSSL_trace_end()\fR, which gives the callback
the possibility to output a dynamic ending line, or reset the line
-prefix that was set with \fB\s-1OSSL_TRACE_CTRL_BEGIN\s0\fR, or something other.
+prefix that was set with \fBOSSL_TRACE_CTRL_BEGIN\fR, or something other.
.SS "Trace categories"
.IX Subsection "Trace categories"
The trace categories are simple numbers available through macros.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_TRACE\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_TRACE\fR 4
.IX Item "OSSL_TRACE_CATEGORY_TRACE"
-Traces the OpenSSL trace \s-1API\s0 itself.
+Traces the OpenSSL trace API itself.
.Sp
More precisely, this will generate trace output any time a new
trace hook is set.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_INIT\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_INIT\fR 4
.IX Item "OSSL_TRACE_CATEGORY_INIT"
Traces OpenSSL library initialization and cleanup.
.Sp
This needs special care, as OpenSSL will do automatic cleanup after
-exit from \f(CW\*(C`main()\*(C'\fR, and any tracing output done during this cleanup
+exit from \f(CWmain()\fR, and any tracing output done during this cleanup
will be lost if the tracing channel or callback were cleaned away
prematurely.
A suggestion is to make such cleanup part of a function that's
registered very early with \fBatexit\fR\|(3).
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_TLS\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_TLS\fR 4
.IX Item "OSSL_TRACE_CATEGORY_TLS"
-Traces the \s-1TLS/SSL\s0 protocol.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_TLS_CIPHER\s0\fR" 4
+Traces the TLS/SSL protocol.
+.IP \fBOSSL_TRACE_CATEGORY_TLS_CIPHER\fR 4
.IX Item "OSSL_TRACE_CATEGORY_TLS_CIPHER"
-Traces the ciphers used by the \s-1TLS/SSL\s0 protocol.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_CONF\s0\fR" 4
+Traces the ciphers used by the TLS/SSL protocol.
+.IP \fBOSSL_TRACE_CATEGORY_CONF\fR 4
.IX Item "OSSL_TRACE_CATEGORY_CONF"
Traces details about the provider and engine configuration.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_ENGINE_TABLE\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_ENGINE_TABLE\fR 4
.IX Item "OSSL_TRACE_CATEGORY_ENGINE_TABLE"
-Traces the \s-1ENGINE\s0 algorithm table selection.
+Traces the ENGINE algorithm table selection.
.Sp
More precisely, functions like \fBENGINE_get_pkey_asn1_meth_engine()\fR,
\&\fBENGINE_get_pkey_meth_engine()\fR, \fBENGINE_get_cipher_engine()\fR,
\&\fBENGINE_get_digest_engine()\fR, will generate trace summaries of the
handling of internal tables.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_ENGINE_REF_COUNT\fR 4
.IX Item "OSSL_TRACE_CATEGORY_ENGINE_REF_COUNT"
-Traces the \s-1ENGINE\s0 reference counting.
+Traces the ENGINE reference counting.
.Sp
-More precisely, both reference counts in the \s-1ENGINE\s0 structure will be
+More precisely, both reference counts in the ENGINE structure will be
monitored with a line of trace output generated for each change.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_PKCS5V2\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_PKCS5V2\fR 4
.IX Item "OSSL_TRACE_CATEGORY_PKCS5V2"
Traces PKCS#5 v2 key generation.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_PKCS12_KEYGEN\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_PKCS12_KEYGEN\fR 4
.IX Item "OSSL_TRACE_CATEGORY_PKCS12_KEYGEN"
Traces PKCS#12 key generation.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_PKCS12_DECRYPT\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_PKCS12_DECRYPT\fR 4
.IX Item "OSSL_TRACE_CATEGORY_PKCS12_DECRYPT"
Traces PKCS#12 decryption.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_X509V3_POLICY\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_X509V3_POLICY\fR 4
.IX Item "OSSL_TRACE_CATEGORY_X509V3_POLICY"
Traces X509v3 policy processing.
.Sp
More precisely, this generates the complete policy tree at various
point during evaluation.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_BN_CTX\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_BN_CTX\fR 4
.IX Item "OSSL_TRACE_CATEGORY_BN_CTX"
-Traces \s-1BIGNUM\s0 context operations.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_CMP\s0\fR" 4
+Traces BIGNUM context operations.
+.IP \fBOSSL_TRACE_CATEGORY_CMP\fR 4
.IX Item "OSSL_TRACE_CATEGORY_CMP"
-Traces \s-1CMP\s0 client and server activity.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_STORE\s0\fR" 4
+Traces CMP client and server activity.
+.IP \fBOSSL_TRACE_CATEGORY_STORE\fR 4
.IX Item "OSSL_TRACE_CATEGORY_STORE"
-Traces \s-1STORE\s0 operations.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_DECODER\s0\fR" 4
+Traces STORE operations.
+.IP \fBOSSL_TRACE_CATEGORY_DECODER\fR 4
.IX Item "OSSL_TRACE_CATEGORY_DECODER"
Traces decoder operations.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_ENCODER\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_ENCODER\fR 4
.IX Item "OSSL_TRACE_CATEGORY_ENCODER"
Traces encoder operations.
-.IP "\fB\s-1OSSL_TRACE_CATEGORY_REF_COUNT\s0\fR" 4
+.IP \fBOSSL_TRACE_CATEGORY_REF_COUNT\fR 4
.IX Item "OSSL_TRACE_CATEGORY_REF_COUNT"
-Traces decrementing certain \s-1ASN.1\s0 structure references.
+Traces decrementing certain ASN.1 structure references.
+.IP \fBOSSL_TRACE_CATEGORY_HTTP\fR 4
+.IX Item "OSSL_TRACE_CATEGORY_HTTP"
+Traces the HTTP client, such as message headers being sent and received.
.PP
-There is also \fB\s-1OSSL_TRACE_CATEGORY_ALL\s0\fR, which works as a fallback
+There is also \fBOSSL_TRACE_CATEGORY_ALL\fR, which works as a fallback
and can be used to get \fIall\fR trace output.
.PP
Note, however, that in this case all trace output will effectively be
-associated with the '\s-1ALL\s0' category, which is undesirable if the
+associated with the 'ALL' category, which is undesirable if the
application intends to include the category name in the trace output.
In this case it is better to register separate channels for each
trace category instead.
@@ -318,7 +250,7 @@ trace category instead.
\&\fBOSSL_trace_set_channel()\fR, \fBOSSL_trace_set_prefix()\fR,
\&\fBOSSL_trace_set_suffix()\fR, and \fBOSSL_trace_set_callback()\fR return 1 on
success, or 0 on failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
In all examples below, the trace producing code is assumed to be
the following:
@@ -409,7 +341,7 @@ The output is almost the same as for the simple example above.
\& 0000 \- 00 01 02 03 04 05 06 07\-08 09 0a 0b 0c 0d 0e 0f ................
\& END TRACE[TLS]:7f9eb0193b80
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
.SS "Configure Tracing"
.IX Subsection "Configure Tracing"
@@ -418,18 +350,22 @@ use the tracing functionality documented here, it is therefore
necessary to configure and build OpenSSL with the 'enable\-trace' option.
.PP
When the library is built with tracing disabled, the macro
-\&\fB\s-1OPENSSL_NO_TRACE\s0\fR is defined in \fI<openssl/opensslconf.h>\fR and all
+\&\fBOPENSSL_NO_TRACE\fR is defined in \fI<openssl/opensslconf.h>\fR and all
functions described here are inoperational, i.e. will do nothing.
-.SH "HISTORY"
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_TRACE_ENABLED\fR\|(3), \fBOSSL_TRACE_BEGIN\fR\|(3), \fBOSSL_TRACE1\fR\|(3),
+\&\fBatexit\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_trace_set_channel()\fR, \fBOSSL_trace_set_prefix()\fR,
\&\fBOSSL_trace_set_suffix()\fR, and \fBOSSL_trace_set_callback()\fR were all added
in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3
index 16da7c0ec864..beccce87849f 100644
--- a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3
+++ b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_ADD_ALL_ALGORITHMS 3ossl"
-.TH OPENSSL_ADD_ALL_ALGORITHMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_ADD_ALL_ALGORITHMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests, EVP_cleanup \-
add algorithms to internal table
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -156,7 +80,7 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& void EVP_cleanup(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
this table to lookup ciphers via functions such as \fBEVP_get_cipher_byname()\fR.
@@ -178,17 +102,17 @@ None of the functions return a value.
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBEVP_DigestInit\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBOpenSSL_add_all_algorithms()\fR, \fBOpenSSL_add_all_ciphers()\fR,
\&\fBOpenSSL_add_all_digests()\fR, and \fBEVP_cleanup()\fR, functions
were deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_crypto()\fR and should
not be used.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_version.3 b/secure/lib/libcrypto/man/man3/OpenSSL_version.3
index 008721cb7d69..2d11d047d6c5 100644
--- a/secure/lib/libcrypto/man/man3/OpenSSL_version.3
+++ b/secure/lib/libcrypto/man/man3/OpenSSL_version.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_VERSION 3ossl"
-.TH OPENSSL_VERSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL_VERSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OPENSSL_VERSION_MAJOR, OPENSSL_VERSION_MINOR, OPENSSL_VERSION_PATCH,
OPENSSL_VERSION_PRE_RELEASE, OPENSSL_VERSION_BUILD_METADATA,
OPENSSL_VERSION_TEXT, OPENSSL_VERSION_PREREQ, OPENSSL_version_major,
@@ -144,7 +68,7 @@ OPENSSL_version_minor, OPENSSL_version_patch, OPENSSL_version_pre_release,
OPENSSL_version_build_metadata, OpenSSL_version, OPENSSL_VERSION_NUMBER,
OpenSSL_version_num, OPENSSL_info
\&\- get OpenSSL version number and other information
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/opensslv.h>
@@ -179,96 +103,96 @@ OpenSSL_version_num, OPENSSL_info
\& /* from openssl/crypto.h */
\& unsigned long OpenSSL_version_num();
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-.SS "Macros"
+.SS Macros
.IX Subsection "Macros"
-The three macros \fB\s-1OPENSSL_VERSION_MAJOR\s0\fR, \fB\s-1OPENSSL_VERSION_MINOR\s0\fR and
-\&\fB\s-1OPENSSL_VERSION_PATCH\s0\fR represent the three parts of a version
-identifier, \fB\f(BI\s-1MAJOR\s0\fB.\f(BI\s-1MINOR\s0\fB.\f(BI\s-1PATCH\s0\fB\fR.
+The three macros \fBOPENSSL_VERSION_MAJOR\fR, \fBOPENSSL_VERSION_MINOR\fR and
+\&\fBOPENSSL_VERSION_PATCH\fR represent the three parts of a version
+identifier, \fR\f(BIMAJOR\fR\fB.\fR\f(BIMINOR\fR\fB.\fR\f(BIPATCH\fR\fB\fR.
.PP
-The macro \fB\s-1OPENSSL_VERSION_PRE_RELEASE\s0\fR is an added bit of text that
+The macro \fBOPENSSL_VERSION_PRE_RELEASE\fR is an added bit of text that
indicates that this is a pre-release version, such as \f(CW"\-dev"\fR for an
ongoing development snapshot or \f(CW"\-alpha3"\fR for an alpha release.
The value must be a string.
.PP
-The macro \fB\s-1OPENSSL_VERSION_BUILD_METADATA\s0\fR is extra information, reserved
+The macro \fBOPENSSL_VERSION_BUILD_METADATA\fR is extra information, reserved
for other parties, such as \f(CW"+fips"\fR, or \f(CW"+vendor.1"\fR).
The OpenSSL project will not touch this macro (will leave it an empty string).
The value must be a string.
.PP
-\&\fB\s-1OPENSSL_VERSION_STR\s0\fR is a convenience macro to get the short version
-identifier string, \f(CW"\f(CIMAJOR\f(CW.\f(CIMINOR\f(CW.\f(CIPATCH\f(CW"\fR.
+\&\fBOPENSSL_VERSION_STR\fR is a convenience macro to get the short version
+identifier string, \f(CW"\fR\f(CIMAJOR\fR\f(CW.\fR\f(CIMINOR\fR\f(CW.\fR\f(CIPATCH\fR\f(CW"\fR.
.PP
-\&\fB\s-1OPENSSL_FULL_VERSION_STR\s0\fR is a convenience macro to get the longer
-version identifier string, which combines \fB\s-1OPENSSL_VERSION_STR\s0\fR,
-\&\fB\s-1OPENSSL_VERSION_PRE_RELEASE\s0\fR and \fB\s-1OPENSSL_VERSION_BUILD_METADATA\s0\fR.
+\&\fBOPENSSL_FULL_VERSION_STR\fR is a convenience macro to get the longer
+version identifier string, which combines \fBOPENSSL_VERSION_STR\fR,
+\&\fBOPENSSL_VERSION_PRE_RELEASE\fR and \fBOPENSSL_VERSION_BUILD_METADATA\fR.
.PP
-\&\fB\s-1OPENSSL_VERSION_TEXT\s0\fR is a convenience macro to get a full descriptive
-version text, which includes \fB\s-1OPENSSL_FULL_VERSION_STR\s0\fR and the release
+\&\fBOPENSSL_VERSION_TEXT\fR is a convenience macro to get a full descriptive
+version text, which includes \fBOPENSSL_FULL_VERSION_STR\fR and the release
date.
.PP
-\&\fB\s-1OPENSSL_VERSION_PREREQ\s0\fR is a useful macro for checking whether the OpenSSL
+\&\fBOPENSSL_VERSION_PREREQ\fR is a useful macro for checking whether the OpenSSL
version for the headers in use is at least at the given pre-requisite major
(\fBmaj\fR) and minor (\fBmin\fR) number or not. It will evaluate to true if the
-header version number (\fB\s-1OPENSSL_VERSION_MAJOR\s0\fR.\fB\s-1OPENSSL_VERSION_MINOR\s0\fR) is
+header version number (\fBOPENSSL_VERSION_MAJOR\fR.\fBOPENSSL_VERSION_MINOR\fR) is
greater than or equal to \fBmaj\fR.\fBmin\fR.
.PP
-\&\fB\s-1OPENSSL_VERSION_NUMBER\s0\fR is a combination of the major, minor and
+\&\fBOPENSSL_VERSION_NUMBER\fR is a combination of the major, minor and
patch version into a single integer 0xMNN00PP0L, where:
-.IP "M" 4
+.IP M 4
.IX Item "M"
-is the number from \fB\s-1OPENSSL_VERSION_MAJOR\s0\fR, in hexadecimal notation
-.IP "\s-1NN\s0" 4
+is the number from \fBOPENSSL_VERSION_MAJOR\fR, in hexadecimal notation
+.IP NN 4
.IX Item "NN"
-is the number from \fB\s-1OPENSSL_VERSION_MINOR\s0\fR, in hexadecimal notation
-.IP "\s-1PP\s0" 4
+is the number from \fBOPENSSL_VERSION_MINOR\fR, in hexadecimal notation
+.IP PP 4
.IX Item "PP"
-is the number from \fB\s-1OPENSSL_VERSION_PATCH\s0\fR, in hexadecimal notation
-.SS "Functions"
+is the number from \fBOPENSSL_VERSION_PATCH\fR, in hexadecimal notation
+.SS Functions
.IX Subsection "Functions"
\&\fBOPENSSL_version_major()\fR, \fBOPENSSL_version_minor()\fR, \fBOPENSSL_version_patch()\fR,
\&\fBOPENSSL_version_pre_release()\fR, and \fBOPENSSL_version_build_metadata()\fR return
the values of the macros above for the build of the library, respectively.
.PP
\&\fBOpenSSL_version()\fR returns different strings depending on \fIt\fR:
-.IP "\s-1OPENSSL_VERSION\s0" 4
+.IP OPENSSL_VERSION 4
.IX Item "OPENSSL_VERSION"
-The value of \fB\s-1OPENSSL_VERSION_TEXT\s0\fR
-.IP "\s-1OPENSSL_VERSION_STRING\s0" 4
+The value of \fBOPENSSL_VERSION_TEXT\fR
+.IP OPENSSL_VERSION_STRING 4
.IX Item "OPENSSL_VERSION_STRING"
-The value of \fB\s-1OPENSSL_VERSION_STR\s0\fR
-.IP "\s-1OPENSSL_FULL_VERSION_STRING\s0" 4
+The value of \fBOPENSSL_VERSION_STR\fR
+.IP OPENSSL_FULL_VERSION_STRING 4
.IX Item "OPENSSL_FULL_VERSION_STRING"
-The value of \fB\s-1OPENSSL_FULL_VERSION_STR\s0\fR
-.IP "\s-1OPENSSL_CFLAGS\s0" 4
+The value of \fBOPENSSL_FULL_VERSION_STR\fR
+.IP OPENSSL_CFLAGS 4
.IX Item "OPENSSL_CFLAGS"
The compiler flags set for the compilation process in the form
\&\f(CW\*(C`compiler: ...\*(C'\fR if available, or \f(CW\*(C`compiler: information not available\*(C'\fR
otherwise.
-.IP "\s-1OPENSSL_BUILT_ON\s0" 4
+.IP OPENSSL_BUILT_ON 4
.IX Item "OPENSSL_BUILT_ON"
The date of the build process in the form \f(CW\*(C`built on: ...\*(C'\fR if available
or \f(CW\*(C`built on: date not available\*(C'\fR otherwise.
The date would not be available in a reproducible build, for example.
-.IP "\s-1OPENSSL_PLATFORM\s0" 4
+.IP OPENSSL_PLATFORM 4
.IX Item "OPENSSL_PLATFORM"
-The \*(L"Configure\*(R" target of the library build in the form \f(CW\*(C`platform: ...\*(C'\fR
+The "Configure" target of the library build in the form \f(CW\*(C`platform: ...\*(C'\fR
if available, or \f(CW\*(C`platform: information not available\*(C'\fR otherwise.
-.IP "\s-1OPENSSL_DIR\s0" 4
+.IP OPENSSL_DIR 4
.IX Item "OPENSSL_DIR"
-The \fB\s-1OPENSSLDIR\s0\fR setting of the library build in the form \f(CW\*(C`OPENSSLDIR: "..."\*(C'\fR
+The \fBOPENSSLDIR\fR setting of the library build in the form \f(CW\*(C`OPENSSLDIR: "..."\*(C'\fR
if available, or \f(CW\*(C`OPENSSLDIR: N/A\*(C'\fR otherwise.
-.IP "\s-1OPENSSL_ENGINES_DIR\s0" 4
+.IP OPENSSL_ENGINES_DIR 4
.IX Item "OPENSSL_ENGINES_DIR"
-The \fB\s-1ENGINESDIR\s0\fR setting of the library build in the form \f(CW\*(C`ENGINESDIR: "..."\*(C'\fR
+The \fBENGINESDIR\fR setting of the library build in the form \f(CW\*(C`ENGINESDIR: "..."\*(C'\fR
if available, or \f(CW\*(C`ENGINESDIR: N/A\*(C'\fR otherwise. This option is deprecated in
OpenSSL 3.0.
-.IP "\s-1OPENSSL_MODULES_DIR\s0" 4
+.IP OPENSSL_MODULES_DIR 4
.IX Item "OPENSSL_MODULES_DIR"
-The \fB\s-1MODULESDIR\s0\fR setting of the library build in the form \f(CW\*(C`MODULESDIR: "..."\*(C'\fR
+The \fBMODULESDIR\fR setting of the library build in the form \f(CW\*(C`MODULESDIR: "..."\*(C'\fR
if available, or \f(CW\*(C`MODULESDIR: N/A\*(C'\fR otherwise.
-.IP "\s-1OPENSSL_CPU_INFO\s0" 4
+.IP OPENSSL_CPU_INFO 4
.IX Item "OPENSSL_CPU_INFO"
The current OpenSSL cpu settings.
This is the current setting of the cpu capability flags. It is usually
@@ -276,71 +200,87 @@ automatically configured but may be set via an environment variable.
The value has the same syntax as the environment variable.
For x86 the string looks like \f(CW\*(C`CPUINFO: OPENSSL_ia32cap=0x123:0x456\*(C'\fR
or \f(CW\*(C`CPUINFO: N/A\*(C'\fR if not available.
+.IP OPENSSL_WINCTX 4
+.IX Item "OPENSSL_WINCTX"
+The Windows install context.
+The Windows install context is used to compute the OpenSSL registry key name
+on Windows. The full registry key is
+\&\f(CW\*(C`SOFTWARE\eWOW6432Node\eOpenSSL\-{major}.{minor}\-{context}\*(C'\fR, where \f(CW\*(C`{major}\*(C'\fR,
+\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL's major version number, minor version
+number and the Windows install context, respectively.
.PP
For an unknown \fIt\fR, the text \f(CW\*(C`not available\*(C'\fR is returned.
.PP
\&\fBOPENSSL_info()\fR also returns different strings depending on \fIt\fR:
-.IP "\s-1OPENSSL_INFO_CONFIG_DIR\s0" 4
+.IP OPENSSL_INFO_CONFIG_DIR 4
.IX Item "OPENSSL_INFO_CONFIG_DIR"
The configured \f(CW\*(C`OPENSSLDIR\*(C'\fR, which is the default location for
OpenSSL configuration files.
-.IP "\s-1OPENSSL_INFO_ENGINES_DIR\s0" 4
+.IP OPENSSL_INFO_ENGINES_DIR 4
.IX Item "OPENSSL_INFO_ENGINES_DIR"
The configured \f(CW\*(C`ENGINESDIR\*(C'\fR, which is the default location for
OpenSSL engines.
-.IP "\s-1OPENSSL_INFO_MODULES_DIR\s0" 4
+.IP OPENSSL_INFO_MODULES_DIR 4
.IX Item "OPENSSL_INFO_MODULES_DIR"
The configured \f(CW\*(C`MODULESDIR\*(C'\fR, which is the default location for
dynamically loadable OpenSSL modules other than engines.
-.IP "\s-1OPENSSL_INFO_DSO_EXTENSION\s0" 4
+.IP OPENSSL_INFO_DSO_EXTENSION 4
.IX Item "OPENSSL_INFO_DSO_EXTENSION"
The configured dynamically loadable module extension.
-.IP "\s-1OPENSSL_INFO_DIR_FILENAME_SEPARATOR\s0" 4
+.IP OPENSSL_INFO_DIR_FILENAME_SEPARATOR 4
.IX Item "OPENSSL_INFO_DIR_FILENAME_SEPARATOR"
The separator between a directory specification and a filename.
Note that on some operating systems, this is not the same as the
separator between directory elements.
-.IP "\s-1OPENSSL_INFO_LIST_SEPARATOR\s0" 4
+.IP OPENSSL_INFO_LIST_SEPARATOR 4
.IX Item "OPENSSL_INFO_LIST_SEPARATOR"
The OpenSSL list separator.
This is typically used in strings that are lists of items, such as the
value of the environment variable \f(CW$PATH\fR on Unix (where the
separator is \f(CW\*(C`:\*(C'\fR) or \f(CW\*(C`%PATH%\*(C'\fR on Windows (where the separator is
\&\f(CW\*(C`;\*(C'\fR).
-.IP "\s-1OPENSSL_INFO_CPU_SETTINGS\s0" 4
+.IP OPENSSL_INFO_CPU_SETTINGS 4
.IX Item "OPENSSL_INFO_CPU_SETTINGS"
The current OpenSSL cpu settings.
This is the current setting of the cpu capability flags. It is usually
automatically configured but may be set via an environment variable.
The value has the same syntax as the environment variable.
For x86 the string looks like \f(CW\*(C`OPENSSL_ia32cap=0x123:0x456\*(C'\fR.
+.IP OPENSSL_INFO_WINDOWS_CONTEXT 4
+.IX Item "OPENSSL_INFO_WINDOWS_CONTEXT"
+The Windows install context.
+The Windows install context is used to compute the OpenSSL registry key name
+on Windows. The full registry key is
+\&\f(CW\*(C`SOFTWARE\eWOW6432Node\eOpenSSL\-{major}.{minor}\-{context}\*(C'\fR, where \f(CW\*(C`{major}\*(C'\fR,
+\&\f(CW\*(C`{minor}\*(C'\fR and \f(CW\*(C`{context}\*(C'\fR are OpenSSL's major version number, minor version
+number and the Windows install context, respectively.
.PP
-For an unknown \fIt\fR, \s-1NULL\s0 is returned.
+For an unknown \fIt\fR, NULL is returned.
.PP
-\&\fBOpenSSL_version_num()\fR returns the value of \fB\s-1OPENSSL_VERSION_NUMBER\s0\fR.
+\&\fBOpenSSL_version_num()\fR returns the value of \fBOPENSSL_VERSION_NUMBER\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOPENSSL_version_major()\fR, \fBOPENSSL_version_minor()\fR and \fBOPENSSL_version_patch()\fR
return the version number parts as integers.
.PP
\&\fBOPENSSL_version_pre_release()\fR and \fBOPENSSL_version_build_metadata()\fR return
-the values of \fB\s-1OPENSSL_VERSION_PRE_RELEASE\s0\fR and
-\&\fB\s-1OPENSSL_VERSION_BUILD_METADATA\s0\fR respectively as constant strings.
+the values of \fBOPENSSL_VERSION_PRE_RELEASE\fR and
+\&\fBOPENSSL_VERSION_BUILD_METADATA\fR respectively as constant strings.
For any of them that is undefined, the empty string is returned.
.PP
\&\fBOpenSSL_version()\fR returns constant strings.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The macros and functions described here were added in OpenSSL 3.0,
-except for \s-1OPENSSL_VERSION_NUMBER\s0 and \fBOpenSSL_version_num()\fR.
-.SH "COPYRIGHT"
+except for OPENSSL_VERSION_NUMBER and \fBOpenSSL_version_num()\fR.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3 b/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3
new file mode 100644
index 000000000000..b11f4b1a6bb1
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/PBMAC1_get1_pbkdf2_param.3
@@ -0,0 +1,98 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "PBMAC1_GET1_PBKDF2_PARAM 3ossl"
+.TH PBMAC1_GET1_PBKDF2_PARAM 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+PBMAC1_get1_pbkdf2_param \- Function to manipulate a PBMAC1
+MAC structure
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509.h>
+\&
+\& PBKDF2PARAM *PBMAC1_get1_pbkdf2_param(const X509_ALGOR *macalg);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBPBMAC1_get1_pbkdf2_param()\fR retrieves a \fBPBKDF2PARAM\fR structure from an
+\&\fIX509_ALGOR\fR structure.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBPBMAC1_get1_pbkdf2_param()\fR returns NULL in case when PBMAC1 uses an algorithm
+apart from \fBPBKDF2\fR or when passed incorrect parameters and a pointer to
+\&\fBPBKDF2PARAM\fR structure otherwise.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+IETF RFC 9579 (<https://tools.ietf.org/html/rfc9579>)
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-pkcs12\fR\|(1)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fIPBMAC1_get1_pbkdf2_param\fR function was added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3
index 4ac89b8c4e65..769166fc975b 100644
--- a/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3
+++ b/secure/lib/libcrypto/man/man3/PEM_X509_INFO_read_bio_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_X509_INFO_READ_BIO_EX 3ossl"
-.TH PEM_X509_INFO_READ_BIO_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_X509_INFO_READ_BIO_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PEM_X509_INFO_read_ex, PEM_X509_INFO_read, PEM_X509_INFO_read_bio_ex, PEM_X509_INFO_read_bio
\&\- read PEM\-encoded data structures into one or more X509_INFO objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
@@ -158,32 +82,32 @@ PEM_X509_INFO_read_ex, PEM_X509_INFO_read, PEM_X509_INFO_read_bio_ex, PEM_X509_I
\& STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
\& pem_password_cb *cb, void *u);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPEM_X509_INFO_read_ex()\fR loads the \fBX509_INFO\fR objects from a file \fIfp\fR.
.PP
\&\fBPEM_X509_INFO_read()\fR is similar to \fBPEM_X509_INFO_read_ex()\fR
-but uses the default (\s-1NULL\s0) library context \fIlibctx\fR
+but uses the default (NULL) library context \fIlibctx\fR
and empty property query \fIpropq\fR.
.PP
\&\fBPEM_X509_INFO_read_bio_ex()\fR loads the \fBX509_INFO\fR objects using a bio \fIbp\fR.
.PP
\&\fBPEM_X509_INFO_read_bio()\fR is similar to \fBPEM_X509_INFO_read_bio_ex()\fR
-but uses the default (\s-1NULL\s0) library context \fIlibctx\fR
+but uses the default (NULL) library context \fIlibctx\fR
and empty property query \fIpropq\fR.
.PP
-Each of the loaded \fBX509_INFO\fR objects can contain a \s-1CRL,\s0 a certificate,
+Each of the loaded \fBX509_INFO\fR objects can contain a CRL, a certificate,
and/or a private key.
The elements are read sequentially, and as far as they are of different type than
the elements read before, they are combined into the same \fBX509_INFO\fR object.
The idea behind this is that if, for instance, a certificate is followed by
a private key, the private key is supposed to correspond to the certificate.
.PP
-If the input stack \fIsk\fR is \s-1NULL\s0 a new stack is allocated,
+If the input stack \fIsk\fR is NULL a new stack is allocated,
else the given stack is extended.
.PP
The optional \fIcb\fR and \fIu\fR parameters can be used for providing a pass phrase
-needed for decrypting encrypted \s-1PEM\s0 structures (normally only private keys).
+needed for decrypting encrypted PEM structures (normally only private keys).
See \fBPEM_read_bio_PrivateKey\fR\|(3) and \fBpassphrase\-encoding\fR\|(7) for details.
.PP
The library context \fIlibctx\fR and property query \fIpropq\fR are used for fetching
@@ -192,21 +116,21 @@ algorithms from providers.
.IX Header "RETURN VALUES"
\&\fBPEM_X509_INFO_read_ex()\fR, \fBPEM_X509_INFO_read()\fR,
\&\fBPEM_X509_INFO_read_bio_ex()\fR and \fBPEM_X509_INFO_read_bio()\fR return
-a stack of \fBX509_INFO\fR objects or \s-1NULL\s0 on failure.
+a stack of \fBX509_INFO\fR objects or NULL on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_read_bio_ex\fR\|(3),
\&\fBPEM_read_bio_PrivateKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBPEM_X509_INFO_read_ex()\fR and
\&\fBPEM_X509_INFO_read_bio_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3
index 74cdb4a2d001..e2fac483f2ec 100644
--- a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3
+++ b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_BYTES_READ_BIO 3ossl"
-.TH PEM_BYTES_READ_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_BYTES_READ_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PEM_bytes_read_bio, PEM_bytes_read_bio_secmem \- read a PEM\-encoded data structure from a BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
@@ -150,23 +74,23 @@ PEM_bytes_read_bio, PEM_bytes_read_bio_secmem \- read a PEM\-encoded data struct
\& const char *name, BIO *bp, pem_password_cb *cb,
\& void *u);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPEM_bytes_read_bio()\fR reads PEM-formatted (\s-1IETF RFC 1421\s0 and \s-1IETF RFC 7468\s0)
-data from the \s-1BIO\s0
-\&\fIbp\fR for the data type given in \fIname\fR (\s-1RSA PRIVATE KEY, CERTIFICATE,\s0
+\&\fBPEM_bytes_read_bio()\fR reads PEM-formatted (IETF RFC 1421 and IETF RFC 7468)
+data from the BIO
+\&\fIbp\fR for the data type given in \fIname\fR (RSA PRIVATE KEY, CERTIFICATE,
etc.). If multiple PEM-encoded data structures are present in the same
stream, \fBPEM_bytes_read_bio()\fR will skip non-matching data types and
continue reading. Non-PEM data present in the stream may cause an
error.
.PP
-The \s-1PEM\s0 header may indicate that the following data is encrypted; if so,
+The PEM header may indicate that the following data is encrypted; if so,
the data will be decrypted, waiting on user input to supply a passphrase
if needed. The password callback \fIcb\fR and rock \fIu\fR are used to obtain
the decryption passphrase, if applicable.
.PP
Some data types have compatibility aliases, such as a file containing
-X509 \s-1CERTIFICATE\s0 matching a request for the deprecated type \s-1CERTIFICATE.\s0
+X509 CERTIFICATE matching a request for the deprecated type CERTIFICATE.
The actual type indicated by the file is returned in \fI*pnm\fR if \fIpnm\fR is
non-NULL. The caller must free the storage pointed to by \fI*pnm\fR.
.PP
@@ -178,14 +102,14 @@ to by \fI*pdata\fR.
memory from the secure heap for its temporary buffers and the storage
returned in \fI*pdata\fR and \fI*pnm\fR. Accordingly, the caller must use
\&\fBOPENSSL_secure_free()\fR to free that storage.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBPEM_bytes_read_bio_secmem()\fR only enforces that the secure heap is used for
-storage allocated within the \s-1PEM\s0 processing stack. The \s-1BIO\s0 stack from
+storage allocated within the PEM processing stack. The BIO stack from
which input is read may also use temporary buffers, which are not necessarily
allocated from the secure heap. In cases where it is desirable to ensure
-that the contents of the \s-1PEM\s0 file only appears in memory from the secure heap,
-care is needed in generating the \s-1BIO\s0 passed as \fIbp\fR. In particular, the
+that the contents of the PEM file only appears in memory from the secure heap,
+care is needed in generating the BIO passed as \fIbp\fR. In particular, the
use of \fBBIO_s_file()\fR indicates the use of the operating system stdio
functionality, which includes buffering as a feature; \fBBIO_s_fd()\fR is likely
to be more appropriate in such cases.
@@ -201,14 +125,14 @@ It will simply be treated as a byte sequence.
.IX Header "SEE ALSO"
\&\fBPEM_read_bio_ex\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPEM_bytes_read_bio_secmem()\fR was introduced in OpenSSL 1.1.1
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read.3 b/secure/lib/libcrypto/man/man3/PEM_read.3
index 36793e7e5f89..06914a76e476 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ 3ossl"
-.TH PEM_READ 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_READ 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-PEM_write, PEM_write_bio,
-PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO
+.SH NAME
+PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO, PEM_write,
+PEM_write_bio, PEM_ASN1_write, PEM_ASN1_write_bio, PEM_ASN1_write_bio_ctx
\&\- PEM encoding routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
-\& int PEM_write(FILE *fp, const char *name, const char *header,
-\& const unsigned char *data, long len);
-\& int PEM_write_bio(BIO *bp, const char *name, const char *header,
-\& const unsigned char *data, long len);
-\&
\& int PEM_read(FILE *fp, char **name, char **header,
\& unsigned char **data, long *len);
\& int PEM_read_bio(BIO *bp, char **name, char **header,
@@ -158,15 +77,32 @@ PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO
\& int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cinfo);
\& int PEM_do_header(EVP_CIPHER_INFO *cinfo, unsigned char *data, long *len,
\& pem_password_cb *cb, void *u);
+\&
+\& int PEM_write(FILE *fp, const char *name, const char *header,
+\& const unsigned char *data, long len);
+\& int PEM_write_bio(BIO *bp, const char *name, const char *header,
+\& const unsigned char *data, long len);
+\& int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
+\& const void *x, const EVP_CIPHER *enc,
+\& const unsigned char *kstr, int klen,
+\& pem_password_cb *callback, void *u);
+\& int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
+\& const void *x, const EVP_CIPHER *enc,
+\& const unsigned char *kstr, int klen,
+\& pem_password_cb *callback, void *u);
+\& int PEM_ASN1_write_bio_ctx(OSSL_i2d_of_void_ctx *i2d, void *vctx,
+\& const char *name, BIO *bp, const void *x,
+\& const EVP_CIPHER *enc, const unsigned char *kstr,
+\& int klen, pem_password_cb *callback, void *u);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions read and write PEM-encoded objects, using the \s-1PEM\s0
+These functions read and write PEM-encoded objects, using the PEM
type \fBname\fR, any additional \fBheader\fR information, and the raw
\&\fBdata\fR of length \fBlen\fR.
.PP
-\&\s-1PEM\s0 is the term used for binary content encoding first defined in \s-1IETF
-RFC 1421.\s0 The content is a series of base64\-encoded lines, surrounded
+PEM is the term used for binary content encoding first defined in IETF
+RFC 1421. The content is a series of base64\-encoded lines, surrounded
by begin/end markers each on their own line. For example:
.PP
.Vb 4
@@ -180,19 +116,19 @@ Optional header line(s) may appear after the begin line, and their
existence depends on the type of object being written or read.
.PP
\&\fBPEM_write()\fR writes to the file \fBfp\fR, while \fBPEM_write_bio()\fR writes to
-the \s-1BIO\s0 \fBbp\fR. The \fBname\fR is the name to use in the marker, the
-\&\fBheader\fR is the header value or \s-1NULL,\s0 and \fBdata\fR and \fBlen\fR specify
+the BIO \fBbp\fR. The \fBname\fR is the name to use in the marker, the
+\&\fBheader\fR is the header value or NULL, and \fBdata\fR and \fBlen\fR specify
the data and its length.
.PP
-The final \fBdata\fR buffer is typically an \s-1ASN.1\s0 object which can be decoded with
+The final \fBdata\fR buffer is typically an ASN.1 object which can be decoded with
the \fBd2i\fR function appropriate to the type \fBname\fR; see \fBd2i_X509\fR\|(3)
for examples.
.PP
\&\fBPEM_read()\fR reads from the file \fBfp\fR, while \fBPEM_read_bio()\fR reads
-from the \s-1BIO\s0 \fBbp\fR.
-Both skip any non-PEM data that precedes the start of the next \s-1PEM\s0 object.
-When an object is successfully retrieved, the type name from the \*(L"\-\-\-\-BEGIN
-<type>\-\-\-\-\-\*(R" is returned via the \fBname\fR argument, any encapsulation headers
+from the BIO \fBbp\fR.
+Both skip any non-PEM data that precedes the start of the next PEM object.
+When an object is successfully retrieved, the type name from the "\-\-\-\-BEGIN
+<type>\-\-\-\-\-" is returned via the \fBname\fR argument, any encapsulation headers
are returned in \fBheader\fR and the base64\-decoded content and its length are
returned via \fBdata\fR and \fBlen\fR respectively.
The \fBname\fR, \fBheader\fR and \fBdata\fR pointers are allocated via \fBOPENSSL_malloc()\fR
@@ -200,14 +136,14 @@ and should be freed by the caller via \fBOPENSSL_free()\fR when no longer needed
.PP
\&\fBPEM_get_EVP_CIPHER_INFO()\fR can be used to determine the \fBdata\fR returned by
\&\fBPEM_read()\fR or \fBPEM_read_bio()\fR is encrypted and to retrieve the associated cipher
-and \s-1IV.\s0
-The caller passes a pointer to structure of type \fB\s-1EVP_CIPHER_INFO\s0\fR via the
+and IV.
+The caller passes a pointer to structure of type \fBEVP_CIPHER_INFO\fR via the
\&\fBcinfo\fR argument and the \fBheader\fR returned via \fBPEM_read()\fR or \fBPEM_read_bio()\fR.
-If the call is successful 1 is returned and the cipher and \s-1IV\s0 are stored at the
+If the call is successful 1 is returned and the cipher and IV are stored at the
address pointed to by \fBcinfo\fR.
When the header is malformed, or not supported or when the cipher is unknown
or some internal error happens 0 is returned.
-This function is deprecated, see \fB\s-1NOTES\s0\fR below.
+This function is deprecated, see \fBNOTES\fR below.
.PP
\&\fBPEM_do_header()\fR can then be used to decrypt the data if the header
indicates encryption.
@@ -219,45 +155,55 @@ The \fBcb\fR and \fBu\fR arguments make it possible to override the default pass
prompt function as described in \fBPEM_read_PrivateKey\fR\|(3).
On successful completion the \fBdata\fR is decrypted in place, and \fBlen\fR is
updated to indicate the plaintext length.
-This function is deprecated, see \fB\s-1NOTES\s0\fR below.
+This function is deprecated, see \fBNOTES\fR below.
.PP
If the data is a priori known to not be encrypted, then neither \fBPEM_do_header()\fR
nor \fBPEM_get_EVP_CIPHER_INFO()\fR need be called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPEM_read()\fR and \fBPEM_read_bio()\fR return 1 on success and 0 on failure, the latter
-includes the case when no more \s-1PEM\s0 objects remain in the input file.
-To distinguish end of file from more serious errors the caller must peek at the
-error stack and check for \fB\s-1PEM_R_NO_START_LINE\s0\fR, which indicates that no more
-\&\s-1PEM\s0 objects were found. See \fBERR_peek_last_error\fR\|(3), \s-1\fBERR_GET_REASON\s0\fR\|(3).
+\&\fBPEM_read()\fR, and \fBPEM_read_bio()\fR return 1 on success and 0 on failure, the latter
+includes the case when no more PEM objects remain in the input file. To
+distinguish end of file from more serious errors the caller must peek at the
+error stack and check for \fBPEM_R_NO_START_LINE\fR, which indicates that no more
+PEM objects were found. See \fBERR_peek_last_error\fR\|(3), \fBERR_GET_REASON\fR\|(3).
.PP
\&\fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR return 1 on success, and 0 on
failure.
The \fBdata\fR is likely meaningless if these functions fail.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The \fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR functions are deprecated.
-This is because the underlying \s-1PEM\s0 encryption format is obsolete, and should
+This is because the underlying PEM encryption format is obsolete, and should
be avoided.
It uses an encryption format with an OpenSSL-specific key-derivation function,
-which employs \s-1MD5\s0 with an iteration count of 1!
+which employs MD5 with an iteration count of 1!
Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5
-v2.0 \s-1PBE.\s0
+v2.0 PBE.
See \fBPEM_write_PrivateKey\fR\|(3) and \fBd2i_PKCS8PrivateKey_bio\fR\|(3).
.PP
\&\fBPEM_do_header()\fR makes no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
+.PP
+\&\fBPEM_write()\fR and \fBPEM_write_bio()\fR return the number of encoded bytes (not
+counting the PEM header and end marker) written on success or 0 on failure.
+.PP
+\&\fBPEM_ASN1_write_bio()\fR, and \fBPEM_ASN1_write_bio_ctx()\fR return 1 on success and 0 on
+failure. The latter function passes an additional application-provided context
+value to the \fBi2d\fR function that serialises the input ASN.1 object.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBERR_peek_last_error\fR\|(3), \s-1\fBERR_GET_LIB\s0\fR\|(3),
+\&\fBERR_peek_last_error\fR\|(3), \fBERR_GET_LIB\fR\|(3),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBPEM_ASN1_write_bio_ctx()\fR function was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 1998\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 1998\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3
index 79e84d0d0fad..948657e0d2f6 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ_CMS 3ossl"
-.TH PEM_READ_CMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_READ_CMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DECLARE_PEM_rw,
PEM_read_CMS,
PEM_read_bio_CMS,
@@ -176,7 +100,7 @@ PEM_read_bio_X509_PUBKEY,
PEM_write_X509_PUBKEY,
PEM_write_bio_X509_PUBKEY
\&\- PEM object encoding routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
@@ -190,7 +114,7 @@ PEM_write_bio_X509_PUBKEY
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -217,50 +141,50 @@ see \fBopenssl_user_macros\fR\|(7):
\& const unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should use \fBOSSL_ENCODER_to_bio()\fR and \fBOSSL_DECODER_from_bio()\fR
instead.
.PP
-In the description below, \fB\f(BI\s-1TYPE\s0\fB\fR is used
+In the description below, \fR\f(BITYPE\fR\fB\fR is used
as a placeholder for any of the OpenSSL datatypes, such as \fBX509\fR.
The macro \fBDECLARE_PEM_rw\fR expands to the set of declarations shown in
the next four lines of the synopsis.
.PP
-These routines convert between local instances of \s-1ASN1\s0 datatypes and
-the \s-1PEM\s0 encoding. For more information on the templates, see
-\&\s-1\fBASN1_ITEM\s0\fR\|(3). For more information on the lower-level routines used
+These routines convert between local instances of ASN1 datatypes and
+the PEM encoding. For more information on the templates, see
+\&\fBASN1_ITEM\fR\|(3). For more information on the lower-level routines used
by the functions here, see \fBPEM_read\fR\|(3).
.PP
-\&\fBPEM_read_\f(BI\s-1TYPE\s0\fB\fR() reads a PEM-encoded object of \fB\f(BI\s-1TYPE\s0\fB\fR from the file
+\&\fBPEM_read_\fR\f(BITYPE\fR() reads a PEM-encoded object of \fB\fR\f(BITYPE\fR\fB\fR from the file
\&\fIfp\fR and returns it. The \fIcb\fR and \fIu\fR parameters are as described in
\&\fBpem_password_cb\fR\|(3).
.PP
-\&\fBPEM_read_bio_\f(BI\s-1TYPE\s0\fB\fR() is similar to \fBPEM_read_\f(BI\s-1TYPE\s0\fB\fR() but reads from
-the \s-1BIO\s0 \fIbp\fR.
+\&\fBPEM_read_bio_\fR\f(BITYPE\fR() is similar to \fBPEM_read_\fR\f(BITYPE\fR\fB\fR() but reads from
+the BIO \fIbp\fR.
.PP
-\&\fBPEM_write_\f(BI\s-1TYPE\s0\fB\fR() writes the \s-1PEM\s0 encoding of the object \fIa\fR to the file
+\&\fBPEM_write_\fR\f(BITYPE\fR() writes the PEM encoding of the object \fIa\fR to the file
\&\fIfp\fR.
.PP
-\&\fBPEM_write_bio_\f(BI\s-1TYPE\s0\fB\fR() similarly writes to the \s-1BIO\s0 \fIbp\fR.
-.SH "NOTES"
+\&\fBPEM_write_bio_\fR\f(BITYPE\fR() similarly writes to the BIO \fIbp\fR.
+.SH NOTES
.IX Header "NOTES"
These functions make no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPEM_read_\f(BI\s-1TYPE\s0\fB\fR() and \fBPEM_read_bio_\f(BI\s-1TYPE\s0\fB\fR() return a pointer to an
-allocated object, which should be released by calling \fB\f(BI\s-1TYPE\s0\fB_free\fR(), or
-\&\s-1NULL\s0 on error.
+\&\fBPEM_read_\fR\f(BITYPE\fR() and \fBPEM_read_bio_\fR\f(BITYPE\fR\fB\fR() return a pointer to an
+allocated object, which should be released by calling \fB\fR\f(BITYPE\fR\fB_free\fR(), or
+NULL on error.
.PP
-\&\fBPEM_write_\f(BI\s-1TYPE\s0\fB\fR() and \fBPEM_write_bio_\f(BI\s-1TYPE\s0\fB\fR() return 1 for success or 0 for failure.
+\&\fBPEM_write_\fR\f(BITYPE\fR() and \fBPEM_write_bio_\fR\f(BITYPE\fR\fB\fR() return 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_read\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBPEM_write_DHxparams()\fR, \fBPEM_write_bio_DHxparams()\fR,
\&\fBPEM_read_ECPKParameters()\fR, \fBPEM_read_bio_ECPKParameters()\fR,
@@ -270,11 +194,11 @@ The functions \fBPEM_write_DHxparams()\fR, \fBPEM_write_bio_DHxparams()\fR,
\&\fBPEM_read_ECPrivateKey()\fR, \fBPEM_read_bio_ECPrivateKey()\fR,
\&\fBPEM_write_ECPrivateKey()\fR and \fBPEM_write_bio_ECPrivateKey()\fR
were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 1998\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3
index 2b22e6489464..be2246fce6fa 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ_BIO_PRIVATEKEY 3ossl"
-.TH PEM_READ_BIO_PRIVATEKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_READ_BIO_PRIVATEKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
pem_password_cb,
PEM_read_bio_PrivateKey_ex, PEM_read_bio_PrivateKey,
PEM_read_PrivateKey_ex, PEM_read_PrivateKey,
@@ -161,13 +85,15 @@ PEM_write_bio_Parameters, PEM_read_bio_DSAparams, PEM_read_DSAparams,
PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams,
PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams,
PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509,
+PEM_read_bio_X509_ACERT, PEM_read_X509_ACERT,
+PEM_write_bio_X509_ACERT, PEM_write_X509_ACERT,
PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX,
PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ,
PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW,
PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL,
PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7,
PEM_write_bio_PKCS7, PEM_write_PKCS7 \- PEM routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
@@ -243,6 +169,13 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 \- PEM routines
\& int PEM_write_bio_X509(BIO *bp, X509 *x);
\& int PEM_write_X509(FILE *fp, X509 *x);
\&
+\& X509_ACERT *PEM_read_bio_X509_ACERT(BIO *bp, X509_ACERT **x,
+\& pem_password_cb *cb, void *u);
+\& X509_ACERT *PEM_read_X509_ACERT(FILE *fp, X509_ACERT **x,
+\& pem_password_cb *cb, void *u);
+\& int PEM_write_bio_X509_ACERT(BIO *bp, X509_ACERT *x);
+\& int PEM_write_X509_ACERT(FILE *fp, X509_ACERT *x);
+\&
\& X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
\& X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
\& int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
@@ -271,7 +204,7 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 \- PEM routines
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -327,23 +260,23 @@ see \fBopenssl_user_macros\fR\|(7):
\& int PEM_write_bio_DHparams(BIO *bp, DH *x);
\& int PEM_write_DHparams(FILE *fp, DH *x);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-All of the functions described on this page that have a \fI\s-1TYPE\s0\fR of \fB\s-1DH\s0\fR, \fB\s-1DSA\s0\fR
-and \fB\s-1RSA\s0\fR are deprecated. Applications should use \fBOSSL_ENCODER_to_bio\fR\|(3) and
+All of the functions described on this page that have a \fITYPE\fR of \fBDH\fR, \fBDSA\fR
+and \fBRSA\fR are deprecated. Applications should use \fBOSSL_ENCODER_to_bio\fR\|(3) and
\&\fBOSSL_DECODER_from_bio\fR\|(3) instead.
.PP
-The \s-1PEM\s0 functions read or write structures in \s-1PEM\s0 format. In
-this sense \s-1PEM\s0 format is simply base64 encoded data surrounded
+The PEM functions read or write structures in PEM format. In
+this sense PEM format is simply base64 encoded data surrounded
by header lines.
.PP
For more details about the meaning of arguments see the
-\&\fB\s-1PEM FUNCTION ARGUMENTS\s0\fR section.
+\&\fBPEM FUNCTION ARGUMENTS\fR section.
.PP
Each operation has four functions associated with it. For
-brevity the term "\fB\f(BI\s-1TYPE\s0\fB\fR functions" will be used below to collectively
-refer to the \fBPEM_read_bio_\f(BI\s-1TYPE\s0\fB\fR(), \fBPEM_read_\f(BI\s-1TYPE\s0\fB\fR(),
-\&\fBPEM_write_bio_\f(BI\s-1TYPE\s0\fB\fR(), and \fBPEM_write_\f(BI\s-1TYPE\s0\fB\fR() functions.
+brevity the term "\fR\f(BITYPE\fR\fB\fR functions" will be used below to collectively
+refer to the \fBPEM_read_bio_\fR\f(BITYPE\fR\fB\fR(), \fBPEM_read_\fR\f(BITYPE\fR\fB\fR(),
+\&\fBPEM_write_bio_\fR\f(BITYPE\fR\fB\fR(), and \fBPEM_write_\fR\f(BITYPE\fR\fB\fR() functions.
.PP
Some operations have additional variants that take a library context \fIlibctx\fR
and a property query string \fIpropq\fR. The \fBX509\fR, \fBX509_REQ\fR and \fBX509_CRL\fR
@@ -353,70 +286,70 @@ query string parameter. In this case it is possible to set the appropriate
library context or property query string by creating an empty \fBX509\fR,
\&\fBX509_REQ\fR or \fBX509_CRL\fR object using \fBX509_new_ex\fR\|(3), \fBX509_REQ_new_ex\fR\|(3)
or \fBX509_CRL_new_ex\fR\|(3) respectively. Then pass the empty object as a parameter
-to the relevant \s-1PEM\s0 function. See the \*(L"\s-1EXAMPLES\*(R"\s0 section below.
+to the relevant PEM function. See the "EXAMPLES" section below.
.PP
-The \fBPrivateKey\fR functions read or write a private key in \s-1PEM\s0 format using
-an \s-1EVP_PKEY\s0 structure. The write routines use PKCS#8 private key format and are
+The \fBPrivateKey\fR functions read or write a private key in PEM format using
+an EVP_PKEY structure. The write routines use PKCS#8 private key format and are
equivalent to \fBPEM_write_bio_PKCS8PrivateKey()\fR. The read functions transparently
handle traditional and PKCS#8 format encrypted and unencrypted keys.
.PP
\&\fBPEM_write_bio_PrivateKey_traditional()\fR writes out a private key in the
-\&\*(L"traditional\*(R" format with a simple private key marker and should only
+"traditional" format with a simple private key marker and should only
be used for compatibility with legacy programs.
.PP
\&\fBPEM_write_bio_PKCS8PrivateKey()\fR and \fBPEM_write_PKCS8PrivateKey()\fR write a private
-key in an \s-1EVP_PKEY\s0 structure in PKCS#8 EncryptedPrivateKeyInfo format using
+key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo format using
PKCS#5 v2.0 password based encryption algorithms. The \fIcipher\fR argument
-specifies the encryption algorithm to use: unlike some other \s-1PEM\s0 routines the
-encryption is applied at the PKCS#8 level and not in the \s-1PEM\s0 headers. If
-\&\fIcipher\fR is \s-1NULL\s0 then no encryption is used and a PKCS#8 PrivateKeyInfo
+specifies the encryption algorithm to use: unlike some other PEM routines the
+encryption is applied at the PKCS#8 level and not in the PEM headers. If
+\&\fIcipher\fR is NULL then no encryption is used and a PKCS#8 PrivateKeyInfo
structure is used instead.
.PP
\&\fBPEM_write_bio_PKCS8PrivateKey_nid()\fR and \fBPEM_write_PKCS8PrivateKey_nid()\fR
also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
-to use is specified in the \fInid\fR parameter and should be the \s-1NID\s0 of the
-corresponding \s-1OBJECT IDENTIFIER\s0 (see \s-1NOTES\s0 section).
+to use is specified in the \fInid\fR parameter and should be the NID of the
+corresponding OBJECT IDENTIFIER (see NOTES section).
.PP
-The \fB\s-1PUBKEY\s0\fR functions process a public key using an \s-1EVP_PKEY\s0
+The \fBPUBKEY\fR functions process a public key using an EVP_PKEY
structure. The public key is encoded as a SubjectPublicKeyInfo
structure.
.PP
-The \fBRSAPrivateKey\fR functions process an \s-1RSA\s0 private key using an
-\&\s-1RSA\s0 structure. The write routines uses traditional format. The read
+The \fBRSAPrivateKey\fR functions process an RSA private key using an
+RSA structure. The write routines uses traditional format. The read
routines handles the same formats as the \fBPrivateKey\fR
-functions but an error occurs if the private key is not \s-1RSA.\s0
+functions but an error occurs if the private key is not RSA.
.PP
-The \fBRSAPublicKey\fR functions process an \s-1RSA\s0 public key using an
-\&\s-1RSA\s0 structure. The public key is encoded using a PKCS#1 RSAPublicKey
+The \fBRSAPublicKey\fR functions process an RSA public key using an
+RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey
structure.
.PP
-The \fB\s-1RSA_PUBKEY\s0\fR functions also process an \s-1RSA\s0 public key using
-an \s-1RSA\s0 structure. However, the public key is encoded using a
+The \fBRSA_PUBKEY\fR functions also process an RSA public key using
+an RSA structure. However, the public key is encoded using a
SubjectPublicKeyInfo structure and an error occurs if the public
-key is not \s-1RSA.\s0
+key is not RSA.
.PP
-The \fBDSAPrivateKey\fR functions process a \s-1DSA\s0 private key using a
-\&\s-1DSA\s0 structure. The write routines uses traditional format. The read
+The \fBDSAPrivateKey\fR functions process a DSA private key using a
+DSA structure. The write routines uses traditional format. The read
routines handles the same formats as the \fBPrivateKey\fR
-functions but an error occurs if the private key is not \s-1DSA.\s0
+functions but an error occurs if the private key is not DSA.
.PP
-The \fB\s-1DSA_PUBKEY\s0\fR functions process a \s-1DSA\s0 public key using
-a \s-1DSA\s0 structure. The public key is encoded using a
+The \fBDSA_PUBKEY\fR functions process a DSA public key using
+a DSA structure. The public key is encoded using a
SubjectPublicKeyInfo structure and an error occurs if the public
-key is not \s-1DSA.\s0
+key is not DSA.
.PP
-The \fBParameters\fR functions read or write key parameters in \s-1PEM\s0 format using
-an \s-1EVP_PKEY\s0 structure. The encoding depends on the type of key; for \s-1DSA\s0 key
-parameters, it will be a Dss-Parms structure as defined in \s-1RFC2459,\s0 and for \s-1DH\s0
+The \fBParameters\fR functions read or write key parameters in PEM format using
+an EVP_PKEY structure. The encoding depends on the type of key; for DSA key
+parameters, it will be a Dss-Parms structure as defined in RFC2459, and for DH
key parameters, it will be a PKCS#3 DHparameter structure. \fIThese functions
-only exist for the \f(BI\s-1BIO\s0\fI type\fR.
+only exist for the \fR\f(BIBIO\fR\fI type\fR.
.PP
-The \fBDSAparams\fR functions process \s-1DSA\s0 parameters using a \s-1DSA\s0
+The \fBDSAparams\fR functions process DSA parameters using a DSA
structure. The parameters are encoded using a Dss-Parms structure
-as defined in \s-1RFC2459.\s0
+as defined in RFC2459.
.PP
-The \fBDHparams\fR functions process \s-1DH\s0 parameters using a \s-1DH\s0
+The \fBDHparams\fR functions process DH parameters using a DH
structure. The parameters are encoded using a PKCS#3 DHparameter
structure.
.PP
@@ -424,60 +357,65 @@ The \fBX509\fR functions process an X509 certificate using an X509
structure. They will also process a trusted X509 certificate but
any trust settings are discarded.
.PP
+The \fBX509_ACERT\fR functions process an X509 attribute certificate using
+an X509_ACERT structure.
+.PP
The \fBX509_AUX\fR functions process a trusted X509 certificate using
an X509 structure.
.PP
The \fBX509_REQ\fR and \fBX509_REQ_NEW\fR functions process a PKCS#10
certificate request using an X509_REQ structure. The \fBX509_REQ\fR
-write functions use \fB\s-1CERTIFICATE REQUEST\s0\fR in the header whereas
-the \fBX509_REQ_NEW\fR functions use \fB\s-1NEW CERTIFICATE REQUEST\s0\fR
+write functions use \fBCERTIFICATE REQUEST\fR in the header whereas
+the \fBX509_REQ_NEW\fR functions use \fBNEW CERTIFICATE REQUEST\fR
(as required by some CAs). The \fBX509_REQ\fR read functions will
handle either form so there are no \fBX509_REQ_NEW\fR read functions.
.PP
-The \fBX509_CRL\fR functions process an X509 \s-1CRL\s0 using an X509_CRL
+The \fBX509_CRL\fR functions process an X509 CRL using an X509_CRL
structure.
.PP
-The \fB\s-1PKCS7\s0\fR functions process a PKCS#7 ContentInfo using a \s-1PKCS7\s0
+The \fBPKCS7\fR functions process a PKCS#7 ContentInfo using a PKCS7
structure.
.SH "PEM FUNCTION ARGUMENTS"
.IX Header "PEM FUNCTION ARGUMENTS"
-The \s-1PEM\s0 functions have many common arguments.
+The PEM functions have many common arguments.
.PP
-The \fIbp\fR \s-1BIO\s0 parameter (if present) specifies the \s-1BIO\s0 to read from
-or write to.
+The \fIbp\fR BIO parameter (if present) specifies the BIO to read from
+or write to. The \fIbp\fR BIO parameter \fBMUST NOT\fR be NULL.
.PP
-The \fIfp\fR \s-1FILE\s0 parameter (if present) specifies the \s-1FILE\s0 pointer to
+The \fIfp\fR FILE parameter (if present) specifies the FILE pointer to
read from or write to.
.PP
-The \s-1PEM\s0 read functions all take an argument \fI\f(BI\s-1TYPE\s0\fI **x\fR and return
-a \fI\f(BI\s-1TYPE\s0\fI *\fR pointer. Where \fI\f(BI\s-1TYPE\s0\fI\fR is whatever structure the function
-uses. If \fIx\fR is \s-1NULL\s0 then the parameter is ignored. If \fIx\fR is not
-\&\s-1NULL\s0 but \fI*x\fR is \s-1NULL\s0 then the structure returned will be written
-to \fI*x\fR. If neither \fIx\fR nor \fI*x\fR is \s-1NULL\s0 then an attempt is made
-to reuse the structure at \fI*x\fR (but see \s-1BUGS\s0 and \s-1EXAMPLES\s0 sections).
+The PEM read functions all take an argument \fR\f(BITYPE\fR\fI **x\fR and return
+a \fI\fR\f(BITYPE\fR\fI *\fR pointer. Where \fI\fR\f(BITYPE\fR\fI\fR is whatever structure the function
+uses. If \fIx\fR is NULL then the parameter is ignored. If \fIx\fR is not
+NULL but \fI*x\fR is NULL then the structure returned will be written
+to \fI*x\fR. If neither \fIx\fR nor \fI*x\fR is NULL then an attempt is made
+to reuse the structure at \fI*x\fR (but see BUGS and EXAMPLES sections).
Irrespective of the value of \fIx\fR a pointer to the structure is always
-returned (or \s-1NULL\s0 if an error occurred).
+returned (or NULL if an error occurred). The caller retains ownership of the
+returned object and needs to free it when it is no longer needed, e.g.
+using \fBX509_free()\fR for X509 objects or \fBEVP_PKEY_free()\fR for EVP_PKEY objects.
.PP
-The \s-1PEM\s0 functions which write private keys take an \fIenc\fR parameter
+The PEM functions which write private keys take an \fIenc\fR parameter
which specifies the encryption algorithm to use, encryption is done
-at the \s-1PEM\s0 level. If this parameter is set to \s-1NULL\s0 then the private
+at the PEM level. If this parameter is set to NULL then the private
key is written in unencrypted form.
.PP
The \fIcb\fR argument is the callback to use when querying for the pass
-phrase used for encrypted \s-1PEM\s0 structures (normally only private keys).
+phrase used for encrypted PEM structures (normally only private keys).
.PP
-For the \s-1PEM\s0 write routines if the \fIkstr\fR parameter is not \s-1NULL\s0 then
+For the PEM write routines if the \fIkstr\fR parameter is not NULL then
\&\fIklen\fR bytes at \fIkstr\fR are used as the passphrase and \fIcb\fR is
ignored.
.PP
-If the \fIcb\fR parameters is set to \s-1NULL\s0 and the \fIu\fR parameter is not
-\&\s-1NULL\s0 then the \fIu\fR parameter is interpreted as a \s-1NUL\s0 terminated string
-to use as the passphrase. If both \fIcb\fR and \fIu\fR are \s-1NULL\s0 then the
+If the \fIcb\fR parameters is set to NULL and the \fIu\fR parameter is not
+NULL then the \fIu\fR parameter is interpreted as a NUL terminated string
+to use as the passphrase. If both \fIcb\fR and \fIu\fR are NULL then the
default callback routine is used which will typically prompt for the
passphrase on the current terminal with echoing turned off.
.PP
The default passphrase callback is sometimes inappropriate (for example
-in a \s-1GUI\s0 application) so an alternative can be supplied. The callback
+in a GUI application) so an alternative can be supplied. The callback
routine has the following form:
.PP
.Vb 1
@@ -489,23 +427,23 @@ length of the passphrase (i.e. the size of buf). \fIrwflag\fR is a flag
which is set to 0 when reading and 1 when writing. A typical routine
will ask the user to verify the passphrase (for example by prompting
for it twice) if \fIrwflag\fR is 1. The \fIu\fR parameter has the same
-value as the \fIu\fR parameter passed to the \s-1PEM\s0 routine. It allows
+value as the \fIu\fR parameter passed to the PEM routine. It allows
arbitrary data to be passed to the callback by the application
-(for example a window handle in a \s-1GUI\s0 application). The callback
+(for example a window handle in a GUI application). The callback
\&\fImust\fR return the number of characters in the passphrase or \-1 if
an error occurred. The passphrase can be arbitrary data; in the case where it
-is a string, it is not \s-1NUL\s0 terminated. See the \*(L"\s-1EXAMPLES\*(R"\s0 section below.
+is a string, it is not NUL terminated. See the "EXAMPLES" section below.
.PP
Some implementations may need to use cryptographic algorithms during their
operation. If this is the case and \fIlibctx\fR and \fIpropq\fR parameters have been
passed then any algorithm fetches will use that library context and property
query string. Otherwise the default library context and property query string
will be used.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \s-1PEM\s0 reading functions will skip any extraneous content or \s-1PEM\s0 data of
+The PEM reading functions will skip any extraneous content or PEM data of
a different type than they expect. This allows for example having a certificate
-(or multiple certificates) and a key in the \s-1PEM\s0 format in a single file.
+(or multiple certificates) and a key in the PEM format in a single file.
.PP
The old \fBPrivateKey\fR write routines are retained for compatibility.
New applications should write private keys using the
@@ -517,7 +455,7 @@ versions of OpenSSL is important.
The \fBPrivateKey\fR read routines can be used in all applications because
they handle all formats transparently.
.PP
-A frequent cause of problems is attempting to use the \s-1PEM\s0 routines like
+A frequent cause of problems is attempting to use the PEM routines like
this:
.PP
.Vb 1
@@ -556,7 +494,7 @@ the base64\-encoded encrypted data.
.PP
The encryption key is derived using \fBEVP_BytesToKey()\fR. The cipher's
initialization vector is passed to \fBEVP_BytesToKey()\fR as the \fIsalt\fR
-parameter. Internally, \fB\s-1PKCS5_SALT_LEN\s0\fR bytes of the salt are used
+parameter. Internally, \fBPKCS5_SALT_LEN\fR bytes of the salt are used
(regardless of the size of the initialization vector). The user's
password is passed to \fBEVP_BytesToKey()\fR using the \fIdata\fR and \fIdatal\fR
parameters. Finally, the library uses an iteration count of 1 for
@@ -564,7 +502,7 @@ parameters. Finally, the library uses an iteration count of 1 for
.PP
The \fIkey\fR derived by \fBEVP_BytesToKey()\fR along with the original initialization
vector is then used to decrypt the encrypted data. The \fIiv\fR produced by
-\&\fBEVP_BytesToKey()\fR is not utilized or needed, and \s-1NULL\s0 should be passed to
+\&\fBEVP_BytesToKey()\fR is not utilized or needed, and NULL should be passed to
the function.
.PP
The pseudo code to derive the key would look similar to:
@@ -585,9 +523,9 @@ The pseudo code to derive the key would look similar to:
\&
\& /* On success, use key and iv to initialize the cipher */
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The \s-1PEM\s0 read routines in some versions of OpenSSL will not correctly reuse
+The PEM read routines in some versions of OpenSSL will not correctly reuse
an existing structure. Therefore, the following:
.PP
.Vb 1
@@ -605,16 +543,16 @@ is guaranteed to work. It is always acceptable for \fIx\fR to contain a newly
allocated, empty \fBX509\fR object (for example allocated via \fBX509_new_ex\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-The read routines return either a pointer to the structure read or \s-1NULL\s0
+The read routines return either a pointer to the structure read or NULL
if an error occurred.
.PP
The write routines return 1 for success or 0 for failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Although the \s-1PEM\s0 routines take several arguments in almost all applications
-most of them are set to 0 or \s-1NULL.\s0
+Although the PEM routines take several arguments in almost all applications
+most of them are set to 0 or NULL.
.PP
-To read a certificate with a library context in \s-1PEM\s0 format from a \s-1BIO:\s0
+To read a certificate with a library context in PEM format from a BIO:
.PP
.Vb 1
\& X509 *x = X509_new_ex(libctx, NULL);
@@ -626,7 +564,7 @@ To read a certificate with a library context in \s-1PEM\s0 format from a \s-1BIO
\& /* Error */
.Ve
.PP
-Read a certificate in \s-1PEM\s0 format from a \s-1BIO:\s0
+Read a certificate in PEM format from a BIO:
.PP
.Vb 1
\& X509 *x;
@@ -645,23 +583,23 @@ Alternative method:
\& /* Error */
.Ve
.PP
-Write a certificate to a \s-1BIO:\s0
+Write a certificate to a BIO:
.PP
.Vb 2
\& if (!PEM_write_bio_X509(bp, x))
\& /* Error */
.Ve
.PP
-Write a private key (using traditional format) to a \s-1BIO\s0 using
-triple \s-1DES\s0 encryption, the pass phrase is prompted for:
+Write a private key (using traditional format) to a BIO using
+triple DES encryption, the pass phrase is prompted for:
.PP
.Vb 2
\& if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
\& /* Error */
.Ve
.PP
-Write a private key (using PKCS#8 format) to a \s-1BIO\s0 using triple
-\&\s-1DES\s0 encryption, using the pass phrase \*(L"hello\*(R":
+Write a private key (using PKCS#8 format) to a BIO using triple
+DES encryption, using the pass phrase "hello":
.PP
.Vb 3
\& if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
@@ -669,7 +607,7 @@ Write a private key (using PKCS#8 format) to a \s-1BIO\s0 using triple
\& /* Error */
.Ve
.PP
-Read a private key from a \s-1BIO\s0 using a pass phrase callback:
+Read a private key from a BIO using a pass phrase callback:
.PP
.Vb 3
\& key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
@@ -703,10 +641,10 @@ Skeleton pass phrase callback:
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3), \fBEVP_BytesToKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The old Netscape certificate sequences were no longer documented
-in OpenSSL 1.1.0; applications should use the \s-1PKCS7\s0 standard instead
+in OpenSSL 1.1.0; applications should use the PKCS7 standard instead
as they will be formally deprecated in a future releases.
.PP
\&\fBPEM_read_bio_PrivateKey_ex()\fR, \fBPEM_read_PrivateKey_ex()\fR,
@@ -727,11 +665,15 @@ The functions \fBPEM_read_bio_RSAPrivateKey()\fR, \fBPEM_read_RSAPrivateKey()\fR
\&\fBPEM_write_bio_DSAparams()\fR, \fBPEM_write_DSAparams()\fR,
\&\fBPEM_read_bio_DHparams()\fR, \fBPEM_read_DHparams()\fR,
\&\fBPEM_write_bio_DHparams()\fR and \fBPEM_write_DHparams()\fR were deprecated in 3.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBPEM_read_bio_X509_ACERT()\fR, \fBPEM_read_X509_ACERT()\fR,
+\&\fBPEM_write_bio_X509_ACERT()\fR, \fBPEM_write_X509_ACERT()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3
index ae3849264809..c04935bc59b5 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ_BIO_EX 3ossl"
-.TH PEM_READ_BIO_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_READ_BIO_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PEM_read_bio_ex, PEM_FLAG_SECURE, PEM_FLAG_EAY_COMPATIBLE,
PEM_FLAG_ONLY_B64 \- read PEM format files with custom processing
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
@@ -150,34 +74,34 @@ PEM_FLAG_ONLY_B64 \- read PEM format files with custom processing
\& int PEM_read_bio_ex(BIO *in, char **name, char **header,
\& unsigned char **data, long *len, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPEM_read_bio_ex()\fR reads in \s-1PEM\s0 formatted data from an input \s-1BIO,\s0 outputting
+\&\fBPEM_read_bio_ex()\fR reads in PEM formatted data from an input BIO, outputting
the name of the type of contained data, the header information regarding
the possibly encrypted data, and the binary data payload (after base64 decoding).
It should generally only be used to implement PEM_read_bio_\-family functions
for specific data types or other usage, but is exposed to allow greater flexibility
over how processing is performed, if needed.
.PP
-If \s-1PEM_FLAG_SECURE\s0 is set, the intermediate buffers used to read in lines of
+If PEM_FLAG_SECURE is set, the intermediate buffers used to read in lines of
input are allocated from the secure heap.
.PP
-If \s-1PEM_FLAG_EAY_COMPATIBLE\s0 is set, a simple algorithm is used to remove whitespace
+If PEM_FLAG_EAY_COMPATIBLE is set, a simple algorithm is used to remove whitespace
and control characters from the end of each line, so as to be compatible with
the historical behavior of \fBPEM_read_bio()\fR.
.PP
-If \s-1PEM_FLAG_ONLY_B64\s0 is set, all characters are required to be valid base64
+If PEM_FLAG_ONLY_B64 is set, all characters are required to be valid base64
characters (or newlines); non\-base64 characters are treated as end of input.
.PP
-If neither \s-1PEM_FLAG_EAY_COMPATIBLE\s0 or \s-1PEM_FLAG_ONLY_B64\s0 is set, control characters
+If neither PEM_FLAG_EAY_COMPATIBLE or PEM_FLAG_ONLY_B64 is set, control characters
are ignored.
.PP
-If both \s-1PEM_FLAG_EAY_COMPATIBLE\s0 and \s-1PEM_FLAG_ONLY_B64\s0 are set, an error is returned;
+If both PEM_FLAG_EAY_COMPATIBLE and PEM_FLAG_ONLY_B64 are set, an error is returned;
these options are not compatible with each other.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The caller must release the storage allocated for *name, *header, and *data.
-If \s-1PEM_FLAG_SECURE\s0 was set, use \fBOPENSSL_secure_free()\fR; otherwise,
+If PEM_FLAG_SECURE was set, use \fBOPENSSL_secure_free()\fR; otherwise,
\&\fBOPENSSL_free()\fR is used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -185,14 +109,14 @@ If \s-1PEM_FLAG_SECURE\s0 was set, use \fBOPENSSL_secure_free()\fR; otherwise,
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_bytes_read_bio\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBPEM_read_bio_ex()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3
index a1bfc7a28f1a..06e081874f4e 100644
--- a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3
+++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_WRITE_BIO_CMS_STREAM 3ossl"
-.TH PEM_WRITE_BIO_CMS_STREAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_WRITE_BIO_CMS_STREAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PEM_write_bio_CMS_stream \- output CMS_ContentInfo structure in PEM format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPEM_write_bio_CMS_stream()\fR outputs a CMS_ContentInfo structure in \s-1PEM\s0 format.
+\&\fBPEM_write_bio_CMS_stream()\fR outputs a CMS_ContentInfo structure in PEM format.
.PP
It is otherwise identical to the function \fBSMIME_write_CMS()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This function is effectively a version of the \fBPEM_write_bio_CMS()\fR supporting
streaming.
@@ -165,14 +89,14 @@ streaming.
\&\fBPEM_write\fR\|(3),
\&\fBSMIME_write_CMS\fR\|(3),
\&\fBi2d_CMS_bio_stream\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBPEM_write_bio_CMS_stream()\fR function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3
index 75b7405eafe9..c5b489eb0e48 100644
--- a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3
+++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_WRITE_BIO_PKCS7_STREAM 3ossl"
-.TH PEM_WRITE_BIO_PKCS7_STREAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PEM_WRITE_BIO_PKCS7_STREAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PEM_write_bio_PKCS7_stream \- output PKCS7 structure in PEM format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPEM_write_bio_PKCS7_stream()\fR outputs a \s-1PKCS7\s0 structure in \s-1PEM\s0 format.
+\&\fBPEM_write_bio_PKCS7_stream()\fR outputs a PKCS7 structure in PEM format.
.PP
It is otherwise identical to the function \fBSMIME_write_PKCS7()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This function is effectively a version of the \fBPEM_write_bio_PKCS7()\fR supporting
streaming.
@@ -164,14 +88,14 @@ streaming.
\&\fBPKCS7_decrypt\fR\|(3),
\&\fBSMIME_write_PKCS7\fR\|(3),
\&\fBi2d_PKCS7_bio_stream\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBPEM_write_bio_PKCS7_stream()\fR function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2007\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3 b/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3
index fe978b633953..6bce1f1aefa6 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_PBE_keyivgen.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_PBE_KEYIVGEN 3ossl"
-.TH PKCS12_PBE_KEYIVGEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_PBE_KEYIVGEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_PBE_keyivgen, PKCS12_PBE_keyivgen_ex,
PKCS12_pbe_crypt, PKCS12_pbe_crypt_ex \- PKCS#12 Password based encryption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -163,7 +87,7 @@ PKCS12_pbe_crypt, PKCS12_pbe_crypt_ex \- PKCS#12 Password based encryption
\& int en_de, OSSL_LIB_CTX *libctx,
\& const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_PBE_keyivgen()\fR and \fBPKCS12_PBE_keyivgen_ex()\fR take a password \fIpass\fR of
length \fIpasslen\fR, parameters \fIparam\fR and a message digest function \fImd_type\fR
@@ -186,23 +110,23 @@ encryption (\fIen_de\fR=1) or decryption (\fIen_de\fR=0).
implementations.
.PP
\&\fIpass\fR is the password used in the derivation of length \fIpasslen\fR. \fIpass\fR
-is an optional parameter and can be \s-1NULL.\s0 If \fIpasslen\fR is \-1, then the
+is an optional parameter and can be NULL. If \fIpasslen\fR is \-1, then the
function will calculate the length of \fIpass\fR using \fBstrlen()\fR.
.PP
\&\fIsalt\fR is the salt used in the derivation of length \fIsaltlen\fR. If the
-\&\fIsalt\fR is \s-1NULL,\s0 then \fIsaltlen\fR must be 0. The function will not
+\&\fIsalt\fR is NULL, then \fIsaltlen\fR must be 0. The function will not
attempt to calculate the length of the \fIsalt\fR because it is not assumed to
-be \s-1NULL\s0 terminated.
+be NULL terminated.
.PP
\&\fIiter\fR is the iteration count and its value should be greater than or
-equal to 1. \s-1RFC 2898\s0 suggests an iteration count of at least 1000. Any
+equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
\&\fIiter\fR less than 1 is treated as a single iteration.
.PP
\&\fIdigest\fR is the message digest function used in the derivation.
.PP
Functions ending in \fB_ex()\fR take optional parameters \fIlibctx\fR and \fIpropq\fR which
are used to select appropriate algorithm implementations.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The functions are typically used in PKCS#12 to encrypt objects.
.PP
@@ -213,23 +137,23 @@ It will simply be treated as a byte sequence.
\&\fBPKCS12_PBE_keyivgen()\fR, \fBPKCS12_PBE_keyivgen_ex()\fR return 1 on success or 0 on error.
.PP
\&\fBPKCS12_pbe_crypt()\fR and \fBPKCS12_pbe_crypt_ex()\fR return a buffer containing the
-output or \s-1NULL\s0 if an error occurred.
+output or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PBE_CipherInit_ex\fR\|(3),
\&\fBPKCS8_encrypt_ex\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_PBE_keyivgen_ex()\fR and \fBPKCS12_pbe_crypt_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2014\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3
index bd9e15e3569b..0df72c233e43 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_create_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_SAFEBAG_CREATE_CERT 3ossl"
-.TH PKCS12_SAFEBAG_CREATE_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_SAFEBAG_CREATE_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_SAFEBAG_create_cert, PKCS12_SAFEBAG_create_crl,
PKCS12_SAFEBAG_create_secret, PKCS12_SAFEBAG_create0_p8inf,
PKCS12_SAFEBAG_create0_pkcs8, PKCS12_SAFEBAG_create_pkcs8_encrypt,
PKCS12_SAFEBAG_create_pkcs8_encrypt_ex \- Create PKCS#12 safeBag objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -168,35 +92,35 @@ PKCS12_SAFEBAG_create_pkcs8_encrypt_ex \- Create PKCS#12 safeBag objects
\& OSSL_LIB_CTX *ctx,
\& const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_SAFEBAG_create_cert()\fR creates a new \fB\s-1PKCS12_SAFEBAG\s0\fR of type \fBNID_certBag\fR
+\&\fBPKCS12_SAFEBAG_create_cert()\fR creates a new \fBPKCS12_SAFEBAG\fR of type \fBNID_certBag\fR
containing the supplied certificate.
.PP
-\&\fBPKCS12_SAFEBAG_create_crl()\fR creates a new \fB\s-1PKCS12_SAFEBAG\s0\fR of type \fBNID_crlBag\fR
+\&\fBPKCS12_SAFEBAG_create_crl()\fR creates a new \fBPKCS12_SAFEBAG\fR of type \fBNID_crlBag\fR
containing the supplied crl.
.PP
-\&\fBPKCS12_SAFEBAG_create_secret()\fR creates a new \fB\s-1PKCS12_SAFEBAG\s0\fR of type
+\&\fBPKCS12_SAFEBAG_create_secret()\fR creates a new \fBPKCS12_SAFEBAG\fR of type
corresponding to a PKCS#12 \fBsecretBag\fR. The \fBsecretBag\fR contents are tagged as
-\&\fItype\fR with an \s-1ASN1\s0 value of type \fIvtype\fR constructed using the bytes in
+\&\fItype\fR with an ASN1 value of type \fIvtype\fR constructed using the bytes in
\&\fIvalue\fR of length \fIlen\fR.
.PP
-\&\fBPKCS12_SAFEBAG_create0_p8inf()\fR creates a new \fB\s-1PKCS12_SAFEBAG\s0\fR of type \fBNID_keyBag\fR
-containing the supplied \s-1PKCS8\s0 structure.
+\&\fBPKCS12_SAFEBAG_create0_p8inf()\fR creates a new \fBPKCS12_SAFEBAG\fR of type \fBNID_keyBag\fR
+containing the supplied PKCS8 structure.
.PP
-\&\fBPKCS12_SAFEBAG_create0_pkcs8()\fR creates a new \fB\s-1PKCS12_SAFEBAG\s0\fR of type
-\&\fBNID_pkcs8ShroudedKeyBag\fR containing the supplied \s-1PKCS8\s0 structure.
+\&\fBPKCS12_SAFEBAG_create0_pkcs8()\fR creates a new \fBPKCS12_SAFEBAG\fR of type
+\&\fBNID_pkcs8ShroudedKeyBag\fR containing the supplied PKCS8 structure.
.PP
-\&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt()\fR creates a new \fB\s-1PKCS12_SAFEBAG\s0\fR of type
-\&\fBNID_pkcs8ShroudedKeyBag\fR by encrypting the supplied \s-1PKCS8\s0 \fIp8inf\fR.
+\&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt()\fR creates a new \fBPKCS12_SAFEBAG\fR of type
+\&\fBNID_pkcs8ShroudedKeyBag\fR by encrypting the supplied PKCS8 \fIp8inf\fR.
If \fIpbe_nid\fR is 0, a default encryption algorithm is used. \fIpass\fR is the
passphrase and \fIiter\fR is the iteration count. If \fIiter\fR is zero then a default
-value of 2048 is used. If \fIsalt\fR is \s-1NULL\s0 then a salt is generated randomly.
+value of 2048 is used. If \fIsalt\fR is NULL then a salt is generated randomly.
.PP
\&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt_ex()\fR is identical to \fBPKCS12_SAFEBAG_create_pkcs8_encrypt()\fR
but allows for a library context \fIctx\fR and property query \fIpropq\fR to be used to select
algorithm implementations.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt()\fR makes assumptions regarding the encoding of the given pass
phrase.
@@ -205,23 +129,23 @@ See \fBpassphrase\-encoding\fR\|(7) for more information.
\&\fBPKCS12_SAFEBAG_create_secret()\fR was added in OpenSSL 3.0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-All of these functions return a valid \fB\s-1PKCS12_SAFEBAG\s0\fR structure or \s-1NULL\s0 if an error occurred.
+All of these functions return a valid \fBPKCS12_SAFEBAG\fR structure or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3),
\&\fBPKCS12_add_safe\fR\|(3),
\&\fBPKCS12_add_safes\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3
index 7ff5af1e83c3..39864d1a7072 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get0_attrs.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_SAFEBAG_GET0_ATTRS 3ossl"
-.TH PKCS12_SAFEBAG_GET0_ATTRS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_SAFEBAG_GET0_ATTRS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen
\&\- Retrieve attributes from a PKCS#12 safeBag
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -149,32 +73,32 @@ PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen
\& ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
\& int attr_nid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_SAFEBAG_get0_attrs()\fR retrieves the stack of \fBX509_ATTRIBUTE\fRs from a
-PKCS#12 safeBag. \fIbag\fR is the \fB\s-1PKCS12_SAFEBAG\s0\fR to retrieve the attributes from.
+PKCS#12 safeBag. \fIbag\fR is the \fBPKCS12_SAFEBAG\fR to retrieve the attributes from.
.PP
-\&\fBPKCS12_get_attr_gen()\fR retrieves an attribute by \s-1NID\s0 from a stack of
-\&\fBX509_ATTRIBUTE\fRs. \fIattr_nid\fR is the \s-1NID\s0 of the attribute to retrieve.
+\&\fBPKCS12_get_attr_gen()\fR retrieves an attribute by NID from a stack of
+\&\fBX509_ATTRIBUTE\fRs. \fIattr_nid\fR is the NID of the attribute to retrieve.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS12_SAFEBAG_get0_attrs()\fR returns the stack of \fBX509_ATTRIBUTE\fRs from a
PKCS#12 safeBag, which could be empty.
.PP
-\&\fBPKCS12_get_attr_gen()\fR returns an \fB\s-1ASN1_TYPE\s0\fR object containing the attribute,
-or \s-1NULL\s0 if the attribute was either not present or an error occurred.
+\&\fBPKCS12_get_attr_gen()\fR returns an \fBASN1_TYPE\fR object containing the attribute,
+or NULL if the attribute was either not present or an error occurred.
.PP
\&\fBPKCS12_get_attr_gen()\fR does not allocate a new attribute. The returned attribute
-is still owned by the \fB\s-1PKCS12_SAFEBAG\s0\fR in which it resides.
+is still owned by the \fBPKCS12_SAFEBAG\fR in which it resides.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_get_friendlyname\fR\|(3),
\&\fBPKCS12_add_friendlyname_asc\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3
index 2554353884f9..73900384e46d 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_get1_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_SAFEBAG_GET1_CERT 3ossl"
-.TH PKCS12_SAFEBAG_GET1_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_SAFEBAG_GET1_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_SAFEBAG_get0_attr, PKCS12_SAFEBAG_get0_type,
PKCS12_SAFEBAG_get_nid, PKCS12_SAFEBAG_get_bag_nid,
PKCS12_SAFEBAG_get0_bag_obj, PKCS12_SAFEBAG_get0_bag_type,
-PKCS12_SAFEBAG_get1_cert, PKCS12_SAFEBAG_get1_crl,
+PKCS12_SAFEBAG_get1_cert_ex, PKCS12_SAFEBAG_get1_cert,
+PKCS12_SAFEBAG_get1_crl_ex, PKCS12_SAFEBAG_get1_crl,
PKCS12_SAFEBAG_get0_safes, PKCS12_SAFEBAG_get0_p8inf,
PKCS12_SAFEBAG_get0_pkcs8 \- Get objects from a PKCS#12 safeBag
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -155,50 +80,63 @@ PKCS12_SAFEBAG_get0_pkcs8 \- Get objects from a PKCS#12 safeBag
\& int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag);
\& const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag);
\& const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag);
+\& X509_CRL *PKCS12_SAFEBAG_get1_cert_ex(const PKCS12_SAFEBAG *bag,
+\& OSSL_LIB_CTX *libctx, const char *propq);
\& X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag);
+\& X509_CRL *PKCS12_SAFEBAG_get1_crl_ex(const PKCS12_SAFEBAG *bag,
+\& OSSL_LIB_CTX *libctx, const char *propq);
\& X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag);
\& const STACK_OF(PKCS12_SAFEBAG) *PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag);
\& const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag);
\& const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_SAFEBAG_get0_attr()\fR gets the attribute value corresponding to the \fBattr_nid\fR.
.PP
-\&\fBPKCS12_SAFEBAG_get0_type()\fR gets the \fBsafeBag\fR type as an \s-1OID,\s0 whereas
-\&\fBPKCS12_SAFEBAG_get_nid()\fR gets the \fBsafeBag\fR type as an \s-1NID,\s0 which could be
+\&\fBPKCS12_SAFEBAG_get0_type()\fR gets the \fBsafeBag\fR type as an OID, whereas
+\&\fBPKCS12_SAFEBAG_get_nid()\fR gets the \fBsafeBag\fR type as an NID, which could be
\&\fBNID_certBag\fR, \fBNID_crlBag\fR, \fBNID_keyBag\fR, \fBNID_secretBag\fR, \fBNID_safeContentsBag\fR
or \fBNID_pkcs8ShroudedKeyBag\fR.
.PP
\&\fBPKCS12_SAFEBAG_get_bag_nid()\fR gets the type of the object contained within the
-\&\fB\s-1PKCS12_SAFEBAG\s0\fR. This corresponds to the bag type for most bags, but can be
-arbitrary for \fBsecretBag\fRs. \fBPKCS12_SAFEBAG_get0_bag_type()\fR gets this type as an \s-1OID.\s0
+\&\fBPKCS12_SAFEBAG\fR. This corresponds to the bag type for most bags, but can be
+arbitrary for \fBsecretBag\fRs. \fBPKCS12_SAFEBAG_get0_bag_type()\fR gets this type as an OID.
.PP
\&\fBPKCS12_SAFEBAG_get0_bag_obj()\fR retrieves the object contained within the safeBag.
.PP
-\&\fBPKCS12_SAFEBAG_get1_cert()\fR and \fBPKCS12_SAFEBAG_get1_crl()\fR return new \fBX509\fR or
-\&\fBX509_CRL\fR objects from the item in the safeBag.
+\&\fBPKCS12_SAFEBAG_get1_cert_ex()\fR and \fBPKCS12_SAFEBAG_get1_crl_ex()\fR return new \fBX509\fR or
+\&\fBX509_CRL\fR objects from the item in the safeBag. \fIlibctx\fR and \fIpropq\fR are used when
+fetching algorithms, and may optionally be set to NULL.
+.PP
+\&\fBPKCS12_SAFEBAG_get1_cert()\fR and \fBPKCS12_SAFEBAG_get1_crl()\fR are the same as
+\&\fBPKCS12_SAFEBAG_get1_cert_ex()\fR and \fBPKCS12_SAFEBAG_get1_crl_ex()\fR and set the \fIlibctx\fR and
+\&\fIprop\fR to NULL. This will use the default library context.
.PP
-\&\fBPKCS12_SAFEBAG_get0_p8inf()\fR and \fBPKCS12_SAFEBAG_get0_pkcs8()\fR return the \s-1PKCS8\s0 object
+\&\fBPKCS12_SAFEBAG_get0_p8inf()\fR and \fBPKCS12_SAFEBAG_get0_pkcs8()\fR return the PKCS8 object
from a PKCS8shroudedKeyBag or a keyBag.
.PP
\&\fBPKCS12_SAFEBAG_get0_safes()\fR retrieves the set of \fBsafeBags\fR contained within a
safeContentsBag.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS12_SAFEBAG_get_nid()\fR and \fBPKCS12_SAFEBAG_get_bag_nid()\fR return the \s-1NID\s0 of the safeBag
-or bag object, or \-1 if there is no corresponding \s-1NID.\s0
-Other functions return a valid object of the specified type or \s-1NULL\s0 if an error occurred.
+\&\fBPKCS12_SAFEBAG_get_nid()\fR and \fBPKCS12_SAFEBAG_get_bag_nid()\fR return the NID of the safeBag
+or bag object, or \-1 if there is no corresponding NID.
+Other functions return a valid object of the specified type or NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3),
\&\fBPKCS12_add_safe\fR\|(3),
\&\fBPKCS12_add_safes\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The functions \fBPKCS12_SAFEBAG_get1_cert_ex()\fR and \fBPKCS12_SAFEBAG_get1_crl_ex()\fR were
+added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3 b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3
new file mode 100644
index 000000000000..81cccda44e93
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/PKCS12_SAFEBAG_set0_attrs.3
@@ -0,0 +1,90 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "PKCS12_SAFEBAG_SET0_ATTRS 3ossl"
+.TH PKCS12_SAFEBAG_SET0_ATTRS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+PKCS12_SAFEBAG_set0_attrs
+\&\- Set attributes for a PKCS#12 safeBag
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/pkcs12.h>
+\&
+\& void PKCS12_SAFEBAG_set0_attrs(PKCS12_SAFEBAG *bag, STACK_OF(X509_ATTRIBUTE) *attrs);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBPKCS12_SAFEBAG_set0_attrs()\fR assigns the stack of \fBX509_ATTRIBUTE\fRs to a
+PKCS#12 safeBag. \fIbag\fR is the \fBPKCS12_SAFEBAG\fR to assign the attributes to.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBPKCS12_SAFEBAG_set0_attrs()\fR does not return a value.
+.SH HISTORY
+.IX Header "HISTORY"
+This function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3 b/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3
index 50719248dd4c..32dfd209e5c4 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_add1_attr_by_NID.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ADD1_ATTR_BY_NID 3ossl"
-.TH PKCS12_ADD1_ATTR_BY_NID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ADD1_ATTR_BY_NID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_add1_attr_by_NID, PKCS12_add1_attr_by_txt \- Add an attribute to a PKCS#12
safeBag structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -149,16 +73,16 @@ safeBag structure
\& int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
\& const unsigned char *bytes, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions add a PKCS#12 Attribute to the Attribute Set of the \fBbag\fR.
.PP
-\&\fBPKCS12_add1_attr_by_NID()\fR adds an attribute of type \fBnid\fR with a value of \s-1ASN1\s0
+\&\fBPKCS12_add1_attr_by_NID()\fR adds an attribute of type \fBnid\fR with a value of ASN1
type \fBtype\fR constructed using \fBlen\fR bytes from \fBbytes\fR.
.PP
\&\fBPKCS12_add1_attr_by_txt()\fR adds an attribute of type \fBattrname\fR with a value of
-\&\s-1ASN1\s0 type \fBtype\fR constructed using \fBlen\fR bytes from \fBbytes\fR.
-.SH "NOTES"
+ASN1 type \fBtype\fR constructed using \fBlen\fR bytes from \fBbytes\fR.
+.SH NOTES
.IX Header "NOTES"
These functions do not check whether an existing attribute of the same type is
present. There can be multiple attributes with the same type assigned to a
@@ -171,11 +95,11 @@ A return value of 1 indicates success, 0 indicates failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3
index 56b235e3231c..ee16cf9c7d0b 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_add_CSPName_asc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,99 +52,39 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ADD_CSPNAME_ASC 3ossl"
-.TH PKCS12_ADD_CSPNAME_ASC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ADD_CSPNAME_ASC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_add_CSPName_asc \- Add a Microsoft CSP Name attribute to a PKCS#12 safeBag
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
\&
\& int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_add_CSPName_asc()\fR adds an \s-1ASCII\s0 string representation of the Microsoft \s-1CSP\s0 Name attribute to a PKCS#12 safeBag.
+\&\fBPKCS12_add_CSPName_asc()\fR adds an ASCII string representation of the Microsoft CSP Name attribute to a PKCS#12 safeBag.
.PP
-\&\fIbag\fR is the \fB\s-1PKCS12_SAFEBAG\s0\fR to add the attribute to.
+\&\fIbag\fR is the \fBPKCS12_SAFEBAG\fR to add the attribute to.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_add_friendlyname_asc\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3
index 986a51da17eb..ddb50437490f 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_add_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ADD_CERT 3ossl"
-.TH PKCS12_ADD_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ADD_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_add_cert, PKCS12_add_key, PKCS12_add_key_ex,
PKCS12_add_secret \- Add an object to a set of PKCS#12 safeBags
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -156,16 +80,16 @@ PKCS12_add_secret \- Add an object to a set of PKCS#12 safeBags
\& PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
\& int nid_type, const unsigned char *value, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions create a new \fB\s-1PKCS12_SAFEBAG\s0\fR and add it to the set of safeBags
+These functions create a new \fBPKCS12_SAFEBAG\fR and add it to the set of safeBags
in \fIpbags\fR.
.PP
\&\fBPKCS12_add_cert()\fR creates a PKCS#12 certBag containing the supplied
certificate and adds this to the set of PKCS#12 safeBags.
.PP
\&\fBPKCS12_add_key()\fR creates a PKCS#12 keyBag (unencrypted) or a pkcs8shroudedKeyBag
-(encrypted) containing the supplied \fB\s-1EVP_PKEY\s0\fR and adds this to the set of PKCS#12
+(encrypted) containing the supplied \fBEVP_PKEY\fR and adds this to the set of PKCS#12
safeBags. If \fIkey_nid\fR is not \-1 then the key is encrypted with the supplied
algorithm, using \fIpass\fR as the passphrase and \fIiter\fR as the iteration count. If
\&\fIiter\fR is zero then a default value for iteration count of 2048 is used.
@@ -174,35 +98,35 @@ algorithm, using \fIpass\fR as the passphrase and \fIiter\fR as the iteration co
context \fIctx\fR and property query \fIpropq\fR to be used to select algorithm
implementations.
.PP
-\&\fBPKCS12_add_secret()\fR creates a PKCS#12 secretBag with an \s-1OID\s0 corresponding to
-the supplied \fInid_type\fR containing the supplied value as an \s-1ASN1\s0 octet string.
+\&\fBPKCS12_add_secret()\fR creates a PKCS#12 secretBag with an OID corresponding to
+the supplied \fInid_type\fR containing the supplied value as an ASN1 octet string.
This is then added to the set of PKCS#12 safeBags.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
If a certificate contains an \fIalias\fR or a \fIkeyid\fR then this will be
used for the corresponding \fBfriendlyName\fR or \fBlocalKeyID\fR in the
-\&\s-1PKCS12\s0 structure.
+PKCS12 structure.
.PP
\&\fBPKCS12_add_key()\fR makes assumptions regarding the encoding of the given pass
phrase.
See \fBpassphrase\-encoding\fR\|(7) for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-A valid \fB\s-1PKCS12_SAFEBAG\s0\fR structure or \s-1NULL\s0 if an error occurred.
+A valid \fBPKCS12_SAFEBAG\fR structure or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_add_secret()\fR and \fBPKCS12_add_key_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3
index d882ee67bbea..203c0f58f35b 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_add_friendlyname_asc.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ADD_FRIENDLYNAME_ASC 3ossl"
-.TH PKCS12_ADD_FRIENDLYNAME_ASC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ADD_FRIENDLYNAME_ASC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_add_friendlyname_asc, PKCS12_add_friendlyname_utf8,
PKCS12_add_friendlyname_uni \- Functions to add the friendlyname attribute to a
PKCS#12 safeBag
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -154,29 +78,29 @@ PKCS#12 safeBag
\& int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag,
\& const unsigned char *name, int namelen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_add_friendlyname_asc()\fR adds an \s-1ASCII\s0 string representation of the PKCS#9
+\&\fBPKCS12_add_friendlyname_asc()\fR adds an ASCII string representation of the PKCS#9
friendlyName attribute to a PKCS#12 safeBag.
.PP
-\&\fBPKCS12_add_friendlyname_utf8()\fR adds a \s-1UTF\-8\s0 string representation of the PKCS#9
+\&\fBPKCS12_add_friendlyname_utf8()\fR adds a UTF\-8 string representation of the PKCS#9
friendlyName attribute to a PKCS#12 safeBag.
.PP
\&\fBPKCS12_add_friendlyname_uni()\fR adds a Unicode string representation of the PKCS#9
friendlyName attribute to a PKCS#12 safeBag.
.PP
-\&\fIbag\fR is the \fB\s-1PKCS12_SAFEBAG\s0\fR to add the attribute to.
+\&\fIbag\fR is the \fBPKCS12_SAFEBAG\fR to add the attribute to.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_get_friendlyname\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3
index ce9a3755c342..5a6f4163d18a 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_add_localkeyid.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ADD_LOCALKEYID 3ossl"
-.TH PKCS12_ADD_LOCALKEYID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ADD_LOCALKEYID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_add_localkeyid \- Add the localKeyId attribute to a PKCS#12 safeBag
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -146,23 +70,23 @@ PKCS12_add_localkeyid \- Add the localKeyId attribute to a PKCS#12 safeBag
\& int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, const char *name,
\& int namelen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_add_localkeyid()\fR adds an octet string representation of the PKCS#9
localKeyId attribute to a PKCS#12 safeBag.
.PP
-\&\fIbag\fR is the \fB\s-1PKCS12_SAFEBAG\s0\fR to add the attribute to.
+\&\fIbag\fR is the \fBPKCS12_SAFEBAG\fR to add the attribute to.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_add_friendlyname_asc\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3 b/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3
index 698adaf45f3c..230053e1a86a 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_add_safe.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ADD_SAFE 3ossl"
-.TH PKCS12_ADD_SAFE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ADD_SAFE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_add_safe, PKCS12_add_safe_ex,
PKCS12_add_safes, PKCS12_add_safes_ex \- Create and add objects to a PKCS#12 structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -154,34 +78,34 @@ PKCS12_add_safes, PKCS12_add_safes_ex \- Create and add objects to a PKCS#12 str
\& PKCS12 *PKCS12_add_safes_ex(STACK_OF(PKCS7) *safes, int p7_nid,
\& OSSL_LIB_CTX *ctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_add_safe()\fR creates a new \s-1PKCS7\s0 contentInfo containing the supplied
-\&\fB\s-1PKCS12_SAFEBAG\s0\fRs and adds this to a set of \s-1PKCS7\s0 contentInfos. Its type
+\&\fBPKCS12_add_safe()\fR creates a new PKCS7 contentInfo containing the supplied
+\&\fBPKCS12_SAFEBAG\fRs and adds this to a set of PKCS7 contentInfos. Its type
depends on the value of \fBsafe_nid\fR:
-.IP "\(bu" 4
-If \fIsafe_nid\fR is \-1, a plain \s-1PKCS7\s0 \fIdata\fR contentInfo is created.
-.IP "\(bu" 4
-If \fIsafe_nid\fR is a valid \s-1PBE\s0 algorithm \s-1NID,\s0 a \s-1PKCS7\s0 \fBencryptedData\fR
+.IP \(bu 4
+If \fIsafe_nid\fR is \-1, a plain PKCS7 \fIdata\fR contentInfo is created.
+.IP \(bu 4
+If \fIsafe_nid\fR is a valid PBE algorithm NID, a PKCS7 \fBencryptedData\fR
contentInfo is created. The algorithm uses \fIpass\fR as the passphrase and \fIiter\fR
as the iteration count. If \fIiter\fR is zero then a default value for iteration
count of 2048 is used.
-.IP "\(bu" 4
-If \fIsafe_nid\fR is 0, a \s-1PKCS7\s0 \fBencryptedData\fR contentInfo is created using
+.IP \(bu 4
+If \fIsafe_nid\fR is 0, a PKCS7 \fBencryptedData\fR contentInfo is created using
a default encryption algorithm, currently \fBNID_pbe_WithSHA1And3_Key_TripleDES_CBC\fR.
.PP
\&\fBPKCS12_add_safe_ex()\fR is identical to \fBPKCS12_add_safe()\fR but allows for a library
context \fIctx\fR and property query \fIpropq\fR to be used to select algorithm
implementations.
.PP
-\&\fBPKCS12_add_safes()\fR creates a \fB\s-1PKCS12\s0\fR structure containing the supplied set of
-\&\s-1PKCS7\s0 contentInfos. The \fIsafes\fR are enclosed first within a \s-1PKCS7\s0 contentInfo
+\&\fBPKCS12_add_safes()\fR creates a \fBPKCS12\fR structure containing the supplied set of
+PKCS7 contentInfos. The \fIsafes\fR are enclosed first within a PKCS7 contentInfo
of type \fIp7_nid\fR. Currently the only supported type is \fBNID_pkcs7_data\fR.
.PP
\&\fBPKCS12_add_safes_ex()\fR is identical to \fBPKCS12_add_safes()\fR but allows for a
library context \fIctx\fR and property query \fIpropq\fR to be used to select
algorithm implementations.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBPKCS12_add_safe()\fR makes assumptions regarding the encoding of the given pass
phrase.
@@ -190,21 +114,21 @@ See \fBpassphrase\-encoding\fR\|(7) for more information.
.IX Header "RETURN VALUES"
\&\fBPKCS12_add_safe()\fR returns a value of 1 indicating success or 0 for failure.
.PP
-\&\fBPKCS12_add_safes()\fR returns a valid \fB\s-1PKCS12\s0\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBPKCS12_add_safes()\fR returns a valid \fBPKCS12\fR structure or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_add_safe_ex()\fR and \fBPKCS12_add_safes_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_create.3 b/secure/lib/libcrypto/man/man3/PKCS12_create.3
index 3b3ac2d60229..6cdeb257215f 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_create.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_create.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_CREATE 3ossl"
-.TH PKCS12_CREATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_CREATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-PKCS12_create, PKCS12_create_ex \- create a PKCS#12 structure
-.SH "SYNOPSIS"
+.SH NAME
+PKCS12_create, PKCS12_create_ex, PKCS12_create_cb, PKCS12_create_ex2 \- create a PKCS#12 structure
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -150,89 +74,115 @@ PKCS12_create, PKCS12_create_ex \- create a PKCS#12 structure
\& X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
\& int iter, int mac_iter, int keytype,
\& OSSL_LIB_CTX *ctx, const char *propq);
+\&
+\& typedef int PKCS12_create_cb(PKCS12_SAFEBAG *bag, void *cbarg);
+\&
+\& PKCS12 *PKCS12_create_ex2(const char *pass, const char *name, EVP_PKEY *pkey,
+\& X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
+\& int iter, int mac_iter, int keytype,
+\& OSSL_LIB_CTX *ctx, const char *propq,
+\& PKCS12_create_cb *cb, void *cbarg);
+\&=head1 DESCRIPTION
.Ve
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
+.PP
\&\fBPKCS12_create()\fR creates a PKCS#12 structure.
.PP
\&\fIpass\fR is the passphrase to use. \fIname\fR is the \fBfriendlyName\fR to use for
the supplied certificate and key. \fIpkey\fR is the private key to include in
-the structure and \fIcert\fR its corresponding certificates. \fIca\fR, if not \fB\s-1NULL\s0\fR
+the structure and \fIcert\fR its corresponding certificates. \fIca\fR, if not \fBNULL\fR
is an optional set of certificates to also include in the structure.
.PP
\&\fInid_key\fR and \fInid_cert\fR are the encryption algorithms that should be used
for the key and certificate respectively. The modes
-\&\s-1GCM, CCM, XTS,\s0 and \s-1OCB\s0 are unsupported. \fIiter\fR is the encryption algorithm
-iteration count to use and \fImac_iter\fR is the \s-1MAC\s0 iteration count to use.
+GCM, CCM, XTS, and OCB are unsupported. \fIiter\fR is the encryption algorithm
+iteration count to use and \fImac_iter\fR is the MAC iteration count to use.
\&\fIkeytype\fR is the type of key.
.PP
\&\fBPKCS12_create_ex()\fR is identical to \fBPKCS12_create()\fR but allows for a library context
\&\fIctx\fR and property query \fIpropq\fR to be used to select algorithm implementations.
-.SH "NOTES"
+.PP
+\&\fBPKCS12_create_ex2()\fR is identical to \fBPKCS12_create_ex()\fR but allows for a user defined
+callback \fIcb\fR of type \fBPKCS12_create_cb\fR to be specified and also allows for an
+optional argument \fIcbarg\fR to be passed back to the callback.
+.PP
+The \fIcb\fR if specified will be called for every safebag added to the
+PKCS12 structure and allows for optional application processing on the associated
+safebag. For example one such use could be to add attributes to the safebag.
+.SH NOTES
.IX Header "NOTES"
The parameters \fInid_key\fR, \fInid_cert\fR, \fIiter\fR, \fImac_iter\fR and \fIkeytype\fR
can all be set to zero and sensible defaults will be used.
.PP
-These defaults are: \s-1AES\s0 password based encryption (\s-1PBES2\s0 with \s-1PBKDF2\s0 and
-\&\s-1AES\-256\-CBC\s0) for private keys and certificates, the \s-1PBKDF2\s0 and \s-1MAC\s0 key
-derivation iteration count of \fB\s-1PKCS12_DEFAULT_ITER\s0\fR (currently 2048), and
-\&\s-1MAC\s0 algorithm \s-1HMAC\s0 with \s-1SHA2\-256.\s0 The \s-1MAC\s0 key derivation algorithm used
-for the outer PKCS#12 structure is \s-1PKCS12KDF.\s0
+These defaults are: AES password based encryption (PBES2 with PBKDF2 and
+AES\-256\-CBC) for private keys and certificates, the PBKDF2 and MAC key
+derivation iteration count of \fBPKCS12_DEFAULT_ITER\fR (currently 2048), and
+MAC algorithm HMAC with SHA2\-256. The MAC key derivation algorithm used
+for the outer PKCS#12 structure is PKCS12KDF.
.PP
-The default \s-1MAC\s0 iteration count is 1 in order to retain compatibility with
-old software which did not interpret \s-1MAC\s0 iteration counts. If such compatibility
-is not required then \fImac_iter\fR should be set to \s-1PKCS12_DEFAULT_ITER.\s0
+The default MAC iteration count is 1 in order to retain compatibility with
+old software which did not interpret MAC iteration counts. If such compatibility
+is not required then \fImac_iter\fR should be set to PKCS12_DEFAULT_ITER.
.PP
\&\fIkeytype\fR adds a flag to the store private key. This is a non standard extension
-that is only currently interpreted by \s-1MSIE.\s0 If set to zero the flag is omitted,
-if set to \fB\s-1KEY_SIG\s0\fR the key can be used for signing only, if set to \fB\s-1KEY_EX\s0\fR
+that is only currently interpreted by MSIE. If set to zero the flag is omitted,
+if set to \fBKEY_SIG\fR the key can be used for signing only, if set to \fBKEY_EX\fR
it can be used for signing and encryption. This option was useful for old
export grade software which could use signing only keys of arbitrary size but
had restrictions on the permissible sizes of keys which could be used for
encryption.
.PP
-If a certificate contains an \fIalias\fR or \fIkeyid\fR then this will be
-used for the corresponding \fBfriendlyName\fR or \fBlocalKeyID\fR in the
-\&\s-1PKCS12\s0 structure.
+If \fIname\fR is \fBNULL\fR and \fIcert\fR contains an \fIalias\fR then this will be
+used for the corresponding \fBfriendlyName\fR in the PKCS12 structure instead.
+Similarly, if \fIpkey\fR is NULL and \fIcert\fR contains a \fIkeyid\fR then this will be
+used for the corresponding \fBlocalKeyID\fR in the PKCS12 structure instead of the
+id calculated from the \fIpkey\fR.
+.PP
+For all certificates in \fIca\fR then if a certificate contains an \fIalias\fR or
+\&\fIkeyid\fR then this will be used for the corresponding \fBfriendlyName\fR or
+\&\fBlocalKeyID\fR in the PKCS12 structure.
.PP
-Either \fIpkey\fR, \fIcert\fR or both can be \fB\s-1NULL\s0\fR to indicate that no key or
+Either \fIpkey\fR, \fIcert\fR or both can be \fBNULL\fR to indicate that no key or
certificate is required. In previous versions both had to be present or
a fatal error is returned.
.PP
\&\fInid_key\fR or \fInid_cert\fR can be set to \-1 indicating that no encryption
should be used.
.PP
-\&\fImac_iter\fR can be set to \-1 and the \s-1MAC\s0 will then be omitted entirely.
-This can be useful when running with the \s-1FIPS\s0 provider as the \s-1PKCS12KDF\s0
-is not a \s-1FIPS\s0 approvable algorithm.
+\&\fImac_iter\fR can be set to \-1 and the MAC will then be omitted entirely.
+This can be useful when running with the FIPS provider as the PKCS12KDF
+is not a FIPS approvable algorithm.
.PP
\&\fBPKCS12_create()\fR makes assumptions regarding the encoding of the given pass
phrase.
See \fBpassphrase\-encoding\fR\|(7) for more information.
+.PP
+If \fIcb\fR is specified, then it should return 1 for success and \-1 for a fatal error.
+A return of 0 is intended to mean to not add the bag after all.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS12_create()\fR returns a valid \fB\s-1PKCS12\s0\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBPKCS12_create()\fR returns a valid \fBPKCS12\fR structure or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\-PKCS12KDF\s0\fR\|(7),
+\&\fBEVP_KDF\-PKCS12KDF\fR\|(7),
\&\fBd2i_PKCS12\fR\|(3),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_create_ex()\fR was added in OpenSSL 3.0.
+\&\fBPKCS12_create_ex2()\fR was added in OpenSSL 3.2.
.PP
-The defaults for encryption algorithms, \s-1MAC\s0 algorithm, and the \s-1MAC\s0 key
+The defaults for encryption algorithms, MAC algorithm, and the MAC key
derivation iteration count were changed in OpenSSL 3.0 to more modern
standards.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
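Review bot: The added line `\&=head1 DESCRIPTION` sits inside the `.Vb`/`.Ve` verbatim block of the SYNOPSIS, while `.SH "DESCRIPTION"` and `.IX Header "DESCRIPTION"` are removed and replaced by a bare `.PP`. As rendered, the page would print a literal "=head1 DESCRIPTION" at the end of the synopsis and lose the DESCRIPTION heading, so the text on passphrase handling, encryption NIDs and iteration counts runs on under SYNOPSIS. The file is generated by Pod::Man, so the cause is presumably a missing blank line before `=head1 DESCRIPTION` in the POD source, and the fix belongs there rather than in this file. After regeneration, `.Ve` should be followed by `.SH DESCRIPTION` and `.IX Header "DESCRIPTION"`, with no `\&=head1 DESCRIPTION` line left in the verbatim block.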
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3 b/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3
index 5cb81e306fc2..a1730ca68145 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_decrypt_skey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_DECRYPT_SKEY 3ossl"
-.TH PKCS12_DECRYPT_SKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_DECRYPT_SKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_decrypt_skey, PKCS12_decrypt_skey_ex \- PKCS12 shrouded keyBag
decrypt functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -151,7 +75,7 @@ decrypt functions
\& OSSL_LIB_CTX *ctx,
\& const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_decrypt_skey()\fR Decrypt the PKCS#8 shrouded keybag contained within \fIbag\fR
using the supplied password \fIpass\fR of length \fIpasslen\fR.
@@ -160,24 +84,24 @@ using the supplied password \fIpass\fR of length \fIpasslen\fR.
\&\fIctx\fR and property query \fIpropq\fR to be used to select algorithm implementations.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-Both functions will return the decrypted key or \s-1NULL\s0 if an error occurred.
+Both functions will return the decrypted key or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS8_decrypt_ex\fR\|(3),
\&\fBPKCS8_encrypt_ex\fR\|(3),
\&\fBPKCS12_add_key_ex\fR\|(3),
\&\fBPKCS12_SAFEBAG_create_pkcs8_encrypt_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_decrypt_skey_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3 b/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3
index 5cef6fb77747..4049e5b5c547 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_gen_mac.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_GEN_MAC 3ossl"
-.TH PKCS12_GEN_MAC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_GEN_MAC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_gen_mac, PKCS12_setup_mac, PKCS12_set_mac,
-PKCS12_verify_mac \- Functions to create and manipulate a PKCS#12 structure
-.SH "SYNOPSIS"
+PKCS12_set_pbmac1_pbkdf2, PKCS12_verify_mac, PKCS12_get0_mac \-
+Functions to create and manipulate a PKCS#12 MAC structure
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -150,53 +75,72 @@ PKCS12_verify_mac \- Functions to create and manipulate a PKCS#12 structure
\& int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
\& unsigned char *salt, int saltlen, int iter,
\& const EVP_MD *md_type);
+\& int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
+\& unsigned char *salt, int saltlen, int iter,
+\& const EVP_MD *md_type,
+\& const char *prf_md_name);
\& int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
\& int saltlen, const EVP_MD *md_type);
+\&
+\& void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
+\& const X509_ALGOR **pmacalg,
+\& const ASN1_OCTET_STRING **psalt,
+\& const ASN1_INTEGER **piter,
+\& const PKCS12 *p12);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_gen_mac()\fR generates an \s-1HMAC\s0 over the entire PKCS#12 object using the
+\&\fBPKCS12_gen_mac()\fR generates an HMAC over the entire PKCS#12 object using the
supplied password along with a set of already configured parameters.
-The default key generation mechanism used is \s-1PKCS12KDF.\s0
+The default key generation mechanism used is PKCS12KDF.
.PP
-\&\fBPKCS12_verify_mac()\fR verifies the PKCS#12 object's \s-1HMAC\s0 using the supplied
+\&\fBPKCS12_verify_mac()\fR verifies the PKCS#12 object's HMAC using the supplied
password.
.PP
-\&\fBPKCS12_setup_mac()\fR sets the \s-1MAC\s0 part of the PKCS#12 structure with the supplied
+\&\fBPKCS12_setup_mac()\fR sets the MAC part of the PKCS#12 structure with the supplied
parameters.
.PP
-\&\fBPKCS12_set_mac()\fR sets the \s-1MAC\s0 and \s-1MAC\s0 parameters into the PKCS#12 object.
+\&\fBPKCS12_set_mac()\fR sets the MAC and MAC parameters into the PKCS#12 object.
+\&\fBPKCS12_set_pbmac1_pbkdf2()\fR sets the MAC and MAC parameters into the PKCS#12
+object when \fBPBMAC1\fR with PBKDF2 is used for protection of the PKCS#12 object.
+.PP
+\&\fIpass\fR is the passphrase to use in the HMAC. \fIsalt\fR is the salt value to use,
+\&\fIiter\fR is the iteration count and \fImd_type\fR is the message digest function to
+use. \fIprf_md_name\fR specifies the digest used for the PBKDF2 in PBMAC1 KDF.
.PP
-\&\fIpass\fR is the passphrase to use in the \s-1HMAC.\s0 \fIsalt\fR is the salt value to use,
-\&\fIiter\fR is the iteration count and \fImd_type\fR is the message digest
-function to use.
-.SH "NOTES"
+\&\fBPKCS12_get0_mac()\fR retrieves any included MAC value, \fBX509_ALGOR\fR object,
+\&\fIsalt\fR, and \fIiter\fR count from the PKCS12 object.
+.SH NOTES
.IX Header "NOTES"
-If \fIsalt\fR is \s-1NULL\s0 then a suitable salt will be generated and used.
+If \fIsalt\fR is NULL then a suitable salt will be generated and used.
.PP
If \fIiter\fR is 1 then an iteration count will be omitted from the PKCS#12
structure.
.PP
-\&\fBPKCS12_gen_mac()\fR, \fBPKCS12_verify_mac()\fR and \fBPKCS12_set_mac()\fR make assumptions
-regarding the encoding of the given passphrase. See \fBpassphrase\-encoding\fR\|(7)
-for more information.
+\&\fBPKCS12_gen_mac()\fR, \fBPKCS12_verify_mac()\fR, \fBPKCS12_set_mac()\fR and
+\&\fBPKCS12_set_pbmac1_pbkdf2()\fR make assumptions regarding the encoding of the
+given passphrase. See \fBpassphrase\-encoding\fR\|(7) for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-All functions return 1 on success and 0 if an error occurred.
+All functions returning an integer return 1 on success and 0 if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 9579 (<https://tools.ietf.org/html/rfc9579>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_PKCS12\fR\|(3),
-\&\s-1\fBEVP_KDF\-PKCS12KDF\s0\fR\|(7),
+\&\fBEVP_KDF\-PKCS12KDF\fR\|(7),
\&\fBPKCS12_create\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The \fIPKCS12_set_pbmac1_pbkdf2\fR function was added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3 b/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3
index 7c5702d1af8a..f17288c0f2c6 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_get_friendlyname.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,102 +52,42 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_GET_FRIENDLYNAME 3ossl"
-.TH PKCS12_GET_FRIENDLYNAME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_GET_FRIENDLYNAME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_get_friendlyname \- Retrieve the friendlyname attribute from a PKCS#12 safeBag
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
\&
\& char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_get_friendlyname()\fR retrieves a \s-1UTF\-8\s0 string representation of the PKCS#9
+\&\fBPKCS12_get_friendlyname()\fR retrieves a UTF\-8 string representation of the PKCS#9
friendlyName attribute for a PKCS#12 safeBag item.
.PP
-\&\fIbag\fR is the \fB\s-1PKCS12_SAFEBAG\s0\fR to retrieve the attribute from.
+\&\fIbag\fR is the \fBPKCS12_SAFEBAG\fR to retrieve the attribute from.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-A \s-1UTF\-8\s0 string, or \s-1NULL\s0 if the attribute was either not present or an error occurred.
+A UTF\-8 string, or NULL if the attribute was either not present or an error occurred.
.PP
The returned string is allocated by OpenSSL and should be freed by the user.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_add_friendlyname_asc\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_init.3 b/secure/lib/libcrypto/man/man3/PKCS12_init.3
index 1ec09b8c416e..3560d9d91b8b 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_init.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_init.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_INIT 3ossl"
-.TH PKCS12_INIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_INIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_init, PKCS12_init_ex \- Create a new empty PKCS#12 structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -146,7 +70,7 @@ PKCS12_init, PKCS12_init_ex \- Create a new empty PKCS#12 structure
\& PKCS12 *PKCS12_init(int mode);
\& PKCS12 *PKCS12_init_ex(int mode, OSSL_LIB_CTX *ctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_init()\fR creates an empty PKCS#12 structure. Any PKCS#7 authSafes added
to this structure are enclosed first within a single PKCS#7 contentInfo
@@ -154,24 +78,24 @@ of type \fImode\fR. Currently the only supported type is \fBNID_pkcs7_data\fR.
.PP
\&\fBPKCS12_init_ex()\fR creates an empty PKCS#12 structure and assigns the supplied
\&\fIctx\fR and \fIpropq\fR to be used to select algorithm implementations for
-operations performed on the \fB\s-1PKCS12\s0\fR object.
+operations performed on the \fBPKCS12\fR object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS12_init()\fR and \fBPKCS12_init_ex()\fR return a valid \fB\s-1PKCS12\s0\fR structure or \s-1NULL\s0
+\&\fBPKCS12_init()\fR and \fBPKCS12_init_ex()\fR return a valid \fBPKCS12\fR structure or NULL
if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_PKCS12\fR\|(3),
\&\fBPKCS12_create\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_init_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3 b/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3
index 88be93f412cd..9e12452c02c1 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_item_decrypt_d2i.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_ITEM_DECRYPT_D2I 3ossl"
-.TH PKCS12_ITEM_DECRYPT_D2I 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_ITEM_DECRYPT_D2I 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_item_decrypt_d2i, PKCS12_item_decrypt_d2i_ex,
PKCS12_item_i2d_encrypt, PKCS12_item_i2d_encrypt_ex \- PKCS12 item
encrypt/decrypt functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -164,14 +88,14 @@ encrypt/decrypt functions
\& OSSL_LIB_CTX *ctx,
\& const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_item_decrypt_d2i()\fR and \fBPKCS12_item_decrypt_d2i_ex()\fR decrypt an octet
-string containing an \s-1ASN.1\s0 encoded object using the algorithm \fIalgor\fR and
+string containing an ASN.1 encoded object using the algorithm \fIalgor\fR and
password \fIpass\fR of length \fIpasslen\fR. If \fIzbuf\fR is nonzero then the output
buffer will zeroed after the decrypt.
.PP
-\&\fBPKCS12_item_i2d_encrypt()\fR and \fBPKCS12_item_i2d_encrypt_ex()\fR encrypt an \s-1ASN.1\s0
+\&\fBPKCS12_item_i2d_encrypt()\fR and \fBPKCS12_item_i2d_encrypt_ex()\fR encrypt an ASN.1
object \fIit\fR using the algorithm \fIalgor\fR and password \fIpass\fR of length
\&\fIpasslen\fR, returning an encoded object in \fIobj\fR. If \fIzbuf\fR is nonzero then
the buffer containing the input encoding will be zeroed after the encrypt.
@@ -181,22 +105,22 @@ Functions ending in \fB_ex()\fR allow for a library context \fIctx\fR and proper
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS12_item_decrypt_d2i()\fR and \fBPKCS12_item_decrypt_d2i_ex()\fR return the decrypted
-object or \s-1NULL\s0 if an error occurred.
+object or NULL if an error occurred.
.PP
\&\fBPKCS12_item_i2d_encrypt()\fR and \fBPKCS12_item_i2d_encrypt_ex()\fR return the encrypted
-data as an \s-1ASN.1\s0 Octet String or \s-1NULL\s0 if an error occurred.
+data as an ASN.1 Octet String or NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_pbe_crypt_ex\fR\|(3),
\&\fBPKCS8_encrypt_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_item_decrypt_d2i_ex()\fR and \fBPKCS12_item_i2d_encrypt_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3 b/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3
index 41f39d36cec7..b0593418c6fb 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_key_gen_utf8_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_KEY_GEN_UTF8_EX 3ossl"
-.TH PKCS12_KEY_GEN_UTF8_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_KEY_GEN_UTF8_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_key_gen_asc, PKCS12_key_gen_asc_ex,
PKCS12_key_gen_uni, PKCS12_key_gen_uni_ex,
PKCS12_key_gen_utf8, PKCS12_key_gen_utf8_ex \- PKCS#12 Password based key derivation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -167,41 +91,41 @@ PKCS12_key_gen_utf8, PKCS12_key_gen_utf8_ex \- PKCS#12 Password based key deriva
\& unsigned char *out, const EVP_MD *md_type,
\& OSSL_LIB_CTX *ctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These methods perform a key derivation according to PKCS#12 (\s-1RFC7292\s0)
+These methods perform a key derivation according to PKCS#12 (RFC7292)
with an input password \fIpass\fR of length \fIpasslen\fR, a salt \fIsalt\fR of length
\&\fIsaltlen\fR, an iteration count \fIiter\fR and a digest algorithm \fImd_type\fR.
-The \s-1ID\s0 byte \fIid\fR determines how the resulting key is intended to be used:
-.IP "\(bu" 4
+The ID byte \fIid\fR determines how the resulting key is intended to be used:
+.IP \(bu 4
If ID=1, then the pseudorandom bits being produced are to be used
as key material for performing encryption or decryption.
-.IP "\(bu" 4
+.IP \(bu 4
If ID=2, then the pseudorandom bits being produced are to be used
-as an \s-1IV\s0 (Initial Value) for encryption or decryption.
-.IP "\(bu" 4
+as an IV (Initial Value) for encryption or decryption.
+.IP \(bu 4
If ID=3, then the pseudorandom bits being produced are to be used
as an integrity key for MACing.
.PP
The intended format of the supplied password is determined by the method chosen:
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS12_key_gen_asc()\fR and \fBPKCS12_key_gen_asc_ex()\fR expect an ASCII-formatted password.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS12_key_gen_uni()\fR and \fBPKCS12_key_gen_uni_ex()\fR expect a Unicode-formatted password.
-.IP "\(bu" 4
-\&\fBPKCS12_key_gen_utf8()\fR and \fBPKCS12_key_gen_utf8_ex()\fR expect a \s-1UTF\-8\s0 encoded password.
+.IP \(bu 4
+\&\fBPKCS12_key_gen_utf8()\fR and \fBPKCS12_key_gen_utf8_ex()\fR expect a UTF\-8 encoded password.
.PP
\&\fIpass\fR is the password used in the derivation of length \fIpasslen\fR. \fIpass\fR
-is an optional parameter and can be \s-1NULL.\s0 If \fIpasslen\fR is \-1, then the
+is an optional parameter and can be NULL. If \fIpasslen\fR is \-1, then the
function will calculate the length of \fIpass\fR using \fBstrlen()\fR.
.PP
\&\fIsalt\fR is the salt used in the derivation of length \fIsaltlen\fR. If the
-\&\fIsalt\fR is \s-1NULL,\s0 then \fIsaltlen\fR must be 0. The function will not
+\&\fIsalt\fR is NULL, then \fIsaltlen\fR must be 0. The function will not
attempt to calculate the length of the \fIsalt\fR because it is not assumed to
-be \s-1NULL\s0 terminated.
+be NULL terminated.
.PP
\&\fIiter\fR is the iteration count and its value should be greater than or
-equal to 1. \s-1RFC 2898\s0 suggests an iteration count of at least 1000. Any
+equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
\&\fIiter\fR less than 1 is treated as a single iteration.
.PP
\&\fIdigest\fR is the message digest function used in the derivation.
@@ -211,7 +135,7 @@ is specified via \fIn\fR.
.PP
Functions ending in \fB_ex()\fR allow for a library context \fIctx\fR and property query
\&\fIpropq\fR to be used to select algorithm implementations.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
A typical application of this function is to derive keying material for an
encryption algorithm from a password in the \fIpass\fR, a salt in \fIsalt\fR,
@@ -225,21 +149,21 @@ of candidate passwords.
Returns 1 on success or 0 on error.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create_ex\fR\|(3),
\&\fBPKCS12_pbe_crypt_ex\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_key_gen_asc_ex()\fR, \fBPKCS12_key_gen_uni_ex()\fR and \fBPKCS12_key_gen_utf8_ex()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3
index 65291e441603..a11f85cb2230 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,113 +52,53 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_NEWPASS 3ossl"
-.TH PKCS12_NEWPASS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_NEWPASS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_newpass \- change the password of a PKCS12 structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
\&
\& int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_newpass()\fR changes the password of a \s-1PKCS12\s0 structure.
+\&\fBPKCS12_newpass()\fR changes the password of a PKCS12 structure.
.PP
-\&\fBp12\fR is a pointer to a \s-1PKCS12\s0 structure. \fBoldpass\fR is the existing password
+\&\fBp12\fR is a pointer to a PKCS12 structure. \fBoldpass\fR is the existing password
and \fBnewpass\fR is the new password.
.PP
Each of \fBoldpass\fR and \fBnewpass\fR is independently interpreted as a string in
-the \s-1UTF\-8\s0 encoding. If it is not valid \s-1UTF\-8,\s0 it is assumed to be \s-1ISO8859\-1\s0
+the UTF\-8 encoding. If it is not valid UTF\-8, it is assumed to be ISO8859\-1
instead.
.PP
In particular, this means that passwords in the locale character set
-(or code page on Windows) must potentially be converted to \s-1UTF\-8\s0 before
+(or code page on Windows) must potentially be converted to UTF\-8 before
use. This may include passwords from local text files, or input from
the terminal or command line. Refer to the documentation of
\&\fBUI_OpenSSL\fR\|(3), for example.
.PP
If the PKCS#12 structure does not have a password, then you must use the empty
-string "" for \fBoldpass\fR. Using \s-1NULL\s0 for \fBoldpass\fR will result in a
+string "" for \fBoldpass\fR. Using NULL for \fBoldpass\fR will result in a
\&\fBPKCS12_newpass()\fR failure.
.PP
If the wrong password is used for \fBoldpass\fR then the function will fail,
-with a \s-1MAC\s0 verification error. In rare cases the \s-1PKCS12\s0 structure does not
-contain a \s-1MAC:\s0 in this case it will usually fail with a decryption padding
+with a MAC verification error. In rare cases the PKCS12 structure does not
+contain a MAC: in this case it will usually fail with a decryption padding
error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS12_newpass()\fR returns 1 on success or 0 on failure. Applications can
retrieve the most recent error from \fBPKCS12_newpass()\fR with \fBERR_get_error()\fR.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
This example loads a PKCS#12 file, changes its password and writes out
the result to a new file.
@@ -223,20 +147,20 @@ the result to a new file.
\& return 0;
\& }
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The password format is a \s-1NULL\s0 terminated \s-1ASCII\s0 string which is converted to
+The password format is a NULL terminated ASCII string which is converted to
Unicode form internally. As a result some passwords cannot be supplied to
this function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3 b/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3
index 8f9e11f8efba..cf46aab31400 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_pack_p7encdata.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_PACK_P7ENCDATA 3ossl"
-.TH PKCS12_PACK_P7ENCDATA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_PACK_P7ENCDATA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_pack_p7encdata, PKCS12_pack_p7encdata_ex \- Pack a set of PKCS#12 safeBags
into a PKCS#7 encrypted data object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -152,12 +76,12 @@ into a PKCS#7 encrypted data object
\& STACK_OF(PKCS12_SAFEBAG) *bags,
\& OSSL_LIB_CTX *ctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS12_pack_p7encdata()\fR generates a PKCS#7 ContentInfo object of encrypted-data
-type from the set of safeBags \fIbags\fR. The algorithm \s-1ID\s0 in \fIpbe_nid\fR can be
+type from the set of safeBags \fIbags\fR. The algorithm ID in \fIpbe_nid\fR can be
a PKCS#12 or PKCS#5 password based encryption algorithm, or a cipher algorithm.
-If a cipher algorithm is passed, the PKCS#5 \s-1PBES2\s0 algorithm will be used with
+If a cipher algorithm is passed, the PKCS#5 PBES2 algorithm will be used with
this cipher as a parameter.
The password \fIpass\fR of length \fIpasslen\fR, salt \fIsalt\fR of length \fIsaltlen\fR
and iteration count \fIiter\fR are inputs into the encryption operation.
@@ -167,21 +91,21 @@ library context \fIctx\fR and property query \fIpropq\fR to be used to select th
algorithm implementation.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-A \fB\s-1PKCS7\s0\fR object if successful, or \s-1NULL\s0 if an error occurred.
+A \fBPKCS7\fR object if successful, or NULL if an error occurred.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 2315\s0 (<https://tools.ietf.org/html/rfc2315>)
+IETF RFC 2315 (<https://tools.ietf.org/html/rfc2315>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_pbe_crypt_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS12_pack_p7encdata_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_parse.3 b/secure/lib/libcrypto/man/man3/PKCS12_parse.3
index 08047e8b193f..2c4d66d4a681 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_parse.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_parse.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_PARSE 3ossl"
-.TH PKCS12_PARSE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS12_PARSE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS12_parse \- parse a PKCS#12 structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
@@ -146,33 +70,33 @@ PKCS12_parse \- parse a PKCS#12 structure
\& int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
\& STACK_OF(X509) **ca);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS12_parse()\fR parses a \s-1PKCS12\s0 structure.
+\&\fBPKCS12_parse()\fR parses a PKCS12 structure.
.PP
-\&\fBp12\fR is the \fB\s-1PKCS12\s0\fR structure to parse. \fBpass\fR is the passphrase to use.
+\&\fBp12\fR is the \fBPKCS12\fR structure to parse. \fBpass\fR is the passphrase to use.
If successful the private key will be written to \fB*pkey\fR, the corresponding
certificate to \fB*cert\fR and any additional certificates to \fB*ca\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Each of the parameters \fBpkey\fR, \fBcert\fR, and \fBca\fR can be \s-1NULL\s0 in which case
+Each of the parameters \fBpkey\fR, \fBcert\fR, and \fBca\fR can be NULL in which case
the private key, the corresponding certificate, or the additional certificates,
respectively, will be discarded.
If any of \fBpkey\fR and \fBcert\fR is non-NULL the variable it points to is
initialized.
-If \fBca\fR is non-NULL and \fB*ca\fR is \s-1NULL\s0 a new \s-1STACK\s0 will be allocated.
-If \fBca\fR is non-NULL and \fB*ca\fR is a valid \s-1STACK\s0
+If \fBca\fR is non-NULL and \fB*ca\fR is NULL a new STACK will be allocated.
+If \fBca\fR is non-NULL and \fB*ca\fR is a valid STACK
then additional certificates are appended in the given order to \fB*ca\fR.
.PP
The \fBfriendlyName\fR and \fBlocalKeyID\fR attributes (if present) on each
certificate will be stored in the \fBalias\fR and \fBkeyid\fR attributes of the
\&\fBX509\fR structure.
.PP
-The parameter \fBpass\fR is interpreted as a string in the \s-1UTF\-8\s0 encoding. If it
-is not valid \s-1UTF\-8,\s0 then it is assumed to be \s-1ISO8859\-1\s0 instead.
+The parameter \fBpass\fR is interpreted as a string in the UTF\-8 encoding. If it
+is not valid UTF\-8, then it is assumed to be ISO8859\-1 instead.
.PP
In particular, this means that passwords in the locale character set
-(or code page on Windows) must potentially be converted to \s-1UTF\-8\s0 before
+(or code page on Windows) must potentially be converted to UTF\-8 before
use. This may include passwords from local text files, or input from
the terminal or command line. Refer to the documentation of
\&\fBUI_OpenSSL\fR\|(3), for example.
@@ -181,7 +105,7 @@ the terminal or command line. Refer to the documentation of
\&\fBPKCS12_parse()\fR returns 1 for success and zero if an error occurred.
.PP
The error can be obtained from \fBERR_get_error\fR\|(3)
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
Only a single private key and corresponding certificate is returned by this
function. More complex PKCS#12 files with multiple private keys will only
@@ -190,16 +114,16 @@ return the first match.
Only \fBfriendlyName\fR and \fBlocalKeyID\fR attributes are currently stored in
certificates. Other attributes are discarded.
.PP
-Attributes currently cannot be stored in the private key \fB\s-1EVP_PKEY\s0\fR structure.
+Attributes currently cannot be stored in the private key \fBEVP_PKEY\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_PKCS12\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3
index ae5c3283e135..f4b97417f065 100644
--- a/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3
+++ b/secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS5_PBE_KEYIVGEN 3ossl"
-.TH PKCS5_PBE_KEYIVGEN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS5_PBE_KEYIVGEN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS5_PBE_keyivgen, PKCS5_PBE_keyivgen_ex, PKCS5_pbe2_set, PKCS5_pbe2_set_iv,
PKCS5_pbe2_set_iv_ex, PKCS5_pbe_set, PKCS5_pbe_set_ex, PKCS5_pbe2_set_scrypt,
PKCS5_pbe_set0_algor, PKCS5_pbe_set0_algor_ex,
@@ -144,7 +68,7 @@ PKCS5_v2_PBE_keyivgen, PKCS5_v2_PBE_keyivgen_ex,
PKCS5_v2_scrypt_keyivgen, PKCS5_v2_scrypt_keyivgen_ex,
PKCS5_pbkdf2_set, PKCS5_pbkdf2_set_ex, EVP_PBE_scrypt, EVP_PBE_scrypt_ex
\&\- PKCS#5 Password based encryption routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -214,33 +138,33 @@ PKCS5_pbkdf2_set, PKCS5_pbkdf2_set_ex, EVP_PBE_scrypt, EVP_PBE_scrypt_ex
\& int prf_nid, int keylen,
\& OSSL_LIB_CTX *libctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
.SS "Key Derivation"
.IX Subsection "Key Derivation"
\&\fBPKCS5_PBE_keyivgen()\fR and \fBPKCS5_PBE_keyivgen_ex()\fR take a password \fIpass\fR of
length \fIpasslen\fR, parameters \fIparam\fR and a message digest function \fImd_type\fR
-and performs a key derivation according to PKCS#5 \s-1PBES1.\s0 The resulting key is
+and performs a key derivation according to PKCS#5 PBES1. The resulting key is
then used to initialise the cipher context \fIctx\fR with a cipher \fIcipher\fR for
encryption (\fIen_de\fR=1) or decryption (\fIen_de\fR=0).
.PP
-\&\fIpass\fR is an optional parameter and can be \s-1NULL.\s0 If \fIpasslen\fR is \-1, then the
+\&\fIpass\fR is an optional parameter and can be NULL. If \fIpasslen\fR is \-1, then the
function will calculate the length of \fIpass\fR using \fBstrlen()\fR.
.PP
\&\fBPKCS5_v2_PBE_keyivgen()\fR and \fBPKCS5_v2_PBE_keyivgen_ex()\fR are similar to the above
-but instead use PKCS#5 \s-1PBES2\s0 as the encryption algorithm using the supplied
+but instead use PKCS#5 PBES2 as the encryption algorithm using the supplied
parameters.
.PP
-\&\fBPKCS5_v2_scrypt_keyivgen()\fR and \fBPKCS5_v2_scrypt_keyivgen_ex()\fR use \s-1SCRYPT\s0 as the
+\&\fBPKCS5_v2_scrypt_keyivgen()\fR and \fBPKCS5_v2_scrypt_keyivgen_ex()\fR use SCRYPT as the
key derivation part of the encryption algorithm.
.PP
\&\fIsalt\fR is the salt used in the derivation of length \fIsaltlen\fR. If the
-\&\fIsalt\fR is \s-1NULL,\s0 then \fIsaltlen\fR must be 0. The function will not
+\&\fIsalt\fR is NULL, then \fIsaltlen\fR must be 0. The function will not
attempt to calculate the length of the \fIsalt\fR because it is not assumed to
-be \s-1NULL\s0 terminated.
+be NULL terminated.
.PP
\&\fIiter\fR is the iteration count and its value should be greater than or
-equal to 1. \s-1RFC 2898\s0 suggests an iteration count of at least 1000. Any
+equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
\&\fIiter\fR less than 1 is treated as a single iteration.
.PP
\&\fIdigest\fR is the message digest function used in the derivation.
@@ -251,16 +175,22 @@ are used to select appropriate algorithm implementations.
.IX Subsection "Algorithm Identifier Creation"
\&\fBPKCS5_pbe_set()\fR, \fBPKCS5_pbe_set_ex()\fR, \fBPKCS5_pbe2_set()\fR, \fBPKCS5_pbe2_set_iv()\fR,
\&\fBPKCS5_pbe2_set_iv_ex()\fR and \fBPKCS5_pbe2_set_scrypt()\fR generate an \fBX509_ALGOR\fR
-object which represents an AlgorithmIdentifier containing the algorithm \s-1OID\s0 and
-associated parameters for the \s-1PBE\s0 algorithm.
+object which represents an AlgorithmIdentifier containing the algorithm OID and
+associated parameters for the PBE algorithm.
.PP
\&\fBPKCS5_pbkdf2_set()\fR and \fBPKCS5_pbkdf2_set_ex()\fR generate an \fBX509_ALGOR\fR
-object which represents an AlgorithmIdentifier containing the algorithm \s-1OID\s0 and
-associated parameters for the \s-1PBKDF2\s0 algorithm.
+object which represents an AlgorithmIdentifier containing the algorithm OID and
+associated parameters for the PBKDF2 algorithm.
.PP
-\&\fBPKCS5_pbe_set0_algor()\fR and \fBPKCS5_pbe_set0_algor_ex()\fR set the \s-1PBE\s0 algorithm \s-1OID\s0 and
+\&\fBPKCS5_pbe_set0_algor()\fR and \fBPKCS5_pbe_set0_algor_ex()\fR set the PBE algorithm OID and
parameters into the supplied \fBX509_ALGOR\fR.
-.SH "NOTES"
+.PP
+If \fIsalt\fR is NULL, then \fIsaltlen\fR specifies the size in bytes of the random salt to
+generate. If \fIsaltlen\fR is 0 then a default size is used.
+For PBE related functions such as \fBPKCS5_pbe_set_ex()\fR the default salt length is 8 bytes.
+For PBE2 related functions that use PBKDF2 such as \fBPKCS5_pbkdf2_set()\fR,
+\&\fBPKCS5_pbe2_set_scrypt()\fR and \fBPKCS5_pbe2_set()\fR the default salt length is 16 bytes.
+.SH NOTES
.IX Header "NOTES"
The *\fB_keyivgen()\fR functions are typically used in PKCS#12 to encrypt objects.
.PP
@@ -276,28 +206,32 @@ It will simply be treated as a byte sequence.
\&\fBPKCS5_pbe_set()\fR, \fBPKCS5_pbe_set_ex()\fR, \fBPKCS5_pbe2_set()\fR, \fBPKCS5_pbe2_set_iv()\fR,
\&\fBPKCS5_pbe2_set_iv_ex()\fR, \fBPKCS5_pbe2_set_scrypt()\fR,
\&\fBPKCS5_pbkdf2_set()\fR and \fBPKCS5_pbkdf2_set_ex()\fR return an \fBX509_ALGOR\fR object or
-\&\s-1NULL\s0 if an error occurs.
+NULL if an error occurs.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 8018\s0 (<https://tools.ietf.org/html/rfc8018>)
+IETF RFC 8018 (<https://tools.ietf.org/html/rfc8018>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PBE_CipherInit_ex\fR\|(3),
\&\fBPKCS12_pbe_crypt_ex\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS5_v2_PBE_keyivgen_ex()\fR, \fBEVP_PBE_scrypt_ex()\fR, \fBPKCS5_v2_scrypt_keyivgen_ex()\fR,
\&\fBPKCS5_pbe_set0_algor_ex()\fR, \fBPKCS5_pbe_set_ex()\fR, \fBPKCS5_pbe2_set_iv_ex()\fR and
\&\fBPKCS5_pbkdf2_set_ex()\fR were added in OpenSSL 3.0.
.PP
-From OpenSSL 3.0 the \s-1PBKDF1\s0 algorithm used in \fBPKCS5_PBE_keyivgen()\fR and
-\&\fBPKCS5_PBE_keyivgen_ex()\fR has been moved to the legacy provider as an \s-1EVP_KDF.\s0
-.SH "COPYRIGHT"
+From OpenSSL 3.0 the PBKDF1 algorithm used in \fBPKCS5_PBE_keyivgen()\fR and
+\&\fBPKCS5_PBE_keyivgen_ex()\fR has been moved to the legacy provider as an EVP_KDF.
+.PP
+In OpenSSL 3.2 the default salt length changed from 8 bytes to 16 bytes for PBE2
+related functions such as \fBPKCS5_pbe2_set()\fR.
+This is required for PBKDF2 FIPS compliance.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3
index 8523d1a92fd7..acafdabb5aac 100644
--- a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3
+++ b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS5_PBKDF2_HMAC 3ossl"
-.TH PKCS5_PBKDF2_HMAC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS5_PBKDF2_HMAC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS5_PBKDF2_HMAC, PKCS5_PBKDF2_HMAC_SHA1 \- password based derivation routines with salt and iteration count
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -152,30 +76,31 @@ PKCS5_PBKDF2_HMAC, PKCS5_PBKDF2_HMAC_SHA1 \- password based derivation routines
\& const unsigned char *salt, int saltlen, int iter,
\& int keylen, unsigned char *out);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1\fBPKCS5_PBKDF2_HMAC\s0()\fR derives a key from a password using a salt and iteration count
-as specified in \s-1RFC 2898.\s0
+\&\fBPKCS5_PBKDF2_HMAC()\fR derives a key from a password using a salt and iteration count
+as specified in RFC 2898.
.PP
\&\fBpass\fR is the password used in the derivation of length \fBpasslen\fR. \fBpass\fR
-is an optional parameter and can be \s-1NULL.\s0 If \fBpasslen\fR is \-1, then the
+is an optional parameter and can be NULL. If \fBpasslen\fR is \-1, then the
function will calculate the length of \fBpass\fR using \fBstrlen()\fR.
.PP
\&\fBsalt\fR is the salt used in the derivation of length \fBsaltlen\fR. If the
-\&\fBsalt\fR is \s-1NULL,\s0 then \fBsaltlen\fR must be 0. The function will not
+\&\fBsalt\fR is NULL, then \fBsaltlen\fR must be 0. The function will not
attempt to calculate the length of the \fBsalt\fR because it is not assumed to
-be \s-1NULL\s0 terminated.
+be NULL terminated.
.PP
\&\fBiter\fR is the iteration count and its value should be greater than or
-equal to 1. \s-1RFC 2898\s0 suggests an iteration count of at least 1000. Any
-\&\fBiter\fR less than 1 is treated as a single iteration.
+equal to 1. RFC 2898 suggests an iteration count of at least 1000. Any
+\&\fBiter\fR value less than 1 is invalid; such values will result in failure
+and raise the PROV_R_INVALID_ITERATION_COUNT error.
.PP
\&\fBdigest\fR is the message digest function used in the derivation.
-\&\s-1\fBPKCS5_PBKDF2_HMAC_SHA1\s0()\fR calls \s-1\fBPKCS5_PBKDF2_HMAC\s0()\fR with \fBEVP_sha1()\fR.
+\&\fBPKCS5_PBKDF2_HMAC_SHA1()\fR calls \fBPKCS5_PBKDF2_HMAC()\fR with \fBEVP_sha1()\fR.
.PP
The derived key will be written to \fBout\fR. The size of the \fBout\fR buffer
is specified via \fBkeylen\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
A typical application of this function is to derive keying material for an
encryption algorithm from a password in the \fBpass\fR, a salt in \fBsalt\fR,
@@ -189,17 +114,17 @@ These functions make no assumption regarding the given password.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBPKCS5_PBKDF2_HMAC\s0()\fR and \s-1\fBPBKCS5_PBKDF2_HMAC_SHA1\s0()\fR return 1 on success or 0 on error.
+\&\fBPKCS5_PBKDF2_HMAC()\fR and \fBPBKCS5_PBKDF2_HMAC_SHA1()\fR return 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\fBEVP_BytesToKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2014\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3
index 85b2075db568..c9d0594db602 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,104 +52,44 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_DECRYPT 3ossl"
-.TH PKCS7_DECRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_DECRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_decrypt \- decrypt content from a PKCS#7 envelopedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS7_decrypt()\fR extracts and decrypts the content from a PKCS#7 envelopedData
structure. \fBpkey\fR is the private key of the recipient, \fBcert\fR is the
-recipients certificate, \fBdata\fR is a \s-1BIO\s0 to write the content to and
+recipients certificate, \fBdata\fR is a BIO to write the content to and
\&\fBflags\fR is an optional set of flags.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Although the recipients certificate is not needed to decrypt the data it is needed
to locate the appropriate (of possible several) recipients in the PKCS#7 structure.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
+If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS7_decrypt()\fR returns either 1 for success or 0 for failure.
The error can be obtained from \fBERR_get_error\fR\|(3)
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
\&\fBPKCS7_decrypt()\fR must be passed the correct recipient key and certificate. It would
be better if it could look up the correct key and certificate from a database.
@@ -175,11 +99,11 @@ mentioned in \fBPKCS7_sign()\fR also applies to \fBPKCS7_verify()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3
index 69a6c309b8f3..1f5d9738e46e 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_ENCRYPT 3ossl"
-.TH PKCS7_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_encrypt_ex, PKCS7_encrypt
\&\- create a PKCS#7 envelopedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
@@ -150,7 +74,7 @@ PKCS7_encrypt_ex, PKCS7_encrypt
\& PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
\& int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS7_encrypt_ex()\fR creates and returns a PKCS#7 envelopedData structure.
\&\fIcerts\fR is a list of recipient certificates. \fIin\fR is the content to be
@@ -158,68 +82,68 @@ encrypted. \fIcipher\fR is the symmetric cipher to use. \fIflags\fR is an option
of flags. The library context \fIlibctx\fR and the property query \fIpropq\fR are used
when retrieving algorithms from providers.
.PP
-Only \s-1RSA\s0 keys are supported in PKCS#7 and envelopedData so the recipient
-certificates supplied to this function must all contain \s-1RSA\s0 public keys, though
-they do not have to be signed using the \s-1RSA\s0 algorithm.
+Only RSA keys are supported in PKCS#7 and envelopedData so the recipient
+certificates supplied to this function must all contain RSA public keys, though
+they do not have to be signed using the RSA algorithm.
.PP
-\&\fBEVP_des_ede3_cbc()\fR (triple \s-1DES\s0) is the algorithm of choice for S/MIME use
+\&\fBEVP_des_ede3_cbc()\fR (triple DES) is the algorithm of choice for S/MIME use
because most clients will support it.
.PP
-Some old \*(L"export grade\*(R" clients may only support weak encryption using 40 or 64
-bit \s-1RC2.\s0 These can be used by passing \fBEVP_rc2_40_cbc()\fR and \fBEVP_rc2_64_cbc()\fR
+Some old "export grade" clients may only support weak encryption using 40 or 64
+bit RC2. These can be used by passing \fBEVP_rc2_40_cbc()\fR and \fBEVP_rc2_64_cbc()\fR
respectively.
.PP
-The algorithm passed in the \fBcipher\fR parameter must support \s-1ASN1\s0 encoding of
+The algorithm passed in the \fBcipher\fR parameter must support ASN1 encoding of
its parameters.
.PP
-Many browsers implement a \*(L"sign and encrypt\*(R" option which is simply an S/MIME
+Many browsers implement a "sign and encrypt" option which is simply an S/MIME
envelopedData containing an S/MIME signed message. This can be readily produced
-by storing the S/MIME signed message in a memory \s-1BIO\s0 and passing it to
+by storing the S/MIME signed message in a memory BIO and passing it to
\&\fBPKCS7_encrypt()\fR.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are
+If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are
prepended to the data.
.PP
-Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
-required by the S/MIME specifications) if \fB\s-1PKCS7_BINARY\s0\fR is set no translation
+Normally the supplied content is translated into MIME canonical format (as
+required by the S/MIME specifications) if \fBPKCS7_BINARY\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
-otherwise the translation will corrupt it. If \fB\s-1PKCS7_BINARY\s0\fR is set then
-\&\fB\s-1PKCS7_TEXT\s0\fR is ignored.
+otherwise the translation will corrupt it. If \fBPKCS7_BINARY\fR is set then
+\&\fBPKCS7_TEXT\fR is ignored.
.PP
-If the \fB\s-1PKCS7_STREAM\s0\fR flag is set a partial \fB\s-1PKCS7\s0\fR structure is output
-suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
+If the \fBPKCS7_STREAM\fR flag is set a partial \fBPKCS7\fR structure is output
+suitable for streaming I/O: no data is read from the BIO \fBin\fR.
.PP
-If the flag \fB\s-1PKCS7_STREAM\s0\fR is set the returned \fB\s-1PKCS7\s0\fR structure is \fBnot\fR
+If the flag \fBPKCS7_STREAM\fR is set the returned \fBPKCS7\fR structure is \fBnot\fR
complete and outputting its contents via a function that does not
-properly finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable
+properly finalize the \fBPKCS7\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_PKCS7()\fR, \fBi2d_PKCS7_bio_stream()\fR,
\&\fBPEM_write_bio_PKCS7_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming ASN1 \fBBIO\fR directly using
\&\fBBIO_new_PKCS7()\fR.
.PP
\&\fBPKCS7_encrypt()\fR is similar to \fBPKCS7_encrypt_ex()\fR but uses default
-values of \s-1NULL\s0 for the library context \fIlibctx\fR and the property query \fIpropq\fR.
+values of NULL for the library context \fIlibctx\fR and the property query \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS7_encrypt_ex()\fR and \fBPKCS7_encrypt()\fR return either a \s-1PKCS7\s0 structure
-or \s-1NULL\s0 if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
+\&\fBPKCS7_encrypt_ex()\fR and \fBPKCS7_encrypt()\fR return either a PKCS7 structure
+or NULL if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBPKCS7_encrypt_ex()\fR was added in OpenSSL 3.0.
.PP
-The \fB\s-1PKCS7_STREAM\s0\fR flag was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+The \fBPKCS7_STREAM\fR flag was added in OpenSSL 1.0.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3 b/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3
index 7fd3a97af44a..1819a2b9a05f 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_get_octet_string.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,102 +52,42 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_GET_OCTET_STRING 3ossl"
-.TH PKCS7_GET_OCTET_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_GET_OCTET_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_get_octet_string \- return octet string from a PKCS#7 envelopedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS7_get_octet_string()\fR returns a pointer to an \s-1ASN1\s0 octet string from a
-PKCS#7 envelopedData structure or \fB\s-1NULL\s0\fR if the structure cannot be parsed.
-.SH "NOTES"
+\&\fBPKCS7_get_octet_string()\fR returns a pointer to an ASN1 octet string from a
+PKCS#7 envelopedData structure or \fBNULL\fR if the structure cannot be parsed.
+.SH NOTES
.IX Header "NOTES"
As the \fB0\fR implies, \fBPKCS7_get_octet_string()\fR returns internal pointers which
should not be freed by the caller.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS7_get_octet_string()\fR returns an \s-1ASN1_OCTET_STRING\s0 pointer.
+\&\fBPKCS7_get_octet_string()\fR returns an ASN1_OCTET_STRING pointer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS7_type_is_data\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign.3
index c34e732412c4..700a11d8af8c 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_sign.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_SIGN 3ossl"
-.TH PKCS7_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_sign_ex, PKCS7_sign
\&\- create a PKCS#7 signedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
@@ -150,7 +74,7 @@ PKCS7_sign_ex, PKCS7_sign
\& PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
\& BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS7_sign_ex()\fR creates and returns a PKCS#7 signedData structure.
\&\fIsigncert\fR is the certificate to sign with, \fIpkey\fR is the corresponding
@@ -159,102 +83,102 @@ in the PKCS#7 structure (for example any intermediate CAs in the chain).
The library context \fIlibctx\fR and property query \fIpropq\fR are used when
retrieving algorithms from providers.
.PP
-The data to be signed is read from \s-1BIO\s0 \fIdata\fR.
+The data to be signed is read from BIO \fIdata\fR.
.PP
\&\fIflags\fR is an optional set of flags.
.PP
Any of the following flags (ored together) can be passed in the \fIflags\fR
parameter.
.PP
-Many S/MIME clients expect the signed content to include valid \s-1MIME\s0 headers. If
-the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \f(CW\*(C`text/plain\*(C'\fR are prepended
+Many S/MIME clients expect the signed content to include valid MIME headers. If
+the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are prepended
to the data.
.PP
-If \fB\s-1PKCS7_NOCERTS\s0\fR is set the signer's certificate and the extra \fIcerts\fR
-will not be included in the \s-1PKCS7\s0 structure.
+If \fBPKCS7_NOCERTS\fR is set the signer's certificate and the extra \fIcerts\fR
+will not be included in the PKCS7 structure.
The signer's certificate must still be supplied in the \fIsigncert\fR parameter
though. This can reduce the size of the signatures if the signer's certificates
can be obtained by other means: for example a previously signed message.
.PP
-The data being signed is included in the \s-1PKCS7\s0 structure, unless
-\&\fB\s-1PKCS7_DETACHED\s0\fR is set in which case it is omitted. This is used for \s-1PKCS7\s0
+The data being signed is included in the PKCS7 structure, unless
+\&\fBPKCS7_DETACHED\fR is set in which case it is omitted. This is used for PKCS7
detached signatures which are used in S/MIME plaintext signed messages for
example.
.PP
-Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
-required by the S/MIME specifications) if \fB\s-1PKCS7_BINARY\s0\fR is set no translation
+Normally the supplied content is translated into MIME canonical format (as
+required by the S/MIME specifications) if \fBPKCS7_BINARY\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it.
.PP
The signedData structure includes several PKCS#7 authenticatedAttributes
including the signing time, the PKCS#7 content type and the supported list of
-ciphers in an SMIMECapabilities attribute. If \fB\s-1PKCS7_NOATTR\s0\fR is set then no
-authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set then just
+ciphers in an SMIMECapabilities attribute. If \fBPKCS7_NOATTR\fR is set then no
+authenticatedAttributes will be used. If \fBPKCS7_NOSMIMECAP\fR is set then just
the SMIMECapabilities are omitted.
.PP
If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0 If any of
+algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
these algorithms is disabled then it will not be included.
.PP
-If the flags \fB\s-1PKCS7_STREAM\s0\fR is set then the returned \fB\s-1PKCS7\s0\fR structure is
+If the flags \fBPKCS7_STREAM\fR is set then the returned \fBPKCS7\fR structure is
just initialized ready to perform the signing operation. The signing is however
\&\fBnot\fR performed and the data to be signed is not read from the \fIdata\fR
parameter. Signing is deferred until after the data has been written. In this
way data can be signed in a single pass.
.PP
-If the \fB\s-1PKCS7_PARTIAL\s0\fR flag is set a partial \fB\s-1PKCS7\s0\fR structure is output to
+If the \fBPKCS7_PARTIAL\fR flag is set a partial \fBPKCS7\fR structure is output to
which additional signers and capabilities can be added before finalization.
.PP
-If the flag \fB\s-1PKCS7_STREAM\s0\fR is set the returned \fB\s-1PKCS7\s0\fR structure is \fBnot\fR
+If the flag \fBPKCS7_STREAM\fR is set the returned \fBPKCS7\fR structure is \fBnot\fR
complete and outputting its contents via a function that does not properly
-finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable results.
+finalize the \fBPKCS7\fR structure will give unpredictable results.
.PP
Several functions including \fBSMIME_write_PKCS7()\fR, \fBi2d_PKCS7_bio_stream()\fR,
\&\fBPEM_write_bio_PKCS7_stream()\fR finalize the structure. Alternatively finalization
-can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
+can be performed by obtaining the streaming ASN1 \fBBIO\fR directly using
\&\fBBIO_new_PKCS7()\fR.
.PP
If a signer is specified it will use the default digest for the signing
-algorithm. This is \fB\s-1SHA1\s0\fR for both \s-1RSA\s0 and \s-1DSA\s0 keys.
+algorithm. This is \fBSHA256\fR for both RSA and DSA keys.
.PP
The \fIcerts\fR, \fIsigncert\fR and \fIpkey\fR parameters can all be
-\&\s-1NULL\s0 if the \fB\s-1PKCS7_PARTIAL\s0\fR flag is set. One or more signers can be added
+NULL if the \fBPKCS7_PARTIAL\fR flag is set. One or more signers can be added
using the function \fBPKCS7_sign_add_signer()\fR. \fBPKCS7_final()\fR must also be
called to finalize the structure if streaming is not enabled. Alternative
signing digests can also be specified using this method.
.PP
-If \fIsigncert\fR and \fIpkey\fR are \s-1NULL\s0 then a certificates only
+If \fIsigncert\fR and \fIpkey\fR are NULL then a certificates only
PKCS#7 structure is output.
.PP
In versions of OpenSSL before 1.0.0 the \fIsigncert\fR and \fIpkey\fR parameters must
-not be \s-1NULL.\s0
+not be NULL.
.PP
\&\fBPKCS7_sign()\fR is like \fBPKCS7_sign_ex()\fR except that it uses default values of
-\&\s-1NULL\s0 for the library context \fIlibctx\fR and the property query \fIpropq\fR.
-This is retained for \s-1API\s0 backward compatibility.
-.SH "BUGS"
+NULL for the library context \fIlibctx\fR and the property query \fIpropq\fR.
+This is retained for API backward compatibility.
+.SH BUGS
.IX Header "BUGS"
Some advanced attributes such as counter signatures are not supported.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS7_sign_ex()\fR and \fBPKCS7_sign()\fR return either a valid \s-1PKCS7\s0 structure
-or \s-1NULL\s0 if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
+\&\fBPKCS7_sign_ex()\fR and \fBPKCS7_sign()\fR return either a valid PKCS7 structure
+or NULL if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBPKCS7_sign_ex()\fR was added in OpenSSL 3.0.
.PP
-The \fB\s-1PKCS7_PARTIAL\s0\fR flag, and the ability for \fIcerts\fR, \fIsigncert\fR,
-and \fIpkey\fR parameters to be \s-1NULL\s0 were added in OpenSSL 1.0.0.
+The \fBPKCS7_PARTIAL\fR flag, and the ability for \fIcerts\fR, \fIsigncert\fR,
+and \fIpkey\fR parameters to be NULL were added in OpenSSL 1.0.0.
.PP
-The \fB\s-1PKCS7_STREAM\s0\fR flag was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+The \fBPKCS7_STREAM\fR flag was added in OpenSSL 1.0.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3
index 14edbb328a02..a00235c6d5ad 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_SIGN_ADD_SIGNER 3ossl"
-.TH PKCS7_SIGN_ADD_SIGNER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_SIGN_ADD_SIGNER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_sign_add_signer,
PKCS7_add_certificate, PKCS7_add_crl \- add information to PKCS7 structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
@@ -149,22 +73,22 @@ PKCS7_add_certificate, PKCS7_add_crl \- add information to PKCS7 structure
\& int PKCS7_add_certificate(PKCS7 *p7, X509 *cert);
\& int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS7_sign_add_signer()\fR adds a signer with certificate \fIsigncert\fR and private
-key \fIpkey\fR using message digest \fImd\fR to a \s-1PKCS7\s0 signed data structure \fIp7\fR.
+key \fIpkey\fR using message digest \fImd\fR to a PKCS7 signed data structure \fIp7\fR.
.PP
-The \fB\s-1PKCS7\s0\fR structure should be obtained from an initial call to \fBPKCS7_sign()\fR
-with the flag \fB\s-1PKCS7_PARTIAL\s0\fR set or in the case or re-signing a valid PKCS#7
+The \fBPKCS7\fR structure should be obtained from an initial call to \fBPKCS7_sign()\fR
+with the flag \fBPKCS7_PARTIAL\fR set or in the case or re-signing a valid PKCS#7
signed data structure.
.PP
-If the \fImd\fR parameter is \s-1NULL\s0 then the default digest for the public
+If the \fImd\fR parameter is NULL then the default digest for the public
key algorithm will be used.
.PP
-Unless the \fB\s-1PKCS7_REUSE_DIGEST\s0\fR flag is set the returned \fB\s-1PKCS7\s0\fR structure
+Unless the \fBPKCS7_REUSE_DIGEST\fR flag is set the returned \fBPKCS7\fR structure
is not complete and must be finalized either by streaming (if applicable) or
a call to \fBPKCS7_final()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The main purpose of this function is to provide finer control over a PKCS#7
signed data structure where the simpler \fBPKCS7_sign()\fR function defaults are
@@ -174,64 +98,64 @@ algorithms are needed.
Any of the following flags (ored together) can be passed in the \fIflags\fR
parameter.
.PP
-If \fB\s-1PKCS7_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content
-digest value from the \fB\s-1PKCS7\s0\fR structure: to add a signer to an existing structure.
+If \fBPKCS7_REUSE_DIGEST\fR is set then an attempt is made to copy the content
+digest value from the \fBPKCS7\fR structure: to add a signer to an existing structure.
An error occurs if a matching digest value cannot be found to copy. The
-returned \fB\s-1PKCS7\s0\fR structure will be valid and finalized when this flag is set.
+returned \fBPKCS7\fR structure will be valid and finalized when this flag is set.
.PP
-If \fB\s-1PKCS7_PARTIAL\s0\fR is set in addition to \fB\s-1PKCS7_REUSE_DIGEST\s0\fR then the
-\&\fB\s-1PKCS7_SIGNER_INO\s0\fR structure will not be finalized so additional attributes
+If \fBPKCS7_PARTIAL\fR is set in addition to \fBPKCS7_REUSE_DIGEST\fR then the
+\&\fBPKCS7_SIGNER_INO\fR structure will not be finalized so additional attributes
can be added. In this case an explicit call to \fBPKCS7_SIGNER_INFO_sign()\fR is
needed to finalize it.
.PP
-If \fB\s-1PKCS7_NOCERTS\s0\fR is set the signer's certificate will not be included in the
-\&\fB\s-1PKCS7\s0\fR structure, the signer's certificate must still be supplied in the
+If \fBPKCS7_NOCERTS\fR is set the signer's certificate will not be included in the
+\&\fBPKCS7\fR structure, the signer's certificate must still be supplied in the
\&\fIsigncert\fR parameter though. This can reduce the size of the signature if the
signers certificate can be obtained by other means: for example a previously
signed message.
.PP
The signedData structure includes several PKCS#7 authenticatedAttributes
including the signing time, the PKCS#7 content type and the supported list of
-ciphers in an SMIMECapabilities attribute. If \fB\s-1PKCS7_NOATTR\s0\fR is set then no
-authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set then just
+ciphers in an SMIMECapabilities attribute. If \fBPKCS7_NOATTR\fR is set then no
+authenticatedAttributes will be used. If \fBPKCS7_NOSMIMECAP\fR is set then just
the SMIMECapabilities are omitted.
.PP
If present the SMIMECapabilities attribute indicates support for the following
-algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0 If any of
+algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
these algorithms is disabled then it will not be included.
.PP
-\&\fBPKCS7_sign_add_signers()\fR returns an internal pointer to the \fB\s-1PKCS7_SIGNER_INFO\s0\fR
+\&\fBPKCS7_sign_add_signers()\fR returns an internal pointer to the \fBPKCS7_SIGNER_INFO\fR
structure just added, which can be used to set additional attributes
before it is finalized.
.PP
-\&\fBPKCS7_add_certificate()\fR adds to the \fB\s-1PKCS7\s0\fR structure \fIp7\fR the certificate
+\&\fBPKCS7_add_certificate()\fR adds to the \fBPKCS7\fR structure \fIp7\fR the certificate
\&\fIcert\fR, which may be an end-entity (signer) certificate
-or a \s-1CA\s0 certificate useful for chain building.
+or a CA certificate useful for chain building.
This is done internally by \fBPKCS7_sign_ex\fR\|(3) and similar signing functions.
It may have to be used before calling \fBPKCS7_verify\fR\|(3)
in order to provide any missing certificate(s) needed for verification.
.PP
-\&\fBPKCS7_add_crl()\fR adds the \s-1CRL\s0 \fIcrl\fR to the \fB\s-1PKCS7\s0\fR structure \fIp7\fR.
+\&\fBPKCS7_add_crl()\fR adds the CRL \fIcrl\fR to the \fBPKCS7\fR structure \fIp7\fR.
This may be called to provide certificate status information
-to be included when signing or to use when verifying the \fB\s-1PKCS7\s0\fR structure.
+to be included when signing or to use when verifying the \fBPKCS7\fR structure.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBPKCS7_sign_add_signers()\fR returns an internal pointer to the \fB\s-1PKCS7_SIGNER_INFO\s0\fR
-structure just added or \s-1NULL\s0 if an error occurs.
+\&\fBPKCS7_sign_add_signers()\fR returns an internal pointer to the \fBPKCS7_SIGNER_INFO\fR
+structure just added or NULL if an error occurs.
.PP
\&\fBPKCS7_add_certificate()\fR and \fBPKCS7_add_crl()\fR return 1 on success, 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign_ex\fR\|(3),
\&\fBPKCS7_final\fR\|(3), \fBPKCS7_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBPPKCS7_sign_add_signer()\fR function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2007\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3 b/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3
index 71c16c85d70b..d356c529f829 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_type_is_other.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_TYPE_IS_OTHER 3ossl"
-.TH PKCS7_TYPE_IS_OTHER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_TYPE_IS_OTHER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_type_is_other \- determine content type of PKCS#7 envelopedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int PKCS7_type_is_other(PKCS7 *p7);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS7_type_is_other()\fR returns the whether the content type of a PKCS#7 envelopedData
structure is one of the following content types:
@@ -162,11 +86,11 @@ NID_pkcs7_encrypted
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS7_type_is_data\fR\|(3), \fBPKCS7_get_octet_string\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 b/secure/lib/libcrypto/man/man3/PKCS7_verify.3
index 7e5140fd7bb5..9a00942a24aa 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_verify.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_verify.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_VERIFY 3ossl"
-.TH PKCS7_VERIFY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS7_VERIFY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
@@ -148,19 +72,21 @@ PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure
\&
\& STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS7_verify()\fR is very similar to \fBCMS_verify\fR\|(3).
It verifies a PKCS#7 signedData structure given in \fIp7\fR.
The optional \fIcerts\fR parameter refers to a set of certificates
in which to search for signer's certificates.
-\&\fIp7\fR may contain extra untrusted \s-1CA\s0 certificates that may be used for
+It is also used
+as a source of untrusted intermediate CA certificates for chain building.
+\&\fIp7\fR may contain extra untrusted CA certificates that may be used for
chain building as well as CRLs that may be used for certificate validation.
-\&\fIstore\fR may be \s-1NULL\s0 or point to
+\&\fIstore\fR may be NULL or point to
the trusted certificate store to use for chain verification.
\&\fIindata\fR refers to the signed data if the content is detached from \fIp7\fR.
-Otherwise \fIindata\fR should be \s-1NULL,\s0 and then the signed data must be in \fIp7\fR.
-The content is written to the \s-1BIO\s0 \fIout\fR unless it is \s-1NULL.\s0
+Otherwise \fIindata\fR should be NULL, and then the signed data must be in \fIp7\fR.
+The content is written to the BIO \fIout\fR unless it is NULL.
\&\fIflags\fR is an optional set of flags, which can be used to modify the operation.
.PP
\&\fBPKCS7_get0_signers()\fR retrieves the signer's certificates from \fIp7\fR, it does
@@ -172,58 +98,58 @@ Normally the verify process proceeds as follows.
.PP
Initially some sanity checks are performed on \fIp7\fR. The type of \fIp7\fR must
be SignedData. There must be at least one signature on the data and if
-the content is detached \fIindata\fR cannot be \s-1NULL.\s0 If the content is
-not detached and \fIindata\fR is not \s-1NULL\s0 then the structure has both
+the content is detached \fIindata\fR cannot be NULL. If the content is
+not detached and \fIindata\fR is not NULL then the structure has both
embedded and external content. To treat this as an error, use the flag
-\&\fB\s-1PKCS7_NO_DUAL_CONTENT\s0\fR.
+\&\fBPKCS7_NO_DUAL_CONTENT\fR.
The default behavior allows this, for compatibility with older
versions of OpenSSL.
.PP
An attempt is made to locate all the signer's certificates, first looking in
-the \fIcerts\fR parameter (if it is not \s-1NULL\s0). Then they are looked up in any
-certificates contained in the \fIp7\fR structure unless \fB\s-1PKCS7_NOINTERN\s0\fR is set.
+the \fIcerts\fR parameter (if it is not NULL). Then they are looked up in any
+certificates contained in the \fIp7\fR structure unless \fBPKCS7_NOINTERN\fR is set.
If any signer's certificates cannot be located the operation fails.
.PP
Each signer's certificate is chain verified using the \fBsmimesign\fR purpose and
using the trusted certificate store \fIstore\fR if supplied.
Any internal certificates in the message, which may have been added using
-\&\fBPKCS7_add_certificate\fR\|(3), are used as untrusted CAs unless \fB\s-1PKCS7_NOCHAIN\s0\fR
+\&\fBPKCS7_add_certificate\fR\|(3), are used as untrusted CAs unless \fBPKCS7_NOCHAIN\fR
is set.
-If \s-1CRL\s0 checking is enabled in \fIstore\fR and \fB\s-1PKCS7_NOCRL\s0\fR is not set,
+If CRL checking is enabled in \fIstore\fR and \fBPKCS7_NOCRL\fR is not set,
any internal CRLs, which may have been added using \fBPKCS7_add_crl\fR\|(3),
are used in addition to attempting to look them up in \fIstore\fR.
-If \fIstore\fR is not \s-1NULL\s0 and any chain verify fails an error code is returned.
+If \fIstore\fR is not NULL and any chain verify fails an error code is returned.
.PP
-Finally the signed content is read (and written to \fIout\fR unless it is \s-1NULL\s0)
+Finally the signed content is read (and written to \fIout\fR unless it is NULL)
and the signature is checked.
.PP
If all signatures verify correctly then the function is successful.
.PP
Any of the following flags (ored together) can be passed in the \fIflags\fR
parameter to change the default verify behaviour.
-Only the flag \fB\s-1PKCS7_NOINTERN\s0\fR is meaningful to \fBPKCS7_get0_signers()\fR.
+Only the flag \fBPKCS7_NOINTERN\fR is meaningful to \fBPKCS7_get0_signers()\fR.
.PP
-If \fB\s-1PKCS7_NOINTERN\s0\fR is set the certificates in the message itself are not
+If \fBPKCS7_NOINTERN\fR is set the certificates in the message itself are not
searched when locating the signer's certificates.
This means that all the signer's certificates must be in the \fIcerts\fR parameter.
.PP
-If \fB\s-1PKCS7_NOCRL\s0\fR is set and \s-1CRL\s0 checking is enabled in \fIstore\fR then any
+If \fBPKCS7_NOCRL\fR is set and CRL checking is enabled in \fIstore\fR then any
CRLs in the message itself are ignored.
.PP
-If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
+If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \f(CW\*(C`text/plain\*(C'\fR are deleted
from the content. If the content is not of type \f(CW\*(C`text/plain\*(C'\fR then an error is
returned.
.PP
-If \fB\s-1PKCS7_NOVERIFY\s0\fR is set the signer's certificates are not chain verified.
+If \fBPKCS7_NOVERIFY\fR is set the signer's certificates are not chain verified.
.PP
-If \fB\s-1PKCS7_NOCHAIN\s0\fR is set then the certificates contained in the message are
+If \fBPKCS7_NOCHAIN\fR is set then the certificates contained in the message are
not used as untrusted CAs. This means that the whole verify chain (apart from
the signer's certificates) must be contained in the trusted store.
.PP
-If \fB\s-1PKCS7_NOSIGS\s0\fR is set then the signatures on the data are not checked.
-.SH "NOTES"
+If \fBPKCS7_NOSIGS\fR is set then the signatures on the data are not checked.
+.SH NOTES
.IX Header "NOTES"
-One application of \fB\s-1PKCS7_NOINTERN\s0\fR is to only accept messages signed by
+One application of \fBPKCS7_NOINTERN\fR is to only accept messages signed by
a small number of certificates. The acceptable certificates would be passed
in the \fIcerts\fR parameter. In this case if the signer's certificate is not one
of the certificates supplied in \fIcerts\fR then the verify will fail because the
@@ -243,10 +169,10 @@ timestamp).
.IX Header "RETURN VALUES"
\&\fBPKCS7_verify()\fR returns 1 for a successful verification and 0 if an error occurs.
.PP
-\&\fBPKCS7_get0_signers()\fR returns all signers or \s-1NULL\s0 if an error occurred.
+\&\fBPKCS7_get0_signers()\fR returns all signers or NULL if an error occurred.
.PP
The error can be obtained from \fBERR_get_error\fR\|(3).
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The trusted certificate store is not searched for the signer's certificates.
This is primarily due to the inadequacies of the current \fBX509_STORE\fR
@@ -258,11 +184,11 @@ be held in memory if it is not detached.
.IX Header "SEE ALSO"
\&\fBCMS_verify\fR\|(3), \fBPKCS7_add_certificate\fR\|(3), \fBPKCS7_add_crl\fR\|(3),
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3
index 15d01095ab82..489a3a33ebd4 100644
--- a/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/PKCS8_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS8_ENCRYPT 3ossl"
-.TH PKCS8_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS8_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS8_decrypt, PKCS8_decrypt_ex, PKCS8_encrypt, PKCS8_encrypt_ex,
PKCS8_set0_pbe, PKCS8_set0_pbe_ex \- PKCS8 encrypt/decrypt functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -162,7 +86,7 @@ PKCS8_set0_pbe, PKCS8_set0_pbe_ex \- PKCS8 encrypt/decrypt functions
\& PKCS8_PRIV_KEY_INFO *p8inf, X509_ALGOR *pbe,
\& OSSL_LIB_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBPKCS8_encrypt()\fR and \fBPKCS8_encrypt_ex()\fR perform encryption of an object \fIp8\fR using
the password \fIpass\fR of length \fIpasslen\fR, salt \fIsalt\fR of length \fIsaltlen\fR
@@ -182,25 +106,25 @@ Functions ending in \fB_ex()\fR allow for a library context \fIctx\fR and proper
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS8_encrypt()\fR, \fBPKCS8_encrypt_ex()\fR, \fBPKCS8_set0_pbe()\fR and \fBPKCS8_set0_pbe_ex()\fR
-return an encrypted key in a \fBX509_SIG\fR structure or \s-1NULL\s0 if an error occurs.
+return an encrypted key in a \fBX509_SIG\fR structure or NULL if an error occurs.
.PP
-\&\fBPKCS8_decrypt()\fR and \fBPKCS8_decrypt_ex()\fR return a \fB\s-1PKCS8_PRIV_KEY_INFO\s0\fR or \s-1NULL\s0
+\&\fBPKCS8_decrypt()\fR and \fBPKCS8_decrypt_ex()\fR return a \fBPKCS8_PRIV_KEY_INFO\fR or NULL
if an error occurs.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1IETF RFC 7292\s0 (<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 7292 (<https://tools.ietf.org/html/rfc7292>)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBPKCS8_decrypt_ex()\fR, \fBPKCS8_encrypt_ex()\fR and \fBPKCS8_set0_pbe_ex()\fR were added in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3 b/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3
index f81d09b86099..1d7ad69e5c7a 100644
--- a/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3
+++ b/secure/lib/libcrypto/man/man3/PKCS8_pkey_add1_attr.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS8_PKEY_ADD1_ATTR 3ossl"
-.TH PKCS8_PKEY_ADD1_ATTR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PKCS8_PKEY_ADD1_ATTR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
PKCS8_pkey_get0_attrs, PKCS8_pkey_add1_attr, PKCS8_pkey_add1_attr_by_NID, PKCS8_pkey_add1_attr_by_OBJ \- PKCS8 attribute functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -151,33 +75,33 @@ PKCS8_pkey_get0_attrs, PKCS8_pkey_add1_attr, PKCS8_pkey_add1_attr_by_NID, PKCS8_
\& int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj,
\& int type, const unsigned char *bytes, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBPKCS8_pkey_get0_attrs()\fR returns a const \s-1STACK\s0 of X509_ATTRIBUTE present in
-the passed const \s-1PKCS8_PRIV_KEY_INFO\s0 structure \fBp8\fR.
+\&\fBPKCS8_pkey_get0_attrs()\fR returns a const STACK of X509_ATTRIBUTE present in
+the passed const PKCS8_PRIV_KEY_INFO structure \fBp8\fR.
.PP
\&\fBPKCS8_pkey_add1_attr()\fR adds a constructed X509_ATTRIBUTE \fBattr\fR to the
-existing \s-1PKCS8_PRIV_KEY_INFO\s0 structure \fBp8\fR.
+existing PKCS8_PRIV_KEY_INFO structure \fBp8\fR.
.PP
\&\fBPKCS8_pkey_add1_attr_by_NID()\fR and \fBPKCS8_pkey_add1_attr_by_OBJ()\fR construct a new
X509_ATTRIBUTE from the passed arguments and add it to the existing
-\&\s-1PKCS8_PRIV_KEY_INFO\s0 structure \fBp8\fR.
+PKCS8_PRIV_KEY_INFO structure \fBp8\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS8_pkey_add1_attr()\fR, \fBPKCS8_pkey_add1_attr_by_NID()\fR, and
\&\fBPKCS8_pkey_add1_attr_by_OBJ()\fR return 1 for success and 0 for failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\s-1STACK\s0 of X509_ATTRIBUTE is present in many X509\-related structures and some of
+STACK of X509_ATTRIBUTE is present in many X509\-related structures and some of
them have the corresponding set of similar functions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_add.3 b/secure/lib/libcrypto/man/man3/RAND_add.3
index 236fd3e9c8b4..cbe845c10cf0 100644
--- a/secure/lib/libcrypto/man/man3/RAND_add.3
+++ b/secure/lib/libcrypto/man/man3/RAND_add.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_ADD 3ossl"
-.TH RAND_ADD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_ADD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_add, RAND_poll, RAND_seed, RAND_status, RAND_event, RAND_screen,
RAND_keep_random_devices_open
\&\- add randomness to the PRNG or get its status
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
@@ -155,22 +79,22 @@ RAND_keep_random_devices_open
.Ve
.PP
The following functions have been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam);
\& void RAND_screen(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions can be used to seed the random generator and to check its
seeded state.
In general, manual (re\-)seeding of the default OpenSSL random generator
(\fBRAND_OpenSSL\fR\|(3)) is not necessary (but allowed), since it does (re\-)seed
itself automatically using trusted system entropy sources.
-This holds unless the default \s-1RAND_METHOD\s0 has been replaced or OpenSSL was
-built with automatic reseeding disabled, see \s-1\fBRAND\s0\fR\|(7) for more details.
+This holds unless the default RAND_METHOD has been replaced or OpenSSL was
+built with automatic reseeding disabled, see \fBRAND\fR\|(7) for more details.
.PP
\&\fBRAND_status()\fR indicates whether or not the random generator has been sufficiently
seeded. If not, functions such as \fBRAND_bytes\fR\|(3) will fail.
@@ -178,7 +102,7 @@ seeded. If not, functions such as \fBRAND_bytes\fR\|(3) will fail.
\&\fBRAND_poll()\fR uses the system's capabilities to seed the random generator using
random input obtained from polling various trusted entropy sources.
The default choice of the entropy source can be modified at build time,
-see \s-1\fBRAND\s0\fR\|(7) for more details.
+see \fBRAND\fR\|(7) for more details.
.PP
\&\fBRAND_add()\fR mixes the \fBnum\fR bytes at \fBbuf\fR into the internal state
of the random generator.
@@ -187,15 +111,15 @@ The \fBrandomness\fR argument is an estimate of how much randomness is
contained in
\&\fBbuf\fR, in bytes, and should be a number between zero and \fBnum\fR.
Details about sources of randomness and how to estimate their randomness
-can be found in the literature; for example [\s-1NIST SP 800\-90B\s0].
+can be found in the literature; for example [NIST SP 800\-90B].
The content of \fBbuf\fR cannot be recovered from subsequent random generator output.
Applications that intend to save and restore random state in an external file
should consider using \fBRAND_load_file\fR\|(3) instead.
.PP
-\&\s-1NOTE:\s0 In \s-1FIPS\s0 mode, random data provided by the application is not considered to
-be a trusted entropy source. It is mixed into the internal state of the \s-1RNG\s0 as
+NOTE: In FIPS mode, random data provided by the application is not considered to
+be a trusted entropy source. It is mixed into the internal state of the RNG as
additional data only and this does not count as a full reseed.
-For more details, see \s-1\fBEVP_RAND\s0\fR\|(7).
+For more details, see \fBEVP_RAND\fR\|(7).
.PP
\&\fBRAND_seed()\fR is equivalent to \fBRAND_add()\fR with \fBrandomness\fR set to \fBnum\fR.
.PP
@@ -210,7 +134,7 @@ and it takes effect immediately. This capability only applies to the default
provider.
.PP
\&\fBRAND_event()\fR and \fBRAND_screen()\fR are equivalent to \fBRAND_poll()\fR and exist
-for compatibility reasons only. See \s-1HISTORY\s0 section below.
+for compatibility reasons only. See HISTORY section below.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_status()\fR returns 1 if the random generator has been seeded
@@ -226,17 +150,17 @@ The other functions do not return values.
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_egd\fR\|(3),
\&\fBRAND_load_file\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-\&\s-1\fBEVP_RAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7)
+\&\fBEVP_RAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBRAND_event()\fR and \fBRAND_screen()\fR were deprecated in OpenSSL 1.1.0 and should
not be used.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_bytes.3 b/secure/lib/libcrypto/man/man3/RAND_bytes.3
index 71be6338964a..b179be6df684 100644
--- a/secure/lib/libcrypto/man/man3/RAND_bytes.3
+++ b/secure/lib/libcrypto/man/man3/RAND_bytes.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_BYTES 3ossl"
-.TH RAND_BYTES 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_BYTES 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_bytes, RAND_priv_bytes, RAND_bytes_ex, RAND_priv_bytes_ex,
-RAND_pseudo_bytes \- generate random data
-.SH "SYNOPSIS"
+RAND_pseudo_bytes, RAND_set1_random_provider \- generate random data
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
@@ -151,46 +75,54 @@ RAND_pseudo_bytes \- generate random data
\& unsigned int strength);
\& int RAND_priv_bytes_ex(OSSL_LIB_CTX *ctx, unsigned char *buf, size_t num,
\& unsigned int strength);
+\&
+\& int RAND_set1_random_provider(OSSL_LIB_CTX *ctx, OSSL_PROVIDER *p);
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& int RAND_pseudo_bytes(unsigned char *buf, int num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBRAND_bytes()\fR generates \fBnum\fR random bytes using a cryptographically
-secure pseudo random generator (\s-1CSPRNG\s0) and stores them in \fBbuf\fR.
+secure pseudo random generator (CSPRNG) and stores them in \fBbuf\fR. \fBbuf\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBRAND_priv_bytes()\fR has the same semantics as \fBRAND_bytes()\fR. It is intended to
be used for generating values that should remain private. If using the
-default \s-1RAND_METHOD,\s0 this function uses a separate \*(L"private\*(R" \s-1PRNG\s0
-instance so that a compromise of the \*(L"public\*(R" \s-1PRNG\s0 instance will not
-affect the secrecy of these private values, as described in \s-1\fBRAND\s0\fR\|(7)
-and \s-1\fBEVP_RAND\s0\fR\|(7).
+default RAND_METHOD, this function uses a separate "private" PRNG
+instance so that a compromise of the "public" PRNG instance will not
+affect the secrecy of these private values, as described in \fBRAND\fR\|(7)
+and \fBEVP_RAND\fR\|(7).
.PP
\&\fBRAND_bytes_ex()\fR and \fBRAND_priv_bytes_ex()\fR are the same as \fBRAND_bytes()\fR and
\&\fBRAND_priv_bytes()\fR except that they both take additional \fIstrength\fR and
\&\fIctx\fR parameters. The bytes generated will have a security strength of at
least \fIstrength\fR bits.
-The \s-1DRBG\s0 used for the operation is the public or private \s-1DRBG\s0 associated with
-the specified \fIctx\fR. The parameter can be \s-1NULL,\s0 in which case
-the default library context is used (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3).
-If the default \s-1RAND_METHOD\s0 has been changed then for compatibility reasons the
-\&\s-1RAND_METHOD\s0 will be used in preference and the \s-1DRBG\s0 of the library context
+The DRBG used for the operation is the public or private DRBG associated with
+the specified \fIctx\fR. The parameter can be NULL, in which case
+the default library context is used (see \fBOSSL_LIB_CTX\fR\|(3).
+If the default RAND_METHOD has been changed then for compatibility reasons the
+RAND_METHOD will be used in preference and the DRBG of the library context
ignored.
-.SH "NOTES"
+.PP
+\&\fBRAND_set1_random_provider()\fR specifies a provider, \fIprov\fR, which will be used
+by the library context \fIctx\fR for all of the generate calls above instead
+of the built-in in DRBGs and entropy source. Pass NULL for the provider
+to disable the random provider functionality. In this case, the built-in DRBGs
+and entropy source will be used. This call should not be considered thread safe.
+.SH NOTES
.IX Header "NOTES"
-By default, the OpenSSL \s-1CSPRNG\s0 supports a security level of 256 bits, provided it
+By default, the OpenSSL CSPRNG supports a security level of 256 bits, provided it
was able to seed itself from a trusted entropy source.
On all major platforms supported by OpenSSL (including the Unix-like platforms
-and Windows), OpenSSL is configured to automatically seed the \s-1CSPRNG\s0 on first use
+and Windows), OpenSSL is configured to automatically seed the CSPRNG on first use
using the operating systems's random generator.
.PP
-If the entropy source fails or is not available, the \s-1CSPRNG\s0 will enter an
+If the entropy source fails or is not available, the CSPRNG will enter an
error state and refuse to generate random bytes. For that reason, it is important
to always check the error return value of \fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR and
not take randomness for granted.
@@ -204,29 +136,33 @@ mailing list.
.IX Header "RETURN VALUES"
\&\fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR
return 1 on success, \-1 if not supported by the current
-\&\s-1RAND\s0 method, or 0 on other failure. The error code can be
+RAND method, or 0 on other failure. The error code can be
obtained by \fBERR_get_error\fR\|(3).
+.PP
+\&\fBRAND_set1_random_provider()\fR returns 1 on success and 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_priv_bytes\fR\|(3),
\&\fBERR_get_error\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7),
-\&\s-1\fBEVP_RAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7),
+\&\fBEVP_RAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
-.IP "\(bu" 2
+.IP \(bu 2
\&\fBRAND_pseudo_bytes()\fR was deprecated in OpenSSL 1.1.0; use \fBRAND_bytes()\fR instead.
-.IP "\(bu" 2
+.IP \(bu 2
The \fBRAND_priv_bytes()\fR function was added in OpenSSL 1.1.1.
-.IP "\(bu" 2
+.IP \(bu 2
The \fBRAND_bytes_ex()\fR and \fBRAND_priv_bytes_ex()\fR functions were added in OpenSSL 3.0
-.SH "COPYRIGHT"
+.IP \(bu 2
+The \fBRAND_set1_random_provider()\fR function was added in OpenSSL 3.5
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_cleanup.3 b/secure/lib/libcrypto/man/man3/RAND_cleanup.3
index 637a60674c76..35c208335802 100644
--- a/secure/lib/libcrypto/man/man3/RAND_cleanup.3
+++ b/secure/lib/libcrypto/man/man3/RAND_cleanup.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,93 +52,33 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_CLEANUP 3ossl"
-.TH RAND_CLEANUP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_CLEANUP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_cleanup \- erase the PRNG state
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void RAND_cleanup(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Prior to OpenSSL 1.1.0, \fBRAND_cleanup()\fR released all resources used by
-the \s-1PRNG.\s0 As of version 1.1.0, it does nothing and should not be called,
+the PRNG. As of version 1.1.0, it does nothing and should not be called,
since no explicit initialisation or de-initialisation is necessary. See
\&\fBOPENSSL_init_crypto\fR\|(3).
.SH "RETURN VALUES"
@@ -162,16 +86,16 @@ since no explicit initialisation or de-initialisation is necessary. See
\&\fBRAND_cleanup()\fR returns no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBRAND_cleanup()\fR was deprecated in OpenSSL 1.1.0; do not use it.
See \fBOPENSSL_init_crypto\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_egd.3 b/secure/lib/libcrypto/man/man3/RAND_egd.3
index 1e488a530aad..79f8cb567e91 100644
--- a/secure/lib/libcrypto/man/man3/RAND_egd.3
+++ b/secure/lib/libcrypto/man/man3/RAND_egd.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_EGD 3ossl"
-.TH RAND_EGD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_EGD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes \- query entropy gathering daemon
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
@@ -148,31 +72,31 @@ RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes \- query entropy gathering daemon
\&
\& int RAND_query_egd_bytes(const char *path, unsigned char *buf, int num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
On older platforms without a good source of randomness such as \f(CW\*(C`/dev/urandom\*(C'\fR,
-it is possible to query an Entropy Gathering Daemon (\s-1EGD\s0) over a local
-socket to obtain randomness and seed the OpenSSL \s-1RNG.\s0
+it is possible to query an Entropy Gathering Daemon (EGD) over a local
+socket to obtain randomness and seed the OpenSSL RNG.
The protocol used is defined by the EGDs available at
<http://egd.sourceforge.net/> or <http://prngd.sourceforge.net>.
.PP
-\&\fBRAND_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at the
+\&\fBRAND_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an EGD at the
specified socket \fBpath\fR, and passes the data it receives into \fBRAND_add()\fR.
\&\fBRAND_egd()\fR is equivalent to \fBRAND_egd_bytes()\fR with \fBnum\fR set to 255.
.PP
-\&\fBRAND_query_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at
+\&\fBRAND_query_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an EGD at
the specified socket \fBpath\fR, where \fBnum\fR must be less than 256.
-If \fBbuf\fR is \fB\s-1NULL\s0\fR, it is equivalent to \fBRAND_egd_bytes()\fR.
-If \fBbuf\fR is not \fB\s-1NULL\s0\fR, then the data is copied to the buffer and
+If \fBbuf\fR is \fBNULL\fR, it is equivalent to \fBRAND_egd_bytes()\fR.
+If \fBbuf\fR is not \fBNULL\fR, then the data is copied to the buffer and
\&\fBRAND_add()\fR is not called.
.PP
-OpenSSL can be configured at build time to try to use the \s-1EGD\s0 for seeding
+OpenSSL can be configured at build time to try to use the EGD for seeding
automatically.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_egd()\fR and \fBRAND_egd_bytes()\fR return the number of bytes read from the
daemon on success, or \-1 if the connection failed or the daemon did not
-return enough data to fully seed the \s-1PRNG.\s0
+return enough data to fully seed the PRNG.
.PP
\&\fBRAND_query_egd_bytes()\fR returns the number of bytes read from the daemon on
success, or \-1 if the connection failed.
@@ -180,12 +104,12 @@ success, or \-1 if the connection failed.
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBRAND\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_get0_primary.3 b/secure/lib/libcrypto/man/man3/RAND_get0_primary.3
index 7cf696b32961..f6101756a2d9 100644
--- a/secure/lib/libcrypto/man/man3/RAND_get0_primary.3
+++ b/secure/lib/libcrypto/man/man3/RAND_get0_primary.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_GET0_PRIMARY 3ossl"
-.TH RAND_GET0_PRIMARY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_GET0_PRIMARY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_get0_primary,
RAND_get0_public,
-RAND_get0_private
+RAND_get0_private,
+RAND_set0_public,
+RAND_set0_private
\&\- get access to the global EVP_RAND_CTX instances
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
@@ -149,62 +75,73 @@ RAND_get0_private
\& EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx);
\& EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_CTX *ctx);
\& EVP_RAND_CTX *RAND_get0_private(OSSL_LIB_CTX *ctx);
+\& int RAND_set0_public(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand);
+\& int RAND_set0_private(OSSL_LIB_CTX *ctx, EVP_RAND_CTX *rand);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The default \s-1RAND API\s0 implementation (\fBRAND_OpenSSL()\fR) utilizes three
-shared \s-1DRBG\s0 instances which are accessed via the \s-1RAND API:\s0
+The default RAND API implementation (\fBRAND_OpenSSL()\fR) utilizes three
+shared DRBG instances which are accessed via the RAND API:
.PP
-The \fIpublic\fR and \fIprivate\fR \s-1DRBG\s0 are thread-local instances, which are used
+The \fIpublic\fR and \fIprivate\fR DRBG are thread-local instances, which are used
by \fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR, respectively.
-The \fIprimary\fR \s-1DRBG\s0 is a global instance, which is not intended to be used
+The \fIprimary\fR DRBG is a global instance, which is not intended to be used
directly, but is used internally to reseed the other two instances.
.PP
-These functions here provide access to the shared \s-1DRBG\s0 instances.
+The three get functions provide access to the shared DRBG instances.
+.PP
+The two set functions allow the public and private DRBG instances to be
+replaced by another random number generator.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBRAND_get0_primary()\fR returns a pointer to the \fIprimary\fR \s-1DRBG\s0 instance
-for the given \s-1OSSL_LIB_CTX\s0 \fBctx\fR.
+\&\fBRAND_get0_primary()\fR returns a pointer to the \fIprimary\fR DRBG instance
+for the given OSSL_LIB_CTX \fBctx\fR.
.PP
-\&\fBRAND_get0_public()\fR returns a pointer to the \fIpublic\fR \s-1DRBG\s0 instance
-for the given \s-1OSSL_LIB_CTX\s0 \fBctx\fR.
+\&\fBRAND_get0_public()\fR returns a pointer to the \fIpublic\fR DRBG instance
+for the given OSSL_LIB_CTX \fBctx\fR.
.PP
-\&\fBRAND_get0_private()\fR returns a pointer to the \fIprivate\fR \s-1DRBG\s0 instance
-for the given \s-1OSSL_LIB_CTX\s0 \fBctx\fR.
+\&\fBRAND_get0_private()\fR returns a pointer to the \fIprivate\fR DRBG instance
+for the given OSSL_LIB_CTX \fBctx\fR.
.PP
-In all the above cases the \fBctx\fR parameter can
-be \s-1NULL\s0 in which case the default \s-1OSSL_LIB_CTX\s0 is used.
-.SH "NOTES"
+\&\fBRAND_set0_public()\fR and \fBRAND_set0_private()\fR return 1 on success and 0
+on error.
+.SH NOTES
.IX Header "NOTES"
-It is not thread-safe to access the \fIprimary\fR \s-1DRBG\s0 instance.
-The \fIpublic\fR and \fIprivate\fR \s-1DRBG\s0 instance can be accessed safely, because
+It is not thread-safe to access the \fIprimary\fR DRBG instance.
+The \fIpublic\fR and \fIprivate\fR DRBG instance can be accessed safely, because
they are thread-local. Note however, that changes to these two instances
apply only to the current thread.
.PP
For that reason it is recommended not to change the settings of these
three instances directly.
-Instead, an application should change the default settings for new \s-1DRBG\s0 instances
+Instead, an application should change the default settings for new DRBG instances
at initialization time, before creating additional threads.
.PP
During initialization, it is possible to change the reseed interval
and reseed time interval.
It is also possible to exchange the reseeding callbacks entirely.
.PP
-To set the type of \s-1DRBG\s0 that will be instantiated, use the
+To set the type of DRBG that will be instantiated, use the
\&\fBRAND_set_DRBG_type\fR\|(3) call before accessing the random number generation
infrastructure.
+.PP
+The two set functions, operate on the current thread. If you want to
+use the same random number generator across all threads, each thread
+must individually call the set functions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
+\&\fBEVP_RAND\fR\|(3),
\&\fBRAND_set_DRBG_type\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBRAND_set0_public()\fR and \fBRAND_set0_private()\fR were added in OpenSSL 3.1.
+.PP
+The remaining functions were added in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_load_file.3 b/secure/lib/libcrypto/man/man3/RAND_load_file.3
index c6103105500b..d6fe52a5b570 100644
--- a/secure/lib/libcrypto/man/man3/RAND_load_file.3
+++ b/secure/lib/libcrypto/man/man3/RAND_load_file.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_LOAD_FILE 3ossl"
-.TH RAND_LOAD_FILE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_LOAD_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_load_file, RAND_write_file, RAND_file_name \- PRNG seed file
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
@@ -149,10 +73,10 @@ RAND_load_file, RAND_write_file, RAND_file_name \- PRNG seed file
\&
\& const char *RAND_file_name(char *buf, size_t num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBRAND_load_file()\fR reads a number of bytes from file \fBfilename\fR and
-adds them to the \s-1PRNG.\s0 If \fBmax_bytes\fR is nonnegative,
+adds them to the PRNG. If \fBmax_bytes\fR is nonnegative,
up to \fBmax_bytes\fR are read;
if \fBmax_bytes\fR is \-1, the complete file is read.
Do not load the same file multiple times unless its contents have
@@ -164,14 +88,14 @@ responsible for any side effects, e.g. non-anticipated blocking or
capture of controlling terminal.
.PP
\&\fBRAND_write_file()\fR writes a number of random bytes (currently 128) to
-file \fBfilename\fR which can be used to initialize the \s-1PRNG\s0 by calling
+file \fBfilename\fR which can be used to initialize the PRNG by calling
\&\fBRAND_load_file()\fR in a later session.
.PP
\&\fBRAND_file_name()\fR generates a default path for the random seed
file. \fBbuf\fR points to a buffer of size \fBnum\fR in which to store the
filename.
.PP
-On all systems, if the environment variable \fB\s-1RANDFILE\s0\fR is set, its
+On all systems, if the environment variable \fBRANDFILE\fR is set, its
value will be used as the seed filename.
Otherwise, the file is called \f(CW\*(C`.rnd\*(C'\fR, found in platform dependent locations:
.IP "On Windows (in order of preference)" 4
@@ -179,7 +103,7 @@ Otherwise, the file is called \f(CW\*(C`.rnd\*(C'\fR, found in platform dependen
.Vb 1
\& %HOME%, %USERPROFILE%, %SYSTEMROOT%, C:\e
.Ve
-.IP "On \s-1VMS\s0" 4
+.IP "On VMS" 4
.IX Item "On VMS"
.Vb 1
\& SYS$LOGIN:
@@ -199,18 +123,18 @@ If \f(CW$HOME\fR (on non-Windows and non-VMS system) is not set either, or
\&\fBRAND_write_file()\fR returns the number of bytes written, or \-1 if the
bytes written were generated without appropriate seeding.
.PP
-\&\fBRAND_file_name()\fR returns a pointer to \fBbuf\fR on success, and \s-1NULL\s0 on
+\&\fBRAND_file_name()\fR returns a pointer to \fBbuf\fR on success, and NULL on
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBRAND\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3 b/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3
index 2536b4cdabcc..ade18b17f899 100644
--- a/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3
+++ b/secure/lib/libcrypto/man/man3/RAND_set_DRBG_type.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_SET_DRBG_TYPE 3ossl"
-.TH RAND_SET_DRBG_TYPE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_SET_DRBG_TYPE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_set_DRBG_type,
RAND_set_seed_source_type
\&\- specify the global random number generator types
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
@@ -150,7 +74,7 @@ RAND_set_seed_source_type
\& int RAND_set_seed_source_type(OSSL_LIB_CTX *ctx, const char *seed,
\& const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBRAND_set_DRBG_type()\fR specifies the random bit generator that will be
used within the library context \fIctx\fR. A generator of name \fIdrbg\fR
@@ -162,31 +86,40 @@ private random instances.
\&\fBRAND_set_seed_source_type()\fR specifies the seed source that will be used
within the library context \fIctx\fR. The seed source of name \fIseed\fR
with properties \fIpropq\fR will be fetched and used to seed the primary
-random big generator.
+random bit generator.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These function return 1 on success and 0 on failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions must be called before the random bit generators are first
created in the library context. They will return an error if the call
is made too late.
.PP
-The default \s-1DRBG\s0 is \*(L"CTR-DRBG\*(R" using the \*(L"\s-1AES\-256\-CTR\*(R"\s0 cipher.
+The default DRBG is "CTR-DRBG" using the "AES\-256\-CTR" cipher.
.PP
-The default seed source is \*(L"SEED-SRC\*(R".
+The default seed source can be configured when OpenSSL is compiled by
+setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then
+"SEED-SRC" is used.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+.Vb 3
+\& unsigned char bytes[100];
+\& RAND_set_seed_source_type(NULL, "JITTER", NULL);
+\& RAND_bytes(bytes, 100);
+.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
+\&\fBEVP_RAND\fR\|(3),
\&\fBRAND_get0_primary\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3
index 021effacabc4..bdd510bb7bd4 100644
--- a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3
+++ b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_SET_RAND_METHOD 3ossl"
-.TH RAND_SET_RAND_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND_SET_RAND_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL \- select RAND method
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -155,26 +79,26 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& const RAND_METHOD *RAND_get_rand_method(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBRAND_set_DRBG_type\fR\|(3),
-\&\s-1\fBEVP_RAND\s0\fR\|(3) and \s-1\fBEVP_RAND\s0\fR\|(7).
+\&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND\fR\|(7).
.PP
-A \fB\s-1RAND_METHOD\s0\fR specifies the functions that OpenSSL uses for random number
+A \fBRAND_METHOD\fR specifies the functions that OpenSSL uses for random number
generation.
.PP
-\&\fBRAND_OpenSSL()\fR returns the default \fB\s-1RAND_METHOD\s0\fR implementation by OpenSSL.
-This implementation ensures that the \s-1PRNG\s0 state is unique for each thread.
+\&\fBRAND_OpenSSL()\fR returns the default \fBRAND_METHOD\fR implementation by OpenSSL.
+This implementation ensures that the PRNG state is unique for each thread.
.PP
-If an \fB\s-1ENGINE\s0\fR is loaded that provides the \s-1RAND API,\s0 however, it will
+If an \fBENGINE\fR is loaded that provides the RAND API, however, it will
be used instead of the method returned by \fBRAND_OpenSSL()\fR. This is deprecated
in OpenSSL 3.0.
.PP
-\&\fBRAND_set_rand_method()\fR makes \fBmeth\fR the method for \s-1PRNG\s0 use. If an
-\&\s-1ENGINE\s0 was providing the method, it will be released first.
+\&\fBRAND_set_rand_method()\fR makes \fBmeth\fR the method for PRNG use. If an
+ENGINE was providing the method, it will be released first.
.PP
-\&\fBRAND_get_rand_method()\fR returns a pointer to the current \fB\s-1RAND_METHOD\s0\fR.
+\&\fBRAND_get_rand_method()\fR returns a pointer to the current \fBRAND_METHOD\fR.
.SH "THE RAND_METHOD STRUCTURE"
.IX Header "THE RAND_METHOD STRUCTURE"
.Vb 8
@@ -189,9 +113,9 @@ in OpenSSL 3.0.
.Ve
.PP
The fields point to functions that are used by, in order,
-\&\fBRAND_seed()\fR, \fBRAND_bytes()\fR, internal \s-1RAND\s0 cleanup, \fBRAND_add()\fR, \fBRAND_pseudo_rand()\fR
+\&\fBRAND_seed()\fR, \fBRAND_bytes()\fR, internal RAND cleanup, \fBRAND_add()\fR, \fBRAND_pseudo_rand()\fR
and \fBRAND_status()\fR.
-Each pointer may be \s-1NULL\s0 if the function is not implemented.
+Each pointer may be NULL if the function is not implemented.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_set_rand_method()\fR returns 1 on success and 0 on failure.
@@ -199,20 +123,20 @@ Each pointer may be \s-1NULL\s0 if the function is not implemented.
methods.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
+\&\fBEVP_RAND\fR\|(3),
\&\fBRAND_set_DRBG_type\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\fBENGINE_by_id\fR\|(3),
-\&\s-1\fBEVP_RAND\s0\fR\|(7),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_RAND\fR\|(7),
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RC4_set_key.3 b/secure/lib/libcrypto/man/man3/RC4_set_key.3
index f259e450a1c5..93b2f821155c 100644
--- a/secure/lib/libcrypto/man/man3/RC4_set_key.3
+++ b/secure/lib/libcrypto/man/man3/RC4_set_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RC4_SET_KEY 3ossl"
-.TH RC4_SET_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RC4_SET_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RC4_set_key, RC4 \- RC4 encryption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rc4.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -154,37 +78,37 @@ see \fBopenssl_user_macros\fR\|(7):
\& void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
\& unsigned char *outdata);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. Applications should
instead use \fBEVP_EncryptInit_ex\fR\|(3), \fBEVP_EncryptUpdate\fR\|(3) and
\&\fBEVP_EncryptFinal_ex\fR\|(3) or the equivalently named decrypt functions.
.PP
-This library implements the Alleged \s-1RC4\s0 cipher, which is described for
+This library implements the Alleged RC4 cipher, which is described for
example in \fIApplied Cryptography\fR. It is believed to be compatible
-with RC4[\s-1TM\s0], a proprietary cipher of \s-1RSA\s0 Security Inc.
+with RC4[TM], a proprietary cipher of RSA Security Inc.
.PP
-\&\s-1RC4\s0 is a stream cipher with variable key length. Typically, 128 bit
+RC4 is a stream cipher with variable key length. Typically, 128 bit
(16 byte) keys are used for strong encryption, but shorter insecure
key sizes have been widely used due to export restrictions.
.PP
-\&\s-1RC4\s0 consists of a key setup phase and the actual encryption or
+RC4 consists of a key setup phase and the actual encryption or
decryption phase.
.PP
-\&\fBRC4_set_key()\fR sets up the \fB\s-1RC4_KEY\s0\fR \fBkey\fR using the \fBlen\fR bytes long
+\&\fBRC4_set_key()\fR sets up the \fBRC4_KEY\fR \fBkey\fR using the \fBlen\fR bytes long
key at \fBdata\fR.
.PP
-\&\s-1\fBRC4\s0()\fR encrypts or decrypts the \fBlen\fR bytes of data at \fBindata\fR using
-\&\fBkey\fR and places the result at \fBoutdata\fR. Repeated \s-1\fBRC4\s0()\fR calls with
+\&\fBRC4()\fR encrypts or decrypts the \fBlen\fR bytes of data at \fBindata\fR using
+\&\fBkey\fR and places the result at \fBoutdata\fR. Repeated \fBRC4()\fR calls with
the same \fBkey\fR yield a continuous key stream.
.PP
-Since \s-1RC4\s0 is a stream cipher (the input is XORed with a pseudo-random
+Since RC4 is a stream cipher (the input is XORed with a pseudo-random
key stream to produce the output), decryption uses the same function
calls as encryption.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBRC4_set_key()\fR and \s-1\fBRC4\s0()\fR do not return values.
-.SH "NOTE"
+\&\fBRC4_set_key()\fR and \fBRC4()\fR do not return values.
+.SH NOTE
.IX Header "NOTE"
Applications should use the higher level functions
\&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these
@@ -195,14 +119,14 @@ multiple encryptions using the same key stream.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3
index c01f5773dcf5..dc939289e3f4 100644
--- a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3
+++ b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RIPEMD160_INIT 3ossl"
-.TH RIPEMD160_INIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RIPEMD160_INIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final \-
RIPEMD\-160 hash function
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ripemd.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -157,56 +81,56 @@ see \fBopenssl_user_macros\fR\|(7):
\& int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
\& int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
and \fBEVP_DigestFinal_ex\fR\|(3).
.PP
-\&\s-1RIPEMD\-160\s0 is a cryptographic hash function with a
+RIPEMD\-160 is a cryptographic hash function with a
160 bit output.
.PP
-\&\s-1\fBRIPEMD160\s0()\fR computes the \s-1RIPEMD\-160\s0 message digest of the \fBn\fR
+\&\fBRIPEMD160()\fR computes the RIPEMD\-160 message digest of the \fBn\fR
bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
-\&\s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
+RIPEMD160_DIGEST_LENGTH == 20 bytes of output). If \fBmd\fR is NULL, the digest
is placed in a static array.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
-\&\fBRIPEMD160_Init()\fR initializes a \fB\s-1RIPEMD160_CTX\s0\fR structure.
+\&\fBRIPEMD160_Init()\fR initializes a \fBRIPEMD160_CTX\fR structure.
.PP
\&\fBRIPEMD160_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBRIPEMD160_Final()\fR places the message digest in \fBmd\fR, which must have
-space for \s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output, and erases
-the \fB\s-1RIPEMD160_CTX\s0\fR.
+space for RIPEMD160_DIGEST_LENGTH == 20 bytes of output, and erases
+the \fBRIPEMD160_CTX\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBRIPEMD160\s0()\fR returns a pointer to the hash value.
+\&\fBRIPEMD160()\fR returns a pointer to the hash value.
.PP
\&\fBRIPEMD160_Init()\fR, \fBRIPEMD160_Update()\fR and \fBRIPEMD160_Final()\fR return 1 for
success, 0 otherwise.
-.SH "NOTE"
+.SH NOTE
.IX Header "NOTE"
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3) etc. instead of calling these
functions directly.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ISO/IEC 10118\-3:2016\s0 Dedicated Hash-Function 1 (\s-1RIPEMD\-160\s0).
+ISO/IEC 10118\-3:2016 Dedicated Hash-Function 1 (RIPEMD\-160).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3
index 0810dcef54d1..7df619f411a1 100644
--- a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3
+++ b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_BLINDING_ON 3ossl"
-.TH RSA_BLINDING_ON 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_BLINDING_ON 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_blinding_on, RSA_blinding_off \- protect the RSA operation from timing attacks
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -153,17 +77,17 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& void RSA_blinding_off(RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
.PP
-\&\s-1RSA\s0 is vulnerable to timing attacks. In a setup where attackers can
-measure the time of \s-1RSA\s0 decryption or signature operations, blinding
-must be used to protect the \s-1RSA\s0 operation from that attack.
+RSA is vulnerable to timing attacks. In a setup where attackers can
+measure the time of RSA decryption or signature operations, blinding
+must be used to protect the RSA operation from that attack.
.PP
\&\fBRSA_blinding_on()\fR turns blinding on for key \fBrsa\fR and generates a
-random blinding factor. \fBctx\fR is \fB\s-1NULL\s0\fR or a preallocated and
-initialized \fB\s-1BN_CTX\s0\fR.
+random blinding factor. \fBctx\fR is \fBNULL\fR or a preallocated and
+initialized \fBBN_CTX\fR.
.PP
\&\fBRSA_blinding_off()\fR turns blinding off and frees the memory used for
the blinding factor.
@@ -172,14 +96,14 @@ the blinding factor.
\&\fBRSA_blinding_on()\fR returns 1 on success, and 0 if an error occurred.
.PP
\&\fBRSA_blinding_off()\fR returns no value.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_check_key.3 b/secure/lib/libcrypto/man/man3/RSA_check_key.3
index 323feb882631..0dacf234631d 100644
--- a/secure/lib/libcrypto/man/man3/RSA_check_key.3
+++ b/secure/lib/libcrypto/man/man3/RSA_check_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_CHECK_KEY 3ossl"
-.TH RSA_CHECK_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_CHECK_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_check_key_ex, RSA_check_key \- validate private RSA keys
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -153,71 +77,71 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int RSA_check_key(const RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Both of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_public_check\fR\|(3),
\&\fBEVP_PKEY_private_check\fR\|(3) and \fBEVP_PKEY_pairwise_check\fR\|(3).
.PP
-\&\fBRSA_check_key_ex()\fR function validates \s-1RSA\s0 keys.
+\&\fBRSA_check_key_ex()\fR function validates RSA keys.
It checks that \fBp\fR and \fBq\fR are
in fact prime, and that \fBn = p*q\fR.
.PP
-It does not work on \s-1RSA\s0 public keys that have only the modulus
+It does not work on RSA public keys that have only the modulus
and public exponent elements populated.
It also checks that \fBd*e = 1 mod (p\-1*q\-1)\fR,
-and that \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR are set correctly or are \fB\s-1NULL\s0\fR.
+and that \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR are set correctly or are \fBNULL\fR.
It performs integrity checks on all
-the \s-1RSA\s0 key material, so the \s-1RSA\s0 key structure must contain all the private
+the RSA key material, so the RSA key structure must contain all the private
key data too.
-Therefore, it cannot be used with any arbitrary \s-1RSA\s0 key object,
-even if it is otherwise fit for regular \s-1RSA\s0 operation.
+Therefore, it cannot be used with any arbitrary RSA key object,
+even if it is otherwise fit for regular RSA operation.
.PP
The \fBcb\fR parameter is a callback that will be invoked in the same
manner as \fBBN_is_prime_ex\fR\|(3).
.PP
-\&\fBRSA_check_key()\fR is equivalent to \fBRSA_check_key_ex()\fR with a \s-1NULL\s0 \fBcb\fR.
+\&\fBRSA_check_key()\fR is equivalent to \fBRSA_check_key_ex()\fR with a NULL \fBcb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_check_key_ex()\fR and \fBRSA_check_key()\fR
-return 1 if \fBrsa\fR is a valid \s-1RSA\s0 key, and 0 otherwise.
+return 1 if \fBrsa\fR is a valid RSA key, and 0 otherwise.
They return \-1 if an error occurs while checking the key.
.PP
If the key is invalid or an error occurred, the reason code can be
obtained using \fBERR_get_error\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Unlike most other \s-1RSA\s0 functions, this function does \fBnot\fR work
-transparently with any underlying \s-1ENGINE\s0 implementation because it uses the
-key data in the \s-1RSA\s0 structure directly. An \s-1ENGINE\s0 implementation can
+Unlike most other RSA functions, this function does \fBnot\fR work
+transparently with any underlying ENGINE implementation because it uses the
+key data in the RSA structure directly. An ENGINE implementation can
override the way key data is stored and handled, and can even provide
-support for \s-1HSM\s0 keys \- in which case the \s-1RSA\s0 structure may contain \fBno\fR
-key data at all! If the \s-1ENGINE\s0 in question is only being used for
-acceleration or analysis purposes, then in all likelihood the \s-1RSA\s0 key data
+support for HSM keys \- in which case the RSA structure may contain \fBno\fR
+key data at all! If the ENGINE in question is only being used for
+acceleration or analysis purposes, then in all likelihood the RSA key data
is complete and untouched, but this can't be assumed in the general case.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-A method of verifying the \s-1RSA\s0 key using opaque \s-1RSA API\s0 functions might need
-to be considered. Right now \fBRSA_check_key()\fR simply uses the \s-1RSA\s0 structure
-elements directly, bypassing the \s-1RSA_METHOD\s0 table altogether (and
+A method of verifying the RSA key using opaque RSA API functions might need
+to be considered. Right now \fBRSA_check_key()\fR simply uses the RSA structure
+elements directly, bypassing the RSA_METHOD table altogether (and
completely violating encapsulation and object-orientation in the process).
-The best fix will probably be to introduce a \*(L"\fBcheck_key()\fR\*(R" handler to the
-\&\s-1RSA_METHOD\s0 function table so that alternative implementations can also
+The best fix will probably be to introduce a "\fBcheck_key()\fR" handler to the
+RSA_METHOD function table so that alternative implementations can also
provide their own verifiers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_is_prime_ex\fR\|(3),
\&\fBERR_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
\&\fBRSA_check_key_ex()\fR appeared after OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_generate_key.3 b/secure/lib/libcrypto/man/man3/RSA_generate_key.3
index cddd181e04de..1a880943f738 100644
--- a/secure/lib/libcrypto/man/man3/RSA_generate_key.3
+++ b/secure/lib/libcrypto/man/man3/RSA_generate_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_GENERATE_KEY 3ossl"
-.TH RSA_GENERATE_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_GENERATE_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RSA_gen,
RSA_generate_key_ex, RSA_generate_key,
RSA_generate_multi_prime_key \- generate RSA key pair
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
@@ -149,7 +73,7 @@ RSA_generate_multi_prime_key \- generate RSA key pair
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -158,29 +82,29 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following function has been deprecated since OpenSSL 0.9.8, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& RSA *RSA_generate_key(int bits, unsigned long e,
\& void (*callback)(int, int, void *), void *cb_arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBEVP_RSA_gen()\fR generates a new \s-1RSA\s0 key pair with modulus size \fIbits\fR.
+\&\fBEVP_RSA_gen()\fR generates a new RSA key pair with modulus size \fIbits\fR.
.PP
All of the functions described below are deprecated.
Applications should instead use \fBEVP_RSA_gen()\fR, \fBEVP_PKEY_Q_keygen\fR\|(3), or
\&\fBEVP_PKEY_keygen_init\fR\|(3) and \fBEVP_PKEY_keygen\fR\|(3).
.PP
-\&\fBRSA_generate_key_ex()\fR generates a 2\-prime \s-1RSA\s0 key pair and stores it in the
-\&\fB\s-1RSA\s0\fR structure provided in \fIrsa\fR.
+\&\fBRSA_generate_key_ex()\fR generates a 2\-prime RSA key pair and stores it in the
+\&\fBRSA\fR structure provided in \fIrsa\fR.
.PP
-\&\fBRSA_generate_multi_prime_key()\fR generates a multi-prime \s-1RSA\s0 key pair and stores
-it in the \fB\s-1RSA\s0\fR structure provided in \fIrsa\fR. The number of primes is given by
+\&\fBRSA_generate_multi_prime_key()\fR generates a multi-prime RSA key pair and stores
+it in the \fBRSA\fR structure provided in \fIrsa\fR. The number of primes is given by
the \fIprimes\fR parameter.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
The modulus size will be of length \fIbits\fR, the number of primes to form the
modulus will be \fIprimes\fR, and the public exponent will be \fIe\fR. Key sizes
@@ -197,20 +121,20 @@ In order to maintain adequate security level, the maximum number of permitted
.Ve
.PP
A callback function may be used to provide feedback about the
-progress of the key generation. If \fIcb\fR is not \s-1NULL,\s0 it
+progress of the key generation. If \fIcb\fR is not NULL, it
will be called as follows using the \fBBN_GENCB_call()\fR function
described on the \fBBN_generate_prime\fR\|(3) page.
.PP
\&\fBRSA_generate_key()\fR is similar to \fBRSA_generate_key_ex()\fR but
expects an old-style callback function; see
\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback.
-.IP "\(bu" 2
+.IP \(bu 2
While a random prime number is generated, it is called as
described in \fBBN_generate_prime\fR\|(3).
-.IP "\(bu" 2
+.IP \(bu 2
When the n\-th randomly generated prime is rejected as not
suitable for the key, \fIBN_GENCB_call(cb, 2, n)\fR is called.
-.IP "\(bu" 2
+.IP \(bu 2
When a random p has been found with p\-1 relatively prime to \fIe\fR,
it is called as \fIBN_GENCB_call(cb, 3, 0)\fR.
.PP
@@ -218,32 +142,32 @@ The process is then repeated for prime q and other primes (if any)
with \fIBN_GENCB_call(cb, 3, i)\fR where \fIi\fR indicates the i\-th prime.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBEVP_RSA_gen()\fR returns an \fI\s-1EVP_PKEY\s0\fR or \s-1NULL\s0 on failure.
+\&\fBEVP_RSA_gen()\fR returns an \fIEVP_PKEY\fR or NULL on failure.
.PP
\&\fBRSA_generate_multi_prime_key()\fR returns 1 on success or 0 on error.
\&\fBRSA_generate_key_ex()\fR returns 1 on success or 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.PP
-\&\fBRSA_generate_key()\fR returns a pointer to the \s-1RSA\s0 structure or
-\&\s-1NULL\s0 if the key generation fails.
-.SH "BUGS"
+\&\fBRSA_generate_key()\fR returns a pointer to the RSA structure or
+NULL if the key generation fails.
+.SH BUGS
.IX Header "BUGS"
\&\fIBN_GENCB_call(cb, 2, x)\fR is used with two different meanings.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_Q_keygen\fR\|(3)
\&\fBBN_generate_prime\fR\|(3), \fBERR_get_error\fR\|(3),
-\&\fBRAND_bytes\fR\|(3), \s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND_bytes\fR\|(3), \fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
\&\fBEVP_RSA_gen()\fR was added in OpenSSL 3.0.
All other functions described here were deprecated in OpenSSL 3.0.
-For replacement see \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7).
-.SH "COPYRIGHT"
+For replacement see \fBEVP_PKEY\-RSA\fR\|(7).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_get0_key.3 b/secure/lib/libcrypto/man/man3/RSA_get0_key.3
index fd99dedcb9f2..f937f4d29067 100644
--- a/secure/lib/libcrypto/man/man3/RSA_get0_key.3
+++ b/secure/lib/libcrypto/man/man3/RSA_get0_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_GET0_KEY 3ossl"
-.TH RSA_GET0_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_GET0_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, RSA_get0_key,
RSA_get0_factors, RSA_get0_crt_params,
RSA_get0_n, RSA_get0_e, RSA_get0_d, RSA_get0_p, RSA_get0_q,
@@ -146,14 +70,14 @@ RSA_test_flags, RSA_set_flags, RSA_get0_engine, RSA_get_multi_prime_extra_count,
RSA_get0_multi_prime_factors, RSA_get0_multi_prime_crt_params,
RSA_set0_multi_prime_params, RSA_get_version
\&\- Routines for getting and setting data in an RSA object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -187,29 +111,29 @@ see \fBopenssl_user_macros\fR\|(7):
\& BIGNUM *coeffs[], int pnum);
\& int RSA_get_version(RSA *r);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_get_bn_param\fR\|(3) for any methods that
-return a \fB\s-1BIGNUM\s0\fR. Refer to \s-1\fBEVP_PKEY\-DH\s0\fR\|(7) for more information.
+return a \fBBIGNUM\fR. Refer to \fBEVP_PKEY\-DH\fR\|(7) for more information.
.PP
-An \s-1RSA\s0 object contains the components for the public and private key,
+An RSA object contains the components for the public and private key,
\&\fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR. \fBn\fR is
the modulus common to both public and private key, \fBe\fR is the public
exponent and \fBd\fR is the private exponent. \fBp\fR, \fBq\fR, \fBdmp1\fR,
\&\fBdmq1\fR and \fBiqmp\fR are the factors for the second representation of a
private key (see PKCS#1 section 3 Key Types), where \fBp\fR and \fBq\fR are
the first and second factor of \fBn\fR and \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR
-are the exponents and coefficient for \s-1CRT\s0 calculations.
+are the exponents and coefficient for CRT calculations.
.PP
-For multi-prime \s-1RSA\s0 (defined in \s-1RFC 8017\s0), there are also one or more
-\&'triplet' in an \s-1RSA\s0 object. A triplet contains three members, \fBr\fR, \fBd\fR
+For multi-prime RSA (defined in RFC 8017), there are also one or more
+\&'triplet' in an RSA object. A triplet contains three members, \fBr\fR, \fBd\fR
and \fBt\fR. \fBr\fR is the additional prime besides \fBp\fR and \fBq\fR. \fBd\fR and
-\&\fBt\fR are the exponent and coefficient for \s-1CRT\s0 calculations.
+\&\fBt\fR are the exponent and coefficient for CRT calculations.
.PP
The \fBn\fR, \fBe\fR and \fBd\fR parameters can be obtained by calling
\&\fBRSA_get0_key()\fR. If they have not been set yet, then \fB*n\fR, \fB*e\fR and
-\&\fB*d\fR will be set to \s-1NULL.\s0 Otherwise, they are set to pointers to
+\&\fB*d\fR will be set to NULL. Otherwise, they are set to pointers to
their respective values. These point directly to the internal
representations of the values and therefore should not be freed
by the caller.
@@ -217,11 +141,11 @@ by the caller.
The \fBn\fR, \fBe\fR and \fBd\fR parameter values can be set by calling
\&\fBRSA_set0_key()\fR and passing the new values for \fBn\fR, \fBe\fR and \fBd\fR as
parameters to the function. The values \fBn\fR and \fBe\fR must be non-NULL
-the first time this function is called on a given \s-1RSA\s0 object. The
-value \fBd\fR may be \s-1NULL.\s0 On subsequent calls any of these values may be
-\&\s-1NULL\s0 which means the corresponding \s-1RSA\s0 field is left untouched.
+the first time this function is called on a given RSA object. The
+value \fBd\fR may be NULL. On subsequent calls any of these values may be
+NULL which means the corresponding RSA field is left untouched.
Calling this function transfers the memory management of the values to
-the \s-1RSA\s0 object, and therefore the values that have been passed in
+the RSA object, and therefore the values that have been passed in
should not be freed by the caller after this function has been called.
.PP
In a similar fashion, the \fBp\fR and \fBq\fR parameters can be obtained and
@@ -230,14 +154,14 @@ set with \fBRSA_get0_factors()\fR and \fBRSA_set0_factors()\fR, and the \fBdmp1\
\&\fBRSA_get0_crt_params()\fR and \fBRSA_set0_crt_params()\fR.
.PP
For \fBRSA_get0_key()\fR, \fBRSA_get0_factors()\fR, and \fBRSA_get0_crt_params()\fR,
-\&\s-1NULL\s0 value \s-1BIGNUM\s0 ** output parameters are permitted. The functions
-ignore \s-1NULL\s0 parameters but return values for other, non-NULL, parameters.
+NULL value BIGNUM ** output parameters are permitted. The functions
+ignore NULL parameters but return values for other, non-NULL, parameters.
.PP
-For multi-prime \s-1RSA,\s0 \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR
-can be used to obtain other primes and related \s-1CRT\s0 parameters. The
-return values are stored in an array of \fB\s-1BIGNUM\s0 *\fR. \fBRSA_set0_multi_prime_params()\fR
+For multi-prime RSA, \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR
+can be used to obtain other primes and related CRT parameters. The
+return values are stored in an array of \fBBIGNUM *\fR. \fBRSA_set0_multi_prime_params()\fR
sets a collect of multi-prime 'triplet' members (prime, exponent and coefficient)
-into an \s-1RSA\s0 object.
+into an RSA object.
.PP
Any of the values \fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR, and \fBiqmp\fR can also be
retrieved separately by the corresponding function
@@ -246,22 +170,22 @@ retrieved separately by the corresponding function
.PP
\&\fBRSA_get0_pss_params()\fR is used to retrieve the RSA-PSS parameters.
.PP
-\&\fBRSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1RSA\s0
+\&\fBRSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the RSA
object. Multiple flags can be passed in one go (bitwise ORed together).
Any flags that are already set are left set. \fBRSA_test_flags()\fR tests to
see whether the flags passed in the \fBflags\fR parameter are currently
-set in the \s-1RSA\s0 object. Multiple flags can be tested in one go. All
+set in the RSA object. Multiple flags can be tested in one go. All
flags that are currently set are returned, or zero if none of the
flags are set. \fBRSA_clear_flags()\fR clears the specified flags within the
-\&\s-1RSA\s0 object.
+RSA object.
.PP
-\&\fBRSA_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for
-this \s-1RSA\s0 object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set.
+\&\fBRSA_get0_engine()\fR returns a handle to the ENGINE that has been set for
+this RSA object, or NULL if no such ENGINE has been set.
.PP
-\&\fBRSA_get_version()\fR returns the version of an \s-1RSA\s0 object \fBr\fR.
-.SH "NOTES"
+\&\fBRSA_get_version()\fR returns the version of an RSA object \fBr\fR.
+.SH NOTES
.IX Header "NOTES"
-Values retrieved with \fBRSA_get0_key()\fR are owned by the \s-1RSA\s0 object used
+Values retrieved with \fBRSA_get0_key()\fR are owned by the RSA object used
in the call and may therefore \fInot\fR be passed to \fBRSA_set0_key()\fR. If
needed, duplicate the received value using \fBBN_dup()\fR and pass the
duplicate. The same applies to \fBRSA_get0_factors()\fR and \fBRSA_set0_factors()\fR
@@ -272,7 +196,7 @@ in advance and allocate sufficient buffer to store the return values before
calling \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR.
.PP
\&\fBRSA_set0_multi_prime_params()\fR always clears the original multi-prime
-triplets in \s-1RSA\s0 object \fBr\fR and assign the new set of triplets into it.
+triplets in RSA object \fBr\fR and assign the new set of triplets into it.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_set0_key()\fR, \fBRSA_set0_factors()\fR, \fBRSA_set0_crt_params()\fR and
@@ -282,27 +206,27 @@ triplets in \s-1RSA\s0 object \fBr\fR and assign the new set of triplets into it
\&\fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, and \fBRSA_get0_iqmp()\fR
return the respective value.
.PP
-\&\fBRSA_get0_pss_params()\fR returns a \fB\s-1RSA_PSS_PARAMS\s0\fR pointer, or \s-1NULL\s0 if
+\&\fBRSA_get0_pss_params()\fR returns a \fBRSA_PSS_PARAMS\fR pointer, or NULL if
there is none.
.PP
\&\fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_crt_params()\fR return
1 on success or 0 on failure.
.PP
\&\fBRSA_get_multi_prime_extra_count()\fR returns two less than the number of primes
-in use, which is 0 for traditional \s-1RSA\s0 and the number of extra primes for
-multi-prime \s-1RSA.\s0
+in use, which is 0 for traditional RSA and the number of extra primes for
+multi-prime RSA.
.PP
-\&\fBRSA_get_version()\fR returns \fB\s-1RSA_ASN1_VERSION_MULTI\s0\fR for multi-prime \s-1RSA\s0 and
-\&\fB\s-1RSA_ASN1_VERSION_DEFAULT\s0\fR for normal two-prime \s-1RSA,\s0 as defined in \s-1RFC 8017.\s0
+\&\fBRSA_get_version()\fR returns \fBRSA_ASN1_VERSION_MULTI\fR for multi-prime RSA and
+\&\fBRSA_ASN1_VERSION_DEFAULT\fR for normal two-prime RSA, as defined in RFC 8017.
.PP
-\&\fBRSA_test_flags()\fR returns the current state of the flags in the \s-1RSA\s0 object.
+\&\fBRSA_test_flags()\fR returns the current state of the flags in the RSA object.
.PP
-\&\fBRSA_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1RSA\s0 object or \s-1NULL\s0 if no
-\&\s-1ENGINE\s0 has been set.
+\&\fBRSA_get0_engine()\fR returns the ENGINE set for the RSA object or NULL if no
+ENGINE has been set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_new\fR\|(3), \fBRSA_size\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBRSA_get0_pss_params()\fR function was added in OpenSSL 1.1.1e.
.PP
@@ -314,11 +238,11 @@ and \fBRSA_get_version()\fR functions were added in OpenSSL 1.1.1.
Other functions described here were added in OpenSSL 1.1.0.
.PP
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_meth_new.3 b/secure/lib/libcrypto/man/man3/RSA_meth_new.3
index 033bc72283f8..04ae0c8de7e6 100644
--- a/secure/lib/libcrypto/man/man3/RSA_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/RSA_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_METH_NEW 3ossl"
-.TH RSA_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_meth_get0_app_data, RSA_meth_set0_app_data,
RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name,
RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags,
@@ -150,14 +74,14 @@ RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify,
RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen,
RSA_meth_get_multi_prime_keygen, RSA_meth_set_multi_prime_keygen
\&\- Routines to build up RSA methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -262,62 +186,62 @@ see \fBopenssl_user_macros\fR\|(7):
\& int primes, BIGNUM *e,
\& BN_GENCB *cb));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
+Applications should instead use the OSSL_PROVIDER APIs.
.PP
-The \fB\s-1RSA_METHOD\s0\fR type is a structure used for the provision of custom
-\&\s-1RSA\s0 implementations. It provides a set of functions used by OpenSSL
-for the implementation of the various \s-1RSA\s0 capabilities.
+The \fBRSA_METHOD\fR type is a structure used for the provision of custom
+RSA implementations. It provides a set of functions used by OpenSSL
+for the implementation of the various RSA capabilities.
.PP
-\&\fBRSA_meth_new()\fR creates a new \fB\s-1RSA_METHOD\s0\fR structure. It should be
+\&\fBRSA_meth_new()\fR creates a new \fBRSA_METHOD\fR structure. It should be
given a unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a
-\&\s-1NULL\s0 terminated string, which will be duplicated and stored in the
-\&\fB\s-1RSA_METHOD\s0\fR object. It is the callers responsibility to free the
+NULL terminated string, which will be duplicated and stored in the
+\&\fBRSA_METHOD\fR object. It is the callers responsibility to free the
original string. The flags will be used during the construction of a
-new \fB\s-1RSA\s0\fR object based on this \fB\s-1RSA_METHOD\s0\fR. Any new \fB\s-1RSA\s0\fR object
+new \fBRSA\fR object based on this \fBRSA_METHOD\fR. Any new \fBRSA\fR object
will have those flags set by default.
.PP
-\&\fBRSA_meth_dup()\fR creates a duplicate copy of the \fB\s-1RSA_METHOD\s0\fR object
+\&\fBRSA_meth_dup()\fR creates a duplicate copy of the \fBRSA_METHOD\fR object
passed as a parameter. This might be useful for creating a new
-\&\fB\s-1RSA_METHOD\s0\fR based on an existing one, but with some differences.
+\&\fBRSA_METHOD\fR based on an existing one, but with some differences.
.PP
-\&\fBRSA_meth_free()\fR destroys an \fB\s-1RSA_METHOD\s0\fR structure and frees up any
-memory associated with it.
+\&\fBRSA_meth_free()\fR destroys an \fBRSA_METHOD\fR structure and frees up any
+memory associated with it. If the argument is NULL, nothing is done.
.PP
\&\fBRSA_meth_get0_name()\fR will return a pointer to the name of this
-\&\s-1RSA_METHOD.\s0 This is a pointer to the internal name string and so
+RSA_METHOD. This is a pointer to the internal name string and so
should not be freed by the caller. \fBRSA_meth_set1_name()\fR sets the name
-of the \s-1RSA_METHOD\s0 to \fBname\fR. The string is duplicated and the copy is
-stored in the \s-1RSA_METHOD\s0 structure, so the caller remains responsible
+of the RSA_METHOD to \fBname\fR. The string is duplicated and the copy is
+stored in the RSA_METHOD structure, so the caller remains responsible
for freeing the memory associated with the name.
.PP
\&\fBRSA_meth_get_flags()\fR returns the current value of the flags associated
-with this \s-1RSA_METHOD.\s0 \fBRSA_meth_set_flags()\fR provides the ability to set
+with this RSA_METHOD. \fBRSA_meth_set_flags()\fR provides the ability to set
these flags.
.PP
The functions \fBRSA_meth_get0_app_data()\fR and \fBRSA_meth_set0_app_data()\fR
provide the ability to associate implementation specific data with the
-\&\s-1RSA_METHOD.\s0 It is the application's responsibility to free this data
-before the \s-1RSA_METHOD\s0 is freed via a call to \fBRSA_meth_free()\fR.
+RSA_METHOD. It is the application's responsibility to free this data
+before the RSA_METHOD is freed via a call to \fBRSA_meth_free()\fR.
.PP
\&\fBRSA_meth_get_sign()\fR and \fBRSA_meth_set_sign()\fR get and set the function
-used for creating an \s-1RSA\s0 signature respectively. This function will be
+used for creating an RSA signature respectively. This function will be
called in response to the application calling \fBRSA_sign()\fR. The
parameters for the function have the same meaning as for \fBRSA_sign()\fR.
.PP
\&\fBRSA_meth_get_verify()\fR and \fBRSA_meth_set_verify()\fR get and set the
-function used for verifying an \s-1RSA\s0 signature respectively. This
+function used for verifying an RSA signature respectively. This
function will be called in response to the application calling
\&\fBRSA_verify()\fR. The parameters for the function have the same meaning as
for \fBRSA_verify()\fR.
.PP
\&\fBRSA_meth_get_mod_exp()\fR and \fBRSA_meth_set_mod_exp()\fR get and set the
-function used for \s-1CRT\s0 computations.
+function used for CRT computations.
.PP
\&\fBRSA_meth_get_bn_mod_exp()\fR and \fBRSA_meth_set_bn_mod_exp()\fR get and set
-the function used for \s-1CRT\s0 computations, specifically the following
+the function used for CRT computations, specifically the following
value:
.PP
.Vb 1
@@ -329,30 +253,30 @@ default OpenSSL method during encryption, decryption, signing and
verification.
.PP
\&\fBRSA_meth_get_init()\fR and \fBRSA_meth_set_init()\fR get and set the function
-used for creating a new \s-1RSA\s0 instance respectively. This function will
+used for creating a new RSA instance respectively. This function will
be called in response to the application calling \fBRSA_new()\fR (if the
-current default \s-1RSA_METHOD\s0 is this one) or \fBRSA_new_method()\fR. The
+current default RSA_METHOD is this one) or \fBRSA_new_method()\fR. The
\&\fBRSA_new()\fR and \fBRSA_new_method()\fR functions will allocate the memory for
-the new \s-1RSA\s0 object, and a pointer to this newly allocated structure
+the new RSA object, and a pointer to this newly allocated structure
will be passed as a parameter to the function. This function may be
-\&\s-1NULL.\s0
+NULL.
.PP
\&\fBRSA_meth_get_finish()\fR and \fBRSA_meth_set_finish()\fR get and set the
-function used for destroying an instance of an \s-1RSA\s0 object respectively.
+function used for destroying an instance of an RSA object respectively.
This function will be called in response to the application calling
-\&\fBRSA_free()\fR. A pointer to the \s-1RSA\s0 to be destroyed is passed as a
-parameter. The destroy function should be used for \s-1RSA\s0 implementation
-specific clean up. The memory for the \s-1RSA\s0 itself should not be freed
-by this function. This function may be \s-1NULL.\s0
+\&\fBRSA_free()\fR. A pointer to the RSA to be destroyed is passed as a
+parameter. The destroy function should be used for RSA implementation
+specific clean up. The memory for the RSA itself should not be freed
+by this function. This function may be NULL.
.PP
\&\fBRSA_meth_get_keygen()\fR and \fBRSA_meth_set_keygen()\fR get and set the
-function used for generating a new \s-1RSA\s0 key pair respectively. This
+function used for generating a new RSA key pair respectively. This
function will be called in response to the application calling
\&\fBRSA_generate_key_ex()\fR. The parameter for the function has the same
meaning as for \fBRSA_generate_key_ex()\fR.
.PP
\&\fBRSA_meth_get_multi_prime_keygen()\fR and \fBRSA_meth_set_multi_prime_keygen()\fR get
-and set the function used for generating a new multi-prime \s-1RSA\s0 key pair
+and set the function used for generating a new multi-prime RSA key pair
respectively. This function will be called in response to the application calling
\&\fBRSA_generate_multi_prime_key()\fR. The parameter for the function has the same
meaning as for \fBRSA_generate_multi_prime_key()\fR.
@@ -368,13 +292,13 @@ These functions will be called in response to the application calling
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_meth_new()\fR and \fBRSA_meth_dup()\fR return the newly allocated
-\&\s-1RSA_METHOD\s0 object or \s-1NULL\s0 on failure.
+RSA_METHOD object or NULL on failure.
.PP
\&\fBRSA_meth_get0_name()\fR and \fBRSA_meth_get_flags()\fR return the name and
-flags associated with the \s-1RSA_METHOD\s0 respectively.
+flags associated with the RSA_METHOD respectively.
.PP
All other RSA_meth_get_*() functions return the appropriate function
-pointer that has been set in the \s-1RSA_METHOD,\s0 or \s-1NULL\s0 if no such
+pointer that has been set in the RSA_METHOD, or NULL if no such
pointer has yet been set.
.PP
RSA_meth_set1_name and all RSA_meth_set_*() functions return 1 on
@@ -384,7 +308,7 @@ success or 0 on failure.
\&\fBRSA_new\fR\|(3), \fBRSA_generate_key_ex\fR\|(3), \fBRSA_sign\fR\|(3),
\&\fBRSA_set_method\fR\|(3), \fBRSA_size\fR\|(3), \fBRSA_get0_key\fR\|(3),
\&\fBRSA_generate_multi_prime_key\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
@@ -392,11 +316,11 @@ All of these functions were deprecated in OpenSSL 3.0.
added in OpenSSL 1.1.1.
.PP
Other functions described here were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_new.3 b/secure/lib/libcrypto/man/man3/RSA_new.3
index f7ea910505e1..71a33463ac63 100644
--- a/secure/lib/libcrypto/man/man3/RSA_new.3
+++ b/secure/lib/libcrypto/man/man3/RSA_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_NEW 3ossl"
-.TH RSA_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_new, RSA_free \- allocate and free RSA objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -153,17 +77,17 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& void RSA_free(RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBRSA_new()\fR allocates and initializes an \fB\s-1RSA\s0\fR structure. It is equivalent to
-calling RSA_new_method(\s-1NULL\s0).
+\&\fBRSA_new()\fR allocates and initializes an \fBRSA\fR structure. It is equivalent to
+calling RSA_new_method(NULL).
.PP
-\&\fBRSA_free()\fR frees the \fB\s-1RSA\s0\fR structure and its components. The key is
+\&\fBRSA_free()\fR frees the \fBRSA\fR structure and its components. The key is
erased before the memory is returned to the system.
-If \fBrsa\fR is \s-1NULL\s0 nothing is done.
+If \fBrsa\fR is NULL nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBRSA_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
+If the allocation fails, \fBRSA_new()\fR returns \fBNULL\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3). Otherwise it returns
a pointer to the newly allocated structure.
.PP
@@ -173,15 +97,15 @@ a pointer to the newly allocated structure.
\&\fBERR_get_error\fR\|(3),
\&\fBRSA_generate_key\fR\|(3),
\&\fBRSA_new_method\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All functions described here were deprecated in OpenSSL 3.0.
-For replacement see \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7).
-.SH "COPYRIGHT"
+For replacement see \fBEVP_PKEY\-RSA\fR\|(7).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3
index d5ce36b3449b..2a87081f266b 100644
--- a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3
+++ b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl"
-.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
RSA_padding_add_none, RSA_padding_check_none \- asymmetric encryption
padding
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -190,19 +114,19 @@ see \fBopenssl_user_macros\fR\|(7):
\& int RSA_padding_check_none(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1EVP PKEY\s0 APIs.
+Applications should instead use the EVP PKEY APIs.
.PP
-The \fBRSA_padding_xxx_xxx()\fR functions are called from the \s-1RSA\s0 encrypt,
+The \fBRSA_padding_xxx_xxx()\fR functions are called from the RSA encrypt,
decrypt, sign and verify functions. Normally they should not be called
from application programs.
.PP
However, they can also be called directly to implement padding for other
asymmetric ciphers. \fBRSA_padding_add_PKCS1_OAEP()\fR and
\&\fBRSA_padding_check_PKCS1_OAEP()\fR may be used in an application combined
-with \fB\s-1RSA_NO_PADDING\s0\fR in order to implement \s-1OAEP\s0 with an encoding
+with \fBRSA_NO_PADDING\fR in order to implement OAEP with an encoding
parameter.
.PP
\&\fBRSA_padding_add_xxx()\fR encodes \fBfl\fR bytes from \fBf\fR so as to fit into
@@ -210,73 +134,76 @@ parameter.
does not meet the size requirements of the encoding method.
.PP
The following encoding methods are implemented:
-.IP "PKCS1_type_1" 4
+.IP PKCS1_type_1 4
.IX Item "PKCS1_type_1"
-\&\s-1PKCS\s0 #1 v2.0 EMSA\-PKCS1\-v1_5 (\s-1PKCS\s0 #1 v1.5 block type 1); used for signatures
-.IP "PKCS1_type_2" 4
+PKCS #1 v2.0 EMSA\-PKCS1\-v1_5 (PKCS #1 v1.5 block type 1); used for signatures
+.IP PKCS1_type_2 4
.IX Item "PKCS1_type_2"
-\&\s-1PKCS\s0 #1 v2.0 EME\-PKCS1\-v1_5 (\s-1PKCS\s0 #1 v1.5 block type 2)
-.IP "\s-1PKCS1_OAEP\s0" 4
+PKCS #1 v2.0 EME\-PKCS1\-v1_5 (PKCS #1 v1.5 block type 2)
+.IP PKCS1_OAEP 4
.IX Item "PKCS1_OAEP"
-\&\s-1PKCS\s0 #1 v2.0 EME-OAEP
-.IP "none" 4
+PKCS #1 v2.0 EME-OAEP
+.IP none 4
.IX Item "none"
simply copy the data
.PP
The random number generator must be seeded prior to calling
\&\fBRSA_padding_add_xxx()\fR.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
\&\fBRSA_padding_check_xxx()\fR verifies that the \fBfl\fR bytes at \fBf\fR contain
-a valid encoding for a \fBrsa_len\fR byte \s-1RSA\s0 key in the respective
+a valid encoding for a \fBrsa_len\fR byte RSA key in the respective
encoding method and stores the recovered data of at most \fBtlen\fR bytes
-(for \fB\s-1RSA_NO_PADDING\s0\fR: of size \fBtlen\fR)
+(for \fBRSA_NO_PADDING\fR: of size \fBtlen\fR)
at \fBto\fR.
.PP
For \fBRSA_padding_xxx_OAEP()\fR, \fBp\fR points to the encoding parameter
-of length \fBpl\fR. \fBp\fR may be \fB\s-1NULL\s0\fR if \fBpl\fR is 0.
+of length \fBpl\fR. \fBp\fR may be \fBNULL\fR if \fBpl\fR is 0.
.PP
For \fBRSA_padding_xxx_OAEP_mgf1()\fR, \fBmd\fR points to the md hash,
-if \fBmd\fR is \fB\s-1NULL\s0\fR that means md=sha1, and \fBmgf1md\fR points to
-the mgf1 hash, if \fBmgf1md\fR is \fB\s-1NULL\s0\fR that means mgf1md=md.
+if \fBmd\fR is \fBNULL\fR that means md=sha1, and \fBmgf1md\fR points to
+the mgf1 hash, if \fBmgf1md\fR is \fBNULL\fR that means mgf1md=md.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBRSA_padding_add_xxx()\fR functions return 1 on success, 0 on error.
The \fBRSA_padding_check_xxx()\fR functions return the length of the
recovered data, \-1 on error. Error codes can be obtained by calling
\&\fBERR_get_error\fR\|(3).
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
-The result of \fBRSA_padding_check_PKCS1_type_2()\fR is a very sensitive
-information which can potentially be used to mount a Bleichenbacher
-padding oracle attack. This is an inherent weakness in the \s-1PKCS\s0 #1
-v1.5 padding design. Prefer \s-1PKCS1_OAEP\s0 padding. If that is not
+The result of \fBRSA_padding_check_PKCS1_type_2()\fR is exactly the
+information which is used to mount a classical Bleichenbacher
+padding oracle attack. This is an inherent weakness in the PKCS #1
+v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
possible, the result of \fBRSA_padding_check_PKCS1_type_2()\fR should be
checked in constant time if it matches the expected length of the
plaintext and additionally some application specific consistency
checks on the plaintext need to be performed in constant time.
If the plaintext is rejected it must be kept secret which of the
checks caused the application to reject the message.
-Do not remove the zero-padding from the decrypted raw \s-1RSA\s0 data
-which was computed by \fBRSA_private_decrypt()\fR with \fB\s-1RSA_NO_PADDING\s0\fR,
+Do not remove the zero-padding from the decrypted raw RSA data
+which was computed by \fBRSA_private_decrypt()\fR with \fBRSA_NO_PADDING\fR,
as this would create a small timing side channel which could be
used to mount a Bleichenbacher attack against any padding mode
-including \s-1PKCS1_OAEP.\s0
+including PKCS1_OAEP.
+.PP
+You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption
+as they implement the necessary workarounds internally.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_public_encrypt\fR\|(3),
\&\fBRSA_private_decrypt\fR\|(3),
\&\fBRSA_sign\fR\|(3), \fBRSA_verify\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_print.3 b/secure/lib/libcrypto/man/man3/RSA_print.3
index 215e64ab3a0e..cdce20d1cd85 100644
--- a/secure/lib/libcrypto/man/man3/RSA_print.3
+++ b/secure/lib/libcrypto/man/man3/RSA_print.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,86 +52,26 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PRINT 3ossl"
-.TH RSA_PRINT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_PRINT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_print, RSA_print_fp,
DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp,
DHparams_print, DHparams_print_fp \- print cryptographic parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -158,7 +82,7 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -171,21 +95,21 @@ see \fBopenssl_user_macros\fR\|(7):
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& int DHparams_print(BIO *bp, DH *x);
\& int DHparams_print_fp(FILE *fp, const DH *x);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_print_params\fR\|(3) and
\&\fBEVP_PKEY_print_private\fR\|(3).
.PP
-A human-readable hexadecimal output of the components of the \s-1RSA\s0
-key, \s-1DSA\s0 parameters or key or \s-1DH\s0 parameters is printed to \fBbp\fR or \fBfp\fR.
+A human-readable hexadecimal output of the components of the RSA
+key, DSA parameters or key or DH parameters is printed to \fBbp\fR or \fBfp\fR.
.PP
The output lines are indented by \fBoffset\fR spaces.
.SH "RETURN VALUES"
@@ -201,14 +125,14 @@ return 1 for success and 0 or a negative value for failure.
\& L<EVP_PKEY_print_private(3)>,
\& L<BN_bn2bin(3)>
.Ve
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3
index d4cbc0087959..6892bd1df5c3 100644
--- a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PRIVATE_ENCRYPT 3ossl"
-.TH RSA_PRIVATE_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_PRIVATE_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_private_encrypt, RSA_public_decrypt \- low\-level signature operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -155,14 +79,14 @@ see \fBopenssl_user_macros\fR\|(7):
\& int RSA_public_decrypt(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Both of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_sign_init_ex\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_recover_init\fR\|(3), and
\&\fBEVP_PKEY_verify_recover\fR\|(3).
.PP
-These functions handle \s-1RSA\s0 signatures at a low-level.
+These functions handle RSA signatures at a low-level.
.PP
\&\fBRSA_private_encrypt()\fR signs the \fBflen\fR bytes at \fBfrom\fR (usually a
message digest with an algorithm identifier) using the private key
@@ -170,17 +94,17 @@ message digest with an algorithm identifier) using the private key
\&\fBRSA_size(rsa)\fR bytes of memory.
.PP
\&\fBpadding\fR denotes one of the following modes:
-.IP "\s-1RSA_PKCS1_PADDING\s0" 4
+.IP RSA_PKCS1_PADDING 4
.IX Item "RSA_PKCS1_PADDING"
-\&\s-1PKCS\s0 #1 v1.5 padding. This function does not handle the
-\&\fBalgorithmIdentifier\fR specified in \s-1PKCS\s0 #1. When generating or
-verifying \s-1PKCS\s0 #1 signatures, \fBRSA_sign\fR\|(3) and \fBRSA_verify\fR\|(3) should be
+PKCS #1 v1.5 padding. This function does not handle the
+\&\fBalgorithmIdentifier\fR specified in PKCS #1. When generating or
+verifying PKCS #1 signatures, \fBRSA_sign\fR\|(3) and \fBRSA_verify\fR\|(3) should be
used.
-.IP "\s-1RSA_NO_PADDING\s0" 4
+.IP RSA_NO_PADDING 4
.IX Item "RSA_NO_PADDING"
-Raw \s-1RSA\s0 signature. This mode should \fIonly\fR be used to implement
+Raw RSA signature. This mode should \fIonly\fR be used to implement
cryptographically sound padding modes in the application code.
-Signing user data directly with \s-1RSA\s0 is insecure.
+Signing user data directly with RSA is insecure.
.PP
\&\fBRSA_public_decrypt()\fR recovers the message digest from the \fBflen\fR
bytes long signature at \fBfrom\fR using the signer's public key
@@ -200,14 +124,14 @@ obtained by \fBERR_get_error\fR\|(3).
\&\fBERR_get_error\fR\|(3),
\&\fBRSA_sign\fR\|(3), \fBRSA_verify\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_recover\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
Both of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3
index 1d2c5c0a8b53..1e5461bb97fc 100644
--- a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PUBLIC_ENCRYPT 3ossl"
-.TH RSA_PUBLIC_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_PUBLIC_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_public_encrypt, RSA_private_decrypt \- RSA public key cryptography
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -155,7 +79,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& int RSA_private_decrypt(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Both of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_encrypt_init_ex\fR\|(3),
@@ -167,25 +91,25 @@ session key) using the public key \fBrsa\fR and stores the ciphertext in
\&\fBto\fR. \fBto\fR must point to RSA_size(\fBrsa\fR) bytes of memory.
.PP
\&\fBpadding\fR denotes one of the following modes:
-.IP "\s-1RSA_PKCS1_PADDING\s0" 4
+.IP RSA_PKCS1_PADDING 4
.IX Item "RSA_PKCS1_PADDING"
-\&\s-1PKCS\s0 #1 v1.5 padding. This currently is the most widely used mode.
-However, it is highly recommended to use \s-1RSA_PKCS1_OAEP_PADDING\s0 in
-new applications. \s-1SEE WARNING BELOW.\s0
-.IP "\s-1RSA_PKCS1_OAEP_PADDING\s0" 4
+PKCS #1 v1.5 padding. This currently is the most widely used mode.
+However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in
+new applications. SEE WARNING BELOW.
+.IP RSA_PKCS1_OAEP_PADDING 4
.IX Item "RSA_PKCS1_OAEP_PADDING"
-EME-OAEP as defined in \s-1PKCS\s0 #1 v2.0 with \s-1SHA\-1, MGF1\s0 and an empty
+EME-OAEP as defined in PKCS #1 v2.0 with SHA\-1, MGF1 and an empty
encoding parameter. This mode is recommended for all new applications.
-.IP "\s-1RSA_NO_PADDING\s0" 4
+.IP RSA_NO_PADDING 4
.IX Item "RSA_NO_PADDING"
-Raw \s-1RSA\s0 encryption. This mode should \fIonly\fR be used to implement
+Raw RSA encryption. This mode should \fIonly\fR be used to implement
cryptographically sound padding modes in the application code.
-Encrypting user data directly with \s-1RSA\s0 is insecure.
+Encrypting user data directly with RSA is insecure.
.PP
-\&\fBflen\fR must not be more than RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5
-based padding modes, not more than RSA_size(\fBrsa\fR) \- 42 for
-\&\s-1RSA_PKCS1_OAEP_PADDING\s0 and exactly RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING.\s0
-When a padding mode other than \s-1RSA_NO_PADDING\s0 is in use, then
+When encrypting \fBflen\fR must not be more than RSA_size(\fBrsa\fR) \- 11 for the
+PKCS #1 v1.5 based padding modes, not more than RSA_size(\fBrsa\fR) \- 42 for
+RSA_PKCS1_OAEP_PADDING and exactly RSA_size(\fBrsa\fR) for RSA_NO_PADDING.
+When a padding mode other than RSA_NO_PADDING is in use, then
\&\fBRSA_public_encrypt()\fR will include some random bytes into the ciphertext
and therefore the ciphertext will be different each time, even if the
plaintext and the public key are exactly identical.
@@ -199,9 +123,9 @@ be equal to RSA_size(\fBrsa\fR) but may be smaller, when leading zero
bytes are in the ciphertext. Those are not important and may be removed,
but \fBRSA_public_encrypt()\fR does not do that. \fBto\fR must point
to a memory section large enough to hold the maximal possible decrypted
-data (which is equal to RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING,\s0
-RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5 based padding modes and
-RSA_size(\fBrsa\fR) \- 42 for \s-1RSA_PKCS1_OAEP_PADDING\s0).
+data (which is equal to RSA_size(\fBrsa\fR) for RSA_NO_PADDING,
+RSA_size(\fBrsa\fR) \- 11 for the PKCS #1 v1.5 based padding modes and
+RSA_size(\fBrsa\fR) \- 42 for RSA_PKCS1_OAEP_PADDING).
\&\fBpadding\fR is the padding mode that was used to encrypt the data.
\&\fBto\fR and \fBfrom\fR may overlap.
.SH "RETURN VALUES"
@@ -213,27 +137,41 @@ means only that the plaintext was empty.
.PP
On error, \-1 is returned; the error codes can be
obtained by \fBERR_get_error\fR\|(3).
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
-Decryption failures in the \s-1RSA_PKCS1_PADDING\s0 mode leak information
+Decryption failures in the RSA_PKCS1_PADDING mode leak information
which can potentially be used to mount a Bleichenbacher padding oracle
-attack. This is an inherent weakness in the \s-1PKCS\s0 #1 v1.5 padding
-design. Prefer \s-1RSA_PKCS1_OAEP_PADDING.\s0
+attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+design. Prefer RSA_PKCS1_OAEP_PADDING.
+.PP
+In OpenSSL before version 3.2.0, both the return value and the length of
+returned value could be used to mount the Bleichenbacher attack.
+Since version 3.2.0, the default provider in OpenSSL does not return an
+error when padding checks fail. Instead it generates a random
+message based on used private
+key and provided ciphertext so that application code doesn't have to implement
+a side-channel secure error handling.
+Applications that want to be secure against side-channel attacks with
+providers that don't implement implicit rejection, still need to
+handle the returned values using side-channel free code.
+Side-channel free handling of the error stack can be performed using
+either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3)
+calls or by using the \fBERR_clear_error\fR\|(3) call.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1SSL, PKCS\s0 #1 v2.0
+SSL, PKCS #1 v2.0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
-\&\fBRSA_size\fR\|(3)
-.SH "HISTORY"
+\&\fBRSA_size\fR\|(3), \fBEVP_PKEY_decrypt\fR\|(3), \fBEVP_PKEY_encrypt\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
Both of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_set_method.3 b/secure/lib/libcrypto/man/man3/RSA_set_method.3
index 80288950d214..423872f6e53b 100644
--- a/secure/lib/libcrypto/man/man3/RSA_set_method.3
+++ b/secure/lib/libcrypto/man/man3/RSA_set_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,86 +52,26 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SET_METHOD 3ossl"
-.TH RSA_SET_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_SET_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_set_default_method, RSA_get_default_method, RSA_set_method,
RSA_get_method, RSA_PKCS1_OpenSSL, RSA_flags,
RSA_new_method \- select RSA method
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -165,59 +89,59 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& RSA *RSA_new_method(ENGINE *engine);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use the \s-1OSSL_PROVIDER\s0 APIs.
+Applications should instead use the OSSL_PROVIDER APIs.
.PP
-An \fB\s-1RSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1RSA\s0
+An \fBRSA_METHOD\fR specifies the functions that OpenSSL uses for RSA
operations. By modifying the method, alternative implementations such as
-hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
-important information about how these \s-1RSA API\s0 functions are affected by the
-use of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
+hardware accelerators may be used. IMPORTANT: See the NOTES section for
+important information about how these RSA API functions are affected by the
+use of \fBENGINE\fR API calls.
.PP
-Initially, the default \s-1RSA_METHOD\s0 is the OpenSSL internal implementation,
+Initially, the default RSA_METHOD is the OpenSSL internal implementation,
as returned by \fBRSA_PKCS1_OpenSSL()\fR.
.PP
-\&\fBRSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1RSA\s0
+\&\fBRSA_set_default_method()\fR makes \fBmeth\fR the default method for all RSA
structures created later.
-\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
-been set as a default for \s-1RSA,\s0 so this function is no longer recommended.
+\&\fBNB\fR: This is true only whilst no ENGINE has
+been set as a default for RSA, so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBRSA_get_default_method()\fR returns a pointer to the current default
-\&\s-1RSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
-whether the \s-1ENGINE API\s0 is being used, so this function is no longer
+RSA_METHOD. However, the meaningfulness of this result is dependent on
+whether the ENGINE API is being used, so this function is no longer
recommended.
.PP
\&\fBRSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
-\&\fBrsa\fR. This will replace the \s-1RSA_METHOD\s0 used by the \s-1RSA\s0 key and if the
-previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
-be released during the change. It is possible to have \s-1RSA\s0 keys that only
-work with certain \s-1RSA_METHOD\s0 implementations (e.g. from an \s-1ENGINE\s0 module
+\&\fBrsa\fR. This will replace the RSA_METHOD used by the RSA key and if the
+previous method was supplied by an ENGINE, the handle to that ENGINE will
+be released during the change. It is possible to have RSA keys that only
+work with certain RSA_METHOD implementations (e.g. from an ENGINE module
that supports embedded hardware-protected keys), and in such cases
-attempting to change the \s-1RSA_METHOD\s0 for the key can have unexpected
+attempting to change the RSA_METHOD for the key can have unexpected
results.
.PP
-\&\fBRSA_get_method()\fR returns a pointer to the \s-1RSA_METHOD\s0 being used by \fBrsa\fR.
-This method may or may not be supplied by an \s-1ENGINE\s0 implementation, but if
+\&\fBRSA_get_method()\fR returns a pointer to the RSA_METHOD being used by \fBrsa\fR.
+This method may or may not be supplied by an ENGINE implementation, but if
it is, the return value can only be guaranteed to be valid as long as the
-\&\s-1RSA\s0 key itself is valid and does not have its implementation changed by
+RSA key itself is valid and does not have its implementation changed by
\&\fBRSA_set_method()\fR.
.PP
\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current
-\&\s-1RSA_METHOD.\s0 See the \s-1BUGS\s0 section.
+RSA_METHOD. See the BUGS section.
.PP
-\&\fBRSA_new_method()\fR allocates and initializes an \s-1RSA\s0 structure so that
-\&\fBengine\fR will be used for the \s-1RSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the
-default \s-1ENGINE\s0 for \s-1RSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set,
-the \s-1RSA_METHOD\s0 controlled by \fBRSA_set_default_method()\fR is used.
+\&\fBRSA_new_method()\fR allocates and initializes an RSA structure so that
+\&\fBengine\fR will be used for the RSA operations. If \fBengine\fR is NULL, the
+default ENGINE for RSA operations is used, and if no default ENGINE is set,
+the RSA_METHOD controlled by \fBRSA_set_default_method()\fR is used.
.PP
\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current method.
.PP
-\&\fBRSA_new_method()\fR allocates and initializes an \fB\s-1RSA\s0\fR structure so that
-\&\fBmethod\fR will be used for the \s-1RSA\s0 operations. If \fBmethod\fR is \fB\s-1NULL\s0\fR,
+\&\fBRSA_new_method()\fR allocates and initializes an \fBRSA\fR structure so that
+\&\fBmethod\fR will be used for the RSA operations. If \fBmethod\fR is \fBNULL\fR,
the default method is used.
.SH "THE RSA_METHOD STRUCTURE"
.IX Header "THE RSA_METHOD STRUCTURE"
@@ -285,42 +209,42 @@ and \fBRSA_get_method()\fR return pointers to the respective RSA_METHODs.
.PP
\&\fBRSA_set_default_method()\fR returns no value.
.PP
-\&\fBRSA_set_method()\fR returns a pointer to the old \s-1RSA_METHOD\s0 implementation
+\&\fBRSA_set_method()\fR returns a pointer to the old RSA_METHOD implementation
that was replaced. However, this return value should probably be ignored
-because if it was supplied by an \s-1ENGINE,\s0 the pointer could be invalidated
-at any time if the \s-1ENGINE\s0 is unloaded (in fact it could be unloaded as a
+because if it was supplied by an ENGINE, the pointer could be invalidated
+at any time if the ENGINE is unloaded (in fact it could be unloaded as a
result of the \fBRSA_set_method()\fR function releasing its handle to the
-\&\s-1ENGINE\s0). For this reason, the return type may be replaced with a \fBvoid\fR
+ENGINE). For this reason, the return type may be replaced with a \fBvoid\fR
declaration in a future release.
.PP
-\&\fBRSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained
+\&\fBRSA_new_method()\fR returns NULL and sets an error code that can be obtained
by \fBERR_get_error\fR\|(3) if the allocation fails. Otherwise
it returns a pointer to the newly allocated structure.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The behaviour of \fBRSA_flags()\fR is a mis-feature that is left as-is for now
-to avoid creating compatibility problems. \s-1RSA\s0 functionality, such as the
-encryption functions, are controlled by the \fBflags\fR value in the \s-1RSA\s0 key
-itself, not by the \fBflags\fR value in the \s-1RSA_METHOD\s0 attached to the \s-1RSA\s0 key
-(which is what this function returns). If the flags element of an \s-1RSA\s0 key
-is changed, the changes will be honoured by \s-1RSA\s0 functionality but will not
+to avoid creating compatibility problems. RSA functionality, such as the
+encryption functions, are controlled by the \fBflags\fR value in the RSA key
+itself, not by the \fBflags\fR value in the RSA_METHOD attached to the RSA key
+(which is what this function returns). If the flags element of an RSA key
+is changed, the changes will be honoured by RSA functionality but will not
be reflected in the return value of the \fBRSA_flags()\fR function \- in effect
\&\fBRSA_flags()\fR behaves more like an \fBRSA_default_flags()\fR function (which does
not currently exist).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
.PP
The \fBRSA_null_method()\fR, which was a partial attempt to avoid patent issues,
-was replaced to always return \s-1NULL\s0 in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+was replaced to always return NULL in OpenSSL 1.1.1.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_sign.3 b/secure/lib/libcrypto/man/man3/RSA_sign.3
index 2f2217b2a02a..d5d402598ed7 100644
--- a/secure/lib/libcrypto/man/man3/RSA_sign.3
+++ b/secure/lib/libcrypto/man/man3/RSA_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SIGN 3ossl"
-.TH RSA_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_sign, RSA_verify \- RSA signatures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -155,17 +79,17 @@ see \fBopenssl_user_macros\fR\|(7):
\& int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
\& unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_sign_init\fR\|(3), \fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3).
.PP
\&\fBRSA_sign()\fR signs the message digest \fBm\fR of size \fBm_len\fR using the
-private key \fBrsa\fR using RSASSA\-PKCS1\-v1_5 as specified in \s-1RFC 3447.\s0 It
+private key \fBrsa\fR using RSASSA\-PKCS1\-v1_5 as specified in RFC 3447. It
stores the signature in \fBsigret\fR and the signature size in \fBsiglen\fR.
\&\fBsigret\fR must point to RSA_size(\fBrsa\fR) bytes of memory.
-Note that \s-1PKCS\s0 #1 adds meta-data, placing limits on the size of the
+Note that PKCS #1 adds meta-data, placing limits on the size of the
key that can be used.
See \fBRSA_private_encrypt\fR\|(3) for lower-level
operations.
@@ -173,7 +97,7 @@ operations.
\&\fBtype\fR denotes the message digest algorithm that was used to generate
\&\fBm\fR.
If \fBtype\fR is \fBNID_md5_sha1\fR,
-an \s-1SSL\s0 signature (\s-1MD5\s0 and \s-1SHA1\s0 message digests with \s-1PKCS\s0 #1 padding
+an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding
and no algorithm identifier) is created.
.PP
\&\fBRSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR
@@ -188,20 +112,20 @@ the message digest algorithm that was used to generate the signature.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1SSL, PKCS\s0 #1 v2.0
+SSL, PKCS #1 v2.0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBRSA_private_encrypt\fR\|(3),
\&\fBRSA_public_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3
index 75bad29fde8d..2ad58ec36a1d 100644
--- a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3
+++ b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SIGN_ASN1_OCTET_STRING 3ossl"
-.TH RSA_SIGN_ASN1_OCTET_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_SIGN_ASN1_OCTET_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING \- RSA signatures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -157,13 +81,13 @@ see \fBopenssl_user_macros\fR\|(7):
\& unsigned int m_len, unsigned char *sigbuf,
\& unsigned int siglen, RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated.
-Applications should instead use \s-1EVP PKEY\s0 APIs.
+Applications should instead use EVP PKEY APIs.
.PP
\&\fBRSA_sign_ASN1_OCTET_STRING()\fR signs the octet string \fBm\fR of size
-\&\fBm_len\fR using the private key \fBrsa\fR represented in \s-1DER\s0 using \s-1PKCS\s0 #1
+\&\fBm_len\fR using the private key \fBrsa\fR represented in DER using PKCS #1
padding. It stores the signature in \fBsigret\fR and the signature size
in \fBsiglen\fR. \fBsigret\fR must point to \fBRSA_size(rsa)\fR bytes of
memory.
@@ -172,11 +96,11 @@ memory.
.PP
The random number generator must be seeded when calling
\&\fBRSA_sign_ASN1_OCTET_STRING()\fR.
-If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
-external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
+If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to
+external circumstances (see \fBRAND\fR\|(7)), the operation will fail.
.PP
\&\fBRSA_verify_ASN1_OCTET_STRING()\fR verifies that the signature \fBsigbuf\fR
-of size \fBsiglen\fR is the \s-1DER\s0 representation of a given octet string
+of size \fBsiglen\fR is the DER representation of a given octet string
\&\fBm\fR of size \fBm_len\fR. \fBdummy\fR is ignored. \fBrsa\fR is the signer's
public key.
.SH "RETURN VALUES"
@@ -186,7 +110,7 @@ public key.
otherwise.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
These functions serve no recognizable purpose.
.SH "SEE ALSO"
@@ -194,15 +118,15 @@ These functions serve no recognizable purpose.
\&\fBERR_get_error\fR\|(3),
\&\fBRAND_bytes\fR\|(3), \fBRSA_sign\fR\|(3),
\&\fBRSA_verify\fR\|(3),
-\&\s-1\fBRAND\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_size.3 b/secure/lib/libcrypto/man/man3/RSA_size.3
index ee5d899ff5d0..09b4d5ec7738 100644
--- a/secure/lib/libcrypto/man/man3/RSA_size.3
+++ b/secure/lib/libcrypto/man/man3/RSA_size.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SIZE 3ossl"
-.TH RSA_SIZE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA_SIZE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA_size, RSA_bits, RSA_security_bits \- get RSA modulus size or security bits
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
@@ -147,7 +71,7 @@ RSA_size, RSA_bits, RSA_security_bits \- get RSA modulus size or security bits
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
@@ -155,18 +79,18 @@ see \fBopenssl_user_macros\fR\|(7):
\&
\& int RSA_security_bits(const RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBRSA_bits()\fR returns the number of significant bits.
.PP
-\&\fBrsa\fR and \fBrsa\->n\fR must not be \fB\s-1NULL\s0\fR.
+\&\fBrsa\fR and \fBrsa\->n\fR must not be \fBNULL\fR.
.PP
The remaining functions described on this page are deprecated.
Applications should instead use \fBEVP_PKEY_get_size\fR\|(3), \fBEVP_PKEY_get_bits\fR\|(3)
and \fBEVP_PKEY_get_security_bits\fR\|(3).
.PP
-\&\fBRSA_size()\fR returns the \s-1RSA\s0 modulus size in bytes. It can be used to
-determine how much memory must be allocated for an \s-1RSA\s0 encrypted
+\&\fBRSA_size()\fR returns the RSA modulus size in bytes. It can be used to
+determine how much memory must be allocated for an RSA encrypted
value.
.PP
\&\fBRSA_security_bits()\fR returns the number of security bits of the given \fBrsa\fR
@@ -181,16 +105,16 @@ key. See \fBBN_security_bits\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_num_bits\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBRSA_size()\fR and \fBRSA_security_bits()\fR functions were deprecated in OpenSSL 3.0.
.PP
The \fBRSA_bits()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SCT_new.3 b/secure/lib/libcrypto/man/man3/SCT_new.3
index 7b4f533ccb46..f57ea524cddd 100644
--- a/secure/lib/libcrypto/man/man3/SCT_new.3
+++ b/secure/lib/libcrypto/man/man3/SCT_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCT_NEW 3ossl"
-.TH SCT_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SCT_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SCT_new, SCT_new_from_base64, SCT_free, SCT_LIST_free,
SCT_get_version, SCT_set_version,
SCT_get_log_entry_type, SCT_set_log_entry_type,
@@ -147,7 +71,7 @@ SCT_get0_signature, SCT_set0_signature, SCT_set1_signature,
SCT_get0_extensions, SCT_set0_extensions, SCT_set1_extensions,
SCT_get_source, SCT_set_source
\&\- A Certificate Transparency Signed Certificate Timestamp
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -208,75 +132,81 @@ SCT_get_source, SCT_set_source
\& sct_source_t SCT_get_source(const SCT *sct);
\& int SCT_set_source(SCT *sct, sct_source_t source);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Signed Certificate Timestamps (SCTs) are defined by \s-1RFC 6962,\s0 Section 3.2.
-They constitute a promise by a Certificate Transparency (\s-1CT\s0) log to publicly
+Signed Certificate Timestamps (SCTs) are defined by RFC 6962, Section 3.2.
+They constitute a promise by a Certificate Transparency (CT) log to publicly
record a certificate. By cryptographically verifying that a log did indeed issue
-an \s-1SCT,\s0 some confidence can be gained that the certificate is publicly known.
+an SCT, some confidence can be gained that the certificate is publicly known.
.PP
-An internal representation of an \s-1SCT\s0 can be created in one of two ways.
-The first option is to create a blank \s-1SCT,\s0 using \fBSCT_new()\fR, and then populate
+An internal representation of an SCT can be created in one of two ways.
+The first option is to create a blank SCT, using \fBSCT_new()\fR, and then populate
it using:
-.IP "\(bu" 2
-\&\fBSCT_set_version()\fR to set the \s-1SCT\s0 version.
+.IP \(bu 2
+\&\fBSCT_set_version()\fR to set the SCT version.
.Sp
-Only \s-1SCT_VERSION_V1\s0 is currently supported.
-.IP "\(bu" 2
-\&\fBSCT_set_log_entry_type()\fR to set the type of certificate the \s-1SCT\s0 was issued for:
+Only SCT_VERSION_V1 is currently supported.
+.IP \(bu 2
+\&\fBSCT_set_log_entry_type()\fR to set the type of certificate the SCT was issued for:
.Sp
-\&\fB\s-1CT_LOG_ENTRY_TYPE_X509\s0\fR for a normal certificate.
-\&\fB\s-1CT_LOG_ENTRY_TYPE_PRECERT\s0\fR for a pre-certificate.
-.IP "\(bu" 2
-\&\fBSCT_set0_log_id()\fR or \fBSCT_set1_log_id()\fR to set the LogID of the \s-1CT\s0 log that the \s-1SCT\s0 came from.
+\&\fBCT_LOG_ENTRY_TYPE_X509\fR for a normal certificate.
+\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre-certificate.
+.IP \(bu 2
+\&\fBSCT_set0_log_id()\fR or \fBSCT_set1_log_id()\fR to set the LogID of the CT log that the SCT came from.
.Sp
The former takes ownership, whereas the latter makes a copy.
-See \s-1RFC 6962,\s0 Section 3.2 for the definition of LogID.
-.IP "\(bu" 2
-\&\fBSCT_set_timestamp()\fR to set the time the \s-1SCT\s0 was issued (time in milliseconds
+See RFC 6962, Section 3.2 for the definition of LogID.
+.IP \(bu 2
+\&\fBSCT_set_timestamp()\fR to set the time the SCT was issued (time in milliseconds
since the Unix Epoch).
-.IP "\(bu" 2
-\&\fBSCT_set_signature_nid()\fR to set the \s-1NID\s0 of the signature.
-.IP "\(bu" 2
+.IP \(bu 2
+\&\fBSCT_set_signature_nid()\fR to set the NID of the signature.
+.IP \(bu 2
\&\fBSCT_set0_signature()\fR or \fBSCT_set1_signature()\fR to set the raw signature value.
.Sp
The former takes ownership, whereas the latter makes a copy.
-.IP "\(bu" 2
-\&\fBSCT_set0_extensions()\fR or \fBSCT_set1_extensions\fR to provide \s-1SCT\s0 extensions.
+.IP \(bu 2
+\&\fBSCT_set0_extensions()\fR or \fBSCT_set1_extensions\fR to provide SCT extensions.
.Sp
The former takes ownership, whereas the latter makes a copy.
.PP
-Alternatively, the \s-1SCT\s0 can be pre-populated from the following data using
+Alternatively, the SCT can be pre-populated from the following data using
\&\fBSCT_new_from_base64()\fR:
-.IP "\(bu" 2
-The \s-1SCT\s0 version (only \s-1SCT_VERSION_V1\s0 is currently supported).
-.IP "\(bu" 2
-The LogID (see \s-1RFC 6962,\s0 Section 3.2), base64 encoded.
-.IP "\(bu" 2
-The type of certificate the \s-1SCT\s0 was issued for:
-\&\fB\s-1CT_LOG_ENTRY_TYPE_X509\s0\fR for a normal certificate.
-\&\fB\s-1CT_LOG_ENTRY_TYPE_PRECERT\s0\fR for a pre-certificate.
-.IP "\(bu" 2
-The time that the \s-1SCT\s0 was issued (time in milliseconds since the Unix Epoch).
-.IP "\(bu" 2
-The \s-1SCT\s0 extensions, base64 encoded.
-.IP "\(bu" 2
-The \s-1SCT\s0 signature, base64 encoded.
+.IP \(bu 2
+The SCT version (only SCT_VERSION_V1 is currently supported).
+.IP \(bu 2
+The LogID (see RFC 6962, Section 3.2), base64 encoded.
+.IP \(bu 2
+The type of certificate the SCT was issued for:
+\&\fBCT_LOG_ENTRY_TYPE_X509\fR for a normal certificate.
+\&\fBCT_LOG_ENTRY_TYPE_PRECERT\fR for a pre-certificate.
+.IP \(bu 2
+The time that the SCT was issued (time in milliseconds since the Unix Epoch).
+.IP \(bu 2
+The SCT extensions, base64 encoded.
+.IP \(bu 2
+The SCT signature, base64 encoded.
+.PP
+\&\fBSCT_set_source()\fR can be used to record where the SCT was found
+(TLS extension, X.509 certificate extension or OCSP response). This is not
+required for verifying the SCT.
+.PP
+\&\fBSCT_free()\fR frees the specified SCT.
+If the argument is NULL, nothing is done.
.PP
-\&\fBSCT_set_source()\fR can be used to record where the \s-1SCT\s0 was found
-(\s-1TLS\s0 extension, X.509 certificate extension or \s-1OCSP\s0 response). This is not
-required for verifying the \s-1SCT.\s0
-.SH "NOTES"
+\&\fBSCT_LIST_free()\fR frees the specified stack of SCTs.
+If the argument is NULL, nothing is done.
+.SH NOTES
.IX Header "NOTES"
Some of the setters return int, instead of void. These will all return 1 on
success, 0 on failure. They will not make changes on failure.
.PP
-All of the setters will reset the validation status of the \s-1SCT\s0 to
-\&\s-1SCT_VALIDATION_STATUS_NOT_SET\s0 (see \fBSCT_validate\fR\|(3)).
+All of the setters will reset the validation status of the SCT to
+SCT_VALIDATION_STATUS_NOT_SET (see \fBSCT_validate\fR\|(3)).
.PP
\&\fBSCT_set_source()\fR will call \fBSCT_set_log_entry_type()\fR if the type of
-certificate the \s-1SCT\s0 was issued for can be inferred from where the \s-1SCT\s0 was found.
-For example, an \s-1SCT\s0 found in an X.509 extension must have been issued for a pre\-
+certificate the SCT was issued for can be inferred from where the SCT was found.
+For example, an SCT found in an X.509 extension must have been issued for a pre\-
certificate.
.PP
\&\fBSCT_set_source()\fR will not refuse unknown values.
@@ -287,10 +217,10 @@ certificate.
\&\fBSCT_set_log_entry_type()\fR returns 1 if the specified log entry type is supported, 0 otherwise.
.PP
\&\fBSCT_set0_log_id()\fR and \fBSCT_set1_log_id\fR return 1 if the specified LogID is a
-valid \s-1SHA\-256\s0 hash, 0 otherwise. Additionally, \fBSCT_set1_log_id\fR returns 0 if
+valid SHA\-256 hash, 0 otherwise. Additionally, \fBSCT_set1_log_id\fR returns 0 if
malloc fails.
.PP
-\&\fBSCT_set_signature_nid\fR returns 1 if the specified \s-1NID\s0 is supported, 0 otherwise.
+\&\fBSCT_set_signature_nid\fR returns 1 if the specified NID is supported, 0 otherwise.
.PP
\&\fBSCT_set1_extensions\fR and \fBSCT_set1_signature\fR return 1 if the supplied buffer
is copied successfully, 0 otherwise (i.e. if malloc fails).
@@ -301,14 +231,14 @@ is copied successfully, 0 otherwise (i.e. if malloc fails).
\&\fBct\fR\|(7),
\&\fBSCT_validate\fR\|(3),
\&\fBOBJ_nid2obj\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SCT_print.3 b/secure/lib/libcrypto/man/man3/SCT_print.3
index 647bb23bf9c7..e5b4b6dba69f 100644
--- a/secure/lib/libcrypto/man/man3/SCT_print.3
+++ b/secure/lib/libcrypto/man/man3/SCT_print.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCT_PRINT 3ossl"
-.TH SCT_PRINT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SCT_PRINT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SCT_print, SCT_LIST_print, SCT_validation_status_string \-
Prints Signed Certificate Timestamps in a human\-readable way
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -149,38 +73,38 @@ Prints Signed Certificate Timestamps in a human\-readable way
\& const char *separator, const CTLOG_STORE *logs);
\& const char *SCT_validation_status_string(const SCT *sct);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSCT_print()\fR prints a single Signed Certificate Timestamp (\s-1SCT\s0) to a \fB\s-1BIO\s0\fR in
+\&\fBSCT_print()\fR prints a single Signed Certificate Timestamp (SCT) to a \fBBIO\fR in
a human-readable format. \fBSCT_LIST_print()\fR prints an entire list of SCTs in a
-similar way. A separator can be specified to delimit each \s-1SCT\s0 in the output.
+similar way. A separator can be specified to delimit each SCT in the output.
.PP
-The output can be indented by a specified number of spaces. If a \fB\s-1CTLOG_STORE\s0\fR
-is provided, it will be used to print the description of the \s-1CT\s0 log that issued
-each \s-1SCT\s0 (if that log is in the \s-1CTLOG_STORE\s0). Alternatively, \s-1NULL\s0 can be passed
-as the \s-1CTLOG_STORE\s0 parameter to disable this feature.
+The output can be indented by a specified number of spaces. If a \fBCTLOG_STORE\fR
+is provided, it will be used to print the description of the CT log that issued
+each SCT (if that log is in the CTLOG_STORE). Alternatively, NULL can be passed
+as the CTLOG_STORE parameter to disable this feature.
.PP
-\&\fBSCT_validation_status_string()\fR will return the validation status of an \s-1SCT\s0 as
+\&\fBSCT_validation_status_string()\fR will return the validation status of an SCT as
a human-readable string. Call \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR
-beforehand in order to set the validation status of an \s-1SCT\s0 first.
+beforehand in order to set the validation status of an SCT first.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSCT_validation_status_string()\fR returns a NUL-terminated string representing
-the validation status of an \fB\s-1SCT\s0\fR object.
+the validation status of an \fBSCT\fR object.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBbio\fR\|(7),
\&\fBCTLOG_STORE_new\fR\|(3),
\&\fBSCT_validate\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SCT_validate.3 b/secure/lib/libcrypto/man/man3/SCT_validate.3
index f0a1f076902b..bb6737efd119 100644
--- a/secure/lib/libcrypto/man/man3/SCT_validate.3
+++ b/secure/lib/libcrypto/man/man3/SCT_validate.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCT_VALIDATE 3ossl"
-.TH SCT_VALIDATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SCT_VALIDATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SCT_validate, SCT_LIST_validate, SCT_get_validation_status \-
checks Signed Certificate Timestamps (SCTs) are valid
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -157,66 +81,66 @@ checks Signed Certificate Timestamps (SCTs) are valid
\& int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
\& sct_validation_status_t SCT_get_validation_status(const SCT *sct);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSCT_validate()\fR will check that an \s-1SCT\s0 is valid and verify its signature.
+\&\fBSCT_validate()\fR will check that an SCT is valid and verify its signature.
\&\fBSCT_LIST_validate()\fR performs the same checks on an entire stack of SCTs.
-The result of the validation checks can be obtained by passing the \s-1SCT\s0 to
+The result of the validation checks can be obtained by passing the SCT to
\&\fBSCT_get_validation_status()\fR.
.PP
-A \s-1CT_POLICY_EVAL_CTX\s0 must be provided that specifies:
-.IP "\(bu" 2
-The certificate the \s-1SCT\s0 was issued for.
+A CT_POLICY_EVAL_CTX must be provided that specifies:
+.IP \(bu 2
+The certificate the SCT was issued for.
.Sp
Failure to provide the certificate will result in the validation status being
-\&\s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0
-.IP "\(bu" 2
+SCT_VALIDATION_STATUS_UNVERIFIED.
+.IP \(bu 2
The issuer of that certificate.
.Sp
-This is only required if the \s-1SCT\s0 was issued for a pre-certificate
-(see \s-1RFC 6962\s0). If it is required but not provided, the validation status will
-be \s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0
-.IP "\(bu" 2
-A \s-1CTLOG_STORE\s0 that contains the \s-1CT\s0 log that issued this \s-1SCT.\s0
+This is only required if the SCT was issued for a pre-certificate
+(see RFC 6962). If it is required but not provided, the validation status will
+be SCT_VALIDATION_STATUS_UNVERIFIED.
+.IP \(bu 2
+A CTLOG_STORE that contains the CT log that issued this SCT.
.Sp
-If the \s-1SCT\s0 was issued by a log that is not in this \s-1CTLOG_STORE,\s0 the validation
-status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_LOG.\s0
+If the SCT was issued by a log that is not in this CTLOG_STORE, the validation
+status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
.PP
-If the \s-1SCT\s0 is of an unsupported version (only v1 is currently supported), the
-validation status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_VERSION.\s0
+If the SCT is of an unsupported version (only v1 is currently supported), the
+validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION.
.PP
-If the \s-1SCT\s0's signature is incorrect, its timestamp is in the future (relative to
-the time in \s-1CT_POLICY_EVAL_CTX\s0), or if it is otherwise invalid, the validation
-status will be \s-1SCT_VALIDATION_STATUS_INVALID.\s0
+If the SCT's signature is incorrect, its timestamp is in the future (relative to
+the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation
+status will be SCT_VALIDATION_STATUS_INVALID.
.PP
-If all checks pass, the validation status will be \s-1SCT_VALIDATION_STATUS_VALID.\s0
-.SH "NOTES"
+If all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID.
+.SH NOTES
.IX Header "NOTES"
A return value of 0 from \fBSCT_LIST_validate()\fR should not be interpreted as a
-failure. At a minimum, only one valid \s-1SCT\s0 may provide sufficient confidence
+failure. At a minimum, only one valid SCT may provide sufficient confidence
that a certificate has been publicly logged.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSCT_validate()\fR returns a negative integer if an internal error occurs, 0 if the
-\&\s-1SCT\s0 fails validation, or 1 if the \s-1SCT\s0 passes validation.
+SCT fails validation, or 1 if the SCT passes validation.
.PP
\&\fBSCT_LIST_validate()\fR returns a negative integer if an internal error occurs, 0
if any of SCTs fails validation, or 1 if they all pass validation.
.PP
-\&\fBSCT_get_validation_status()\fR returns the validation status of the \s-1SCT.\s0
-If \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR have not been passed that \s-1SCT,\s0 the
-returned value will be \s-1SCT_VALIDATION_STATUS_NOT_SET.\s0
+\&\fBSCT_get_validation_status()\fR returns the validation status of the SCT.
+If \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR have not been passed that SCT, the
+returned value will be SCT_VALIDATION_STATUS_NOT_SET.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SHA256_Init.3 b/secure/lib/libcrypto/man/man3/SHA256_Init.3
index 98dd053ff6a1..aeec15518010 100644
--- a/secure/lib/libcrypto/man/man3/SHA256_Init.3
+++ b/secure/lib/libcrypto/man/man3/SHA256_Init.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SHA256_INIT 3ossl"
-.TH SHA256_INIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SHA256_INIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SHA1, SHA1_Init, SHA1_Update, SHA1_Final, SHA224, SHA224_Init, SHA224_Update,
SHA224_Final, SHA256, SHA256_Init, SHA256_Update, SHA256_Final, SHA384,
SHA384_Init, SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update,
SHA512_Final \- Secure Hash Algorithm
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/sha.h>
@@ -154,7 +78,7 @@ SHA512_Final \- Secure Hash Algorithm
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -178,70 +102,70 @@ see \fBopenssl_user_macros\fR\|(7):
\& int SHA512_Update(SHA512_CTX *c, const void *data, size_t len);
\& int SHA512_Final(unsigned char *md, SHA512_CTX *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page
-except for \s-1\fBSHA1\s0()\fR, \s-1\fBSHA224\s0()\fR, \s-1\fBSHA256\s0()\fR, \s-1\fBSHA384\s0()\fR and \s-1\fBSHA512\s0()\fR are deprecated.
+except for \fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR and \fBSHA512()\fR are deprecated.
Applications should instead use \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot function \fBEVP_Q_digest\fR\|(3).
-\&\s-1\fBSHA1\s0()\fR, \s-1\fBSHA224\s0()\fR, \s-1\fBSHA256\s0()\fR, \s-1\fBSHA384\s0()\fR, and \s-1\fBSHA256\s0()\fR
+\&\fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR, and \fBSHA256()\fR
can continue to be used. They can also be replaced by, e.g.,
.PP
.Vb 1
\& (EVP_Q_digest(d, n, md, NULL, NULL, "SHA256", NULL) ? md : NULL)
.Ve
.PP
-\&\s-1SHA\-1\s0 (Secure Hash Algorithm) is a cryptographic hash function with a
+SHA\-1 (Secure Hash Algorithm) is a cryptographic hash function with a
160 bit output.
.PP
-\&\s-1\fBSHA1\s0()\fR computes the \s-1SHA\-1\s0 message digest of the \fBn\fR
+\&\fBSHA1()\fR computes the SHA\-1 message digest of the \fBn\fR
bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
-\&\s-1SHA_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
-is placed in a static array. Note: setting \fBmd\fR to \s-1NULL\s0 is \fBnot thread safe\fR.
+SHA_DIGEST_LENGTH == 20 bytes of output). If \fBmd\fR is NULL, the digest
+is placed in a static array. Note: setting \fBmd\fR to NULL is \fBnot thread safe\fR.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
-\&\fBSHA1_Init()\fR initializes a \fB\s-1SHA_CTX\s0\fR structure.
+\&\fBSHA1_Init()\fR initializes a \fBSHA_CTX\fR structure.
.PP
\&\fBSHA1_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBSHA1_Final()\fR places the message digest in \fBmd\fR, which must have space
-for \s-1SHA_DIGEST_LENGTH\s0 == 20 bytes of output, and erases the \fB\s-1SHA_CTX\s0\fR.
+for SHA_DIGEST_LENGTH == 20 bytes of output, and erases the \fBSHA_CTX\fR.
.PP
-The \s-1SHA224, SHA256, SHA384\s0 and \s-1SHA512\s0 families of functions operate in the
-same way as for the \s-1SHA1\s0 functions. Note that \s-1SHA224\s0 and \s-1SHA256\s0 use a
-\&\fB\s-1SHA256_CTX\s0\fR object instead of \fB\s-1SHA_CTX\s0\fR. \s-1SHA384\s0 and \s-1SHA512\s0 use \fB\s-1SHA512_CTX\s0\fR.
-The buffer \fBmd\fR must have space for the output from the \s-1SHA\s0 variant being used
-(defined by \s-1SHA224_DIGEST_LENGTH, SHA256_DIGEST_LENGTH, SHA384_DIGEST_LENGTH\s0 and
-\&\s-1SHA512_DIGEST_LENGTH\s0). Also note that, as for the \s-1\fBSHA1\s0()\fR function above, the
-\&\s-1\fBSHA224\s0()\fR, \s-1\fBSHA256\s0()\fR, \s-1\fBSHA384\s0()\fR and \s-1\fBSHA512\s0()\fR functions are not thread safe if
-\&\fBmd\fR is \s-1NULL.\s0
+The SHA224, SHA256, SHA384 and SHA512 families of functions operate in the
+same way as for the SHA1 functions. Note that SHA224 and SHA256 use a
+\&\fBSHA256_CTX\fR object instead of \fBSHA_CTX\fR. SHA384 and SHA512 use \fBSHA512_CTX\fR.
+The buffer \fBmd\fR must have space for the output from the SHA variant being used
+(defined by SHA224_DIGEST_LENGTH, SHA256_DIGEST_LENGTH, SHA384_DIGEST_LENGTH and
+SHA512_DIGEST_LENGTH). Also note that, as for the \fBSHA1()\fR function above, the
+\&\fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR and \fBSHA512()\fR functions are not thread safe if
+\&\fBmd\fR is NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\s-1\fBSHA1\s0()\fR, \s-1\fBSHA224\s0()\fR, \s-1\fBSHA256\s0()\fR, \s-1\fBSHA384\s0()\fR and \s-1\fBSHA512\s0()\fR return a pointer to the hash
+\&\fBSHA1()\fR, \fBSHA224()\fR, \fBSHA256()\fR, \fBSHA384()\fR and \fBSHA512()\fR return a pointer to the hash
value.
.PP
-\&\fBSHA1_Init()\fR, \fBSHA1_Update()\fR and \fBSHA1_Final()\fR and equivalent \s-1SHA224, SHA256,
-SHA384\s0 and \s-1SHA512\s0 functions return 1 for success, 0 otherwise.
+\&\fBSHA1_Init()\fR, \fBSHA1_Update()\fR and \fBSHA1_Final()\fR and equivalent SHA224, SHA256,
+SHA384 and SHA512 functions return 1 for success, 0 otherwise.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS PUB 180\-4\s0 (Secure Hash
+US Federal Information Processing Standard FIPS PUB 180\-4 (Secure Hash
Standard),
-\&\s-1ANSI X9.30\s0
+ANSI X9.30
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_Q_digest\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of these functions except SHA*() were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3 b/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3
index 72749260e175..73b1e2c1d4d7 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_read_ASN1.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_READ_ASN1 3ossl"
-.TH SMIME_READ_ASN1 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SMIME_READ_ASN1 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SMIME_read_ASN1_ex, SMIME_read_ASN1
\&\- parse S/MIME message
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -149,49 +73,49 @@ SMIME_read_ASN1_ex, SMIME_read_ASN1
\& OSSL_LIB_CTX *libctx, const char *propq);
\& ASN1_VALUE *SMIME_read_ASN1(BIO *in, BIO **bcont, const ASN1_ITEM *it);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSMIME_read_ASN1_ex()\fR parses a message in S/MIME format.
.PP
-\&\fIin\fR is a \s-1BIO\s0 to read the message from.
-If the \fIflags\fR argument contains \fB\s-1CMS_BINARY\s0\fR then the input is assumed to be
+\&\fIin\fR is a BIO to read the message from.
+If the \fIflags\fR argument contains \fBCMS_BINARY\fR then the input is assumed to be
in binary format and is not translated to canonical form.
-If in addition \fB\s-1SMIME_ASCIICRLF\s0\fR is set then the binary input is assumed
-to be followed by \fB\s-1CR\s0\fR and \fB\s-1LF\s0\fR characters, else only by an \fB\s-1LF\s0\fR character.
+If in addition \fBSMIME_ASCIICRLF\fR is set then the binary input is assumed
+to be followed by \fBCR\fR and \fBLF\fR characters, else only by an \fBLF\fR character.
\&\fIx\fR can be used to optionally supply
-a previously created \fIit\fR \s-1ASN1_VALUE\s0 object (such as CMS_ContentInfo or \s-1PKCS7\s0),
-it can be set to \s-1NULL.\s0 Valid values that can be used by \s-1ASN.1\s0 structure \fIit\fR
-are ASN1_ITEM_rptr(\s-1PKCS7\s0) or ASN1_ITEM_rptr(CMS_ContentInfo). Any algorithm
-fetches that occur during the operation will use the \fB\s-1OSSL_LIB_CTX\s0\fR supplied in
+a previously created \fIit\fR ASN1_VALUE object (such as CMS_ContentInfo or PKCS7),
+it can be set to NULL. Valid values that can be used by ASN.1 structure \fIit\fR
+are ASN1_ITEM_rptr(PKCS7) or ASN1_ITEM_rptr(CMS_ContentInfo). Any algorithm
+fetches that occur during the operation will use the \fBOSSL_LIB_CTX\fR supplied in
the \fIlibctx\fR parameter, and use the property query string \fIpropq\fR See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for further details about algorithm fetching.
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for further details about algorithm fetching.
.PP
If cleartext signing is used then the content is saved in a memory bio which is
-written to \fI*bcont\fR, otherwise \fI*bcont\fR is set to \s-1NULL.\s0
+written to \fI*bcont\fR, otherwise \fI*bcont\fR is set to NULL.
.PP
-The parsed \s-1ASN1_VALUE\s0 structure is returned or \s-1NULL\s0 if an error occurred.
+The parsed ASN1_VALUE structure is returned or NULL if an error occurred.
.PP
\&\fBSMIME_read_ASN1()\fR is similar to \fBSMIME_read_ASN1_ex()\fR but sets the value of \fIx\fR
-to \s-1NULL\s0 and the value of \fIflags\fR to 0.
-.SH "NOTES"
+to NULL and the value of \fIflags\fR to 0.
+.SH NOTES
.IX Header "NOTES"
The higher level functions \fBSMIME_read_CMS_ex\fR\|(3) and
\&\fBSMIME_read_PKCS7_ex\fR\|(3) should be used instead of \fBSMIME_read_ASN1_ex()\fR.
.PP
-To support future functionality if \fIbcont\fR is not \s-1NULL\s0 \fI*bcont\fR should be
-initialized to \s-1NULL.\s0
-.SH "BUGS"
+To support future functionality if \fIbcont\fR is not NULL \fI*bcont\fR should be
+initialized to NULL.
+.SH BUGS
.IX Header "BUGS"
-The \s-1MIME\s0 parser used by \fBSMIME_read_ASN1_ex()\fR is somewhat primitive. While it will
+The MIME parser used by \fBSMIME_read_ASN1_ex()\fR is somewhat primitive. While it will
handle most S/MIME messages more complex compound formats may not work.
.PP
-The use of a memory \s-1BIO\s0 to hold the signed content limits the size of message
+The use of a memory BIO to hold the signed content limits the size of message
which can be processed due to memory restraints: a streaming single pass option
should be available.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSMIME_read_ASN1_ex()\fR and \fBSMIME_read_ASN1()\fR return a valid \fB\s-1ASN1_VALUE\s0\fR
-structure or \fB\s-1NULL\s0\fR if an error occurred. The error can be obtained from
+\&\fBSMIME_read_ASN1_ex()\fR and \fBSMIME_read_ASN1()\fR return a valid \fBASN1_VALUE\fR
+structure or \fBNULL\fR if an error occurred. The error can be obtained from
\&\fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -200,14 +124,14 @@ structure or \fB\s-1NULL\s0\fR if an error occurred. The error can be obtained f
\&\fBSMIME_read_PKCS7_ex\fR\|(3),
\&\fBSMIME_write_ASN1\fR\|(3),
\&\fBSMIME_write_ASN1_ex\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBSMIME_read_ASN1_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3
index d0779e4eb1da..9f240d75ad75 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_READ_CMS 3ossl"
-.TH SMIME_READ_CMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SMIME_READ_CMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SMIME_read_CMS_ex, SMIME_read_CMS \- parse S/MIME message
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
@@ -147,36 +71,36 @@ SMIME_read_CMS_ex, SMIME_read_CMS \- parse S/MIME message
\& CMS_ContentInfo **cms);
\& CMS_ContentInfo *SMIME_read_CMS(BIO *in, BIO **bcont);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSMIME_read_CMS()\fR parses a message in S/MIME format.
.PP
-\&\fBin\fR is a \s-1BIO\s0 to read the message from.
+\&\fBin\fR is a BIO to read the message from.
.PP
If cleartext signing is used then the content is saved in a memory bio which is
-written to \fB*bcont\fR, otherwise \fB*bcont\fR is set to \s-1NULL.\s0
+written to \fB*bcont\fR, otherwise \fB*bcont\fR is set to NULL.
.PP
-The parsed CMS_ContentInfo structure is returned or \s-1NULL\s0 if an
+The parsed CMS_ContentInfo structure is returned or NULL if an
error occurred.
.PP
\&\fBSMIME_read_CMS_ex()\fR is similar to \fBSMIME_read_CMS()\fR but optionally a previously
created \fIcms\fR CMS_ContentInfo object can be supplied as well as some \fIflags\fR.
To create a \fIcms\fR object use \fBCMS_ContentInfo_new_ex\fR\|(3).
-If the \fIflags\fR argument contains \fB\s-1CMS_BINARY\s0\fR then the input is assumed to be
+If the \fIflags\fR argument contains \fBCMS_BINARY\fR then the input is assumed to be
in binary format and is not translated to canonical form.
-If in addition \fB\s-1SMIME_ASCIICRLF\s0\fR is set then the binary input is assumed
-to be followed by \fB\s-1CR\s0\fR and \fB\s-1LF\s0\fR characters, else only by an \fB\s-1LF\s0\fR character.
-If \fIflags\fR is 0 and \fIcms\fR is \s-1NULL\s0 then it is identical to \fBSMIME_read_CMS()\fR.
-.SH "NOTES"
+If in addition \fBSMIME_ASCIICRLF\fR is set then the binary input is assumed
+to be followed by \fBCR\fR and \fBLF\fR characters, else only by an \fBLF\fR character.
+If \fIflags\fR is 0 and \fIcms\fR is NULL then it is identical to \fBSMIME_read_CMS()\fR.
+.SH NOTES
.IX Header "NOTES"
-If \fB*bcont\fR is not \s-1NULL\s0 then the message is clear text signed. \fB*bcont\fR can
-then be passed to \fBCMS_verify()\fR with the \fB\s-1CMS_DETACHED\s0\fR flag set.
+If \fB*bcont\fR is not NULL then the message is clear text signed. \fB*bcont\fR can
+then be passed to \fBCMS_verify()\fR with the \fBCMS_DETACHED\fR flag set.
.PP
Otherwise the type of the returned structure can be determined
using \fBCMS_get0_type()\fR.
.PP
-To support future functionality if \fBbcont\fR is not \s-1NULL\s0 \fB*bcont\fR should be
-initialized to \s-1NULL.\s0 For example:
+To support future functionality if \fBbcont\fR is not NULL \fB*bcont\fR should be
+initialized to NULL. For example:
.PP
.Vb 2
\& BIO *cont = NULL;
@@ -184,22 +108,22 @@ initialized to \s-1NULL.\s0 For example:
\&
\& cms = SMIME_read_CMS(in, &cont);
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The \s-1MIME\s0 parser used by \fBSMIME_read_CMS()\fR is somewhat primitive. While it will
+The MIME parser used by \fBSMIME_read_CMS()\fR is somewhat primitive. While it will
handle most S/MIME messages more complex compound formats may not work.
.PP
The parser assumes that the CMS_ContentInfo structure is always base64 encoded
and will not handle the case where it is in binary format or uses quoted
printable format.
.PP
-The use of a memory \s-1BIO\s0 to hold the signed content limits the size of message
+The use of a memory BIO to hold the signed content limits the size of message
which can be processed due to memory restraints: a streaming single pass option
should be available.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSMIME_read_CMS_ex()\fR and \fBSMIME_read_CMS()\fR return a valid \fBCMS_ContentInfo\fR
-structure or \fB\s-1NULL\s0\fR if an error occurred. The error can be obtained from
+structure or \fBNULL\fR if an error occurred. The error can be obtained from
\&\fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -208,14 +132,14 @@ structure or \fB\s-1NULL\s0\fR if an error occurred. The error can be obtained f
\&\fBCMS_verify\fR\|(3),
\&\fBCMS_encrypt\fR\|(3),
\&\fBCMS_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBSMIME_read_CMS_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3
index 69bbb52123ef..a0a597a4c47f 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_READ_PKCS7 3ossl"
-.TH SMIME_READ_PKCS7 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SMIME_READ_PKCS7 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SMIME_read_PKCS7_ex, SMIME_read_PKCS7 \- parse S/MIME message
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
@@ -146,34 +70,34 @@ SMIME_read_PKCS7_ex, SMIME_read_PKCS7 \- parse S/MIME message
\& PKCS7 *SMIME_read_PKCS7_ex(BIO *bio, BIO **bcont, PKCS7 **p7);
\& PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSMIME_read_PKCS7()\fR parses a message in S/MIME format.
.PP
-\&\fBin\fR is a \s-1BIO\s0 to read the message from.
+\&\fBin\fR is a BIO to read the message from.
.PP
If cleartext signing is used then the content is saved in
a memory bio which is written to \fB*bcont\fR, otherwise
-\&\fB*bcont\fR is set to \fB\s-1NULL\s0\fR.
+\&\fB*bcont\fR is set to \fBNULL\fR.
.PP
-The parsed PKCS#7 structure is returned or \fB\s-1NULL\s0\fR if an
+The parsed PKCS#7 structure is returned or \fBNULL\fR if an
error occurred.
.PP
\&\fBSMIME_read_PKCS7_ex()\fR is similar to \fBSMIME_read_PKCS7()\fR but can optionally supply
-a previously created \fIp7\fR PKCS#7 object. If \fIp7\fR is \s-1NULL\s0 then it is identical
+a previously created \fIp7\fR PKCS#7 object. If \fIp7\fR is NULL then it is identical
to \fBSMIME_read_PKCS7()\fR.
To create a \fIp7\fR object use \fBPKCS7_new_ex\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-If \fB*bcont\fR is not \fB\s-1NULL\s0\fR then the message is clear text
+If \fB*bcont\fR is not \fBNULL\fR then the message is clear text
signed. \fB*bcont\fR can then be passed to \fBPKCS7_verify()\fR with
-the \fB\s-1PKCS7_DETACHED\s0\fR flag set.
+the \fBPKCS7_DETACHED\fR flag set.
.PP
Otherwise the type of the returned structure can be determined
using \fBPKCS7_type_is_enveloped()\fR, etc.
.PP
-To support future functionality if \fBbcont\fR is not \fB\s-1NULL\s0\fR
-\&\fB*bcont\fR should be initialized to \fB\s-1NULL\s0\fR. For example:
+To support future functionality if \fBbcont\fR is not \fBNULL\fR
+\&\fB*bcont\fR should be initialized to \fBNULL\fR. For example:
.PP
.Vb 2
\& BIO *cont = NULL;
@@ -181,37 +105,37 @@ To support future functionality if \fBbcont\fR is not \fB\s-1NULL\s0\fR
\&
\& p7 = SMIME_read_PKCS7(in, &cont);
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The \s-1MIME\s0 parser used by \fBSMIME_read_PKCS7()\fR is somewhat primitive.
+The MIME parser used by \fBSMIME_read_PKCS7()\fR is somewhat primitive.
While it will handle most S/MIME messages more complex compound
formats may not work.
.PP
-The parser assumes that the \s-1PKCS7\s0 structure is always base64
+The parser assumes that the PKCS7 structure is always base64
encoded and will not handle the case where it is in binary format
or uses quoted printable format.
.PP
-The use of a memory \s-1BIO\s0 to hold the signed content limits the size
+The use of a memory BIO to hold the signed content limits the size
of message which can be processed due to memory restraints: a
streaming single pass option should be available.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSMIME_read_PKCS7_ex()\fR and \fBSMIME_read_PKCS7()\fR return a valid \fB\s-1PKCS7\s0\fR structure
-or \fB\s-1NULL\s0\fR if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
+\&\fBSMIME_read_PKCS7_ex()\fR and \fBSMIME_read_PKCS7()\fR return a valid \fBPKCS7\fR structure
+or \fBNULL\fR if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBSMIME_read_PKCS7\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_verify\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
\&\fBPKCS7_decrypt\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBSMIME_read_PKCS7_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3 b/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3
index e64854c9213b..ab1ac97643cc 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_write_ASN1.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_WRITE_ASN1 3ossl"
-.TH SMIME_WRITE_ASN1 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SMIME_WRITE_ASN1 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SMIME_write_ASN1_ex, SMIME_write_ASN1
\&\- convert structure to S/MIME format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
@@ -153,45 +77,45 @@ SMIME_write_ASN1_ex, SMIME_write_ASN1
\& ASN1_VALUE *val, BIO *data, int flags, int ctype_nid, int econt_nid,
\& STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSMIME_write_ASN1_ex()\fR adds the appropriate \s-1MIME\s0 headers to an object
+\&\fBSMIME_write_ASN1_ex()\fR adds the appropriate MIME headers to an object
structure to produce an S/MIME message.
.PP
-\&\fIout\fR is the \s-1BIO\s0 to write the data to. \fIvalue\fR is the appropriate \s-1ASN1_VALUE\s0
-structure (either CMS_ContentInfo or \s-1PKCS7\s0). If streaming is enabled then the
+\&\fIout\fR is the BIO to write the data to. \fIvalue\fR is the appropriate ASN1_VALUE
+structure (either CMS_ContentInfo or PKCS7). If streaming is enabled then the
content must be supplied via \fIdata\fR.
-\&\fIflags\fR is an optional set of flags. \fIctype_nid\fR is the \s-1NID\s0 of the content
-type, \fIecont_nid\fR is the \s-1NID\s0 of the embedded content type and \fImdalgs\fR is a
+\&\fIflags\fR is an optional set of flags. \fIctype_nid\fR is the NID of the content
+type, \fIecont_nid\fR is the NID of the embedded content type and \fImdalgs\fR is a
list of signed data digestAlgorithms. Valid values that can be used by the
-\&\s-1ASN.1\s0 structure \fIit\fR are ASN1_ITEM_rptr(\s-1PKCS7\s0) or ASN1_ITEM_rptr(CMS_ContentInfo).
+ASN.1 structure \fIit\fR are ASN1_ITEM_rptr(PKCS7) or ASN1_ITEM_rptr(CMS_ContentInfo).
The library context \fIlibctx\fR and the property query \fIpropq\fR are used when
retrieving algorithms from providers.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The higher level functions \fBSMIME_write_CMS\fR\|(3) and
\&\fBSMIME_write_PKCS7\fR\|(3) should be used instead of \fBSMIME_write_ASN1()\fR.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If \fB\s-1CMS_DETACHED\s0\fR is set then cleartext signing will be used, this option only
-makes sense for SignedData where \fB\s-1CMS_DETACHED\s0\fR is also set when the \fBsign()\fR
+If \fBCMS_DETACHED\fR is set then cleartext signing will be used, this option only
+makes sense for SignedData where \fBCMS_DETACHED\fR is also set when the \fBsign()\fR
method is called.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are added to
-the content, this only makes sense if \fB\s-1CMS_DETACHED\s0\fR is also set.
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are added to
+the content, this only makes sense if \fBCMS_DETACHED\fR is also set.
.PP
-If the \fB\s-1CMS_STREAM\s0\fR flag is set streaming is performed. This flag should only
-be set if \fB\s-1CMS_STREAM\s0\fR was also set in the previous call to a CMS_ContentInfo
-or \s-1PKCS7\s0 creation function.
+If the \fBCMS_STREAM\fR flag is set streaming is performed. This flag should only
+be set if \fBCMS_STREAM\fR was also set in the previous call to a CMS_ContentInfo
+or PKCS7 creation function.
.PP
-If cleartext signing is being used and \fB\s-1CMS_STREAM\s0\fR not set then the data must
+If cleartext signing is being used and \fBCMS_STREAM\fR not set then the data must
be read twice: once to compute the signature in sign method and once to output
the S/MIME message.
.PP
-If streaming is performed the content is output in \s-1BER\s0 format using indefinite
+If streaming is performed the content is output in BER format using indefinite
length constructed encoding except in the case of signed data with detached
-content where the content is absent and \s-1DER\s0 format is used.
+content where the content is absent and DER format is used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSMIME_write_ASN1_ex()\fR and \fBSMIME_write_ASN1()\fR return 1 for success or
@@ -201,11 +125,11 @@ content where the content is absent and \s-1DER\s0 format is used.
\&\fBERR_get_error\fR\|(3),
\&\fBSMIME_write_CMS\fR\|(3),
\&\fBSMIME_write_PKCS7\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3
index d7a2cb129254..7787f11146a7 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,116 +52,56 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_WRITE_CMS 3ossl"
-.TH SMIME_WRITE_CMS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SMIME_WRITE_CMS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SMIME_write_CMS \- convert CMS structure to S/MIME format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int SMIME_write_CMS(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSMIME_write_CMS()\fR adds the appropriate \s-1MIME\s0 headers to a \s-1CMS\s0
+\&\fBSMIME_write_CMS()\fR adds the appropriate MIME headers to a CMS
structure to produce an S/MIME message.
.PP
-\&\fBout\fR is the \s-1BIO\s0 to write the data to. \fBcms\fR is the appropriate
+\&\fBout\fR is the BIO to write the data to. \fBcms\fR is the appropriate
\&\fBCMS_ContentInfo\fR structure. If streaming is enabled then the content must be
supplied in the \fBdata\fR argument. \fBflags\fR is an optional set of flags.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If \fB\s-1CMS_DETACHED\s0\fR is set then cleartext signing will be used, this option only
-makes sense for SignedData where \fB\s-1CMS_DETACHED\s0\fR is also set when \fBCMS_sign()\fR is
+If \fBCMS_DETACHED\fR is set then cleartext signing will be used, this option only
+makes sense for SignedData where \fBCMS_DETACHED\fR is also set when \fBCMS_sign()\fR is
called.
.PP
-If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are added to
-the content, this only makes sense if \fB\s-1CMS_DETACHED\s0\fR is also set.
+If the \fBCMS_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR are added to
+the content, this only makes sense if \fBCMS_DETACHED\fR is also set.
.PP
-If the \fB\s-1CMS_STREAM\s0\fR flag is set streaming is performed. This flag should only
-be set if \fB\s-1CMS_STREAM\s0\fR was also set in the previous call to a CMS_ContentInfo
+If the \fBCMS_STREAM\fR flag is set streaming is performed. This flag should only
+be set if \fBCMS_STREAM\fR was also set in the previous call to a CMS_ContentInfo
creation function.
.PP
-If cleartext signing is being used and \fB\s-1CMS_STREAM\s0\fR not set then the data must
+If cleartext signing is being used and \fBCMS_STREAM\fR not set then the data must
be read twice: once to compute the signature in \fBCMS_sign()\fR and once to output
the S/MIME message.
.PP
-If streaming is performed the content is output in \s-1BER\s0 format using indefinite
+If streaming is performed the content is output in BER format using indefinite
length constructed encoding except in the case of signed data with detached
-content where the content is absent and \s-1DER\s0 format is used.
-.SH "BUGS"
+content where the content is absent and DER format is used.
+.SH BUGS
.IX Header "BUGS"
-\&\fBSMIME_write_CMS()\fR always base64 encodes \s-1CMS\s0 structures, there should be an
+\&\fBSMIME_write_CMS()\fR always base64 encodes CMS structures, there should be an
option to disable this.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -187,11 +111,11 @@ option to disable this.
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_verify\fR\|(3), \fBCMS_encrypt\fR\|(3)
\&\fBCMS_decrypt\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3
index 8e273d31f44d..76d047ca5367 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,115 +52,55 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_WRITE_PKCS7 3ossl"
-.TH SMIME_WRITE_PKCS7 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SMIME_WRITE_PKCS7 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SMIME_write_PKCS7 \- convert PKCS#7 structure to S/MIME format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int SMIME_write_PKCS7(BIO *out, PKCS7 *p7, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSMIME_write_PKCS7()\fR adds the appropriate \s-1MIME\s0 headers to a PKCS#7
+\&\fBSMIME_write_PKCS7()\fR adds the appropriate MIME headers to a PKCS#7
structure to produce an S/MIME message.
.PP
-\&\fBout\fR is the \s-1BIO\s0 to write the data to. \fBp7\fR is the appropriate \fB\s-1PKCS7\s0\fR
+\&\fBout\fR is the BIO to write the data to. \fBp7\fR is the appropriate \fBPKCS7\fR
structure. If streaming is enabled then the content must be supplied in the
\&\fBdata\fR argument. \fBflags\fR is an optional set of flags.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The following flags can be passed in the \fBflags\fR parameter.
.PP
-If \fB\s-1PKCS7_DETACHED\s0\fR is set then cleartext signing will be used,
-this option only makes sense for signedData where \fB\s-1PKCS7_DETACHED\s0\fR
+If \fBPKCS7_DETACHED\fR is set then cleartext signing will be used,
+this option only makes sense for signedData where \fBPKCS7_DETACHED\fR
is also set when \fBPKCS7_sign()\fR is also called.
.PP
-If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR
-are added to the content, this only makes sense if \fB\s-1PKCS7_DETACHED\s0\fR
+If the \fBPKCS7_TEXT\fR flag is set MIME headers for type \fBtext/plain\fR
+are added to the content, this only makes sense if \fBPKCS7_DETACHED\fR
is also set.
.PP
-If the \fB\s-1PKCS7_STREAM\s0\fR flag is set streaming is performed. This flag should
-only be set if \fB\s-1PKCS7_STREAM\s0\fR was also set in the previous call to
+If the \fBPKCS7_STREAM\fR flag is set streaming is performed. This flag should
+only be set if \fBPKCS7_STREAM\fR was also set in the previous call to
\&\fBPKCS7_sign()\fR or \fBPKCS7_encrypt()\fR.
.PP
-If cleartext signing is being used and \fB\s-1PKCS7_STREAM\s0\fR not set then
+If cleartext signing is being used and \fBPKCS7_STREAM\fR not set then
the data must be read twice: once to compute the signature in \fBPKCS7_sign()\fR
and once to output the S/MIME message.
.PP
-If streaming is performed the content is output in \s-1BER\s0 format using indefinite
+If streaming is performed the content is output in BER format using indefinite
length constructed encoding except in the case of signed data with detached
-content where the content is absent and \s-1DER\s0 format is used.
-.SH "BUGS"
+content where the content is absent and DER format is used.
+.SH BUGS
.IX Header "BUGS"
\&\fBSMIME_write_PKCS7()\fR always base64 encodes PKCS#7 structures, there
should be an option to disable this.
@@ -188,11 +112,11 @@ should be an option to disable this.
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_verify\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
\&\fBPKCS7_decrypt\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SRP_Calc_B.3 b/secure/lib/libcrypto/man/man3/SRP_Calc_B.3
index ebf3516b3f7f..7957273bc2bd 100644
--- a/secure/lib/libcrypto/man/man3/SRP_Calc_B.3
+++ b/secure/lib/libcrypto/man/man3/SRP_Calc_B.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SRP_CALC_B 3ossl"
-.TH SRP_CALC_B 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SRP_CALC_B 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SRP_Calc_server_key,
SRP_Calc_A,
SRP_Calc_B_ex,
@@ -148,14 +72,14 @@ SRP_Calc_x,
SRP_Calc_client_key_ex,
SRP_Calc_client_key
\&\- SRP authentication primitives
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/srp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 7
@@ -182,38 +106,38 @@ see \fBopenssl_user_macros\fR\|(7):
\& BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass);
\& BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. There are no
available replacement functions at this time.
.PP
-The \s-1SRP\s0 functions described on this page are used to calculate various
-parameters and keys used by \s-1SRP\s0 as defined in \s-1RFC2945.\s0 The server key and \fIB\fR
+The SRP functions described on this page are used to calculate various
+parameters and keys used by SRP as defined in RFC2945. The server key and \fIB\fR
and \fIu\fR parameters are used on the server side and are calculated via
\&\fBSRP_Calc_server_key()\fR, \fBSRP_Calc_B_ex()\fR, \fBSRP_Calc_B()\fR, \fBSRP_Calc_u_ex()\fR and
\&\fBSRP_Calc_u()\fR. The client key and \fBx\fR and \fBA\fR parameters are used on the
client side and are calculated via the functions \fBSRP_Calc_client_key_ex()\fR,
\&\fBSRP_Calc_client_key()\fR, \fBSRP_Calc_x_ex()\fR, \fBSRP_Calc_x()\fR and \fBSRP_Calc_A()\fR. See
-\&\s-1RFC2945\s0 for a detailed description of their usage and the meaning of the various
-\&\s-1BIGNUM\s0 parameters to these functions.
+RFC2945 for a detailed description of their usage and the meaning of the various
+BIGNUM parameters to these functions.
.PP
Most of these functions come in two forms. Those that take a \fIlibctx\fR and
\&\fIpropq\fR parameter, and those that don't. Any cryptogrpahic functions that
are fetched and used during the calculation use the provided \fIlibctx\fR and
-\&\fIpropq\fR. See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for more details. The variants
+\&\fIpropq\fR. See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for more details. The variants
that do not take a \fIlibctx\fR and \fIpropq\fR parameter use the default library
context and property query string. The \fBSRP_Calc_server_key()\fR and \fBSRP_Calc_A()\fR
functions do not have a form that takes \fIlibctx\fR or \fIpropq\fR parameters because
they do not need to fetch any cryptographic algorithms.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-All these functions return the calculated key or parameter, or \s-1NULL\s0 on error.
+All these functions return the calculated key or parameter, or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-srp\fR\|(1),
\&\fBSRP_VBASE_new\fR\|(3),
\&\fBSRP_user_pwd_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
SRP_Calc_B_ex, SRP_Calc_u_ex, SRP_Calc_client_key_ex and SRP_Calc_x_ex were
introduced in OpenSSL 3.0.
@@ -221,11 +145,11 @@ introduced in OpenSSL 3.0.
All of the other functions were added in OpenSSL 1.0.1.
.PP
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3 b/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3
index 3f467a6b9c3d..bdc2d38f1259 100644
--- a/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3
+++ b/secure/lib/libcrypto/man/man3/SRP_VBASE_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SRP_VBASE_NEW 3ossl"
-.TH SRP_VBASE_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SRP_VBASE_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SRP_VBASE_new,
SRP_VBASE_free,
SRP_VBASE_init,
@@ -144,14 +68,14 @@ SRP_VBASE_add0_user,
SRP_VBASE_get1_by_user,
SRP_VBASE_get_by_user
\&\- Functions to create and manage a stack of SRP user verifier information
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/srp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -164,22 +88,22 @@ see \fBopenssl_user_macros\fR\|(7):
\& SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
\& SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. There are no
available replacement functions at this time.
.PP
-The \fBSRP_VBASE_new()\fR function allocates a structure to store server side \s-1SRP\s0
+The \fBSRP_VBASE_new()\fR function allocates a structure to store server side SRP
verifier information.
-If \fBseed_key\fR is not \s-1NULL\s0 a copy is stored and used to generate dummy parameters
+If \fBseed_key\fR is not NULL a copy is stored and used to generate dummy parameters
for users that are not found by \fBSRP_VBASE_get1_by_user()\fR. This allows the server
to hide the fact that it doesn't have a verifier for a particular username,
-as described in section 2.5.1.3 'Unknown \s-1SRP\s0' of \s-1RFC 5054.\s0
-The seed string should contain random \s-1NUL\s0 terminated binary data (therefore
-the random data should not contain \s-1NUL\s0 bytes!).
+as described in section 2.5.1.3 'Unknown SRP' of RFC 5054.
+The seed string should contain random NUL terminated binary data (therefore
+the random data should not contain NUL bytes!).
.PP
The \fBSRP_VBASE_free()\fR function frees up the \fBvb\fR structure.
-If \fBvb\fR is \s-1NULL,\s0 nothing is done.
+If \fBvb\fR is NULL, nothing is done.
.PP
The \fBSRP_VBASE_init()\fR function parses the information in a verifier file and
populates the \fBvb\fR structure.
@@ -200,19 +124,19 @@ whose username matches \fBusername\fR. It replaces the deprecated
If no matching user is found but a seed_key and default gN parameters have been
set, dummy authentication information is generated from the seed_key, allowing
the server to hide the fact that it doesn't have a verifier for a particular
-username. When using \s-1SRP\s0 as a \s-1TLS\s0 authentication mechanism, this will cause
+username. When using SRP as a TLS authentication mechanism, this will cause
the handshake to proceed normally but the first client will be rejected with
-a \*(L"bad_record_mac\*(R" alert, as if the password was incorrect.
-If no matching user is found and the seed_key is not set, \s-1NULL\s0 is returned.
+a "bad_record_mac" alert, as if the password was incorrect.
+If no matching user is found and the seed_key is not set, NULL is returned.
Ownership of the returned pointer is released to the caller, it must be freed
with \fBSRP_user_pwd_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSRP_VBASE_init()\fR returns \fB\s-1SRP_NO_ERROR\s0\fR (0) on success and a positive value
+\&\fBSRP_VBASE_init()\fR returns \fBSRP_NO_ERROR\fR (0) on success and a positive value
on failure.
-The error codes are \fB\s-1SRP_ERR_OPEN_FILE\s0\fR if the file could not be opened,
-\&\fB\s-1SRP_ERR_VBASE_INCOMPLETE_FILE\s0\fR if the file could not be parsed,
-\&\fB\s-1SRP_ERR_MEMORY\s0\fR on memory allocation failure and \fB\s-1SRP_ERR_VBASE_BN_LIB\s0\fR
+The error codes are \fBSRP_ERR_OPEN_FILE\fR if the file could not be opened,
+\&\fBSRP_ERR_VBASE_INCOMPLETE_FILE\fR if the file could not be parsed,
+\&\fBSRP_ERR_MEMORY\fR on memory allocation failure and \fBSRP_ERR_VBASE_BN_LIB\fR
for invalid decoded parameter values.
.PP
\&\fBSRP_VBASE_add0_user()\fR returns 1 on success and 0 on failure.
@@ -222,18 +146,18 @@ for invalid decoded parameter values.
\&\fBSRP_create_verifier\fR\|(3),
\&\fBSRP_user_pwd_new\fR\|(3),
\&\fBSSL_CTX_set_srp_password\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSRP_VBASE_add0_user()\fR function was added in OpenSSL 3.0.
.PP
All other functions were added in OpenSSL 1.0.1.
.PP
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SRP_create_verifier.3 b/secure/lib/libcrypto/man/man3/SRP_create_verifier.3
index 1cd0888d1bfb..86eddab2c3ea 100644
--- a/secure/lib/libcrypto/man/man3/SRP_create_verifier.3
+++ b/secure/lib/libcrypto/man/man3/SRP_create_verifier.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SRP_CREATE_VERIFIER 3ossl"
-.TH SRP_CREATE_VERIFIER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SRP_CREATE_VERIFIER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SRP_create_verifier_ex,
SRP_create_verifier,
SRP_create_verifier_BN_ex,
@@ -144,14 +68,14 @@ SRP_create_verifier_BN,
SRP_check_known_gN_param,
SRP_get_default_gN
\&\- SRP authentication primitives
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/srp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 11
@@ -170,60 +94,60 @@ see \fBopenssl_user_macros\fR\|(7):
\& char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N);
\& SRP_gN *SRP_get_default_gN(const char *id);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. There are no
available replacement functions at this time.
.PP
-The \fBSRP_create_verifier_BN_ex()\fR function creates an \s-1SRP\s0 password verifier from
-the supplied parameters as defined in section 2.4 of \s-1RFC 5054\s0 using the library
+The \fBSRP_create_verifier_BN_ex()\fR function creates an SRP password verifier from
+the supplied parameters as defined in section 2.4 of RFC 5054 using the library
context \fIlibctx\fR and property query string \fIpropq\fR. Any cryptographic
algorithms that need to be fetched will use the \fIlibctx\fR and \fIpropq\fR. See
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7).
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
.PP
\&\fBSRP_create_verifier_BN()\fR is the same as \fBSRP_create_verifier_BN_ex()\fR except the
default library context and property query string is used.
.PP
-On successful exit \fI*verifier\fR will point to a newly allocated \s-1BIGNUM\s0 containing
+On successful exit \fI*verifier\fR will point to a newly allocated BIGNUM containing
the verifier and (if a salt was not provided) \fI*salt\fR will be populated with a
-newly allocated \s-1BIGNUM\s0 containing a random salt. If \fI*salt\fR is not \s-1NULL\s0 then
+newly allocated BIGNUM containing a random salt. If \fI*salt\fR is not NULL then
the provided salt is used instead.
The caller is responsible for freeing the allocated \fI*salt\fR and \fI*verifier\fR
-\&\s-1BIGNUMS\s0 (use \fBBN_free\fR\|(3)).
+BIGNUMS (use \fBBN_free\fR\|(3)).
.PP
The \fBSRP_create_verifier()\fR function is similar to \fBSRP_create_verifier_BN()\fR but
all numeric parameters are in a non-standard base64 encoding originally designed
for compatibility with libsrp. This is mainly present for historical compatibility
and its use is discouraged.
-It is possible to pass \s-1NULL\s0 as \fIN\fR and an \s-1SRP\s0 group id as \fIg\fR instead to
+It is possible to pass NULL as \fIN\fR and an SRP group id as \fIg\fR instead to
load the appropriate gN values (see \fBSRP_get_default_gN()\fR).
-If both \fIN\fR and \fIg\fR are \s-1NULL\s0 the 8192\-bit \s-1SRP\s0 group parameters are used.
+If both \fIN\fR and \fIg\fR are NULL the 8192\-bit SRP group parameters are used.
The caller is responsible for freeing the allocated \fI*salt\fR and \fI*verifier\fR
(use \fBOPENSSL_free\fR\|(3)).
.PP
The \fBSRP_check_known_gN_param()\fR function checks that \fIg\fR and \fIN\fR are valid
-\&\s-1SRP\s0 group parameters from \s-1RFC 5054\s0 appendix A.
+SRP group parameters from RFC 5054 appendix A.
.PP
-The \fBSRP_get_default_gN()\fR function returns the gN parameters for the \s-1RFC 5054\s0 \fIid\fR
-\&\s-1SRP\s0 group size.
-The known ids are \*(L"1024\*(R", \*(L"1536\*(R", \*(L"2048\*(R", \*(L"3072\*(R", \*(L"4096\*(R", \*(L"6144\*(R" and \*(L"8192\*(R".
+The \fBSRP_get_default_gN()\fR function returns the gN parameters for the RFC 5054 \fIid\fR
+SRP group size.
+The known ids are "1024", "1536", "2048", "3072", "4096", "6144" and "8192".
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSRP_create_verifier_BN_ex()\fR and \fBSRP_create_verifier_BN()\fR return 1 on success and
0 on failure.
.PP
-\&\fBSRP_create_verifier_ex()\fR and \fBSRP_create_verifier()\fR return \s-1NULL\s0 on failure and a
+\&\fBSRP_create_verifier_ex()\fR and \fBSRP_create_verifier()\fR return NULL on failure and a
non-NULL value on success:
-\&\*(L"*\*(R" if \fIN\fR is not \s-1NULL,\s0 the selected group id otherwise. This value should
+"*" if \fIN\fR is not NULL, the selected group id otherwise. This value should
not be freed.
.PP
\&\fBSRP_check_known_gN_param()\fR returns the text representation of the group id
-(i.e. the prime bit size) or \s-1NULL\s0 if the arguments are not valid \s-1SRP\s0 group parameters.
+(i.e. the prime bit size) or NULL if the arguments are not valid SRP group parameters.
This value should not be freed.
.PP
-\&\fBSRP_get_default_gN()\fR returns \s-1NULL\s0 if \fIid\fR is not a valid group size,
-or the 8192\-bit group parameters if \fIid\fR is \s-1NULL.\s0
-.SH "EXAMPLES"
+\&\fBSRP_get_default_gN()\fR returns NULL if \fIid\fR is not a valid group size,
+or the 8192\-bit group parameters if \fIid\fR is NULL.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Generate and store a 8192 bit password verifier (error handling
omitted for clarity):
@@ -255,17 +179,17 @@ omitted for clarity):
\&\fBopenssl\-srp\fR\|(1),
\&\fBSRP_VBASE_new\fR\|(3),
\&\fBSRP_user_pwd_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSRP_create_verifier_BN_ex()\fR and \fBSRP_create_verifier_ex()\fR were introduced in
OpenSSL 3.0. All other functions were added in OpenSSL 1.0.1.
.PP
All of these functions were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3 b/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3
index be454fcc771f..f89ec85dec94 100644
--- a/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3
+++ b/secure/lib/libcrypto/man/man3/SRP_user_pwd_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SRP_USER_PWD_NEW 3ossl"
-.TH SRP_USER_PWD_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SRP_USER_PWD_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SRP_user_pwd_new,
SRP_user_pwd_free,
SRP_user_pwd_set1_ids,
SRP_user_pwd_set_gN,
SRP_user_pwd_set0_sv
\&\- Functions to create a record of SRP user verifier information
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/srp.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
@@ -161,7 +85,7 @@ see \fBopenssl_user_macros\fR\|(7):
\& void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *N);
\& int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. There are no
available replacement functions at this time.
@@ -170,7 +94,7 @@ The \fBSRP_user_pwd_new()\fR function allocates a structure to store a user veri
record.
.PP
The \fBSRP_user_pwd_free()\fR function frees up the \fBuser_pwd\fR structure.
-If \fBuser_pwd\fR is \s-1NULL,\s0 nothing is done.
+If \fBuser_pwd\fR is NULL, nothing is done.
.PP
The \fBSRP_user_pwd_set1_ids()\fR function sets the username to \fBid\fR and the optional
user info to \fBinfo\fR for \fBuser_pwd\fR.
@@ -181,28 +105,28 @@ The \fBSRP_user_pwd_set0_sv()\fR function sets the user salt to \fBs\fR and the
to \fBv\fR for \fBuser_pwd\fR.
The library takes ownership of the values, they should not be freed by the caller.
.PP
-The \fBSRP_user_pwd_set_gN()\fR function sets the \s-1SRP\s0 group parameters for \fBuser_pwd\fR.
+The \fBSRP_user_pwd_set_gN()\fR function sets the SRP group parameters for \fBuser_pwd\fR.
The memory is not freed by \fBSRP_user_pwd_free()\fR, the caller must make sure it is
freed once it is no longer used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSRP_user_pwd_set1_ids()\fR returns 1 on success and 0 on failure or if \fBid\fR was \s-1NULL.\s0
+\&\fBSRP_user_pwd_set1_ids()\fR returns 1 on success and 0 on failure or if \fBid\fR was NULL.
.PP
-\&\fBSRP_user_pwd_set0_sv()\fR returns 1 if both \fBs\fR and \fBv\fR are not \s-1NULL, 0\s0 otherwise.
+\&\fBSRP_user_pwd_set0_sv()\fR returns 1 if both \fBs\fR and \fBv\fR are not NULL, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-srp\fR\|(1),
\&\fBSRP_create_verifier\fR\|(3),
\&\fBSRP_VBASE_new\fR\|(3),
\&\fBSSL_CTX_set_srp_password\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were made public in OpenSSL 3.0 and are deprecated.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3
index f3f4c66837c9..61502d52eca3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CIPHER_GET_NAME 3ossl"
-.TH SSL_CIPHER_GET_NAME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CIPHER_GET_NAME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CIPHER_get_name,
SSL_CIPHER_standard_name,
OPENSSL_cipher_name,
@@ -153,7 +77,7 @@ SSL_CIPHER_find,
SSL_CIPHER_get_id,
SSL_CIPHER_get_protocol_id
\&\- get SSL_CIPHER properties
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -174,42 +98,42 @@ SSL_CIPHER_get_protocol_id
\& uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
\& uint32_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CIPHER_get_name()\fR returns a pointer to the name of \fBcipher\fR. If the
-\&\fBcipher\fR is \s-1NULL,\s0 it returns \*(L"(\s-1NONE\s0)\*(R".
+\&\fBcipher\fR is NULL, it returns "(NONE)".
.PP
-\&\fBSSL_CIPHER_standard_name()\fR returns a pointer to the standard \s-1RFC\s0 name of
-\&\fBcipher\fR. If the \fBcipher\fR is \s-1NULL,\s0 it returns \*(L"(\s-1NONE\s0)\*(R". If the \fBcipher\fR
-has no standard name, it returns \fB\s-1NULL\s0\fR. If \fBcipher\fR was defined in both
-SSLv3 and \s-1TLS,\s0 it returns the \s-1TLS\s0 name.
+\&\fBSSL_CIPHER_standard_name()\fR returns a pointer to the standard RFC name of
+\&\fBcipher\fR. If the \fBcipher\fR is NULL, it returns "(NONE)". If the \fBcipher\fR
+has no standard name, it returns \fBNULL\fR. If \fBcipher\fR was defined in both
+SSLv3 and TLS, it returns the TLS name.
.PP
\&\fBOPENSSL_cipher_name()\fR returns a pointer to the OpenSSL name of \fBstdname\fR.
-If the \fBstdname\fR is \s-1NULL,\s0 or \fBstdname\fR has no corresponding OpenSSL name,
-it returns \*(L"(\s-1NONE\s0)\*(R". Where both exist, \fBstdname\fR should be the \s-1TLS\s0 name rather
+If the \fBstdname\fR is NULL, or \fBstdname\fR has no corresponding OpenSSL name,
+it returns "(NONE)". Where both exist, \fBstdname\fR should be the TLS name rather
than the SSLv3 name.
.PP
\&\fBSSL_CIPHER_get_bits()\fR returns the number of secret bits used for \fBcipher\fR.
-If \fBcipher\fR is \s-1NULL, 0\s0 is returned.
+If \fBcipher\fR is NULL, 0 is returned.
.PP
-\&\fBSSL_CIPHER_get_version()\fR returns string which indicates the \s-1SSL/TLS\s0 protocol
-version that first defined the cipher. It returns \*(L"(\s-1NONE\s0)\*(R" if \fBcipher\fR is \s-1NULL.\s0
+\&\fBSSL_CIPHER_get_version()\fR returns string which indicates the SSL/TLS protocol
+version that first defined the cipher. It returns "(NONE)" if \fBcipher\fR is NULL.
.PP
-\&\fBSSL_CIPHER_get_cipher_nid()\fR returns the cipher \s-1NID\s0 corresponding to \fBc\fR.
+\&\fBSSL_CIPHER_get_cipher_nid()\fR returns the cipher NID corresponding to \fBc\fR.
If there is no cipher (e.g. for cipher suites with no encryption) then
\&\fBNID_undef\fR is returned.
.PP
-\&\fBSSL_CIPHER_get_digest_nid()\fR returns the digest \s-1NID\s0 corresponding to the \s-1MAC\s0
+\&\fBSSL_CIPHER_get_digest_nid()\fR returns the digest NID corresponding to the MAC
used by \fBc\fR during record encryption/decryption. If there is no digest (e.g.
-for \s-1AEAD\s0 cipher suites) then \fBNID_undef\fR is returned.
+for AEAD cipher suites) then \fBNID_undef\fR is returned.
.PP
-\&\fBSSL_CIPHER_get_handshake_digest()\fR returns an \s-1EVP_MD\s0 for the digest used during
-the \s-1SSL/TLS\s0 handshake when using the \s-1SSL_CIPHER\s0 \fBc\fR. Note that this may be
-different to the digest used to calculate the \s-1MAC\s0 for encrypted records.
+\&\fBSSL_CIPHER_get_handshake_digest()\fR returns an EVP_MD for the digest used during
+the SSL/TLS handshake when using the SSL_CIPHER \fBc\fR. Note that this may be
+different to the digest used to calculate the MAC for encrypted records.
.PP
-\&\fBSSL_CIPHER_get_kx_nid()\fR returns the key exchange \s-1NID\s0 corresponding to the method
+\&\fBSSL_CIPHER_get_kx_nid()\fR returns the key exchange NID corresponding to the method
used by \fBc\fR. If there is no key exchange, then \fBNID_undef\fR is returned.
-If any appropriate key exchange algorithm can be used (as in the case of \s-1TLS 1.3\s0
+If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
cipher suites) \fBNID_kx_any\fR is returned. Examples (not comprehensive):
.PP
.Vb 4
@@ -219,10 +143,10 @@ cipher suites) \fBNID_kx_any\fR is returned. Examples (not comprehensive):
\& NID_kx_psk
.Ve
.PP
-\&\fBSSL_CIPHER_get_auth_nid()\fR returns the authentication \s-1NID\s0 corresponding to the method
+\&\fBSSL_CIPHER_get_auth_nid()\fR returns the authentication NID corresponding to the method
used by \fBc\fR. If there is no authentication, then \fBNID_undef\fR is returned.
If any appropriate authentication algorithm can be used (as in the case of
-\&\s-1TLS 1.3\s0 cipher suites) \fBNID_auth_any\fR is returned. Examples (not comprehensive):
+TLS 1.3 cipher suites) \fBNID_auth_any\fR is returned. Examples (not comprehensive):
.PP
.Vb 3
\& NID_auth_rsa
@@ -230,31 +154,31 @@ If any appropriate authentication algorithm can be used (as in the case of
\& NID_auth_psk
.Ve
.PP
-\&\fBSSL_CIPHER_is_aead()\fR returns 1 if the cipher \fBc\fR is \s-1AEAD\s0 (e.g. \s-1GCM\s0 or
-ChaCha20/Poly1305), and 0 if it is not \s-1AEAD.\s0
+\&\fBSSL_CIPHER_is_aead()\fR returns 1 if the cipher \fBc\fR is AEAD (e.g. GCM or
+ChaCha20/Poly1305), and 0 if it is not AEAD.
.PP
-\&\fBSSL_CIPHER_find()\fR returns a \fB\s-1SSL_CIPHER\s0\fR structure which has the cipher \s-1ID\s0 stored
+\&\fBSSL_CIPHER_find()\fR returns a \fBSSL_CIPHER\fR structure which has the cipher ID stored
in \fBptr\fR. The \fBptr\fR parameter is a two element array of \fBchar\fR, which stores the
-two-byte \s-1TLS\s0 cipher \s-1ID\s0 (as allocated by \s-1IANA\s0) in network byte order. This parameter
-is usually retrieved from a \s-1TLS\s0 packet by using functions like
-\&\fBSSL_client_hello_get0_ciphers\fR\|(3). \fBSSL_CIPHER_find()\fR returns \s-1NULL\s0 if an
+two-byte TLS cipher ID (as allocated by IANA) in network byte order. This parameter
+is usually retrieved from a TLS packet by using functions like
+\&\fBSSL_client_hello_get0_ciphers\fR\|(3). \fBSSL_CIPHER_find()\fR returns NULL if an
error occurs or the indicated cipher is not found.
.PP
-\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL-specific \s-1ID\s0 of the given cipher \fBc\fR. That \s-1ID\s0 is
-not the same as the IANA-specific \s-1ID.\s0
+\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL-specific ID of the given cipher \fBc\fR. That ID is
+not the same as the IANA-specific ID.
.PP
-\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two-byte \s-1ID\s0 used in the \s-1TLS\s0 protocol of the given
+\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two-byte ID used in the TLS protocol of the given
cipher \fBc\fR.
.PP
\&\fBSSL_CIPHER_description()\fR returns a textual description of the cipher used
into the buffer \fBbuf\fR of length \fBlen\fR provided. If \fBbuf\fR is provided, it
-must be at least 128 bytes, otherwise a buffer will be allocated using
+must be at least 128 bytes. If \fBbuf\fR is NULL it will be allocated using
\&\fBOPENSSL_malloc()\fR. If the provided buffer is too small, or the allocation fails,
-\&\fB\s-1NULL\s0\fR is returned.
+\&\fBNULL\fR is returned.
.PP
The string returned by \fBSSL_CIPHER_description()\fR consists of several fields
separated by whitespace:
-.IP "<ciphername>" 4
+.IP <ciphername> 4
.IX Item "<ciphername>"
Textual representation of the cipher name.
.IP "<protocol version>" 4
@@ -265,17 +189,17 @@ ciphersuite was first defined because some ciphersuites are backwards compatible
with earlier protocol versions.
.IP "Kx=<key exchange>" 4
.IX Item "Kx=<key exchange>"
-Key exchange method such as \fB\s-1RSA\s0\fR, \fB\s-1ECDHE\s0\fR, etc.
-.IP "Au=<authentication>" 4
+Key exchange method such as \fBRSA\fR, \fBECDHE\fR, etc.
+.IP Au=<authentication> 4
.IX Item "Au=<authentication>"
-Authentication method such as \fB\s-1RSA\s0\fR, \fBNone\fR, etc.. None is the
+Authentication method such as \fBRSA\fR, \fBNone\fR, etc.. None is the
representation of anonymous ciphers.
.IP "Enc=<symmetric encryption method>" 4
.IX Item "Enc=<symmetric encryption method>"
-Encryption method, with number of secret bits, such as \fB\s-1AESGCM\s0(128)\fR.
+Encryption method, with number of secret bits, such as \fBAESGCM(128)\fR.
.IP "Mac=<message authentication code>" 4
.IX Item "Mac=<message authentication code>"
-Message digest, such as \fB\s-1SHA256\s0\fR.
+Message digest, such as \fBSHA256\fR.
.PP
Some examples for the output of \fBSSL_CIPHER_description()\fR:
.PP
@@ -287,38 +211,38 @@ Some examples for the output of \fBSSL_CIPHER_description()\fR:
.IX Header "RETURN VALUES"
\&\fBSSL_CIPHER_get_name()\fR, \fBSSL_CIPHER_standard_name()\fR, \fBOPENSSL_cipher_name()\fR,
\&\fBSSL_CIPHER_get_version()\fR and \fBSSL_CIPHER_description()\fR return the corresponding
-value in a NUL-terminated string for a specific cipher or \*(L"(\s-1NONE\s0)\*(R"
+value in a NUL-terminated string for a specific cipher or "(NONE)"
if the cipher is not found.
.PP
\&\fBSSL_CIPHER_get_bits()\fR returns a positive integer representing the number of
secret bits or 0 if an error occurred.
.PP
\&\fBSSL_CIPHER_get_cipher_nid()\fR, \fBSSL_CIPHER_get_digest_nid()\fR,
-\&\fBSSL_CIPHER_get_kx_nid()\fR and \fBSSL_CIPHER_get_auth_nid()\fR return the \s-1NID\s0 value or
+\&\fBSSL_CIPHER_get_kx_nid()\fR and \fBSSL_CIPHER_get_auth_nid()\fR return the NID value or
\&\fBNID_undef\fR if an error occurred.
.PP
-\&\fBSSL_CIPHER_get_handshake_digest()\fR returns a valid \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0
+\&\fBSSL_CIPHER_get_handshake_digest()\fR returns a valid \fBEVP_MD\fR structure or NULL
if an error occurred.
.PP
-\&\fBSSL_CIPHER_is_aead()\fR returns 1 if the cipher is \s-1AEAD\s0 or 0 otherwise.
+\&\fBSSL_CIPHER_is_aead()\fR returns 1 if the cipher is AEAD or 0 otherwise.
.PP
-\&\fBSSL_CIPHER_find()\fR returns a valid \fB\s-1SSL_CIPHER\s0\fR structure or \s-1NULL\s0 if an error
+\&\fBSSL_CIPHER_find()\fR returns a valid \fBSSL_CIPHER\fR structure or NULL if an error
occurred.
.PP
-\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL-specific \s-1ID.\s0
+\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL-specific ID.
.PP
-\&\fBSSL_CIPHER_get_protocol_id()\fR returns a 2\-byte integer representing the \s-1TLS\s0
-protocol-specific \s-1ID.\s0
+\&\fBSSL_CIPHER_get_protocol_id()\fR returns a 2\-byte integer representing the TLS
+protocol-specific ID.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_current_cipher\fR\|(3),
\&\fBSSL_get_ciphers\fR\|(3), \fBopenssl\-ciphers\fR\|(1)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CIPHER_get_version()\fR function was updated to always return the
correct protocol string in OpenSSL 1.1.0.
.PP
-The \fBSSL_CIPHER_description()\fR function was changed to return \fB\s-1NULL\s0\fR on error,
+The \fBSSL_CIPHER_description()\fR function was changed to return \fBNULL\fR on error,
rather than a fixed string, in OpenSSL 1.1.0.
.PP
The \fBSSL_CIPHER_get_handshake_digest()\fR function was added in OpenSSL 1.1.1.
@@ -328,11 +252,11 @@ The \fBSSL_CIPHER_standard_name()\fR function was globally available in OpenSSL
required to enable this function.
.PP
The \fBOPENSSL_cipher_name()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3
index 9648892a1d6c..0829eadeff42 100644
--- a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3
+++ b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_COMP_ADD_COMPRESSION_METHOD 3ossl"
-.TH SSL_COMP_ADD_COMPRESSION_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_COMP_ADD_COMPRESSION_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_COMP_add_compression_method, SSL_COMP_get_compression_methods,
SSL_COMP_get0_name, SSL_COMP_get_id, SSL_COMP_free_compression_methods
\&\- handle SSL/TLS integrated compression methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -152,21 +76,21 @@ SSL_COMP_get0_name, SSL_COMP_get_id, SSL_COMP_free_compression_methods
.Ve
.PP
The following function has been deprecated since OpenSSL 1.1.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& void SSL_COMP_free_compression_methods(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_COMP_add_compression_method()\fR adds the compression method \fBcm\fR with
the identifier \fBid\fR to the list of available compression methods. This
-list is globally maintained for all \s-1SSL\s0 operations within this application.
-It cannot be set for specific \s-1SSL_CTX\s0 or \s-1SSL\s0 objects.
+list is globally maintained for all SSL operations within this application.
+It cannot be set for specific SSL_CTX or SSL objects.
.PP
\&\fBSSL_COMP_get_compression_methods()\fR returns a stack of all of the available
-compression methods or \s-1NULL\s0 on error.
+compression methods or NULL on error.
.PP
\&\fBSSL_COMP_get0_name()\fR returns the name of the compression method \fBcomp\fR.
.PP
@@ -174,10 +98,10 @@ compression methods or \s-1NULL\s0 on error.
.PP
\&\fBSSL_COMP_free_compression_methods()\fR releases any resources acquired to
maintain the internal table of compression methods.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \s-1TLS\s0 standard (or SSLv3) allows the integration of compression methods
-into the communication. The \s-1TLS RFC\s0 does however not specify compression
+The TLS standard (or SSLv3) allows the integration of compression methods
+into the communication. The TLS RFC does however not specify compression
methods or their corresponding identifiers, so there is currently no compatible
way to integrate compression with unknown peers. It is therefore currently not
recommended to integrate compression into applications. Applications for
@@ -196,34 +120,46 @@ when a matching identifier is found. There is no way to restrict the list
of compression methods supported on a per connection basis.
.PP
If enabled during compilation, the OpenSSL library will have the
-\&\fBCOMP_zlib()\fR compression method available.
+following compression methods available:
+.IP \fBCOMP_zlib()\fR 4
+.IX Item "COMP_zlib()"
+.PD 0
+.IP \fBCOMP_brotli()\fR 4
+.IX Item "COMP_brotli()"
+.IP \fBCOMP_brotli_oneshot()\fR 4
+.IX Item "COMP_brotli_oneshot()"
+.IP \fBCOMP_zstd()\fR 4
+.IX Item "COMP_zstd()"
+.IP \fBCOMP_zstd_oneshot()\fR 4
+.IX Item "COMP_zstd_oneshot()"
+.PD
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_COMP_add_compression_method()\fR may return the following values:
-.IP "0" 4
+.IP 0 4
The operation succeeded.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation failed. Check the error queue to find out the reason.
.PP
\&\fBSSL_COMP_get_compression_methods()\fR returns the stack of compressions methods or
-\&\s-1NULL\s0 on error.
+NULL on error.
.PP
-\&\fBSSL_COMP_get0_name()\fR returns the name of the compression method or \s-1NULL\s0 on error.
+\&\fBSSL_COMP_get0_name()\fR returns the name of the compression method or NULL on error.
.PP
\&\fBSSL_COMP_get_id()\fR returns the name of the compression method or \-1 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_COMP_free_compression_methods()\fR function was deprecated in OpenSSL 1.1.0.
The \fBSSL_COMP_get0_name()\fR and \fBSSL_comp_get_id()\fR functions were added in OpenSSL 1.1.0d.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3
index dbe39aa22b4e..e589c47c6ee5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_NEW 3ossl"
-.TH SSL_CONF_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONF_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CONF_CTX_new, SSL_CONF_CTX_free \- SSL configuration allocation functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,17 +70,17 @@ SSL_CONF_CTX_new, SSL_CONF_CTX_free \- SSL configuration allocation functions
\& SSL_CONF_CTX *SSL_CONF_CTX_new(void);
\& void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The function \fBSSL_CONF_CTX_new()\fR allocates and initialises an \fB\s-1SSL_CONF_CTX\s0\fR
-structure for use with the \s-1SSL_CONF\s0 functions.
+The function \fBSSL_CONF_CTX_new()\fR allocates and initialises an \fBSSL_CONF_CTX\fR
+structure for use with the SSL_CONF functions.
.PP
The function \fBSSL_CONF_CTX_free()\fR frees up the context \fBcctx\fR.
-If \fBcctx\fR is \s-1NULL\s0 nothing is done.
+If \fBcctx\fR is NULL nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_CONF_CTX_new()\fR returns either the newly allocated \fB\s-1SSL_CONF_CTX\s0\fR structure
-or \fB\s-1NULL\s0\fR if an error occurs.
+\&\fBSSL_CONF_CTX_new()\fR returns either the newly allocated \fBSSL_CONF_CTX\fR structure
+or \fBNULL\fR if an error occurs.
.PP
\&\fBSSL_CONF_CTX_free()\fR does not return a value.
.SH "SEE ALSO"
@@ -167,14 +91,14 @@ or \fB\s-1NULL\s0\fR if an error occurs.
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3
index cb0edee1f821..3da0db493145 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,100 +52,40 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_SET1_PREFIX 3ossl"
-.TH SSL_CONF_CTX_SET1_PREFIX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONF_CTX_SET1_PREFIX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CONF_CTX_set1_prefix \- Set configuration context command prefix
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& unsigned int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *prefix);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_CTX_set1_prefix()\fR sets the command prefix of \fBcctx\fR
-to \fBprefix\fR. If \fBprefix\fR is \fB\s-1NULL\s0\fR it is restored to the default value.
-.SH "NOTES"
+to \fBprefix\fR. If \fBprefix\fR is \fBNULL\fR it is restored to the default value.
+.SH NOTES
.IX Header "NOTES"
Command prefixes alter the commands recognised by subsequent \fBSSL_CONF_cmd()\fR
-calls. For example for files, if the prefix \*(L"\s-1SSL\*(R"\s0 is set then command names
-such as \*(L"SSLProtocol\*(R", \*(L"SSLOptions\*(R" etc. are recognised instead of \*(L"Protocol\*(R"
-and \*(L"Options\*(R". Similarly for command lines if the prefix is \*(L"\-\-ssl\-\*(R" then
-\&\*(L"\-\-ssl\-no_tls1_2\*(R" is recognised instead of \*(L"\-no_tls1_2\*(R".
+calls. For example for files, if the prefix "SSL" is set then command names
+such as "SSLProtocol", "SSLOptions" etc. are recognised instead of "Protocol"
+and "Options". Similarly for command lines if the prefix is "\-\-ssl\-" then
+"\-\-ssl\-no_tls1_2" is recognised instead of "\-no_tls1_2".
.PP
-If the \fB\s-1SSL_CONF_FLAG_CMDLINE\s0\fR flag is set then prefix checks are case
-sensitive and \*(L"\-\*(R" is the default. In the unlikely even an application
+If the \fBSSL_CONF_FLAG_CMDLINE\fR flag is set then prefix checks are case
+sensitive and "\-" is the default. In the unlikely even an application
explicitly wants to set no prefix it must be explicitly set to "".
.PP
-If the \fB\s-1SSL_CONF_FLAG_FILE\s0\fR flag is set then prefix checks are case
+If the \fBSSL_CONF_FLAG_FILE\fR flag is set then prefix checks are case
insensitive and no prefix is the default.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -174,14 +98,14 @@ insensitive and no prefix is the default.
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3
index 704a736b1f5b..4d34c8c30dbe 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_SET_FLAGS 3ossl"
-.TH SSL_CONF_CTX_SET_FLAGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONF_CTX_SET_FLAGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags \- Set or clear SSL configuration context flags
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,35 +70,35 @@ SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags \- Set or clear SSL configurati
\& unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags);
\& unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_CTX_set_flags()\fR sets \fBflags\fR in the context \fBcctx\fR.
.PP
The function \fBSSL_CONF_CTX_clear_flags()\fR clears \fBflags\fR in the context \fBcctx\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The flags set affect how subsequent calls to \fBSSL_CONF_cmd()\fR or
\&\fBSSL_CONF_argv()\fR behave.
.PP
Currently the following \fBflags\fR values are recognised:
-.IP "\s-1SSL_CONF_FLAG_CMDLINE, SSL_CONF_FLAG_FILE\s0" 4
+.IP "SSL_CONF_FLAG_CMDLINE, SSL_CONF_FLAG_FILE" 4
.IX Item "SSL_CONF_FLAG_CMDLINE, SSL_CONF_FLAG_FILE"
recognise options intended for command line or configuration file use. At
least one of these flags must be set.
-.IP "\s-1SSL_CONF_FLAG_CLIENT, SSL_CONF_FLAG_SERVER\s0" 4
+.IP "SSL_CONF_FLAG_CLIENT, SSL_CONF_FLAG_SERVER" 4
.IX Item "SSL_CONF_FLAG_CLIENT, SSL_CONF_FLAG_SERVER"
-recognise options intended for use in \s-1SSL/TLS\s0 clients or servers. One or
+recognise options intended for use in SSL/TLS clients or servers. One or
both of these flags must be set.
-.IP "\s-1SSL_CONF_FLAG_CERTIFICATE\s0" 4
+.IP SSL_CONF_FLAG_CERTIFICATE 4
.IX Item "SSL_CONF_FLAG_CERTIFICATE"
recognise certificate and private key options.
-.IP "\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0" 4
+.IP SSL_CONF_FLAG_REQUIRE_PRIVATE 4
.IX Item "SSL_CONF_FLAG_REQUIRE_PRIVATE"
If this option is set then if a private key is not specified for a certificate
it will attempt to load a private key from the certificate file when
\&\fBSSL_CONF_CTX_finish()\fR is called. If a key cannot be loaded from the certificate
file an error occurs.
-.IP "\s-1SSL_CONF_FLAG_SHOW_ERRORS\s0" 4
+.IP SSL_CONF_FLAG_SHOW_ERRORS 4
.IX Item "SSL_CONF_FLAG_SHOW_ERRORS"
indicate errors relating to unrecognised options or missing arguments in
the error queue. If this option isn't set such errors are only reflected
@@ -191,14 +115,14 @@ value after setting or clearing flags.
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3
index 16148ecdce78..6f00c6073e93 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,102 +52,50 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_SET_SSL_CTX 3ossl"
-.TH SSL_CONF_CTX_SET_SSL_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONF_CTX_SET_SSL_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
+SSL_CONF_CTX_finish,
SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl \- set context to configure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
\& void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
+\& int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CONF_CTX_set_ssl_ctx()\fR sets the context associated with \fBcctx\fR to the
-\&\fB\s-1SSL_CTX\s0\fR structure \fBctx\fR. Any previous \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR associated with
+\&\fBSSL_CTX\fR structure \fBctx\fR. Any previous \fBSSL\fR or \fBSSL_CTX\fR associated with
\&\fBcctx\fR is cleared. Subsequent calls to \fBSSL_CONF_cmd()\fR will be sent to
\&\fBctx\fR.
.PP
\&\fBSSL_CONF_CTX_set_ssl()\fR sets the context associated with \fBcctx\fR to the
-\&\fB\s-1SSL\s0\fR structure \fBssl\fR. Any previous \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR associated with
+\&\fBSSL\fR structure \fBssl\fR. Any previous \fBSSL\fR or \fBSSL_CTX\fR associated with
\&\fBcctx\fR is cleared. Subsequent calls to \fBSSL_CONF_cmd()\fR will be sent to
\&\fBssl\fR.
-.SH "NOTES"
+.PP
+The function \fBSSL_CONF_CTX_finish()\fR must be called after all configuration
+operations have been completed. It is used to finalise any operations
+or to process defaults.
+.SH NOTES
.IX Header "NOTES"
-The context need not be set or it can be set to \fB\s-1NULL\s0\fR in which case only
+The context need not be set or it can be set to \fBNULL\fR in which case only
syntax checking of commands is performed, where possible.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_CTX_set_ssl_ctx()\fR and \fBSSL_CTX_set_ssl()\fR do not return a value.
+.PP
+\&\fBSSL_CONF_CTX_finish()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
@@ -172,14 +104,14 @@ syntax checking of commands is performed, where possible.
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
index 1624309e7b42..527aa9d88dc8 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CMD 3ossl"
-.TH SSL_CONF_CMD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONF_CMD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CONF_cmd_value_type,
SSL_CONF_cmd \- send configuration command
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,77 +71,85 @@ SSL_CONF_cmd \- send configuration command
\& int SSL_CONF_cmd(SSL_CONF_CTX *ctx, const char *option, const char *value);
\& int SSL_CONF_cmd_value_type(SSL_CONF_CTX *ctx, const char *option);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_cmd()\fR performs configuration operation \fBoption\fR with
optional parameter \fBvalue\fR on \fBctx\fR. Its purpose is to simplify application
-configuration of \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structures by providing a common
+configuration of \fBSSL_CTX\fR or \fBSSL\fR structures by providing a common
framework for command line options or configuration files.
.PP
\&\fBSSL_CONF_cmd_value_type()\fR returns the type of value that \fBoption\fR refers to.
.SH "SUPPORTED COMMAND LINE COMMANDS"
.IX Header "SUPPORTED COMMAND LINE COMMANDS"
Currently supported \fBoption\fR names for command lines (i.e. when the
-flag \fB\s-1SSL_CONF_FLAG_CMDLINE\s0\fR is set) are listed below. Note: all \fBoption\fR
+flag \fBSSL_CONF_FLAG_CMDLINE\fR is set) are listed below. Note: all \fBoption\fR
names are case sensitive. Unless otherwise stated commands can be used by
both clients and servers and the \fBvalue\fR parameter is not used. The default
prefix for command line commands is \fB\-\fR and that is reflected below.
-.IP "\fB\-bugs\fR" 4
+.IP \fB\-bugs\fR 4
.IX Item "-bugs"
-Various bug workarounds are set, same as setting \fB\s-1SSL_OP_ALL\s0\fR.
-.IP "\fB\-no_comp\fR" 4
+Various bug workarounds are set, same as setting \fBSSL_OP_ALL\fR.
+.IP \fB\-no_comp\fR 4
.IX Item "-no_comp"
-Disables support for \s-1SSL/TLS\s0 compression, same as setting
-\&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
+Disables support for SSL/TLS compression, same as setting
+\&\fBSSL_OP_NO_COMPRESSION\fR.
As of OpenSSL 1.1.0, compression is off by default.
-.IP "\fB\-comp\fR" 4
+.IP \fB\-comp\fR 4
.IX Item "-comp"
-Enables support for \s-1SSL/TLS\s0 compression, same as clearing
-\&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
+Enables support for SSL/TLS compression, same as clearing
+\&\fBSSL_OP_NO_COMPRESSION\fR.
This command was introduced in OpenSSL 1.1.0.
-As of OpenSSL 1.1.0, compression is off by default.
-.IP "\fB\-no_ticket\fR" 4
+As of OpenSSL 1.1.0, compression is off by default. TLS compression can only be
+used in security level 1 or lower. From OpenSSL 3.2.0 and above the default
+security level is 2, so this option will have no effect without also changing
+the security level. See \fBSSL_CTX_set_security_level\fR\|(3).
+.IP \fB\-no_ticket\fR 4
.IX Item "-no_ticket"
-Disables support for session tickets, same as setting \fB\s-1SSL_OP_NO_TICKET\s0\fR.
-.IP "\fB\-serverpref\fR" 4
+Disables support for session tickets, same as setting \fBSSL_OP_NO_TICKET\fR.
+.IP \fB\-serverpref\fR 4
.IX Item "-serverpref"
Use server and not client preference order when determining which cipher suite,
signature algorithm or elliptic curve to use for an incoming connection.
-Equivalent to \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers.
-.IP "\fB\-client_renegotiation\fR" 4
+Equivalent to \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR. Only used by servers.
+.IP \fB\-client_renegotiation\fR 4
.IX Item "-client_renegotiation"
Allows servers to accept client-initiated renegotiation. Equivalent to
-setting \fB\s-1SSL_OP_ALLOW_CLIENT_RENEGOTIATION\s0\fR.
+setting \fBSSL_OP_ALLOW_CLIENT_RENEGOTIATION\fR.
Only used by servers.
-.IP "\fB\-legacy_renegotiation\fR" 4
+.IP \fB\-legacy_renegotiation\fR 4
.IX Item "-legacy_renegotiation"
Permits the use of unsafe legacy renegotiation. Equivalent to setting
-\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR.
-.IP "\fB\-no_renegotiation\fR" 4
+\&\fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR.
+.IP \fB\-no_renegotiation\fR 4
.IX Item "-no_renegotiation"
-Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
-\&\fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR.
-.IP "\fB\-no_resumption_on_reneg\fR" 4
+Disables all attempts at renegotiation in (D)TLSv1.2 and earlier, same as setting
+\&\fBSSL_OP_NO_RENEGOTIATION\fR.
+.IP \fB\-no_resumption_on_reneg\fR 4
.IX Item "-no_resumption_on_reneg"
-Sets \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR. Only used by servers.
+Sets \fBSSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\fR. Only used by servers.
.IP "\fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR" 4
.IX Item "-legacy_server_connect, -no_legacy_server_connect"
Permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
-clients only. Equivalent to setting or clearing \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR.
-.IP "\fB\-prioritize_chacha\fR" 4
+clients only. Equivalent to setting or clearing \fBSSL_OP_LEGACY_SERVER_CONNECT\fR.
+.IP \fB\-prioritize_chacha\fR 4
.IX Item "-prioritize_chacha"
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
-its preference list. This usually indicates a client without \s-1AES\s0 hardware
-acceleration (e.g. mobile) is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR.
+its preference list. This usually indicates a client without AES hardware
+acceleration (e.g. mobile) is in use. Equivalent to \fBSSL_OP_PRIORITIZE_CHACHA\fR.
Only used by servers. Requires \fB\-serverpref\fR.
-.IP "\fB\-allow_no_dhe_kex\fR" 4
+.IP \fB\-allow_no_dhe_kex\fR 4
.IX Item "-allow_no_dhe_kex"
In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means
that there will be no forward secrecy for the resumed session.
-.IP "\fB\-strict\fR" 4
+.IP \fB\-prefer_no_dhe_kex\fR 4
+.IX Item "-prefer_no_dhe_kex"
+In TLSv1.3, on resumption let the server prefer a non\-(ec)dhe based key
+exchange mode over an (ec)dhe based one. Requires \fB\-allow_no_dhe_kex\fR.
+Equivalent to \fBSSL_OP_PREFER_NO_DHE_KEX\fR. Only used by servers.
+.IP \fB\-strict\fR 4
.IX Item "-strict"
Enables strict mode protocol handling. Equivalent to setting
-\&\fB\s-1SSL_CERT_FLAG_TLS_STRICT\s0\fR.
+\&\fBSSL_CERT_FLAG_TLS_STRICT\fR.
.IP "\fB\-sigalgs\fR \fIalgs\fR" 4
.IX Item "-sigalgs algs"
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
@@ -227,18 +159,23 @@ algorithms to support.
.Sp
The \fBalgs\fR argument should be a colon separated list of signature
algorithms in order of decreasing preference of the form \fBalgorithm+hash\fR
-or \fBsignature_scheme\fR. \fBalgorithm\fR is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and
-\&\fBhash\fR is a supported algorithm \s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR,
-\&\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR. Note: algorithm and hash names are case
-sensitive. \fBsignature_scheme\fR is one of the signature schemes defined in
-TLSv1.3, specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR,
-\&\fBed25519\fR, or \fBrsa_pss_pss_sha256\fR.
-.Sp
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
+or \fBsignature_scheme\fR. For the default providers shipped with OpenSSL,
+\&\fBalgorithm\fR is one of \fBRSA\fR, \fBDSA\fR or \fBECDSA\fR and
+\&\fBhash\fR is a supported algorithm OID short name such as \fBSHA1\fR, \fBSHA224\fR,
+\&\fBSHA256\fR, \fBSHA384\fR or \fBSHA512\fR.
+\&\fBsignature_scheme\fR is one of the signature schemes defined
+in TLSv1.3, specified using the IETF name, e.g., \fBecdsa_secp256r1_sha256\fR,
+\&\fBed25519\fR, or \fBrsa_pss_pss_sha256\fR. Additional providers may make available
+further algorithms via the TLS-SIGALG capability.
+Signature scheme names and public key algorithm names (but not the hash names)
+in the \fBalgorithm+hash\fR form are case-insensitive.
+See \fBprovider\-base\fR\|(7).
+.Sp
+If this option is not set then all signature algorithms supported by all
+activated providers are permissible.
.Sp
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
-using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
+using \fBRSA\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
identifiers) are ignored in TLSv1.3 and will not be negotiated.
.IP "\fB\-client_sigalgs\fR \fIalgs\fR" 4
.IX Item "-client_sigalgs algs"
@@ -256,35 +193,84 @@ value set for \fB\-sigalgs\fR will be used instead.
This sets the supported groups. For clients, the groups are sent using
the supported groups extension. For servers, it is used to determine which
group to use. This setting affects groups used for signatures (in TLSv1.2
-and earlier) and key exchange. The first group listed will also be used
-for the \fBkey_share\fR sent by a client in a TLSv1.3 \fBClientHello\fR.
-.Sp
-The \fBgroups\fR argument is a colon separated list of groups. The group can
-be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name
-where applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL \s-1OID\s0 name
-(e.g. \fBprime256v1\fR). Group names are case sensitive. The list should be
-in order of preference with the most preferred group first.
-.Sp
-Currently supported groups for \fBTLSv1.3\fR are \fBP\-256\fR, \fBP\-384\fR, \fBP\-521\fR,
-\&\fBX25519\fR, \fBX448\fR, \fBffdhe2048\fR, \fBffdhe3072\fR, \fBffdhe4096\fR, \fBffdhe6144\fR,
-\&\fBffdhe8192\fR.
+and earlier) and key exchange.
+.Sp
+In its simplest form the \fIgroups\fR argument is a colon separated list of
+groups. The preferred names are those listed in the IANA
+TLS Supported Groups <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>
+registry.
+.Sp
+For some groups, OpenSSL supports additional aliases.
+Such an alias could be a \fBNIST\fR name (e.g. \fBP\-256\fR), an OpenSSL OID name
+(e.g. \fBprime256v1\fR), or some other commonly used name.
+Group names are case-insensitive in OpenSSL 3.5 and later.
+The list should be in order of preference with the most preferred group first.
+.Sp
+The first group listed will also be used for the \fBkey_share\fR sent by a client
+in a TLSv1.3 \fBClientHello\fR.
+.Sp
+The commands below list the IANA names for TLS 1.2 and TLS 1.3,
+respectively:
+.Sp
+.Vb 2
+\& $ openssl list \-tls1_2 \-tls\-groups
+\& $ openssl list \-tls1_3 \-tls\-groups
+.Ve
+.Sp
+The recommended groups (in order of decreasing performance) for TLS 1.3 are presently:
+.Sp
+\&\fBx25519\fR,
+\&\fBsecp256r1\fR,
+\&\fBx448\fR,
+and
+\&\fBsecp384r1\fR.
+.Sp
+The stronger security margins of the last two, come at a significant
+performance penalty.
+.Sp
+An enriched alternative syntax, that enables clients to send multiple keyshares
+and allows servers to prioritise some groups over others, is described in
+\&\fBSSL_CTX_set1_groups_list\fR\|(3).
+Since TLS 1.2 has neither keyshares nor a hello retry mechanism, with TLS 1.2
+the enriched syntax is ultimately equivalent to just a simple ordered list of
+groups, as with the simple form above.
.IP "\fB\-curves\fR \fIgroups\fR" 4
.IX Item "-curves groups"
This is a synonym for the \fB\-groups\fR command.
.IP "\fB\-named_curve\fR \fIcurve\fR" 4
.IX Item "-named_curve curve"
-This sets the temporary curve used for ephemeral \s-1ECDH\s0 modes. Only used
-by servers.
+This sets the temporary curve used for ephemeral ECDH modes.
+This is only applicable in TLS 1.0 and 1.1, and should not be used with later
+protocol versions.
.Sp
-The \fBgroups\fR argument is a curve name or the special value \fBauto\fR which
+The \fIcurve\fR argument is a curve name or the special value \fBauto\fR which
picks an appropriate curve based on client and server preferences. The
-curve can be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name
-(e.g. \fBprime256v1\fR). Curve names are case sensitive.
+curve can be either the \fBNIST\fR name (e.g. \fBP\-256\fR) or an OpenSSL OID name
+(e.g. \fBprime256v1\fR).
+Even with TLS 1.0 and 1.1, the default value of \f(CW\*(C`auto\*(C'\fR is strongly recommended
+over choosing a specific curve.
+Curve names are case-insensitive in OpenSSL 3.5 and later.
+.IP \fB\-tx_cert_comp\fR 4
+.IX Item "-tx_cert_comp"
+Enables support for sending TLSv1.3 compressed certificates.
+.IP \fB\-no_tx_cert_comp\fR 4
+.IX Item "-no_tx_cert_comp"
+Disables support for sending TLSv1.3 compressed certificates.
+.IP \fB\-rx_cert_comp\fR 4
+.IX Item "-rx_cert_comp"
+Enables support for receiving TLSv1.3 compressed certificates.
+.IP \fB\-no_rx_cert_comp\fR 4
+.IX Item "-no_rx_cert_comp"
+Disables support for receiving TLSv1.3 compressed certificates.
+.IP \fB\-comp\fR 4
+.IX Item "-comp"
+.PD 0
.IP "\fB\-cipher\fR \fIciphers\fR" 4
.IX Item "-cipher ciphers"
+.PD
Sets the TLSv1.2 and below ciphersuite list to \fBciphers\fR. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
-of \fBciphers\fR is currently not performed unless a \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR
+of \fBciphers\fR is currently not performed unless a \fBSSL\fR or \fBSSL_CTX\fR
structure is associated with \fBctx\fR.
.IP "\fB\-ciphersuites\fR \fI1.3ciphers\fR" 4
.IX Item "-ciphersuites 1.3ciphers"
@@ -296,26 +282,32 @@ See \fBopenssl\-ciphers\fR\|(1) for more information.
.IX Item "-min_protocol minprot, -max_protocol maxprot"
Sets the minimum and maximum supported protocol.
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
-\&\fBTLSv1.2\fR, \fBTLSv1.3\fR for \s-1TLS\s0; \fBDTLSv1\fR, \fBDTLSv1.2\fR for \s-1DTLS,\s0 and \fBNone\fR
+\&\fBTLSv1.2\fR, \fBTLSv1.3\fR for TLS; \fBDTLSv1\fR, \fBDTLSv1.2\fR for DTLS, and \fBNone\fR
for no limit.
If either the lower or upper bound is not specified then only the other bound
applies, if specified.
-If your application supports both \s-1TLS\s0 and \s-1DTLS\s0 you can specify any of these
-options twice, once with a bound for \s-1TLS\s0 and again with an appropriate bound
-for \s-1DTLS.\s0
+If your application supports both TLS and DTLS you can specify any of these
+options twice, once with a bound for TLS and again with an appropriate bound
+for DTLS.
To restrict the supported protocol versions use these commands rather than the
deprecated alternative commands below.
.IP "\fB\-record_padding\fR \fIpadding\fR" 4
.IX Item "-record_padding padding"
-Attempts to pad TLSv1.3 records so that they are a multiple of \fBpadding\fR
-in length on send. A \fBpadding\fR of 0 or 1 turns off padding. Otherwise,
-the \fBpadding\fR must be >1 or <=16384.
-.IP "\fB\-debug_broken_protocol\fR" 4
+Controls use of TLSv1.3 record layer padding. \fBpadding\fR is a string of the
+form "number[,number]" where the (required) first number is the padding block
+size (in octets) for application data, and the optional second number is the
+padding block size for handshake and alert messages. If the optional second
+number is omitted, the same padding will be applied to all messages.
+.Sp
+Padding attempts to pad TLSv1.3 records so that they are a multiple of the set
+length on send. A value of 0 or 1 turns off padding as relevant. Otherwise, the
+values must be >1 or <=16384.
+.IP \fB\-debug_broken_protocol\fR 4
.IX Item "-debug_broken_protocol"
Ignored.
-.IP "\fB\-no_middlebox\fR" 4
+.IP \fB\-no_middlebox\fR 4
.IX Item "-no_middlebox"
-Turn off \*(L"middlebox compatibility\*(R", as described below.
+Turn off "middlebox compatibility", as described below.
.SS "Additional Options"
.IX Subsection "Additional Options"
The following options are accepted by \fBSSL_CONF_cmd()\fR, but are not
@@ -323,19 +315,19 @@ processed by the OpenSSL commands.
.IP "\fB\-cert\fR \fIfile\fR" 4
.IX Item "-cert file"
Attempts to use \fBfile\fR as the certificate for the appropriate context. It
-currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR
-structure is set or \fBSSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an
-\&\fB\s-1SSL\s0\fR structure is set. This option is only supported if certificate
+currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fBSSL_CTX\fR
+structure is set or \fBSSL_use_certificate_file()\fR with filetype PEM if an
+\&\fBSSL\fR structure is set. This option is only supported if certificate
operations are permitted.
.IP "\fB\-key\fR \fIfile\fR" 4
.IX Item "-key file"
Attempts to use \fBfile\fR as the private key for the appropriate context. This
option is only supported if certificate operations are permitted. Note:
if no \fB\-key\fR option is set then a private key is not loaded unless the
-flag \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set.
+flag \fBSSL_CONF_FLAG_REQUIRE_PRIVATE\fR is set.
.IP "\fB\-dhparam\fR \fIfile\fR" 4
.IX Item "-dhparam file"
-Attempts to use \fBfile\fR as the set of temporary \s-1DH\s0 parameters for
+Attempts to use \fBfile\fR as the set of temporary DH parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
@@ -355,68 +347,74 @@ time. Anti-Replay is on by default unless overridden by a configuration file and
is only used by servers. Anti-replay measures are required for compliance with
the TLSv1.3 specification. Some applications may be able to mitigate the replay
risks in other ways and in such cases the built-in OpenSSL functionality is not
-required. Switching off anti-replay is equivalent to \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR.
+required. Switching off anti-replay is equivalent to \fBSSL_OP_NO_ANTI_REPLAY\fR.
.SH "SUPPORTED CONFIGURATION FILE COMMANDS"
.IX Header "SUPPORTED CONFIGURATION FILE COMMANDS"
Currently supported \fBoption\fR names for configuration files (i.e., when the
-flag \fB\s-1SSL_CONF_FLAG_FILE\s0\fR is set) are listed below. All configuration file
+flag \fBSSL_CONF_FLAG_FILE\fR is set) are listed below. All configuration file
\&\fBoption\fR names are case insensitive so \fBsignaturealgorithms\fR is recognised
as well as \fBSignatureAlgorithms\fR. Unless otherwise stated the \fBvalue\fR names
are also case insensitive.
.PP
Note: the command prefix (if set) alters the recognised \fBoption\fR values.
-.IP "\fBCipherString\fR" 4
+.IP \fBCipherString\fR 4
.IX Item "CipherString"
Sets the ciphersuite list for TLSv1.2 and below to \fBvalue\fR. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax
-checking of \fBvalue\fR is currently not performed unless an \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR
+checking of \fBvalue\fR is currently not performed unless an \fBSSL\fR or \fBSSL_CTX\fR
structure is associated with \fBctx\fR.
-.IP "\fBCiphersuites\fR" 4
+.IP \fBCiphersuites\fR 4
.IX Item "Ciphersuites"
Sets the available ciphersuites for TLSv1.3 to \fBvalue\fR. This is a
colon-separated list of TLSv1.3 ciphersuite names in order of preference. This
list will be combined any configured TLSv1.2 and below ciphersuites.
See \fBopenssl\-ciphers\fR\|(1) for more information.
-.IP "\fBCertificate\fR" 4
+.IP \fBCertificate\fR 4
.IX Item "Certificate"
Attempts to use the file \fBvalue\fR as the certificate for the appropriate
-context. It currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR
-structure is set or \fBSSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR
+context. It currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fBSSL_CTX\fR
+structure is set or \fBSSL_use_certificate_file()\fR with filetype PEM if an \fBSSL\fR
structure is set. This option is only supported if certificate operations
are permitted.
-.IP "\fBPrivateKey\fR" 4
+.IP \fBPrivateKey\fR 4
.IX Item "PrivateKey"
Attempts to use the file \fBvalue\fR as the private key for the appropriate
context. This option is only supported if certificate operations
are permitted. Note: if no \fBPrivateKey\fR option is set then a private key is
-not loaded unless the \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set.
+not loaded unless the \fBSSL_CONF_FLAG_REQUIRE_PRIVATE\fR is set.
.IP "\fBChainCAFile\fR, \fBChainCAPath\fR, \fBVerifyCAFile\fR, \fBVerifyCAPath\fR" 4
.IX Item "ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath"
These options indicate a file or directory used for building certificate
chains or verifying certificate chains. These options are only supported
if certificate operations are permitted.
-.IP "\fBRequestCAFile\fR" 4
+.IP \fBRequestCAFile\fR 4
.IX Item "RequestCAFile"
-This option indicates a file containing a set of certificates in \s-1PEM\s0 form.
+This option indicates a file containing a set of certificates in PEM form.
The subject names of the certificates are sent to the peer in the
-\&\fBcertificate_authorities\fR extension for \s-1TLS 1.3\s0 (in ClientHello or
+\&\fBcertificate_authorities\fR extension for TLS 1.3 (in ClientHello or
CertificateRequest) or in a certificate request for previous versions or
-\&\s-1TLS.\s0
-.IP "\fBServerInfoFile\fR" 4
+TLS.
+.IP \fBServerInfoFile\fR 4
.IX Item "ServerInfoFile"
-Attempts to use the file \fBvalue\fR in the \*(L"serverinfo\*(R" extension using the
+Attempts to use the file \fBvalue\fR in the "serverinfo" extension using the
function SSL_CTX_use_serverinfo_file.
-.IP "\fBDHParameters\fR" 4
+.IP \fBDHParameters\fR 4
.IX Item "DHParameters"
-Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for
+Attempts to use the file \fBvalue\fR as the set of temporary DH parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
-.IP "\fBRecordPadding\fR" 4
+.IP \fBRecordPadding\fR 4
.IX Item "RecordPadding"
-Attempts to pad TLSv1.3 records so that they are a multiple of \fBvalue\fR in
-length on send. A \fBvalue\fR of 0 or 1 turns off padding. Otherwise, the
-\&\fBvalue\fR must be >1 or <=16384.
-.IP "\fBSignatureAlgorithms\fR" 4
+Controls use of TLSv1.3 record layer padding. \fBvalue\fR is a string of the form
+"number[,number]" where the (required) first number is the padding block size
+(in octets) for application data, and the optional second number is the padding
+block size for handshake and alert messages. If the optional second number is
+omitted, the same padding will be applied to all messages.
+.Sp
+Padding attempts to pad TLSv1.3 records so that they are a multiple of the set
+length on send. A value of 0 or 1 turns off padding as relevant. Otherwise, the
+values must be >1 or <=16384.
+.IP \fBSignatureAlgorithms\fR 4
.IX Item "SignatureAlgorithms"
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
For clients this
@@ -425,21 +423,25 @@ servers it is used to determine which signature algorithms to support.
.Sp
The \fBvalue\fR argument should be a colon separated list of signature algorithms
in order of decreasing preference of the form \fBalgorithm+hash\fR or
-\&\fBsignature_scheme\fR. \fBalgorithm\fR
-is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm
-\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR.
-Note: algorithm and hash names are case sensitive.
+\&\fBsignature_scheme\fR. For the default providers shipped with OpenSSL,
+\&\fBalgorithm\fR is one of \fBRSA\fR, \fBDSA\fR or \fBECDSA\fR and \fBhash\fR is a supported
+algorithm OID short name such as \fBSHA1\fR, \fBSHA224\fR, \fBSHA256\fR, \fBSHA384\fR
+or \fBSHA512\fR.
\&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3,
-specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR,
+specified using the IANA name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR,
or \fBrsa_pss_pss_sha256\fR.
+Signature scheme names and public key algorithm names (but not the hash names)
+in the \fBalgorithm+hash\fR form are case-insensitive.
+Additional providers may make available further signature schemes via the
+TLS_SIGALG capability. See "CAPABILITIES" in \fBprovider\-base\fR\|(7).
.Sp
-If this option is not set then all signature algorithms supported by the
-OpenSSL library are permissible.
+If this option is not set then all signature algorithms supported by all
+activated providers are permissible.
.Sp
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
-using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
+using \fBRSA\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
identifiers) are ignored in TLSv1.3 and will not be negotiated.
-.IP "\fBClientSignatureAlgorithms\fR" 4
+.IP \fBClientSignatureAlgorithms\fR 4
.IX Item "ClientSignatureAlgorithms"
This sets the supported signature algorithms associated with client
authentication for TLSv1.2 and TLSv1.3.
@@ -451,7 +453,7 @@ If a server does not request a certificate this option has no effect.
.Sp
The syntax of \fBvalue\fR is identical to \fBSignatureAlgorithms\fR. If not set then
the value set for \fBSignatureAlgorithms\fR will be used instead.
-.IP "\fBGroups\fR" 4
+.IP \fBGroups\fR 4
.IX Item "Groups"
This sets the supported groups. For clients, the groups are
sent using the supported groups extension. For servers, it is used
@@ -460,44 +462,59 @@ signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
will also be used for the \fBkey_share\fR sent by a client in a TLSv1.3
\&\fBClientHello\fR.
.Sp
-The \fBvalue\fR argument is a colon separated list of groups. The group can be
-either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name where
-applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL \s-1OID\s0 name
-(e.g. \fBprime256v1\fR). Group names are case sensitive. The list should be in
-order of preference with the most preferred group first.
+The \fBgroups\fR argument is a colon separated list of groups. The preferred
+names are those listed in the IANA
+TLS Supported Groups <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>
+registry.
+For some groups, OpenSSL supports additional aliases.
+Such an alias could be a \fBNIST\fR name (e.g. \fBP\-256\fR), an OpenSSL OID name
+(e.g. \fBprime256v1\fR), or some other commonly used name.
+Group names are case-insensitive in OpenSSL 3.5 and later.
+The list should be in order of preference with the most preferred group first.
.Sp
-Currently supported groups for \fBTLSv1.3\fR are \fBP\-256\fR, \fBP\-384\fR, \fBP\-521\fR,
-\&\fBX25519\fR, \fBX448\fR, \fBffdhe2048\fR, \fBffdhe3072\fR, \fBffdhe4096\fR, \fBffdhe6144\fR,
-\&\fBffdhe8192\fR.
-.IP "\fBCurves\fR" 4
+The commands below list the available groups for TLS 1.2 and TLS 1.3,
+respectively:
+.Sp
+.Vb 2
+\& $ openssl list \-tls1_2 \-tls\-groups
+\& $ openssl list \-tls1_3 \-tls\-groups
+.Ve
+.Sp
+An enriched alternative syntax, that enables clients to send multiple keyshares
+and allows servers to prioritise some groups over others, is described in
+\&\fBSSL_CTX_set1_groups_list\fR\|(3).
+Since TLS 1.2 has neither keyshares nor a hello retry mechanism, with TLS 1.2
+the enriched syntax is ultimately equivalent to just a simple ordered list of
+groups, as with the simple form above.
+.IP \fBCurves\fR 4
.IX Item "Curves"
-This is a synonym for the \*(L"Groups\*(R" command.
-.IP "\fBMinProtocol\fR" 4
+This is a synonym for the "Groups" command.
+.IP \fBMinProtocol\fR 4
.IX Item "MinProtocol"
-This sets the minimum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version.
+This sets the minimum supported SSL, TLS or DTLS version.
.Sp
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR.
-The \s-1SSL\s0 and \s-1TLS\s0 bounds apply only to TLS-based contexts, while the \s-1DTLS\s0 bounds
+The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
apply only to DTLS-based contexts.
-The command can be repeated with one instance setting a \s-1TLS\s0 bound, and the
-other setting a \s-1DTLS\s0 bound.
+The command can be repeated with one instance setting a TLS bound, and the
+other setting a DTLS bound.
The value \fBNone\fR applies to both types of contexts and disables the limits.
-.IP "\fBMaxProtocol\fR" 4
+.IP \fBMaxProtocol\fR 4
.IX Item "MaxProtocol"
-This sets the maximum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version.
+This sets the maximum supported SSL, TLS or DTLS version.
.Sp
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR.
-The \s-1SSL\s0 and \s-1TLS\s0 bounds apply only to TLS-based contexts, while the \s-1DTLS\s0 bounds
+The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
apply only to DTLS-based contexts.
-The command can be repeated with one instance setting a \s-1TLS\s0 bound, and the
-other setting a \s-1DTLS\s0 bound.
+The command can be repeated with one instance setting a TLS bound, and the
+other setting a DTLS bound.
The value \fBNone\fR applies to both types of contexts and disables the limits.
-.IP "\fBProtocol\fR" 4
+.IP \fBProtocol\fR 4
.IX Item "Protocol"
-This can be used to enable or disable certain versions of the \s-1SSL,
-TLS\s0 or \s-1DTLS\s0 protocol.
+This can be used to enable or disable certain versions of the SSL,
+TLS or DTLS protocol.
.Sp
The \fBvalue\fR argument is a comma separated list of supported protocols
to enable or disable.
@@ -511,7 +528,7 @@ versions.
.Sp
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR.
-The special value \fB\s-1ALL\s0\fR refers to all supported versions.
+The special value \fBALL\fR refers to all supported versions.
.Sp
This can't enable protocols that are disabled using \fBMinProtocol\fR
or \fBMaxProtocol\fR, but can disable protocols that are still allowed
@@ -520,9 +537,9 @@ by them.
The \fBProtocol\fR command is fragile and deprecated; do not use it.
Use \fBMinProtocol\fR and \fBMaxProtocol\fR instead.
If you do use \fBProtocol\fR, make sure that the resulting range of enabled
-protocols has no \*(L"holes\*(R", e.g. if \s-1TLS 1.0\s0 and \s-1TLS 1.2\s0 are both enabled, make
-sure to also leave \s-1TLS 1.1\s0 enabled.
-.IP "\fBOptions\fR" 4
+protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make
+sure to also leave TLS 1.1 enabled.
+.IP \fBOptions\fR 4
.IX Item "Options"
The \fBvalue\fR argument is a comma separated list of various flags to set.
If a flag string is preceded \fB\-\fR it is disabled.
@@ -533,59 +550,64 @@ Each option is listed below. Where an operation is enabled by default
the \fB\-flag\fR syntax is needed to disable it.
.Sp
\&\fBSessionTicket\fR: session ticket support, enabled by default. Inverse of
-\&\fB\s-1SSL_OP_NO_TICKET\s0\fR: that is \fB\-SessionTicket\fR is the same as setting
-\&\fB\s-1SSL_OP_NO_TICKET\s0\fR.
+\&\fBSSL_OP_NO_TICKET\fR: that is \fB\-SessionTicket\fR is the same as setting
+\&\fBSSL_OP_NO_TICKET\fR.
.Sp
-\&\fBCompression\fR: \s-1SSL/TLS\s0 compression support, disabled by default. Inverse
-of \fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
+\&\fBCompression\fR: SSL/TLS compression support, disabled by default. Inverse
+of \fBSSL_OP_NO_COMPRESSION\fR.
.Sp
\&\fBEmptyFragments\fR: use empty fragments as a countermeasure against a
-\&\s-1SSL 3.0/TLS 1.0\s0 protocol vulnerability affecting \s-1CBC\s0 ciphers. It
-is set by default. Inverse of \fB\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0\fR.
+SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
+is set by default. Inverse of \fBSSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\fR.
.Sp
-\&\fBBugs\fR: enable various bug workarounds. Same as \fB\s-1SSL_OP_ALL\s0\fR.
+\&\fBBugs\fR: enable various bug workarounds. Same as \fBSSL_OP_ALL\fR.
.Sp
-\&\fBDHSingle\fR: enable single use \s-1DH\s0 keys, set by default. Inverse of
-\&\fB\s-1SSL_OP_DH_SINGLE\s0\fR. Only used by servers.
+\&\fBDHSingle\fR: enable single use DH keys, set by default. Inverse of
+\&\fBSSL_OP_DH_SINGLE\fR. Only used by servers.
.Sp
-\&\fBECDHSingle\fR: enable single use \s-1ECDH\s0 keys, set by default. Inverse of
-\&\fB\s-1SSL_OP_ECDH_SINGLE\s0\fR. Only used by servers.
+\&\fBECDHSingle\fR: enable single use ECDH keys, set by default. Inverse of
+\&\fBSSL_OP_ECDH_SINGLE\fR. Only used by servers.
.Sp
\&\fBServerPreference\fR: use server and not client preference order when
determining which cipher suite, signature algorithm or elliptic curve
to use for an incoming connection. Equivalent to
-\&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers.
+\&\fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR. Only used by servers.
.Sp
\&\fBPrioritizeChaCha\fR: prioritizes ChaCha ciphers when the client has a
ChaCha20 cipher at the top of its preference list. This usually indicates
-a mobile client is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR.
+a mobile client is in use. Equivalent to \fBSSL_OP_PRIORITIZE_CHACHA\fR.
Only used by servers.
.Sp
\&\fBNoResumptionOnRenegotiation\fR: set
-\&\fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR flag. Only used by servers.
+\&\fBSSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\fR flag. Only used by servers.
.Sp
\&\fBNoRenegotiation\fR: disables all attempts at renegotiation in TLSv1.2 and
-earlier, same as setting \fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR.
+earlier, same as setting \fBSSL_OP_NO_RENEGOTIATION\fR.
.Sp
\&\fBUnsafeLegacyRenegotiation\fR: permits the use of unsafe legacy renegotiation.
-Equivalent to \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR.
+Equivalent to \fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR.
.Sp
\&\fBUnsafeLegacyServerConnect\fR: permits the use of unsafe legacy renegotiation
-for OpenSSL clients only. Equivalent to \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR.
+for OpenSSL clients only. Equivalent to \fBSSL_OP_LEGACY_SERVER_CONNECT\fR.
.Sp
\&\fBEncryptThenMac\fR: use encrypt-then-mac extension, enabled by
-default. Inverse of \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR: that is,
-\&\fB\-EncryptThenMac\fR is the same as setting \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR.
+default. Inverse of \fBSSL_OP_NO_ENCRYPT_THEN_MAC\fR: that is,
+\&\fB\-EncryptThenMac\fR is the same as setting \fBSSL_OP_NO_ENCRYPT_THEN_MAC\fR.
.Sp
\&\fBAllowNoDHEKEX\fR: In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on
resumption. This means that there will be no forward secrecy for the resumed
-session. Equivalent to \fB\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0\fR.
+session. Equivalent to \fBSSL_OP_ALLOW_NO_DHE_KEX\fR.
+.Sp
+\&\fBPreferNoDHEKEX\fR: In TLSv1.3, on resumption let the server prefer a
+non\-(ec)dhe based key exchange mode over an (ec)dhe based one. Requires
+\&\fBAllowNoDHEKEX\fR. Equivalent to \fBSSL_OP_PREFER_NO_DHE_KEX\fR. Only used by
+servers.
.Sp
-\&\fBMiddleboxCompat\fR: If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent
+\&\fBMiddleboxCompat\fR: If set then dummy Change Cipher Spec (CCS) messages are sent
in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that
middleboxes that do not understand TLSv1.3 will not drop the connection. This
option is set by default. A future version of OpenSSL may not set this by
-default. Equivalent to \fB\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0\fR.
+default. Equivalent to \fBSSL_OP_ENABLE_MIDDLEBOX_COMPAT\fR.
.Sp
\&\fBAntiReplay\fR: If set then OpenSSL will automatically detect if a session ticket
has been used more than once, TLSv1.3 has been negotiated, and early data is
@@ -594,20 +616,44 @@ second or subsequent time. This option is set by default and is only used by
servers. Anti-replay measures are required to comply with the TLSv1.3
specification. Some applications may be able to mitigate the replay risks in
other ways and in such cases the built-in OpenSSL functionality is not required.
-Disabling anti-replay is equivalent to setting \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR.
+Disabling anti-replay is equivalent to setting \fBSSL_OP_NO_ANTI_REPLAY\fR.
.Sp
\&\fBExtendedMasterSecret\fR: use extended master secret extension, enabled by
-default. Inverse of \fB\s-1SSL_OP_NO_EXTENDED_MASTER_SECRET\s0\fR: that is,
-\&\fB\-ExtendedMasterSecret\fR is the same as setting \fB\s-1SSL_OP_NO_EXTENDED_MASTER_SECRET\s0\fR.
+default. Inverse of \fBSSL_OP_NO_EXTENDED_MASTER_SECRET\fR: that is,
+\&\fB\-ExtendedMasterSecret\fR is the same as setting \fBSSL_OP_NO_EXTENDED_MASTER_SECRET\fR.
.Sp
-\&\fBCANames\fR: use \s-1CA\s0 names extension, enabled by
-default. Inverse of \fB\s-1SSL_OP_DISABLE_TLSEXT_CA_NAMES\s0\fR: that is,
-\&\fB\-CANames\fR is the same as setting \fB\s-1SSL_OP_DISABLE_TLSEXT_CA_NAMES\s0\fR.
+\&\fBCANames\fR: use CA names extension, enabled by
+default. Inverse of \fBSSL_OP_DISABLE_TLSEXT_CA_NAMES\fR: that is,
+\&\fB\-CANames\fR is the same as setting \fBSSL_OP_DISABLE_TLSEXT_CA_NAMES\fR.
.Sp
-\&\fB\s-1KTLS\s0\fR: Enables kernel \s-1TLS\s0 if support has been compiled in, and it is supported
+\&\fBKTLS\fR: Enables kernel TLS if support has been compiled in, and it is supported
by the negotiated ciphersuites and extensions. Equivalent to
-\&\fB\s-1SSL_OP_ENABLE_KTLS\s0\fR.
-.IP "\fBVerifyMode\fR" 4
+\&\fBSSL_OP_ENABLE_KTLS\fR.
+.Sp
+\&\fBStrictCertCheck\fR: Enable strict certificate checking. Equivalent to
+setting \fBSSL_CERT_FLAG_TLS_STRICT\fR with \fBSSL_CTX_set_cert_flags()\fR.
+.Sp
+\&\fBTxCertificateCompression\fR: support sending compressed certificates, enabled by
+default. Inverse of \fBSSL_OP_NO_TX_CERTIFICATE_COMPRESSION\fR: that is,
+\&\fB\-TxCertificateCompression\fR is the same as setting \fBSSL_OP_NO_TX_CERTIFICATE_COMPRESSION\fR.
+.Sp
+\&\fBRxCertificateCompression\fR: support receiving compressed certificates, enabled by
+default. Inverse of \fBSSL_OP_NO_RX_CERTIFICATE_COMPRESSION\fR: that is,
+\&\fB\-RxCertificateCompression\fR is the same as setting \fBSSL_OP_NO_RX_CERTIFICATE_COMPRESSION\fR.
+.Sp
+\&\fBKTLSTxZerocopySendfile\fR: use the zerocopy TX mode of \fBsendfile()\fR, which gives
+a performance boost when used with KTLS hardware offload. Note that invalid TLS
+records might be transmitted if the file is changed while being sent. This
+option has no effect if \fBKTLS\fR is not enabled. Equivalent to
+\&\fBSSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE\fR. This option only applies to Linux.
+KTLS sendfile on FreeBSD doesn't offer an option to disable zerocopy and
+always runs in this mode.
+.Sp
+\&\fBIgnoreUnexpectedEOF\fR: Equivalent to \fBSSL_OP_IGNORE_UNEXPECTED_EOF\fR.
+You should only enable this option if the protocol running over TLS can detect
+a truncation attack itself, and that the application is checking for that
+truncation attack.
+.IP \fBVerifyMode\fR 4
.IX Item "VerifyMode"
The \fBvalue\fR argument is a comma separated list of flags to set.
.Sp
@@ -635,31 +681,31 @@ during the initial handshake. The server application must provide a mechanism
to request a certificate post-handshake. Servers only. TLSv1.3 only.
.IP "\fBClientCAFile\fR, \fBClientCAPath\fR" 4
.IX Item "ClientCAFile, ClientCAPath"
-A file or directory of certificates in \s-1PEM\s0 format whose names are used as the
+A file or directory of certificates in PEM format whose names are used as the
set of acceptable names for client CAs. Servers only. This option is only
supported if certificate operations are permitted.
.SH "SUPPORTED COMMAND TYPES"
.IX Header "SUPPORTED COMMAND TYPES"
The function \fBSSL_CONF_cmd_value_type()\fR currently returns one of the following
types:
-.IP "\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR" 4
+.IP \fBSSL_CONF_TYPE_UNKNOWN\fR 4
.IX Item "SSL_CONF_TYPE_UNKNOWN"
The \fBoption\fR string is unrecognised, this return value can be use to flag
syntax errors.
-.IP "\fB\s-1SSL_CONF_TYPE_STRING\s0\fR" 4
+.IP \fBSSL_CONF_TYPE_STRING\fR 4
.IX Item "SSL_CONF_TYPE_STRING"
The value is a string without any specific structure.
-.IP "\fB\s-1SSL_CONF_TYPE_FILE\s0\fR" 4
+.IP \fBSSL_CONF_TYPE_FILE\fR 4
.IX Item "SSL_CONF_TYPE_FILE"
The value is a filename.
-.IP "\fB\s-1SSL_CONF_TYPE_DIR\s0\fR" 4
+.IP \fBSSL_CONF_TYPE_DIR\fR 4
.IX Item "SSL_CONF_TYPE_DIR"
The value is a directory name.
-.IP "\fB\s-1SSL_CONF_TYPE_NONE\s0\fR" 4
+.IP \fBSSL_CONF_TYPE_NONE\fR 4
.IX Item "SSL_CONF_TYPE_NONE"
The value string is not used e.g. a command line option which doesn't take an
argument.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:
@@ -692,7 +738,7 @@ Applications can also use \fBSSL_CONF_cmd()\fR to process command lines though t
utility function \fBSSL_CONF_cmd_argv()\fR is normally used instead. One way
to do this is to set the prefix to an appropriate value using
\&\fBSSL_CONF_CTX_set1_prefix()\fR, pass the current argument to \fBoption\fR and the
-following argument to \fBvalue\fR (which may be \s-1NULL\s0).
+following argument to \fBvalue\fR (which may be NULL).
.PP
In this case if the return value is positive then it is used to skip that
number of arguments as they have been processed by \fBSSL_CONF_cmd()\fR. If \-2 is
@@ -704,25 +750,25 @@ this can be reported back to the user.
The function \fBSSL_CONF_cmd_value_type()\fR can be used by applications to
check for the existence of a command or to perform additional syntax
checking or translation of the command value. For example if the return
-value is \fB\s-1SSL_CONF_TYPE_FILE\s0\fR an application could translate a relative
+value is \fBSSL_CONF_TYPE_FILE\fR an application could translate a relative
pathname to an absolute pathname.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_cmd()\fR returns 1 if the value of \fBoption\fR is recognised and \fBvalue\fR is
-\&\fB\s-1NOT\s0\fR used and 2 if both \fBoption\fR and \fBvalue\fR are used. In other words it
+\&\fBNOT\fR used and 2 if both \fBoption\fR and \fBvalue\fR are used. In other words it
returns the number of arguments processed. This is useful when processing
command lines.
.PP
A return value of \-2 means \fBoption\fR is not recognised.
.PP
A return value of \-3 means \fBoption\fR is recognised and the command requires a
-value but \fBvalue\fR is \s-1NULL.\s0
+value but \fBvalue\fR is NULL.
.PP
A return code of 0 indicates that both \fBoption\fR and \fBvalue\fR are valid but an
error occurred attempting to perform the operation: for example due to an
error in the syntax of \fBvalue\fR in this case the error queue may provide
additional information.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
Set supported signature algorithms:
.PP
@@ -748,7 +794,7 @@ The following also disables SSLv3:
The following will first enable all protocols, and then disable
SSLv3.
If no protocol versions were disabled before this has the same effect as
-\&\*(L"\-SSLv3\*(R", but if some versions were disables this will re-enable them before
+"\-SSLv3", but if some versions were disables this will re-enable them before
disabling SSLv3.
.PP
.Vb 1
@@ -768,7 +814,7 @@ This also only enables TLSv1.2:
\& SSL_CONF_cmd(ctx, "Protocol", "\-ALL,TLSv1.2");
.Ve
.PP
-Disable \s-1TLS\s0 session tickets:
+Disable TLS session tickets:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Options", "\-SessionTicket");
@@ -794,16 +840,16 @@ Set supported curves to P\-256, P\-384:
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CONF_cmd()\fR function was added in OpenSSL 1.0.2.
.PP
-The \fB\s-1SSL_OP_NO_SSL2\s0\fR option doesn't have effect since 1.1.0, but the macro
+The \fBSSL_OP_NO_SSL2\fR option doesn't have effect since 1.1.0, but the macro
is retained for backwards compatibility.
.PP
-The \fB\s-1SSL_CONF_TYPE_NONE\s0\fR was added in OpenSSL 1.1.0. In earlier versions of
+The \fBSSL_CONF_TYPE_NONE\fR was added in OpenSSL 1.1.0. In earlier versions of
OpenSSL passing a command which didn't take an argument would return
-\&\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR.
+\&\fBSSL_CONF_TYPE_UNKNOWN\fR.
.PP
\&\fBMinProtocol\fR and \fBMaxProtocol\fR where added in OpenSSL 1.1.0.
.PP
@@ -811,11 +857,34 @@ OpenSSL passing a command which didn't take an argument would return
.PP
The \fBUnsafeLegacyServerConnect\fR option is no longer set by default from
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \fBTxCertificateCompression\fR and \fBRxCertificateCompression\fR options were
+added in OpenSSL 3.2.
+.PP
+\&\fBPreferNoDHEKEX\fR was added in OpenSSL 3.3.
+.PP
+OpenSSL 3.5 introduces support for post-quantum (PQ) TLS key exchange via the
+\&\fBMLKEM512\fR, \fBMLKEM768\fR and \fBMLKEM1024\fR TLS groups.
+These are based on the underlying \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR and
+\&\fBML\-KEM\-1024\fR algorithms from FIPS 203.
+.PP
+OpenSSL 3.5 also introduces support for three \fBhybrid\fR ECDH PQ key exchange
+TLS groups: \fBX25519MLKEM768\fR, \fBSecP256r1MLKEM768\fR and
+\&\fBSecP384r1MLKEM1024\fR.
+They offer CPU performance comparable to the associated ECDH group, though at
+the cost of significantly larger key exchange messages.
+The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU-intensive,
+largely as a result of the high CPU cost of ECDH for the underlying \fBP\-384\fR
+group.
+Also its key exchange messages at close to 1700 bytes are larger than the
+roughly 1200 bytes for the first two groups.
+.PP
+As of OpenSSL 3.5 key exchange group names are case-insensitive.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2012\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3
index 537f5e5563e7..e0e539ba38c6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CMD_ARGV 3ossl"
-.TH SSL_CONF_CMD_ARGV 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONF_CMD_ARGV 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CONF_cmd_argv \- SSL configuration command line processing
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_cmd_argv()\fR processes at most two command line
arguments from \fBpargv\fR and \fBpargc\fR. The values of \fBpargv\fR and \fBpargc\fR
are updated to reflect the number of command options processed. The \fBpargc\fR
-argument can be set to \fB\s-1NULL\s0\fR if it is not used.
+argument can be set to \fBNULL\fR if it is not used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_cmd_argv()\fR returns the number of command arguments processed: 0, 1, 2
@@ -168,14 +92,14 @@ to an error: for example a syntax error in the argument.
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3
index d36ad9265fcf..481602a543f1 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_ADD1_CHAIN_CERT 3ossl"
-.TH SSL_CTX_ADD1_CHAIN_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_ADD1_CHAIN_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert,
SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs,
SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert,
@@ -144,7 +68,7 @@ SSL_get0_chain_certs, SSL_clear_chain_certs, SSL_CTX_build_cert_chain,
SSL_build_cert_chain, SSL_CTX_select_current_cert,
SSL_select_current_cert, SSL_CTX_set_current_cert, SSL_set_current_cert \- extra
chain certificate processing
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -171,7 +95,7 @@ chain certificate processing
\& int SSL_CTX_set_current_cert(SSL_CTX *ctx, long op);
\& int SSL_set_current_cert(SSL *ssl, long op);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set0_chain()\fR and \fBSSL_CTX_set1_chain()\fR set the certificate chain
associated with the current certificate of \fBctx\fR to \fBsk\fR.
@@ -185,22 +109,22 @@ certificate of \fBctx\fR.
.PP
\&\fBSSL_CTX_clear_chain_certs()\fR clears any existing chain associated with the
current certificate of \fBctx\fR. (This is implemented by calling
-\&\fBSSL_CTX_set0_chain()\fR with \fBsk\fR set to \fB\s-1NULL\s0\fR).
+\&\fBSSL_CTX_set0_chain()\fR with \fBsk\fR set to \fBNULL\fR).
.PP
\&\fBSSL_CTX_build_cert_chain()\fR builds the certificate chain for \fBctx\fR.
Normally this uses the chain store
or the verify store if the chain store is not set.
If the function is successful the built chain will replace any existing chain.
-The \fBflags\fR parameter can be set to \fB\s-1SSL_BUILD_CHAIN_FLAG_UNTRUSTED\s0\fR to use
-existing chain certificates as untrusted CAs, \fB\s-1SSL_BUILD_CHAIN_FLAG_NO_ROOT\s0\fR
-to omit the root \s-1CA\s0 from the built chain, \fB\s-1SSL_BUILD_CHAIN_FLAG_CHECK\s0\fR to
+The \fBflags\fR parameter can be set to \fBSSL_BUILD_CHAIN_FLAG_UNTRUSTED\fR to use
+existing chain certificates as untrusted CAs, \fBSSL_BUILD_CHAIN_FLAG_NO_ROOT\fR
+to omit the root CA from the built chain, \fBSSL_BUILD_CHAIN_FLAG_CHECK\fR to
use all existing chain certificates only to build the chain (effectively
sanity checking and rearranging them if necessary), the flag
-\&\fB\s-1SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR\s0\fR ignores any errors during verification:
-if flag \fB\s-1SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR\s0\fR is also set verification errors
+\&\fBSSL_BUILD_CHAIN_FLAG_IGNORE_ERROR\fR ignores any errors during verification:
+if flag \fBSSL_BUILD_CHAIN_FLAG_CLEAR_ERROR\fR is also set verification errors
are cleared from the error queue.
Details of the chain building process are described in
-\&\*(L"Certification Path Building\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+"Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1).
.PP
Each of these functions operates on the \fIcurrent\fR end entity
(i.e. server or client) certificate. This is the last certificate loaded or
@@ -213,15 +137,15 @@ function such as \fBSSL_CTX_use_certificate()\fR.
\&\fBSSL_set0_chain()\fR, \fBSSL_set1_chain()\fR, \fBSSL_add0_chain_cert()\fR,
\&\fBSSL_add1_chain_cert()\fR, \fBSSL_get0_chain_certs()\fR, \fBSSL_clear_chain_certs()\fR,
\&\fBSSL_build_cert_chain()\fR, \fBSSL_select_current_cert()\fR and \fBSSL_set_current_cert()\fR
-are similar except they apply to \s-1SSL\s0 structure \fBssl\fR.
+are similar except they apply to SSL structure \fBssl\fR.
.PP
\&\fBSSL_CTX_set_current_cert()\fR changes the current certificate to a value based
-on the \fBop\fR argument. Currently \fBop\fR can be \fB\s-1SSL_CERT_SET_FIRST\s0\fR to use
-the first valid certificate or \fB\s-1SSL_CERT_SET_NEXT\s0\fR to set the next valid
+on the \fBop\fR argument. Currently \fBop\fR can be \fBSSL_CERT_SET_FIRST\fR to use
+the first valid certificate or \fBSSL_CERT_SET_NEXT\fR to set the next valid
certificate after the current certificate. These two operations can be
-used to iterate over all certificates in an \fB\s-1SSL_CTX\s0\fR structure.
+used to iterate over all certificates in an \fBSSL_CTX\fR structure.
.PP
-\&\fBSSL_set_current_cert()\fR also supports the option \fB\s-1SSL_CERT_SET_SERVER\s0\fR.
+\&\fBSSL_set_current_cert()\fR also supports the option \fBSSL_CERT_SET_SERVER\fR.
If \fBssl\fR is a server and has sent a certificate to a connected client
this option sets that certificate to the current certificate and returns 1.
If the negotiated cipher suite is anonymous (and thus no certificate will
@@ -233,15 +157,15 @@ All these functions are implemented as macros. Those containing a \fB1\fR
increment the reference count of the supplied certificate or chain so it must
be freed at some point after the operation. Those containing a \fB0\fR do
not increment reference counts and the supplied certificate or chain
-\&\fB\s-1MUST NOT\s0\fR be freed after the operation.
-.SH "NOTES"
+\&\fBMUST NOT\fR be freed after the operation.
+.SH NOTES
.IX Header "NOTES"
-The chains associate with an \s-1SSL_CTX\s0 structure are copied to any \s-1SSL\s0
-structures when \fBSSL_new()\fR is called. \s-1SSL\s0 structures will not be affected
-by any chains subsequently changed in the parent \s-1SSL_CTX.\s0
+The chains associate with an SSL_CTX structure are copied to any SSL
+structures when \fBSSL_new()\fR is called. SSL structures will not be affected
+by any chains subsequently changed in the parent SSL_CTX.
.PP
One chain can be set for each key type supported by a server. So, for example,
-an \s-1RSA\s0 and a \s-1DSA\s0 certificate can (and often will) have different chains.
+an RSA and a DSA certificate can (and often will) have different chains.
.PP
The functions \fBSSL_CTX_build_cert_chain()\fR and \fBSSL_build_cert_chain()\fR can
be used to check application configuration and to ensure any necessary
@@ -250,10 +174,10 @@ sending incorrect certificate chains often cause problems with peers.
.PP
For example an application can add any set of certificates using
\&\fBSSL_CTX_use_certificate_chain_file()\fR then call \fBSSL_CTX_build_cert_chain()\fR
-with the option \fB\s-1SSL_BUILD_CHAIN_FLAG_CHECK\s0\fR to check and reorder them.
+with the option \fBSSL_BUILD_CHAIN_FLAG_CHECK\fR to check and reorder them.
.PP
Applications can issue non fatal warnings when checking chains by setting
-the flag \fB\s-1SSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS\s0\fR and checking the return
+the flag \fBSSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS\fR and checking the return
value.
.PP
Calling \fBSSL_CTX_build_cert_chain()\fR or \fBSSL_build_cert_chain()\fR is more
@@ -264,12 +188,12 @@ If any certificates are added using these functions no certificates added
using \fBSSL_CTX_add_extra_chain_cert()\fR will be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_set_current_cert()\fR with \fB\s-1SSL_CERT_SET_SERVER\s0\fR return 1 for success, 2 if
+\&\fBSSL_set_current_cert()\fR with \fBSSL_CERT_SET_SERVER\fR return 1 for success, 2 if
no server certificate is used because the cipher suites is anonymous and 0
for failure.
.PP
\&\fBSSL_CTX_build_cert_chain()\fR and \fBSSL_build_cert_chain()\fR return 1 for success
-and 0 for failure. If the flag \fB\s-1SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR\s0\fR and
+and 0 for failure. If the flag \fBSSL_BUILD_CHAIN_FLAG_IGNORE_ERROR\fR and
a verification error occurs then 2 is returned.
.PP
All other functions return 1 for success and 0 for failure.
@@ -277,14 +201,14 @@ All other functions return 1 for success and 0 for failure.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3
index ddf23520472c..da30519490aa 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl"
-.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_add_extra_chain_cert,
SSL_CTX_get_extra_chain_certs,
SSL_CTX_get_extra_chain_certs_only,
SSL_CTX_clear_extra_chain_certs
\&\- add, get or clear extra chain certificates
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -152,7 +76,7 @@ SSL_CTX_clear_extra_chain_certs
\& long SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **sk);
\& long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_add_extra_chain_cert()\fR adds the certificate \fBx509\fR to the extra chain
certificates associated with \fBctx\fR. Several certificates can be added one
@@ -171,24 +95,24 @@ The returned stack should not be freed by the caller.
associated with \fBctx\fR.
.PP
These functions are implemented as macros.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When sending a certificate chain, extra chain certificates are sent in order
following the end entity certificate.
.PP
If no chain is specified, the library will try to complete the chain from the
-available \s-1CA\s0 certificates in the trusted \s-1CA\s0 storage, see
+available CA certificates in the trusted CA storage, see
\&\fBSSL_CTX_load_verify_locations\fR\|(3).
.PP
The \fBx509\fR certificate provided to \fBSSL_CTX_add_extra_chain_cert()\fR will be
-freed by the library when the \fB\s-1SSL_CTX\s0\fR is destroyed. An application
+freed by the library when the \fBSSL_CTX\fR is destroyed. An application
\&\fBshould not\fR free the \fBx509\fR object.
-.SH "RESTRICTIONS"
+.SH RESTRICTIONS
.IX Header "RESTRICTIONS"
-Only one set of extra chain certificates can be specified per \s-1SSL_CTX\s0
+Only one set of extra chain certificates can be specified per SSL_CTX
structure. Different chains for different certificates (for example if both
-\&\s-1RSA\s0 and \s-1DSA\s0 certificates are specified by the same server) or different \s-1SSL\s0
-structures with the same parent \s-1SSL_CTX\s0 cannot be specified using this
+RSA and DSA certificates are specified by the same server) or different SSL
+structures with the same parent SSL_CTX cannot be specified using this
function. For more flexibility functions such as \fBSSL_add1_chain_cert()\fR should
be used instead.
.SH "RETURN VALUES"
@@ -212,11 +136,11 @@ reason for failure.
\&\fBSSL_add1_chain_cert\fR\|(3)
\&\fBSSL_CTX_build_cert_chain\fR\|(3)
\&\fBSSL_build_cert_chain\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3
index b1717f254f4c..4a1910910d49 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_ADD_SESSION 3ossl"
-.TH SSL_CTX_ADD_SESSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_ADD_SESSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_add_session, SSL_CTX_remove_session \- manipulate session cache
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,7 +71,7 @@ SSL_CTX_add_session, SSL_CTX_remove_session \- manipulate session cache
\&
\& int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_add_session()\fR adds the session \fBc\fR to the context \fBctx\fR. The
reference count for session \fBc\fR is incremented by 1. If a session with
@@ -156,31 +80,31 @@ the same session id already exists, the old session is removed by calling
.PP
\&\fBSSL_CTX_remove_session()\fR removes the session \fBc\fR from the context \fBctx\fR and
marks it as non-resumable. \fBSSL_SESSION_free\fR\|(3) is called once for \fBc\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When adding a new session to the internal session cache, it is examined
whether a session with the same session id already exists. In this case
it is assumed that both sessions are identical. If the same session is
-stored in a different \s-1SSL_SESSION\s0 object, The old session is
+stored in a different SSL_SESSION object, The old session is
removed and replaced by the new session. If the session is actually
-identical (the \s-1SSL_SESSION\s0 object is identical), \fBSSL_CTX_add_session()\fR
+identical (the SSL_SESSION object is identical), \fBSSL_CTX_add_session()\fR
is a no-op, and the return value is 0.
.PP
-If a server \s-1SSL_CTX\s0 is configured with the \s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0
+If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE
flag then the internal cache will not be populated automatically by new
-sessions negotiated by the \s-1SSL/TLS\s0 implementation, even though the internal
+sessions negotiated by the SSL/TLS implementation, even though the internal
cache will be searched automatically for session-resume requests (the
-latter can be suppressed by \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0). So the
+latter can be suppressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the
application can use \fBSSL_CTX_add_session()\fR directly to have full control
over the sessions that can be resumed if desired.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following values are returned by all functions:
-.IP "0" 4
+.IP 0 4
The operation failed. In case of the add operation, it was tried to add
the same (identical) session twice. In case of the remove operation, the
session was not found in the cache.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
@@ -188,11 +112,11 @@ The operation succeeded.
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3
index ad478c42f691..3af88d7463a3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_CONFIG 3ossl"
-.TH SSL_CTX_CONFIG 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_CONFIG 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_config, SSL_config \- configure SSL_CTX or SSL structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,10 +70,10 @@ SSL_CTX_config, SSL_config \- configure SSL_CTX or SSL structure
\& int SSL_CTX_config(SSL_CTX *ctx, const char *name);
\& int SSL_config(SSL *s, const char *name);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The functions \fBSSL_CTX_config()\fR and \fBSSL_config()\fR configure an \fB\s-1SSL_CTX\s0\fR or
-\&\fB\s-1SSL\s0\fR structure using the configuration \fBname\fR.
+The functions \fBSSL_CTX_config()\fR and \fBSSL_config()\fR configure an \fBSSL_CTX\fR or
+\&\fBSSL\fR structure using the configuration \fBname\fR.
.PP
By calling \fBSSL_CTX_config()\fR or \fBSSL_config()\fR an application can perform many
complex tasks based on the contents of the configuration file: greatly
@@ -164,9 +88,9 @@ file syntax.
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_config()\fR and \fBSSL_config()\fR return 1 for success or 0 if an error
occurred.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-If the file \*(L"config.cnf\*(R" contains the following:
+If the file "config.cnf" contains the following:
.PP
.Vb 1
\& testapp = test_sect
@@ -209,14 +133,14 @@ the need for any additional application code.
\&\fBconfig\fR\|(5),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBCONF_modules_load_file\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CTX_config()\fR and \fBSSL_config()\fR functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3
index e615f392c782..017adfb3f01e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_CTRL 3ossl"
-.TH SSL_CTX_CTRL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_CTRL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl \- internal handling functions for SSL_CTX and SSL objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,10 +73,10 @@ SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl \- internal han
\& long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
\& long SSL_callback_ctrl(SSL *, int cmd, void (*fp)());
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The SSL_*\fB_ctrl()\fR family of functions is used to manipulate settings of
-the \s-1SSL_CTX\s0 and \s-1SSL\s0 objects. Depending on the command \fBcmd\fR the arguments
+the SSL_CTX and SSL objects. Depending on the command \fBcmd\fR the arguments
\&\fBlarg\fR, \fBparg\fR, or \fBfp\fR are evaluated. These functions should never
be called directly. All functionalities needed are made available via
other functions or macros.
@@ -163,11 +87,11 @@ supplied via the \fBcmd\fR parameter.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3
index 5f612d9bcbf5..f45c6844588c 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_DANE_ENABLE 3ossl"
-.TH SSL_CTX_DANE_ENABLE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_DANE_ENABLE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable,
SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa,
SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags,
SSL_dane_set_flags, SSL_dane_clear_flags
\&\- enable DANE TLS authentication of the remote TLS server in the local
TLS client
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -163,57 +87,57 @@ TLS client
\& unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
\& unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions implement support for \s-1DANE TLSA\s0 (\s-1RFC6698\s0 and \s-1RFC7671\s0)
+These functions implement support for DANE TLSA (RFC6698 and RFC7671)
peer authentication.
.PP
\&\fBSSL_CTX_dane_enable()\fR must be called first to initialize the shared state
-required for \s-1DANE\s0 support.
+required for DANE support.
Individual connections associated with the context can then enable
-per-connection \s-1DANE\s0 support as appropriate.
-\&\s-1DANE\s0 authentication is implemented in the \fBX509_verify_cert\fR\|(3) function, and
+per-connection DANE support as appropriate.
+DANE authentication is implemented in the \fBX509_verify_cert\fR\|(3) function, and
applications that override \fBX509_verify_cert\fR\|(3) via
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3) are responsible to authenticate the peer
chain in whatever manner they see fit.
.PP
\&\fBSSL_CTX_dane_mtype_set()\fR may then be called zero or more times to adjust the
supported digest algorithms.
-This must be done before any \s-1SSL\s0 handles are created for the context.
+This must be done before any SSL handles are created for the context.
.PP
-The \fBmtype\fR argument specifies a \s-1DANE TLSA\s0 matching type and the \fBmd\fR
+The \fBmtype\fR argument specifies a DANE TLSA matching type and the \fBmd\fR
argument specifies the associated digest algorithm handle.
The \fBord\fR argument specifies a strength ordinal.
Algorithms with a larger strength ordinal are considered more secure.
-Strength ordinals are used to implement \s-1RFC7671\s0 digest algorithm agility.
-Specifying a \fB\s-1NULL\s0\fR digest algorithm for a matching type disables
+Strength ordinals are used to implement RFC7671 digest algorithm agility.
+Specifying a \fBNULL\fR digest algorithm for a matching type disables
support for that matching type.
Matching type \fBFull\fR\|(0) cannot be modified or disabled.
.PP
-By default, matching type \f(CW\*(C`SHA2\-256(1)\*(C'\fR (see \s-1RFC7218\s0 for definitions
-of the \s-1DANE TLSA\s0 parameter acronyms) is mapped to \f(CW\*(C`EVP_sha256()\*(C'\fR
+By default, matching type \f(CW\*(C`SHA2\-256(1)\*(C'\fR (see RFC7218 for definitions
+of the DANE TLSA parameter acronyms) is mapped to \f(CWEVP_sha256()\fR
with a strength ordinal of \f(CW1\fR and matching type \f(CW\*(C`SHA2\-512(2)\*(C'\fR
-is mapped to \f(CW\*(C`EVP_sha512()\*(C'\fR with a strength ordinal of \f(CW2\fR.
+is mapped to \f(CWEVP_sha512()\fR with a strength ordinal of \f(CW2\fR.
.PP
-\&\fBSSL_dane_enable()\fR must be called before the \s-1SSL\s0 handshake is initiated with
-\&\fBSSL_connect\fR\|(3) if (and only if) you want to enable \s-1DANE\s0 for that connection.
-(The connection must be associated with a DANE-enabled \s-1SSL\s0 context).
-The \fBbasedomain\fR argument specifies the \s-1RFC7671 TLSA\s0 base domain,
+\&\fBSSL_dane_enable()\fR must be called before the SSL handshake is initiated with
+\&\fBSSL_connect\fR\|(3) if (and only if) you want to enable DANE for that connection.
+(The connection must be associated with a DANE-enabled SSL context).
+The \fBbasedomain\fR argument specifies the RFC7671 TLSA base domain,
which will be the primary peer reference identifier for certificate
name checks.
Additional server names can be specified via \fBSSL_add1_host\fR\|(3).
-The \fBbasedomain\fR is used as the default \s-1SNI\s0 hint if none has yet been
+The \fBbasedomain\fR is used as the default SNI hint if none has yet been
specified via \fBSSL_set_tlsext_host_name\fR\|(3).
.PP
\&\fBSSL_dane_tlsa_add()\fR may then be called one or more times, to load each of the
-\&\s-1TLSA\s0 records that apply to the remote \s-1TLS\s0 peer.
-(This too must be done prior to the beginning of the \s-1SSL\s0 handshake).
-The arguments specify the fields of the \s-1TLSA\s0 record.
-The \fBdata\fR field is provided in binary (wire \s-1RDATA\s0) form, not the hexadecimal
-\&\s-1ASCII\s0 presentation form, with an explicit length passed via \fBdlen\fR.
+TLSA records that apply to the remote TLS peer.
+(This too must be done prior to the beginning of the SSL handshake).
+The arguments specify the fields of the TLSA record.
+The \fBdata\fR field is provided in binary (wire RDATA) form, not the hexadecimal
+ASCII presentation form, with an explicit length passed via \fBdlen\fR.
The library takes a copy of the \fBdata\fR buffer contents and the caller may
free the original \fBdata\fR buffer when convenient.
-A return value of 0 indicates that \*(L"unusable\*(R" \s-1TLSA\s0 records (with invalid or
+A return value of 0 indicates that "unusable" TLSA records (with invalid or
unsupported parameters) were provided.
A negative return value indicates an internal error in processing the record.
.PP
@@ -221,21 +145,21 @@ The caller is expected to check the return value of each \fBSSL_dane_tlsa_add()\
call and take appropriate action if none are usable or an internal error
is encountered in processing some records.
.PP
-If no \s-1TLSA\s0 records are added successfully, \s-1DANE\s0 authentication is not enabled,
+If no TLSA records are added successfully, DANE authentication is not enabled,
and authentication will be based on any configured traditional trust-anchors;
authentication success in this case does not mean that the peer was
DANE-authenticated.
.PP
\&\fBSSL_get0_dane_authority()\fR can be used to get more detailed information about
-the matched \s-1DANE\s0 trust-anchor after successful connection completion.
-The return value is negative if \s-1DANE\s0 verification failed (or was not enabled),
-0 if an \s-1EE TLSA\s0 record directly matched the leaf certificate, or a positive
-number indicating the depth at which a \s-1TA\s0 record matched an issuer certificate.
+the matched DANE trust-anchor after successful connection completion.
+The return value is negative if DANE verification failed (or was not enabled),
+0 if an EE TLSA record directly matched the leaf certificate, or a positive
+number indicating the depth at which a TA record matched an issuer certificate.
The complete verified chain can be retrieved via \fBSSL_get0_verified_chain\fR\|(3).
The return value is an index into this verified chain, rather than the list of
certificates sent by the peer as returned by \fBSSL_get_peer_cert_chain\fR\|(3).
.PP
-If the \fBmcert\fR argument is not \fB\s-1NULL\s0\fR and a \s-1TLSA\s0 record matched a chain
+If the \fBmcert\fR argument is not \fBNULL\fR and a TLSA record matched a chain
certificate, a pointer to the matching certificate is returned via \fBmcert\fR.
The returned address is a short-term internal reference to the certificate and
must not be freed by the application.
@@ -243,87 +167,87 @@ Applications that want to retain access to the certificate can call
\&\fBX509_up_ref\fR\|(3) to obtain a long-term reference which must then be freed via
\&\fBX509_free\fR\|(3) once no longer needed.
.PP
-If no \s-1TLSA\s0 records directly matched any elements of the certificate chain, but
-a \s-1\fBDANE\-TA\s0\fR\|(2) \s-1\fBSPKI\s0\fR\|(1) \fBFull\fR\|(0) record provided the public key that signed an
+If no TLSA records directly matched any elements of the certificate chain, but
+a \fBDANE\-TA\fR\|(2) \fBSPKI\fR\|(1) \fBFull\fR\|(0) record provided the public key that signed an
element of the chain, then that key is returned via \fBmspki\fR argument (if not
-\&\s-1NULL\s0).
+NULL).
In this case the return value is the depth of the top-most element of the
validated certificate chain.
As with \fBmcert\fR this is a short-term internal reference, and
\&\fBEVP_PKEY_up_ref\fR\|(3) and \fBEVP_PKEY_free\fR\|(3) can be used to acquire and
release long-term references respectively.
.PP
-\&\fBSSL_get0_dane_tlsa()\fR can be used to retrieve the fields of the \s-1TLSA\s0 record that
+\&\fBSSL_get0_dane_tlsa()\fR can be used to retrieve the fields of the TLSA record that
matched the peer certificate chain.
The return value indicates the match depth or failure to match just as with
\&\fBSSL_get0_dane_authority()\fR.
When the return value is nonnegative, the storage pointed to by the \fBusage\fR,
\&\fBselector\fR, \fBmtype\fR and \fBdata\fR parameters is updated to the corresponding
-\&\s-1TLSA\s0 record fields.
+TLSA record fields.
The \fBdata\fR field is in binary wire form, and is therefore not NUL-terminated,
its length is returned via the \fBdlen\fR parameter.
-If any of these parameters is \s-1NULL,\s0 the corresponding field is not returned.
+If any of these parameters is NULL, the corresponding field is not returned.
The \fBdata\fR parameter is set to a short-term internal-copy of the associated
data field and must not be freed by the application.
Applications that need long-term access to this field need to copy the content.
.PP
\&\fBSSL_CTX_dane_set_flags()\fR and \fBSSL_dane_set_flags()\fR can be used to enable
-optional \s-1DANE\s0 verification features.
+optional DANE verification features.
\&\fBSSL_CTX_dane_clear_flags()\fR and \fBSSL_dane_clear_flags()\fR can be used to disable
the same features.
The \fBflags\fR argument is a bit-mask of the features to enable or disable.
-The \fBflags\fR set for an \fB\s-1SSL_CTX\s0\fR context are copied to each \fB\s-1SSL\s0\fR handle
+The \fBflags\fR set for an \fBSSL_CTX\fR context are copied to each \fBSSL\fR handle
associated with that context at the time the handle is created.
Subsequent changes in the context's \fBflags\fR have no effect on the \fBflags\fR set
for the handle.
.PP
-At present, the only available option is \fB\s-1DANE_FLAG_NO_DANE_EE_NAMECHECKS\s0\fR
+At present, the only available option is \fBDANE_FLAG_NO_DANE_EE_NAMECHECKS\fR
which can be used to disable server name checks when authenticating via
-\&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records.
+\&\fBDANE\-EE\fR\|(3) TLSA records.
For some applications, primarily web browsers, it is not safe to disable name
-checks due to \*(L"unknown key share\*(R" attacks, in which a malicious server can
+checks due to "unknown key share" attacks, in which a malicious server can
convince a client that a connection to a victim server is instead a secure
connection to the malicious server.
The malicious server may then be able to violate cross-origin scripting
restrictions.
-Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for
-\&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is safe
+Thus, despite the text of RFC7671, name checks are by default enabled for
+\&\fBDANE\-EE\fR\|(3) TLSA records, and can be disabled in applications where it is safe
to do so.
-In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\s0
+In particular, SMTP and XMPP clients should set this option as SRV and MX
records already make it possible for a remote domain to redirect client
-connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients
+connections to any server of its choice, and in any case SMTP and XMPP clients
do not execute scripts downloaded from remote servers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions \fBSSL_CTX_dane_enable()\fR, \fBSSL_CTX_dane_mtype_set()\fR,
\&\fBSSL_dane_enable()\fR and \fBSSL_dane_tlsa_add()\fR return a positive value on success.
Negative return values indicate resource problems (out of memory, etc.) in the
-\&\s-1SSL\s0 library, while a return value of \fB0\fR indicates incorrect usage or invalid
-input, such as an unsupported \s-1TLSA\s0 record certificate usage, selector or
+SSL library, while a return value of \fB0\fR indicates incorrect usage or invalid
+input, such as an unsupported TLSA record certificate usage, selector or
matching type.
Invalid input also includes malformed data, either a digest length that does
-not match the digest algorithm, or a \f(CWFull(0)\fR (binary \s-1ASN.1 DER\s0 form)
+not match the digest algorithm, or a \f(CWFull(0)\fR (binary ASN.1 DER form)
certificate or a public key that fails to parse.
.PP
The functions \fBSSL_get0_dane_authority()\fR and \fBSSL_get0_dane_tlsa()\fR return a
-negative value when \s-1DANE\s0 authentication failed or was not enabled, a
-nonnegative value indicates the chain depth at which the \s-1TLSA\s0 record matched a
-chain certificate, or the depth of the top-most certificate, when the \s-1TLSA\s0
+negative value when DANE authentication failed or was not enabled, a
+nonnegative value indicates the chain depth at which the TLSA record matched a
+chain certificate, or the depth of the top-most certificate, when the TLSA
record is a full public key that is its signer.
.PP
The functions \fBSSL_CTX_dane_set_flags()\fR, \fBSSL_CTX_dane_clear_flags()\fR,
\&\fBSSL_dane_set_flags()\fR and \fBSSL_dane_clear_flags()\fR return the \fBflags\fR in effect
before they were called.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Suppose \*(L"smtp.example.com\*(R" is the \s-1MX\s0 host of the domain \*(L"example.com\*(R", and has
-DNSSEC-validated \s-1TLSA\s0 records.
-The calls below will perform \s-1DANE\s0 authentication and arrange to match either
-the \s-1MX\s0 hostname or the destination domain name in the \s-1SMTP\s0 server certificate.
+Suppose "smtp.example.com" is the MX host of the domain "example.com", and has
+DNSSEC-validated TLSA records.
+The calls below will perform DANE authentication and arrange to match either
+the MX hostname or the destination domain name in the SMTP server certificate.
Wildcards are supported, but must match the entire label.
The actual name matched in the certificate (which might be a wildcard) is
retrieved, and must be copied by the application if it is to be retained beyond
-the lifetime of the \s-1SSL\s0 connection.
+the lifetime of the SSL connection.
.PP
.Vb 7
\& SSL_CTX *ctx;
@@ -440,10 +364,13 @@ the lifetime of the \s-1SSL\s0 connection.
\& int depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
\& if (depth >= 0) {
\& (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL);
-\& printf("DANE TLSA %d %d %d %s at depth %d\en", usage, selector, mtype,
-\& (mspki != NULL) ? "TA public key verified certificate" :
-\& depth ? "matched TA certificate" : "matched EE certificate",
-\& depth);
+\& printf("DANE TLSA %d %d %d ", usage, selector, mtype);
+\& if (SSL_get0_peer_rpk(ssl) == NULL)
+\& printf("%s certificate at depth %d\en",
+\& (mspki != NULL) ? "signed the peer" :
+\& mdpth ? "matched the TA" : "matched the EE", mdpth);
+\& else
+\& printf(bio, "matched the peer raw public key\en");
\& }
\& if (peername != NULL) {
\& /* Name checks were in scope and matched the peername */
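Review bot: The rewritten example in this hunk does not look compilable as shown: the new `printf` uses `mdpth`, while the only depth variable visible here is `int depth`, and the `else` branch calls `printf(bio, "matched the peer raw public key\en")` with `bio` in the format-string position. Assuming neither name is declared in the part of the example outside the hunk, the lines should read `depth ? "matched the TA" : "matched the EE", depth);` and `printf("matched the peer raw public key\en");`. Readers copy this snippet to report how a peer was DANE-authenticated, so an example that fails to build, or is "fixed" by guessing, is worth correcting. The page is generated by Pod::Man, so the correction belongs in the POD source and the man page should be regenerated from it rather than edited here.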
@@ -458,27 +385,27 @@ the lifetime of the \s-1SSL\s0 connection.
\& */
\& }
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-It is expected that the majority of clients employing \s-1DANE TLS\s0 will be doing
-\&\*(L"opportunistic \s-1DANE TLS\*(R"\s0 in the sense of \s-1RFC7672\s0 and \s-1RFC7435.\s0
-That is, they will use \s-1DANE\s0 authentication when DNSSEC-validated \s-1TLSA\s0 records
-are published for a given peer, and otherwise will use unauthenticated \s-1TLS\s0 or
+It is expected that the majority of clients employing DANE TLS will be doing
+"opportunistic DANE TLS" in the sense of RFC7672 and RFC7435.
+That is, they will use DANE authentication when DNSSEC-validated TLSA records
+are published for a given peer, and otherwise will use unauthenticated TLS or
even cleartext.
.PP
-Such applications should generally treat any \s-1TLSA\s0 records published by the peer
-with usages \s-1\fBPKIX\-TA\s0\fR\|(0) and \s-1\fBPKIX\-EE\s0\fR\|(1) as \*(L"unusable\*(R", and should not include
-them among the \s-1TLSA\s0 records used to authenticate peer connections.
-In addition, some \s-1TLSA\s0 records with supported usages may be \*(L"unusable\*(R" as a
+Such applications should generally treat any TLSA records published by the peer
+with usages \fBPKIX\-TA\fR\|(0) and \fBPKIX\-EE\fR\|(1) as "unusable", and should not include
+them among the TLSA records used to authenticate peer connections.
+In addition, some TLSA records with supported usages may be "unusable" as a
result of invalid or unsupported parameters.
.PP
-When a peer has \s-1TLSA\s0 records, but none are \*(L"usable\*(R", an opportunistic
+When a peer has TLSA records, but none are "usable", an opportunistic
application must avoid cleartext, but cannot authenticate the peer,
and so should generally proceed with an unauthenticated connection.
Opportunistic applications need to note the return value of each
call to \fBSSL_dane_tlsa_add()\fR, and if all return 0 (due to invalid
or unsupported parameters) disable peer authentication by calling
-\&\fBSSL_set_verify\fR\|(3) with \fBmode\fR equal to \fB\s-1SSL_VERIFY_NONE\s0\fR.
+\&\fBSSL_set_verify\fR\|(3) with \fBmode\fR equal to \fBSSL_VERIFY_NONE\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
@@ -499,14 +426,14 @@ or unsupported parameters) disable peer authentication by calling
\&\fBEVP_get_digestbyname\fR\|(3),
\&\fBEVP_PKEY_up_ref\fR\|(3),
\&\fBEVP_PKEY_free\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3
index 1b59294f251d..aef2cb477d52 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,39 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_FLUSH_SESSIONS 3ossl"
-.TH SSL_CTX_FLUSH_SESSIONS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_FLUSH_SESSIONS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_CTX_flush_sessions \- remove expired sessions
-.SH "SYNOPSIS"
+.SH NAME
+SSL_CTX_flush_sessions_ex, SSL_CTX_flush_sessions \- remove expired sessions
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
+\& void SSL_CTX_flush_sessions_ex(SSL_CTX *ctx, time_t tm);
+.Ve
+.PP
+The following functions have been deprecated since OpenSSL 3.4, and can be
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
+see \fBopenssl_user_macros\fR\|(7):
+.PP
+.Vb 1
\& void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_flush_sessions()\fR causes a run through the session cache of
+\&\fBSSL_CTX_flush_sessions_ex()\fR causes a run through the session cache of
\&\fBctx\fR to remove sessions expired at time \fBtm\fR.
-.SH "NOTES"
+.PP
+\&\fBSSL_CTX_flush_sessions()\fR is an older variant of the function that is not
+Y2038 safe due to usage of long datatype instead of time_t.
+.SH NOTES
.IX Header "NOTES"
If enabled, the internal session cache will collect all sessions established
up to the specified maximum number (see \fBSSL_CTX_sess_set_cache_size()\fR).
@@ -157,30 +92,33 @@ As sessions will not be reused ones they are expired, they should be
removed from the cache to save resources. This can either be done
automatically whenever 255 new sessions were established (see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3))
-or manually by calling \fBSSL_CTX_flush_sessions()\fR.
+or manually by calling \fBSSL_CTX_flush_sessions_ex()\fR.
.PP
The parameter \fBtm\fR specifies the time which should be used for the
expiration test, in most cases the actual time given by \fBtime\fR\|(0)
will be used.
.PP
-\&\fBSSL_CTX_flush_sessions()\fR will only check sessions stored in the internal
+\&\fBSSL_CTX_flush_sessions_ex()\fR will only check sessions stored in the internal
cache. When a session is found and removed, the remove_session_cb is however
called to synchronize with the external cache (see
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_CTX_flush_sessions()\fR does not return a value.
+\&\fBSSL_CTX_flush_sessions_ex()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_CTX_flush_sessions_ex()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3
index 3d0e2f58c08d..8296e1827754 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_FREE 3ossl"
-.TH SSL_CTX_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_free \- free an allocated SSL_CTX object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_free(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_free()\fR decrements the reference count of \fBctx\fR, and removes the
-\&\s-1SSL_CTX\s0 object pointed to by \fBctx\fR and frees up the allocated memory if the reference count has reached 0.
+SSL_CTX object pointed to by \fBctx\fR and frees up the allocated memory if the reference count has reached 0.
.PP
It also calls the \fBfree()\fRing procedures for indirectly affected items, if
applicable: the session cache, the list of ciphers, the list of Client CAs,
the certificates and keys.
.PP
-If \fBctx\fR is \s-1NULL\s0 nothing is done.
-.SH "WARNINGS"
+If \fBctx\fR is NULL nothing is done.
+.SH WARNINGS
.IX Header "WARNINGS"
If a session-remove callback is set (\fBSSL_CTX_sess_set_remove_cb()\fR), this
callback will be called for each session being freed from \fBctx\fR's
session cache. This implies, that all corresponding sessions from an
external session cache are removed as well. If this is not desired, the user
should explicitly unset the callback by calling
-SSL_CTX_sess_set_remove_cb(\fBctx\fR, \s-1NULL\s0) prior to calling \fBSSL_CTX_free()\fR.
+SSL_CTX_sess_set_remove_cb(\fBctx\fR, NULL) prior to calling \fBSSL_CTX_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_free()\fR does not provide diagnostic information.
@@ -170,11 +94,11 @@ SSL_CTX_sess_set_remove_cb(\fBctx\fR, \s-1NULL\s0) prior to calling \fBSSL_CTX_f
.IX Header "SEE ALSO"
\&\fBSSL_CTX_new\fR\|(3), \fBssl\fR\|(7),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3
index 352e44ccf1c7..bf2f38dd47f1 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_GET0_PARAM 3ossl"
-.TH SSL_CTX_GET0_PARAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_GET0_PARAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param,
SSL_CTX_set_purpose, SSL_CTX_set_trust, SSL_set_purpose, SSL_set_trust \-
get and set verification parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -156,7 +80,7 @@ get and set verification parameters
\& int SSL_CTX_set_trust(SSL_CTX *ctx, int trust);
\& int SSL_set_trust(SSL *ssl, int trust);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_get0_param()\fR and \fBSSL_get0_param()\fR retrieve an internal pointer to
the verification parameters for \fBctx\fR or \fBssl\fR respectively. The returned
@@ -172,9 +96,9 @@ are equivalent to calling \fBX509_VERIFY_PARAM_set_purpose()\fR directly.
The functions \fBSSL_CTX_set_trust()\fR and \fBSSL_set_trust()\fR are similarly shorthands
which set the trust parameter on the verification parameters object. These
functions are equivalent to calling \fBX509_VERIFY_PARAM_set_trust()\fR directly.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Typically parameters are retrieved from an \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structure
+Typically parameters are retrieved from an \fBSSL_CTX\fR or \fBSSL\fR structure
using \fBSSL_CTX_get0_param()\fR or \fBSSL_get0_param()\fR and an application modifies
them to suit its needs: for example to add a hostname check.
.SH "RETURN VALUES"
@@ -185,9 +109,9 @@ them to suit its needs: for example to add a hostname check.
\&\fBSSL_CTX_set1_param()\fR, \fBSSL_set1_param()\fR, \fBSSL_CTX_set_purpose()\fR,
\&\fBSSL_set_purpose()\fR, \fBSSL_CTX_set_trust()\fR and \fBSSL_set_trust()\fR return 1 for success
and 0 for failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Check hostname matches \*(L"www.foo.com\*(R" in peer certificate:
+Check hostname matches "www.foo.com" in peer certificate:
.PP
.Vb 2
\& X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
@@ -197,14 +121,14 @@ Check hostname matches \*(L"www.foo.com\*(R" in peer certificate:
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3
index 0daf811df802..37749611048b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_GET_VERIFY_MODE 3ossl"
-.TH SSL_CTX_GET_VERIFY_MODE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_GET_VERIFY_MODE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback \- get currently set verification parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,7 +74,7 @@ SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_
\& int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
\& int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_get_verify_mode()\fR returns the verification mode currently set in
\&\fBctx\fR.
@@ -168,22 +92,22 @@ default value will be used.
.PP
\&\fBSSL_CTX_get_verify_callback()\fR returns a function pointer to the verification
callback currently set in \fBctx\fR. If no callback was explicitly set, the
-\&\s-1NULL\s0 pointer is returned and the default callback will be used.
+NULL pointer is returned and the default callback will be used.
.PP
\&\fBSSL_get_verify_callback()\fR returns a function pointer to the verification
callback currently set in \fBssl\fR. If no callback was explicitly set, the
-\&\s-1NULL\s0 pointer is returned and the default callback will be used.
+NULL pointer is returned and the default callback will be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-See \s-1DESCRIPTION\s0
+See DESCRIPTION
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_verify\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3
index ab0db5f99e96..e6deb8f7d4f3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl"
-.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_has_client_custom_ext \- check whether a handler exists for a particular
client extension type
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_has_client_custom_ext()\fR checks whether a handler has been set for a
client extension of type \fBext_type\fR using \fBSSL_CTX_add_client_custom_ext()\fR.
@@ -157,11 +81,11 @@ Returns 1 if a handler has been set, 0 otherwise.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_add_client_custom_ext\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3
index 5c196b6bcdc2..923f7bbf55ce 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl"
-.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_load_verify_dir, SSL_CTX_load_verify_file,
SSL_CTX_load_verify_store, SSL_CTX_set_default_verify_paths,
SSL_CTX_set_default_verify_dir, SSL_CTX_set_default_verify_file,
SSL_CTX_set_default_verify_store, SSL_CTX_load_verify_locations
\&\- set default locations for trusted CA certificates
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -160,28 +84,29 @@ SSL_CTX_set_default_verify_store, SSL_CTX_load_verify_locations
\& int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
\& const char *CApath);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_load_verify_locations()\fR, \fBSSL_CTX_load_verify_dir()\fR,
\&\fBSSL_CTX_load_verify_file()\fR, \fBSSL_CTX_load_verify_store()\fR specifies the
-locations for \fBctx\fR, at which \s-1CA\s0 certificates for verification purposes
+locations for \fBctx\fR, at which CA certificates for verification purposes
are located. The certificates available via \fBCAfile\fR, \fBCApath\fR and
-\&\fBCAstore\fR are trusted.
+\&\fBCAstore\fR are trusted. \fBctx\fR \fBMUST NOT\fR be NULL
.PP
Details of the certificate verification and chain checking process are
-described in \*(L"Certification Path Validation\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+described in "Certification Path Validation" in \fBopenssl\-verification\-options\fR\|(1).
.PP
\&\fBSSL_CTX_set_default_verify_paths()\fR specifies that the default locations from
-which \s-1CA\s0 certificates are loaded should be used. There is one default directory,
+which CA certificates are loaded should be used. There is one default directory,
one default file and one default store.
-The default \s-1CA\s0 certificates directory is called \fIcerts\fR in the default OpenSSL
+The default CA certificates directory is called \fIcerts\fR in the default OpenSSL
directory, and this is also the default store.
-Alternatively the \fB\s-1SSL_CERT_DIR\s0\fR environment variable can be defined to
+Alternatively the \fBSSL_CERT_DIR\fR environment variable can be defined to
override this location.
-The default \s-1CA\s0 certificates file is called \fIcert.pem\fR in the default
+The default CA certificates file is called \fIcert.pem\fR in the default
OpenSSL directory.
-Alternatively the \fB\s-1SSL_CERT_FILE\s0\fR environment variable can be defined to
+Alternatively the \fBSSL_CERT_FILE\fR environment variable can be defined to
override this location.
+\&\fBctx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBSSL_CTX_set_default_verify_dir()\fR is similar to
\&\fBSSL_CTX_set_default_verify_paths()\fR except that just the default directory is
@@ -194,10 +119,10 @@ used.
\&\fBSSL_CTX_set_default_verify_store()\fR is similar to
\&\fBSSL_CTX_set_default_verify_paths()\fR except that just the default store is
used.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-If \fBCAfile\fR is not \s-1NULL,\s0 it points to a file of \s-1CA\s0 certificates in \s-1PEM\s0
-format. The file can contain several \s-1CA\s0 certificates identified by
+If \fBCAfile\fR is not NULL, it points to a file of CA certificates in PEM
+format. The file can contain several CA certificates identified by
.PP
.Vb 3
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
@@ -211,10 +136,10 @@ which can be used e.g. for descriptions of the certificates.
The \fBCAfile\fR is processed on execution of the \fBSSL_CTX_load_verify_locations()\fR
function.
.PP
-If \fBCApath\fR is not \s-1NULL,\s0 it points to a directory containing \s-1CA\s0 certificates
-in \s-1PEM\s0 format. The files each contain one \s-1CA\s0 certificate. The files are
-looked up by the \s-1CA\s0 subject name hash value, which must hence be available.
-If more than one \s-1CA\s0 certificate with the same name hash value exist, the
+If \fBCApath\fR is not NULL, it points to a directory containing CA certificates
+in PEM format. The files each contain one CA certificate. The files are
+looked up by the CA subject name hash value, which must hence be available.
+If more than one CA certificate with the same name hash value exist, the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
properties of the certificates.
@@ -224,12 +149,12 @@ The certificates in \fBCApath\fR are only looked up when required, e.g. when
building the certificate chain or when actually performing the verification
of a peer certificate.
.PP
-When looking up \s-1CA\s0 certificates for chain building, the OpenSSL library
+When looking up CA certificates for chain building, the OpenSSL library
will search for suitable certificates first in \fBCAfile\fR, then in \fBCApath\fR.
Details of the chain building process are described in
-\&\*(L"Certification Path Building\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+"Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1).
.PP
-If \fBCAstore\fR is not \s-1NULL,\s0 it's a \s-1URI\s0 for to a store, which may
+If \fBCAstore\fR is not NULL, it's a URI for to a store, which may
represent a single container or a whole catalogue of containers.
Apart from the \fBCAstore\fR not necessarily being a local file or
directory, it's generally treated the same way as a \fBCApath\fR.
@@ -246,31 +171,31 @@ try to fill in missing certificates from \fBCAfile\fR/\fBCApath\fR, if the
certificate chain was not explicitly specified (see
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_CTX_use_certificate\fR\|(3).
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
-If several \s-1CA\s0 certificates matching the name, key identifier, and serial
+If several CA certificates matching the name, key identifier, and serial
number condition are available, only the first one will be examined. This
-may lead to unexpected results if the same \s-1CA\s0 certificate is available
-with different expiration dates. If a \*(L"certificate expired\*(R" verification
+may lead to unexpected results if the same CA certificate is available
+with different expiration dates. If a "certificate expired" verification
error occurs, no other certificate will be searched. Make sure to not
have expired certificates mixed with valid ones.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
For SSL_CTX_load_verify_locations the following return values can occur:
-.IP "0" 4
-The operation failed because \fBCAfile\fR and \fBCApath\fR are \s-1NULL\s0 or the
+.IP 0 4
+The operation failed because \fBCAfile\fR and \fBCApath\fR are NULL or the
processing at one of the locations specified failed. Check the error
stack to find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation succeeded.
.PP
\&\fBSSL_CTX_set_default_verify_paths()\fR, \fBSSL_CTX_set_default_verify_dir()\fR and
\&\fBSSL_CTX_set_default_verify_file()\fR all return 1 on success or 0 on failure. A
missing default location is still treated as a success.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Generate a \s-1CA\s0 certificate file with descriptive text from the \s-1CA\s0 certificates
+Generate a CA certificate file with descriptive text from the CA certificates
ca1.pem ca2.pem ca3.pem:
.PP
.Vb 5
@@ -281,7 +206,7 @@ ca1.pem ca2.pem ca3.pem:
\& done
.Ve
.PP
-Prepare the directory /some/where/certs containing several \s-1CA\s0 certificates
+Prepare the directory /some/where/certs containing several CA certificates
for use as \fBCApath\fR:
.PP
.Vb 2
@@ -297,11 +222,11 @@ for use as \fBCApath\fR:
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_CTX_set_cert_store\fR\|(3),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3
index a293178b5785..0cef46fe5431 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_NEW 3ossl"
-.TH SSL_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method,
SSL_CTX_new, SSL_CTX_new_ex, SSL_CTX_up_ref, SSLv3_method,
SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method,
@@ -148,7 +72,7 @@ DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method,
DTLSv1_2_client_method
\&\- create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled
functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -206,44 +130,46 @@ functions
\& const SSL_METHOD *DTLSv1_2_client_method(void);
\& #endif
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_new_ex()\fR creates a new \fB\s-1SSL_CTX\s0\fR object, which holds various
-configuration and data relevant to \s-1SSL/TLS\s0 or \s-1DTLS\s0 session establishment.
-These are later inherited by the \fB\s-1SSL\s0\fR object representing an active session.
+\&\fBSSL_CTX_new_ex()\fR creates a new \fBSSL_CTX\fR object, which holds various
+configuration and data relevant to SSL/TLS or DTLS session establishment.
+These are later inherited by the \fBSSL\fR object representing an active session.
The \fImethod\fR parameter specifies whether the context will be used for the
-client or server side or both \- for details see the \*(L"\s-1NOTES\*(R"\s0 below.
-The library context \fIlibctx\fR (see \s-1\fBOSSL_LIB_CTX\s0\fR\|(3)) is used to provide the
+client or server side or both \- for details see the "NOTES" below.
+The library context \fIlibctx\fR (see \fBOSSL_LIB_CTX\fR\|(3)) is used to provide the
cryptographic algorithms needed for the session. Any cryptographic algorithms
-that are used by any \fB\s-1SSL\s0\fR objects created from this \fB\s-1SSL_CTX\s0\fR will be fetched
+that are used by any \fBSSL\fR objects created from this \fBSSL_CTX\fR will be fetched
from the \fIlibctx\fR using the property query string \fIpropq\fR (see
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7). Either or both the \fIlibctx\fR or \fIpropq\fR
-parameters may be \s-1NULL.\s0
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7). Either or both the \fIlibctx\fR or \fIpropq\fR
+parameters may be NULL.
.PP
\&\fBSSL_CTX_new()\fR does the same as \fBSSL_CTX_new_ex()\fR except that the default
library context is used and no property query string is specified.
.PP
-An \fB\s-1SSL_CTX\s0\fR object is reference counted. Creating an \fB\s-1SSL_CTX\s0\fR object for the
-first time increments the reference count. Freeing the \fB\s-1SSL_CTX\s0\fR (using
+An \fBSSL_CTX\fR object is reference counted. Creating an \fBSSL_CTX\fR object for the
+first time increments the reference count. Freeing the \fBSSL_CTX\fR (using
SSL_CTX_free) decrements it. When the reference count drops to zero, any memory
-or resources allocated to the \fB\s-1SSL_CTX\s0\fR object are freed. \fBSSL_CTX_up_ref()\fR
-increments the reference count for an existing \fB\s-1SSL_CTX\s0\fR structure.
+or resources allocated to the \fBSSL_CTX\fR object are freed. \fBSSL_CTX_up_ref()\fR
+increments the reference count for an existing \fBSSL_CTX\fR structure.
.PP
-An \fB\s-1SSL_CTX\s0\fR object should not be changed after it is used to create any \fB\s-1SSL\s0\fR
+An \fBSSL_CTX\fR object should not be changed after it is used to create any \fBSSL\fR
objects or from multiple threads concurrently, since the implementation does not
provide serialization of access for these cases.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
On session establishment, by default, no peer credentials verification is done.
This must be explicitly requested, typically using \fBSSL_CTX_set_verify\fR\|(3).
For verifying peer certificates many options can be set using various functions
such as \fBSSL_CTX_load_verify_locations\fR\|(3) and \fBSSL_CTX_set1_param\fR\|(3).
-The \fBX509_VERIFY_PARAM_set_purpose\fR\|(3) function can be used, also in conjunction
-with \fBSSL_CTX_get0_param\fR\|(3), to set the intended purpose of the session.
-The default is \fBX509_PURPOSE_SSL_SERVER\fR on the client side
+.PP
+The SSL/(D)TLS implementation uses the \fBX509_STORE_CTX_set_default\fR\|(3)
+function to prepare checks for \fBX509_PURPOSE_SSL_SERVER\fR on the client side
and \fBX509_PURPOSE_SSL_CLIENT\fR on the server side.
+The \fBX509_VERIFY_PARAM_set_purpose\fR\|(3) function can be used, also in conjunction
+with \fBSSL_CTX_get0_param\fR\|(3), to override the default purpose of the session.
.PP
-The \s-1SSL_CTX\s0 object uses \fImethod\fR as the connection method.
+The SSL_CTX object uses \fImethod\fR as the connection method.
Three method variants are available: a generic method (for either client or
server use), a server-only method, and a client-only method.
.PP
@@ -251,7 +177,7 @@ The \fImethod\fR parameter of \fBSSL_CTX_new_ex()\fR and \fBSSL_CTX_new()\fR
can be one of the following:
.IP "\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR" 4
.IX Item "TLS_method(), TLS_server_method(), TLS_client_method()"
-These are the general-purpose \fIversion-flexible\fR \s-1SSL/TLS\s0 methods.
+These are the general-purpose \fIversion-flexible\fR SSL/TLS methods.
The actual protocol version used will be negotiated to the highest version
mutually supported by the client and the server.
The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.
@@ -267,25 +193,25 @@ old function names still compiles. However, using the old function names
is deprecated and new code should call the new functions instead.
.IP "\fBTLSv1_2_method()\fR, \fBTLSv1_2_server_method()\fR, \fBTLSv1_2_client_method()\fR" 4
.IX Item "TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+A TLS/SSL connection established with these methods will only understand the
TLSv1.2 protocol. These methods are deprecated.
.IP "\fBTLSv1_1_method()\fR, \fBTLSv1_1_server_method()\fR, \fBTLSv1_1_client_method()\fR" 4
.IX Item "TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+A TLS/SSL connection established with these methods will only understand the
TLSv1.1 protocol. These methods are deprecated.
.IP "\fBTLSv1_method()\fR, \fBTLSv1_server_method()\fR, \fBTLSv1_client_method()\fR" 4
.IX Item "TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+A TLS/SSL connection established with these methods will only understand the
TLSv1 protocol. These methods are deprecated.
.IP "\fBSSLv3_method()\fR, \fBSSLv3_server_method()\fR, \fBSSLv3_client_method()\fR" 4
.IX Item "SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()"
-A \s-1TLS/SSL\s0 connection established with these methods will only understand the
+A TLS/SSL connection established with these methods will only understand the
SSLv3 protocol.
The SSLv3 protocol is deprecated and should not be used.
.IP "\fBDTLS_method()\fR, \fBDTLS_server_method()\fR, \fBDTLS_client_method()\fR" 4
.IX Item "DTLS_method(), DTLS_server_method(), DTLS_client_method()"
-These are the version-flexible \s-1DTLS\s0 methods.
-Currently supported protocols are \s-1DTLS 1.0\s0 and \s-1DTLS 1.2.\s0
+These are the version-flexible DTLS methods.
+Currently supported protocols are DTLS 1.0 and DTLS 1.2.
.IP "\fBDTLSv1_2_method()\fR, \fBDTLSv1_2_server_method()\fR, \fBDTLSv1_2_client_method()\fR" 4
.IX Item "DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()"
These are the version-specific methods for DTLSv1.2.
@@ -310,14 +236,14 @@ methods you can use \fBSSL_CTX_set_min_proto_version\fR\|(3),
\&\fBSSL_set_max_proto_version\fR\|(3) functions.
Using these functions it is possible to choose e.g. \fBTLS_server_method()\fR
and be able to negotiate with all possible clients, but to only
-allow newer protocols like \s-1TLS 1.0, TLS 1.1, TLS 1.2\s0 or \s-1TLS 1.3.\s0
+allow newer protocols like TLS 1.0, TLS 1.1, TLS 1.2 or TLS 1.3.
.PP
The list of protocols available can also be limited using the
\&\fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR, \fBSSL_OP_NO_TLSv1_1\fR,
\&\fBSSL_OP_NO_TLSv1_3\fR, \fBSSL_OP_NO_TLSv1_2\fR and \fBSSL_OP_NO_TLSv1_3\fR
options of the
\&\fBSSL_CTX_set_options\fR\|(3) or \fBSSL_set_options\fR\|(3) functions, but this approach
-is not recommended. Clients should avoid creating \*(L"holes\*(R" in the set of
+is not recommended. Clients should avoid creating "holes" in the set of
protocols they support. When disabling a protocol, make sure that you also
disable either all previous or all subsequent protocol versions.
In clients, when a protocol version is disabled without disabling \fIall\fR
@@ -326,26 +252,26 @@ protocol versions.
.PP
The SSLv3 protocol is deprecated and should generally not be used.
Applications should typically use \fBSSL_CTX_set_min_proto_version\fR\|(3) to set
-the minimum protocol to at least \fB\s-1TLS1_VERSION\s0\fR.
+the minimum protocol to at least \fBTLS1_VERSION\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\s-1NULL\s0" 4
+.IP NULL 4
.IX Item "NULL"
-The creation of a new \s-1SSL_CTX\s0 object failed. Check the error stack to find out
+The creation of a new SSL_CTX object failed. Check the error stack to find out
the reason.
-.IP "Pointer to an \s-1SSL_CTX\s0 object" 4
+.IP "Pointer to an SSL_CTX object" 4
.IX Item "Pointer to an SSL_CTX object"
-The return value points to an allocated \s-1SSL_CTX\s0 object.
+The return value points to an allocated SSL_CTX object.
.Sp
\&\fBSSL_CTX_up_ref()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBSSL_CTX_set_options\fR\|(3), \fBSSL_CTX_free\fR\|(3),
+\&\fBSSL_CTX_set_options\fR\|(3), \fBSSL_CTX_free\fR\|(3), \fBX509_STORE_CTX_set_default\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3), \fBSSL_CTX_set1_param\fR\|(3), \fBSSL_CTX_get0_param\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_CTX_set_min_proto_version\fR\|(3), \fBssl\fR\|(7), \fBSSL_set_connect_state\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
Support for SSLv2 and the corresponding \fBSSLv2_method()\fR,
\&\fBSSLv2_server_method()\fR and \fBSSLv2_client_method()\fR functions where
@@ -358,11 +284,11 @@ and \fBTLS_client_method()\fR functions were added in OpenSSL 1.1.0.
All version-specific methods were deprecated in OpenSSL 1.1.0.
.PP
\&\fBSSL_CTX_new_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3
index 1bdd399b4a1f..e6c484650853 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESS_NUMBER 3ossl"
-.TH SSL_CTX_SESS_NUMBER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SESS_NUMBER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_sess_connect_renegotiate, SSL_CTX_sess_accept, SSL_CTX_sess_accept_good, SSL_CTX_sess_accept_renegotiate, SSL_CTX_sess_hits, SSL_CTX_sess_cb_hits, SSL_CTX_sess_misses, SSL_CTX_sess_timeouts, SSL_CTX_sess_cache_full \- obtain session cache statistics
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -156,25 +80,25 @@ SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_se
\& long SSL_CTX_sess_timeouts(SSL_CTX *ctx);
\& long SSL_CTX_sess_cache_full(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sess_number()\fR returns the current number of sessions in the internal
session cache.
.PP
-\&\fBSSL_CTX_sess_connect()\fR returns the number of started \s-1SSL/TLS\s0 handshakes in
+\&\fBSSL_CTX_sess_connect()\fR returns the number of started SSL/TLS handshakes in
client mode.
.PP
\&\fBSSL_CTX_sess_connect_good()\fR returns the number of successfully established
-\&\s-1SSL/TLS\s0 sessions in client mode.
+SSL/TLS sessions in client mode.
.PP
\&\fBSSL_CTX_sess_connect_renegotiate()\fR returns the number of started renegotiations
in client mode.
.PP
-\&\fBSSL_CTX_sess_accept()\fR returns the number of started \s-1SSL/TLS\s0 handshakes in
+\&\fBSSL_CTX_sess_accept()\fR returns the number of started SSL/TLS handshakes in
server mode.
.PP
\&\fBSSL_CTX_sess_accept_good()\fR returns the number of successfully established
-\&\s-1SSL/TLS\s0 sessions in server mode.
+SSL/TLS sessions in server mode.
.PP
\&\fBSSL_CTX_sess_accept_renegotiate()\fR returns the number of started renegotiations
in server mode.
@@ -199,17 +123,17 @@ the \fBSSL_CTX_sess_hits()\fR count.
because the maximum session cache size was exceeded.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-The functions return the values indicated in the \s-1DESCRIPTION\s0 section.
+The functions return the values indicated in the DESCRIPTION section.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
\&\fBSSL_CTX_sess_set_cache_size\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3
index 48aeb284f7a5..8da80e179e65 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESS_SET_CACHE_SIZE 3ossl"
-.TH SSL_CTX_SESS_SET_CACHE_SIZE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SESS_SET_CACHE_SIZE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size \- manipulate session cache size
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,16 +70,16 @@ SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size \- manipulate session c
\& long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t);
\& long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sess_set_cache_size()\fR sets the size of the internal session cache
of context \fBctx\fR to \fBt\fR.
This value is a hint and not an absolute; see the notes below.
.PP
\&\fBSSL_CTX_sess_get_cache_size()\fR returns the currently valid session cache size.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The internal session cache size is \s-1SSL_SESSION_CACHE_MAX_SIZE_DEFAULT,\s0
+The internal session cache size is SSL_SESSION_CACHE_MAX_SIZE_DEFAULT,
currently 1024*20, so that up to 20000 sessions can be held. This size
can be modified using the \fBSSL_CTX_sess_set_cache_size()\fR call. A special
case is the size 0, which is used for unlimited size.
@@ -181,11 +105,11 @@ expiration of sessions.
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_sess_number\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3
index b4f578264ebf..714a032279b2 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESS_SET_GET_CB 3ossl"
-.TH SSL_CTX_SESS_SET_GET_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SESS_SET_GET_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb \- provide callback functions for server side external session caching
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -161,27 +85,27 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS
\& const unsigned char *data,
\& int len, int *copy);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sess_set_new_cb()\fR sets the callback function that is
called whenever a new session was negotiated.
.PP
\&\fBSSL_CTX_sess_set_remove_cb()\fR sets the callback function that is
-called whenever a session is removed by the \s-1SSL\s0 engine. For example,
+called whenever a session is removed by the SSL engine. For example,
this can occur because a session is considered faulty or has become obsolete
because of exceeding the timeout value.
.PP
\&\fBSSL_CTX_sess_set_get_cb()\fR sets the callback function that is called
-whenever a \s-1TLS\s0 client proposed to resume a session but the session
+whenever a TLS client proposed to resume a session but the session
could not be found in the internal session cache (see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)).
-(\s-1TLS\s0 server only.)
+(TLS server only.)
.PP
\&\fBSSL_CTX_sess_get_new_cb()\fR, \fBSSL_CTX_sess_get_remove_cb()\fR, and
\&\fBSSL_CTX_sess_get_get_cb()\fR retrieve the function pointers set by the
corresponding set callback functions. If a callback function has not been
-set, the \s-1NULL\s0 pointer is returned.
-.SH "NOTES"
+set, the NULL pointer is returned.
+.SH NOTES
.IX Header "NOTES"
In order to allow external session caching, synchronization with the internal
session cache is realized via callback functions. Inside these callback
@@ -197,7 +121,7 @@ session is incremented before the callback, on behalf of the application. If
the callback returns \fB0\fR, the session will be immediately removed from the
internal cache and the reference count released. If the callback returns \fB1\fR,
the application retains the reference (for an entry in the
-application-maintained \*(L"external session cache\*(R"), and is responsible for
+application-maintained "external session cache"), and is responsible for
calling \fBSSL_SESSION_free()\fR when the session reference is no longer in use.
.PP
Note that in TLSv1.3, sessions are established after the main
@@ -209,24 +133,24 @@ handshake (for TLSv1.3). It is also possible in TLSv1.3 for multiple sessions to
be established with a single connection. In these case the \fBnew_session_cb()\fR
function will be invoked multiple times.
.PP
-In TLSv1.3 it is recommended that each \s-1SSL_SESSION\s0 object is only used for
+In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
resumption once. One way of enforcing that is for applications to call
\&\fBSSL_CTX_remove_session\fR\|(3) after a session has been used.
.PP
-The \fBremove_session_cb()\fR is called whenever the \s-1SSL\s0 engine removes a session
+The \fBremove_session_cb()\fR is called whenever the SSL engine removes a session
from the internal cache. This can happen when the session is removed because
it is expired or when a connection was not shutdown cleanly. It also happens
for all sessions in the internal session cache when
\&\fBSSL_CTX_free\fR\|(3) is called. The \fBremove_session_cb()\fR is passed
the \fBctx\fR and the ssl session \fBsess\fR. It does not provide any feedback.
.PP
-The \fBget_session_cb()\fR is only called on \s-1SSL/TLS\s0 servers, and is given
+The \fBget_session_cb()\fR is only called on SSL/TLS servers, and is given
the session id
proposed by the client. The \fBget_session_cb()\fR is always called, even when
session caching was disabled. The \fBget_session_cb()\fR is passed the
\&\fBssl\fR connection and the session id of length \fBlength\fR at the memory location
\&\fBdata\fR. By setting the parameter \fBcopy\fR to \fB1\fR, the callback can require the
-\&\s-1SSL\s0 engine to increment the reference count of the \s-1SSL_SESSION\s0 object;
+SSL engine to increment the reference count of the SSL_SESSION object;
setting \fBcopy\fR to \fB0\fR causes the reference count to remain unchanged.
If the \fBget_session_cb()\fR does not write to \fBcopy\fR, the reference count
is incremented and the session must be explicitly freed with
@@ -242,11 +166,11 @@ return different callback function pointers respectively.
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_CTX_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3
index be7e573bf492..36bc389880e7 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,109 +52,49 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESSIONS 3ossl"
-.TH SSL_CTX_SESSIONS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SESSIONS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_sessions \- access internal session cache
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sessions()\fR returns a pointer to the lhash databases containing the
internal session cache for \fBctx\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The sessions in the internal session cache are kept in an
-\&\s-1\fBLHASH\s0\fR\|(3) type database. It is possible to directly
+\&\fBLHASH\fR\|(3) type database. It is possible to directly
access this database e.g. for searching. In parallel, the sessions
form a linked list which is maintained separately from the
-\&\s-1\fBLHASH\s0\fR\|(3) operations, so that the database must not be
+\&\fBLHASH\fR\|(3) operations, so that the database must not be
modified directly but by using the
\&\fBSSL_CTX_add_session\fR\|(3) family of functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_CTX_sessions()\fR returns a pointer to the lhash of \fB\s-1SSL_SESSION\s0\fR.
+\&\fBSSL_CTX_sessions()\fR returns a pointer to the lhash of \fBSSL_SESSION\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBssl\fR\|(7), \s-1\fBLHASH\s0\fR\|(3),
+\&\fBssl\fR\|(7), \fBLHASH\fR\|(3),
\&\fBSSL_CTX_add_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3
index f4c6e55383c7..5827126caf6e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET0_CA_LIST 3ossl"
-.TH SSL_CTX_SET0_CA_LIST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET0_CA_LIST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_client_CA_list,
SSL_set_client_CA_list,
SSL_get_client_CA_list,
@@ -151,7 +75,7 @@ SSL_add1_to_CA_list,
SSL_CTX_add1_to_CA_list,
SSL_get0_peer_CA_list
\&\- get or set CA list
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -172,29 +96,29 @@ SSL_get0_peer_CA_list
\&
\& const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The functions described here set and manage the list of \s-1CA\s0 names that are sent
+The functions described here set and manage the list of CA names that are sent
between two communicating peers.
.PP
-For \s-1TLS\s0 versions 1.2 and earlier the list of \s-1CA\s0 names is only sent from the
-server to the client when requesting a client certificate. So any list of \s-1CA\s0
-names set is never sent from client to server and the list of \s-1CA\s0 names retrieved
-by \fBSSL_get0_peer_CA_list()\fR is always \fB\s-1NULL\s0\fR.
+For TLS versions 1.2 and earlier the list of CA names is only sent from the
+server to the client when requesting a client certificate. So any list of CA
+names set is never sent from client to server and the list of CA names retrieved
+by \fBSSL_get0_peer_CA_list()\fR is always \fBNULL\fR.
.PP
-For \s-1TLS 1.3\s0 the list of \s-1CA\s0 names is sent using the \fBcertificate_authorities\fR
+For TLS 1.3 the list of CA names is sent using the \fBcertificate_authorities\fR
extension and may be sent by a client (in the ClientHello message) or by
a server (when requesting a certificate).
.PP
-In most cases it is not necessary to set \s-1CA\s0 names on the client side. The list
-of \s-1CA\s0 names that are acceptable to the client will be sent in plaintext to the
+In most cases it is not necessary to set CA names on the client side. The list
+of CA names that are acceptable to the client will be sent in plaintext to the
server. This has privacy implications and may also have performance implications
if the list is large. This optional capability was introduced as part of TLSv1.3
-and therefore setting \s-1CA\s0 names on the client side will have no impact if that
+and therefore setting CA names on the client side will have no impact if that
protocol version has been disabled. Most servers do not need this and so this
should be avoided unless required.
.PP
-The \*(L"client \s-1CA\s0 list\*(R" functions below only have an effect when called on the
+The "client CA list" functions below only have an effect when called on the
server side.
.PP
\&\fBSSL_CTX_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
@@ -203,7 +127,7 @@ to \fBctx\fR and it should not be freed by the caller.
.PP
\&\fBSSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for the chosen \fBssl\fR, overriding the
-setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object. Ownership of \fBlist\fR is transferred
+setting valid for \fBssl\fR's SSL_CTX object. Ownership of \fBlist\fR is transferred
to \fBs\fR and it should not be freed by the caller.
.PP
\&\fBSSL_CTX_get_client_CA_list()\fR returns the list of client CAs explicitly set for
@@ -211,31 +135,31 @@ to \fBs\fR and it should not be freed by the caller.
by the caller.
.PP
\&\fBSSL_get_client_CA_list()\fR returns the list of client CAs explicitly
-set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR's \s-1SSL_CTX\s0 object with
+set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR's SSL_CTX object with
\&\fBSSL_CTX_set_client_CA_list()\fR, when in server mode. In client mode,
SSL_get_client_CA_list returns the list of client CAs sent from the server, if
any. The returned list should not be freed by the caller.
.PP
-\&\fBSSL_CTX_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
+\&\fBSSL_CTX_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
\&\fBctx\fR.
.PP
-\&\fBSSL_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
+\&\fBSSL_add_client_CA()\fR adds the CA name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
-the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object.
+the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's SSL_CTX object.
.PP
-\&\fBSSL_get0_peer_CA_list()\fR retrieves the list of \s-1CA\s0 names (if any) the peer
+\&\fBSSL_get0_peer_CA_list()\fR retrieves the list of CA names (if any) the peer
has sent. This can be called on either the server or the client side. The
returned list should not be freed by the caller.
.PP
-The \*(L"generic \s-1CA\s0 list\*(R" functions below are very similar to the \*(L"client \s-1CA\s0
-list\*(R" functions except that they have an effect on both the server and client
-sides. The lists of \s-1CA\s0 names managed are separate \- so you cannot (for example)
-set \s-1CA\s0 names using the \*(L"client \s-1CA\s0 list\*(R" functions and then get them using the
-\&\*(L"generic \s-1CA\s0 list\*(R" functions. Where a mix of the two types of functions has been
-used on the server side then the \*(L"client \s-1CA\s0 list\*(R" functions take precedence.
-Typically, on the server side, the \*(L"client \s-1CA\s0 list \*(R" functions should be used in
-preference. As noted above in most cases it is not necessary to set \s-1CA\s0 names on
+The "generic CA list" functions below are very similar to the "client CA
+list" functions except that they have an effect on both the server and client
+sides. The lists of CA names managed are separate \- so you cannot (for example)
+set CA names using the "client CA list" functions and then get them using the
+"generic CA list" functions. Where a mix of the two types of functions has been
+used on the server side then the "client CA list" functions take precedence.
+Typically, on the server side, the "client CA list " functions should be used in
+preference. As noted above in most cases it is not necessary to set CA names on
the client side.
.PP
\&\fBSSL_CTX_set0_CA_list()\fR sets the list of CAs to be sent to the peer to
@@ -243,26 +167,26 @@ the client side.
it should not be freed by the caller.
.PP
\&\fBSSL_set0_CA_list()\fR sets the list of CAs to be sent to the peer to \fBname_list\fR
-overriding any list set in the parent \fB\s-1SSL_CTX\s0\fR of \fBs\fR. Ownership of
+overriding any list set in the parent \fBSSL_CTX\fR of \fBs\fR. Ownership of
\&\fBname_list\fR is transferred to \fBs\fR and it should not be freed by the caller.
.PP
\&\fBSSL_CTX_get0_CA_list()\fR retrieves any previously set list of CAs set for
\&\fBctx\fR. The returned list should not be freed by the caller.
.PP
\&\fBSSL_get0_CA_list()\fR retrieves any previously set list of CAs set for
-\&\fBs\fR or if none are set the list from the parent \fB\s-1SSL_CTX\s0\fR is retrieved. The
+\&\fBs\fR or if none are set the list from the parent \fBSSL_CTX\fR is retrieved. The
returned list should not be freed by the caller.
.PP
-\&\fBSSL_CTX_add1_to_CA_list()\fR appends the \s-1CA\s0 subject name extracted from \fBx\fR to the
+\&\fBSSL_CTX_add1_to_CA_list()\fR appends the CA subject name extracted from \fBx\fR to the
list of CAs sent to peer for \fBctx\fR.
.PP
-\&\fBSSL_add1_to_CA_list()\fR appends the \s-1CA\s0 subject name extracted from \fBx\fR to the
+\&\fBSSL_add1_to_CA_list()\fR appends the CA subject name extracted from \fBx\fR to the
list of CAs sent to the peer for \fBs\fR, overriding the setting in the parent
-\&\fB\s-1SSL_CTX\s0\fR.
-.SH "NOTES"
+\&\fBSSL_CTX\fR.
+.SH NOTES
.IX Header "NOTES"
-When a \s-1TLS/SSL\s0 server requests a client certificate (see
-\&\fB\fBSSL_CTX_set_verify\fB\|(3)\fR), it sends a list of CAs, for which it will accept
+When a TLS/SSL server requests a client certificate (see
+\&\fBSSL_CTX_set_verify\|(3)\fR), it sends a list of CAs, for which it will accept
certificates, to the client.
.PP
This list must explicitly be set using \fBSSL_CTX_set_client_CA_list()\fR or
@@ -280,7 +204,7 @@ necessary data.
\&\fBSSL_add1_to_CA_list()\fR can be used to add additional items the list of CAs. If no
list was specified before using \fBSSL_CTX_set_client_CA_list()\fR,
\&\fBSSL_CTX_set0_CA_list()\fR, \fBSSL_set_client_CA_list()\fR or \fBSSL_set0_CA_list()\fR, a
-new \s-1CA\s0 list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
+new CA list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_client_CA_list()\fR, \fBSSL_set_client_CA_list()\fR,
@@ -288,15 +212,15 @@ new \s-1CA\s0 list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
and \fBSSL_set0_CA_list()\fR do not return a value.
.PP
\&\fBSSL_CTX_get_client_CA_list()\fR, \fBSSL_get_client_CA_list()\fR, \fBSSL_CTX_get0_CA_list()\fR
-and \fBSSL_get0_CA_list()\fR return a stack of \s-1CA\s0 names or \fB\s-1NULL\s0\fR is no \s-1CA\s0 names are
+and \fBSSL_get0_CA_list()\fR return a stack of CA names or \fBNULL\fR is no CA names are
set.
.PP
\&\fBSSL_CTX_add_client_CA()\fR,\fBSSL_add_client_CA()\fR, \fBSSL_CTX_add1_to_CA_list()\fR and
\&\fBSSL_add1_to_CA_list()\fR return 1 for success and 0 for failure.
.PP
-\&\fBSSL_get0_peer_CA_list()\fR returns a stack of \s-1CA\s0 names sent by the peer or
-\&\fB\s-1NULL\s0\fR or an empty stack if no list was sent.
-.SH "EXAMPLES"
+\&\fBSSL_get0_peer_CA_list()\fR returns a stack of CA names sent by the peer or
+\&\fBNULL\fR or an empty stack if no list was sent.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
.PP
@@ -308,11 +232,11 @@ Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
\&\fBssl\fR\|(7),
\&\fBSSL_load_client_CA_file\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3
new file mode 100644
index 000000000000..eab50d15cb37
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_cert_comp_preference.3
@@ -0,0 +1,203 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl"
+.TH SSL_CTX_SET1_CERT_COMP_PREFERENCE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_CTX_set1_cert_comp_preference,
+SSL_set1_cert_comp_preference,
+SSL_CTX_compress_certs,
+SSL_compress_certs,
+SSL_CTX_get1_compressed_cert,
+SSL_get1_compressed_cert,
+SSL_CTX_set1_compressed_cert,
+SSL_set1_compressed_cert \- Certificate compression functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_CTX_set1_cert_comp_preference(SSL_CTX *ctx, int *algs, size_t len);
+\& int SSL_set1_cert_comp_preference(SSL *ssl, int *algs, size_t len);
+\&
+\& int SSL_CTX_compress_certs(SSL_CTX *ctx, int alg);
+\& int SSL_compress_certs(SSL *ssl, int alg);
+\&
+\& size_t SSL_CTX_get1_compressed_cert(SSL_CTX *ctx, int alg, unsigned char **data,
+\& size_t *orig_len);
+\& size_t SSL_get1_compressed_cert(SSL *ssl, int alg, unsigned char **data,
+\& size_t *orig_len);
+\&
+\& int SSL_CTX_set1_compressed_cert(SSL_CTX *ctx, int alg,
+\& unsigned char *comp_data,
+\& size_t comp_length, size_t orig_length);
+\& int SSL_set1_compressed_cert(SSL *ssl, int alg, unsigned char *comp_data,
+\& size_t comp_length, size_t orig_length);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These functions control the certificate compression feature. Certificate
+compression is only available for TLSv1.3 as defined in RFC8879.
+.PP
+\&\fBSSL_CTX_set1_cert_comp_preference()\fR and \fBSSL_set1_cert_comp_preference()\fR are used
+to specify the preferred compression algorithms. The \fBalgs\fR argument is an array
+of algorithms, and \fBlength\fR is number of elements in the \fBalgs\fR array. Only
+those algorithms enabled in the library will be accepted in \fBalgs\fR, unknown
+algorithms in \fBalgs\fR are ignored. On an error, the preference order is left
+unmodified.
+.PP
+The following compression algorithms (\fBalg\fR arguments) may be used:
+.IP \(bu 4
+TLSEXT_comp_cert_brotli
+.IP \(bu 4
+TLSEXT_comp_cert_zlib
+.IP \(bu 4
+TLSEXT_comp_cert_zstd
+.PP
+The above is also the default preference order. If a preference order is not
+specified, then the default preference order is sent to the peer and the
+received peer's preference order will be used when compressing a certificate.
+Otherwise, the configured preference order is sent to the peer and is used
+to filter the peer's preference order.
+.PP
+\&\fBSSL_CTX_compress_certs()\fR and \fBSSL_compress_certs()\fR are used to pre-compress all
+the configured certificates on an SSL_CTX/SSL object with algorithm \fBalg\fR. If
+\&\fBalg\fR is 0, then the certificates are compressed with the algorithms specified
+in the preference list. Calling these functions on a client SSL_CTX/SSL object
+will result in an error, as only server certificates may be pre-compressed.
+.PP
+\&\fBSSL_CTX_get1_compressed_cert()\fR and \fBSSL_get1_compressed_cert()\fR are used to get
+the pre-compressed certificate most recently set that may be stored for later
+use. Calling these functions on a client SSL_CTX/SSL object will result in an
+error, as only server certificates may be pre-compressed. The \fBdata\fR and
+\&\fBorig_len\fR arguments are required.
+.PP
+The compressed certificate data may be passed to \fBSSL_CTX_set1_compressed_cert()\fR
+or \fBSSL_set1_compressed_cert()\fR to provide a pre-compressed version of the
+most recently set certificate. This pre-compressed certificate can only be used
+by a server.
+.SH NOTES
+.IX Header "NOTES"
+Each side of the connection sends their compression algorithm preference list
+to their peer indicating compressed certificate support. The received preference
+list is filtered by the configured preference list (i.e. the intersection is
+saved). As the default list includes all the enabled algorithms, not specifying
+a preference will allow any enabled algorithm by the peer. The filtered peer's
+preference order is used to determine what algorithm to use when sending a
+compressed certificate.
+.PP
+Only server certificates may be pre-compressed. Calling any of these functions
+(except \fBSSL_CTX_set1_cert_comp_preference()\fR/\fBSSL_set1_cert_comp_preference()\fR)
+on a client SSL_CTX/SSL object will return an error. Client certificates are
+compressed on-demand as unique context data from the server is compressed along
+with the certificate.
+.PP
+For \fBSSL_CTX_set1_cert_comp_preference()\fR and \fBSSL_set1_cert_comp_preference()\fR
+the \fBlen\fR argument is the size of the \fBalgs\fR argument in bytes.
+.PP
+The compressed certificate returned by \fBSSL_CTX_get1_compressed_cert()\fR and
+\&\fBSSL_get1_compressed_cert()\fR is the last certificate set on the SSL_CTX/SSL object.
+The certificate is copied by the function and the caller must free \fB*data\fR via
+\&\fBOPENSSL_free()\fR.
+.PP
+The compressed certificate data set by \fBSSL_CTX_set1_compressed_cert()\fR and
+\&\fBSSL_set1_compressed_cert()\fR is copied into the SSL_CTX/SSL object.
+.PP
+\&\fBSSL_CTX_compress_certs()\fR and \fBSSL_compress_certs()\fR return an error under the
+following conditions:
+.IP \(bu 4
+If no certificates have been configured.
+.IP \(bu 4
+If the specified algorithm \fBalg\fR is not enabled.
+.IP \(bu 4
+If \fBalg\fR is 0 and no compression algorithms are enabled.
+.PP
+Sending compressed certificates may be disabled on a connection via the
+SSL_OP_NO_TX_CERTIFICATE_COMPRESSION option. Receiving compressed certificates
+may be disabled on a connection via the SSL_OP_NO_RX_CERTIFICATE_COMPRESSION
+option.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_CTX_set1_cert_comp_preference()\fR,
+\&\fBSSL_set1_cert_comp_preference()\fR,
+\&\fBSSL_CTX_compress_certs()\fR,
+\&\fBSSL_compress_certs()\fR,
+\&\fBSSL_CTX_set1_compressed_cert()\fR, and
+\&\fBSSL_set1_compressed_cert()\fR
+return 1 for success and 0 on error.
+.PP
+\&\fBSSL_CTX_get1_compressed_cert()\fR and
+\&\fBSSL_get1_compressed_cert()\fR
+return the length of the allocated memory on success and 0 on error.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_CTX_set_options\fR\|(3),
+\&\fBSSL_CTX_use_certificate\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
index 939a1585f14d..d1b905c66d7f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET1_CURVES 3ossl"
-.TH SSL_CTX_SET1_CURVES 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET1_CURVES 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set1_groups, SSL_CTX_set1_groups_list, SSL_set1_groups,
-SSL_set1_groups_list, SSL_get1_groups, SSL_get_shared_group,
-SSL_get_negotiated_group, SSL_CTX_set1_curves, SSL_CTX_set1_curves_list,
-SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
+SSL_set1_groups_list, SSL_get1_groups, SSL_get0_iana_groups,
+SSL_get_shared_group, SSL_get_negotiated_group, SSL_CTX_set1_curves,
+SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list,
+SSL_get1_curves, SSL_get_shared_curve, SSL_CTX_get0_implemented_groups
\&\- EC supported curve functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -154,6 +79,7 @@ SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
\& int SSL_set1_groups_list(SSL *ssl, char *list);
\&
\& int SSL_get1_groups(SSL *ssl, int *groups);
+\& int SSL_get0_iana_groups(SSL *ssl, uint16_t **out);
\& int SSL_get_shared_group(SSL *s, int n);
\& int SSL_get_negotiated_group(SSL *s);
\&
@@ -165,105 +91,326 @@ SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
\&
\& int SSL_get1_curves(SSL *ssl, int *curves);
\& int SSL_get_shared_curve(SSL *s, int n);
+\&
+\& int SSL_CTX_get0_implemented_groups(SSL_CTX *ctx, int all,
+\& STACK_OF(OPENSSL_CSTRING) *names);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
For all of the functions below that set the supported groups there must be at
least one group in the list. A number of these functions identify groups via a
-unique integer \s-1NID\s0 value. However, support for some groups may be added by
-external providers. In this case there will be no \s-1NID\s0 assigned for the group.
-When setting such groups applications should use the \*(L"list\*(R" form of these
-functions (i.e. \fBSSL_CTX_set1_groups_list()\fR and SSL_set1_groups_list).
+unique integer NID value. However, support for some groups may be added by
+external providers. In this case there will be no NID assigned for the group.
+When setting such groups applications should use the "list" form of these
+functions (i.e. \fBSSL_CTX_set1_groups_list()\fR and \fBSSL_set1_groups_list()\fR).
.PP
\&\fBSSL_CTX_set1_groups()\fR sets the supported groups for \fBctx\fR to \fBglistlen\fR
-groups in the array \fBglist\fR. The array consist of all NIDs of groups in
-preference order. For a \s-1TLS\s0 client the groups are used directly in the
-supported groups extension. For a \s-1TLS\s0 server the groups are used to
-determine the set of shared groups. Currently supported groups for
-\&\fBTLSv1.3\fR are \fBNID_X9_62_prime256v1\fR, \fBNID_secp384r1\fR, \fBNID_secp521r1\fR,
-\&\fB\s-1NID_X25519\s0\fR, \fB\s-1NID_X448\s0\fR, \fBNID_ffdhe2048\fR, \fBNID_ffdhe3072\fR,
-\&\fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR and \fBNID_ffdhe8192\fR.
+groups in the array \fBglist\fR. The array consist of all NIDs of supported groups.
+The supported groups for \fBTLSv1.3\fR include:
+\&\fBNID_X9_62_prime256v1\fR,
+\&\fBNID_secp384r1\fR,
+\&\fBNID_secp521r1\fR,
+\&\fBNID_X25519\fR,
+\&\fBNID_X448\fR,
+\&\fBNID_brainpoolP256r1tls13\fR,
+\&\fBNID_brainpoolP384r1tls13\fR,
+\&\fBNID_brainpoolP512r1tls13\fR,
+\&\fBNID_ffdhe2048\fR,
+\&\fBNID_ffdhe3072\fR,
+\&\fBNID_ffdhe4096\fR,
+\&\fBNID_ffdhe6144\fR, and
+\&\fBNID_ffdhe8192\fR.
+OpenSSL will use this array in different ways based on the TLS version, and
+whether the groups are used in a client or server.
+.PP
+For a TLS client, the groups are used directly in the supported groups
+extension. The extension's preference order, to be evaluated by the server, is
+determined by the order of the elements in the array.
+.PP
+For a TLS 1.2 server, the groups determine the selected group. If
+\&\fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR is set, the order of the elements in the
+array determines the selected group. Otherwise, the order is ignored and the
+client's order determines the selection.
+.PP
+For a TLS 1.3 server, the groups determine the selected group, but
+selection is more complex. A TLS 1.3 client sends both a group list as well as a
+predicted subset of groups. Choosing a group outside the predicted subset incurs
+an extra roundtrip. However, in some situations, the most preferred group may
+not be predicted. OpenSSL considers all supported groups in \fIclist\fR to be comparable
+in security and prioritizes avoiding roundtrips above either client or server
+preference order. If an application uses an external provider to extend OpenSSL
+with, e.g., a post-quantum algorithm, this behavior may allow a network attacker
+to downgrade connections to a weaker algorithm. It is therefore recommended
+to use \fBSSL_CTX_set1_groups_list()\fR with the ability to specify group tuples.
.PP
\&\fBSSL_CTX_set1_groups_list()\fR sets the supported groups for \fBctx\fR to
-string \fBlist\fR. The string is a colon separated list of group NIDs or
-names, for example \*(L"P\-521:P\-384:P\-256:X25519:ffdhe2048\*(R". Currently supported
-groups for \fBTLSv1.3\fR are \fBP\-256\fR, \fBP\-384\fR, \fBP\-521\fR, \fBX25519\fR, \fBX448\fR,
-\&\fBffdhe2048\fR, \fBffdhe3072\fR, \fBffdhe4096\fR, \fBffdhe6144\fR, \fBffdhe8192\fR. Support
-for other groups may be added by external providers.
+string \fIlist\fR. In contrast to \fBSSL_CTX_set1_groups()\fR, the names of the
+groups, rather than their NIDs, are used.
+.PP
+The commands below list the available groups for TLS 1.2 and TLS 1.3,
+respectively:
+.PP
+.Vb 2
+\& $ openssl list \-tls1_2 \-tls\-groups
+\& $ openssl list \-tls1_3 \-tls\-groups
+.Ve
+.PP
+Each group can be either the \fBNIST\fR name (e.g. \fBP\-256\fR), some other commonly
+used name where applicable (e.g. \fBX25519\fR, \fBffdhe2048\fR) or an OpenSSL OID name
+(e.g. \fBprime256v1\fR).
+Group names are case-insensitive in OpenSSL 3.5 and later.
+The preferred group names are those defined by
+IANA <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>.
+.PP
+The \fIlist\fR can be used to define several group tuples of comparable security
+levels, and can specify which key shares should be sent by a client.
+The specified list elements can optionally be ignored, if not implemented
+(listing unknown groups otherwise results in error).
+It is also possible to specify the built-in default set of groups, and to explicitly
+remove a group from that list.
+.PP
+In its simplest form, the string \fIlist\fR is just a colon separated list
+of group names, for example "P\-521:P\-384:P\-256:X25519:ffdhe2048". The first
+group listed will also be used for the \fBkey_share\fR sent by a client in a
+TLSv1.3 \fBClientHello\fR. For servers note the discussion above. The list should
+be in order of preference with the most preferred group first.
+.PP
+Group tuples of comparable security are defined by separating them from each
+other by a tuple separator \f(CW\*(C`/\*(C'\fR. Keyshares to be sent by a client are specified
+by prepending a \f(CW\*(C`*\*(C'\fR to the group name, while any \f(CW\*(C`*\*(C'\fR will be ignored by a
+server. The following string \fIlist\fR for example defines three tuples when
+used on the server-side, and triggers the generation of three key shares
+when used on the client-side: P\-521:*P\-256/*P\-384/*X25519:P\-384:ffdhe2048.
+.PP
+If a group name is preceded with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an
+implementation is missing. If a group name is preceded with the \f(CW\*(C`\-\*(C'\fR character, it
+will be removed from the list of groups if present (including not sending a
+key share for this group), ignored otherwise. The pseudo group name
+\&\f(CW\*(C`DEFAULT\*(C'\fR can be used to select the OpenSSL built-in default list of groups.
+.PP
+For a TLS 1.3 client, all the groups in the string \fIlist\fR are added to the
+supported groups extension of a \f(CW\*(C`ClientHello\*(C'\fR, in the order in which they are listed,
+thereby interpreting tuple separators as group separators. The extension's
+preference order, to be evaluated by the server, is determined by the
+order of the elements in the array, see below.
+.PP
+If a group name is preceded by \f(CW\*(C`*\*(C'\fR, a key share will be sent for this group.
+When preceding \f(CW\*(C`DEFAULT\*(C'\fR with \f(CW\*(C`*\*(C'\fR, a key share will be sent for the first group
+of the OpenSSL built-in default list of groups. If no \f(CW\*(C`*\*(C'\fR is used anywhere in the list,
+a single key share for the leftmost valid group is sent. A maximum of 4 key shares
+are supported. Example: "P\-521:*P\-256/*P\-384" will add P\-521, P\-256 and P\-384 to the
+supported groups extension in a \f(CW\*(C`ClientHello\*(C'\fR and will send key shares for P\-256 and P\-384.
+.PP
+For a TLS 1.3 server, the groups in the string \fIlist\fR will be used to determine which group
+is used for the key agreement. The preference order of the group tuples is determined
+by the order of the tuples in the array, and the preference order of the groups within
+a group tuple is determined by the order of the groups in the tuple. Server preference
+can be enforced by setting \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR using
+\&\fBSSL_set_options\fR (default: client preference).
+.PP
+The server will select the group to be used for a key agreement using the following
+pseudo-code algorithm:
+.PP
+.Vb 12
+\& FOR each group tuple
+\& IF client preference (= default)
+\& FOR each client key\-share group
+\& IF current key\-share group is also part of current group tuple: SH, return success
+\& FOR each client supported groups
+\& IF current supported group is also part of current group tuple: HRR, return success
+\& ELSE (= server preference = with SSL_OP_CIPHER_SERVER_PREFERENCE option set)
+\& FOR each group in current tuple
+\& IF current group is also part of client key\-share groups: SH, return success
+\& FOR each group in current tuple
+\& IF current group is also part of client supported groups: HRR, return success
+\& return failure
+\&
+\& with : SH: Server hello with current group
+\& HRR: Server retry request with current group
+.Ve
+.PP
+Hence, if a client supports a group in a server group tuple, but does not send a key
+share for this group, a Hello Retry Request (HRR) is triggered, asking the client
+to send a new Hello message with a more preferred keyshare. See examples below.
+.PP
+A group name can optionally be preceded by any of \f(CW\*(C`*\*(C'\fR, \f(CW\*(C`?\*(C'\fR or \f(CW\*(C`\-\*(C'\fR, in any order, with
+the exception that only \f(CW\*(C`*\*(C'\fR is allowed to precede \f(CW\*(C`DEFAULT\*(C'\fR. Separator characters
+\&\f(CW\*(C`:\*(C'\fR and \f(CW\*(C`/\*(C'\fR are only allowed inside the \fIlist\fR and not at the very beginning or end.
.PP
\&\fBSSL_set1_groups()\fR and \fBSSL_set1_groups_list()\fR are similar except they set
-supported groups for the \s-1SSL\s0 structure \fBssl\fR.
+supported groups for the SSL structure \fBssl\fR.
.PP
\&\fBSSL_get1_groups()\fR returns the set of supported groups sent by a client
in the supported groups extension. It returns the total number of
-supported groups. The \fBgroups\fR parameter can be \fB\s-1NULL\s0\fR to simply
+supported groups. The \fBgroups\fR parameter can be \fBNULL\fR to simply
return the number of groups for memory allocation purposes. The
\&\fBgroups\fR array is in the form of a set of group NIDs in preference
order. It can return zero if the client did not send a supported groups
-extension. If a supported group \s-1NID\s0 is unknown then the value is set to the
-bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.
+extension. If a supported group NID is unknown then the value is set to the
+bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group.
+.PP
+\&\fBSSL_get0_iana_groups()\fR retrieves the list of groups sent by the
+client in the supported_groups extension. The \fB*out\fR array of bytes
+is populated with the host-byte-order representation of the uint16_t group
+identifiers, as assigned by IANA. The group list is returned in the same order
+that was received in the ClientHello. The return value is the number of groups,
+not the number of bytes written.
.PP
-\&\fBSSL_get_shared_group()\fR returns the \s-1NID\s0 of the shared group \fBn\fR for a
-server-side \s-1SSL\s0 \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is
+\&\fBSSL_get_shared_group()\fR returns the NID of the shared group \fBn\fR for a
+server-side SSL \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is
returned, which may be zero. Other than for diagnostic purposes,
most applications will only be interested in the first shared group
so \fBn\fR is normally set to zero. If the value \fBn\fR is out of range,
-NID_undef is returned. If the \s-1NID\s0 for the shared group is unknown then the value
-is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the
+NID_undef is returned. If the NID for the shared group is unknown then the value
+is set to the bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the
group.
.PP
-\&\fBSSL_get_negotiated_group()\fR returns the \s-1NID\s0 of the negotiated group used for
+\&\fBSSL_get_negotiated_group()\fR returns the NID of the negotiated group used for
the handshake key exchange process. For TLSv1.3 connections this typically
reflects the state of the current connection, though in the case of PSK-only
resumption, the returned value will be from a previous connection. For earlier
-\&\s-1TLS\s0 versions, when a session has been resumed, it always reflects the group
+TLS versions, when a session has been resumed, it always reflects the group
used for key exchange during the initial handshake (otherwise it is from the
current, non-resumption, connection). This can be called by either client or
-server. If the \s-1NID\s0 for the shared group is unknown then the value is set to the
-bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.
+server. If the NID for the shared group is unknown then the value is set to the
+bitwise OR of TLSEXT_nid_unknown (0x1000000) and the id of the group. See also
+\&\fBSSL_get0_group_name\fR\|(3) which returns the name of the negotiated group
+directly and is generally preferred over \fBSSL_get_negotiated_group()\fR.
+.PP
+\&\fBSSL_CTX_get0_implemented_groups()\fR populates a stack with the names of TLS
+groups that are compatible with the TLS version of the \fBctx\fR argument.
+The returned names are references to internal constants and must not be
+modified or freed. When \fBall\fR is nonzero, the returned list includes not
+only the preferred IANA names of the groups, but also any associated aliases.
+If the SSL_CTX is version-flexible, the groups will be those compatible
+with any configured minimum and maximum protocol versions.
+The \fBnames\fR stack should be allocated by the caller and be empty, the
+matching group names are appended to the provided stack.
+The \fB\-tls\-groups\fR and \fB\-all\-tls\-groups\fR options of the
+openssl list command output these lists for either
+TLS 1.2 or TLS 1.3 (by default).
.PP
All these functions are implemented as macros.
.PP
The curve functions are synonyms for the equivalently named group functions and
-are identical in every respect. They exist because, prior to \s-1TLS1.3,\s0 there was
-only the concept of supported curves. In \s-1TLS1.3\s0 this was renamed to supported
+are identical in every respect. They exist because, prior to TLS1.3, there was
+only the concept of supported curves. In TLS1.3 this was renamed to supported
groups, and extended to include Diffie Hellman groups. The group functions
should be used in preference.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
If an application wishes to make use of several of these functions for
configuration purposes either on a command line or in a file it should
-consider using the \s-1SSL_CONF\s0 interface instead of manually parsing options.
+consider using the SSL_CONF interface instead of manually parsing options.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_CTX_set1_groups()\fR, \fBSSL_CTX_set1_groups_list()\fR, \fBSSL_set1_groups()\fR and
-\&\fBSSL_set1_groups_list()\fR, return 1 for success and 0 for failure.
+\&\fBSSL_CTX_set1_groups()\fR, \fBSSL_CTX_set1_groups_list()\fR, \fBSSL_set1_groups()\fR,
+\&\fBSSL_set1_groups_list()\fR, and \fBSSL_CTX_get0_implemented_groups()\fR return 1 for
+success and 0 for failure.
.PP
\&\fBSSL_get1_groups()\fR returns the number of groups, which may be zero.
.PP
-\&\fBSSL_get_shared_group()\fR returns the \s-1NID\s0 of shared group \fBn\fR or NID_undef if there
+\&\fBSSL_get0_iana_groups()\fR returns the number of (uint16_t) groups, which may be zero.
+.PP
+\&\fBSSL_get_shared_group()\fR returns the NID of shared group \fBn\fR or NID_undef if there
is no shared group \fBn\fR; or the total number of shared groups if \fBn\fR
is \-1.
.PP
When called on a client \fBssl\fR, \fBSSL_get_shared_group()\fR has no meaning and
returns \-1.
.PP
-\&\fBSSL_get_negotiated_group()\fR returns the \s-1NID\s0 of the negotiated group used for
+\&\fBSSL_get_negotiated_group()\fR returns the NID of the negotiated group used for
key exchange, or NID_undef if there was no negotiated group.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+Assume the server \fIlist\fR is "P\-521:P\-256/P\-384/X25519:ffdhe2048" and client
+\&\fIlist\fR is "P\-521:*P\-384" when connecting to such a server, meaning that the
+client supports \f(CW\*(C`P\-521\*(C'\fR but does not send a key share for this group to the
+server, and the client supports \f(CW\*(C`P\-384\*(C'\fR including key share for this group.
+With both server and client preference, an HRR will be triggered for \f(CW\*(C`P\-521\*(C'\fR
+despite the availability of a key share for P\-384, which overlaps with a lower
+priority server-side tuple.
+.PP
+As a separate example, consider a server \fIlist\fR "A:B/C:D/E:F". Listed in order
+of highest preference to least, 3 group tuples are created: "A:B", "C:D", and
+"E:F". Here are some examples of a client \fIlist\fR where setting server/client
+preference will not change the outcome:
+.PP
+\&\- "A:D:*F": Both prefer "A", but the server didn't receive a keyshare for the
+most-preferred tuple in which there's at least one group supported by both.
+Therefore, an HRR is triggered for "A".
+.PP
+\&\- "B:*C": Both prefer "B" from the first group tuple "A:B", so an HRR is
+triggered for "B".
+.PP
+\&\- "C:*F": Both prefer "C" from the second group tuple "C:D", so an HRR is
+triggered for "C".
+.PP
+\&\- "C:*D": Even though both prefer "C" over "D", the server will accept
+the key share for "D". Within a tuple, existing keyshares trump preference
+order.
+.PP
+\&\- "*C:*D": The server accepts the "C" key share.
+.PP
+\&\- "F": Even though it is not prepended with a "*", the client will send a key
+share for "F". The server will then accept the key share for "F".
+.PP
+\&\- "*E:C:A": The server prefers "A" from the "A:B" group tuple, so an HRR is
+triggered for "A".
+.PP
+\&\- "*E:B:*A": The server uses the key share for "A".
+.PP
+Here are some examples where setting server/client preference will change the
+result:
+.PP
+\&\- "*D:*C"
+ \- Client preference: The server uses the key share for "D".
+ \- Server preference: The server uses the key share for "C".
+.PP
+\&\- "B:A:*C"
+ \- Client preference: The server triggers an HRR for "B". For the server,
+"A" and "B" are considered comparable in security. But because the client
+prefers "B", the server will trigger an HRR for "B".
+ \- Server preference: The server triggers an HRR for "A".
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
-\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
-.SH "HISTORY"
+\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
+\&\fBSSL_get0_group_name\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The curve functions were added in OpenSSL 1.0.2. The equivalent group
functions were added in OpenSSL 1.1.1. The \fBSSL_get_negotiated_group()\fR function
was added in OpenSSL 3.0.0.
-.SH "COPYRIGHT"
+.PP
+Support for ignoring unknown groups in \fBSSL_CTX_set1_groups_list()\fR and
+\&\fBSSL_set1_groups_list()\fR was added in OpenSSL 3.3.
+.PP
+Support for \fBML-KEM\fR was added in OpenSSL 3.5.
+.PP
+OpenSSL 3.5 also introduces support for three \fIhybrid\fR ECDH PQ key exchange
+TLS groups: \fBX25519MLKEM768\fR, \fBSecP256r1MLKEM768\fR and
+\&\fBSecP384r1MLKEM1024\fR.
+They offer CPU performance comparable to the associated ECDH group, though at
+the cost of significantly larger key exchange messages.
+The third group, \fBSecP384r1MLKEM1024\fR is substantially more CPU-intensive,
+largely as a result of the high CPU cost of ECDH for the underlying \fBP\-384\fR
+group.
+Also its key exchange messages at close to 1700 bytes are larger than the
+roughly 1200 bytes for the first two groups.
+.PP
+As of OpenSSL 3.5 key exchange group names are case-insensitive.
+.PP
+\&\fBSSL_CTX_get0_implemented_groups\fR was first implemented in OpenSSL 3.5.
+.PP
+Earlier versions of this document described the list as a preference order.
+However, OpenSSL's behavior as a TLS 1.3 server is to consider \fIall\fR
+supported groups as comparable in security.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2013\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3
index e5c1b89b2b78..9486bdfbce64 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET1_SIGALGS 3ossl"
-.TH SSL_CTX_SET1_SIGALGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET1_SIGALGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set1_sigalgs, SSL_set1_sigalgs, SSL_CTX_set1_sigalgs_list,
SSL_set1_sigalgs_list, SSL_CTX_set1_client_sigalgs,
SSL_set1_client_sigalgs, SSL_CTX_set1_client_sigalgs_list,
SSL_set1_client_sigalgs_list \- set supported signature algorithms
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -156,7 +80,7 @@ SSL_set1_client_sigalgs_list \- set supported signature algorithms
\& long SSL_CTX_set1_client_sigalgs_list(SSL_CTX *ctx, const char *str);
\& long SSL_set1_client_sigalgs_list(SSL *ssl, const char *str);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set1_sigalgs()\fR and \fBSSL_set1_sigalgs()\fR set the supported signature
algorithms for \fBctx\fR or \fBssl\fR. The array \fBslist\fR of length \fBslistlen\fR
@@ -167,8 +91,12 @@ algorithms.
signature algorithms for \fBctx\fR or \fBssl\fR. The \fBstr\fR parameter
must be a null terminated string consisting of a colon separated list of
elements, where each element is either a combination of a public key
-algorithm and a digest separated by \fB+\fR, or a \s-1TLS 1\s0.3\-style named
+algorithm and a digest separated by \fB+\fR, or a TLS 1.3\-style named
SignatureScheme such as rsa_pss_pss_sha256.
+Signature scheme names and public key algorithm names (but not the digest
+names) in the \fBalgorithm+hash\fR form are case-insensitive.
+If a list entry is preceded with the \f(CW\*(C`?\*(C'\fR character, it will be ignored if an
+implementation is missing.
.PP
\&\fBSSL_CTX_set1_client_sigalgs()\fR, \fBSSL_set1_client_sigalgs()\fR,
\&\fBSSL_CTX_set1_client_sigalgs_list()\fR and \fBSSL_set1_client_sigalgs_list()\fR set
@@ -179,18 +107,18 @@ identical to \fBSSL_CTX_set1_sigalgs()\fR, \fBSSL_set1_sigalgs()\fR,
All these functions are implemented as macros. The signature algorithm
parameter (integer array or string) is not freed: the application should
free it, if necessary.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
If an application wishes to allow the setting of signature algorithms
as one of many user configurable options it should consider using the more
-flexible \s-1SSL_CONF API\s0 instead.
+flexible SSL_CONF API instead.
.PP
The signature algorithms set by a client are used directly in the supported
signature algorithm in the client hello message.
.PP
The supported signature algorithms set by a server are not sent to the
client but are used to determine the set of shared signature algorithms
-and (if server preferences are set with \s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0)
+and (if server preferences are set with SSL_OP_CIPHER_SERVER_PREFERENCE)
their order.
.PP
The client authentication signature algorithms set by a server are sent
@@ -202,26 +130,26 @@ used to determined the set of client authentication shared signature
algorithms.
.PP
Signature algorithms will neither be advertised nor used if the security level
-prohibits them (for example \s-1SHA1\s0 if the security level is 4 or more).
+prohibits them (for example SHA1 if the security level is 4 or more).
.PP
Currently the NID_md5, NID_sha1, NID_sha224, NID_sha256, NID_sha384 and
NID_sha512 digest NIDs are supported and the public key algorithm NIDs
-\&\s-1EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA\s0 and \s-1EVP_PKEY_EC.\s0
+EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA and EVP_PKEY_EC.
.PP
The short or long name values for digests can be used in a string (for
-example \*(L"\s-1MD5\*(R", \*(L"SHA1\*(R", \*(L"SHA224\*(R", \*(L"SHA256\*(R", \*(L"SHA384\*(R", \*(L"SHA512\*(R"\s0) and
-the public key algorithm strings \*(L"\s-1RSA\*(R",\s0 \*(L"RSA-PSS\*(R", \*(L"\s-1DSA\*(R"\s0 or \*(L"\s-1ECDSA\*(R".\s0
+example "MD5", "SHA1", "SHA224", "SHA256", "SHA384", "SHA512") and
+the public key algorithm strings "RSA", "RSA-PSS", "DSA" or "ECDSA".
.PP
-The \s-1TLS 1.3\s0 signature scheme names (such as \*(L"rsa_pss_pss_sha256\*(R") can also
-be used with the \fB_list\fR forms of the \s-1API.\s0
+The TLS 1.3 signature scheme names (such as "rsa_pss_pss_sha256") can also
+be used with the \fB_list\fR forms of the API.
.PP
-The use of \s-1MD5\s0 as a digest is strongly discouraged due to security weaknesses.
+The use of MD5 as a digest is strongly discouraged due to security weaknesses.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 for failure.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Set supported signature algorithms to \s-1SHA256\s0 with \s-1ECDSA\s0 and \s-1SHA256\s0 with \s-1RSA\s0
+Set supported signature algorithms to SHA256 with ECDSA and SHA256 with RSA
using an array:
.PP
.Vb 1
@@ -230,7 +158,7 @@ using an array:
\& SSL_CTX_set1_sigalgs(ctx, slist, 4);
.Ve
.PP
-Set supported signature algorithms to \s-1SHA256\s0 with \s-1ECDSA\s0 and \s-1SHA256\s0 with \s-1RSA\s0
+Set supported signature algorithms to SHA256 with ECDSA and SHA256 with RSA
using a string:
.PP
.Vb 1
@@ -240,11 +168,17 @@ using a string:
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_shared_sigalgs\fR\|(3),
\&\fBSSL_CONF_CTX_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+Support for ignoring unknown signature algorithms in
+\&\fBSSL_CTX_set1_sigalgs_list()\fR, \fBSSL_set1_sigalgs_list()\fR,
+\&\fBSSL_CTX_set1_client_sigalgs_list()\fR and \fBSSL_set1_client_sigalgs_list()\fR
+was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3
index 230d33acb071..b0393b8345e7 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl"
-.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store,
SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store,
SSL_set0_verify_cert_store, SSL_set1_verify_cert_store,
@@ -144,7 +68,7 @@ SSL_set0_chain_cert_store, SSL_set1_chain_cert_store,
SSL_CTX_get0_verify_cert_store, SSL_CTX_get0_chain_cert_store,
SSL_get0_verify_cert_store, SSL_get0_chain_cert_store \- set certificate
verification or chain store
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -163,7 +87,7 @@ verification or chain store
\& int SSL_get0_verify_cert_store(SSL *ctx, X509_STORE **st);
\& int SSL_get0_chain_cert_store(SSL *ctx, X509_STORE **st);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set0_verify_cert_store()\fR and \fBSSL_CTX_set1_verify_cert_store()\fR
set the certificate store used for certificate verification to \fBst\fR.
@@ -173,45 +97,45 @@ set the certificate store used for certificate chain building to \fBst\fR.
.PP
\&\fBSSL_set0_verify_cert_store()\fR, \fBSSL_set1_verify_cert_store()\fR,
\&\fBSSL_set0_chain_cert_store()\fR and \fBSSL_set1_chain_cert_store()\fR are similar
-except they apply to \s-1SSL\s0 structure \fBssl\fR.
+except they apply to SSL structure \fBssl\fR.
.PP
\&\fBSSL_CTX_get0_verify_chain_store()\fR, \fBSSL_get0_verify_chain_store()\fR,
\&\fBSSL_CTX_get0_chain_cert_store()\fR and \fBSSL_get0_chain_cert_store()\fR retrieve the
-objects previously set via the above calls. A pointer to the object (or \s-1NULL\s0 if
+objects previously set via the above calls. A pointer to the object (or NULL if
no such object has been set) is written to \fB*st\fR.
.PP
All these functions are implemented as macros. Those containing a \fB1\fR
increment the reference count of the supplied store so it must
be freed at some point after the operation. Those containing a \fB0\fR do
-not increment reference counts and the supplied store \fB\s-1MUST NOT\s0\fR be freed
+not increment reference counts and the supplied store \fBMUST NOT\fR be freed
after the operation.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The stores pointers associated with an \s-1SSL_CTX\s0 structure are copied to any \s-1SSL\s0
-structures when \fBSSL_new()\fR is called. As a result \s-1SSL\s0 structures will not be
-affected if the parent \s-1SSL_CTX\s0 store pointer is set to a new value.
+The stores pointers associated with an SSL_CTX structure are copied to any SSL
+structures when \fBSSL_new()\fR is called. As a result SSL structures will not be
+affected if the parent SSL_CTX store pointer is set to a new value.
.PP
The verification store is used to verify the certificate chain sent by the
-peer: that is an \s-1SSL/TLS\s0 client will use the verification store to verify
-the server's certificate chain and a \s-1SSL/TLS\s0 server will use it to verify
+peer: that is an SSL/TLS client will use the verification store to verify
+the server's certificate chain and an SSL/TLS server will use it to verify
any client certificate chain.
.PP
The chain store is used to build the certificate chain.
Details of the chain building and checking process are described in
-\&\*(L"Certification Path Building\*(R" in \fBopenssl\-verification\-options\fR\|(1) and
-\&\*(L"Certification Path Validation\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+"Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1) and
+"Certification Path Validation" in \fBopenssl\-verification\-options\fR\|(1).
.PP
-If the mode \fB\s-1SSL_MODE_NO_AUTO_CHAIN\s0\fR is set or a certificate chain is
+If the mode \fBSSL_MODE_NO_AUTO_CHAIN\fR is set or a certificate chain is
configured already (for example using the functions such as
\&\fBSSL_CTX_add1_chain_cert\fR\|(3) or
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)) then
automatic chain building is disabled.
.PP
-If the mode \fB\s-1SSL_MODE_NO_AUTO_CHAIN\s0\fR is set then automatic chain building
+If the mode \fBSSL_MODE_NO_AUTO_CHAIN\fR is set then automatic chain building
is disabled.
.PP
If the chain or the verification store is not set then the store associated
-with the parent \s-1SSL_CTX\s0 is used instead to retain compatibility with previous
+with the parent SSL_CTX is used instead to retain compatibility with previous
versions of OpenSSL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -230,14 +154,14 @@ All these functions return 1 for success and 0 for failure.
\&\fBSSL_add1_chain_cert\fR\|(3)
\&\fBSSL_CTX_build_cert_chain\fR\|(3)
\&\fBSSL_build_cert_chain\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3
index ecd9d31eecf6..51791368bf9f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_ALPN_SELECT_CB 3ossl"
-.TH SSL_CTX_SET_ALPN_SELECT_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_ALPN_SELECT_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb,
SSL_CTX_set_next_proto_select_cb, SSL_CTX_set_next_protos_advertised_cb,
SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
\&\- handle application layer protocol negotiation (ALPN)
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -182,16 +106,17 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
\& void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
\& unsigned *len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_alpn_protos()\fR and \fBSSL_set_alpn_protos()\fR are used by the client to
set the list of protocols available to be negotiated. The \fBprotos\fR must be in
protocol-list format, described below. The length of \fBprotos\fR is specified in
-\&\fBprotos_len\fR.
+\&\fBprotos_len\fR. Setting \fBprotos_len\fR to 0 clears any existing list of ALPN
+protocols and no ALPN extension will be sent to the server.
.PP
\&\fBSSL_CTX_set_alpn_select_cb()\fR sets the application callback \fBcb\fR used by a
server to select which protocol to use for the incoming connection. When \fBcb\fR
-is \s-1NULL, ALPN\s0 is not used. The \fBarg\fR value is a pointer which is passed to
+is NULL, ALPN is not used. The \fBarg\fR value is a pointer which is passed to
the application callback.
.PP
\&\fBcb\fR is the application defined callback. The \fBin\fR, \fBinlen\fR parameters are a
@@ -208,9 +133,16 @@ is called from the application callback \fBcb\fR. The protocol data in \fBserver
described below. The first item in the \fBserver\fR, \fBserver_len\fR list that
matches an item in the \fBclient\fR, \fBclient_len\fR list is selected, and returned
in \fBout\fR, \fBoutlen\fR. The \fBout\fR value will point into either \fBserver\fR or
-\&\fBclient\fR, so it should be copied immediately. If no match is found, the first
-item in \fBclient\fR, \fBclient_len\fR is returned in \fBout\fR, \fBoutlen\fR. This
-function can also be used in the \s-1NPN\s0 callback.
+\&\fBclient\fR, so it should be copied immediately. The client list must include at
+least one valid (nonempty) protocol entry in the list.
+.PP
+The \fBSSL_select_next_proto()\fR helper function can be useful from either the ALPN
+callback or the NPN callback (described below). If no match is found, the first
+item in \fBclient\fR, \fBclient_len\fR is returned in \fBout\fR, \fBoutlen\fR and
+\&\fBOPENSSL_NPN_NO_OVERLAP\fR is returned. This can be useful when implementing
+the NPN callback. In the ALPN case, the value returned in \fBout\fR and \fBoutlen\fR
+must be ignored if \fBOPENSSL_NPN_NO_OVERLAP\fR has been returned from
+\&\fBSSL_select_next_proto()\fR.
.PP
\&\fBSSL_CTX_set_next_proto_select_cb()\fR sets a callback \fBcb\fR that is called when a
client needs to select a protocol from the server's provided list, and a
@@ -220,32 +152,38 @@ must be set to point to the selected protocol (which may be within \fBin\fR).
The length of the protocol name must be written into \fBoutlen\fR. The
server's advertised protocols are provided in \fBin\fR and \fBinlen\fR. The
callback can assume that \fBin\fR is syntactically valid. The client must
-select a protocol. It is fatal to the connection if this callback returns
-a value other than \fB\s-1SSL_TLSEXT_ERR_OK\s0\fR. The \fBarg\fR parameter is the pointer
-set via \fBSSL_CTX_set_next_proto_select_cb()\fR.
+select a protocol (although it may be an empty, zero length protocol). It is
+fatal to the connection if this callback returns a value other than
+\&\fBSSL_TLSEXT_ERR_OK\fR or if the zero length protocol is selected. The \fBarg\fR
+parameter is the pointer set via \fBSSL_CTX_set_next_proto_select_cb()\fR.
.PP
\&\fBSSL_CTX_set_next_protos_advertised_cb()\fR sets a callback \fBcb\fR that is called
-when a \s-1TLS\s0 server needs a list of supported protocols for Next Protocol
+when a TLS server needs a list of supported protocols for Next Protocol
Negotiation. The returned list must be in protocol-list format, described
below. The list is
returned by setting \fBout\fR to point to it and \fBoutlen\fR to its length. This
-memory will not be modified, but the \fB\s-1SSL\s0\fR does keep a
-reference to it. The callback should return \fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if it
+memory will not be modified, but the \fBSSL\fR does keep a
+reference to it. The callback should return \fBSSL_TLSEXT_ERR_OK\fR if it
wishes to advertise. Otherwise, no such extension will be included in the
ServerHello.
.PP
\&\fBSSL_get0_alpn_selected()\fR returns a pointer to the selected protocol in \fBdata\fR
-with length \fBlen\fR. It is not NUL-terminated. \fBdata\fR is set to \s-1NULL\s0 and \fBlen\fR
+with length \fBlen\fR. It is not NUL-terminated. \fBdata\fR is set to NULL and \fBlen\fR
is set to 0 if no protocol has been selected. \fBdata\fR must not be freed.
.PP
\&\fBSSL_get0_next_proto_negotiated()\fR sets \fBdata\fR and \fBlen\fR to point to the
client's requested protocol for this connection. If the client did not
-request any protocol or \s-1NPN\s0 is not enabled, then \fBdata\fR is set to \s-1NULL\s0 and
+request any protocol or NPN is not enabled, then \fBdata\fR is set to NULL and
\&\fBlen\fR to 0. Note that
the client can request any protocol it chooses. The value returned from
this function need not be a member of the list of supported protocols
provided by the callback.
-.SH "NOTES"
+.PP
+NPN functionality cannot be used with QUIC SSL objects. Use of ALPN is mandatory
+when using QUIC SSL objects. \fBSSL_CTX_set_next_protos_advertised_cb()\fR and
+\&\fBSSL_CTX_set_next_proto_select_cb()\fR have no effect if called on a QUIC SSL
+context.
+.SH NOTES
.IX Header "NOTES"
The protocol-lists must be in wire-format, which is defined as a vector of
nonempty, 8\-bit length-prefixed, byte strings. The length-prefix byte is not
@@ -263,53 +201,54 @@ Example:
\& unsigned int length = sizeof(vector);
.Ve
.PP
-The \s-1ALPN\s0 callback is executed after the servername callback; as that servername
-callback may update the \s-1SSL_CTX,\s0 and subsequently, the \s-1ALPN\s0 callback.
+The ALPN callback is executed after the servername callback; as that servername
+callback may update the SSL_CTX, and subsequently, the ALPN callback.
.PP
-If there is no \s-1ALPN\s0 proposed in the ClientHello, the \s-1ALPN\s0 callback is not
+If there is no ALPN proposed in the ClientHello, the ALPN callback is not
invoked.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_alpn_protos()\fR and \fBSSL_set_alpn_protos()\fR return 0 on success, and
-non\-0 on failure. \s-1WARNING:\s0 these functions reverse the return value convention.
+non\-0 on failure. WARNING: these functions reverse the return value convention.
.PP
\&\fBSSL_select_next_proto()\fR returns one of the following:
-.IP "\s-1OPENSSL_NPN_NEGOTIATED\s0" 4
+.IP OPENSSL_NPN_NEGOTIATED 4
.IX Item "OPENSSL_NPN_NEGOTIATED"
A match was found and is returned in \fBout\fR, \fBoutlen\fR.
-.IP "\s-1OPENSSL_NPN_NO_OVERLAP\s0" 4
+.IP OPENSSL_NPN_NO_OVERLAP 4
.IX Item "OPENSSL_NPN_NO_OVERLAP"
No match was found. The first item in \fBclient\fR, \fBclient_len\fR is returned in
-\&\fBout\fR, \fBoutlen\fR.
+\&\fBout\fR, \fBoutlen\fR (or \fBNULL\fR and 0 in the case where the first entry in
+\&\fBclient\fR is invalid).
.PP
-The \s-1ALPN\s0 select callback \fBcb\fR, must return one of the following:
-.IP "\s-1SSL_TLSEXT_ERR_OK\s0" 4
+The ALPN select callback \fBcb\fR, must return one of the following:
+.IP SSL_TLSEXT_ERR_OK 4
.IX Item "SSL_TLSEXT_ERR_OK"
-\&\s-1ALPN\s0 protocol selected.
-.IP "\s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0" 4
+ALPN protocol selected.
+.IP SSL_TLSEXT_ERR_ALERT_FATAL 4
.IX Item "SSL_TLSEXT_ERR_ALERT_FATAL"
There was no overlap between the client's supplied list and the server
configuration.
-.IP "\s-1SSL_TLSEXT_ERR_NOACK\s0" 4
+.IP SSL_TLSEXT_ERR_NOACK 4
.IX Item "SSL_TLSEXT_ERR_NOACK"
-\&\s-1ALPN\s0 protocol not selected, e.g., because no \s-1ALPN\s0 protocols are configured for
+ALPN protocol not selected, e.g., because no ALPN protocols are configured for
this connection.
.PP
The callback set using \fBSSL_CTX_set_next_proto_select_cb()\fR should return
-\&\fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if successful. Any other value is fatal to the connection.
+\&\fBSSL_TLSEXT_ERR_OK\fR if successful. Any other value is fatal to the connection.
.PP
The callback set using \fBSSL_CTX_set_next_protos_advertised_cb()\fR should return
-\&\fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if it wishes to advertise. Otherwise, no such extension
+\&\fBSSL_TLSEXT_ERR_OK\fR if it wishes to advertise. Otherwise, no such extension
will be included in the ServerHello.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_tlsext_servername_callback\fR\|(3),
\&\fBSSL_CTX_set_tlsext_servername_arg\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3
index 3c8650b43fd9..70467e146c5e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CERT_CB 3ossl"
-.TH SSL_CTX_SET_CERT_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CERT_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_cert_cb, SSL_set_cert_cb \- handle certificate callback function
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,34 +71,34 @@ SSL_CTX_set_cert_cb, SSL_set_cert_cb \- handle certificate callback function
\& void *arg);
\& void SSL_set_cert_cb(SSL *s, int (*cert_cb)(SSL *ssl, void *arg), void *arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cert_cb()\fR and \fBSSL_set_cert_cb()\fR sets the \fIcert_cb\fR callback,
\&\fIarg\fR value is pointer which is passed to the application callback.
.PP
-When \fIcert_cb\fR is \s-1NULL,\s0 no callback function is used.
+When \fIcert_cb\fR is NULL, no callback function is used.
.PP
\&\fIcert_cb\fR is the application defined callback. It is called before a
certificate will be used by a client or server. The callback can then inspect
the passed \fIssl\fR structure and set or clear any appropriate certificates. If
-the callback is successful it \fB\s-1MUST\s0\fR return 1 even if no certificates have
+the callback is successful it \fBMUST\fR return 1 even if no certificates have
been set. A zero is returned on error which will abort the handshake with a
fatal internal error alert. A negative return value will suspend the handshake
and the handshake function will return immediately.
-\&\fBSSL_get_error\fR\|(3) will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to
+\&\fBSSL_get_error\fR\|(3) will return SSL_ERROR_WANT_X509_LOOKUP to
indicate, that the handshake was suspended. The next call to the handshake
function will again lead to the call of \fIcert_cb\fR. It is the job of the
\&\fIcert_cb\fR to store information about the state of the last call,
if required to continue.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
An application will typically call \fBSSL_use_certificate()\fR and
\&\fBSSL_use_PrivateKey()\fR to set the end entity certificate and private key.
-It can add intermediate and optionally the root \s-1CA\s0 certificates using
+It can add intermediate and optionally the root CA certificates using
\&\fBSSL_add1_chain_cert()\fR.
.PP
It might also call \fBSSL_certs_clear()\fR to delete any certificates associated
-with the \fB\s-1SSL\s0\fR object.
+with the \fBSSL\fR object.
.PP
The certificate callback functionality supersedes the (largely broken)
functionality provided by the old client certificate callback interface.
@@ -183,12 +107,12 @@ can modify or delete the existing certificate.
.PP
A more advanced callback might examine the handshake parameters and set
whatever chain is appropriate. For example a legacy client supporting only
-TLSv1.0 might receive a certificate chain signed using \s-1SHA1\s0 whereas a
-TLSv1.2 or later client which advertises support for \s-1SHA256\s0 could receive a
-chain using \s-1SHA256.\s0
+TLSv1.0 might receive a certificate chain signed using SHA1 whereas a
+TLSv1.2 or later client which advertises support for SHA256 could receive a
+chain using SHA256.
.PP
Normal server sanity checks are performed on any certificates set
-by the callback. So if an \s-1EC\s0 chain is set for a curve the client does not
+by the callback. So if an EC chain is set for a curve the client does not
support it will \fBnot\fR be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -199,11 +123,11 @@ support it will \fBnot\fR be used.
\&\fBSSL_add1_chain_cert\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2014\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3
index 3ebf42816b54..74ebe5c48d8b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CERT_STORE 3ossl"
-.TH SSL_CTX_SET_CERT_STORE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CERT_STORE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store \- manipulate X509 certificate verification storage
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,22 +71,24 @@ SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store \- manip
\& void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
\& X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cert_store()\fR sets/replaces the certificate verification storage
of \fBctx\fR to/with \fBstore\fR. If another X509_STORE object is currently
-set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed.
+set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed. \fBSSL_CTX_set_cert_store()\fR will
+take ownership of the \fBstore\fR, i.e., the call \f(CWX509_STORE_free(store)\fR is no
+longer needed.
.PP
\&\fBSSL_CTX_set1_cert_store()\fR sets/replaces the certificate verification storage
of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR's reference count is incremented.
If another X509_STORE object is currently set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed.
.PP
\&\fBSSL_CTX_get_cert_store()\fR returns a pointer to the current certificate
-verification storage.
-.SH "NOTES"
+verification storage. \fBctx\fR \fBMUST NOT\fR be NULL.
+.SH NOTES
.IX Header "NOTES"
-In order to verify the certificates presented by the peer, trusted \s-1CA\s0
-certificates must be accessed. These \s-1CA\s0 certificates are made available
+In order to verify the certificates presented by the peer, trusted CA
+certificates must be accessed. These CA certificates are made available
via lookup methods, handled inside the X509_STORE. From the X509_STORE
the X509_STORE_CTX used when verifying certificates is created.
.PP
@@ -183,17 +109,17 @@ X509_STORE object and its handling becomes available.
.PP
\&\fBSSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR's reference
count, so it should not be used to assign an X509_STORE that is owned
-by another \s-1SSL_CTX.\s0
+by another SSL_CTX.
.PP
To share X509_STOREs between two SSL_CTXs, use \fBSSL_CTX_get_cert_store()\fR
-to get the X509_STORE from the first \s-1SSL_CTX,\s0 and then use
-\&\fBSSL_CTX_set1_cert_store()\fR to assign to the second \s-1SSL_CTX\s0 and
+to get the X509_STORE from the first SSL_CTX, and then use
+\&\fBSSL_CTX_set1_cert_store()\fR to assign to the second SSL_CTX and
increment the reference count of the X509_STORE.
-.SH "RESTRICTIONS"
+.SH RESTRICTIONS
.IX Header "RESTRICTIONS"
-The X509_STORE structure used by an \s-1SSL_CTX\s0 is used for verifying peer
+The X509_STORE structure used by an SSL_CTX is used for verifying peer
certificates and building certificate chains, it is also shared by
-every child \s-1SSL\s0 structure. Applications wanting finer control can use
+every child SSL structure. Applications wanting finer control can use
functions such as \fBSSL_CTX_set1_verify_cert_store()\fR instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -207,11 +133,11 @@ functions such as \fBSSL_CTX_set1_verify_cert_store()\fR instead.
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_load_verify_locations\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3
index bb51149e3561..ed734361f5fd 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl"
-.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,14 +71,14 @@ SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure
\& int (*callback)(X509_STORE_CTX *, void *),
\& void *arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cert_verify_callback()\fR sets the verification callback function for
-\&\fIctx\fR. \s-1SSL\s0 objects that are created from \fIctx\fR inherit the setting valid at
+\&\fIctx\fR. SSL objects that are created from \fIctx\fR inherit the setting valid at
the time when \fBSSL_new\fR\|(3) is called.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When a peer certificate has been received during a \s-1SSL/TLS\s0 handshake,
+When a peer certificate has been received during an SSL/TLS handshake,
a verification function is called regardless of the verification mode.
If the application does not explicitly specify a verification callback function,
the built-in verification function is used.
@@ -162,23 +86,23 @@ If a verification callback \fIcallback\fR is specified via
\&\fBSSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called
instead with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg).
The argument \fIarg\fR is specified by the application when setting \fIcallback\fR.
-By setting \fIcallback\fR to \s-1NULL,\s0 the default behaviour is restored.
+By setting \fIcallback\fR to NULL, the default behaviour is restored.
.PP
\&\fIcallback\fR should return 1 to indicate verification success
and 0 to indicate verification failure.
In server mode, a return value of 0 leads to handshake failure.
In client mode, the behaviour is as follows.
All values, including 0, are ignored
-if the verification mode is \fB\s-1SSL_VERIFY_NONE\s0\fR.
+if the verification mode is \fBSSL_VERIFY_NONE\fR.
Otherwise, when the return value is less than or equal to 0, the handshake will
fail.
.PP
In client mode \fIcallback\fR may also call the \fBSSL_set_retry_verify\fR\|(3)
-function on the \fB\s-1SSL\s0\fR object set in the \fIx509_store_ctx\fR ex data (see
+function on the \fBSSL\fR object set in the \fIx509_store_ctx\fR ex data (see
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)) and return 1. This would be
typically done in case the certificate verification was not yet able
to succeed. This makes the handshake suspend and return control to the
-calling application with \fB\s-1SSL_ERROR_WANT_RETRY_VERIFY\s0\fR. The app can for
+calling application with \fBSSL_ERROR_WANT_RETRY_VERIFY\fR. The app can for
instance fetch further certificates or cert status information needed for
the verification. Calling \fBSSL_connect\fR\|(3) again resumes the connection
attempt by retrying the server certificate verification step.
@@ -191,7 +115,7 @@ This is particularly important in case
the \fIcallback\fR allows the connection to continue (by returning 1).
Note that the verification status in the store context is a possibly durable
indication of the chain's validity!
-This gets recorded in the \s-1SSL\s0 session (and thus also in session tickets)
+This gets recorded in the SSL session (and thus also in session tickets)
and the validity of the originally presented chain is then visible
on resumption, even though no chain is presented int that case.
Moreover, the calling application will be informed about the detailed result of
@@ -202,7 +126,7 @@ function set using \fBSSL_CTX_set_verify\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_cert_verify_callback()\fR does not return a value.
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
Do not mix the verification callback described in this function with the
\&\fBverify_callback\fR function called during the verification process. The
@@ -213,7 +137,7 @@ Providing a complete verification procedure including certificate purpose
settings etc is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the \fBverify_callback\fR function.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
\&\fBSSL_CTX_set_cert_verify_callback()\fR does not provide diagnostic information.
.SH "SEE ALSO"
@@ -223,11 +147,11 @@ the \fBverify_callback\fR function.
\&\fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_set_retry_verify\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3
index 22c8dd1bec5f..c5a2e3129fd5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CIPHER_LIST 3ossl"
-.TH SSL_CTX_SET_CIPHER_LIST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CIPHER_LIST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_cipher_list,
SSL_set_cipher_list,
SSL_CTX_set_ciphersuites,
@@ -144,7 +68,7 @@ SSL_set_ciphersuites,
OSSL_default_cipher_list,
OSSL_default_ciphersuites
\&\- choose list of available SSL_CIPHERs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -158,36 +82,40 @@ OSSL_default_ciphersuites
\& const char *OSSL_default_cipher_list(void);
\& const char *OSSL_default_ciphersuites(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cipher_list()\fR sets the list of available ciphers (TLSv1.2 and below)
for \fBctx\fR using the control string \fBstr\fR. The format of the string is described
in \fBopenssl\-ciphers\fR\|(1). The list of ciphers is inherited by all
\&\fBssl\fR objects created from \fBctx\fR. This function does not impact TLSv1.3
-ciphersuites. Use \fBSSL_CTX_set_ciphersuites()\fR to configure those.
+ciphersuites. Use \fBSSL_CTX_set_ciphersuites()\fR to configure those. \fBctx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBSSL_set_cipher_list()\fR sets the list of ciphers (TLSv1.2 and below) only for
\&\fBssl\fR.
.PP
\&\fBSSL_CTX_set_ciphersuites()\fR is used to configure the available TLSv1.3
-ciphersuites for \fBctx\fR. This is a simple colon (\*(L":\*(R") separated list of TLSv1.3
+ciphersuites for \fBctx\fR. This is a simple colon (":") separated list of TLSv1.3
ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
-.IP "\s-1TLS_AES_128_GCM_SHA256\s0" 4
+.IP TLS_AES_128_GCM_SHA256 4
.IX Item "TLS_AES_128_GCM_SHA256"
.PD 0
-.IP "\s-1TLS_AES_256_GCM_SHA384\s0" 4
+.IP TLS_AES_256_GCM_SHA384 4
.IX Item "TLS_AES_256_GCM_SHA384"
-.IP "\s-1TLS_CHACHA20_POLY1305_SHA256\s0" 4
+.IP TLS_CHACHA20_POLY1305_SHA256 4
.IX Item "TLS_CHACHA20_POLY1305_SHA256"
-.IP "\s-1TLS_AES_128_CCM_SHA256\s0" 4
+.IP TLS_AES_128_CCM_SHA256 4
.IX Item "TLS_AES_128_CCM_SHA256"
-.IP "\s-1TLS_AES_128_CCM_8_SHA256\s0" 4
+.IP TLS_AES_128_CCM_8_SHA256 4
.IX Item "TLS_AES_128_CCM_8_SHA256"
+.IP "TLS_SHA384_SHA384 \- integrity-only" 4
+.IX Item "TLS_SHA384_SHA384 - integrity-only"
+.IP "TLS_SHA256_SHA256 \- integrity-only" 4
+.IX Item "TLS_SHA256_SHA256 - integrity-only"
.PD
.PP
-An empty list is permissible. The default value for the this setting is:
+An empty list is permissible. The default value for this setting is:
.PP
-\&\*(L"\s-1TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\*(R"\s0
+"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
.PP
\&\fBSSL_set_ciphersuites()\fR is the same as \fBSSL_CTX_set_ciphersuites()\fR except it
configures the ciphersuites for \fBssl\fR.
@@ -195,7 +123,7 @@ configures the ciphersuites for \fBssl\fR.
\&\fBOSSL_default_cipher_list()\fR returns the default cipher string for TLSv1.2
(and earlier) ciphers. \fBOSSL_default_ciphersuites()\fR returns the default
cipher string for TLSv1.3 ciphersuites.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The control string \fBstr\fR for \fBSSL_CTX_set_cipher_list()\fR, \fBSSL_set_cipher_list()\fR,
\&\fBSSL_CTX_set_ciphersuites()\fR and \fBSSL_set_ciphersuites()\fR should be universally
@@ -209,25 +137,25 @@ It should be noted, that inclusion of a cipher to be used into the list is
a necessary condition. On the client side, the inclusion into the list is
also sufficient unless the security level excludes it. On the server side,
additional restrictions apply. All ciphers have additional requirements.
-\&\s-1ADH\s0 ciphers don't need a certificate, but DH-parameters must have been set.
+ADH ciphers don't need a certificate, but DH-parameters must have been set.
All other ciphers need a corresponding certificate and key.
.PP
-An \s-1RSA\s0 cipher can only be chosen, when an \s-1RSA\s0 certificate is available.
-\&\s-1RSA\s0 ciphers using \s-1DHE\s0 need a certificate and key and additional DH-parameters
+An RSA cipher can only be chosen, when an RSA certificate is available.
+RSA ciphers using DHE need a certificate and key and additional DH-parameters
(see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)).
.PP
-A \s-1DSA\s0 cipher can only be chosen, when a \s-1DSA\s0 certificate is available.
-\&\s-1DSA\s0 ciphers always use \s-1DH\s0 key exchange and therefore need DH-parameters
+A DSA cipher can only be chosen, when a DSA certificate is available.
+DSA ciphers always use DH key exchange and therefore need DH-parameters
(see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)).
.PP
When these conditions are not met for any cipher in the list (e.g. a
-client only supports export \s-1RSA\s0 ciphers with an asymmetric key length
-of 512 bits and the server is not configured to use temporary \s-1RSA\s0
-keys), the \*(L"no shared cipher\*(R" (\s-1SSL_R_NO_SHARED_CIPHER\s0) error is generated
+client only supports export RSA ciphers with an asymmetric key length
+of 512 bits and the server is not configured to use temporary RSA
+keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
and the handshake will fail.
.PP
\&\fBOSSL_default_cipher_list()\fR and \fBOSSL_default_ciphersuites()\fR replace
-\&\s-1SSL_DEFAULT_CIPHER_LIST\s0 and \s-1TLS_DEFAULT_CIPHERSUITES,\s0 respectively. The
+SSL_DEFAULT_CIPHER_LIST and TLS_DEFAULT_CIPHERSUITES, respectively. The
cipher list defines are deprecated as of 3.0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -242,14 +170,14 @@ ciphersuite list was configured, and 0 otherwise.
\&\fBSSL_CTX_use_certificate\fR\|(3),
\&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3),
\&\fBopenssl\-ciphers\fR\|(1)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBOSSL_default_cipher_list()\fR and \fBOSSL_default_ciphersites()\fR are new in 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3
index 20a6f0ee6b99..d2cb7ef02675 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CLIENT_CERT_CB 3ossl"
-.TH SSL_CTX_SET_CLIENT_CERT_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CLIENT_CERT_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb \- handle client certificate callback function
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,29 +73,29 @@ SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb \- handle client certific
\& int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
\& EVP_PKEY **pkey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_client_cert_cb()\fR sets the \fIclient_cert_cb\fR callback, that is
called when a client certificate is requested by a server and no certificate
-was yet set for the \s-1SSL\s0 object.
+was yet set for the SSL object.
.PP
-When \fIclient_cert_cb\fR is \s-1NULL,\s0 no callback function is used.
+When \fIclient_cert_cb\fR is NULL, no callback function is used.
.PP
\&\fBSSL_CTX_get_client_cert_cb()\fR returns a pointer to the currently set callback
function.
.PP
\&\fIclient_cert_cb\fR is the application defined callback. If it wants to
set a certificate, a certificate/private key combination must be set
-using the \fIx509\fR and \fIpkey\fR arguments and \*(L"1\*(R" must be returned. The
-certificate will be installed into \fIssl\fR, see the \s-1NOTES\s0 and \s-1BUGS\s0 sections.
-If no certificate should be set, \*(L"0\*(R" has to be returned and no certificate
+using the \fIx509\fR and \fIpkey\fR arguments and "1" must be returned. The
+certificate will be installed into \fIssl\fR, see the NOTES and BUGS sections.
+If no certificate should be set, "0" has to be returned and no certificate
will be sent. A negative return value will suspend the handshake and the
handshake function will return immediately. \fBSSL_get_error\fR\|(3)
-will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to indicate, that the handshake was
+will return SSL_ERROR_WANT_X509_LOOKUP to indicate, that the handshake was
suspended. The next call to the handshake function will again lead to the call
of \fIclient_cert_cb\fR. It is the job of the \fIclient_cert_cb\fR to store information
about the state of the last call, if required to continue.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
During a handshake (or renegotiation) a server may request a certificate
from the client. A client certificate must only be sent, when the server
@@ -179,7 +103,7 @@ did send the request.
.PP
When a certificate was set using the
\&\fBSSL_CTX_use_certificate\fR\|(3) family of functions,
-it will be sent to the server. The \s-1TLS\s0 standard requires that only a
+it will be sent to the server. The TLS standard requires that only a
certificate is sent, if it matches the list of acceptable CAs sent by the
server. This constraint is violated by the default behavior of the OpenSSL
library. Using the callback function it is possible to implement a proper
@@ -187,40 +111,40 @@ selection routine or to allow a user interaction to choose the certificate to
be sent.
.PP
If a callback function is defined and no certificate was yet defined for the
-\&\s-1SSL\s0 object, the callback function will be called.
+SSL object, the callback function will be called.
If the callback function returns a certificate, the OpenSSL library
-will try to load the private key and certificate data into the \s-1SSL\s0
+will try to load the private key and certificate data into the SSL
object using the \fBSSL_use_certificate()\fR and \fBSSL_use_private_key()\fR functions.
-Thus it will permanently install the certificate and key for this \s-1SSL\s0
+Thus it will permanently install the certificate and key for this SSL
object. It will not be reset by calling \fBSSL_clear\fR\|(3).
If the callback returns no certificate, the OpenSSL library will not send
a certificate.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_get_client_cert_cb()\fR returns function pointer of \fIclient_cert_cb\fR or
-\&\s-1NULL\s0 if the callback is not set.
-.SH "BUGS"
+NULL if the callback is not set.
+.SH BUGS
.IX Header "BUGS"
The \fIclient_cert_cb\fR cannot return a complete certificate chain, it can
only return one client certificate. If the chain only has a length of 2,
-the root \s-1CA\s0 certificate may be omitted according to the \s-1TLS\s0 standard and
+the root CA certificate may be omitted according to the TLS standard and
thus a standard conforming answer can be sent to the server. For a
longer chain, the client must send the complete chain (with the option
-to leave out the root \s-1CA\s0 certificate). This can only be accomplished by
-either adding the intermediate \s-1CA\s0 certificates into the trusted
-certificate store for the \s-1SSL_CTX\s0 object (resulting in having to add
-\&\s-1CA\s0 certificates that otherwise maybe would not be trusted), or by adding
+to leave out the root CA certificate). This can only be accomplished by
+either adding the intermediate CA certificates into the trusted
+certificate store for the SSL_CTX object (resulting in having to add
+CA certificates that otherwise maybe would not be trusted), or by adding
the chain certificates using the
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
-function, which is only available for the \s-1SSL_CTX\s0 object as a whole and that
+function, which is only available for the SSL_CTX object as a whole and that
therefore probably can only apply for one client certificate, making
the concept of the callback function (to allow the choice from several
certificates) questionable.
.PP
-Once the \s-1SSL\s0 object has been used in conjunction with the callback function,
-the certificate will be set for the \s-1SSL\s0 object and will not be cleared
+Once the SSL object has been used in conjunction with the callback function,
+the certificate will be set for the SSL object and will not be cleared
even when \fBSSL_clear\fR\|(3) is being called. It is therefore
-mandatory to destroy the \s-1SSL\s0 object using \fBSSL_free\fR\|(3)
+mandatory to destroy the SSL object using \fBSSL_free\fR\|(3)
and create a new one to return to the previous state.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -228,11 +152,11 @@ and create a new one to return to the previous state.
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3
index 76c3ceaa529e..1c8b9faad9cc 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CLIENT_HELLO_CB 3ossl"
-.TH SSL_CTX_SET_CLIENT_HELLO_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CLIENT_HELLO_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get0_ext \- callback functions for early server\-side ClientHello processing
-.SH "SYNOPSIS"
+.SH NAME
+SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get_extension_order, SSL_client_hello_get0_ext \- callback functions for early server\-side ClientHello processing
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 10
\& typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg);
@@ -153,10 +77,12 @@ SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_
\& const unsigned char **out);
\& int SSL_client_hello_get1_extensions_present(SSL *s, int **out,
\& size_t *outlen);
+\& int SSL_client_hello_get_extension_order(SSL *s, uint16_t *exts,
+\& size_t *num_exts);
\& int SSL_client_hello_get0_ext(SSL *s, unsigned int type, const unsigned char **out,
\& size_t *outlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_client_hello_cb()\fR sets the callback function, which is automatically
called during the early stages of ClientHello processing on the server.
@@ -166,7 +92,7 @@ connection to terminate, and callbacks returning failure should indicate
what alert value is to be sent in the \fBal\fR parameter. A callback may
also return a negative value to suspend the handshake, and the handshake
function will return immediately. \fBSSL_get_error\fR\|(3) will return
-\&\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0 to indicate that the handshake was suspended.
+SSL_ERROR_WANT_CLIENT_HELLO_CB to indicate that the handshake was suspended.
It is the job of the ClientHello callback to store information about the state
of the last call if needed to continue. On the next call into the handshake
function, the ClientHello callback will be called again, and, if it returns
@@ -177,7 +103,7 @@ SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial
differences from the normal SSLv3 format, including using three bytes per
cipher suite, and not allowing extensions. Additionally, the SSLv2 format
\&'challenge' field is exposed via \fBSSL_client_hello_get0_random()\fR, padded to
-\&\s-1SSL3_RANDOM_SIZE\s0 bytes with zeros if needed. For SSLv2 format ClientHellos,
+SSL3_RANDOM_SIZE bytes with zeros if needed. For SSLv2 format ClientHellos,
\&\fBSSL_client_hello_get0_compression_methods()\fR returns a dummy list that only includes
the null compression method, since the SSLv2 format does not include a
mechanism by which to negotiate compression.
@@ -198,19 +124,32 @@ in the output parameters (if present).
ClientHello before querying for them. The \fBout\fR and \fBoutlen\fR parameters are
both required, and on success the caller must release the storage allocated for
\&\fB*out\fR using \fBOPENSSL_free()\fR. The contents of \fB*out\fR is an array of integers
-holding the numerical value of the \s-1TLS\s0 extension types in the order they appear
+holding the numerical value of the TLS extension types in the order they appear
in the ClientHello. \fB*outlen\fR contains the number of elements in the array.
In situations when the ClientHello has no extensions, the function will return
-success with \fB*out\fR set to \s-1NULL\s0 and \fB*outlen\fR set to 0.
-.SH "NOTES"
+success with \fB*out\fR set to NULL and \fB*outlen\fR set to 0.
+.PP
+\&\fBSSL_client_hello_get_extension_order()\fR is similar to
+\&\fBSSL_client_hello_get1_extensions_present()\fR, without internal memory allocation.
+When called with \fBexts\fR set to NULL, returns the number of extensions
+(e.g., to allocate storage for a subsequent call). Otherwise, \fB*exts\fR is populated
+with the ExtensionType values in the order that the corresponding extensions
+appeared in the ClientHello. \fB*num_exts\fR is an input/output parameter, used
+as input to supply the size of storage allocated by the caller, and as output to
+indicate how many ExtensionType values were written. If the input \fB*num_exts\fR
+is smaller then the number of extensions in question, that is treated as an error.
+A subsequent call with \fBexts\fR set to NULL can retrieve the size of storage needed.
+A ClientHello that contained no extensions is treated as success, with \fB*num_exts\fR
+set to 0.
+.SH NOTES
.IX Header "NOTES"
The ClientHello callback provides a vast window of possibilities for application
-code to affect the \s-1TLS\s0 handshake. A primary use of the callback is to
+code to affect the TLS handshake. A primary use of the callback is to
allow the server to examine the server name indication extension provided
by the client in order to select an appropriate certificate to present,
and make other configuration adjustments relevant to that server name
and its configuration. Such configuration changes can include swapping out
-the associated \s-1SSL_CTX\s0 pointer, modifying the server's list of permitted \s-1TLS\s0
+the associated SSL_CTX pointer, modifying the server's list of permitted TLS
versions, changing the server's cipher list in response to the client's
cipher list, etc.
.PP
@@ -224,8 +163,8 @@ within a ClientHello callback.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The application's supplied ClientHello callback returns
-\&\s-1SSL_CLIENT_HELLO_SUCCESS\s0 on success, \s-1SSL_CLIENT_HELLO_ERROR\s0 on failure, and
-\&\s-1SSL_CLIENT_HELLO_RETRY\s0 to suspend processing.
+SSL_CLIENT_HELLO_SUCCESS on success, SSL_CLIENT_HELLO_ERROR on failure, and
+SSL_CLIENT_HELLO_RETRY to suspend processing.
.PP
\&\fBSSL_client_hello_isv2()\fR returns 1 for SSLv2\-format ClientHellos and 0 otherwise.
.PP
@@ -239,22 +178,26 @@ should not be assumed to be valid.
0 otherwise.
.PP
\&\fBSSL_client_hello_get1_extensions_present()\fR returns 1 on success and 0 on failure.
+.PP
+\&\fBSSL_client_hello_get_extension_order()\fR returns 1 on success and 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_tlsext_servername_callback\fR\|(3),
\&\fBSSL_bytes_to_cipher_list\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1SSL\s0 ClientHello callback, \fBSSL_client_hello_isv2()\fR,
+The SSL ClientHello callback, \fBSSL_client_hello_isv2()\fR,
\&\fBSSL_client_hello_get0_random()\fR, \fBSSL_client_hello_get0_session_id()\fR,
\&\fBSSL_client_hello_get0_ciphers()\fR, \fBSSL_client_hello_get0_compression_methods()\fR,
\&\fBSSL_client_hello_get0_ext()\fR, and \fBSSL_client_hello_get1_extensions_present()\fR
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+\&\fBSSL_client_hello_get_extension_order()\fR
+was added in OpenSSL 3.2.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3
index be458dd5d995..653c251555f6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl"
-.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ssl_ct_validation_cb,
SSL_enable_ct, SSL_CTX_enable_ct, SSL_disable_ct, SSL_CTX_disable_ct,
SSL_set_ct_validation_callback, SSL_CTX_set_ct_validation_callback,
SSL_ct_is_enabled, SSL_CTX_ct_is_enabled \-
control Certificate Transparency policy
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -162,20 +86,20 @@ control Certificate Transparency policy
\& int SSL_ct_is_enabled(const SSL *s);
\& int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_enable_ct()\fR and \fBSSL_CTX_enable_ct()\fR enable the processing of signed
-certificate timestamps (SCTs) either for a given \s-1SSL\s0 connection or for all
-connections that share the given \s-1SSL\s0 context, respectively.
-This is accomplished by setting a built-in \s-1CT\s0 validation callback.
+certificate timestamps (SCTs) either for a given SSL connection or for all
+connections that share the given SSL context, respectively.
+This is accomplished by setting a built-in CT validation callback.
The behaviour of the callback is determined by the \fBvalidation_mode\fR argument,
-which can be either of \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR or
-\&\fB\s-1SSL_CT_VALIDATION_STRICT\s0\fR as described below.
+which can be either of \fBSSL_CT_VALIDATION_PERMISSIVE\fR or
+\&\fBSSL_CT_VALIDATION_STRICT\fR as described below.
.PP
-If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_STRICT\s0\fR, then in a full
-\&\s-1TLS\s0 handshake with the verification mode set to \fB\s-1SSL_VERIFY_PEER\s0\fR, if the peer
+If \fBvalidation_mode\fR is equal to \fBSSL_CT_VALIDATION_STRICT\fR, then in a full
+TLS handshake with the verification mode set to \fBSSL_VERIFY_PEER\fR, if the peer
presents no valid SCTs the handshake will be aborted.
-If the verification mode is \fB\s-1SSL_VERIFY_NONE\s0\fR, the handshake will continue
+If the verification mode is \fBSSL_VERIFY_NONE\fR, the handshake will continue
despite lack of valid SCTs.
However, in that case if the verification status before the built-in callback
was \fBX509_V_OK\fR it will be set to \fBX509_V_ERR_NO_VALID_SCTS\fR after the
@@ -185,15 +109,15 @@ handshake completion, even after session resumption since the verification
status is part of the saved session state.
See \fBSSL_set_verify\fR\|(3), <\fBSSL_get_verify_result\fR\|(3)>, \fBSSL_session_reused\fR\|(3).
.PP
-If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR, then the
+If \fBvalidation_mode\fR is equal to \fBSSL_CT_VALIDATION_PERMISSIVE\fR, then the
handshake continues, and the verification status is not modified, regardless of
the validation status of any SCTs.
The application can still inspect the validation status of the SCTs at
handshake completion.
Note that with session resumption there will not be any SCTs presented during
the handshake.
-Therefore, in applications that delay \s-1SCT\s0 policy enforcement until after
-handshake completion, such delayed \s-1SCT\s0 checks should only be performed when the
+Therefore, in applications that delay SCT policy enforcement until after
+handshake completion, such delayed SCT checks should only be performed when the
session is not resumed.
.PP
\&\fBSSL_set_ct_validation_callback()\fR and \fBSSL_CTX_set_ct_validation_callback()\fR
@@ -201,7 +125,7 @@ register a custom callback that may implement a different policy than either of
the above.
This callback can examine the peer's SCTs and determine whether they are
sufficient to allow the connection to continue.
-The \s-1TLS\s0 handshake is aborted if the verification mode is not \fB\s-1SSL_VERIFY_NONE\s0\fR
+The TLS handshake is aborted if the verification mode is not \fBSSL_VERIFY_NONE\fR
and the callback returns a non-positive result.
.PP
An arbitrary callback data argument, \fBarg\fR, can be passed in when setting
@@ -217,30 +141,30 @@ employing an anonymous (aNULL) cipher suite.
In that case the handshake continues as it would had no callback been
requested.
Callbacks are also not invoked when the peer certificate chain is invalid or
-validated via \s-1\fBDANE\-TA\s0\fR\|(2) or \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records which use a private X.509
-\&\s-1PKI,\s0 or no X.509 \s-1PKI\s0 at all, respectively.
+validated via \fBDANE\-TA\fR\|(2) or \fBDANE\-EE\fR\|(3) TLSA records which use a private X.509
+PKI, or no X.509 PKI at all, respectively.
Clients that require SCTs are expected to not have enabled any aNULL ciphers
-nor to have specified server verification via \s-1\fBDANE\-TA\s0\fR\|(2) or \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0
+nor to have specified server verification via \fBDANE\-TA\fR\|(2) or \fBDANE\-EE\fR\|(3) TLSA
records.
.PP
-\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR turn off \s-1CT\s0 processing, whether
-enabled via the built-in or the custom callbacks, by setting a \s-1NULL\s0 callback.
+\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR turn off CT processing, whether
+enabled via the built-in or the custom callbacks, by setting a NULL callback.
These may be implemented as macros.
.PP
-\&\fBSSL_ct_is_enabled()\fR and \fBSSL_CTX_ct_is_enabled()\fR return 1 if \s-1CT\s0 processing is
+\&\fBSSL_ct_is_enabled()\fR and \fBSSL_CTX_ct_is_enabled()\fR return 1 if CT processing is
enabled via either \fBSSL_enable_ct()\fR or a non-null custom callback, and 0
otherwise.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When \s-1SCT\s0 processing is enabled, \s-1OCSP\s0 stapling will be enabled. This is because
-one possible source of SCTs is the \s-1OCSP\s0 response from a server.
+When SCT processing is enabled, OCSP stapling will be enabled. This is because
+one possible source of SCTs is the OCSP response from a server.
.PP
-The time returned by \fBSSL_SESSION_get_time()\fR will be used to evaluate whether any
+The time returned by \fBSSL_SESSION_get_time_ex()\fR will be used to evaluate whether any
presented SCTs have timestamps that are in the future (and therefore invalid).
-.SH "RESTRICTIONS"
+.SH RESTRICTIONS
.IX Header "RESTRICTIONS"
Certificate Transparency validation cannot be enabled and so a callback cannot
-be set if a custom client extension handler has been registered to handle \s-1SCT\s0
+be set if a custom client extension handler has been registered to handle SCT
extensions (\fBTLSEXT_TYPE_signed_certificate_timestamp\fR).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -252,8 +176,8 @@ been setup to handle SCTs.
.PP
\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR do not return a result.
.PP
-\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non-null \s-1CT\s0
-validation callback is set, or 0 if no callback (or equivalently a \s-1NULL\s0
+\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non-null CT
+validation callback is set, or 0 if no callback (or equivalently a NULL
callback) is set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -263,11 +187,11 @@ callback) is set.
\&\fBSSL_set_verify\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3
index dbfcb74e54d9..b66cf4b88231 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CTLOG_LIST_FILE 3ossl"
-.TH SSL_CTX_SET_CTLOG_LIST_FILE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_CTLOG_LIST_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_default_ctlog_list_file, SSL_CTX_set_ctlog_list_file \-
load a Certificate Transparency log list from a file
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,17 +71,17 @@ load a Certificate Transparency log list from a file
\& int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx);
\& int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_default_ctlog_list_file()\fR loads a list of Certificate Transparency
-(\s-1CT\s0) logs from the default file location, \*(L"ct_log_list.cnf\*(R", found in the
+(CT) logs from the default file location, "ct_log_list.cnf", found in the
directory where OpenSSL is installed.
.PP
-\&\fBSSL_CTX_set_ctlog_list_file()\fR loads a list of \s-1CT\s0 logs from a specific path.
+\&\fBSSL_CTX_set_ctlog_list_file()\fR loads a list of CT logs from a specific path.
See \fBCTLOG_STORE_new\fR\|(3) for the file format.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-These functions will not clear the existing \s-1CT\s0 log list \- it will be appended
+These functions will not clear the existing CT log list \- it will be appended
to. To replace the existing list, use \fBSSL_CTX_set0_ctlog_store\fR\|(3) first.
.PP
If an error occurs whilst parsing a particular log entry in the file, that log
@@ -172,11 +96,11 @@ the case of an error, the log list may have been partially loaded.
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_ct_validation_callback\fR\|(3),
\&\fBCTLOG_STORE_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3
index 80719028c1c6..3dcb2a0c5592 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl"
-.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata,
SSL_CTX_get_default_passwd_cb, SSL_CTX_get_default_passwd_cb_userdata,
SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata,
SSL_get_default_passwd_cb, SSL_get_default_passwd_cb_userdata \- set or
get passwd callback for encrypted PEM file handling
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -157,25 +81,25 @@ get passwd callback for encrypted PEM file handling
\& pem_password_cb *SSL_get_default_passwd_cb(SSL *s);
\& void *SSL_get_default_passwd_cb_userdata(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_default_passwd_cb()\fR sets the default password callback called
-when loading/storing a \s-1PEM\s0 certificate with encryption.
+when loading/storing a PEM certificate with encryption.
.PP
\&\fBSSL_CTX_set_default_passwd_cb_userdata()\fR sets a pointer to userdata, \fBu\fR,
which will be provided to the password callback on invocation.
.PP
\&\fBSSL_CTX_get_default_passwd_cb()\fR returns a function pointer to the password
callback currently set in \fBctx\fR. If no callback was explicitly set, the
-\&\s-1NULL\s0 pointer is returned.
+NULL pointer is returned.
.PP
\&\fBSSL_CTX_get_default_passwd_cb_userdata()\fR returns a pointer to the userdata
-currently set in \fBctx\fR. If no userdata was explicitly set, the \s-1NULL\s0 pointer
+currently set in \fBctx\fR. If no userdata was explicitly set, the NULL pointer
is returned.
.PP
\&\fBSSL_set_default_passwd_cb()\fR, \fBSSL_set_default_passwd_cb_userdata()\fR,
\&\fBSSL_get_default_passwd_cb()\fR and \fBSSL_get_default_passwd_cb_userdata()\fR perform
-the same function as their \s-1SSL_CTX\s0 counterparts, but using an \s-1SSL\s0 object.
+the same function as their SSL_CTX counterparts, but using an SSL object.
.PP
The password callback, which must be provided by the application, hands back the
password to be used during decryption.
@@ -186,7 +110,7 @@ be returned to the calling function. \fBrwflag\fR indicates whether the
callback is used for reading/decryption (rwflag=0) or writing/encryption
(rwflag=1).
For more details, see \fBpem_password_cb\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When loading or storing private keys, a password might be supplied to
protect the private key. The way this password can be supplied may depend
@@ -203,12 +127,12 @@ In this case the password dialog may ask for the same password twice
for comparison in order to catch typos, that would make decryption
impossible.
.PP
-Other items in \s-1PEM\s0 formatting (certificates) can also be encrypted, it is
+Other items in PEM formatting (certificates) can also be encrypted, it is
however not usual, as certificate information is considered public.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions do not provide diagnostic information.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The following example returns the password provided as userdata to the
calling function. The password is considered to be a '\e0' terminated
@@ -227,16 +151,16 @@ truncated.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_use_certificate\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_CTX_get_default_passwd_cb()\fR, \fBSSL_CTX_get_default_passwd_cb_userdata()\fR,
\&\fBSSL_set_default_passwd_cb()\fR and \fBSSL_set_default_passwd_cb_userdata()\fR were
added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3
new file mode 100644
index 000000000000..3fef3c4f82a9
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_domain_flags.3
@@ -0,0 +1,164 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_CTX_SET_DOMAIN_FLAGS 3ossl"
+.TH SSL_CTX_SET_DOMAIN_FLAGS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_CTX_set_domain_flags, SSL_CTX_get_domain_flags, SSL_get_domain_flags,
+SSL_DOMAIN_FLAG_SINGLE_THREAD,
+SSL_DOMAIN_FLAG_MULTI_THREAD,
+SSL_DOMAIN_FLAG_THREAD_ASSISTED,
+SSL_DOMAIN_FLAG_BLOCKING,
+SSL_DOMAIN_FLAG_LEGACY_BLOCKING
+\&\- control the concurrency model used by a QUIC domain
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_DOMAIN_FLAG_SINGLE_THREAD
+\& #define SSL_DOMAIN_FLAG_MULTI_THREAD
+\& #define SSL_DOMAIN_FLAG_LEGACY_BLOCKING
+\& #define SSL_DOMAIN_FLAG_BLOCKING
+\& #define SSL_DOMAIN_FLAG_THREAD_ASSISTED
+\&
+\& int SSL_CTX_set_domain_flags(SSL_CTX *ctx, uint64_t flags);
+\& int SSL_CTX_get_domain_flags(SSL_CTX *ctx, uint64_t *flags);
+\&
+\& int SSL_get_domain_flags(SSL *ssl, uint64_t *flags);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_CTX_set_domain_flags()\fR and \fBSSL_CTX_get_domain_flags()\fR set and get the QUIC
+domain flags on a \fBSSL_CTX\fR using a QUIC \fBSSL_METHOD\fR. These flags determine
+the concurrency model which is used for a QUIC domain. A detailed introduction
+to these concepts can be found in \fBopenssl\-quic\-concurrency\fR\|(7).
+.PP
+Applications may use either one the flags here:
+.IP \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR 4
+.IX Item "SSL_DOMAIN_FLAG_SINGLE_THREAD"
+Specifying this flag configures the Single-Threaded Concurrency Model (SCM).
+.IP \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR 4
+.IX Item "SSL_DOMAIN_FLAG_MULTI_THREAD"
+Speciyfing this flag configures the Contentive Concurrency Model (CCM) (unless
+\&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR is also specified).
+.Sp
+If OpenSSL was built without thread support, this is identical to
+\&\fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR.
+.IP \fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR 4
+.IX Item "SSL_DOMAIN_FLAG_THREAD_ASSISTED"
+Specifying this flag configures the Thread-Assisted Concurrency Model (TACM).
+It implies \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR and \fBSSL_DOMAIN_FLAG_BLOCKING\fR.
+.Sp
+This concurrency model is not available if OpenSSL was built without thread
+support, in which case attempting to configure it will result in an error.
+.IP \fBSSL_DOMAIN_FLAG_BLOCKING\fR 4
+.IX Item "SSL_DOMAIN_FLAG_BLOCKING"
+Enable reliable support for blocking I/O calls, allocating whatever OS resources
+are necessary to realise this. If this flag is specified,
+\&\fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR is ignored.
+.IP \fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR 4
+.IX Item "SSL_DOMAIN_FLAG_LEGACY_BLOCKING"
+Enables legacy blocking compatibility mode. See
+"Legacy Blocking Support Compatibility" in \fBopenssl\-quic\-concurrency\fR\|(7).
+.PP
+Mutually exclusive flag combinations result in an error (for example, combining
+\&\fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR and \fBSSL_DOMAIN_FLAG_MULTI_THREADED\fR).
+.PP
+Because exactly one concurrency model must be chosen, the domain flags cannot be
+set to 0 and attempting to do so will result in an error.
+.PP
+Changing these flags using \fBSSL_CTX_set_domain_flags()\fR has no effect on QUIC
+domains which have already been created.
+.PP
+The default set of domain flags set on a newly created \fBSSL_CTX\fR may vary by
+OpenSSL version, chosen \fBSSL_METHOD\fR, and operating environment. See
+\&\fBopenssl\-quic\-concurrency\fR\|(7) for details. An application can retrieve the
+default domain flags by calling \fBSSL_CTX_get_domain_flags()\fR immediately after
+constructing a \fBSSL_CTX\fR.
+.PP
+\&\fBSSL_get_domain_flags()\fR retrieves the domain flags which are effective for a QUIC
+domain when called on any QUIC SSL object under that domain.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_CTX_set_domain_flags()\fR, \fBSSL_CTX_get_domain_flags()\fR and
+\&\fBSSL_get_domain_flags()\fR return 1 on success and 0 on failure.
+.PP
+\&\fBSSL_CTX_set_domain_flags()\fR fails if called with a set of flags which are
+inconsistent or which cannot be supported given the current environment.
+.PP
+\&\fBSSL_CTX_set_domain_flags()\fR and \fBSSL_CTX_get_domain_flags()\fR fail if called on a
+\&\fBSSL_CTX\fR which is not using a QUIC \fBSSL_METHOD\fR.
+.PP
+\&\fBSSL_get_domain_flags()\fR fails if called on a non-QUIC SSL object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_new_domain\fR\|(3), \fBopenssl\-quic\-concurrency\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in \f(CW@QUIC_SERVER_VERSION\fR@.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3
index 70e169bb1d1c..18390c34e21e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_GENERATE_SESSION_ID 3ossl"
-.TH SSL_CTX_SET_GENERATE_SESSION_ID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_GENERATE_SESSION_ID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_generate_session_id, SSL_set_generate_session_id,
SSL_has_matching_session_id, GEN_SESSION_CB
\&\- manipulate generation of SSL session IDs (server only)
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -153,18 +77,18 @@ SSL_has_matching_session_id, GEN_SESSION_CB
\& int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
\& unsigned int id_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_generate_session_id()\fR sets the callback function for generating
-new session ids for \s-1SSL/TLS\s0 sessions for \fBctx\fR to be \fBcb\fR.
+new session ids for SSL/TLS sessions for \fBctx\fR to be \fBcb\fR.
.PP
\&\fBSSL_set_generate_session_id()\fR sets the callback function for generating
-new session ids for \s-1SSL/TLS\s0 sessions for \fBssl\fR to be \fBcb\fR.
+new session ids for SSL/TLS sessions for \fBssl\fR to be \fBcb\fR.
.PP
\&\fBSSL_has_matching_session_id()\fR checks, whether a session with id \fBid\fR
(of length \fBid_len\fR) is already contained in the internal session cache
of the parent context of \fBssl\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When a new session is established between client and server, the server
generates a session id. The session id is an arbitrary sequence of bytes.
@@ -222,7 +146,7 @@ return 1 on success and 0 for failure.
.PP
\&\fBSSL_has_matching_session_id()\fR returns 1 if another session with the
same id is already in the cache, or 0 otherwise.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The callback function listed will generate a session id with the
server id given, and will fill the rest with pseudo random bytes:
@@ -257,11 +181,11 @@ server id given, and will fill the rest with pseudo random bytes:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_version\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3
index 5f33015ff07e..ed99037af154 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,161 +52,105 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_INFO_CALLBACK 3ossl"
-.TH SSL_CTX_SET_INFO_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_INFO_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_info_callback,
SSL_CTX_get_info_callback,
SSL_set_info_callback,
SSL_get_info_callback
\&\- handle information callback for SSL connections
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
-\& void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
-\& void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
+\& void SSL_CTX_set_info_callback(SSL_CTX *ctx,
+\& void (*callback) (const SSL *ssl, int type, int val));
+\&
+\& void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type, int val);
+\&
+\& void SSL_set_info_callback(SSL *ssl,
+\& void (*callback) (const SSL *ssl, int type, int val));
\&
-\& void SSL_set_info_callback(SSL *ssl, void (*callback)());
-\& void (*SSL_get_info_callback(const SSL *ssl))();
+\& void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type, int val);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_info_callback()\fR sets the \fBcallback\fR function, that can be used to
-obtain state information for \s-1SSL\s0 objects created from \fBctx\fR during connection
+obtain state information for SSL objects created from \fBctx\fR during connection
setup and use. The setting for \fBctx\fR is overridden from the setting for
-a specific \s-1SSL\s0 object, if specified.
-When \fBcallback\fR is \s-1NULL,\s0 no callback function is used.
+a specific SSL object, if specified.
+When \fBcallback\fR is NULL, no callback function is used.
.PP
\&\fBSSL_set_info_callback()\fR sets the \fBcallback\fR function, that can be used to
obtain state information for \fBssl\fR during connection setup and use.
-When \fBcallback\fR is \s-1NULL,\s0 the callback setting currently valid for
-\&\fBctx\fR is used.
+When \fBcallback\fR is NULL, the callback setting currently valid for
+\&\fBctx\fR is used. \fBssl\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBSSL_CTX_get_info_callback()\fR returns a pointer to the currently set information
callback function for \fBctx\fR.
.PP
\&\fBSSL_get_info_callback()\fR returns a pointer to the currently set information
callback function for \fBssl\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When setting up a connection and during use, it is possible to obtain state
-information from the \s-1SSL/TLS\s0 engine. When set, an information callback function
+information from the SSL/TLS engine. When set, an information callback function
is called whenever a significant event occurs such as: the state changes,
an alert appears, or an error occurs.
.PP
-The callback function is called as \fBcallback(\s-1SSL\s0 *ssl, int where, int ret)\fR.
+The callback function is called as \fBcallback(SSL *ssl, int where, int ret)\fR.
The \fBwhere\fR argument specifies information about where (in which context)
the callback function was called. If \fBret\fR is 0, an error condition occurred.
-If an alert is handled, \s-1SSL_CB_ALERT\s0 is set and \fBret\fR specifies the alert
+If an alert is handled, SSL_CB_ALERT is set and \fBret\fR specifies the alert
information.
.PP
\&\fBwhere\fR is a bit-mask made up of the following bits:
-.IP "\s-1SSL_CB_LOOP\s0" 4
+.IP SSL_CB_LOOP 4
.IX Item "SSL_CB_LOOP"
Callback has been called to indicate state change or some other significant
state machine event. This may mean that the callback gets invoked more than once
per state in some situations.
-.IP "\s-1SSL_CB_EXIT\s0" 4
+.IP SSL_CB_EXIT 4
.IX Item "SSL_CB_EXIT"
Callback has been called to indicate exit of a handshake function. This will
happen after the end of a handshake, but may happen at other times too such as
-on error or when \s-1IO\s0 might otherwise block and nonblocking is being used.
-.IP "\s-1SSL_CB_READ\s0" 4
+on error or when IO might otherwise block and nonblocking is being used.
+.IP SSL_CB_READ 4
.IX Item "SSL_CB_READ"
Callback has been called during read operation.
-.IP "\s-1SSL_CB_WRITE\s0" 4
+.IP SSL_CB_WRITE 4
.IX Item "SSL_CB_WRITE"
Callback has been called during write operation.
-.IP "\s-1SSL_CB_ALERT\s0" 4
+.IP SSL_CB_ALERT 4
.IX Item "SSL_CB_ALERT"
Callback has been called due to an alert being sent or received.
-.IP "\s-1SSL_CB_READ_ALERT\s0 (SSL_CB_ALERT|SSL_CB_READ)" 4
+.IP "SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)" 4
.IX Item "SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)"
.PD 0
-.IP "\s-1SSL_CB_WRITE_ALERT\s0 (SSL_CB_ALERT|SSL_CB_WRITE)" 4
+.IP "SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)" 4
.IX Item "SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)"
-.IP "\s-1SSL_CB_ACCEPT_LOOP\s0 (SSL_ST_ACCEPT|SSL_CB_LOOP)" 4
+.IP "SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)" 4
.IX Item "SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)"
-.IP "\s-1SSL_CB_ACCEPT_EXIT\s0 (SSL_ST_ACCEPT|SSL_CB_EXIT)" 4
+.IP "SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)" 4
.IX Item "SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)"
-.IP "\s-1SSL_CB_CONNECT_LOOP\s0 (SSL_ST_CONNECT|SSL_CB_LOOP)" 4
+.IP "SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)" 4
.IX Item "SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)"
-.IP "\s-1SSL_CB_CONNECT_EXIT\s0 (SSL_ST_CONNECT|SSL_CB_EXIT)" 4
+.IP "SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)" 4
.IX Item "SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)"
-.IP "\s-1SSL_CB_HANDSHAKE_START\s0" 4
+.IP SSL_CB_HANDSHAKE_START 4
.IX Item "SSL_CB_HANDSHAKE_START"
.PD
Callback has been called because a new handshake is started. It also occurs when
resuming a handshake following a pause to handle early data.
-.IP "\s-1SSL_CB_HANDSHAKE_DONE\s0" 4
+.IP SSL_CB_HANDSHAKE_DONE 4
.IX Item "SSL_CB_HANDSHAKE_DONE"
Callback has been called because a handshake is finished. It also occurs if the
handshake is paused to allow the exchange of early data.
@@ -237,13 +165,13 @@ The \fBret\fR information can be evaluated using the
\&\fBSSL_set_info_callback()\fR does not provide diagnostic information.
.PP
\&\fBSSL_get_info_callback()\fR returns the current setting.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The following example callback function prints state strings, information
-about alerts being handled and error messages to the \fBbio_err\fR \s-1BIO.\s0
+about alerts being handled and error messages to the \fBbio_err\fR BIO.
.PP
.Vb 4
-\& void apps_ssl_info_callback(SSL *s, int where, int ret)
+\& void apps_ssl_info_callback(const SSL *s, int where, int ret)
\& {
\& const char *str;
\& int w = where & ~SSL_ST_MASK;
@@ -277,11 +205,11 @@ about alerts being handled and error messages to the \fBbio_err\fR \s-1BIO.\s0
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_state_string\fR\|(3),
\&\fBSSL_alert_type_string\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3
index 392f295a0e70..19252e1a552e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_KEYLOG_CALLBACK 3ossl"
-.TH SSL_CTX_SET_KEYLOG_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_KEYLOG_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_keylog_callback, SSL_CTX_get_keylog_callback,
SSL_CTX_keylog_cb_func \- logging TLS key material
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,34 +73,34 @@ SSL_CTX_keylog_cb_func \- logging TLS key material
\& void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
\& SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_set_keylog_callback()\fR sets the \s-1TLS\s0 key logging callback. This callback
-is called whenever \s-1TLS\s0 key material is generated or received, in order to allow
+\&\fBSSL_CTX_set_keylog_callback()\fR sets the TLS key logging callback. This callback
+is called whenever TLS key material is generated or received, in order to allow
applications to store this keying material for debugging purposes.
.PP
-\&\fBSSL_CTX_get_keylog_callback()\fR retrieves the previously set \s-1TLS\s0 key logging
-callback. If no callback has been set, this will return \s-1NULL.\s0 When there is no
-key logging callback, or if SSL_CTX_set_keylog_callback is called with \s-1NULL\s0 as
+\&\fBSSL_CTX_get_keylog_callback()\fR retrieves the previously set TLS key logging
+callback. If no callback has been set, this will return NULL. When there is no
+key logging callback, or if SSL_CTX_set_keylog_callback is called with NULL as
the value of cb, no logging of key material will be done.
.PP
The key logging callback is called with two items: the \fBssl\fR object associated
with the connection, and \fBline\fR, a string containing the key material in the
-format used by \s-1NSS\s0 for its \fB\s-1SSLKEYLOGFILE\s0\fR debugging output. To recreate that
+format used by NSS for its \fBSSLKEYLOGFILE\fR debugging output. To recreate that
file, the key logging callback should log \fBline\fR, followed by a newline.
\&\fBline\fR will always be a NUL-terminated string.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_get_keylog_callback()\fR returns a pointer to \fBSSL_CTX_keylog_cb_func\fR or
-\&\s-1NULL\s0 if the callback is not set.
+NULL if the callback is not set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3
index e289950c767d..7f1e66afb919 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MAX_CERT_LIST 3ossl"
-.TH SSL_CTX_SET_MAX_CERT_LIST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_MAX_CERT_LIST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer's certificate chain
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,11 +73,11 @@ SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL
\& long SSL_set_max_cert_list(SSL *ssl, long size);
\& long SSL_get_max_cert_list(SSL *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's
-certificate chain for all \s-1SSL\s0 objects created from \fBctx\fR to be <size> bytes.
-The \s-1SSL\s0 objects inherit the setting valid for \fBctx\fR at the time
+certificate chain for all SSL objects created from \fBctx\fR to be <size> bytes.
+The SSL objects inherit the setting valid for \fBctx\fR at the time
\&\fBSSL_new\fR\|(3) is being called.
.PP
\&\fBSSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR.
@@ -163,25 +87,25 @@ certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid
until a new value is set.
.PP
\&\fBSSL_get_max_cert_list()\fR returns the currently set maximum size for \fBssl\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
During the handshake process, the peer may send a certificate chain.
-The \s-1TLS/SSL\s0 standard does not give any maximum size of the certificate chain.
+The TLS/SSL standard does not give any maximum size of the certificate chain.
The OpenSSL library handles incoming data by a dynamically allocated buffer.
In order to prevent this buffer from growing without bounds due to data
received from a faulty or malicious peer, a maximum size for the certificate
chain is set.
.PP
The default value for the maximum certificate chain size is 100kB (30kB
-on the 16\-bit \s-1DOS\s0 platform). This should be sufficient for usual certificate
+on the 16\-bit DOS platform). This should be sufficient for usual certificate
chains (OpenSSL's default maximum chain length is 10, see
\&\fBSSL_CTX_set_verify\fR\|(3), and certificates
without special extensions have a typical size of 1\-2kB).
.PP
For special applications it can be necessary to extend the maximum certificate
chain size allowed to be sent by the peer, see e.g. the work on
-\&\*(L"Internet X.509 Public Key Infrastructure Proxy Certificate Profile\*(R"
-and \*(L"\s-1TLS\s0 Delegation Protocol\*(R" at http://www.ietf.org/ and
+"Internet X.509 Public Key Infrastructure Proxy Certificate Profile"
+and "TLS Delegation Protocol" at http://www.ietf.org/ and
http://www.globus.org/ .
.PP
Under normal conditions it should never be necessary to set a value smaller
@@ -189,7 +113,7 @@ than the default, as the buffer is handled dynamically and only uses the
memory actually required by the data sent by the peer.
.PP
If the maximum certificate chain size allowed is exceeded, the handshake will
-fail with a \s-1SSL_R_EXCESSIVE_MESSAGE_SIZE\s0 error.
+fail with an SSL_R_EXCESSIVE_MESSAGE_SIZE error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_max_cert_list()\fR and \fBSSL_set_max_cert_list()\fR return the previously
@@ -201,11 +125,11 @@ set value.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3
index 1018aba5fda4..4c71629917cc 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MIN_PROTO_VERSION 3ossl"
-.TH SSL_CTX_SET_MIN_PROTO_VERSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_MIN_PROTO_VERSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version,
SSL_CTX_get_min_proto_version, SSL_CTX_get_max_proto_version,
SSL_set_min_proto_version, SSL_set_max_proto_version,
SSL_get_min_proto_version, SSL_get_max_proto_version \- Get and set minimum
and maximum supported protocol version
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -157,7 +81,7 @@ and maximum supported protocol version
\& int SSL_get_min_proto_version(SSL *ssl);
\& int SSL_get_max_proto_version(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions get or set the minimum and maximum supported protocol versions
for the \fBctx\fR or \fBssl\fR.
@@ -166,37 +90,41 @@ This works in combination with the options set via
specific protocol versions.
Use these functions instead of disabling specific protocol versions.
.PP
-Setting the minimum or maximum version to 0, will enable protocol
+Setting the minimum or maximum version to 0 (default), will enable protocol
versions down to the lowest version, or up to the highest version
-supported by the library, respectively.
+supported by the library, respectively. The supported versions might be
+controlled by system configuration.
.PP
Getters return 0 in case \fBctx\fR or \fBssl\fR have been configured to
automatically use the lowest or highest version supported by the library.
.PP
-Currently supported versions are \fB\s-1SSL3_VERSION\s0\fR, \fB\s-1TLS1_VERSION\s0\fR,
-\&\fB\s-1TLS1_1_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR, \fB\s-1TLS1_3_VERSION\s0\fR for \s-1TLS\s0 and
-\&\fB\s-1DTLS1_VERSION\s0\fR, \fB\s-1DTLS1_2_VERSION\s0\fR for \s-1DTLS.\s0
+Currently supported versions are \fBSSL3_VERSION\fR, \fBTLS1_VERSION\fR,
+\&\fBTLS1_1_VERSION\fR, \fBTLS1_2_VERSION\fR, \fBTLS1_3_VERSION\fR for TLS and
+\&\fBDTLS1_VERSION\fR, \fBDTLS1_2_VERSION\fR for DTLS.
+.PP
+In the current version of OpenSSL only QUICv1 is supported in conjunction with
+TLSv1.3. Calling these functions on a QUIC object has no effect.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These setter functions return 1 on success and 0 on failure. The getter
functions return the configured version or 0 for auto-configuration of
lowest or highest protocol, respectively.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
All these functions are implemented using macros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_options\fR\|(3), \fBSSL_CONF_cmd\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The setter functions were added in OpenSSL 1.1.0. The getter functions
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3
index 032e46e2ebd9..0c76c288e3b2 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MODE 3ossl"
-.TH SSL_CTX_SET_MODE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_MODE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_mode, SSL_get_mode \- manipulate SSL engine mode
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -151,7 +75,7 @@ SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_
\& long SSL_CTX_get_mode(SSL_CTX *ctx);
\& long SSL_get_mode(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_mode()\fR adds the mode set via bit-mask in \fBmode\fR to \fBctx\fR.
Options already set before are not cleared.
@@ -164,10 +88,10 @@ Options already set before are not cleared.
\&\fBSSL_CTX_get_mode()\fR returns the mode set for \fBctx\fR.
.PP
\&\fBSSL_get_mode()\fR returns the mode set for \fBssl\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The following mode changes are available:
-.IP "\s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0" 4
+.IP SSL_MODE_ENABLE_PARTIAL_WRITE 4
.IX Item "SSL_MODE_ENABLE_PARTIAL_WRITE"
Allow SSL_write_ex(..., n, &r) to return with 0 < r < n (i.e. report success
when just a single record has been written). This works in a similar way for
@@ -176,70 +100,73 @@ report success once the complete chunk was written. Once \fBSSL_write_ex()\fR or
\&\fBSSL_write()\fR returns successful, \fBr\fR bytes have been written and the next call
to \fBSSL_write_ex()\fR or \fBSSL_write()\fR must only send the n\-r bytes left, imitating
the behaviour of \fBwrite()\fR.
-.IP "\s-1SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\s0" 4
+.Sp
+This mode cannot be enabled while in the middle of an incomplete write
+operation.
+.IP SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 4
.IX Item "SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER"
Make it possible to retry \fBSSL_write_ex()\fR or \fBSSL_write()\fR with changed buffer
location (the buffer contents must stay the same). This is not the default to
avoid the misconception that nonblocking \fBSSL_write()\fR behaves like
nonblocking \fBwrite()\fR.
-.IP "\s-1SSL_MODE_AUTO_RETRY\s0" 4
+.IP SSL_MODE_AUTO_RETRY 4
.IX Item "SSL_MODE_AUTO_RETRY"
During normal operations, non-application data records might need to be sent or
received that the application is not aware of.
If a non-application data record was processed,
\&\fBSSL_read_ex\fR\|(3) and \fBSSL_read\fR\|(3) can return with a failure and indicate the
-need to retry with \fB\s-1SSL_ERROR_WANT_READ\s0\fR.
+need to retry with \fBSSL_ERROR_WANT_READ\fR.
If such a non-application data record was processed, the flag
-\&\fB\s-1SSL_MODE_AUTO_RETRY\s0\fR causes it to try to process the next record instead of
+\&\fBSSL_MODE_AUTO_RETRY\fR causes it to try to process the next record instead of
returning.
.Sp
In a nonblocking environment applications must be prepared to handle
incomplete read/write operations.
-Setting \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR for a nonblocking \fB\s-1BIO\s0\fR will process
+Setting \fBSSL_MODE_AUTO_RETRY\fR for a nonblocking \fBBIO\fR will process
non-application data records until either no more data is available or
an application data record has been processed.
.Sp
In a blocking environment, applications are not always prepared to
deal with the functions returning intermediate reports such as retry
-requests, and setting the \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR flag will cause the functions
+requests, and setting the \fBSSL_MODE_AUTO_RETRY\fR flag will cause the functions
to only return after successfully processing an application data record or a
failure.
.Sp
-Turning off \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR can be useful with blocking \fB\s-1BIO\s0\fRs in case
+Turning off \fBSSL_MODE_AUTO_RETRY\fR can be useful with blocking \fBBIO\fRs in case
they are used in combination with something like \fBselect()\fR or \fBpoll()\fR.
Otherwise the call to \fBSSL_read()\fR or \fBSSL_read_ex()\fR might hang when a
non-application record was sent and no application data was sent.
-.IP "\s-1SSL_MODE_RELEASE_BUFFERS\s0" 4
+.IP SSL_MODE_RELEASE_BUFFERS 4
.IX Item "SSL_MODE_RELEASE_BUFFERS"
-When we no longer need a read buffer or a write buffer for a given \s-1SSL,\s0
+When we no longer need a read buffer or a write buffer for a given SSL,
then release the memory we were using to hold it.
Using this flag can
-save around 34k per idle \s-1SSL\s0 connection.
-This flag has no effect on \s-1SSL\s0 v2 connections, or on \s-1DTLS\s0 connections.
-.IP "\s-1SSL_MODE_SEND_FALLBACK_SCSV\s0" 4
+save around 34k per idle SSL connection.
+This flag has no effect on SSL v2 connections, or on DTLS connections.
+.IP SSL_MODE_SEND_FALLBACK_SCSV 4
.IX Item "SSL_MODE_SEND_FALLBACK_SCSV"
-Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
+Send TLS_FALLBACK_SCSV in the ClientHello.
To be set only by applications that reconnect with a downgraded protocol
version; see draft\-ietf\-tls\-downgrade\-scsv\-00 for details.
.Sp
-\&\s-1DO NOT ENABLE THIS\s0 if your application attempts a normal handshake.
+DO NOT ENABLE THIS if your application attempts a normal handshake.
Only use this in explicit fallback retries, following the guidance
in draft\-ietf\-tls\-downgrade\-scsv\-00.
-.IP "\s-1SSL_MODE_ASYNC\s0" 4
+.IP SSL_MODE_ASYNC 4
.IX Item "SSL_MODE_ASYNC"
-Enable asynchronous processing. \s-1TLS I/O\s0 operations may indicate a retry with
-\&\s-1SSL_ERROR_WANT_ASYNC\s0 with this mode set if an asynchronous capable engine is
+Enable asynchronous processing. TLS I/O operations may indicate a retry with
+SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is
used to perform cryptographic operations. See \fBSSL_get_error\fR\|(3).
-.IP "\s-1SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG\s0" 4
+.IP SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 4
.IX Item "SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG"
Older versions of OpenSSL had a bug in the computation of the label length
used for computing the endpoint-pair shared secret. The bug was that the
terminating zero was included in the length of the label. Setting this option
enables this behaviour to allow interoperability with such broken
implementations. Please note that setting this option breaks interoperability
-with correct implementations. This option only applies to \s-1DTLS\s0 over \s-1SCTP.\s0
+with correct implementations. This option only applies to DTLS over SCTP.
.PP
-All modes are off by default except for \s-1SSL_MODE_AUTO_RETRY\s0 which is on by
+All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by
default since 1.1.1.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -251,14 +178,14 @@ after adding \fBmode\fR.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or
\&\fBSSL_write\fR\|(3), \fBSSL_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-\&\s-1SSL_MODE_ASYNC\s0 was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+SSL_MODE_ASYNC was added in OpenSSL 1.1.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3
index c66e12b8a519..51cc2206b9eb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MSG_CALLBACK 3ossl"
-.TH SSL_CTX_SET_MSG_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_MSG_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_msg_callback,
SSL_CTX_set_msg_callback_arg,
SSL_set_msg_callback,
-SSL_set_msg_callback_arg
+SSL_set_msg_callback_arg,
+SSL_trace
\&\- install callback for observing protocol messages
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -158,11 +83,14 @@ SSL_set_msg_callback_arg
\& int content_type, const void *buf,
\& size_t len, SSL *ssl, void *arg));
\& void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
+\&
+\& void SSL_trace(int write_p, int version, int content_type,
+\& const void *buf, size_t len, SSL *ssl, void *arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_msg_callback()\fR or \fBSSL_set_msg_callback()\fR can be used to
-define a message callback function \fIcb\fR for observing all \s-1SSL/TLS\s0
+define a message callback function \fIcb\fR for observing all SSL/TLS/QUIC
protocol messages (such as handshake messages) that are received or
sent, as well as other events that occur during processing.
\&\fBSSL_CTX_set_msg_callback_arg()\fR and \fBSSL_set_msg_callback_arg()\fR
@@ -170,43 +98,52 @@ can be used to set argument \fIarg\fR to the callback function, which is
available for arbitrary application use.
.PP
\&\fBSSL_CTX_set_msg_callback()\fR and \fBSSL_CTX_set_msg_callback_arg()\fR specify
-default settings that will be copied to new \fB\s-1SSL\s0\fR objects by
+default settings that will be copied to new \fBSSL\fR objects by
\&\fBSSL_new\fR\|(3). \fBSSL_set_msg_callback()\fR and
-\&\fBSSL_set_msg_callback_arg()\fR modify the actual settings of an \fB\s-1SSL\s0\fR
-object. Using a \fB\s-1NULL\s0\fR pointer for \fIcb\fR disables the message callback.
+\&\fBSSL_set_msg_callback_arg()\fR modify the actual settings of an \fBSSL\fR
+object. Using a \fBNULL\fR pointer for \fIcb\fR disables the message callback.
.PP
-When \fIcb\fR is called by the \s-1SSL/TLS\s0 library the function arguments have the
+When \fIcb\fR is called by the SSL/TLS/QUIC library the function arguments have the
following meaning:
-.IP "\fIwrite_p\fR" 4
+.IP \fIwrite_p\fR 4
.IX Item "write_p"
This flag is \fB0\fR when a protocol message has been received and \fB1\fR
when a protocol message has been sent.
-.IP "\fIversion\fR" 4
+.IP \fIversion\fR 4
.IX Item "version"
The protocol version according to which the protocol message is
-interpreted by the library such as \fB\s-1TLS1_3_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR etc.
-This is set to 0 for the \s-1SSL3_RT_HEADER\s0 pseudo content type (see \s-1NOTES\s0 below).
-.IP "\fIcontent_type\fR" 4
+interpreted by the library such as \fBTLS1_3_VERSION\fR, \fBTLS1_2_VERSION\fR,
+\&\fBOSSL_QUIC1_VERSION\fR etc. For the SSL3_RT_HEADER pseudo
+content type (see NOTES below) this value will be the decoded
+version/legacy_version field of the record header.
+.IP \fIcontent_type\fR 4
.IX Item "content_type"
This is one of the content type values defined in the protocol specification
-(\fB\s-1SSL3_RT_CHANGE_CIPHER_SPEC\s0\fR, \fB\s-1SSL3_RT_ALERT\s0\fR, \fB\s-1SSL3_RT_HANDSHAKE\s0\fR; but never
-\&\fB\s-1SSL3_RT_APPLICATION_DATA\s0\fR because the callback will only be called for protocol
-messages). Alternatively it may be a \*(L"pseudo\*(R" content type. These pseudo
+(\fBSSL3_RT_CHANGE_CIPHER_SPEC\fR, \fBSSL3_RT_ALERT\fR, \fBSSL3_RT_HANDSHAKE\fR; but never
+\&\fBSSL3_RT_APPLICATION_DATA\fR because the callback will only be called for protocol
+messages). Alternatively it may be a "pseudo" content type. These pseudo
content types are used to signal some other event in the processing of data (see
-\&\s-1NOTES\s0 below).
+NOTES below).
.IP "\fIbuf\fR, \fIlen\fR" 4
.IX Item "buf, len"
\&\fIbuf\fR points to a buffer containing the protocol message or other data (in the
case of pseudo content types), which consists of \fIlen\fR bytes. The buffer is no
longer valid after the callback function has returned.
-.IP "\fIssl\fR" 4
+.IP \fIssl\fR 4
.IX Item "ssl"
-The \fB\s-1SSL\s0\fR object that received or sent the message.
-.IP "\fIarg\fR" 4
+The \fBSSL\fR object that received or sent the message.
+.IP \fIarg\fR 4
.IX Item "arg"
The user-defined argument optionally defined by
\&\fBSSL_CTX_set_msg_callback_arg()\fR or \fBSSL_set_msg_callback_arg()\fR.
-.SH "NOTES"
+.PP
+The \fBSSL_trace()\fR function can be used as a pre-written callback in a call to
+\&\fBSSL_CTX_set_msg_callback()\fR or \fBSSL_set_msg_callback()\fR. It requires a BIO to be
+set as the callback argument via \fBSSL_CTX_set_msg_callback_arg()\fR or
+\&\fBSSL_set_msg_callback_arg()\fR. Setting this callback will cause human readable
+diagostic tracing information about an SSL/TLS/QUIC connection to be written to
+the BIO.
+.SH NOTES
.IX Header "NOTES"
Protocol messages are passed to the callback function after decryption
and fragment collection where applicable. (Thus record boundaries are
@@ -219,21 +156,42 @@ processed.
.PP
Due to automatic protocol version negotiation, \fIversion\fR is not
necessarily the protocol version used by the sender of the message: If
-a \s-1TLS 1.0\s0 ClientHello message is received by an \s-1SSL 3\s0.0\-only server,
-\&\fIversion\fR will be \fB\s-1SSL3_VERSION\s0\fR.
+a TLS 1.0 ClientHello message is received by an SSL 3.0\-only server,
+\&\fIversion\fR will be \fBSSL3_VERSION\fR.
.PP
Pseudo content type values may be sent at various points during the processing
of data. The following pseudo content types are currently defined:
-.IP "\fB\s-1SSL3_RT_HEADER\s0\fR" 4
+.IP \fBSSL3_RT_HEADER\fR 4
.IX Item "SSL3_RT_HEADER"
-Used when a record is sent or received. The \fBbuf\fR contains the record header
+Used when a TLS record is sent or received. The \fBbuf\fR contains the record header
bytes only.
-.IP "\fB\s-1SSL3_RT_INNER_CONTENT_TYPE\s0\fR" 4
+.IP \fBSSL3_RT_INNER_CONTENT_TYPE\fR 4
.IX Item "SSL3_RT_INNER_CONTENT_TYPE"
Used when an encrypted TLSv1.3 record is sent or received. In encrypted TLSv1.3
records the content type in the record header is always
-\&\s-1SSL3_RT_APPLICATION_DATA.\s0 The real content type for the record is contained in
-an \*(L"inner\*(R" content type. \fBbuf\fR contains the encoded \*(L"inner\*(R" content type byte.
+SSL3_RT_APPLICATION_DATA. The real content type for the record is contained in
+an "inner" content type. \fBbuf\fR contains the encoded "inner" content type byte.
+.IP \fBSSL3_RT_QUIC_DATAGRAM\fR 4
+.IX Item "SSL3_RT_QUIC_DATAGRAM"
+Used when a QUIC datagram is sent or received.
+.IP \fBSSL3_RT_QUIC_PACKET\fR 4
+.IX Item "SSL3_RT_QUIC_PACKET"
+Used when a QUIC packet is sent or received.
+.IP \fBSSL3_RT_QUIC_FRAME_FULL\fR 4
+.IX Item "SSL3_RT_QUIC_FRAME_FULL"
+Used when a QUIC frame is sent or received. This is only used for non-crypto
+and stream data related frames. The full QUIC frame data is supplied.
+.IP \fBSSL3_RT_QUIC_FRAME_HEADER\fR 4
+.IX Item "SSL3_RT_QUIC_FRAME_HEADER"
+Used when a QUIC stream data or crypto frame is sent or received. Only the QUIC
+frame header data is supplied.
+.IP \fBSSL3_RT_QUIC_FRAME_PADDING\fR 4
+.IX Item "SSL3_RT_QUIC_FRAME_PADDING"
+Used when a sequence of one or more QUIC padding frames is sent or received.
+A padding frame consists of a single byte and it is common to have multiple
+such frames in a sequence. Rather than supplying each frame individually the
+callback will supply all the padding frames in one go via this pseudo content
+type.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_msg_callback()\fR, \fBSSL_CTX_set_msg_callback_arg()\fR, \fBSSL_set_msg_callback()\fR
@@ -241,14 +199,24 @@ and \fBSSL_set_msg_callback_arg()\fR do not return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The pseudo content type \fB\s-1SSL3_RT_INNER_CONTENT_TYPE\s0\fR was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+The pseudo content type \fBSSL3_RT_INNER_CONTENT_TYPE\fR was added in OpenSSL 1.1.1.
+.PP
+The pseudo content types \fBSSL3_RT_QUIC_DATAGRAM\fR, \fBSSL3_RT_QUIC_PACKET\fR,
+\&\fBSSL3_RT_QUIC_FRAME_FULL\fR, \fBSSL3_RT_QUIC_FRAME_HEADER\fR and
+\&\fBSSL3_RT_QUIC_FRAME_PADDING\fR were added in OpenSSL 3.2.
+.PP
+In versions previous to OpenSSL 3.0 \fIcb\fR was called with 0 as \fIversion\fR for
+the pseudo content type \fBSSL3_RT_HEADER\fR for TLS records.
+.PP
+In versions previous to OpenSSL 3.2 \fIcb\fR was called with 0 as \fIversion\fR for
+the pseudo content type \fBSSL3_RT_HEADER\fR for DTLS records.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3
new file mode 100644
index 000000000000..a7d20daed62a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_new_pending_conn_cb.3
@@ -0,0 +1,123 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl"
+.TH SSL_CTX_SET_NEW_PENDING_CONN_CB 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_CTX_set_new_pending_conn_cb, SSL_set_new_pending_conn_cb_fn \- callback function to report creation of QUIC connection SSL objects
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 5
+\& typedef int (*SSL_set_new_pending_conn_cb_fn)(SSL_CTX *c, SSL *new_ssl,
+\& void *arg);
+\& void SSL_CTX_set_new_pending_conn_cb(SSL_CTX *c,
+\& SSL_set_new_pending_conn_cb_fn *f,
+\& void *arg);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_CTX_set_new_pending_conn_cb()\fR sets the new_pending_conn callback function and
+associated application data argument \fIarg\fR. When using the QUIC transport, TLS
+handshake processing may occur independently from the thread which accepts the
+connection that the handshake is establishing. As such, \fBSSL\fR objects
+representing the connection may be allocated and initialized prior to a call to
+\&\fBSSL_accept_connection()\fR. This registered callback may be used to decorate the
+preallocated \fBSSL\fR object or create other associations with its parent
+\&\fBSSL\fR prior to a call to \fBSSL_accept_connection()\fR.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_CTX_set_new_pending_conn_cb()\fR returns no value.
+.PP
+\&\fBSSL_set_new_pending_conn_cb_fn()\fR returns an integer value. A return value of
+0 indicates that the QUIC stack must discard this newly created \fBSSL\fR object,
+implying that the associated new connection will not be available for handling
+on a subsequent call to \fBSSL_accept_connection()\fR. A nonzero return
+value is treated as success, allowing the new connection to be enqueued to the
+accept queue.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_set_ex_data\fR\|(3)
+.SH NOTES
+.IX Header "NOTES"
+Callbacks in QUIC connections have some limitations to them that should be taken
+into consideration when writing an application.
+.Sp
+.RS 4
+QUIC connections may begin processing prior to when an application calls
+\&\fBSSL_accept_connection()\fR on them. As such, it may occur that callbacks are
+delivered to applications' registered TLS callbacks prior to those SSL objects
+being returned in \fBSSL_accept_connection()\fR. Applications should expect this
+possibility.
+.Sp
+In particular no references should be held on SSL objects passed to callbacks
+for QUIC connections until such time as they are returned through a call to
+SSL_accept_connection.
+.RE
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_CTX_set_new_pending_conn_cb()\fR was added in OpenSSL 3.5
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3
index 048350e830bc..378d8192115d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_NUM_TICKETS 3ossl"
-.TH SSL_CTX_SET_NUM_TICKETS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_NUM_TICKETS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_num_tickets,
SSL_get_num_tickets,
SSL_CTX_set_num_tickets,
SSL_CTX_get_num_tickets,
SSL_new_session_ticket
\&\- control the number of TLSv1.3 session tickets that are issued
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -154,7 +78,7 @@ SSL_new_session_ticket
\& size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
\& int SSL_new_session_ticket(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_num_tickets()\fR and \fBSSL_set_num_tickets()\fR can be called for a server
application and set the number of TLSv1.3 session tickets that will be sent to
@@ -181,7 +105,7 @@ To issue tickets after other events (such as application-layer changes),
\&\fBSSL_new_session_ticket()\fR is used by a server application to request that a new
ticket be sent when it is safe to do so. New tickets are only allowed to be
sent in this manner after the initial handshake has completed, and only for
-\&\s-1TLS 1.3\s0 connections. By default, the ticket generation and transmission are
+TLS 1.3 connections. By default, the ticket generation and transmission are
delayed until the server is starting a new write operation, so that it is
bundled with other application data being written and properly aligned to a
record boundary. If the connection was at a record boundary when
@@ -210,16 +134,16 @@ that have been previously set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_new_session_ticket()\fR was added in OpenSSL 3.0.0.
\&\fBSSL_set_num_tickets()\fR, \fBSSL_get_num_tickets()\fR, \fBSSL_CTX_set_num_tickets()\fR, and
\&\fBSSL_CTX_get_num_tickets()\fR were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
index 33b23927973f..8e3dbfc2d0f1 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_OPTIONS 3ossl"
-.TH SSL_CTX_SET_OPTIONS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_OPTIONS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options,
SSL_clear_options, SSL_CTX_get_options, SSL_get_options,
SSL_get_secure_renegotiation_support \- manipulate SSL options
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -156,9 +80,10 @@ SSL_get_secure_renegotiation_support \- manipulate SSL options
\&
\& long SSL_get_secure_renegotiation_support(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBctx\fR.
+\&\fBctx\fR \fBMUST NOT\fR be NULL.
Options already set before are not cleared!
.PP
\&\fBSSL_set_options()\fR adds the options set via bit-mask in \fBoptions\fR to \fBssl\fR.
@@ -176,79 +101,84 @@ to \fBctx\fR.
\&\fBSSL_get_secure_renegotiation_support()\fR indicates whether the peer supports
secure renegotiation.
Note, this is implemented via a macro.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The behaviour of the \s-1SSL\s0 library can be changed by setting several options.
+The behaviour of the SSL library can be changed by setting several options.
The options are coded as bit-masks and can be combined by a bitwise \fBor\fR
operation (|).
.PP
\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR affect the (external)
-protocol behaviour of the \s-1SSL\s0 library. The (internal) behaviour of
-the \s-1API\s0 can be changed by using the similar
+protocol behaviour of the SSL library. The (internal) behaviour of
+the API can be changed by using the similar
\&\fBSSL_CTX_set_mode\fR\|(3) and \fBSSL_set_mode()\fR functions.
.PP
-During a handshake, the option settings of the \s-1SSL\s0 object are used. When
-a new \s-1SSL\s0 object is created from a context using \fBSSL_new()\fR, the current
+During a handshake, the option settings of the SSL object are used. When
+a new SSL object is created from a context using \fBSSL_new()\fR, the current
option setting is copied. Changes to \fBctx\fR do not affect already created
-\&\s-1SSL\s0 objects. \fBSSL_clear()\fR does not affect the settings.
+SSL objects. \fBSSL_clear()\fR does not affect the settings.
.PP
The following \fBbug workaround\fR options are available:
-.IP "\s-1SSL_OP_CRYPTOPRO_TLSEXT_BUG\s0" 4
+.IP SSL_OP_CRYPTOPRO_TLSEXT_BUG 4
.IX Item "SSL_OP_CRYPTOPRO_TLSEXT_BUG"
Add server-hello extension from the early version of cryptopro draft
-when \s-1GOST\s0 ciphersuite is negotiated. Required for interoperability with CryptoPro
-\&\s-1CSP 3\s0.x.
-.IP "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4
+when GOST ciphersuite is negotiated. Required for interoperability with CryptoPro
+CSP 3.x.
+.IP SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 4
.IX Item "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"
-Disables a countermeasure against a \s-1SSL 3.0/TLS 1.0\s0 protocol
-vulnerability affecting \s-1CBC\s0 ciphers, which cannot be handled by some
-broken \s-1SSL\s0 implementations. This option has no effect for connections
+Disables a countermeasure against an SSL 3.0/TLS 1.0 protocol
+vulnerability affecting CBC ciphers, which cannot be handled by some
+broken SSL implementations. This option has no effect for connections
using other ciphers.
-.IP "\s-1SSL_OP_SAFARI_ECDHE_ECDSA_BUG\s0" 4
+.IP SSL_OP_SAFARI_ECDHE_ECDSA_BUG 4
.IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG"
-Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on \s-1OS X.
-OS X 10.8..10.8.3\s0 has broken support for ECDHE-ECDSA ciphers.
-.IP "\s-1SSL_OP_TLSEXT_PADDING\s0" 4
+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
+OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
+.IP SSL_OP_TLSEXT_PADDING 4
.IX Item "SSL_OP_TLSEXT_PADDING"
Adds a padding extension to ensure the ClientHello size is never between
256 and 511 bytes in length. This is needed as a workaround for some
implementations.
-.IP "\s-1SSL_OP_ALL\s0" 4
+.IP SSL_OP_ALL 4
.IX Item "SSL_OP_ALL"
All of the above bug workarounds.
.PP
-It is usually safe to use \fB\s-1SSL_OP_ALL\s0\fR to enable the bug workaround
+It is usually safe to use \fBSSL_OP_ALL\fR to enable the bug workaround
options if compatibility with somewhat broken implementations is
desired.
.PP
The following \fBmodifying\fR options are available:
-.IP "\s-1SSL_OP_ALLOW_CLIENT_RENEGOTIATION\s0" 4
+.IP SSL_OP_ALLOW_CLIENT_RENEGOTIATION 4
.IX Item "SSL_OP_ALLOW_CLIENT_RENEGOTIATION"
Client-initiated renegotiation is disabled by default. Use
this option to enable it.
-.IP "\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0" 4
+.IP SSL_OP_ALLOW_NO_DHE_KEX 4
.IX Item "SSL_OP_ALLOW_NO_DHE_KEX"
In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means
that there will be no forward secrecy for the resumed session.
-.IP "\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0" 4
+.IP SSL_OP_PREFER_NO_DHE_KEX 4
+.IX Item "SSL_OP_PREFER_NO_DHE_KEX"
+In TLSv1.3, on resumption let the server prefer a non\-(ec)dhe based key
+exchange mode over an (ec)dhe based one. Ignored without \fBSSL_OP_ALLOW_NO_DHE_KEX\fR
+being set as well. Always ignored on the client.
+.IP SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 4
.IX Item "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"
Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
-servers. See the \fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
-.IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4
+servers. See the \fBSECURE RENEGOTIATION\fR section for more details.
+.IP SSL_OP_CIPHER_SERVER_PREFERENCE 4
.IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE"
When choosing a cipher, use the server's preferences instead of the client
-preferences. When not set, the \s-1SSL\s0 server will always follow the clients
-preferences. When set, the \s-1SSL/TLS\s0 server will choose following its
+preferences. When not set, the SSL server will always follow the clients
+preferences. When set, the SSL/TLS server will choose following its
own preferences.
-.IP "\s-1SSL_OP_CISCO_ANYCONNECT\s0" 4
+.IP SSL_OP_CISCO_ANYCONNECT 4
.IX Item "SSL_OP_CISCO_ANYCONNECT"
-Use Cisco's version identifier of \s-1DTLS_BAD_VER\s0 when establishing a DTLSv1
-connection. Only available when using the deprecated \fBDTLSv1_client_method()\fR \s-1API.\s0
-.IP "\s-1SSL_OP_CLEANSE_PLAINTEXT\s0" 4
+Use Cisco's version identifier of DTLS_BAD_VER when establishing a DTLSv1
+connection. Only available when using the deprecated \fBDTLSv1_client_method()\fR API.
+.IP SSL_OP_CLEANSE_PLAINTEXT 4
.IX Item "SSL_OP_CLEANSE_PLAINTEXT"
-By default \s-1TLS\s0 connections keep a copy of received plaintext
+By default TLS and QUIC SSL objects keep a copy of received plaintext
application data in a static buffer until it is overwritten by the
-next portion of data. When enabling \s-1SSL_OP_CLEANSE_PLAINTEXT\s0
+next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT
deciphered application data is cleansed by calling \fBOPENSSL_cleanse\fR\|(3)
after passing data to the application. Data is also cleansed when
releasing the connection (e.g. \fBSSL_free\fR\|(3)).
@@ -257,63 +187,80 @@ Since OpenSSL only cleanses internal buffers, the application is still
responsible for cleansing all other buffers. Most notably, this
applies to buffers passed to functions like \fBSSL_read\fR\|(3),
\&\fBSSL_peek\fR\|(3) but also like \fBSSL_write\fR\|(3).
-.IP "\s-1SSL_OP_COOKIE_EXCHANGE\s0" 4
+.Sp
+TLS connections do not buffer data to be sent in plaintext. QUIC stream
+objects do buffer plaintext data to be sent and this option will also cause
+that data to be cleansed when it is discarded.
+.Sp
+This option can be set differently on individual QUIC stream objects and
+has no effect on QUIC connection objects (except where a default stream is
+being used).
+.IP SSL_OP_COOKIE_EXCHANGE 4
.IX Item "SSL_OP_COOKIE_EXCHANGE"
-Turn on Cookie Exchange as described in \s-1RFC4347\s0 Section 4.2.1. Only affects
-\&\s-1DTLS\s0 connections.
-.IP "\s-1SSL_OP_DISABLE_TLSEXT_CA_NAMES\s0" 4
+Turn on Cookie Exchange as described in RFC4347 Section 4.2.1. Only affects
+DTLS connections.
+.IP SSL_OP_DISABLE_TLSEXT_CA_NAMES 4
.IX Item "SSL_OP_DISABLE_TLSEXT_CA_NAMES"
-Disable \s-1TLS\s0 Extension \s-1CA\s0 Names. You may want to disable it for security reasons
-or for compatibility with some Windows \s-1TLS\s0 implementations crashing when this
+Disable TLS Extension CA Names. You may want to disable it for security reasons
+or for compatibility with some Windows TLS implementations crashing when this
extension is larger than 1024 bytes.
-.IP "\s-1SSL_OP_ENABLE_KTLS\s0" 4
+.IP SSL_OP_ENABLE_KTLS 4
.IX Item "SSL_OP_ENABLE_KTLS"
-Enable the use of kernel \s-1TLS.\s0 In order to benefit from kernel \s-1TLS\s0 OpenSSL must
+Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must
have been compiled with support for it, and it must be supported by the
negotiated ciphersuites and extensions. The specific ciphersuites and extensions
that are supported may vary by platform and kernel version.
.Sp
-The kernel \s-1TLS\s0 data-path implements the record layer, and the encryption
+The kernel TLS data-path implements the record layer, and the encryption
algorithm. The kernel will utilize the best hardware
available for encryption. Using the kernel data-path should reduce the memory
footprint of OpenSSL because no buffering is required. Also, the throughput
should improve because data copy is avoided when user data is encrypted into
kernel memory instead of the usual encrypt then copy to kernel.
.Sp
-Kernel \s-1TLS\s0 might not support all the features of OpenSSL. For instance,
+Kernel TLS might not support all the features of OpenSSL. For instance,
renegotiation, and setting the maximum fragment size is not possible as of
Linux 4.20.
.Sp
-Note that with kernel \s-1TLS\s0 enabled some cryptographic operations are performed
+Note that with kernel TLS enabled some cryptographic operations are performed
by the kernel directly and not via any available OpenSSL Providers. This might
be undesirable if, for example, the application requires all cryptographic
-operations to be performed by the \s-1FIPS\s0 provider.
-.IP "\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0" 4
+operations to be performed by the FIPS provider.
+.IP SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE 4
+.IX Item "SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE"
+With this option, \fBsendfile()\fR will use the zerocopy mode, which gives a
+performance boost when used with KTLS hardware offload. Note that invalid TLS
+records might be transmitted if the file is changed while being sent. This
+option has no effect if \fBSSL_OP_ENABLE_KTLS\fR is not enabled.
+.Sp
+This option only applies to Linux. KTLS sendfile on FreeBSD doesn't offer an
+option to disable zerocopy and always runs in this mode.
+.IP SSL_OP_ENABLE_MIDDLEBOX_COMPAT 4
.IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT"
-If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent in TLSv1.3. This
+If set then dummy Change Cipher Spec (CCS) messages are sent in TLSv1.3. This
has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that
do not understand TLSv1.3 will not drop the connection. Regardless of whether
-this option is set or not \s-1CCS\s0 messages received from the peer will always be
+this option is set or not CCS messages received from the peer will always be
ignored in TLSv1.3. This option is set by default. To switch it off use
\&\fBSSL_clear_options()\fR. A future version of OpenSSL may not set this by default.
-.IP "\s-1SSL_OP_IGNORE_UNEXPECTED_EOF\s0" 4
+.IP SSL_OP_IGNORE_UNEXPECTED_EOF 4
.IX Item "SSL_OP_IGNORE_UNEXPECTED_EOF"
-Some \s-1TLS\s0 implementations do not send the mandatory close_notify alert on
+Some TLS implementations do not send the mandatory close_notify alert on
shutdown. If the application tries to wait for the close_notify alert but the
peer closes the connection without sending it, an error is generated. When this
option is enabled the peer does not need to send the close_notify alert and a
closed connection will be treated as if the close_notify alert was received.
.Sp
-You should only enable this option if the protocol running over \s-1TLS\s0
+You should only enable this option if the protocol running over TLS
can detect a truncation attack itself, and that the application is checking for
that truncation attack.
.Sp
For more information on shutting down a connection, see \fBSSL_shutdown\fR\|(3).
-.IP "\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0" 4
+.IP SSL_OP_LEGACY_SERVER_CONNECT 4
.IX Item "SSL_OP_LEGACY_SERVER_CONNECT"
Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-\&\fBonly\fR. See the \fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
-.IP "\s-1SSL_OP_NO_ANTI_REPLAY\s0" 4
+\&\fBonly\fR. See the \fBSECURE RENEGOTIATION\fR section for more details.
+.IP SSL_OP_NO_ANTI_REPLAY 4
.IX Item "SSL_OP_NO_ANTI_REPLAY"
By default, when a server is configured for early data (i.e., max_early_data > 0),
OpenSSL will switch on replay protection. See \fBSSL_read_early_data\fR\|(3) for a
@@ -323,32 +270,50 @@ mitigate the replay risks in other ways and in such cases the built in OpenSSL
functionality is not required. Those applications can turn this feature off by
setting this option. This is a server-side option only. It is ignored by
clients.
-.IP "\s-1SSL_OP_NO_COMPRESSION\s0" 4
+.IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4
+.IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION"
+Normally clients and servers will transparently attempt to negotiate the
+RFC8879 certificate compression option on TLSv1.3 connections.
+.Sp
+If this option is set, the certificate compression extension is ignored
+upon receipt and compressed certificates will not be sent to the peer.
+.IP SSL_OP_NO_RX_CERTIFICATE_COMPRESSION 4
+.IX Item "SSL_OP_NO_RX_CERTIFICATE_COMPRESSION"
+Normally clients and servers will transparently attempt to negotiate the
+RFC8879 certificate compression option on TLSv1.3 connections.
+.Sp
+If this option is set, the certificate compression extension will not be sent
+and compressed certificates will not be accepted from the peer.
+.IP SSL_OP_NO_COMPRESSION 4
.IX Item "SSL_OP_NO_COMPRESSION"
-Do not use compression even if it is supported. This option is set by default.
-To switch it off use \fBSSL_clear_options()\fR.
-.IP "\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0" 4
+Do not use TLS record compression even if it is supported. This option is set by
+default. To switch it off use \fBSSL_clear_options()\fR. Note that TLS record
+compression is not recommended and is not available at security level 2 or
+above. From OpenSSL 3.2 the default security level is 2, so clearing this option
+will have no effect without also changing the default security level. See
+\&\fBSSL_CTX_set_security_level\fR\|(3).
+.IP SSL_OP_NO_ENCRYPT_THEN_MAC 4
.IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC"
Normally clients and servers will transparently attempt to negotiate the
-\&\s-1RFC7366\s0 Encrypt-then-MAC option on \s-1TLS\s0 and \s-1DTLS\s0 connection.
+RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
.Sp
If this option is set, Encrypt-then-MAC is disabled. Clients will not
propose, and servers will not accept the extension.
-.IP "\s-1SSL_OP_NO_EXTENDED_MASTER_SECRET\s0" 4
+.IP SSL_OP_NO_EXTENDED_MASTER_SECRET 4
.IX Item "SSL_OP_NO_EXTENDED_MASTER_SECRET"
Normally clients and servers will transparently attempt to negotiate the
-\&\s-1RFC7627\s0 Extended Master Secret option on \s-1TLS\s0 and \s-1DTLS\s0 connection.
+RFC7627 Extended Master Secret option on TLS and DTLS connection.
.Sp
If this option is set, Extended Master Secret is disabled. Clients will
not propose, and servers will not accept the extension.
-.IP "\s-1SSL_OP_NO_QUERY_MTU\s0" 4
+.IP SSL_OP_NO_QUERY_MTU 4
.IX Item "SSL_OP_NO_QUERY_MTU"
-Do not query the \s-1MTU.\s0 Only affects \s-1DTLS\s0 connections.
-.IP "\s-1SSL_OP_NO_RENEGOTIATION\s0" 4
+Do not query the MTU. Only affects DTLS connections.
+.IP SSL_OP_NO_RENEGOTIATION 4
.IX Item "SSL_OP_NO_RENEGOTIATION"
-Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
+Disable all renegotiation in (D)TLSv1.2 and earlier. Do not send HelloRequest
messages, and ignore renegotiation requests via ClientHello.
-.IP "\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0" 4
+.IP SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 4
.IX Item "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION"
When performing renegotiation as a server, always start a new session
(i.e., session resumption requests are only accepted in the initial
@@ -356,14 +321,14 @@ handshake). This option is not needed for clients.
.IP "SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2" 4
.IX Item "SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2"
These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
-versions with \s-1TLS\s0 or the DTLSv1, DTLSv1.2 versions with \s-1DTLS,\s0
+versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS,
respectively.
As of OpenSSL 1.1.0, these options are deprecated, use
\&\fBSSL_CTX_set_min_proto_version\fR\|(3) and
\&\fBSSL_CTX_set_max_proto_version\fR\|(3) instead.
-.IP "\s-1SSL_OP_NO_TICKET\s0" 4
+.IP SSL_OP_NO_TICKET 4
.IX Item "SSL_OP_NO_TICKET"
-\&\s-1SSL/TLS\s0 supports two mechanisms for resuming sessions: session ids and stateless
+SSL/TLS supports two mechanisms for resuming sessions: session ids and stateless
session tickets.
.Sp
When using session ids a copy of the session information is
@@ -373,7 +338,7 @@ session information from its cache.
.Sp
When using stateless session tickets the server uses a session ticket encryption
key to encrypt the session information. This encrypted data is sent to the
-client as a \*(L"ticket\*(R". When the client wishes to resume it sends the encrypted
+client as a "ticket". When the client wishes to resume it sends the encrypted
data back to the server. The server uses its key to decrypt the data and resume
the session. In this way the server can operate statelessly \- no session
information needs to be cached locally.
@@ -388,7 +353,7 @@ presents a ticket in the same way as for stateless tickets. The server can then
extract the session id from the ticket and retrieve the session information from
its cache.
.Sp
-By default OpenSSL will use stateless tickets. The \s-1SSL_OP_NO_TICKET\s0 option will
+By default OpenSSL will use stateless tickets. The SSL_OP_NO_TICKET option will
cause stateless tickets to not be issued. In TLSv1.2 and below this means no
ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be
sent. This is a server-side option only.
@@ -396,67 +361,67 @@ sent. This is a server-side option only.
In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from
being sent by calling \fBSSL_CTX_set_num_tickets\fR\|(3) or
\&\fBSSL_set_num_tickets\fR\|(3).
-.IP "\s-1SSL_OP_PRIORITIZE_CHACHA\s0" 4
+.IP SSL_OP_PRIORITIZE_CHACHA 4
.IX Item "SSL_OP_PRIORITIZE_CHACHA"
-When \s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0 is set, temporarily reprioritize
+When SSL_OP_CIPHER_SERVER_PREFERENCE is set, temporarily reprioritize
ChaCha20\-Poly1305 ciphers to the top of the server cipher list if a
ChaCha20\-Poly1305 cipher is at the top of the client cipher list. This helps
those clients (e.g. mobile) use ChaCha20\-Poly1305 if that cipher is anywhere
-in the server cipher list; but still allows other clients to use \s-1AES\s0 and other
-ciphers. Requires \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR.
-.IP "\s-1SSL_OP_TLS_ROLLBACK_BUG\s0" 4
+in the server cipher list; but still allows other clients to use AES and other
+ciphers. Requires \fBSSL_OP_CIPHER_SERVER_PREFERENCE\fR.
+.IP SSL_OP_TLS_ROLLBACK_BUG 4
.IX Item "SSL_OP_TLS_ROLLBACK_BUG"
Disable version rollback attack detection.
.Sp
During the client key exchange, the client must send the same information
-about acceptable \s-1SSL/TLS\s0 protocol levels as during the first hello. Some
+about acceptable SSL/TLS protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
-the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
+the client sends an SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)
.PP
The following options no longer have any effect but their identifiers are
retained for compatibility purposes:
-.IP "\s-1SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\s0" 4
+.IP SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 4
.IX Item "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG"
.PD 0
-.IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4
+.IP SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 4
.IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER"
-.IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4
+.IP SSL_OP_SSLEAY_080_CLIENT_DH_BUG 4
.IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG"
-.IP "\s-1SSL_OP_TLS_D5_BUG\s0" 4
+.IP SSL_OP_TLS_D5_BUG 4
.IX Item "SSL_OP_TLS_D5_BUG"
-.IP "\s-1SSL_OP_TLS_BLOCK_PADDING_BUG\s0" 4
+.IP SSL_OP_TLS_BLOCK_PADDING_BUG 4
.IX Item "SSL_OP_TLS_BLOCK_PADDING_BUG"
-.IP "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4
+.IP SSL_OP_MSIE_SSLV2_RSA_PADDING 4
.IX Item "SSL_OP_MSIE_SSLV2_RSA_PADDING"
-.IP "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4
+.IP SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 4
.IX Item "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG"
-.IP "\s-1SSL_OP_MICROSOFT_SESS_ID_BUG\s0" 4
+.IP SSL_OP_MICROSOFT_SESS_ID_BUG 4
.IX Item "SSL_OP_MICROSOFT_SESS_ID_BUG"
-.IP "\s-1SSL_OP_NETSCAPE_CHALLENGE_BUG\s0" 4
+.IP SSL_OP_NETSCAPE_CHALLENGE_BUG 4
.IX Item "SSL_OP_NETSCAPE_CHALLENGE_BUG"
-.IP "\s-1SSL_OP_PKCS1_CHECK_1\s0" 4
+.IP SSL_OP_PKCS1_CHECK_1 4
.IX Item "SSL_OP_PKCS1_CHECK_1"
-.IP "\s-1SSL_OP_PKCS1_CHECK_2\s0" 4
+.IP SSL_OP_PKCS1_CHECK_2 4
.IX Item "SSL_OP_PKCS1_CHECK_2"
-.IP "\s-1SSL_OP_SINGLE_DH_USE\s0" 4
+.IP SSL_OP_SINGLE_DH_USE 4
.IX Item "SSL_OP_SINGLE_DH_USE"
-.IP "\s-1SSL_OP_SINGLE_ECDH_USE\s0" 4
+.IP SSL_OP_SINGLE_ECDH_USE 4
.IX Item "SSL_OP_SINGLE_ECDH_USE"
-.IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4
+.IP SSL_OP_EPHEMERAL_RSA 4
.IX Item "SSL_OP_EPHEMERAL_RSA"
-.IP "\s-1SSL_OP_NETSCAPE_CA_DN_BUG\s0" 4
+.IP SSL_OP_NETSCAPE_CA_DN_BUG 4
.IX Item "SSL_OP_NETSCAPE_CA_DN_BUG"
-.IP "\s-1SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG\s0" 4
+.IP SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 4
.IX Item "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG"
.PD
.SH "SECURE RENEGOTIATION"
.IX Header "SECURE RENEGOTIATION"
OpenSSL always attempts to use secure renegotiation as
-described in \s-1RFC5746.\s0 This counters the prefix attack described in
-\&\s-1CVE\-2009\-3555\s0 and elsewhere.
+described in RFC5746. This counters the prefix attack described in
+CVE\-2009\-3555 and elsewhere.
.PP
This attack has far reaching consequences which application writers should be
aware of. In the description below an implementation supporting secure
@@ -471,42 +436,76 @@ Connections and renegotiation are always permitted by OpenSSL implementations.
.SS "Unpatched client and patched OpenSSL server"
.IX Subsection "Unpatched client and patched OpenSSL server"
The initial connection succeeds but client renegotiation is denied by the
-server with a \fBno_renegotiation\fR warning alert if \s-1TLS\s0 v1.0 is used or a fatal
-\&\fBhandshake_failure\fR alert in \s-1SSL\s0 v3.0.
+server with a \fBno_renegotiation\fR warning alert if TLS v1.0 is used or a fatal
+\&\fBhandshake_failure\fR alert in SSL v3.0.
.PP
If the patched OpenSSL server attempts to renegotiate a fatal
\&\fBhandshake_failure\fR alert is sent. This is because the server code may be
unaware of the unpatched nature of the client.
.PP
-If the option \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR is set then
+If the option \fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR is set then
renegotiation \fBalways\fR succeeds.
.SS "Patched OpenSSL client and unpatched server"
.IX Subsection "Patched OpenSSL client and unpatched server"
-If the option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR or
-\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR is set then initial connections
+If the option \fBSSL_OP_LEGACY_SERVER_CONNECT\fR or
+\&\fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR is set then initial connections
and renegotiation between patched OpenSSL clients and unpatched servers
succeeds. If neither option is set then initial connections to unpatched
servers will fail.
.PP
-Setting the option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR has security implications;
+Setting the option \fBSSL_OP_LEGACY_SERVER_CONNECT\fR has security implications;
clients that are willing to connect to servers that do not implement
-\&\s-1RFC 5746\s0 secure renegotiation are subject to attacks such as
-\&\s-1CVE\-2009\-3555.\s0
+RFC 5746 secure renegotiation are subject to attacks such as
+CVE\-2009\-3555.
.PP
OpenSSL client applications wishing to ensure they can connect to unpatched
-servers should always \fBset\fR \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR
+servers should always \fBset\fR \fBSSL_OP_LEGACY_SERVER_CONNECT\fR
.PP
OpenSSL client applications that want to ensure they can \fBnot\fR connect to
unpatched servers (and thus avoid any security issues) should always \fBclear\fR
-\&\fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR using \fBSSL_CTX_clear_options()\fR or
+\&\fBSSL_OP_LEGACY_SERVER_CONNECT\fR using \fBSSL_CTX_clear_options()\fR or
\&\fBSSL_clear_options()\fR.
.PP
-The difference between the \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR and
-\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR options is that
-\&\fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR enables initial connections and secure
+The difference between the \fBSSL_OP_LEGACY_SERVER_CONNECT\fR and
+\&\fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR options is that
+\&\fBSSL_OP_LEGACY_SERVER_CONNECT\fR enables initial connections and secure
renegotiation between OpenSSL clients and unpatched servers \fBonly\fR, while
-\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR allows initial connections
+\&\fBSSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\fR allows initial connections
and renegotiation between OpenSSL and unpatched clients or servers.
+.SS "Applicability of options to QUIC connections and streams"
+.IX Subsection "Applicability of options to QUIC connections and streams"
+These options apply to SSL objects referencing a QUIC connection:
+.IP SSL_OP_ALLOW_NO_DHE_KEX 4
+.IX Item "SSL_OP_ALLOW_NO_DHE_KEX"
+.PD 0
+.IP SSL_OP_NO_TX_CERTIFICATE_COMPRESSION 4
+.IX Item "SSL_OP_NO_TX_CERTIFICATE_COMPRESSION"
+.IP SSL_OP_NO_RX_CERTIFICATE_COMPRESSION 4
+.IX Item "SSL_OP_NO_RX_CERTIFICATE_COMPRESSION"
+.IP SSL_OP_NO_TICKET 4
+.IX Item "SSL_OP_NO_TICKET"
+.IP SSL_OP_PRIORITIZE_CHACHA 4
+.IX Item "SSL_OP_PRIORITIZE_CHACHA"
+.PD
+.PP
+These options apply to SSL objects referencing a QUIC stream:
+.IP SSL_OP_CLEANSE_PLAINTEXT 4
+.IX Item "SSL_OP_CLEANSE_PLAINTEXT"
+.PP
+Options on QUIC connections are initialized from the options set on SSL_CTX
+before a QUIC connection SSL object is created. Options on QUIC streams are
+initialised from the options configured on the QUIC connection SSL object
+they are created from.
+.PP
+Setting options which relate to QUIC streams on a QUIC connection SSL object has
+no direct effect on the QUIC connection SSL object itself, but will change the
+options set on the default stream (if there is one) and will also determine the
+default options set on any future streams which are created.
+.PP
+Other options not mentioned above do not have an effect and will be ignored.
+.PP
+Options which relate to QUIC streams may also be set directly on QUIC stream SSL
+objects. Setting connection-related options on such an object has no effect.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit-mask
@@ -525,27 +524,27 @@ secure renegotiation and 0 if it does not.
\&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3),
\&\fBSSL_CTX_set_min_proto_version\fR\|(3),
\&\fBopenssl\-dhparam\fR\|(1)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The attempt to always try to use secure renegotiation was added in
OpenSSL 0.9.8m.
.PP
-The \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR and \fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR options
+The \fBSSL_OP_PRIORITIZE_CHACHA\fR and \fBSSL_OP_NO_RENEGOTIATION\fR options
were added in OpenSSL 1.1.1.
.PP
-The \fB\s-1SSL_OP_NO_EXTENDED_MASTER_SECRET\s0\fR and \fB\s-1SSL_OP_IGNORE_UNEXPECTED_EOF\s0\fR
+The \fBSSL_OP_NO_EXTENDED_MASTER_SECRET\fR and \fBSSL_OP_IGNORE_UNEXPECTED_EOF\fR
options were added in OpenSSL 3.0.
.PP
-The \fB\s-1SSL_OP_\s0\fR constants and the corresponding parameter and return values
+The \fBSSL_OP_\fR constants and the corresponding parameter and return values
of the affected functions were changed to \f(CW\*(C`uint64_t\*(C'\fR type in OpenSSL 3.0.
-For that reason it is no longer possible use the \fB\s-1SSL_OP_\s0\fR macro values
+For that reason it is no longer possible use the \fBSSL_OP_\fR macro values
in preprocessor \f(CW\*(C`#if\*(C'\fR conditions. However it is still possible to test
whether these macros are defined or not.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3
index 2ae3d28d129e..c5d4a43d0338 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl"
-.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_psk_client_cb_func,
SSL_psk_use_session_cb_func,
SSL_CTX_set_psk_client_callback,
@@ -144,7 +68,7 @@ SSL_set_psk_client_callback,
SSL_CTX_set_psk_use_session_callback,
SSL_set_psk_use_session_callback
\&\- set PSK client callback
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -170,28 +94,28 @@ SSL_set_psk_use_session_callback
\& void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb);
\& void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
A client application wishing to use TLSv1.3 PSKs should use either
\&\fBSSL_CTX_set_psk_use_session_callback()\fR or \fBSSL_set_psk_use_session_callback()\fR as
appropriate. These functions cannot be used for TLSv1.2 and below PSKs.
.PP
-The callback function is given a pointer to the \s-1SSL\s0 connection in \fBssl\fR.
+The callback function is given a pointer to the SSL connection in \fBssl\fR.
.PP
The first time the callback is called for a connection the \fBmd\fR parameter is
-\&\s-1NULL.\s0 In some circumstances the callback will be called a second time. In that
-case the server will have specified a ciphersuite to use already and the \s-1PSK\s0
+NULL. In some circumstances the callback will be called a second time. In that
+case the server will have specified a ciphersuite to use already and the PSK
must be compatible with the digest for that ciphersuite. The digest will be
-given in \fBmd\fR. The \s-1PSK\s0 returned by the callback is allowed to be different
+given in \fBmd\fR. The PSK returned by the callback is allowed to be different
between the first and second time it is called.
.PP
On successful completion the callback must store a pointer to an identifier for
-the \s-1PSK\s0 in \fB*id\fR. The identifier length in bytes should be stored in \fB*idlen\fR.
+the PSK in \fB*id\fR. The identifier length in bytes should be stored in \fB*idlen\fR.
The memory pointed to by \fB*id\fR remains owned by the application and should
be freed by it as required at any point after the handshake is complete.
.PP
-Additionally the callback should store a pointer to an \s-1SSL_SESSION\s0 object in
-\&\fB*sess\fR. This is used as the basis for the \s-1PSK,\s0 and should, at a minimum, have
+Additionally the callback should store a pointer to an SSL_SESSION object in
+\&\fB*sess\fR. This is used as the basis for the PSK, and should, at a minimum, have
the following fields set:
.IP "The master key" 4
.IX Item "The master key"
@@ -199,45 +123,45 @@ This can be set via a call to \fBSSL_SESSION_set1_master_key\fR\|(3).
.IP "A ciphersuite" 4
.IX Item "A ciphersuite"
Only the handshake digest associated with the ciphersuite is relevant for the
-\&\s-1PSK\s0 (the server may go on to negotiate any ciphersuite which is compatible with
+PSK (the server may go on to negotiate any ciphersuite which is compatible with
the digest). The application can use any TLSv1.3 ciphersuite. If \fBmd\fR is
-not \s-1NULL\s0 the handshake digest for the ciphersuite should be the same.
+not NULL the handshake digest for the ciphersuite should be the same.
The ciphersuite can be set via a call to <\fBSSL_SESSION_set_cipher\fR\|(3)>. The
-handshake digest of an \s-1SSL_CIPHER\s0 object can be checked using
+handshake digest of an SSL_CIPHER object can be checked using
<\fBSSL_CIPHER_get_handshake_digest\fR\|(3)>.
.IP "The protocol version" 4
.IX Item "The protocol version"
This can be set via a call to \fBSSL_SESSION_set_protocol_version\fR\|(3) and should
-be \s-1TLS1_3_VERSION.\s0
+be TLS1_3_VERSION.
.PP
Additionally the maximum early data value should be set via a call to
-\&\fBSSL_SESSION_set_max_early_data\fR\|(3) if the \s-1PSK\s0 will be used for sending early
+\&\fBSSL_SESSION_set_max_early_data\fR\|(3) if the PSK will be used for sending early
data.
.PP
-Alternatively an \s-1SSL_SESSION\s0 created from a previous non-PSK handshake may also
-be used as the basis for a \s-1PSK.\s0
+Alternatively an SSL_SESSION created from a previous non-PSK handshake may also
+be used as the basis for a PSK.
.PP
-Ownership of the \s-1SSL_SESSION\s0 object is passed to the OpenSSL library and so it
+Ownership of the SSL_SESSION object is passed to the OpenSSL library and so it
should not be freed by the application.
.PP
-It is also possible for the callback to succeed but not supply a \s-1PSK.\s0 In this
-case no \s-1PSK\s0 will be sent to the server but the handshake will continue. To do
+It is also possible for the callback to succeed but not supply a PSK. In this
+case no PSK will be sent to the server but the handshake will continue. To do
this the callback should return successfully and ensure that \fB*sess\fR is
-\&\s-1NULL.\s0 The contents of \fB*id\fR and \fB*idlen\fR will be ignored.
+NULL. The contents of \fB*id\fR and \fB*idlen\fR will be ignored.
.PP
-A client application wishing to use \s-1PSK\s0 ciphersuites for TLSv1.2 and below must
+A client application wishing to use PSK ciphersuites for TLSv1.2 and below must
provide a different callback function. This function will be called when the
client is sending the ClientKeyExchange message to the server.
.PP
-The purpose of the callback function is to select the \s-1PSK\s0 identity and
+The purpose of the callback function is to select the PSK identity and
the pre-shared key to use during the connection setup phase.
.PP
The callback is set using functions \fBSSL_CTX_set_psk_client_callback()\fR
or \fBSSL_set_psk_client_callback()\fR. The callback function is given the
-connection in parameter \fBssl\fR, a \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0 identity hint
+connection in parameter \fBssl\fR, a \fBNUL\fR\-terminated PSK identity hint
sent by the server in parameter \fBhint\fR, a buffer \fBidentity\fR of
-length \fBmax_identity_len\fR bytes (including the \fB\s-1NUL\s0\fR\-terminator) where the
-resulting \fB\s-1NUL\s0\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR
+length \fBmax_identity_len\fR bytes (including the \fBNUL\fR\-terminator) where the
+resulting \fBNUL\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR
of length \fBmax_psk_len\fR bytes where the resulting pre-shared key is to
be stored.
.PP
@@ -249,30 +173,30 @@ via \fBSSL_CTX_set_psk_use_session_callback()\fR or \fBSSL_set_psk_use_session_c
and it will use that in preference. If no such callback is present then it will
check to see if a callback has been set via \fBSSL_CTX_set_psk_client_callback()\fR or
\&\fBSSL_set_psk_client_callback()\fR and use that. In this case the \fBhint\fR value will
-always be \s-1NULL\s0 and the handshake digest will default to \s-1SHA\-256\s0 for any returned
-\&\s-1PSK.\s0 TLSv1.3 early data exchanges are possible in \s-1PSK\s0 connections only with the
+always be NULL and the handshake digest will default to SHA\-256 for any returned
+PSK. TLSv1.3 early data exchanges are possible in PSK connections only with the
\&\fBSSL_psk_use_session_cb_func\fR callback, and are not possible with the
\&\fBSSL_psk_client_cb_func\fR callback.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Note that parameter \fBhint\fR given to the callback may be \fB\s-1NULL\s0\fR.
+Note that parameter \fBhint\fR given to the callback may be \fBNULL\fR.
.PP
-A connection established via a TLSv1.3 \s-1PSK\s0 will appear as if session resumption
+A connection established via a TLSv1.3 PSK will appear as if session resumption
has occurred so that \fBSSL_session_reused\fR\|(3) will return true.
.PP
-There are no known security issues with sharing the same \s-1PSK\s0 between TLSv1.2 (or
-below) and TLSv1.3. However, the \s-1RFC\s0 has this note of caution:
+There are no known security issues with sharing the same PSK between TLSv1.2 (or
+below) and TLSv1.3. However, the RFC has this note of caution:
.PP
-\&\*(L"While there is no known way in which the same \s-1PSK\s0 might produce related output
+"While there is no known way in which the same PSK might produce related output
in both versions, only limited analysis has been done. Implementations can
ensure safety from cross-protocol related output by not reusing PSKs between
-\&\s-1TLS 1.3\s0 and \s-1TLS 1.2.\*(R"\s0
+TLS 1.3 and TLS 1.2."
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Return values from the \fBSSL_psk_client_cb_func\fR callback are interpreted as
follows:
.PP
-On success (callback found a \s-1PSK\s0 identity and a pre-shared key to use)
+On success (callback found a PSK identity and a pre-shared key to use)
the length (> 0) of \fBpsk\fR in bytes is returned.
.PP
Otherwise or on errors the callback should return 0. In this case
@@ -285,15 +209,15 @@ failure. In the event of failure the connection setup fails.
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_psk_find_session_callback\fR\|(3),
\&\fBSSL_set_psk_find_session_callback\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_CTX_set_psk_use_session_callback()\fR and \fBSSL_set_psk_use_session_callback()\fR
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3
index 7a88a5f839d4..754d57ab1d05 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_QUIET_SHUTDOWN 3ossl"
-.TH SSL_CTX_SET_QUIET_SHUTDOWN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_QUIET_SHUTDOWN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown, SSL_get_quiet_shutdown \- manipulate shutdown behaviour
-.SH "SYNOPSIS"
+.SH NAME
+SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown,
+SSL_get_quiet_shutdown \- manipulate shutdown behaviour
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,53 +74,56 @@ SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown,
\& void SSL_set_quiet_shutdown(SSL *ssl, int mode);
\& int SSL_get_quiet_shutdown(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_set_quiet_shutdown()\fR sets the \*(L"quiet shutdown\*(R" flag for \fBctx\fR to be
-\&\fBmode\fR. \s-1SSL\s0 objects created from \fBctx\fR inherit the \fBmode\fR valid at the time
+\&\fBSSL_CTX_set_quiet_shutdown()\fR sets the "quiet shutdown" flag for \fBctx\fR to be
+\&\fBmode\fR. SSL objects created from \fBctx\fR inherit the \fBmode\fR valid at the time
\&\fBSSL_new\fR\|(3) is called. \fBmode\fR may be 0 or 1.
.PP
-\&\fBSSL_CTX_get_quiet_shutdown()\fR returns the \*(L"quiet shutdown\*(R" setting of \fBctx\fR.
+\&\fBSSL_CTX_get_quiet_shutdown()\fR returns the "quiet shutdown" setting of \fBctx\fR.
.PP
-\&\fBSSL_set_quiet_shutdown()\fR sets the \*(L"quiet shutdown\*(R" flag for \fBssl\fR to be
+\&\fBSSL_set_quiet_shutdown()\fR sets the "quiet shutdown" flag for \fBssl\fR to be
\&\fBmode\fR. The setting stays valid until \fBssl\fR is removed with
\&\fBSSL_free\fR\|(3) or \fBSSL_set_quiet_shutdown()\fR is called again.
It is not changed when \fBSSL_clear\fR\|(3) is called.
\&\fBmode\fR may be 0 or 1.
.PP
-\&\fBSSL_get_quiet_shutdown()\fR returns the \*(L"quiet shutdown\*(R" setting of \fBssl\fR.
-.SH "NOTES"
+\&\fBSSL_get_quiet_shutdown()\fR returns the "quiet shutdown" setting of \fBssl\fR.
+.PP
+These functions are not supported for QUIC SSL objects. \fBSSL_set_quiet_shutdown()\fR
+has no effect if called on a QUIC SSL object.
+.SH NOTES
.IX Header "NOTES"
-Normally when a \s-1SSL\s0 connection is finished, the parties must send out
+Normally when an SSL connection is finished, the parties must send out
close_notify alert messages using \fBSSL_shutdown\fR\|(3)
for a clean shutdown.
.PP
-When setting the \*(L"quiet shutdown\*(R" flag to 1, \fBSSL_shutdown\fR\|(3)
+When setting the "quiet shutdown" flag to 1, \fBSSL_shutdown\fR\|(3)
will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
(\fBSSL_shutdown\fR\|(3) then behaves like
\&\fBSSL_set_shutdown\fR\|(3) called with
SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
The session is thus considered to be shutdown, but no close_notify alert
-is sent to the peer. This behaviour violates the \s-1TLS\s0 standard.
+is sent to the peer. This behaviour violates the TLS standard.
.PP
-The default is normal shutdown behaviour as described by the \s-1TLS\s0 standard.
+The default is normal shutdown behaviour as described by the TLS standard.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_quiet_shutdown()\fR and \fBSSL_set_quiet_shutdown()\fR do not return
diagnostic information.
.PP
-\&\fBSSL_CTX_get_quiet_shutdown()\fR and SSL_get_quiet_shutdown return the current
+\&\fBSSL_CTX_get_quiet_shutdown()\fR and \fBSSL_get_quiet_shutdown()\fR return the current
setting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_shutdown\fR\|(3),
\&\fBSSL_set_shutdown\fR\|(3), \fBSSL_new\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3
index 96ae0fea7ce3..9924ff870b0e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_READ_AHEAD 3ossl"
-.TH SSL_CTX_SET_READ_AHEAD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_READ_AHEAD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_read_ahead, SSL_CTX_get_read_ahead,
SSL_set_read_ahead, SSL_get_read_ahead,
SSL_CTX_get_default_read_ahead
\&\- manage whether to read as many input bytes as possible
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -153,12 +77,12 @@ SSL_CTX_get_default_read_ahead
\& long SSL_CTX_get_read_ahead(SSL_CTX *ctx);
\& long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_read_ahead()\fR and \fBSSL_set_read_ahead()\fR set whether we should read as
many input bytes as possible (for nonblocking reads) or not. For example if
\&\fBx\fR bytes are currently required by OpenSSL, but \fBy\fR bytes are available from
-the underlying \s-1BIO\s0 (where \fBy\fR > \fBx\fR), then OpenSSL will read all \fBy\fR bytes
+the underlying BIO (where \fBy\fR > \fBx\fR), then OpenSSL will read all \fBy\fR bytes
into its buffer (providing that the buffer is large enough) if reading ahead is
on, or \fBx\fR bytes otherwise.
Setting the parameter \fByes\fR to 0 turns reading ahead is off, other values turn
@@ -168,24 +92,27 @@ it on.
\&\fBSSL_CTX_get_read_ahead()\fR and \fBSSL_get_read_ahead()\fR indicate whether reading
ahead has been set or not.
\&\fBSSL_CTX_get_default_read_ahead()\fR is identical to \fBSSL_CTX_get_read_ahead()\fR.
-.SH "NOTES"
+.PP
+These functions cannot be used with QUIC SSL objects. \fBSSL_set_read_ahead()\fR
+has no effect if called on a QUIC SSL object.
+.SH NOTES
.IX Header "NOTES"
-These functions have no impact when used with \s-1DTLS.\s0 The return values for
-\&\fBSSL_CTX_get_read_head()\fR and \fBSSL_get_read_ahead()\fR are undefined for \s-1DTLS.\s0 Setting
+These functions have no impact when used with DTLS. The return values for
+\&\fBSSL_CTX_get_read_head()\fR and \fBSSL_get_read_ahead()\fR are undefined for DTLS. Setting
\&\fBread_ahead\fR can impact the behaviour of the \fBSSL_pending()\fR function
(see \fBSSL_pending\fR\|(3)).
.PP
-Since \fBSSL_read()\fR can return \fB\s-1SSL_ERROR_WANT_READ\s0\fR for non-application data
+Since \fBSSL_read()\fR can return \fBSSL_ERROR_WANT_READ\fR for non-application data
records, and \fBSSL_has_pending()\fR can't tell the difference between processed and
unprocessed data, it's recommended that if read ahead is turned on that
-\&\fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is not turned off using \fBSSL_CTX_clear_mode()\fR.
-That will prevent getting \fB\s-1SSL_ERROR_WANT_READ\s0\fR when there is still a complete
+\&\fBSSL_MODE_AUTO_RETRY\fR is not turned off using \fBSSL_CTX_clear_mode()\fR.
+That will prevent getting \fBSSL_ERROR_WANT_READ\fR when there is still a complete
record available that hasn't been processed.
.PP
-If the application wants to continue to use the underlying transport (e.g. \s-1TCP\s0
-connection) after the \s-1SSL\s0 connection is finished using \fBSSL_shutdown()\fR reading
+If the application wants to continue to use the underlying transport (e.g. TCP
+connection) after the SSL connection is finished using \fBSSL_shutdown()\fR reading
ahead should be turned off.
-Otherwise the \s-1SSL\s0 structure might read data that it shouldn't.
+Otherwise the SSL structure might read data that it shouldn't.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_read_ahead()\fR and \fBSSL_CTX_get_read_ahead()\fR return 0 if reading ahead is off,
@@ -193,11 +120,11 @@ and non zero otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_pending\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3
index 3c31d8583b35..cee8564b2201 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl"
-.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_record_padding_callback,
SSL_set_record_padding_callback,
SSL_CTX_set_record_padding_callback_arg,
@@ -144,8 +68,10 @@ SSL_set_record_padding_callback_arg,
SSL_CTX_get_record_padding_callback_arg,
SSL_get_record_padding_callback_arg,
SSL_CTX_set_block_padding,
-SSL_set_block_padding \- install callback to specify TLS 1.3 record padding
-.SH "SYNOPSIS"
+SSL_CTX_set_block_padding_ex,
+SSL_set_block_padding,
+SSL_set_block_padding_ex \- install callback to specify TLS 1.3 record padding
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -161,32 +87,42 @@ SSL_set_block_padding \- install callback to specify TLS 1.3 record padding
\&
\& int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
\& int SSL_set_block_padding(SSL *ssl, size_t block_size);
+\& int SSL_CTX_set_block_padding_ex(SSL_CTX *ctx, size_t app_block_size, size_t hs_block_size);
+\& int SSL_set_block_padding_ex(SSL *ssl, size_t app_block_size, size_t hs_block_size);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_record_padding_callback()\fR or \fBSSL_set_record_padding_callback()\fR
can be used to assign a callback function \fIcb\fR to specify the padding
-for \s-1TLS 1.3\s0 records. The value set in \fBctx\fR is copied to a new \s-1SSL\s0 by \fBSSL_new()\fR.
-Kernel \s-1TLS\s0 is not possible if the record padding callback is set, and the callback
-function cannot be set if Kernel \s-1TLS\s0 is already configured for the current \s-1SSL\s0 object.
+for TLS 1.3 records. The value set in \fBctx\fR is copied to a new SSL by \fBSSL_new()\fR.
+Kernel TLS is not possible if the record padding callback is set, and the callback
+function cannot be set if Kernel TLS is already configured for the current SSL object.
.PP
\&\fBSSL_CTX_set_record_padding_callback_arg()\fR and \fBSSL_set_record_padding_callback_arg()\fR
assign a value \fBarg\fR that is passed to the callback when it is invoked. The value
-set in \fBctx\fR is copied to a new \s-1SSL\s0 by \fBSSL_new()\fR.
+set in \fBctx\fR is copied to a new SSL by \fBSSL_new()\fR.
.PP
\&\fBSSL_CTX_get_record_padding_callback_arg()\fR and \fBSSL_get_record_padding_callback_arg()\fR
retrieve the \fBarg\fR value that is passed to the callback.
.PP
\&\fBSSL_CTX_set_block_padding()\fR and \fBSSL_set_block_padding()\fR pads the record to a multiple
of the \fBblock_size\fR. A \fBblock_size\fR of 0 or 1 disables block padding. The limit of
-\&\fBblock_size\fR is \s-1SSL3_RT_MAX_PLAIN_LENGTH.\s0
+\&\fBblock_size\fR is SSL3_RT_MAX_PLAIN_LENGTH.
+.PP
+\&\fBSSL_CTX_set_block_padding_ex()\fR and \fBSSL_set_block_padding_ex()\fR do similarly but
+allow the caller to separately specify the padding block size to be applied to
+handshake and application data messages.
.PP
The callback is invoked for every record before encryption.
-The \fBtype\fR parameter is the \s-1TLS\s0 record type that is being processed; may be
-one of \s-1SSL3_RT_APPLICATION_DATA, SSL3_RT_HANDSHAKE,\s0 or \s-1SSL3_RT_ALERT.\s0
+The \fBtype\fR parameter is the TLS record type that is being processed; may be
+one of SSL3_RT_APPLICATION_DATA, SSL3_RT_HANDSHAKE, or SSL3_RT_ALERT.
The \fBlen\fR parameter is the current plaintext length of the record before encryption.
The \fBarg\fR parameter is the value set via \fBSSL_CTX_set_record_padding_callback_arg()\fR
or \fBSSL_set_record_padding_callback_arg()\fR.
+.PP
+These functions cannot be used with QUIC SSL objects.
+\&\fBSSL_set_record_padding_callback()\fR and \fBSSL_set_block_padding()\fR fail if called on
+a QUIC SSL object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBSSL_CTX_get_record_padding_callback_arg()\fR and \fBSSL_get_record_padding_callback_arg()\fR
@@ -197,36 +133,39 @@ or 0 if \fBblock_size\fR is too large.
.PP
The \fBcb\fR returns the number of padding bytes to add to the record. A return of 0
indicates no padding will be added. A return value that causes the record to
-exceed the maximum record size (\s-1SSL3_RT_MAX_PLAIN_LENGTH\s0) will pad out to the
+exceed the maximum record size (SSL3_RT_MAX_PLAIN_LENGTH) will pad out to the
maximum record size.
.PP
The \fBSSL_CTX_get_record_padding_callback_arg()\fR function returns 1 on success or 0 if
-the callback function is not set because Kernel \s-1TLS\s0 is configured for the \s-1SSL\s0 object.
-.SH "NOTES"
+the callback function is not set because Kernel TLS is configured for the SSL object.
+.SH NOTES
.IX Header "NOTES"
The default behavior is to add no padding to the record.
.PP
A user-supplied padding callback function will override the behavior set by
\&\fBSSL_set_block_padding()\fR or \fBSSL_CTX_set_block_padding()\fR. Setting the user-supplied
-callback to \s-1NULL\s0 will restore the configured block padding behavior.
+callback to NULL will restore the configured block padding behavior.
.PP
-These functions only apply to \s-1TLS 1.3\s0 records being written.
+These functions only apply to TLS 1.3 records being written.
.PP
Padding bytes are not added in constant-time.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The record padding \s-1API\s0 was added for \s-1TLS 1.3\s0 support in OpenSSL 1.1.1.
+The record padding API was added for TLS 1.3 support in OpenSSL 1.1.1.
.PP
The return type of \fBSSL_CTX_set_record_padding_callback()\fR function was
changed to int in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The functions \fBSSL_set_block_padding_ex()\fR and \fBSSL_CTX_set_block_padding_ex()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3
index b745d05c0250..ab2857a1e2b2 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SECURITY_LEVEL 3ossl"
-.TH SSL_CTX_SET_SECURITY_LEVEL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SECURITY_LEVEL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level, SSL_get_security_level, SSL_CTX_set_security_callback, SSL_set_security_callback, SSL_CTX_get_security_callback, SSL_get_security_callback, SSL_CTX_set0_security_ex_data, SSL_set0_security_ex_data, SSL_CTX_get0_security_ex_data, SSL_get0_security_ex_data \- SSL/TLS security framework
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -171,7 +95,7 @@ SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level,
\& void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx);
\& void *SSL_get0_security_ex_data(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions \fBSSL_CTX_set_security_level()\fR and \fBSSL_set_security_level()\fR set
the security level to \fBlevel\fR. If not set the library default security level
@@ -203,76 +127,74 @@ OpenSSL.
.IP "\fBLevel 1\fR" 4
.IX Item "Level 1"
The security level corresponds to a minimum of 80 bits of security. Any
-parameters offering below 80 bits of security are excluded. As a result \s-1RSA,
-DSA\s0 and \s-1DH\s0 keys shorter than 1024 bits and \s-1ECC\s0 keys shorter than 160 bits
-are prohibited. All export cipher suites are prohibited since they all offer
-less than 80 bits of security. \s-1SSL\s0 version 2 is prohibited. Any cipher suite
-using \s-1MD5\s0 for the \s-1MAC\s0 is also prohibited. Note that signatures using \s-1SHA1\s0
-and \s-1MD5\s0 are also forbidden at this level as they have less than 80 security
-bits.
+parameters offering below 80 bits of security are excluded. As a result RSA,
+DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
+are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any
+cipher suites using CCM with a 64 bit authentication tag are prohibited. Note
+that signatures using SHA1 and MD5 are also forbidden at this level as they
+have less than 80 security bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and
+DTLS 1.0 are all disabled at this level.
.IP "\fBLevel 2\fR" 4
.IX Item "Level 2"
-Security level set to 112 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys
-shorter than 2048 bits and \s-1ECC\s0 keys shorter than 224 bits are prohibited.
-In addition to the level 1 exclusions any cipher suite using \s-1RC4\s0 is also
-prohibited. \s-1SSL\s0 version 3 is also not allowed. Compression is disabled.
+Security level set to 112 bits of security. As a result RSA, DSA and DH keys
+shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
+In addition to the level 1 exclusions any cipher suite using RC4 is also
+prohibited. Compression is disabled.
.IP "\fBLevel 3\fR" 4
.IX Item "Level 3"
-Security level set to 128 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys
-shorter than 3072 bits and \s-1ECC\s0 keys shorter than 256 bits are prohibited.
+Security level set to 128 bits of security. As a result RSA, DSA and DH keys
+shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
In addition to the level 2 exclusions cipher suites not offering forward
-secrecy are prohibited. \s-1TLS\s0 versions below 1.1 are not permitted. Session
-tickets are disabled.
+secrecy are prohibited. Session tickets are disabled.
.IP "\fBLevel 4\fR" 4
.IX Item "Level 4"
-Security level set to 192 bits of security. As a result \s-1RSA, DSA\s0 and
-\&\s-1DH\s0 keys shorter than 7680 bits and \s-1ECC\s0 keys shorter than 384 bits are
-prohibited. Cipher suites using \s-1SHA1\s0 for the \s-1MAC\s0 are prohibited. \s-1TLS\s0
-versions below 1.2 are not permitted.
+Security level set to 192 bits of security. As a result RSA, DSA and
+DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
+prohibited. Cipher suites using SHA1 for the MAC are prohibited.
.IP "\fBLevel 5\fR" 4
.IX Item "Level 5"
-Security level set to 256 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys
-shorter than 15360 bits and \s-1ECC\s0 keys shorter than 512 bits are prohibited.
+Security level set to 256 bits of security. As a result RSA, DSA and DH keys
+shorter than 15360 bits and ECC keys shorter than 512 bits are prohibited.
.SH "APPLICATION DEFINED SECURITY CALLBACKS"
.IX Header "APPLICATION DEFINED SECURITY CALLBACKS"
\&\fIDocumentation to be provided.\fR
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The default security level can be configured when OpenSSL is compiled by
-setting \fB\-DOPENSSL_TLS_SECURITY_LEVEL=level\fR. If not set then 1 is used.
+setting \fB\-DOPENSSL_TLS_SECURITY_LEVEL=level\fR. If not set then 2 is used.
.PP
The security framework disables or reject parameters inconsistent with the
set security level. In the past this was difficult as applications had to set
a number of distinct parameters (supported ciphers, supported curves supported
-signature algorithms) to achieve this end and some cases (\s-1DH\s0 parameter size
+signature algorithms) to achieve this end and some cases (DH parameter size
for example) could not be checked at all.
.PP
By setting an appropriate security level much of this complexity can be
avoided.
.PP
The bits of security limits affect all relevant parameters including
-cipher suite encryption algorithms, supported \s-1ECC\s0 curves, supported
-signature algorithms, \s-1DH\s0 parameter sizes, certificate key sizes and
+cipher suite encryption algorithms, supported ECC curves, supported
+signature algorithms, DH parameter sizes, certificate key sizes and
signature algorithms. This limit applies no matter what other custom
-settings an application has set: so if the cipher suite is set to \fB\s-1ALL\s0\fR
+settings an application has set: so if the cipher suite is set to \fBALL\fR
then only cipher suites consistent with the security level are permissible.
.PP
-See \s-1SP800\-57\s0 for how the security limits are related to individual
+See SP800\-57 for how the security limits are related to individual
algorithms.
.PP
Some security levels require large key sizes for non-ECC public key
algorithms which can severely degrade performance. For example 256 bits
-of security requires the use of \s-1RSA\s0 keys of at least 15360 bits in size.
+of security requires the use of RSA keys of at least 15360 bits in size.
.PP
Some restrictions can be gracefully handled: for example cipher suites
offering insufficient security are not sent by the client and will not
be selected by the server. Other restrictions such as the peer certificate
-key size or the \s-1DH\s0 parameter size will abort the handshake with a fatal
+key size or the DH parameter size will abort the handshake with a fatal
alert.
.PP
Attempts to set certificates or parameters with insufficient security are
-also blocked. For example trying to set a certificate using a 512 bit \s-1RSA\s0 key
-or a certificate with a signature with \s-1SHA1\s0 digest at level 1 using
+also blocked. For example trying to set a certificate using a 512 bit RSA key
+or a certificate with a signature with SHA1 digest at level 1 using
\&\fBSSL_CTX_use_certificate()\fR. Applications which do not check the return values
for errors will misbehave: for example it might appear that a certificate is
not set at all because it had been rejected.
@@ -281,27 +203,27 @@ not set at all because it had been rejected.
\&\fBSSL_CTX_set_security_level()\fR and \fBSSL_set_security_level()\fR do not return values.
.PP
\&\fBSSL_CTX_get_security_level()\fR and \fBSSL_get_security_level()\fR return a integer that
-represents the security level with \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR, respectively.
+represents the security level with \fBSSL_CTX\fR or \fBSSL\fR, respectively.
.PP
\&\fBSSL_CTX_set_security_callback()\fR and \fBSSL_set_security_callback()\fR do not return
values.
.PP
\&\fBSSL_CTX_get_security_callback()\fR and \fBSSL_get_security_callback()\fR return the pointer
-to the security callback or \s-1NULL\s0 if the callback is not set.
+to the security callback or NULL if the callback is not set.
.PP
\&\fBSSL_CTX_get0_security_ex_data()\fR and \fBSSL_get0_security_ex_data()\fR return the extra
-data pointer or \s-1NULL\s0 if the ex data is not set.
+data pointer or NULL if the ex data is not set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2014\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3
index b3b34ad1e2e3..9abbb18c7ceb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SESSION_CACHE_MODE 3ossl"
-.TH SSL_CTX_SET_SESSION_CACHE_MODE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SESSION_CACHE_MODE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode \- enable/disable session caching
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,17 +70,17 @@ SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode \- enable/disable
\& long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode);
\& long SSL_CTX_get_session_cache_mode(SSL_CTX ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_session_cache_mode()\fR enables/disables session caching
by setting the operational mode for \fBctx\fR to <mode>.
.PP
\&\fBSSL_CTX_get_session_cache_mode()\fR returns the currently used cache mode.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The OpenSSL library can store/retrieve \s-1SSL/TLS\s0 sessions for later reuse.
+The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse.
The sessions can be held in memory for each \fBctx\fR, if more than one
-\&\s-1SSL_CTX\s0 object is being maintained, the sessions are unique for each \s-1SSL_CTX\s0
+SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX
object.
.PP
In order to reuse a session, a client must send the session's id to the
@@ -166,7 +90,7 @@ session).
.PP
A server will look up the session in its internal session storage. If the
session is not found in internal storage or lookups for the internal storage
-have been deactivated (\s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0), the server will try
+have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try
the external storage if available.
.PP
Since a client may try to reuse a session intended for use in a different
@@ -174,28 +98,28 @@ context, the session id context must be set by the server (see
\&\fBSSL_CTX_set_session_id_context\fR\|(3)).
.PP
The following session cache modes and modifiers are available:
-.IP "\s-1SSL_SESS_CACHE_OFF\s0" 4
+.IP SSL_SESS_CACHE_OFF 4
.IX Item "SSL_SESS_CACHE_OFF"
No session caching for client or server takes place.
-.IP "\s-1SSL_SESS_CACHE_CLIENT\s0" 4
+.IP SSL_SESS_CACHE_CLIENT 4
.IX Item "SSL_SESS_CACHE_CLIENT"
Client sessions are added to the session cache. As there is no reliable way
for the OpenSSL library to know whether a session should be reused or which
-session to choose (due to the abstract \s-1BIO\s0 layer the \s-1SSL\s0 engine does not
+session to choose (due to the abstract BIO layer the SSL engine does not
have details about the connection), the application must select the session
to be reused by using the \fBSSL_set_session\fR\|(3)
function. This option is not activated by default.
-.IP "\s-1SSL_SESS_CACHE_SERVER\s0" 4
+.IP SSL_SESS_CACHE_SERVER 4
.IX Item "SSL_SESS_CACHE_SERVER"
Server sessions are added to the session cache. When a client proposes a
session to be reused, the server looks for the corresponding session in (first)
-the internal session cache (unless \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0 is set),
+the internal session cache (unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set),
then (second) in the external cache if available. If the session is found, the
server will try to reuse the session. This is the default.
-.IP "\s-1SSL_SESS_CACHE_BOTH\s0" 4
+.IP SSL_SESS_CACHE_BOTH 4
.IX Item "SSL_SESS_CACHE_BOTH"
-Enable both \s-1SSL_SESS_CACHE_CLIENT\s0 and \s-1SSL_SESS_CACHE_SERVER\s0 at the same time.
-.IP "\s-1SSL_SESS_CACHE_NO_AUTO_CLEAR\s0" 4
+Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time.
+.IP SSL_SESS_CACHE_NO_AUTO_CLEAR 4
.IX Item "SSL_SESS_CACHE_NO_AUTO_CLEAR"
Normally the session cache is checked for expired sessions every
255 connections using the
@@ -204,37 +128,37 @@ this may lead to a delay which cannot be controlled, the automatic
flushing may be disabled and
\&\fBSSL_CTX_flush_sessions\fR\|(3) can be called
explicitly by the application.
-.IP "\s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0" 4
+.IP SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 4
.IX Item "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP"
-By setting this flag, session-resume operations in an \s-1SSL/TLS\s0 server will not
+By setting this flag, session-resume operations in an SSL/TLS server will not
automatically look up sessions in the internal cache, even if sessions are
automatically stored there. If external session caching callbacks are in use,
this flag guarantees that all lookups are directed to the external cache.
-As automatic lookup only applies for \s-1SSL/TLS\s0 servers, the flag has no effect on
+As automatic lookup only applies for SSL/TLS servers, the flag has no effect on
clients.
-.IP "\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0" 4
+.IP SSL_SESS_CACHE_NO_INTERNAL_STORE 4
.IX Item "SSL_SESS_CACHE_NO_INTERNAL_STORE"
-Depending on the presence of \s-1SSL_SESS_CACHE_CLIENT\s0 and/or \s-1SSL_SESS_CACHE_SERVER,\s0
-sessions negotiated in an \s-1SSL/TLS\s0 handshake may be cached for possible reuse.
+Depending on the presence of SSL_SESS_CACHE_CLIENT and/or SSL_SESS_CACHE_SERVER,
+sessions negotiated in an SSL/TLS handshake may be cached for possible reuse.
Normally a new session is added to the internal cache as well as any external
-session caching (callback) that is configured for the \s-1SSL_CTX.\s0 This flag will
+session caching (callback) that is configured for the SSL_CTX. This flag will
prevent sessions being stored in the internal cache (though the application can
add them manually using \fBSSL_CTX_add_session\fR\|(3)). Note:
-in any \s-1SSL/TLS\s0 servers where external caching is configured, any successful
+in any SSL/TLS servers where external caching is configured, any successful
session lookups in the external cache (i.e. for session-resume requests) would
normally be copied into the local cache before processing continues \- this flag
prevents these additions to the internal cache as well.
-.IP "\s-1SSL_SESS_CACHE_NO_INTERNAL\s0" 4
+.IP SSL_SESS_CACHE_NO_INTERNAL 4
.IX Item "SSL_SESS_CACHE_NO_INTERNAL"
-Enable both \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0 and
-\&\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0 at the same time.
-.IP "\s-1SSL_SESS_CACHE_UPDATE_TIME\s0" 4
+Enable both SSL_SESS_CACHE_NO_INTERNAL_LOOKUP and
+SSL_SESS_CACHE_NO_INTERNAL_STORE at the same time.
+.IP SSL_SESS_CACHE_UPDATE_TIME 4
.IX Item "SSL_SESS_CACHE_UPDATE_TIME"
Updates the timestamp of the session when it is used, increasing the lifespan
of the session. The session timeout applies to last use, rather then creation
time.
.PP
-The default mode is \s-1SSL_SESS_CACHE_SERVER.\s0
+The default mode is SSL_SESS_CACHE_SERVER.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_session_cache_mode()\fR returns the previously set cache mode.
@@ -251,11 +175,11 @@ The default mode is \s-1SSL_SESS_CACHE_SERVER.\s0
\&\fBSSL_CTX_set_session_id_context\fR\|(3),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3
index 0aa012dda3fd..6f8e70f7f9b0 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl"
-.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_session_id_context, SSL_set_session_id_context \- set context within which session can be reused (server side only)
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -148,14 +72,14 @@ SSL_CTX_set_session_id_context, SSL_set_session_id_context \- set context within
\& int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
\& unsigned int sid_ctx_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_session_id_context()\fR sets the context \fBsid_ctx\fR of length
\&\fBsid_ctx_len\fR within which a session can be reused for the \fBctx\fR object.
.PP
\&\fBSSL_set_session_id_context()\fR sets the context \fBsid_ctx\fR of length
\&\fBsid_ctx_len\fR within which a session can be reused for the \fBssl\fR object.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Sessions are generated within a certain context. When exporting/importing
sessions with \fBi2d_SSL_SESSION\fR/\fBd2i_SSL_SESSION\fR it would be possible,
@@ -168,7 +92,7 @@ to use e.g. the name of the application and/or the hostname and/or service
name ...
.PP
The session id context becomes part of the session. The session id context
-is set by the \s-1SSL/TLS\s0 server. The \fBSSL_CTX_set_session_id_context()\fR and
+is set by the SSL/TLS server. The \fBSSL_CTX_set_session_id_context()\fR and
\&\fBSSL_set_session_id_context()\fR functions are therefore only useful on the
server side.
.PP
@@ -176,10 +100,10 @@ OpenSSL clients will check the session id context returned by the server
when reusing a session.
.PP
The maximum length of the \fBsid_ctx\fR is limited to
-\&\fB\s-1SSL_MAX_SID_CTX_LENGTH\s0\fR.
-.SH "WARNINGS"
+\&\fBSSL_MAX_SID_CTX_LENGTH\fR.
+.SH WARNINGS
.IX Header "WARNINGS"
-If the session id context is not set on an \s-1SSL/TLS\s0 server and client
+If the session id context is not set on an SSL/TLS server and client
certificates are used, stored sessions
will not be reused but a fatal error will be flagged and the handshake
will fail.
@@ -193,21 +117,21 @@ a session as described above.
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_session_id_context()\fR and \fBSSL_set_session_id_context()\fR
return the following values:
-.IP "0" 4
+.IP 0 4
The length \fBsid_ctx_len\fR of the session id context \fBsid_ctx\fR exceeded
-the maximum allowed length of \fB\s-1SSL_MAX_SID_CTX_LENGTH\s0\fR. The error
+the maximum allowed length of \fBSSL_MAX_SID_CTX_LENGTH\fR. The error
is logged to the error stack.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3
index 652b168b8ee6..e1bc0a6112f4 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SESSION_TICKET_CB 3ossl"
-.TH SSL_CTX_SET_SESSION_TICKET_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SESSION_TICKET_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_session_ticket_cb,
SSL_SESSION_get0_ticket_appdata,
SSL_SESSION_set1_ticket_appdata,
SSL_CTX_generate_session_ticket_fn,
SSL_CTX_decrypt_session_ticket_fn \- manage session ticket application data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -160,12 +84,12 @@ SSL_CTX_decrypt_session_ticket_fn \- manage session ticket application data
\& int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len);
\& int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_set_session_ticket_cb()\fR sets the application callbacks \fBgen_cb\fR
and \fBdec_cb\fR that are used by a server to set and get application data stored
with a session, and placed into a session ticket. Either callback function may
-be set to \s-1NULL.\s0 The value of \fBarg\fR is passed to the callbacks.
+be set to NULL. The value of \fBarg\fR is passed to the callbacks.
.PP
\&\fBgen_cb\fR is the application defined callback invoked when a session ticket is
about to be created. The application can call \fBSSL_SESSION_set1_ticket_appdata()\fR
@@ -178,7 +102,7 @@ decryption has been attempted and any session ticket application data is
available. If ticket decryption was successful then the \fBss\fR argument contains
the session data. The \fBkeyname\fR and \fBkeyname_len\fR arguments identify the key
used to decrypt the session ticket. The \fBstatus\fR argument is the result of the
-ticket decryption. See the \*(L"\s-1NOTES\*(R"\s0 section below for further details. The value
+ticket decryption. See the "NOTES" section below for further details. The value
of \fBarg\fR is the same as that given to \fBSSL_CTX_set_session_ticket_cb()\fR. The
\&\fBdec_cb\fR callback is defined as type \fBSSL_CTX_decrypt_session_ticket_fn\fR.
.PP
@@ -192,15 +116,15 @@ the application that a session ticket is about to be generated.
\&\fBSSL_SESSION_get0_ticket_appdata()\fR assigns \fBdata\fR to the session ticket
application data and assigns \fBlen\fR to the length of the session ticket
application data from \fBss\fR. The application data can be set via
-\&\fBSSL_SESSION_set1_ticket_appdata()\fR or by a session ticket. \s-1NULL\s0 will be assigned
+\&\fBSSL_SESSION_set1_ticket_appdata()\fR or by a session ticket. NULL will be assigned
to \fBdata\fR and 0 will be assigned to \fBlen\fR if there is no session ticket
application data. \fBSSL_SESSION_get0_ticket_appdata()\fR can be called any time
after a session has been created. The \fBdec_cb\fR is provided to notify the
application that a session ticket has just been decrypted.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When the \fBdec_cb\fR callback is invoked, the \s-1SSL_SESSION\s0 \fBss\fR has not yet been
-assigned to the \s-1SSL\s0 \fBs\fR. The \fBstatus\fR indicates the result of the ticket
+When the \fBdec_cb\fR callback is invoked, the SSL_SESSION \fBss\fR has not yet been
+assigned to the SSL \fBs\fR. The \fBstatus\fR indicates the result of the ticket
decryption. The callback must check the \fBstatus\fR value before performing any
action, as it is called even if ticket decryption fails.
.PP
@@ -208,67 +132,67 @@ The \fBkeyname\fR and \fBkeyname_len\fR arguments to \fBdec_cb\fR may be used to
the key that was used to encrypt the session ticket.
.PP
The \fBstatus\fR argument can be any of these values:
-.IP "\s-1SSL_TICKET_EMPTY\s0" 4
+.IP SSL_TICKET_EMPTY 4
.IX Item "SSL_TICKET_EMPTY"
Empty ticket present. No ticket data will be used and a new ticket should be
sent to the client. This only occurs in TLSv1.2 or below. In TLSv1.3 it is not
valid for a client to send an empty ticket.
-.IP "\s-1SSL_TICKET_NO_DECRYPT\s0" 4
+.IP SSL_TICKET_NO_DECRYPT 4
.IX Item "SSL_TICKET_NO_DECRYPT"
The ticket couldn't be decrypted. No ticket data will be used and a new ticket
should be sent to the client.
-.IP "\s-1SSL_TICKET_SUCCESS\s0" 4
+.IP SSL_TICKET_SUCCESS 4
.IX Item "SSL_TICKET_SUCCESS"
A ticket was successfully decrypted, any session ticket application data should
be available. A new ticket should not be sent to the client.
-.IP "\s-1SSL_TICKET_SUCCESS_RENEW\s0" 4
+.IP SSL_TICKET_SUCCESS_RENEW 4
.IX Item "SSL_TICKET_SUCCESS_RENEW"
-Same as \fB\s-1SSL_TICKET_SUCCESS\s0\fR, but a new ticket should be sent to the client.
+Same as \fBSSL_TICKET_SUCCESS\fR, but a new ticket should be sent to the client.
.PP
The return value can be any of these values:
-.IP "\s-1SSL_TICKET_RETURN_ABORT\s0" 4
+.IP SSL_TICKET_RETURN_ABORT 4
.IX Item "SSL_TICKET_RETURN_ABORT"
The handshake should be aborted, either because of an error or because of some
policy. Note that in TLSv1.3 a client may send more than one ticket in a single
handshake. Therefore, just because one ticket is unacceptable it does not mean
that all of them are. For this reason this option should be used with caution.
-.IP "\s-1SSL_TICKET_RETURN_IGNORE\s0" 4
+.IP SSL_TICKET_RETURN_IGNORE 4
.IX Item "SSL_TICKET_RETURN_IGNORE"
Do not use a ticket (if one was available). Do not send a renewed ticket to the
client.
-.IP "\s-1SSL_TICKET_RETURN_IGNORE_RENEW\s0" 4
+.IP SSL_TICKET_RETURN_IGNORE_RENEW 4
.IX Item "SSL_TICKET_RETURN_IGNORE_RENEW"
Do not use a ticket (if one was available). Send a renewed ticket to the client.
.Sp
If the callback does not wish to change the default ticket behaviour then it
-should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_EMPTY\s0\fR or
-\&\fB\s-1SSL_TICKET_NO_DECRYPT\s0\fR.
-.IP "\s-1SSL_TICKET_RETURN_USE\s0" 4
+should return this value if \fBstatus\fR is \fBSSL_TICKET_EMPTY\fR or
+\&\fBSSL_TICKET_NO_DECRYPT\fR.
+.IP SSL_TICKET_RETURN_USE 4
.IX Item "SSL_TICKET_RETURN_USE"
Use the ticket. Do not send a renewed ticket to the client. It is an error for
the callback to return this value if \fBstatus\fR has a value other than
-\&\fB\s-1SSL_TICKET_SUCCESS\s0\fR or \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR.
+\&\fBSSL_TICKET_SUCCESS\fR or \fBSSL_TICKET_SUCCESS_RENEW\fR.
.Sp
If the callback does not wish to change the default ticket behaviour then it
-should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_SUCCESS\s0\fR.
-.IP "\s-1SSL_TICKET_RETURN_USE_RENEW\s0" 4
+should return this value if \fBstatus\fR is \fBSSL_TICKET_SUCCESS\fR.
+.IP SSL_TICKET_RETURN_USE_RENEW 4
.IX Item "SSL_TICKET_RETURN_USE_RENEW"
Use the ticket. Send a renewed ticket to the client. It is an error for the
callback to return this value if \fBstatus\fR has a value other than
-\&\fB\s-1SSL_TICKET_SUCCESS\s0\fR or \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR.
+\&\fBSSL_TICKET_SUCCESS\fR or \fBSSL_TICKET_SUCCESS_RENEW\fR.
.Sp
If the callback does not wish to change the default ticket behaviour then it
-should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR.
+should return this value if \fBstatus\fR is \fBSSL_TICKET_SUCCESS_RENEW\fR.
.PP
-If \fBstatus\fR has the value \fB\s-1SSL_TICKET_EMPTY\s0\fR or \fB\s-1SSL_TICKET_NO_DECRYPT\s0\fR then
+If \fBstatus\fR has the value \fBSSL_TICKET_EMPTY\fR or \fBSSL_TICKET_NO_DECRYPT\fR then
no session data will be available and the callback must not use the \fBss\fR
-argument. If \fBstatus\fR has the value \fB\s-1SSL_TICKET_SUCCESS\s0\fR or
-\&\fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR then the application can call
+argument. If \fBstatus\fR has the value \fBSSL_TICKET_SUCCESS\fR or
+\&\fBSSL_TICKET_SUCCESS_RENEW\fR then the application can call
\&\fBSSL_SESSION_get0_ticket_appdata()\fR using the session provided in the \fBss\fR
argument to retrieve the application data.
.PP
When the \fBgen_cb\fR callback is invoked, the \fBSSL_get_session()\fR function can be
-used to retrieve the \s-1SSL_SESSION\s0 for \fBSSL_SESSION_set1_ticket_appdata()\fR.
+used to retrieve the SSL_SESSION for \fBSSL_SESSION_set1_ticket_appdata()\fR.
.PP
By default, in TLSv1.2 and below, a new session ticket is not issued on a
successful resumption and therefore \fBgen_cb\fR will not be called. In TLSv1.3 the
@@ -282,22 +206,22 @@ The \fBSSL_CTX_set_session_ticket_cb()\fR, \fBSSL_SESSION_set1_ticket_appdata()\
failure.
.PP
The \fBgen_cb\fR callback must return 1 to continue the connection. A return of 0
-will terminate the connection with an \s-1INTERNAL_ERROR\s0 alert.
+will terminate the connection with an INTERNAL_ERROR alert.
.PP
-The \fBdec_cb\fR callback must return a value as described in \*(L"\s-1NOTES\*(R"\s0 above.
+The \fBdec_cb\fR callback must return a value as described in "NOTES" above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_get_session\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CTX_set_session_ticket_cb()\fR, \fBSSL_SESSION_set1_ticket_appdata()\fR
and \fBSSL_SESSION_get_ticket_appdata()\fR functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3
index f77342693d31..136d151469f9 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl"
-.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_max_send_fragment, SSL_set_max_send_fragment,
SSL_CTX_set_split_send_fragment, SSL_set_split_send_fragment,
SSL_CTX_set_max_pipelines, SSL_set_max_pipelines,
@@ -144,7 +68,7 @@ SSL_CTX_set_default_read_buffer_len, SSL_set_default_read_buffer_len,
SSL_CTX_set_tlsext_max_fragment_length,
SSL_set_tlsext_max_fragment_length,
SSL_SESSION_get_max_fragment_length \- Control fragment size settings and pipelining operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -165,32 +89,32 @@ SSL_SESSION_get_max_fragment_length \- Control fragment size settings and pipeli
\& int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode);
\& uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *session);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Some engines are able to process multiple simultaneous crypto operations. This
capability could be utilised to parallelise the processing of a single
connection. For example a single write can be split into multiple records and
each one encrypted independently and in parallel. Note: this will only work in
-\&\s-1TLS1.1+.\s0 There is no support in SSLv3, TLSv1.0 or \s-1DTLS\s0 (any version). This
-capability is known as \*(L"pipelining\*(R" within OpenSSL.
+TLS1.1+. There is no support in SSLv3, TLSv1.0 or DTLS (any version). This
+capability is known as "pipelining" within OpenSSL.
.PP
In order to benefit from the pipelining capability. You need to have an engine
-that provides ciphers that support this. The OpenSSL \*(L"dasync\*(R" engine provides
-\&\s-1AES128\-SHA\s0 based ciphers that have this capability. However, these are for
+that provides ciphers that support this. The OpenSSL "dasync" engine provides
+AES128\-SHA based ciphers that have this capability. However, these are for
development and test purposes only.
.PP
\&\fBSSL_CTX_set_max_send_fragment()\fR and \fBSSL_set_max_send_fragment()\fR set the
-\&\fBmax_send_fragment\fR parameter for \s-1SSL_CTX\s0 and \s-1SSL\s0 objects respectively. This
+\&\fBmax_send_fragment\fR parameter for SSL_CTX and SSL objects respectively. This
value restricts the amount of plaintext bytes that will be sent in any one
-\&\s-1SSL/TLS\s0 record. By default its value is \s-1SSL3_RT_MAX_PLAIN_LENGTH\s0 (16384). These
-functions will only accept a value in the range 512 \- \s-1SSL3_RT_MAX_PLAIN_LENGTH.\s0
+SSL/TLS record. By default its value is SSL3_RT_MAX_PLAIN_LENGTH (16384). These
+functions will only accept a value in the range 512 \- SSL3_RT_MAX_PLAIN_LENGTH.
.PP
\&\fBSSL_CTX_set_max_pipelines()\fR and \fBSSL_set_max_pipelines()\fR set the maximum number
of pipelines that will be used at any one time. This value applies to both
-\&\*(L"read\*(R" pipelining and \*(L"write\*(R" pipelining. By default only one pipeline will be
+"read" pipelining and "write" pipelining. By default only one pipeline will be
used (i.e. normal non-parallel operation). The number of pipelines set must be
-in the range 1 \- \s-1SSL_MAX_PIPELINES\s0 (32). Setting this to a value > 1 will also
-automatically turn on \*(L"read_ahead\*(R" (see \fBSSL_CTX_set_read_ahead\fR\|(3)). This is
+in the range 1 \- SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also
+automatically turn on "read_ahead" (see \fBSSL_CTX_set_read_ahead\fR\|(3)). This is
explained further below. OpenSSL will only ever use more than one pipeline if
a cipher suite is negotiated that uses a pipeline capable cipher provided by an
engine.
@@ -241,26 +165,31 @@ functions control the size of the read buffer that will be used. The \fBlen\fR
parameter sets the size of the buffer. The value will only be used if it is
greater than the default that would have been used anyway. The normal default
value depends on a number of factors but it will be at least
-\&\s-1SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD\s0 (16704) bytes.
+SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD (16704) bytes.
.PP
\&\fBSSL_CTX_set_tlsext_max_fragment_length()\fR sets the default maximum fragment
length negotiation mode via value \fBmode\fR to \fBctx\fR.
-This setting affects only \s-1SSL\s0 instances created after this function is called.
+This setting affects only SSL instances created after this function is called.
It affects the client-side as only its side may initiate this extension use.
.PP
\&\fBSSL_set_tlsext_max_fragment_length()\fR sets the maximum fragment length
negotiation mode via value \fBmode\fR to \fBssl\fR.
This setting will be used during a handshake when extensions are exchanged
between client and server.
-So it only affects \s-1SSL\s0 sessions created after this function is called.
+So it only affects SSL sessions created after this function is called.
It affects the client-side as only its side may initiate this extension use.
.PP
\&\fBSSL_SESSION_get_max_fragment_length()\fR gets the maximum fragment length
negotiated in \fBsession\fR.
+.PP
+These functions cannot be used with QUIC SSL objects.
+\&\fBSSL_set_max_send_fragment()\fR, \fBSSL_set_max_pipelines()\fR,
+\&\fBSSL_set_split_send_fragment()\fR, \fBSSL_set_default_read_buffer_len()\fR and
+\&\fBSSL_set_tlsext_max_fragment_length()\fR fail if called on a QUIC SSL object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All non-void functions return 1 on success and 0 on failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The Maximum Fragment Length extension support is optional on the server side.
If the server does not support this extension then
@@ -268,19 +197,19 @@ If the server does not support this extension then
TLSEXT_max_fragment_length_DISABLED.
.PP
The following modes are available:
-.IP "TLSEXT_max_fragment_length_DISABLED" 4
+.IP TLSEXT_max_fragment_length_DISABLED 4
.IX Item "TLSEXT_max_fragment_length_DISABLED"
Disables Maximum Fragment Length Negotiation (default).
-.IP "TLSEXT_max_fragment_length_512" 4
+.IP TLSEXT_max_fragment_length_512 4
.IX Item "TLSEXT_max_fragment_length_512"
Sets Maximum Fragment Length to 512 bytes.
-.IP "TLSEXT_max_fragment_length_1024" 4
+.IP TLSEXT_max_fragment_length_1024 4
.IX Item "TLSEXT_max_fragment_length_1024"
Sets Maximum Fragment Length to 1024.
-.IP "TLSEXT_max_fragment_length_2048" 4
+.IP TLSEXT_max_fragment_length_2048 4
.IX Item "TLSEXT_max_fragment_length_2048"
Sets Maximum Fragment Length to 2048.
-.IP "TLSEXT_max_fragment_length_4096" 4
+.IP TLSEXT_max_fragment_length_4096 4
.IX Item "TLSEXT_max_fragment_length_4096"
Sets Maximum Fragment Length to 4096.
.PP
@@ -292,7 +221,7 @@ all these functions are implemented using macros.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_read_ahead\fR\|(3), \fBSSL_pending\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CTX_set_max_pipelines()\fR, \fBSSL_set_max_pipelines()\fR,
\&\fBSSL_CTX_set_split_send_fragment()\fR, \fBSSL_set_split_send_fragment()\fR,
@@ -301,11 +230,11 @@ functions were added in OpenSSL 1.1.0.
.PP
The \fBSSL_CTX_set_tlsext_max_fragment_length()\fR, \fBSSL_set_tlsext_max_fragment_length()\fR
and \fBSSL_SESSION_get_max_fragment_length()\fR functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3
index 0b49dab20d8b..af08a61ba5b4 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_srp_password.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SRP_PASSWORD 3ossl"
-.TH SSL_CTX_SET_SRP_PASSWORD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SRP_PASSWORD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_srp_username,
SSL_CTX_set_srp_password,
SSL_CTX_set_srp_strength,
@@ -151,14 +75,14 @@ SSL_get_srp_N,
SSL_get_srp_username,
SSL_get_srp_userinfo
\&\- SRP control operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 10
@@ -184,62 +108,62 @@ see \fBopenssl_user_macros\fR\|(7):
\& char *SSL_get_srp_username(SSL *s);
\& char *SSL_get_srp_userinfo(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All of the functions described on this page are deprecated. There are no
available replacement functions at this time.
.PP
-These functions provide access to \s-1SRP\s0 (Secure Remote Password) parameters,
-an alternate authentication mechanism for \s-1TLS. SRP\s0 allows the use of usernames
+These functions provide access to SRP (Secure Remote Password) parameters,
+an alternate authentication mechanism for TLS. SRP allows the use of usernames
and passwords over unencrypted channels without revealing the password to an
-eavesdropper. \s-1SRP\s0 also supplies a shared secret at the end of the authentication
+eavesdropper. SRP also supplies a shared secret at the end of the authentication
sequence that can be used to generate encryption keys.
.PP
-The \s-1SRP\s0 protocol, version 3 is specified in \s-1RFC 2945. SRP\s0 version 6 is described
-in \s-1RFC 5054\s0 with applications to \s-1TLS\s0 authentication.
+The SRP protocol, version 3 is specified in RFC 2945. SRP version 6 is described
+in RFC 5054 with applications to TLS authentication.
.PP
-The \fBSSL_CTX_set_srp_username()\fR function sets the \s-1SRP\s0 username for \fBctx\fR. This
+The \fBSSL_CTX_set_srp_username()\fR function sets the SRP username for \fBctx\fR. This
should be called on the client prior to creating a connection to the server.
The length of \fBname\fR must be shorter or equal to 255 characters.
.PP
-The \fBSSL_CTX_set_srp_password()\fR function sets the \s-1SRP\s0 password for \fBctx\fR. This
+The \fBSSL_CTX_set_srp_password()\fR function sets the SRP password for \fBctx\fR. This
may be called on the client prior to creating a connection to the server.
This overrides the effect of \fBSSL_CTX_set_srp_client_pwd_callback()\fR.
.PP
-The \fBSSL_CTX_set_srp_strength()\fR function sets the \s-1SRP\s0 strength for \fBctx\fR. This
-is the minimal length of the \s-1SRP\s0 prime in bits. If not specified 1024 is used.
+The \fBSSL_CTX_set_srp_strength()\fR function sets the SRP strength for \fBctx\fR. This
+is the minimal length of the SRP prime in bits. If not specified 1024 is used.
If not satisfied by the server key exchange the connection will be rejected.
.PP
The \fBSSL_CTX_set_srp_cb_arg()\fR function sets an extra parameter that will
be passed to all following callbacks as \fBarg\fR.
.PP
The \fBSSL_CTX_set_srp_username_callback()\fR function sets the server side callback
-that is invoked when an \s-1SRP\s0 username is found in a ClientHello.
-The callback parameters are the \s-1SSL\s0 connection \fBs\fR, a writable error flag \fBad\fR
+that is invoked when an SRP username is found in a ClientHello.
+The callback parameters are the SSL connection \fBs\fR, a writable error flag \fBad\fR
and the extra argument \fBarg\fR set by \fBSSL_CTX_set_srp_cb_arg()\fR.
This callback should setup the server for the key exchange by calling
\&\fBSSL_set_srp_server_param()\fR with the appropriate parameters for the received
username. The username can be obtained by calling \fBSSL_get_srp_username()\fR.
See \fBSRP_VBASE_init\fR\|(3) to parse the verifier file created by \fBopenssl\-srp\fR\|(1) or
\&\fBSRP_create_verifier\fR\|(3) to generate it.
-The callback should return \fB\s-1SSL_ERROR_NONE\s0\fR to proceed with the server key exchange,
-\&\fB\s-1SSL3_AL_FATAL\s0\fR for a fatal error or any value < 0 for a retryable error.
-In the event of a \fB\s-1SSL3_AL_FATAL\s0\fR the alert flag given by \fB*al\fR will be sent
-back. By default this will be \fB\s-1SSL_AD_UNKNOWN_PSK_IDENTITY\s0\fR.
+The callback should return \fBSSL_ERROR_NONE\fR to proceed with the server key exchange,
+\&\fBSSL3_AL_FATAL\fR for a fatal error or any value < 0 for a retryable error.
+In the event of a \fBSSL3_AL_FATAL\fR the alert flag given by \fB*al\fR will be sent
+back. By default this will be \fBSSL_AD_UNKNOWN_PSK_IDENTITY\fR.
.PP
The \fBSSL_CTX_set_srp_client_pwd_callback()\fR function sets the client password
callback on the client.
-The callback parameters are the \s-1SSL\s0 connection \fBs\fR and the extra argument \fBarg\fR
+The callback parameters are the SSL connection \fBs\fR and the extra argument \fBarg\fR
set by \fBSSL_CTX_set_srp_cb_arg()\fR.
The callback will be called as part of the generation of the client secrets.
-It should return the client password in text form or \s-1NULL\s0 to abort the connection.
+It should return the client password in text form or NULL to abort the connection.
The resulting memory will be freed by the library as part of the callback resolution.
This overrides the effect of \fBSSL_CTX_set_srp_password()\fR.
.PP
-The \fBSSL_CTX_set_srp_verify_param_callback()\fR sets the \s-1SRP\s0 gN parameter verification
+The \fBSSL_CTX_set_srp_verify_param_callback()\fR sets the SRP gN parameter verification
callback on the client. This allows the client to perform custom verification when
-receiving the server \s-1SRP\s0 proposed parameters.
-The callback parameters are the \s-1SSL\s0 connection \fBs\fR and the extra argument \fBarg\fR
+receiving the server SRP proposed parameters.
+The callback parameters are the SSL connection \fBs\fR and the extra argument \fBarg\fR
set by \fBSSL_CTX_set_srp_cb_arg()\fR.
The callback should return a positive value to accept the server parameters.
Returning 0 or a negative value will abort the connection. The server parameters
@@ -247,28 +171,28 @@ can be obtained by calling \fBSSL_get_srp_N()\fR and \fBSSL_get_srp_g()\fR.
Sanity checks are already performed by the library after the handshake
(B % N non zero, check against the strength parameter) and are not necessary.
If no callback is set the g and N parameters will be checked against
-known \s-1RFC 5054\s0 values.
+known RFC 5054 values.
.PP
-The \fBSSL_set_srp_server_param()\fR function sets all \s-1SRP\s0 parameters for
-the connection \fBs\fR. \fBN\fR and \fBg\fR are the \s-1SRP\s0 group parameters, \fBsa\fR is the
+The \fBSSL_set_srp_server_param()\fR function sets all SRP parameters for
+the connection \fBs\fR. \fBN\fR and \fBg\fR are the SRP group parameters, \fBsa\fR is the
user salt, \fBv\fR the password verifier and \fBinfo\fR is the optional user info.
.PP
-The \fBSSL_set_srp_server_param_pw()\fR function sets all \s-1SRP\s0 parameters for the
+The \fBSSL_set_srp_server_param_pw()\fR function sets all SRP parameters for the
connection \fBs\fR by generating a random salt and a password verifier.
-\&\fBuser\fR is the username, \fBpass\fR the password and \fBgrp\fR the \s-1SRP\s0 group parameters
+\&\fBuser\fR is the username, \fBpass\fR the password and \fBgrp\fR the SRP group parameters
identifier for \fBSRP_get_default_gN\fR\|(3).
.PP
-The \fBSSL_get_srp_g()\fR function returns the \s-1SRP\s0 group generator for \fBs\fR, or from
-the underlying \s-1SSL_CTX\s0 if it is \s-1NULL.\s0
+The \fBSSL_get_srp_g()\fR function returns the SRP group generator for \fBs\fR, or from
+the underlying SSL_CTX if it is NULL.
.PP
-The \fBSSL_get_srp_N()\fR function returns the \s-1SRP\s0 prime for \fBs\fR, or from
-the underlying \s-1SSL_CTX\s0 if it is \s-1NULL.\s0
+The \fBSSL_get_srp_N()\fR function returns the SRP prime for \fBs\fR, or from
+the underlying SSL_CTX if it is NULL.
.PP
-The \fBSSL_get_srp_username()\fR function returns the \s-1SRP\s0 username for \fBs\fR, or from
-the underlying \s-1SSL_CTX\s0 if it is \s-1NULL.\s0
+The \fBSSL_get_srp_username()\fR function returns the SRP username for \fBs\fR, or from
+the underlying SSL_CTX if it is NULL.
.PP
-The \fBSSL_get_srp_userinfo()\fR function returns the \s-1SRP\s0 user info for \fBs\fR, or from
-the underlying \s-1SSL_CTX\s0 if it is \s-1NULL.\s0
+The \fBSSL_get_srp_userinfo()\fR function returns the SRP user info for \fBs\fR, or from
+the underlying SSL_CTX if it is NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All SSL_CTX_set_* functions return 1 on success and 0 on failure.
@@ -277,9 +201,9 @@ All SSL_CTX_set_* functions return 1 on success and 0 on failure.
.PP
The SSL_get_SRP_* functions return a pointer to the requested data, the memory
is owned by the library and should not be freed by the caller.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Setup \s-1SRP\s0 parameters on the client:
+Setup SRP parameters on the client:
.PP
.Vb 1
\& #include <openssl/ssl.h>
@@ -296,7 +220,7 @@ Setup \s-1SRP\s0 parameters on the client:
\& /* Error */
.Ve
.PP
-Setup \s-1SRP\s0 server with verifier file:
+Setup SRP server with verifier file:
.PP
.Vb 2
\& #include <openssl/srp.h>
@@ -345,14 +269,14 @@ Setup \s-1SRP\s0 server with verifier file:
\&\fBopenssl\-srp\fR\|(1),
\&\fBSRP_VBASE_new\fR\|(3),
\&\fBSRP_create_verifier\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.1 and deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3
index 7c6b456c0538..9f7f446ab51f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SSL_VERSION 3ossl"
-.TH SSL_CTX_SET_SSL_VERSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_SSL_VERSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_ssl_version, SSL_CTX_get_ssl_method, SSL_set_ssl_method, SSL_get_ssl_method
\&\- choose a new TLS/SSL method
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,43 +74,47 @@ SSL_CTX_set_ssl_version, SSL_CTX_get_ssl_method, SSL_set_ssl_method, SSL_get_ssl
\& int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
\& const SSL_METHOD *SSL_get_ssl_method(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_set_ssl_version()\fR sets a new default \s-1TLS/SSL\s0 \fBmethod\fR for \s-1SSL\s0 objects
+\&\fBSSL_CTX_set_ssl_version()\fR sets a new default TLS/SSL \fBmethod\fR for SSL objects
newly created from this \fBctx\fR. Most of the configuration attached to the
-\&\s-1SSL_CTX\s0 object is retained, with the exception of the configured \s-1TLS\s0 ciphers,
-which are reset to the default values. \s-1SSL\s0 objects already created from this
-\&\s-1SSL_CTX\s0 with \fBSSL_new\fR\|(3) are not affected, except when \fBSSL_clear\fR\|(3) is
+SSL_CTX object is retained, with the exception of the configured TLS ciphers,
+which are reset to the default values. SSL objects already created from this
+SSL_CTX with \fBSSL_new\fR\|(3) are not affected, except when \fBSSL_clear\fR\|(3) is
being called, as described below.
.PP
-\&\fBSSL_CTX_get_ssl_method()\fR returns the \s-1SSL_METHOD\s0 which was used to construct the
-\&\s-1SSL_CTX.\s0
+\&\fBSSL_CTX_get_ssl_method()\fR returns the SSL_METHOD which was used to construct the
+SSL_CTX.
.PP
-\&\fBSSL_set_ssl_method()\fR sets a new \s-1TLS/SSL\s0 \fBmethod\fR for a particular \fBssl\fR
+\&\fBSSL_set_ssl_method()\fR sets a new TLS/SSL \fBmethod\fR for a particular \fBssl\fR
object. It may be reset, when \fBSSL_clear()\fR is called.
.PP
-\&\fBSSL_get_ssl_method()\fR returns a pointer to the \s-1TLS/SSL\s0 method
+\&\fBSSL_get_ssl_method()\fR returns a pointer to the TLS/SSL method
set in \fBssl\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The available \fBmethod\fR choices are described in
\&\fBSSL_CTX_new\fR\|(3).
.PP
When \fBSSL_clear\fR\|(3) is called and no session is connected to
-an \s-1SSL\s0 object, the method of the \s-1SSL\s0 object is reset to the method currently
-set in the corresponding \s-1SSL_CTX\s0 object.
+an SSL object, the method of the SSL object is reset to the method currently
+set in the corresponding SSL_CTX object.
.PP
\&\fBSSL_CTX_set_version()\fR has unusual semantics and no clear use case;
-it would usually be preferable to create a new \s-1SSL_CTX\s0 object than to
+it would usually be preferable to create a new SSL_CTX object than to
try to reuse an existing one in this fashion. Its usage is considered
deprecated.
+.PP
+\&\fBSSL_set_ssl_method()\fR cannot be used to change a non-QUIC SSL object to a QUIC
+SSL object or vice versa, or change a QUIC SSL object from one QUIC method to
+another.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur for \fBSSL_CTX_set_ssl_version()\fR
and \fBSSL_set_ssl_method()\fR:
-.IP "0" 4
+.IP 0 4
The new choice failed, check the error stack to find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation succeeded.
.PP
@@ -197,14 +125,14 @@ pointers.
\&\fBSSL_CTX_new\fR\|(3), \fBSSL_new\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBssl\fR\|(7),
\&\fBSSL_set_connect_state\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_CTX_set_ssl_version()\fR was deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3
index d5e1590a4a8c..f37cd9bc44f4 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl"
-.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_stateless_cookie_generate_cb,
SSL_CTX_set_stateless_cookie_verify_cb,
SSL_CTX_set_cookie_generate_cb,
SSL_CTX_set_cookie_verify_cb
\&\- Callback functions for stateless TLS1.3 cookies
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -171,13 +95,13 @@ SSL_CTX_set_cookie_verify_cb
\& unsigned int
\& cookie_len));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_stateless_cookie_generate_cb()\fR sets the callback used by
\&\fBSSL_stateless\fR\|(3) to generate the application-controlled portion of the cookie
provided to clients in the HelloRetryRequest transmitted as a response to a
ClientHello with a missing or invalid cookie. \fBgen_stateless_cookie_cb()\fR must
-write at most \s-1SSL_COOKIE_LENGTH\s0 bytes into \fBcookie\fR, and must write the number
+write at most SSL_COOKIE_LENGTH bytes into \fBcookie\fR, and must write the number
of bytes written to \fBcookie_len\fR. If a cookie cannot be generated, a zero
return value can be used to abort the handshake.
.PP
@@ -186,13 +110,13 @@ return value can be used to abort the handshake.
ClientHello cookie is valid. The cookie data is pointed to by \fBcookie\fR and is of
length \fBcookie_len\fR. A nonzero return value from \fBverify_stateless_cookie_cb()\fR
communicates that the cookie is valid. The integrity of the entire cookie,
-including the application-controlled portion, is automatically verified by \s-1HMAC\s0
+including the application-controlled portion, is automatically verified by HMAC
before \fBverify_stateless_cookie_cb()\fR is called.
.PP
\&\fBSSL_CTX_set_cookie_generate_cb()\fR sets the callback used by \fBDTLSv1_listen\fR\|(3)
to generate the cookie provided to clients in the HelloVerifyRequest transmitted
as a response to a ClientHello with a missing or invalid cookie.
-\&\fBapp_gen_cookie_cb()\fR must write at most \s-1DTLS1_COOKIE_LENGTH\s0 bytes into
+\&\fBapp_gen_cookie_cb()\fR must write at most DTLS1_COOKIE_LENGTH bytes into
\&\fBcookie\fR, and must write the number of bytes written to \fBcookie_len\fR. If a
cookie cannot be generated, a zero return value can be used to abort the
handshake.
@@ -211,15 +135,15 @@ Neither function returns a value.
\&\fBssl\fR\|(7),
\&\fBSSL_stateless\fR\|(3),
\&\fBDTLSv1_listen\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_CTX_set_stateless_cookie_generate_cb()\fR and
\&\fBSSL_CTX_set_stateless_cookie_verify_cb()\fR were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3
index 5d57ea022b62..066803fd4d20 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TIMEOUT 3ossl"
-.TH SSL_CTX_SET_TIMEOUT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TIMEOUT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_timeout, SSL_CTX_get_timeout \- manipulate timeout values for session caching
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,13 +70,13 @@ SSL_CTX_set_timeout, SSL_CTX_get_timeout \- manipulate timeout values for sessio
\& long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
\& long SSL_CTX_get_timeout(SSL_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_timeout()\fR sets the timeout for newly created sessions for
\&\fBctx\fR to \fBt\fR. The timeout value \fBt\fR must be given in seconds.
.PP
\&\fBSSL_CTX_get_timeout()\fR returns the currently set timeout value for \fBctx\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Whenever a new session is created, it is assigned a maximum lifetime. This
lifetime is specified by storing the creation time of the session and the
@@ -179,7 +103,7 @@ of 300 seconds.
This timeout value is used as the ticket lifetime hint for stateless session
tickets. It is also used as the timeout value within the ticket itself.
.PP
-For TLSv1.3, \s-1RFC8446\s0 limits transmission of this value to 1 week (604800
+For TLSv1.3, RFC8446 limits transmission of this value to 1 week (604800
seconds).
.PP
For TLSv1.2, tickets generated during an initial handshake use the value
@@ -197,11 +121,11 @@ of 0 for the ticket lifetime hint.
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3
index cf450f02c0c9..27f3162be530 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl"
-.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg,
SSL_get_servername_type, SSL_get_servername,
SSL_set_tlsext_host_name \- handle server name indication (SNI)
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -154,7 +78,7 @@ SSL_set_tlsext_host_name \- handle server name indication (SNI)
\&
\& int SSL_set_tlsext_host_name(const SSL *s, const char *name);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functionality provided by the servername callback is mostly superseded by
the ClientHello callback, which can be set using \fBSSL_CTX_set_client_hello_cb()\fR.
@@ -164,35 +88,35 @@ still necessary in order to acknowledge the servername requested by the client.
\&\fBSSL_CTX_set_tlsext_servername_callback()\fR sets the application callback \fBcb\fR
used by a server to perform any actions or configuration required based on
the servername extension received in the incoming connection. When \fBcb\fR
-is \s-1NULL, SNI\s0 is not used.
+is NULL, SNI is not used.
.PP
The servername callback should return one of the following values:
-.IP "\s-1SSL_TLSEXT_ERR_OK\s0" 4
+.IP SSL_TLSEXT_ERR_OK 4
.IX Item "SSL_TLSEXT_ERR_OK"
This is used to indicate that the servername requested by the client has been
accepted. Typically a server will call \fBSSL_set_SSL_CTX()\fR in the callback to set
up a different configuration for the selected servername in this case.
-.IP "\s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0" 4
+.IP SSL_TLSEXT_ERR_ALERT_FATAL 4
.IX Item "SSL_TLSEXT_ERR_ALERT_FATAL"
In this case the servername requested by the client is not accepted and the
handshake will be aborted. The value of the alert to be used should be stored in
the location pointed to by the \fBal\fR parameter to the callback. By default this
-value is initialised to \s-1SSL_AD_UNRECOGNIZED_NAME.\s0
-.IP "\s-1SSL_TLSEXT_ERR_ALERT_WARNING\s0" 4
+value is initialised to SSL_AD_UNRECOGNIZED_NAME.
+.IP SSL_TLSEXT_ERR_ALERT_WARNING 4
.IX Item "SSL_TLSEXT_ERR_ALERT_WARNING"
If this value is returned then the servername is not accepted by the server.
However, the handshake will continue and send a warning alert instead. The value
of the alert should be stored in the location pointed to by the \fBal\fR parameter
-as for \s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0 above. Note that TLSv1.3 does not support
+as for SSL_TLSEXT_ERR_ALERT_FATAL above. Note that TLSv1.3 does not support
warning alerts, so if TLSv1.3 has been negotiated then this return value is
-treated the same way as \s-1SSL_TLSEXT_ERR_NOACK.\s0
-.IP "\s-1SSL_TLSEXT_ERR_NOACK\s0" 4
+treated the same way as SSL_TLSEXT_ERR_NOACK.
+.IP SSL_TLSEXT_ERR_NOACK 4
.IX Item "SSL_TLSEXT_ERR_NOACK"
This return value indicates that the servername is not accepted by the server.
No alerts are sent and the server will not acknowledge the requested servername.
.PP
\&\fBSSL_CTX_set_tlsext_servername_arg()\fR sets a context-specific argument to be
-passed into the callback (via the \fBarg\fR parameter) for this \fB\s-1SSL_CTX\s0\fR.
+passed into the callback (via the \fBarg\fR parameter) for this \fBSSL_CTX\fR.
.PP
The behaviour of \fBSSL_get_servername()\fR depends on a number of different factors.
In particular note that in TLSv1.3 the servername is negotiated in every
@@ -207,48 +131,48 @@ If one has not been set, but a TLSv1.2 resumption is being attempted and the
session from the original handshake had a servername accepted by the server then
it will return that servername.
.Sp
-Otherwise it returns \s-1NULL.\s0
+Otherwise it returns NULL.
.IP "On the client, during or after the handshake and a TLSv1.2 (or below) resumption occurred" 4
.IX Item "On the client, during or after the handshake and a TLSv1.2 (or below) resumption occurred"
If the session from the original handshake had a servername accepted by the
server then it will return that servername.
.Sp
-Otherwise it returns the servername set via \fBSSL_set_tlsext_host_name()\fR or \s-1NULL\s0
+Otherwise it returns the servername set via \fBSSL_set_tlsext_host_name()\fR or NULL
if it was not called.
.IP "On the client, during or after the handshake and a TLSv1.2 (or below) resumption did not occur" 4
.IX Item "On the client, during or after the handshake and a TLSv1.2 (or below) resumption did not occur"
-It will return the servername set via \fBSSL_set_tlsext_host_name()\fR or \s-1NULL\s0 if it
+It will return the servername set via \fBSSL_set_tlsext_host_name()\fR or NULL if it
was not called.
.IP "On the server, before the handshake" 4
.IX Item "On the server, before the handshake"
-The function will always return \s-1NULL\s0 before the handshake
+The function will always return NULL before the handshake
.IP "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption occurred" 4
.IX Item "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption occurred"
If a servername was accepted by the server in the original handshake then it
-will return that servername, or \s-1NULL\s0 otherwise.
+will return that servername, or NULL otherwise.
.IP "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption did not occur" 4
.IX Item "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption did not occur"
The function will return the servername requested by the client in this
-handshake or \s-1NULL\s0 if none was requested.
+handshake or NULL if none was requested.
.PP
Note that the ClientHello callback occurs before a servername extension from the
-client is processed. The servername, certificate and \s-1ALPN\s0 callbacks occur after
+client is processed. The servername, certificate and ALPN callbacks occur after
a servername extension from the client is processed.
.PP
\&\fBSSL_get_servername_type()\fR returns the servername type or \-1 if no servername
-is present. Currently the only supported type (defined in \s-1RFC3546\s0) is
+is present. Currently the only supported type (defined in RFC3546) is
\&\fBTLSEXT_NAMETYPE_host_name\fR.
.PP
\&\fBSSL_set_tlsext_host_name()\fR sets the server name indication ClientHello extension
to contain the value \fBname\fR. The type of server name indication extension is set
-to \fBTLSEXT_NAMETYPE_host_name\fR (defined in \s-1RFC3546\s0).
-.SH "NOTES"
+to \fBTLSEXT_NAMETYPE_host_name\fR (defined in RFC3546).
+.SH NOTES
.IX Header "NOTES"
Several callbacks are executed during ClientHello processing, including
-the ClientHello, \s-1ALPN,\s0 and servername callbacks. The ClientHello callback is
-executed first, then the servername callback, followed by the \s-1ALPN\s0 callback.
+the ClientHello, ALPN, and servername callbacks. The ClientHello callback is
+executed first, then the servername callback, followed by the ALPN callback.
.PP
-The \fBSSL_set_tlsext_host_name()\fR function should only be called on \s-1SSL\s0 objects
+The \fBSSL_set_tlsext_host_name()\fR function should only be called on SSL objects
that will act as clients; otherwise the configured \fBname\fR will be ignored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -259,7 +183,7 @@ that will act as clients; otherwise the configured \fBname\fR will be ignored.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_alpn_select_cb\fR\|(3),
\&\fBSSL_get0_alpn_selected\fR\|(3), \fBSSL_CTX_set_client_hello_cb\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_get_servername()\fR historically provided some unexpected results in certain
corner cases. This has been fixed from OpenSSL 1.1.1e.
@@ -274,12 +198,12 @@ Also prior to 1.1.1e, if the client sent a servername in the first handshake but
the server did not accept it, and then a second handshake occurred where TLSv1.2
resumption was successful then when called by the server it returned the
servername requested in the original handshake. This has now been changed to
-\&\s-1NULL.\s0
-.SH "COPYRIGHT"
+NULL.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3
index 36ef61880529..03ba784a2bdd 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl"
-.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_tlsext_status_cb,
SSL_CTX_get_tlsext_status_cb,
SSL_CTX_set_tlsext_status_arg,
@@ -148,7 +72,7 @@ SSL_get_tlsext_status_type,
SSL_get_tlsext_status_ocsp_resp,
SSL_set_tlsext_status_ocsp_resp
\&\- OCSP Certificate Status Request functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/tls1.h>
@@ -168,21 +92,21 @@ SSL_set_tlsext_status_ocsp_resp
\& long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
\& long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A client application may request that a server send back an \s-1OCSP\s0 status response
-(also known as \s-1OCSP\s0 stapling). To do so the client should call the
-\&\fBSSL_CTX_set_tlsext_status_type()\fR function prior to the creation of any \s-1SSL\s0
+A client application may request that a server send back an OCSP status response
+(also known as OCSP stapling). To do so the client should call the
+\&\fBSSL_CTX_set_tlsext_status_type()\fR function prior to the creation of any SSL
objects. Alternatively an application can call the \fBSSL_set_tlsext_status_type()\fR
-function on an individual \s-1SSL\s0 object prior to the start of the handshake.
+function on an individual SSL object prior to the start of the handshake.
Currently the only supported type is \fBTLSEXT_STATUSTYPE_ocsp\fR. This value
should be passed in the \fBtype\fR argument. Calling
\&\fBSSL_CTX_get_tlsext_status_type()\fR will return the type \fBTLSEXT_STATUSTYPE_ocsp\fR
previously set via \fBSSL_CTX_set_tlsext_status_type()\fR or \-1 if not set.
.PP
The client should additionally provide a callback function to decide what to do
-with the returned \s-1OCSP\s0 response by calling \fBSSL_CTX_set_tlsext_status_cb()\fR. The
-callback function should determine whether the returned \s-1OCSP\s0 response is
+with the returned OCSP response by calling \fBSSL_CTX_set_tlsext_status_cb()\fR. The
+callback function should determine whether the returned OCSP response is
acceptable or not. The callback will be passed as an argument the value
previously set via a call to \fBSSL_CTX_set_tlsext_status_arg()\fR. Note that the
callback will not be called in the event of a handshake where session resumption
@@ -195,22 +119,22 @@ On the client side \fBSSL_get_tlsext_status_type()\fR can be used to determine w
the client has previously called \fBSSL_set_tlsext_status_type()\fR. It will return
\&\fBTLSEXT_STATUSTYPE_ocsp\fR if it has been called or \-1 otherwise. On the server
side \fBSSL_get_tlsext_status_type()\fR can be used to determine whether the client
-requested \s-1OCSP\s0 stapling. If the client requested it then this function will
+requested OCSP stapling. If the client requested it then this function will
return \fBTLSEXT_STATUSTYPE_ocsp\fR, or \-1 otherwise.
.PP
The response returned by the server can be obtained via a call to
\&\fBSSL_get_tlsext_status_ocsp_resp()\fR. The value \fB*resp\fR will be updated to point
-to the \s-1OCSP\s0 response data and the return value will be the length of that data.
-Typically a callback would obtain an \s-1OCSP_RESPONSE\s0 object from this data via a
+to the OCSP response data and the return value will be the length of that data.
+Typically a callback would obtain an OCSP_RESPONSE object from this data via a
call to the \fBd2i_OCSP_RESPONSE()\fR function. If the server has not provided any
-response data then \fB*resp\fR will be \s-1NULL\s0 and the return value from
+response data then \fB*resp\fR will be NULL and the return value from
\&\fBSSL_get_tlsext_status_ocsp_resp()\fR will be \-1.
.PP
A server application must also call the \fBSSL_CTX_set_tlsext_status_cb()\fR function
-if it wants to be able to provide clients with \s-1OCSP\s0 Certificate Status
+if it wants to be able to provide clients with OCSP Certificate Status
responses. Typically the server callback would obtain the server certificate
that is being sent back to the client via a call to \fBSSL_get_certificate()\fR;
-obtain the \s-1OCSP\s0 response to be sent back; and then set that response data by
+obtain the OCSP response to be sent back; and then set that response data by
calling \fBSSL_set_tlsext_status_ocsp_resp()\fR. A pointer to the response data should
be provided in the \fBresp\fR argument, and the length of that data should be in
the \fBlen\fR argument.
@@ -221,9 +145,9 @@ error; 0 if the response is not acceptable (in which case the handshake will
fail) or a positive value if it is acceptable.
.PP
The callback when used on the server side should return with either
-\&\s-1SSL_TLSEXT_ERR_OK\s0 (meaning that the \s-1OCSP\s0 response that has been set should be
-returned), \s-1SSL_TLSEXT_ERR_NOACK\s0 (meaning that an \s-1OCSP\s0 response should not be
-returned) or \s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0 (meaning that a fatal error has
+SSL_TLSEXT_ERR_OK (meaning that the OCSP response that has been set should be
+returned), SSL_TLSEXT_ERR_NOACK (meaning that an OCSP response should not be
+returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has
occurred).
.PP
\&\fBSSL_CTX_set_tlsext_status_cb()\fR, \fBSSL_CTX_set_tlsext_status_arg()\fR,
@@ -233,24 +157,24 @@ occurred).
\&\fBSSL_CTX_get_tlsext_status_type()\fR returns the value previously set by
\&\fBSSL_CTX_set_tlsext_status_type()\fR, or \-1 if not set.
.PP
-\&\fBSSL_get_tlsext_status_ocsp_resp()\fR returns the length of the \s-1OCSP\s0 response data
-or \-1 if there is no \s-1OCSP\s0 response data.
+\&\fBSSL_get_tlsext_status_ocsp_resp()\fR returns the length of the OCSP response data
+or \-1 if there is no OCSP response data.
.PP
\&\fBSSL_get_tlsext_status_type()\fR returns \fBTLSEXT_STATUSTYPE_ocsp\fR on the client
side if \fBSSL_set_tlsext_status_type()\fR was previously called, or on the server
-side if the client requested \s-1OCSP\s0 stapling. Otherwise \-1 is returned.
+side if the client requested OCSP stapling. Otherwise \-1 is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_get_tlsext_status_type()\fR, \fBSSL_CTX_get_tlsext_status_type()\fR
and \fBSSL_CTX_set_tlsext_status_type()\fR functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
index efed2284a49d..9b18a9537d0c 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl"
-.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_tlsext_ticket_key_evp_cb,
SSL_CTX_set_tlsext_ticket_key_cb
\&\- set a callback for session ticket processing
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/tls1.h>
@@ -152,7 +76,7 @@ SSL_CTX_set_tlsext_ticket_key_cb
.Ve
.PP
The following function has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -161,28 +85,28 @@ see \fBopenssl_user_macros\fR\|(7):
\& unsigned char iv[EVP_MAX_IV_LENGTH],
\& EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_tlsext_ticket_key_evp_cb()\fR sets a callback function \fIcb\fR for handling
session tickets for the ssl context \fIsslctx\fR. Session tickets, defined in
-\&\s-1RFC5077\s0 provide an enhanced session resumption capability where the server
+RFC5077 provide an enhanced session resumption capability where the server
implementation is not required to maintain per session state. It only applies
-to \s-1TLS\s0 and there is no SSLv3 implementation.
+to TLS and there is no SSLv3 implementation.
.PP
-The callback function \fIcb\fR will be called for every client instigated \s-1TLS\s0
-session when session ticket extension is presented in the \s-1TLS\s0 hello
+The callback function \fIcb\fR will be called for every client instigated TLS
+session when session ticket extension is presented in the TLS hello
message. It is the responsibility of this function to create or retrieve the
cryptographic parameters and to maintain their state.
.PP
-The OpenSSL library uses your callback function to help implement a common \s-1TLS\s0
-ticket construction state according to \s-1RFC5077\s0 Section 4 such that per session
+The OpenSSL library uses your callback function to help implement a common TLS
+ticket construction state according to RFC5077 Section 4 such that per session
state is unnecessary and a small set of cryptographic variables needs to be
maintained by the callback function implementation.
.PP
-In order to reuse a session, a \s-1TLS\s0 client must send the a session ticket
-extension to the server. The client can only send exactly one session ticket.
+In order to reuse a session, a TLS client must send the session ticket
+extension to the server. The client must send exactly one session ticket.
The server, through the callback function, either agrees to reuse the session
-ticket information or it starts a full \s-1TLS\s0 handshake to create a new session
+ticket information or it starts a full TLS handshake to create a new session
ticket.
.PP
Before the callback function is started \fIctx\fR and \fIhctx\fR have been
@@ -197,14 +121,14 @@ library expects that the function will set an arbitrary \fIname\fR, initialize
.PP
The \fIname\fR is 16 characters long and is used as a key identifier.
.PP
-The \fIiv\fR length is the length of the \s-1IV\s0 of the corresponding cipher. The
-maximum \s-1IV\s0 length is \fB\s-1EVP_MAX_IV_LENGTH\s0\fR bytes defined in \fI<openssl/evp.h>\fR.
+The \fIiv\fR length is the length of the IV of the corresponding cipher. The
+maximum IV length is \fBEVP_MAX_IV_LENGTH\fR bytes defined in \fI<openssl/evp.h>\fR.
.PP
The initialization vector \fIiv\fR should be a random value. The cipher context
\&\fIctx\fR should use the initialisation vector \fIiv\fR. The cipher context can be
set using \fBEVP_EncryptInit_ex\fR\|(3). The hmac context and digest can be set using
-\&\fBEVP_MAC_CTX_set_params\fR\|(3) with the \fB\s-1OSSL_MAC_PARAM_KEY\s0\fR and
-\&\fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR parameters respectively.
+\&\fBEVP_MAC_CTX_set_params\fR\|(3) with the \fBOSSL_MAC_PARAM_KEY\fR and
+\&\fBOSSL_MAC_PARAM_DIGEST\fR parameters respectively.
.PP
When the client presents a session ticket, the callback function with be called
with \fIenc\fR set to 0 indicating that the \fIcb\fR function should retrieve a set
@@ -214,7 +138,7 @@ to retrieve a cryptographic parameters and that the cryptographic context
\&\fIctx\fR will be set with the retrieved parameters and the initialization vector
\&\fIiv\fR. using a function like \fBEVP_DecryptInit_ex\fR\|(3). The key material and
digest for \fIhctx\fR need to be set using \fBEVP_MAC_CTX_set_params\fR\|(3) with the
-\&\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR and \fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR parameters respectively.
+\&\fBOSSL_MAC_PARAM_KEY\fR and \fBOSSL_MAC_PARAM_DIGEST\fR parameters respectively.
.PP
If the \fIname\fR is still valid but a renewal of the ticket is required the
callback function should return 2. The library will call the callback again
@@ -222,21 +146,21 @@ with an argument of enc equal to 1 to set the new ticket.
.PP
The return value of the \fIcb\fR function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
-.IP "2" 4
+.IP 2 4
.IX Item "2"
This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library will
-call \fIcb\fR again with an enc argument of 1 to set the new ticket (see \s-1RFC5077
-3.3\s0 paragraph 2).
-.IP "1" 4
+call \fIcb\fR again with an enc argument of 1 to set the new ticket (see RFC5077
+3.3 paragraph 2).
+.IP 1 4
.IX Item "1"
This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can
continue on those parameters.
-.IP "0" 4
+.IP 0 4
This indicates that it was not possible to set/retrieve a session ticket and
-the \s-1SSL/TLS\s0 session will continue by negotiating a set of cryptographic
-parameters or using the alternate \s-1SSL/TLS\s0 resumption mechanism, session ids.
+the SSL/TLS session will continue by negotiating a set of cryptographic
+parameters or using the alternate SSL/TLS resumption mechanism, session ids.
.Sp
If called with enc equal to 0 the library will call the \fIcb\fR again to get
a new set of parameters.
@@ -246,16 +170,16 @@ This indicates an error.
.PP
The \fBSSL_CTX_set_tlsext_ticket_key_cb()\fR function is identical to
\&\fBSSL_CTX_set_tlsext_ticket_key_evp_cb()\fR except that it takes a deprecated
-\&\s-1HMAC_CTX\s0 pointer instead of an \s-1EVP_MAC_CTX\s0 one.
+HMAC_CTX pointer instead of an EVP_MAC_CTX one.
Before this callback function is started \fIhctx\fR will have been
initialised with \fBEVP_MAC_CTX_new\fR\|(3) and the digest set with
\&\fBEVP_MAC_CTX_set_params\fR\|(3).
The \fIhctx\fR key material can be set using \fBHMAC_Init_ex\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Session resumption shortcuts the \s-1TLS\s0 so that the client certificate
-negotiation don't occur. It makes up for this by storing client certificate
-an all other negotiated state information encrypted within the ticket. In a
+Session resumption shortcuts the TLS handshake so that the client certificate
+negotiation doesn't occur. It makes up for this by storing the client certificate
+and all other negotiated state information encrypted within the ticket. In a
resumed session the applications will have all this state information available
exactly as if a full negotiation had occurred.
.PP
@@ -272,7 +196,7 @@ enable an attacker to obtain the session keys.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns 1 to indicate the callback function was set and 0 otherwise.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
Reference Implementation:
.PP
@@ -357,17 +281,17 @@ Reference Implementation:
\&\fBSSL_CTX_sess_number\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3),
\&\fBSSL_CTX_set_session_id_context\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CTX_set_tlsext_ticket_key_cb()\fR function was deprecated in OpenSSL 3.0.
.PP
The \fBSSL_CTX_set_tlsext_ticket_key_evp_cb()\fR function was introduced in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2014\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3
index a3d62ce6436f..27f00ef0170a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl"
-.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_tlsext_use_srtp,
SSL_set_tlsext_use_srtp,
SSL_get_srtp_profiles,
SSL_get_selected_srtp_profile
\&\- Configure and query SRTP support
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/srtp.h>
@@ -153,82 +77,110 @@ SSL_get_selected_srtp_profile
\& STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
\& SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1SRTP\s0 is the Secure Real-Time Transport Protocol. OpenSSL implements support for
-the \*(L"use_srtp\*(R" \s-1DTLS\s0 extension defined in \s-1RFC5764.\s0 This provides a mechanism for
-establishing \s-1SRTP\s0 keying material, algorithms and parameters using \s-1DTLS.\s0 This
-capability may be used as part of an implementation that conforms to \s-1RFC5763.\s0
-OpenSSL does not implement \s-1SRTP\s0 itself or \s-1RFC5763.\s0 Note that OpenSSL does not
-support the use of \s-1SRTP\s0 Master Key Identifiers (MKIs). Also note that this
-extension is only supported in \s-1DTLS.\s0 Any \s-1SRTP\s0 configuration will be ignored if a
-\&\s-1TLS\s0 connection is attempted.
+SRTP is the Secure Real-Time Transport Protocol. OpenSSL implements support for
+the "use_srtp" DTLS extension defined in RFC5764. This provides a mechanism for
+establishing SRTP keying material, algorithms and parameters using DTLS. This
+capability may be used as part of an implementation that conforms to RFC5763.
+OpenSSL does not implement SRTP itself or RFC5763. Note that OpenSSL does not
+support the use of SRTP Master Key Identifiers (MKIs). Also note that this
+extension is only supported in DTLS. Any SRTP configuration will be ignored if a
+TLS connection is attempted.
.PP
-An OpenSSL client wishing to send the \*(L"use_srtp\*(R" extension should call
-\&\fBSSL_CTX_set_tlsext_use_srtp()\fR to set its use for all \s-1SSL\s0 objects subsequently
-created from an \s-1SSL_CTX.\s0 Alternatively a client may call
-\&\fBSSL_set_tlsext_use_srtp()\fR to set its use for an individual \s-1SSL\s0 object. The
+An OpenSSL client wishing to send the "use_srtp" extension should call
+\&\fBSSL_CTX_set_tlsext_use_srtp()\fR to set its use for all SSL objects subsequently
+created from an SSL_CTX. Alternatively a client may call
+\&\fBSSL_set_tlsext_use_srtp()\fR to set its use for an individual SSL object. The
\&\fBprofiles\fR parameters should point to a NUL-terminated, colon delimited list of
-\&\s-1SRTP\s0 protection profile names.
+SRTP protection profile names.
.PP
The currently supported protection profile names are:
-.IP "\s-1SRTP_AES128_CM_SHA1_80\s0" 4
+.IP SRTP_AES128_CM_SHA1_80 4
.IX Item "SRTP_AES128_CM_SHA1_80"
-This corresponds to \s-1SRTP_AES128_CM_HMAC_SHA1_80\s0 defined in \s-1RFC5764.\s0
-.IP "\s-1SRTP_AES128_CM_SHA1_32\s0" 4
+This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC5764.
+.IP SRTP_AES128_CM_SHA1_32 4
.IX Item "SRTP_AES128_CM_SHA1_32"
-This corresponds to \s-1SRTP_AES128_CM_HMAC_SHA1_32\s0 defined in \s-1RFC5764.\s0
-.IP "\s-1SRTP_AEAD_AES_128_GCM\s0" 4
+This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC5764.
+.IP SRTP_AEAD_AES_128_GCM 4
.IX Item "SRTP_AEAD_AES_128_GCM"
-This corresponds to the profile of the same name defined in \s-1RFC7714.\s0
-.IP "\s-1SRTP_AEAD_AES_256_GCM\s0" 4
+This corresponds to the profile of the same name defined in RFC7714.
+.IP SRTP_AEAD_AES_256_GCM 4
.IX Item "SRTP_AEAD_AES_256_GCM"
-This corresponds to the profile of the same name defined in \s-1RFC7714.\s0
+This corresponds to the profile of the same name defined in RFC7714.
+.IP SRTP_DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM 4
+.IX Item "SRTP_DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM"
+This corresponds to the profile of the same name defined in RFC8723.
+.IP SRTP_DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM 4
+.IX Item "SRTP_DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM"
+This corresponds to the profile of the same name defined in RFC8723.
+.IP SRTP_ARIA_128_CTR_HMAC_SHA1_80 4
+.IX Item "SRTP_ARIA_128_CTR_HMAC_SHA1_80"
+This corresponds to the profile of the same name defined in RFC8269.
+.IP SRTP_ARIA_128_CTR_HMAC_SHA1_32 4
+.IX Item "SRTP_ARIA_128_CTR_HMAC_SHA1_32"
+This corresponds to the profile of the same name defined in RFC8269.
+.IP SRTP_ARIA_256_CTR_HMAC_SHA1_80 4
+.IX Item "SRTP_ARIA_256_CTR_HMAC_SHA1_80"
+This corresponds to the profile of the same name defined in RFC8269.
+.IP SRTP_ARIA_256_CTR_HMAC_SHA1_32 4
+.IX Item "SRTP_ARIA_256_CTR_HMAC_SHA1_32"
+This corresponds to the profile of the same name defined in RFC8269.
+.IP SRTP_AEAD_ARIA_128_GCM 4
+.IX Item "SRTP_AEAD_ARIA_128_GCM"
+This corresponds to the profile of the same name defined in RFC8269.
+.IP SRTP_AEAD_ARIA_256_GCM 4
+.IX Item "SRTP_AEAD_ARIA_256_GCM"
+This corresponds to the profile of the same name defined in RFC8269.
.PP
Supplying an unrecognised protection profile name will result in an error.
.PP
-An OpenSSL server wishing to support the \*(L"use_srtp\*(R" extension should also call
+An OpenSSL server wishing to support the "use_srtp" extension should also call
\&\fBSSL_CTX_set_tlsext_use_srtp()\fR or \fBSSL_set_tlsext_use_srtp()\fR to indicate the
protection profiles that it is willing to negotiate.
.PP
The currently configured list of protection profiles for either a client or a
server can be obtained by calling \fBSSL_get_srtp_profiles()\fR. This returns a stack
-of \s-1SRTP_PROTECTION_PROFILE\s0 objects. The memory pointed to in the return value of
+of SRTP_PROTECTION_PROFILE objects. The memory pointed to in the return value of
this function should not be freed by the caller.
.PP
-After a handshake has been completed the negotiated \s-1SRTP\s0 protection profile (if
+After a handshake has been completed the negotiated SRTP protection profile (if
any) can be obtained (on the client or the server) by calling
-\&\fBSSL_get_selected_srtp_profile()\fR. This function will return \s-1NULL\s0 if no \s-1SRTP\s0
+\&\fBSSL_get_selected_srtp_profile()\fR. This function will return NULL if no SRTP
protection profile was negotiated. The memory returned from this function should
not be freed by the caller.
.PP
-If an \s-1SRTP\s0 protection profile has been successfully negotiated then the \s-1SRTP\s0
+If an SRTP protection profile has been successfully negotiated then the SRTP
keying material (on both the client and server) should be obtained via a call to
\&\fBSSL_export_keying_material\fR\|(3). This call should provide a label value of
-\&\*(L"EXTRACTOR\-dtls_srtp\*(R" and a \s-1NULL\s0 context value (use_context is 0). The total
+"EXTRACTOR\-dtls_srtp" and a NULL context value (use_context is 0). The total
length of keying material obtained should be equal to two times the sum of the
master key length and the salt length as defined for the protection profile in
use. This provides the client write master key, the server write master key, the
client write master salt and the server write master salt in that order.
+.PP
+These functions cannot be used with QUIC SSL objects.
+\&\fBSSL_CTX_set_tlsext_use_srtp()\fR fails if called on a QUIC SSL context.
+\&\fBSSL_set_tlsext_use_srtp()\fR fails if called on a QUIC SSL object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_tlsext_use_srtp()\fR and \fBSSL_set_tlsext_use_srtp()\fR return 0 on success
or 1 on error.
.PP
-\&\fBSSL_get_srtp_profiles()\fR returns a stack of \s-1SRTP_PROTECTION_PROFILE\s0 objects on
-success or \s-1NULL\s0 on error or if no protection profiles have been configured.
+\&\fBSSL_get_srtp_profiles()\fR returns a stack of SRTP_PROTECTION_PROFILE objects on
+success or NULL on error or if no protection profiles have been configured.
.PP
-\&\fBSSL_get_selected_srtp_profile()\fR returns a pointer to an \s-1SRTP_PROTECTION_PROFILE\s0
-object if one has been negotiated or \s-1NULL\s0 otherwise.
+\&\fBSSL_get_selected_srtp_profile()\fR returns a pointer to an SRTP_PROTECTION_PROFILE
+object if one has been negotiated or NULL otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_export_keying_material\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3
index acc28d583d1d..2aaf062d0348 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TMP_DH_CALLBACK 3ossl"
-.TH SSL_CTX_SET_TMP_DH_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TMP_DH_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_dh_auto, SSL_set_dh_auto, SSL_CTX_set0_tmp_dh_pkey,
SSL_set0_tmp_dh_pkey, SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh,
SSL_set_tmp_dh_callback, SSL_set_tmp_dh
\&\- handle DH keys for ephemeral key exchange
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -153,7 +77,7 @@ SSL_set_tmp_dh_callback, SSL_set_tmp_dh
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 4
@@ -167,74 +91,74 @@ see \fBopenssl_user_macros\fR\|(7):
\& int keylength));
\& long SSL_set_tmp_dh(SSL *ssl, DH *dh);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The functions described on this page are relevant for servers only.
.PP
-Some ciphersuites may use ephemeral Diffie-Hellman (\s-1DH\s0) key exchange. In these
-cases, the session data is negotiated using the ephemeral/temporary \s-1DH\s0 key and
+Some ciphersuites may use ephemeral Diffie-Hellman (DH) key exchange. In these
+cases, the session data is negotiated using the ephemeral/temporary DH key and
the key supplied and certified by the certificate chain is only used for
signing. Anonymous ciphers (without a permanent server key) also use ephemeral
-\&\s-1DH\s0 keys.
+DH keys.
.PP
-Using ephemeral \s-1DH\s0 key exchange yields forward secrecy as the connection
-can only be decrypted when the \s-1DH\s0 key is known. By generating a temporary
-\&\s-1DH\s0 key inside the server application that is lost when the application
+Using ephemeral DH key exchange yields forward secrecy as the connection
+can only be decrypted when the DH key is known. By generating a temporary
+DH key inside the server application that is lost when the application
is left, it becomes impossible for an attacker to decrypt past sessions,
even if they get hold of the normal (certified) key, as this key was
only used for signing.
.PP
-In order to perform a \s-1DH\s0 key exchange the server must use a \s-1DH\s0 group
-(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key. The server will always generate
-a new \s-1DH\s0 key during the negotiation.
+In order to perform a DH key exchange the server must use a DH group
+(DH parameters) and generate a DH key. The server will always generate
+a new DH key during the negotiation.
.PP
-As generating \s-1DH\s0 parameters is extremely time consuming, an application
-should not generate the parameters on the fly. \s-1DH\s0 parameters can be reused, as
+As generating DH parameters is extremely time consuming, an application
+should not generate the parameters on the fly. DH parameters can be reused, as
the actual key is newly generated during the negotiation.
.PP
-Typically applications should use well know \s-1DH\s0 parameters that have built-in
+Typically applications should use well known DH parameters that have built-in
support in OpenSSL. The macros \fBSSL_CTX_set_dh_auto()\fR and \fBSSL_set_dh_auto()\fR
-configure OpenSSL to use the default built-in \s-1DH\s0 parameters for the \fB\s-1SSL_CTX\s0\fR
-and \fB\s-1SSL\s0\fR objects respectively. Passing a value of 1 in the \fIonoff\fR parameter
+configure OpenSSL to use the default built-in DH parameters for the \fBSSL_CTX\fR
+and \fBSSL\fR objects respectively. Passing a value of 1 in the \fIonoff\fR parameter
switches the feature on, and passing a value of 0 switches it off. The default
setting is off.
.PP
-If \*(L"auto\*(R" \s-1DH\s0 parameters are switched on then the parameters will be selected to
+If "auto" DH parameters are switched on then the parameters will be selected to
be consistent with the size of the key associated with the server's certificate.
-If there is no certificate (e.g. for \s-1PSK\s0 ciphersuites), then it it will be
+If there is no certificate (e.g. for PSK ciphersuites), then it it will be
consistent with the size of the negotiated symmetric cipher key.
.PP
-Applications may supply their own \s-1DH\s0 parameters instead of using the built-in
+Applications may supply their own DH parameters instead of using the built-in
values. This approach is discouraged and applications should in preference use
the built-in parameter support described above. Applications wishing to supply
-their own \s-1DH\s0 parameters should call \fBSSL_CTX_set0_tmp_dh_pkey()\fR or
-\&\fBSSL_set0_tmp_dh_pkey()\fR to supply the parameters for the \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR
+their own DH parameters should call \fBSSL_CTX_set0_tmp_dh_pkey()\fR or
+\&\fBSSL_set0_tmp_dh_pkey()\fR to supply the parameters for the \fBSSL_CTX\fR or \fBSSL\fR
respectively. The parameters should be supplied in the \fIdhpkey\fR argument as
-an \fB\s-1EVP_PKEY\s0\fR containing \s-1DH\s0 parameters. Ownership of the \fIdhpkey\fR value is
-passed to the \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR object as a result of this call, and so the
+an \fBEVP_PKEY\fR containing DH parameters. Ownership of the \fIdhpkey\fR value is
+passed to the \fBSSL_CTX\fR or \fBSSL\fR object as a result of this call, and so the
caller should not free it if the function call is successful.
.PP
The deprecated macros \fBSSL_CTX_set_tmp_dh()\fR and \fBSSL_set_tmp_dh()\fR do the same
thing as \fBSSL_CTX_set0_tmp_dh_pkey()\fR and \fBSSL_set0_tmp_dh_pkey()\fR except that the
-\&\s-1DH\s0 parameters are supplied in a \fB\s-1DH\s0\fR object instead in the \fIdh\fR argument, and
-ownership of the \fB\s-1DH\s0\fR object is retained by the application. Applications
-should use \*(L"auto\*(R" parameters instead, or call \fBSSL_CTX_set0_tmp_dh_pkey()\fR or
+DH parameters are supplied in a \fBDH\fR object instead in the \fIdh\fR argument, and
+ownership of the \fBDH\fR object is retained by the application. Applications
+should use "auto" parameters instead, or call \fBSSL_CTX_set0_tmp_dh_pkey()\fR or
\&\fBSSL_set0_tmp_dh_pkey()\fR as appropriate.
.PP
-An application may instead specify the \s-1DH\s0 parameters via a callback function
+An application may instead specify the DH parameters via a callback function
using the functions \fBSSL_CTX_set_tmp_dh_callback()\fR or \fBSSL_set_tmp_dh_callback()\fR
-to set the callback for the \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR object respectively. These
-functions are deprecated. Applications should instead use \*(L"auto\*(R" parameters, or
+to set the callback for the \fBSSL_CTX\fR or \fBSSL\fR object respectively. These
+functions are deprecated. Applications should instead use "auto" parameters, or
specify the parameters via \fBSSL_CTX_set0_tmp_dh_pkey()\fR or \fBSSL_set0_tmp_dh_pkey()\fR
as appropriate.
.PP
-The callback will be invoked during a connection when \s-1DH\s0 parameters are
-required. The \fB\s-1SSL\s0\fR object for the current connection is supplied as an
+The callback will be invoked during a connection when DH parameters are
+required. The \fBSSL\fR object for the current connection is supplied as an
argument. Previous versions of OpenSSL used the \fBis_export\fR and \fBkeylength\fR
arguments to control parameter generation for export and non-export
cipher suites. Modern OpenSSL does not support export ciphersuites and so these
arguments are unused and can be ignored by the callback. The callback should
-return the parameters to be used in a \s-1DH\s0 object. Ownership of the \s-1DH\s0 object is
+return the parameters to be used in a DH object. Ownership of the DH object is
retained by the application and should later be freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -244,11 +168,11 @@ All of these functions/macros return 1 for success or 0 on error.
\&\fBssl\fR\|(7), \fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3),
\&\fBopenssl\-ciphers\fR\|(1), \fBopenssl\-dhparam\fR\|(1)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3
index 96fa262a4e33..337425cc6386 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_ecdh.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TMP_ECDH 3ossl"
-.TH SSL_CTX_SET_TMP_ECDH 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_TMP_ECDH 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto
\&\- handle ECDH keys for ephemeral key exchange
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,9 +74,9 @@ SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto
\& long SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state);
\& long SSL_set_ecdh_auto(SSL *ssl, int state);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_set_tmp_ecdh()\fR sets \s-1ECDH\s0 parameters to be used to be \fBecdh\fR.
+\&\fBSSL_CTX_set_tmp_ecdh()\fR sets ECDH parameters to be used to be \fBecdh\fR.
The key is inherited by all \fBssl\fR objects created from \fBctx\fR.
This macro is deprecated in favor of \fBSSL_CTX_set1_groups\fR\|(3).
.PP
@@ -170,11 +94,11 @@ on failure.
\&\fBssl\fR\|(7), \fBSSL_CTX_set1_curves\fR\|(3), \fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3), \fBSSL_CTX_set_tmp_dh_callback\fR\|(3),
\&\fBopenssl\-ciphers\fR\|(1), \fBopenssl\-ecparam\fR\|(1)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
index 727f132ebc8c..323da2a5d075 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_VERIFY 3ossl"
-.TH SSL_CTX_SET_VERIFY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_SET_VERIFY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_ex_data_X509_STORE_CTX_idx,
SSL_CTX_set_verify, SSL_set_verify,
SSL_CTX_set_verify_depth, SSL_set_verify_depth,
@@ -145,7 +69,7 @@ SSL_verify_client_post_handshake,
SSL_set_post_handshake_auth,
SSL_CTX_set_post_handshake_auth
\&\- set various SSL/TLS parameters for peer certificate verification
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -163,29 +87,29 @@ SSL_CTX_set_post_handshake_auth
\& void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
\& void SSL_set_post_handshake_auth(SSL *ssl, int val);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_verify()\fR sets the verification flags for \fBctx\fR to be \fBmode\fR and
specifies the \fBverify_callback\fR function to be used. If no callback function
-shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR.
+shall be specified, the NULL pointer can be used for \fBverify_callback\fR. \fBctx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBSSL_set_verify()\fR sets the verification flags for \fBssl\fR to be \fBmode\fR and
specifies the \fBverify_callback\fR function to be used. If no callback function
-shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR. In
+shall be specified, the NULL pointer can be used for \fBverify_callback\fR. In
this case last \fBverify_callback\fR set specifically for this \fBssl\fR remains. If
no special \fBcallback\fR was set before, the default callback for the underlying
\&\fBctx\fR is used, that was valid at the time \fBssl\fR was created with
\&\fBSSL_new\fR\|(3). Within the callback function,
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR can be called to get the data index
-of the current \s-1SSL\s0 object that is doing the verification.
+of the current SSL object that is doing the verification.
.PP
In client mode \fBverify_callback\fR may also call the \fBSSL_set_retry_verify\fR\|(3)
-function on the \fB\s-1SSL\s0\fR object set in the \fIx509_store_ctx\fR ex data (see
+function on the \fBSSL\fR object set in the \fIx509_store_ctx\fR ex data (see
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)) and return 1.
This would be typically done in case the certificate verification was not yet
able to succeed.
This makes the handshake suspend and return control to the calling application
-with \fB\s-1SSL_ERROR_WANT_RETRY_VERIFY\s0\fR.
+with \fBSSL_ERROR_WANT_RETRY_VERIFY\fR.
The application can for instance fetch further certificates or cert status
information needed for the verification.
Calling \fBSSL_connect\fR\|(3) again resumes the connection attempt by retrying the
@@ -208,66 +132,69 @@ sent. A certificate callback will need to be set via
\&\fBSSL_CTX_set_client_cert_cb()\fR if no certificate is provided at initialization.
.PP
\&\fBSSL_verify_client_post_handshake()\fR causes a CertificateRequest message to be
-sent by a server on the given \fBssl\fR connection. The \s-1SSL_VERIFY_PEER\s0 flag must
-be set; the \s-1SSL_VERIFY_POST_HANDSHAKE\s0 flag is optional.
-.SH "NOTES"
+sent by a server on the given \fBssl\fR connection. The SSL_VERIFY_PEER flag must
+be set; the SSL_VERIFY_POST_HANDSHAKE flag is optional.
+.SH NOTES
.IX Header "NOTES"
The verification of certificates can be controlled by a set of logically
or'ed \fBmode\fR flags:
-.IP "\s-1SSL_VERIFY_NONE\s0" 4
+.IP SSL_VERIFY_NONE 4
.IX Item "SSL_VERIFY_NONE"
\&\fBServer mode:\fR the server will not send a client certificate request to the
client, so the client will not send a certificate.
.Sp
\&\fBClient mode:\fR if not using an anonymous cipher (by default disabled), the
server will send a certificate which will be checked. The result of the
-certificate verification process can be checked after the \s-1TLS/SSL\s0 handshake
+certificate verification process can be checked after the TLS/SSL handshake
using the \fBSSL_get_verify_result\fR\|(3) function.
The handshake will be continued regardless of the verification result.
-.IP "\s-1SSL_VERIFY_PEER\s0" 4
+.IP SSL_VERIFY_PEER 4
.IX Item "SSL_VERIFY_PEER"
\&\fBServer mode:\fR the server sends a client certificate request to the client.
The certificate returned (if any) is checked. If the verification process
-fails, the \s-1TLS/SSL\s0 handshake is
+fails, the TLS/SSL handshake is
immediately terminated with an alert message containing the reason for
the verification failure.
The behaviour can be controlled by the additional
-\&\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE\s0 and
-\&\s-1SSL_VERIFY_POST_HANDSHAKE\s0 flags.
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE and
+SSL_VERIFY_POST_HANDSHAKE flags.
.Sp
\&\fBClient mode:\fR the server certificate is verified. If the verification process
-fails, the \s-1TLS/SSL\s0 handshake is
+fails, the TLS/SSL handshake is
immediately terminated with an alert message containing the reason for
the verification failure. If no server certificate is sent, because an
-anonymous cipher is used, \s-1SSL_VERIFY_PEER\s0 is ignored.
-.IP "\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0" 4
+anonymous cipher is used, SSL_VERIFY_PEER is ignored.
+.IP SSL_VERIFY_FAIL_IF_NO_PEER_CERT 4
.IX Item "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"
-\&\fBServer mode:\fR if the client did not return a certificate, the \s-1TLS/SSL\s0
-handshake is immediately terminated with a \*(L"handshake failure\*(R" alert.
-This flag must be used together with \s-1SSL_VERIFY_PEER.\s0
+\&\fBServer mode:\fR if the client did not return a certificate, the TLS/SSL
+handshake is immediately terminated with a "handshake failure" alert.
+This flag must be used together with SSL_VERIFY_PEER.
.Sp
-\&\fBClient mode:\fR ignored (see \s-1BUGS\s0)
-.IP "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4
+\&\fBClient mode:\fR ignored (see BUGS)
+.IP SSL_VERIFY_CLIENT_ONCE 4
.IX Item "SSL_VERIFY_CLIENT_ONCE"
\&\fBServer mode:\fR only request a client certificate once during the
connection. Do not ask for a client certificate again during
renegotiation or post-authentication if a certificate was requested
during the initial handshake. This flag must be used together with
-\&\s-1SSL_VERIFY_PEER.\s0
+SSL_VERIFY_PEER.
.Sp
-\&\fBClient mode:\fR ignored (see \s-1BUGS\s0)
-.IP "\s-1SSL_VERIFY_POST_HANDSHAKE\s0" 4
+\&\fBClient mode:\fR ignored (see BUGS)
+.IP SSL_VERIFY_POST_HANDSHAKE 4
.IX Item "SSL_VERIFY_POST_HANDSHAKE"
\&\fBServer mode:\fR the server will not send a client certificate request
during the initial handshake, but will send the request via
-\&\fBSSL_verify_client_post_handshake()\fR. This allows the \s-1SSL_CTX\s0 or \s-1SSL\s0
+\&\fBSSL_verify_client_post_handshake()\fR. This allows the SSL_CTX or SSL
to be configured for post-handshake peer verification before the
handshake occurs. This flag must be used together with
-\&\s-1SSL_VERIFY_PEER.\s0 TLSv1.3 only; no effect on pre\-TLSv1.3 connections.
+SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre\-TLSv1.3 connections.
.Sp
-\&\fBClient mode:\fR ignored (see \s-1BUGS\s0)
+\&\fBClient mode:\fR ignored (see BUGS)
+.PP
+If the \fBmode\fR is SSL_VERIFY_NONE none of the other flags may be set.
.PP
-If the \fBmode\fR is \s-1SSL_VERIFY_NONE\s0 none of the other flags may be set.
+If verification flags are not modified explicitly by \f(CWSSL_CTX_set_verify()\fR
+or \f(CWSSL_set_verify()\fR, the default value will be SSL_VERIFY_NONE.
.PP
The actual verification procedure is performed either using the built-in
verification procedure or using another application provided verification
@@ -284,38 +211,38 @@ Neither the
end-entity nor the trust-anchor certificates count against \fBdepth\fR. If the
certificate chain needed to reach a trusted issuer is longer than \fBdepth+2\fR,
X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued.
-The depth count is \*(L"level 0:peer certificate\*(R", \*(L"level 1: \s-1CA\s0 certificate\*(R",
-\&\*(L"level 2: higher level \s-1CA\s0 certificate\*(R", and so on. Setting the maximum
+The depth count is "level 0:peer certificate", "level 1: CA certificate",
+"level 2: higher level CA certificate", and so on. Setting the maximum
depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the
trust-anchor).
The default depth limit is 100,
-allowing for the peer certificate, at most 100 intermediate \s-1CA\s0 certificates and
+allowing for the peer certificate, at most 100 intermediate CA certificates and
a final trust anchor certificate.
.PP
The \fBverify_callback\fR function is used to control the behaviour when the
-\&\s-1SSL_VERIFY_PEER\s0 flag is set. It must be supplied by the application and
+SSL_VERIFY_PEER flag is set. It must be supplied by the application and
receives two arguments: \fBpreverify_ok\fR indicates, whether the verification of
the certificate in question was passed (preverify_ok=1) or not
(preverify_ok=0). \fBx509_ctx\fR is a pointer to the complete context used
for the certificate chain verification.
.PP
The certificate chain is checked starting with the deepest nesting level
-(the root \s-1CA\s0 certificate) and worked upward to the peer's certificate.
+(the root CA certificate) and worked upward to the peer's certificate.
At each level signatures and issuer attributes are checked. Whenever
a verification error is found, the error number is stored in \fBx509_ctx\fR
and \fBverify_callback\fR is called with \fBpreverify_ok\fR=0. By applying
X509_CTX_store_* functions \fBverify_callback\fR can locate the certificate
-in question and perform additional steps (see \s-1EXAMPLES\s0). If no error is
+in question and perform additional steps (see EXAMPLES). If no error is
found for a certificate, \fBverify_callback\fR is called with \fBpreverify_ok\fR=1
before advancing to the next level.
.PP
The return value of \fBverify_callback\fR controls the strategy of the further
verification process. If \fBverify_callback\fR returns 0, the verification
-process is immediately stopped with \*(L"verification failed\*(R" state. If
-\&\s-1SSL_VERIFY_PEER\s0 is set, a verification failure alert is sent to the peer and
-the \s-1TLS/SSL\s0 handshake is terminated. If \fBverify_callback\fR returns 1,
+process is immediately stopped with "verification failed" state. If
+SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and
+the TLS/SSL handshake is terminated. If \fBverify_callback\fR returns 1,
the verification process is continued. If \fBverify_callback\fR always returns
-1, the \s-1TLS/SSL\s0 handshake will not be terminated with respect to verification
+1, the TLS/SSL handshake will not be terminated with respect to verification
failures and the connection will be established. The calling process can
however retrieve the error code of the last verification error using
\&\fBSSL_get_verify_result\fR\|(3) or by maintaining its
@@ -323,8 +250,8 @@ own error storage managed by \fBverify_callback\fR.
.PP
If no \fBverify_callback\fR is specified, the default callback will be used.
Its return value is identical to \fBpreverify_ok\fR, so that any verification
-failure will lead to a termination of the \s-1TLS/SSL\s0 handshake with an
-alert message, if \s-1SSL_VERIFY_PEER\s0 is set.
+failure will lead to a termination of the TLS/SSL handshake with an
+alert message, if SSL_VERIFY_PEER is set.
.PP
After calling \fBSSL_set_post_handshake_auth()\fR, the client will need to add a
certificate or certificate callback to its configuration before it can
@@ -339,11 +266,14 @@ Only one certificate request may be outstanding at any time.
.PP
When post-handshake authentication occurs, a refreshed NewSessionTicket
message is sent to the client.
-.SH "BUGS"
+.PP
+Post-handshake authentication cannot be used with QUIC.
+\&\fBSSL_set_post_handshake_auth()\fR has no effect if called on a QUIC SSL object.
+.SH BUGS
.IX Header "BUGS"
-In client mode, it is not checked whether the \s-1SSL_VERIFY_PEER\s0 flag
-is set, but whether any flags other than \s-1SSL_VERIFY_NONE\s0 are set. This can
-lead to unexpected behaviour if \s-1SSL_VERIFY_PEER\s0 and other flags are not used as
+In client mode, it is not checked whether the SSL_VERIFY_PEER flag
+is set, but whether any flags other than SSL_VERIFY_NONE are set. This can
+lead to unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as
required.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -352,10 +282,10 @@ The SSL*_set_verify*() functions do not provide diagnostic information.
The \fBSSL_verify_client_post_handshake()\fR function returns 1 if the request
succeeded, and 0 if the request failed. The error stack can be examined
to determine the failure reason.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
The following code sequence realizes an example \fBverify_callback\fR function
-that will always continue the \s-1TLS/SSL\s0 handshake regardless of verification
+that will always continue the TLS/SSL handshake regardless of verification
failure, if wished. The callback realizes a verification depth limit with
more informational output.
.PP
@@ -365,7 +295,7 @@ The example is realized for a server that does allow but not require client
certificates.
.PP
The example makes use of the ex_data technique to store application data
-into/retrieve application data from the \s-1SSL\s0 structure
+into/retrieve application data from the SSL structure
(see \fBCRYPTO_get_ex_new_index\fR\|(3),
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)).
.PP
@@ -478,15 +408,15 @@ into/retrieve application data from the \s-1SSL\s0 structure
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3),
\&\fBCRYPTO_get_ex_new_index\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1SSL_VERIFY_POST_HANDSHAKE\s0 option, and the \fBSSL_verify_client_post_handshake()\fR
+The SSL_VERIFY_POST_HANDSHAKE option, and the \fBSSL_verify_client_post_handshake()\fR
and \fBSSL_set_post_handshake_auth()\fR functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3
index 8cb25b5798a0..b9c62eefea08 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_USE_CERTIFICATE 3ossl"
-.TH SSL_CTX_USE_CERTIFICATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_USE_CERTIFICATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1,
SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1,
SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file,
@@ -149,7 +73,7 @@ SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1,
SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key,
SSL_CTX_use_cert_and_key, SSL_use_cert_and_key
\&\- load certificate and key data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -184,54 +108,55 @@ SSL_CTX_use_cert_and_key, SSL_use_cert_and_key
\& int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);
\& int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions load the certificates and private keys into the \s-1SSL_CTX\s0
-or \s-1SSL\s0 object, respectively.
+These functions load the certificates and private keys into the SSL_CTX
+or SSL object, respectively.
.PP
The SSL_CTX_* class of functions loads the certificates and keys into the
-\&\s-1SSL_CTX\s0 object \fBctx\fR. The information is passed to \s-1SSL\s0 objects \fBssl\fR
+SSL_CTX object \fBctx\fR. The information is passed to SSL objects \fBssl\fR
created from \fBctx\fR with \fBSSL_new\fR\|(3) by copying, so that
-changes applied to \fBctx\fR do not propagate to already existing \s-1SSL\s0 objects.
+changes applied to \fBctx\fR do not propagate to already existing SSL objects.
.PP
The SSL_* class of functions only loads certificates and keys into a
-specific \s-1SSL\s0 object. The specific information is kept, when
-\&\fBSSL_clear\fR\|(3) is called for this \s-1SSL\s0 object.
+specific SSL object. The specific information is kept, when
+\&\fBSSL_clear\fR\|(3) is called for this SSL object.
.PP
\&\fBSSL_CTX_use_certificate()\fR loads the certificate \fBx\fR into \fBctx\fR,
\&\fBSSL_use_certificate()\fR loads \fBx\fR into \fBssl\fR. The rest of the
certificates needed to form the complete certificate chain can be
specified using the
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
-function.
+function. On success the reference counter of the \fBx\fR is incremented.
.PP
-\&\fBSSL_CTX_use_certificate_ASN1()\fR loads the \s-1ASN1\s0 encoded certificate from
+\&\fBSSL_CTX_use_certificate_ASN1()\fR loads the ASN1 encoded certificate from
the memory location \fBd\fR (with length \fBlen\fR) into \fBctx\fR,
-\&\fBSSL_use_certificate_ASN1()\fR loads the \s-1ASN1\s0 encoded certificate into \fBssl\fR.
+\&\fBSSL_use_certificate_ASN1()\fR loads the ASN1 encoded certificate into \fBssl\fR.
.PP
\&\fBSSL_CTX_use_certificate_file()\fR loads the first certificate stored in \fBfile\fR
into \fBctx\fR. The formatting \fBtype\fR of the certificate must be specified
-from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0
+from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
\&\fBSSL_use_certificate_file()\fR loads the certificate from \fBfile\fR into \fBssl\fR.
-See the \s-1NOTES\s0 section on why \fBSSL_CTX_use_certificate_chain_file()\fR
+See the NOTES section on why \fBSSL_CTX_use_certificate_chain_file()\fR
should be preferred.
.PP
\&\fBSSL_CTX_use_certificate_chain_file()\fR loads a certificate chain from
-\&\fBfile\fR into \fBctx\fR. The certificates must be in \s-1PEM\s0 format and must
+\&\fBfile\fR into \fBctx\fR. The certificates must be in PEM format and must
be sorted starting with the subject's certificate (actual client or server
-certificate), followed by intermediate \s-1CA\s0 certificates if applicable, and
-ending at the highest level (root) \s-1CA.\s0 \fBSSL_use_certificate_chain_file()\fR is
+certificate), followed by intermediate CA certificates if applicable, and
+ending at the highest level (root) CA. \fBSSL_use_certificate_chain_file()\fR is
similar except it loads the certificate chain into \fBssl\fR.
.PP
-\&\fBSSL_CTX_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBctx\fR.
-\&\fBSSL_CTX_use_RSAPrivateKey()\fR adds the private key \fBrsa\fR of type \s-1RSA\s0
+\&\fBSSL_CTX_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBctx\fR. \fBctx\fR \fBMUST NOT\fR be NULL.
+\&\fBSSL_CTX_use_RSAPrivateKey()\fR adds the private key \fBrsa\fR of type RSA
to \fBctx\fR. \fBSSL_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBssl\fR;
-\&\fBSSL_use_RSAPrivateKey()\fR adds \fBrsa\fR as private key of type \s-1RSA\s0 to \fBssl\fR.
+\&\fBSSL_use_RSAPrivateKey()\fR adds \fBrsa\fR as private key of type RSA to \fBssl\fR.
If a certificate has already been set and the private key does not belong
to the certificate an error is returned. To change a [certificate/private\-key]
pair, the new certificate needs to be set first with \fBSSL_use_certificate()\fR or
\&\fBSSL_CTX_use_certificate()\fR before setting the private key with
\&\fBSSL_CTX_use_PrivateKey()\fR or \fBSSL_use_PrivateKey()\fR.
+On success the reference counter of the \fBpkey\fR/\fBrsa\fR is incremented.
.PP
\&\fBSSL_CTX_use_cert_and_key()\fR and \fBSSL_use_cert_and_key()\fR assign the X.509
certificate \fBx\fR, private key \fBkey\fR, and certificate \fBchain\fR onto the
@@ -239,8 +164,8 @@ corresponding \fBssl\fR or \fBctx\fR. The \fBpkey\fR argument must be the privat
key of the X.509 certificate \fBx\fR. If the \fBoverride\fR argument is 0, then
\&\fBx\fR, \fBpkey\fR and \fBchain\fR are set only if all were not previously set.
If \fBoverride\fR is non\-0, then the certificate, private key and chain certs
-are always set. If \fBpkey\fR is \s-1NULL,\s0 then the public key of \fBx\fR is used as
-the private key. This is intended to be used with hardware (via the \s-1ENGINE\s0
+are always set. If \fBpkey\fR is NULL, then the public key of \fBx\fR is used as
+the private key. This is intended to be used with hardware (via the ENGINE
interface) that stores the private key securely, such that it cannot be
accessed by OpenSSL. The reference count of the public key is incremented
(twice if there is no private key); it is not copied nor duplicated. This
@@ -249,37 +174,37 @@ private key being assigned via \fBSSL_CTX_use_PrivateKey()\fR, etc.
.PP
\&\fBSSL_CTX_use_PrivateKey_ASN1()\fR adds the private key of type \fBpk\fR
stored at memory location \fBd\fR (length \fBlen\fR) to \fBctx\fR.
-\&\fBSSL_CTX_use_RSAPrivateKey_ASN1()\fR adds the private key of type \s-1RSA\s0
+\&\fBSSL_CTX_use_RSAPrivateKey_ASN1()\fR adds the private key of type RSA
stored at memory location \fBd\fR (length \fBlen\fR) to \fBctx\fR.
\&\fBSSL_use_PrivateKey_ASN1()\fR and \fBSSL_use_RSAPrivateKey_ASN1()\fR add the private
key to \fBssl\fR.
.PP
\&\fBSSL_CTX_use_PrivateKey_file()\fR adds the first private key found in
\&\fBfile\fR to \fBctx\fR. The formatting \fBtype\fR of the private key must be specified
-from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0
-\&\fBSSL_CTX_use_RSAPrivateKey_file()\fR adds the first private \s-1RSA\s0 key found in
+from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
+\&\fBSSL_CTX_use_RSAPrivateKey_file()\fR adds the first private RSA key found in
\&\fBfile\fR to \fBctx\fR. \fBSSL_use_PrivateKey_file()\fR adds the first private key found
in \fBfile\fR to \fBssl\fR; \fBSSL_use_RSAPrivateKey_file()\fR adds the first private
-\&\s-1RSA\s0 key found to \fBssl\fR.
+RSA key found to \fBssl\fR. \fBctx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBSSL_CTX_check_private_key()\fR checks the consistency of a private key with
the corresponding certificate loaded into \fBctx\fR. If more than one
-key/certificate pair (\s-1RSA/DSA\s0) is installed, the last item installed will
-be checked. If e.g. the last item was an \s-1RSA\s0 certificate or key, the \s-1RSA\s0
+key/certificate pair (RSA/DSA) is installed, the last item installed will
+be checked. If e.g. the last item was an RSA certificate or key, the RSA
key/certificate pair will be checked. \fBSSL_check_private_key()\fR performs
the same check for \fBssl\fR. If no key/certificate was explicitly added for
this \fBssl\fR, the last item added into \fBctx\fR will be checked.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The internal certificate store of OpenSSL can hold several private
key/certificate pairs at a time. The certificate used depends on the
cipher selected, see also \fBSSL_CTX_set_cipher_list\fR\|(3).
.PP
When reading certificates and private keys from file, files of type
-\&\s-1SSL_FILETYPE_ASN1\s0 (also known as \fB\s-1DER\s0\fR, binary encoding) can only contain
+SSL_FILETYPE_ASN1 (also known as \fBDER\fR, binary encoding) can only contain
one certificate or private key, consequently
-\&\fBSSL_CTX_use_certificate_chain_file()\fR is only applicable to \s-1PEM\s0 formatting.
-Files of type \s-1SSL_FILETYPE_PEM\s0 can contain more than one item.
+\&\fBSSL_CTX_use_certificate_chain_file()\fR is only applicable to PEM formatting.
+Files of type SSL_FILETYPE_PEM can contain more than one item.
.PP
\&\fBSSL_CTX_use_certificate_chain_file()\fR adds the first certificate found
in the file to the certificate store. The other certificates are added
@@ -288,13 +213,13 @@ Note: versions of OpenSSL before 1.0.2 only had a single
certificate chain store for all certificate types, OpenSSL 1.0.2 and later
have a separate chain store for each type. \fBSSL_CTX_use_certificate_chain_file()\fR
should be used instead of the \fBSSL_CTX_use_certificate_file()\fR function in order
-to allow the use of complete certificate chains even when no trusted \s-1CA\s0
-storage is used or when the \s-1CA\s0 issuing the certificate shall not be added to
-the trusted \s-1CA\s0 storage.
+to allow the use of complete certificate chains even when no trusted CA
+storage is used or when the CA issuing the certificate shall not be added to
+the trusted CA storage.
.PP
If additional certificates are needed to complete the chain during the
-\&\s-1TLS\s0 negotiation, \s-1CA\s0 certificates are additionally looked up in the
-locations of trusted \s-1CA\s0 certificates, see
+TLS negotiation, CA certificates are additionally looked up in the
+locations of trusted CA certificates, see
\&\fBSSL_CTX_load_verify_locations\fR\|(3).
.PP
The private keys loaded from file can be encrypted. In order to successfully
@@ -324,11 +249,11 @@ Otherwise check out the error stack to find out the reason.
\&\fBSSL_CTX_set_client_CA_list\fR\|(3),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3),
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3
index 50b31665067f..43b9600e29f6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl"
-.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_psk_server_cb_func,
SSL_psk_find_session_cb_func,
SSL_CTX_use_psk_identity_hint,
@@ -146,7 +70,7 @@ SSL_set_psk_server_callback,
SSL_CTX_set_psk_find_session_callback,
SSL_set_psk_find_session_callback
\&\- set PSK identity hint to use
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -172,41 +96,41 @@ SSL_set_psk_find_session_callback
\& void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb);
\& void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
A server application wishing to use TLSv1.3 PSKs should set a callback
using either \fBSSL_CTX_set_psk_find_session_callback()\fR or
\&\fBSSL_set_psk_find_session_callback()\fR as appropriate.
.PP
-The callback function is given a pointer to the \s-1SSL\s0 connection in \fBssl\fR and
+The callback function is given a pointer to the SSL connection in \fBssl\fR and
an identity in \fBidentity\fR of length \fBidentity_len\fR. The callback function
-should identify an \s-1SSL_SESSION\s0 object that provides the \s-1PSK\s0 details and store it
-in \fB*sess\fR. The \s-1SSL_SESSION\s0 object should, as a minimum, set the master key,
+should identify an SSL_SESSION object that provides the PSK details and store it
+in \fB*sess\fR. The SSL_SESSION object should, as a minimum, set the master key,
the ciphersuite and the protocol version. See
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3) for details.
.PP
-It is also possible for the callback to succeed but not supply a \s-1PSK.\s0 In this
-case no \s-1PSK\s0 will be used but the handshake will continue. To do this the
+It is also possible for the callback to succeed but not supply a PSK. In this
+case no PSK will be used but the handshake will continue. To do this the
callback should return successfully and ensure that \fB*sess\fR is
-\&\s-1NULL.\s0
+NULL.
.PP
Identity hints are not relevant for TLSv1.3. A server application wishing to use
-\&\s-1PSK\s0 ciphersuites for TLSv1.2 and below may call \fBSSL_CTX_use_psk_identity_hint()\fR
-to set the given \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0 identity hint \fBhint\fR for \s-1SSL\s0 context
-object \fBctx\fR. \fBSSL_use_psk_identity_hint()\fR sets the given \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0
-identity hint \fBhint\fR for the \s-1SSL\s0 connection object \fBssl\fR. If \fBhint\fR is
-\&\fB\s-1NULL\s0\fR the current hint from \fBctx\fR or \fBssl\fR is deleted.
+PSK ciphersuites for TLSv1.2 and below may call \fBSSL_CTX_use_psk_identity_hint()\fR
+to set the given \fBNUL\fR\-terminated PSK identity hint \fBhint\fR for SSL context
+object \fBctx\fR. \fBSSL_use_psk_identity_hint()\fR sets the given \fBNUL\fR\-terminated PSK
+identity hint \fBhint\fR for the SSL connection object \fBssl\fR. If \fBhint\fR is
+\&\fBNULL\fR the current hint from \fBctx\fR or \fBssl\fR is deleted.
.PP
-In the case where \s-1PSK\s0 identity hint is \fB\s-1NULL\s0\fR, the server does not send the
+In the case where PSK identity hint is \fBNULL\fR, the server does not send the
ServerKeyExchange message to the client.
.PP
A server application wishing to use PSKs for TLSv1.2 and below must provide a
callback function which is called when the server receives the
ClientKeyExchange message from the client. The purpose of the callback function
-is to validate the received \s-1PSK\s0 identity and to fetch the pre-shared key used
+is to validate the received PSK identity and to fetch the pre-shared key used
during the connection setup phase. The callback is set using the functions
\&\fBSSL_CTX_set_psk_server_callback()\fR or \fBSSL_set_psk_server_callback()\fR. The callback
-function is given the connection in parameter \fBssl\fR, \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0
+function is given the connection in parameter \fBssl\fR, \fBNUL\fR\-terminated PSK
identity sent by the client in parameter \fBidentity\fR, and a buffer \fBpsk\fR of
length \fBmax_psk_len\fR bytes where the pre-shared key is to be stored.
.PP
@@ -218,30 +142,30 @@ via \fBSSL_CTX_set_psk_find_session_callback()\fR or \fBSSL_set_psk_find_session
and it will use that in preference. If no such callback is present then it will
check to see if a callback has been set via \fBSSL_CTX_set_psk_server_callback()\fR or
\&\fBSSL_set_psk_server_callback()\fR and use that. In this case the handshake digest
-will default to \s-1SHA\-256\s0 for any returned \s-1PSK.\s0 TLSv1.3 early data exchanges are
-possible in \s-1PSK\s0 connections only with the \fBSSL_psk_find_session_cb_func\fR
+will default to SHA\-256 for any returned PSK. TLSv1.3 early data exchanges are
+possible in PSK connections only with the \fBSSL_psk_find_session_cb_func\fR
callback, and are not possible with the \fBSSL_psk_server_cb_func\fR callback.
.PP
-A connection established via a TLSv1.3 \s-1PSK\s0 will appear as if session resumption
+A connection established via a TLSv1.3 PSK will appear as if session resumption
has occurred so that \fBSSL_session_reused\fR\|(3) will return true.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fB\fBSSL_CTX_use_psk_identity_hint()\fB\fR and \fB\fBSSL_use_psk_identity_hint()\fB\fR return
+\&\fBSSL_CTX_use_psk_identity_hint()\fR and \fBSSL_use_psk_identity_hint()\fR return
1 on success, 0 otherwise.
.PP
Return values from the TLSv1.2 and below server callback are interpreted as
follows:
-.IP "0" 4
-\&\s-1PSK\s0 identity was not found. An \*(L"unknown_psk_identity\*(R" alert message
+.IP 0 4
+PSK identity was not found. An "unknown_psk_identity" alert message
will be sent and the connection setup fails.
-.IP ">0" 4
+.IP >0 4
.IX Item ">0"
-\&\s-1PSK\s0 identity was found and the server callback has provided the \s-1PSK\s0
+PSK identity was found and the server callback has provided the PSK
successfully in parameter \fBpsk\fR. Return value is the length of
\&\fBpsk\fR in bytes. It is an error to return a value greater than
\&\fBmax_psk_len\fR.
.Sp
-If the \s-1PSK\s0 identity was not found but the callback instructs the
+If the PSK identity was not found but the callback instructs the
protocol to continue anyway, the callback must provide some random
data to \fBpsk\fR and return the length of the random data, so the
connection will fail with decryption_error before it will be finished
@@ -249,29 +173,29 @@ completely.
.PP
The \fBSSL_psk_find_session_cb_func\fR callback should return 1 on success or 0 on
failure. In the event of failure the connection setup fails.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-There are no known security issues with sharing the same \s-1PSK\s0 between TLSv1.2 (or
-below) and TLSv1.3. However, the \s-1RFC\s0 has this note of caution:
+There are no known security issues with sharing the same PSK between TLSv1.2 (or
+below) and TLSv1.3. However, the RFC has this note of caution:
.PP
-\&\*(L"While there is no known way in which the same \s-1PSK\s0 might produce related output
+"While there is no known way in which the same PSK might produce related output
in both versions, only limited analysis has been done. Implementations can
ensure safety from cross-protocol related output by not reusing PSKs between
-\&\s-1TLS 1.3\s0 and \s-1TLS 1.2.\*(R"\s0
+TLS 1.3 and TLS 1.2."
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3),
\&\fBSSL_set_psk_use_session_callback\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_CTX_set_psk_find_session_callback()\fR and \fBSSL_set_psk_find_session_callback()\fR
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3
index 0bf7e320015a..4ffae562279e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_USE_SERVERINFO 3ossl"
-.TH SSL_CTX_USE_SERVERINFO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CTX_USE_SERVERINFO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_use_serverinfo_ex,
SSL_CTX_use_serverinfo,
SSL_CTX_use_serverinfo_file
\&\- use serverinfo extension
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -155,17 +79,17 @@ SSL_CTX_use_serverinfo_file
\&
\& int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions load \*(L"serverinfo\*(R" \s-1TLS\s0 extensions into the \s-1SSL_CTX. A\s0
-\&\*(L"serverinfo\*(R" extension is returned in response to an empty ClientHello
+These functions load "serverinfo" TLS extensions into the SSL_CTX. A
+"serverinfo" extension is returned in response to an empty ClientHello
Extension.
.PP
\&\fBSSL_CTX_use_serverinfo_ex()\fR loads one or more serverinfo extensions from
a byte array into \fBctx\fR. The \fBversion\fR parameter specifies the format of the
byte array provided in \fB*serverinfo\fR which is of length \fBserverinfo_length\fR.
.PP
-If \fBversion\fR is \fB\s-1SSL_SERVERINFOV2\s0\fR then the extensions in the array must
+If \fBversion\fR is \fBSSL_SERVERINFOV2\fR then the extensions in the array must
consist of a 4\-byte context, a 2\-byte Extension Type, a 2\-byte length, and then
length bytes of extension_data. The context and type values have the same
meaning as for \fBSSL_CTX_add_custom_ext\fR\|(3). If serverinfo is being loaded for
@@ -173,7 +97,7 @@ extensions to be added to a Certificate message, then the extension will only
be added for the first certificate in the message (which is always the
end-entity certificate).
.PP
-If \fBversion\fR is \fB\s-1SSL_SERVERINFOV1\s0\fR then the extensions in the array must
+If \fBversion\fR is \fBSSL_SERVERINFOV1\fR then the extensions in the array must
consist of a 2\-byte Extension Type, a 2\-byte length, and then length bytes of
extension_data. The type value has the same meaning as for
\&\fBSSL_CTX_add_custom_ext\fR\|(3). The following default context value will be used
@@ -186,17 +110,17 @@ in this case:
.PP
\&\fBSSL_CTX_use_serverinfo()\fR does the same thing as \fBSSL_CTX_use_serverinfo_ex()\fR
except that there is no \fBversion\fR parameter so a default version of
-\&\s-1SSL_SERVERINFOV1\s0 is used instead.
+SSL_SERVERINFOV1 is used instead.
.PP
\&\fBSSL_CTX_use_serverinfo_file()\fR loads one or more serverinfo extensions from
-\&\fBfile\fR into \fBctx\fR. The extensions must be in \s-1PEM\s0 format. Each extension
+\&\fBfile\fR into \fBctx\fR. The extensions must be in PEM format. Each extension
must be in a format as described above for \fBSSL_CTX_use_serverinfo_ex()\fR. Each
-\&\s-1PEM\s0 extension name must begin with the phrase \*(L"\s-1BEGIN SERVERINFOV2 FOR \*(R"\s0 for
-\&\s-1SSL_SERVERINFOV2\s0 data or \*(L"\s-1BEGIN SERVERINFO FOR \*(R"\s0 for \s-1SSL_SERVERINFOV1\s0 data.
+PEM extension name must begin with the phrase "BEGIN SERVERINFOV2 FOR " for
+SSL_SERVERINFOV2 data or "BEGIN SERVERINFO FOR " for SSL_SERVERINFOV1 data.
.PP
-If more than one certificate (\s-1RSA/DSA\s0) is installed using
+If more than one certificate (RSA/DSA) is installed using
\&\fBSSL_CTX_use_certificate()\fR, the serverinfo extension will be loaded into the
-last certificate installed. If e.g. the last item was an \s-1RSA\s0 certificate, the
+last certificate installed. If e.g. the last item was an RSA certificate, the
loaded serverinfo extension data will be loaded for that certificate. To
use the serverinfo extension for multiple certificates,
\&\fBSSL_CTX_use_serverinfo()\fR needs to be called multiple times, once \fBafter\fR
@@ -209,11 +133,11 @@ the reason.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3
index 0cddf8b5eee9..e68884e1c43a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_FREE 3ossl"
-.TH SSL_SESSION_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_new,
SSL_SESSION_dup,
SSL_SESSION_up_ref,
SSL_SESSION_free \- create, free and manage SSL_SESSION structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -151,51 +75,51 @@ SSL_SESSION_free \- create, free and manage SSL_SESSION structures
\& int SSL_SESSION_up_ref(SSL_SESSION *ses);
\& void SSL_SESSION_free(SSL_SESSION *session);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_SESSION_new()\fR creates a new \s-1SSL_SESSION\s0 structure and returns a pointer to
+\&\fBSSL_SESSION_new()\fR creates a new SSL_SESSION structure and returns a pointer to
it.
.PP
-\&\fBSSL_SESSION_dup()\fR creates a new \s-1SSL_SESSION\s0 structure that is a copy of \fBsrc\fR.
+\&\fBSSL_SESSION_dup()\fR creates a new SSL_SESSION structure that is a copy of \fBsrc\fR.
The copy is not owned by any cache that \fBsrc\fR may have been in.
.PP
-\&\fBSSL_SESSION_up_ref()\fR increments the reference count on the given \s-1SSL_SESSION\s0
+\&\fBSSL_SESSION_up_ref()\fR increments the reference count on the given SSL_SESSION
structure.
.PP
\&\fBSSL_SESSION_free()\fR decrements the reference count of \fBsession\fR and removes
-the \fB\s-1SSL_SESSION\s0\fR structure pointed to by \fBsession\fR and frees up the allocated
+the \fBSSL_SESSION\fR structure pointed to by \fBsession\fR and frees up the allocated
memory, if the reference count has reached 0.
-If \fBsession\fR is \s-1NULL\s0 nothing is done.
-.SH "NOTES"
+If \fBsession\fR is NULL nothing is done.
+.SH NOTES
.IX Header "NOTES"
-\&\s-1SSL_SESSION\s0 objects are allocated, when a \s-1TLS/SSL\s0 handshake operation
+SSL_SESSION objects are allocated, when a TLS/SSL handshake operation
is successfully completed. Depending on the settings, see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
-the \s-1SSL_SESSION\s0 objects are internally referenced by the \s-1SSL_CTX\s0 and
-linked into its session cache. \s-1SSL\s0 objects may be using the \s-1SSL_SESSION\s0 object;
-as a session may be reused, several \s-1SSL\s0 objects may be using one \s-1SSL_SESSION\s0
+the SSL_SESSION objects are internally referenced by the SSL_CTX and
+linked into its session cache. SSL objects may be using the SSL_SESSION object;
+as a session may be reused, several SSL objects may be using one SSL_SESSION
object at the same time. It is therefore crucial to keep the reference
-count (usage information) correct and not delete a \s-1SSL_SESSION\s0 object
+count (usage information) correct and not delete an SSL_SESSION object
that is still used, as this may lead to program failures due to
dangling pointers. These failures may also appear delayed, e.g.
-when an \s-1SSL_SESSION\s0 object was completely freed as the reference count
+when an SSL_SESSION object was completely freed as the reference count
incorrectly became 0, but it is still referenced in the internal
session cache and the cache list is processed during a
\&\fBSSL_CTX_flush_sessions\fR\|(3) operation.
.PP
-\&\fBSSL_SESSION_free()\fR must only be called for \s-1SSL_SESSION\s0 objects, for
+\&\fBSSL_SESSION_free()\fR must only be called for SSL_SESSION objects, for
which the reference count was explicitly incremented (e.g.
by calling \fBSSL_get1_session()\fR, see \fBSSL_get_session\fR\|(3))
-or when the \s-1SSL_SESSION\s0 object was generated outside a \s-1TLS\s0 handshake
+or when the SSL_SESSION object was generated outside a TLS handshake
operation, e.g. by using \fBd2i_SSL_SESSION\fR\|(3).
-It must not be called on other \s-1SSL_SESSION\s0 objects, as this would cause
+It must not be called on other SSL_SESSION objects, as this would cause
incorrect reference counts and therefore program failures.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-SSL_SESSION_new returns a pointer to the newly allocated \s-1SSL_SESSION\s0 structure
-or \s-1NULL\s0 on error.
+SSL_SESSION_new returns a pointer to the newly allocated SSL_SESSION structure
+or NULL on error.
.PP
-SSL_SESSION_dup returns a pointer to the new copy or \s-1NULL\s0 on error.
+SSL_SESSION_dup returns a pointer to the new copy or NULL on error.
.PP
SSL_SESSION_up_ref returns 1 on success or 0 on error.
.SH "SEE ALSO"
@@ -204,14 +128,14 @@ SSL_SESSION_up_ref returns 1 on success or 0 on error.
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBd2i_SSL_SESSION\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_dup()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3
index baf445c2c87b..3dbd5d4dd3ae 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_CIPHER 3ossl"
-.TH SSL_SESSION_GET0_CIPHER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET0_CIPHER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get0_cipher,
SSL_SESSION_set_cipher
\&\- set and retrieve the SSL cipher associated with a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -148,21 +72,21 @@ SSL_SESSION_set_cipher
\& const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s);
\& int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get0_cipher()\fR retrieves the cipher that was used by the
-connection when the session was created, or \s-1NULL\s0 if it cannot be determined.
+connection when the session was created, or NULL if it cannot be determined.
.PP
The value returned is a pointer to an object maintained within \fBs\fR and
should not be released.
.PP
\&\fBSSL_SESSION_set_cipher()\fR can be used to set the ciphersuite associated with the
-\&\s-1SSL_SESSION\s0 \fBs\fR to \fBcipher\fR. For example, this could be used to set up a
-session based \s-1PSK\s0 (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)).
+SSL_SESSION \fBs\fR to \fBcipher\fR. For example, this could be used to set up a
+session based PSK (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_SESSION_get0_cipher()\fR returns the \s-1SSL_CIPHER\s0 associated with the \s-1SSL_SESSION\s0
-or \s-1NULL\s0 if it cannot be determined.
+\&\fBSSL_SESSION_get0_cipher()\fR returns the SSL_CIPHER associated with the SSL_SESSION
+or NULL if it cannot be determined.
.PP
\&\fBSSL_SESSION_set_cipher()\fR returns 1 on success or 0 on failure.
.SH "SEE ALSO"
@@ -173,15 +97,15 @@ or \s-1NULL\s0 if it cannot be determined.
\&\fBSSL_SESSION_get0_hostname\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_get0_cipher()\fR function was added in OpenSSL 1.1.0.
The \fBSSL_SESSION_set_cipher()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3
index 81cfa8bc19da..2e2216429951 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_HOSTNAME 3ossl"
-.TH SSL_SESSION_GET0_HOSTNAME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET0_HOSTNAME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get0_hostname,
SSL_SESSION_set1_hostname,
SSL_SESSION_get0_alpn_selected,
SSL_SESSION_set1_alpn_selected
\&\- get and set SNI and ALPN data associated with a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -156,32 +80,30 @@ SSL_SESSION_set1_alpn_selected
\& int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, const unsigned char *alpn,
\& size_t len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_SESSION_get0_hostname()\fR retrieves the \s-1SNI\s0 value that was sent by the
-client when the session was created if it was accepted by the server and TLSv1.2
-or below was negotiated. Otherwise \s-1NULL\s0 is returned. Note that in TLSv1.3 the
-\&\s-1SNI\s0 hostname is negotiated with each handshake including resumption handshakes
-and is therefore never associated with the session.
+\&\fBSSL_SESSION_get0_hostname()\fR retrieves the SNI value that was sent by the
+client when the session was created if it was accepted by the server. Otherwise
+NULL is returned.
.PP
The value returned is a pointer to memory maintained within \fBs\fR and
should not be free'd.
.PP
-\&\fBSSL_SESSION_set1_hostname()\fR sets the \s-1SNI\s0 value for the hostname to a copy of
+\&\fBSSL_SESSION_set1_hostname()\fR sets the SNI value for the hostname to a copy of
the string provided in hostname.
.PP
-\&\fBSSL_SESSION_get0_alpn_selected()\fR retrieves the selected \s-1ALPN\s0 protocol for this
+\&\fBSSL_SESSION_get0_alpn_selected()\fR retrieves the selected ALPN protocol for this
session and its associated length in bytes. The returned value of \fB*alpn\fR is a
pointer to memory maintained within \fBs\fR and should not be free'd.
.PP
-\&\fBSSL_SESSION_set1_alpn_selected()\fR sets the \s-1ALPN\s0 protocol for this session to the
+\&\fBSSL_SESSION_set1_alpn_selected()\fR sets the ALPN protocol for this session to the
value in \fBalpn\fR which should be of length \fBlen\fR bytes. A copy of the input
value is made, and the caller retains ownership of the memory pointed to by
\&\fBalpn\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_SESSION_get0_hostname()\fR returns either a string or \s-1NULL\s0 based on if there
-is the \s-1SNI\s0 value sent by client.
+\&\fBSSL_SESSION_get0_hostname()\fR returns either a string or NULL based on if there
+is the SNI value sent by client.
.PP
\&\fBSSL_SESSION_set1_hostname()\fR returns 1 on success or 0 on error.
.PP
@@ -192,15 +114,15 @@ is the \s-1SNI\s0 value sent by client.
\&\fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_set1_hostname()\fR, \fBSSL_SESSION_get0_alpn_selected()\fR and
\&\fBSSL_SESSION_set1_alpn_selected()\fR functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3
index 9c6a80b622a5..596f5fb45f9b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_ID_CONTEXT 3ossl"
-.TH SSL_SESSION_GET0_ID_CONTEXT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET0_ID_CONTEXT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get0_id_context,
SSL_SESSION_set1_id_context
\&\- get and set the SSL ID context associated with a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,21 +74,21 @@ SSL_SESSION_set1_id_context
\& int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
\& unsigned int sid_ctx_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-See \fBSSL_CTX_set_session_id_context\fR\|(3) for further details on session \s-1ID\s0
+See \fBSSL_CTX_set_session_id_context\fR\|(3) for further details on session ID
contexts.
.PP
-\&\fBSSL_SESSION_get0_id_context()\fR returns the \s-1ID\s0 context associated with
-the \s-1SSL/TLS\s0 session \fBs\fR. The length of the \s-1ID\s0 context is written to
-\&\fB*len\fR if \fBlen\fR is not \s-1NULL.\s0
+\&\fBSSL_SESSION_get0_id_context()\fR returns the ID context associated with
+the SSL/TLS session \fBs\fR. The length of the ID context is written to
+\&\fB*len\fR if \fBlen\fR is not NULL.
.PP
The value returned is a pointer to an object maintained within \fBs\fR and
should not be released.
.PP
-\&\fBSSL_SESSION_set1_id_context()\fR takes a copy of the provided \s-1ID\s0 context given in
-\&\fBsid_ctx\fR and associates it with the session \fBs\fR. The length of the \s-1ID\s0 context
-is given by \fBsid_ctx_len\fR which must not exceed \s-1SSL_MAX_SID_CTX_LENGTH\s0 bytes.
+\&\fBSSL_SESSION_set1_id_context()\fR takes a copy of the provided ID context given in
+\&\fBsid_ctx\fR and associates it with the session \fBs\fR. The length of the ID context
+is given by \fBsid_ctx_len\fR which must not exceed SSL_MAX_SID_CTX_LENGTH bytes.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_set1_id_context()\fR returns 1 on success or 0 on error.
@@ -172,14 +96,14 @@ is given by \fBsid_ctx_len\fR which must not exceed \s-1SSL_MAX_SID_CTX_LENGTH\s
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_set_session_id_context\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_get0_id_context()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3
index ebffa144e0e8..4e0042d7944d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_PEER 3ossl"
-.TH SSL_SESSION_GET0_PEER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET0_PEER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get0_peer
\&\- get details about peer's certificate for a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get0_peer()\fR returns the peer certificate associated with the session
-\&\fBs\fR or \s-1NULL\s0 if no peer certificate is available. The caller should not free the
+\&\fBs\fR or NULL if no peer certificate is available. The caller should not free the
returned value (unless \fBX509_up_ref\fR\|(3) has also been called).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_SESSION_get0_peer()\fR returns a pointer to the peer certificate or \s-1NULL\s0 if
+\&\fBSSL_SESSION_get0_peer()\fR returns a pointer to the peer certificate or NULL if
no peer certificate is available.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3
index b366d8fb8360..4797e228faf2 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_COMPRESS_ID 3ossl"
-.TH SSL_SESSION_GET_COMPRESS_ID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET_COMPRESS_ID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get_compress_id
\&\- get details about the compression associated with a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
If compression has been negotiated for an ssl session then
\&\fBSSL_SESSION_get_compress_id()\fR will return the id for the compression method or
@@ -159,11 +83,11 @@ none.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3
index 20ff11b2ced6..b38ae830908a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_PROTOCOL_VERSION 3ossl"
-.TH SSL_SESSION_GET_PROTOCOL_VERSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET_PROTOCOL_VERSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get_protocol_version,
SSL_SESSION_set_protocol_version
\&\- get and set the session protocol version
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -148,20 +72,20 @@ SSL_SESSION_set_protocol_version
\& int SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
\& int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get_protocol_version()\fR returns the protocol version number used
by session \fBs\fR.
.PP
\&\fBSSL_SESSION_set_protocol_version()\fR sets the protocol version associated with the
-\&\s-1SSL_SESSION\s0 object \fBs\fR to the value \fBversion\fR. This value should be a version
-constant such as \fB\s-1TLS1_3_VERSION\s0\fR etc. For example, this could be used to set
-up a session based \s-1PSK\s0 (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)).
+SSL_SESSION object \fBs\fR to the value \fBversion\fR. This value should be a version
+constant such as \fBTLS1_3_VERSION\fR etc. For example, this could be used to set
+up a session based PSK (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get_protocol_version()\fR returns a number indicating the protocol
version used for the session; this number matches the constants \fIe.g.\fR
-\&\fB\s-1TLS1_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR or \fB\s-1TLS1_3_VERSION\s0\fR.
+\&\fBTLS1_VERSION\fR, \fBTLS1_2_VERSION\fR or \fBTLS1_3_VERSION\fR.
.PP
Note that the \fBSSL_SESSION_get_protocol_version()\fR function
does \fBnot\fR perform a null check on the provided session \fBs\fR pointer.
@@ -171,15 +95,15 @@ does \fBnot\fR perform a null check on the provided session \fBs\fR pointer.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_get_protocol_version()\fR function was added in OpenSSL 1.1.0.
The \fBSSL_SESSION_set_protocol_version()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3
index f62ee7b0e213..5bd8cf8ea5e4 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,51 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_TIME 3ossl"
-.TH SSL_SESSION_GET_TIME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_GET_TIME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout,
-SSL_SESSION_set_timeout,
+SSL_SESSION_set_timeout, SSL_SESSION_get_time_ex, SSL_SESSION_set_time_ex,
SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout
\&\- retrieve and manipulate session time and timeout settings
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
-\& long SSL_SESSION_get_time(const SSL_SESSION *s);
-\& long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
\& long SSL_SESSION_get_timeout(const SSL_SESSION *s);
\& long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
\&
-\& long SSL_get_time(const SSL_SESSION *s);
-\& long SSL_set_time(SSL_SESSION *s, long tm);
\& long SSL_get_timeout(const SSL_SESSION *s);
\& long SSL_set_timeout(SSL_SESSION *s, long tm);
+\&
+\& time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s);
+\& time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t tm);
.Ve
-.SH "DESCRIPTION"
+.PP
+The following functions have been deprecated since OpenSSL 3.4, and can be
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
+see \fBopenssl_user_macros\fR\|(7):
+.PP
+.Vb 4
+\& long SSL_SESSION_get_time(const SSL_SESSION *s);
+\& long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
+\& long SSL_get_time(const SSL_SESSION *s);
+\& long SSL_set_time(SSL_SESSION *s, long tm);
+.Ve
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_SESSION_get_time()\fR returns the time at which the session \fBs\fR was
+\&\fBSSL_SESSION_get_time_ex()\fR returns the time at which the session \fBs\fR was
established. The time is given in seconds since the Epoch and therefore
compatible to the time delivered by the \fBtime()\fR call.
.PP
-\&\fBSSL_SESSION_set_time()\fR replaces the creation time of the session \fBs\fR with
+\&\fBSSL_SESSION_set_time_ex()\fR replaces the creation time of the session \fBs\fR with
the chosen value \fBtm\fR.
.PP
\&\fBSSL_SESSION_get_timeout()\fR returns the timeout value set for session \fBs\fR
@@ -171,9 +105,14 @@ in seconds.
\&\fBSSL_SESSION_set_timeout()\fR sets the timeout value for session \fBs\fR in seconds
to \fBtm\fR.
.PP
+\&\fBSSL_SESSION_get_time()\fR and \fBSSL_SESSION_set_time()\fR functions use
+the long datatype instead of time_t and are therefore deprecated due to not
+being Y2038\-safe on 32 bit systems. Note that such systems still need
+to be configured to use 64 bit time_t to be able to avoid overflow in system time.
+.PP
The \fBSSL_get_time()\fR, \fBSSL_set_time()\fR, \fBSSL_get_timeout()\fR, and \fBSSL_set_timeout()\fR
functions are synonyms for the SSL_SESSION_*() counterparts.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Sessions are expired by examining the creation time and the timeout value.
Both are set at creation time of the session to the actual time and the
@@ -183,23 +122,34 @@ Using these functions it is possible to extend or shorten the lifetime
of the session.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_SESSION_get_time()\fR and \fBSSL_SESSION_get_timeout()\fR return the currently
+\&\fBSSL_SESSION_get_time_ex()\fR and \fBSSL_SESSION_get_timeout()\fR return the currently
valid values.
.PP
-\&\fBSSL_SESSION_set_time()\fR and \fBSSL_SESSION_set_timeout()\fR return 1 on success.
+\&\fBSSL_SESSION_set_time_ex()\fR returns time on success.
+.PP
+\&\fBSSL_SESSION_set_timeout()\fR returns 1 on success.
.PP
-If any of the function is passed the \s-1NULL\s0 pointer for the session \fBs\fR,
+If any of the function is passed the NULL pointer for the session \fBs\fR,
0 is returned.
+.SH BUGS
+.IX Header "BUGS"
+The data type long is typically 32 bits on many systems, hence the old
+functions \fBSSL_SESSION_get_time()\fR and \fBSSL_SESSION_set_time()\fR are not always
+Y2038 safe.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The functions \fBSSL_SESSION_get_time_ex()\fR and \fBSSL_SESSION_set_time_ex()\fR were
+added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3
index a1ed7871b012..ec4845a42f91 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_HAS_TICKET 3ossl"
-.TH SSL_SESSION_HAS_TICKET 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_HAS_TICKET 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get0_ticket,
SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint
\&\- get details about the ticket associated with a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,7 +74,7 @@ SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint
\& void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
\& size_t *len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_has_ticket()\fR returns 1 if there is a Session Ticket associated with
this session, and 0 otherwise.
@@ -160,7 +84,7 @@ associated with the session ticket.
.PP
SSL_SESSION_get0_ticket obtains a pointer to the ticket associated with a
session. The length of the ticket is written to \fB*len\fR. If \fBtick\fR is non
-\&\s-1NULL\s0 then a pointer to the ticket is written to \fB*tick\fR. The pointer is only
+NULL then a pointer to the ticket is written to \fB*tick\fR. The pointer is only
valid while the connection is in use. The session (and hence the ticket pointer)
may also become invalid as a result of a call to \fBSSL_CTX_flush_sessions()\fR.
.SH "RETURN VALUES"
@@ -174,15 +98,15 @@ may also become invalid as a result of a call to \fBSSL_CTX_flush_sessions()\fR.
\&\fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_has_ticket()\fR, \fBSSL_SESSION_get_ticket_lifetime_hint()\fR
and \fBSSL_SESSION_get0_ticket()\fR functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3
index e67c89b7b4ea..781da0f6e423 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,27 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_IS_RESUMABLE 3ossl"
-.TH SSL_SESSION_IS_RESUMABLE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_IS_RESUMABLE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_is_resumable
\&\- determine whether an SSL_SESSION object can be used for resumption
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_SESSION_is_resumable(const SSL_SESSION *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_SESSION_is_resumable()\fR determines whether an \s-1SSL_SESSION\s0 object can be used
+\&\fBSSL_SESSION_is_resumable()\fR determines whether an SSL_SESSION object can be used
to resume a session or not. Returns 1 if it can or 0 if not. Note that
attempting to resume with a non-resumable session will result in a full
handshake.
@@ -160,14 +84,14 @@ handshake.
\&\fBssl\fR\|(7),
\&\fBSSL_get_session\fR\|(3),
\&\fBSSL_CTX_sess_set_new_cb\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_is_resumable()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3
index 3418084866ae..f26499dcba98 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_PRINT 3ossl"
-.TH SSL_SESSION_PRINT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_PRINT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_print,
SSL_SESSION_print_fp,
SSL_SESSION_print_keylog
\&\- printf information about a session
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,16 +74,16 @@ SSL_SESSION_print_keylog
\& int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
\& int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_print()\fR prints summary information about the session provided in
-\&\fBses\fR to the \s-1BIO\s0 \fBfp\fR.
+\&\fBses\fR to the BIO \fBfp\fR.
.PP
\&\fBSSL_SESSION_print_fp()\fR does the same as \fBSSL_SESSION_print()\fR except it prints it
-to the \s-1FILE\s0 \fBfp\fR.
+to the FILE \fBfp\fR.
.PP
-\&\fBSSL_SESSION_print_keylog()\fR prints session information to the provided \s-1BIO\s0 <bp>
-in \s-1NSS\s0 keylog format.
+\&\fBSSL_SESSION_print_keylog()\fR prints session information to the provided BIO <bp>
+in NSS keylog format.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_print()\fR, \fBSSL_SESSION_print_fp()\fR and SSL_SESSION_print_keylog return
@@ -167,11 +91,11 @@ in \s-1NSS\s0 keylog format.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3
index b8a1b5614ce7..c0a06b9325a5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_SET1_ID 3ossl"
-.TH SSL_SESSION_SET1_ID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_SET1_ID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_SESSION_get_id,
SSL_SESSION_set1_id
\&\- get and set the SSL session ID
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,30 +74,30 @@ SSL_SESSION_set1_id
\& int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
\& unsigned int sid_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get_id()\fR returns a pointer to the internal session id value for the
session \fBs\fR. The length of the id in bytes is stored in \fB*len\fR. The length may
be 0. The caller should not free the returned pointer directly.
.PP
-\&\fBSSL_SESSION_set1_id()\fR sets the session \s-1ID\s0 for the \fBssl\fR \s-1SSL/TLS\s0 session
+\&\fBSSL_SESSION_set1_id()\fR sets the session ID for the \fBssl\fR SSL/TLS session
to \fBsid\fR of length \fBsid_len\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get_id()\fR returns a pointer to the session id value.
\&\fBSSL_SESSION_set1_id()\fR returns 1 for success and 0 for failure, for example
-if the supplied session \s-1ID\s0 length exceeds \fB\s-1SSL_MAX_SSL_SESSION_ID_LENGTH\s0\fR.
+if the supplied session ID length exceeds \fBSSL_MAX_SSL_SESSION_ID_LENGTH\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_SESSION_set1_id()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_accept.3 b/secure/lib/libcrypto/man/man3/SSL_accept.3
index 3e71f509bd15..9e58e46b6431 100644
--- a/secure/lib/libcrypto/man/man3/SSL_accept.3
+++ b/secure/lib/libcrypto/man/man3/SSL_accept.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,120 +52,60 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_ACCEPT 3ossl"
-.TH SSL_ACCEPT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_ACCEPT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_accept \- wait for a TLS/SSL client to initiate a TLS/SSL handshake
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_accept(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_accept()\fR waits for a \s-1TLS/SSL\s0 client to initiate the \s-1TLS/SSL\s0 handshake.
+\&\fBSSL_accept()\fR waits for a TLS/SSL client to initiate the TLS/SSL handshake.
The communication channel must already have been set and assigned to the
-\&\fBssl\fR by setting an underlying \fB\s-1BIO\s0\fR.
-.SH "NOTES"
+\&\fBssl\fR by setting an underlying \fBBIO\fR.
+.SH NOTES
.IX Header "NOTES"
-The behaviour of \fBSSL_accept()\fR depends on the underlying \s-1BIO.\s0
+The behaviour of \fBSSL_accept()\fR depends on the underlying BIO.
.PP
-If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_accept()\fR will only return once the
+If the underlying BIO is \fBblocking\fR, \fBSSL_accept()\fR will only return once the
handshake has been finished or an error occurred.
.PP
-If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_accept()\fR will also return
-when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_accept()\fR
+If the underlying BIO is \fBnonblocking\fR, \fBSSL_accept()\fR will also return
+when the underlying BIO could not satisfy the needs of \fBSSL_accept()\fR
to continue the handshake, indicating the problem by the return value \-1.
In this case a call to \fBSSL_get_error()\fR with the
-return value of \fBSSL_accept()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
+return value of \fBSSL_accept()\fR will yield \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_accept()\fR.
-The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
-into or retrieved out of the \s-1BIO\s0 before being able to continue.
+condition. When using a buffering BIO, like a BIO pair, data must be written
+into or retrieved out of the BIO before being able to continue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
-The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
-by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fBSSL_get_error()\fR with the
+.IP 0 4
+The TLS/SSL handshake was not successful but was shut down controlled and
+by the specifications of the TLS/SSL protocol. Call \fBSSL_get_error()\fR with the
return value \fBret\fR to find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
-The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
established.
-.IP "<0" 4
+.IP <0 4
.IX Item "<0"
-The \s-1TLS/SSL\s0 handshake was not successful because a fatal error occurred either
+The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
for nonblocking BIOs. Call \fBSSL_get_error()\fR with the return value \fBret\fR
@@ -193,11 +117,11 @@ to find out the reason.
\&\fBSSL_set_connect_state\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_accept_stream.3 b/secure/lib/libcrypto/man/man3/SSL_accept_stream.3
new file mode 100644
index 000000000000..2b2841d48028
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_accept_stream.3
@@ -0,0 +1,134 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_ACCEPT_STREAM 3ossl"
+.TH SSL_ACCEPT_STREAM 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_accept_stream, SSL_get_accept_stream_queue_len, SSL_ACCEPT_STREAM_NO_BLOCK \-
+accept an incoming QUIC stream from a QUIC peer
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_ACCEPT_STREAM_NO_BLOCK
+\&
+\& SSL *SSL_accept_stream(SSL *ssl, uint64_t flags);
+\&
+\& size_t SSL_get_accept_stream_queue_len(SSL *ssl);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_accept_stream()\fR function attempts to dequeue an incoming stream from the
+given QUIC connection SSL object and returns the newly allocated QUIC stream SSL
+object.
+.PP
+If the queue of incoming streams is empty, this function returns NULL (in
+nonblocking mode) or waits for an incoming stream (in blocking mode). This
+function may still return NULL in blocking mode, for example if the underlying
+connection is terminated.
+.PP
+The caller is responsible for managing the lifetime of the returned QUIC stream
+SSL object; for more information, see \fBSSL_free\fR\|(3).
+.PP
+This function will block if the QUIC connection SSL object is configured in
+blocking mode (see \fBSSL_set_blocking_mode\fR\|(3)), but this may be bypassed by
+passing the flag \fBSSL_ACCEPT_STREAM_NO_BLOCK\fR in \fIflags\fR. If this flag is set,
+this function never blocks.
+.PP
+Calling \fBSSL_accept_stream()\fR if there is no default stream already present
+inhibits the future creation of a default stream. See \fBopenssl\-quic\fR\|(7).
+.PP
+\&\fBSSL_get_accept_stream_queue_len()\fR returns the number of incoming streams
+currently waiting in the accept queue.
+.PP
+These functions can be used from multiple threads for the same QUIC connection.
+.PP
+Depending on whether default stream functionality is being used, it may be
+necessary to explicitly configure the incoming stream policy before streams can
+be accepted; see \fBSSL_set_incoming_stream_policy\fR\|(3). See also
+"MODES OF OPERATION" in \fBopenssl\-quic\fR\|(7) for more information on default stream
+functionality.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_accept_stream()\fR returns a newly allocated QUIC stream SSL object, or NULL if
+no new incoming streams are available, or if the connection has been terminated,
+or if called on an SSL object other than a QUIC connection SSL object.
+\&\fBSSL_get_error\fR\|(3) can be used to obtain further information in this case.
+.PP
+\&\fBSSL_get_accept_stream_queue_len()\fR returns the number of incoming streams
+currently waiting in the accept queue, or 0 if called on an SSL object other than
+a QUIC connection SSL object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+"MODES OF OPERATION" in \fBopenssl\-quic\fR\|(7), \fBSSL_new_stream\fR\|(3),
+\&\fBSSL_set_blocking_mode\fR\|(3), \fBSSL_free\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_accept_stream()\fR and \fBSSL_get_accept_stream_queue_len()\fR were added in OpenSSL
+3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3
index 4de1d9d001b5..2388057d4f23 100644
--- a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3
+++ b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_ALERT_TYPE_STRING 3ossl"
-.TH SSL_ALERT_TYPE_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_ALERT_TYPE_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_alert_desc_string_long \- get textual description of alert information
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,7 +73,7 @@ SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_al
\& const char *SSL_alert_desc_string(int value);
\& const char *SSL_alert_desc_string_long(int value);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_alert_type_string()\fR returns a one letter string indicating the
type of the alert specified by \fBvalue\fR.
@@ -162,177 +86,150 @@ describing the reason of the alert specified by \fBvalue\fR.
.PP
\&\fBSSL_alert_desc_string_long()\fR returns a string describing the reason
of the alert specified by \fBvalue\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When one side of an \s-1SSL/TLS\s0 communication wants to inform the peer about
+When one side of an SSL/TLS communication wants to inform the peer about
a special situation, it sends an alert. The alert is sent as a special message
and does not influence the normal data stream (unless its contents results
in the communication being canceled).
.PP
A warning alert is sent, when a non-fatal error condition occurs. The
-\&\*(L"close notify\*(R" alert is sent as a warning alert. Other examples for
-non-fatal errors are certificate errors (\*(L"certificate expired\*(R",
-\&\*(L"unsupported certificate\*(R"), for which a warning alert may be sent.
+"close notify" alert is sent as a warning alert. Other examples for
+non-fatal errors are certificate errors ("certificate expired",
+"unsupported certificate"), for which a warning alert may be sent.
(The sending party may however decide to send a fatal error.) The
receiving side may cancel the connection on reception of a warning
alert on it discretion.
.PP
Several alert messages must be sent as fatal alert messages as specified
-by the \s-1TLS RFC. A\s0 fatal alert always leads to a connection abort.
+by the TLS RFC. A fatal alert always leads to a connection abort.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following strings can occur for \fBSSL_alert_type_string()\fR or
\&\fBSSL_alert_type_string_long()\fR:
-.ie n .IP """W""/""warning""" 4
-.el .IP "``W''/``warning''" 4
-.IX Item "W/warning"
+.IP """W""/""warning""" 4
+.IX Item """W""/""warning"""
.PD 0
-.ie n .IP """F""/""fatal""" 4
-.el .IP "``F''/``fatal''" 4
-.IX Item "F/fatal"
-.ie n .IP """U""/""unknown""" 4
-.el .IP "``U''/``unknown''" 4
-.IX Item "U/unknown"
+.IP """F""/""fatal""" 4
+.IX Item """F""/""fatal"""
+.IP """U""/""unknown""" 4
+.IX Item """U""/""unknown"""
.PD
This indicates that no support is available for this alert type.
Probably \fBvalue\fR does not contain a correct alert message.
.PP
The following strings can occur for \fBSSL_alert_desc_string()\fR or
\&\fBSSL_alert_desc_string_long()\fR:
-.ie n .IP """\s-1CN""/\s0""close notify""" 4
-.el .IP "``\s-1CN''/\s0``close notify''" 4
-.IX Item "CN/close notify"
+.IP """CN""/""close notify""" 4
+.IX Item """CN""/""close notify"""
The connection shall be closed. This is a warning alert.
-.ie n .IP """\s-1UM""/\s0""unexpected message""" 4
-.el .IP "``\s-1UM''/\s0``unexpected message''" 4
-.IX Item "UM/unexpected message"
+.IP """UM""/""unexpected message""" 4
+.IX Item """UM""/""unexpected message"""
An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.
-.ie n .IP """\s-1BM""/\s0""bad record mac""" 4
-.el .IP "``\s-1BM''/\s0``bad record mac''" 4
-.IX Item "BM/bad record mac"
+.IP """BM""/""bad record mac""" 4
+.IX Item """BM""/""bad record mac"""
This alert is returned if a record is received with an incorrect
-\&\s-1MAC.\s0 This message is always fatal.
-.ie n .IP """\s-1DF""/\s0""decompression failure""" 4
-.el .IP "``\s-1DF''/\s0``decompression failure''" 4
-.IX Item "DF/decompression failure"
+MAC. This message is always fatal.
+.IP """DF""/""decompression failure""" 4
+.IX Item """DF""/""decompression failure"""
The decompression function received improper input (e.g. data
that would expand to excessive length). This message is always
fatal.
-.ie n .IP """\s-1HF""/\s0""handshake failure""" 4
-.el .IP "``\s-1HF''/\s0``handshake failure''" 4
-.IX Item "HF/handshake failure"
+.IP """HF""/""handshake failure""" 4
+.IX Item """HF""/""handshake failure"""
Reception of a handshake_failure alert message indicates that the
sender was unable to negotiate an acceptable set of security
parameters given the options available. This is a fatal error.
-.ie n .IP """\s-1NC""/\s0""no certificate""" 4
-.el .IP "``\s-1NC''/\s0``no certificate''" 4
-.IX Item "NC/no certificate"
+.IP """NC""/""no certificate""" 4
+.IX Item """NC""/""no certificate"""
A client, that was asked to send a certificate, does not send a certificate
(SSLv3 only).
-.ie n .IP """\s-1BC""/\s0""bad certificate""" 4
-.el .IP "``\s-1BC''/\s0``bad certificate''" 4
-.IX Item "BC/bad certificate"
+.IP """BC""/""bad certificate""" 4
+.IX Item """BC""/""bad certificate"""
A certificate was corrupt, contained signatures that did not
verify correctly, etc
-.ie n .IP """\s-1UC""/\s0""unsupported certificate""" 4
-.el .IP "``\s-1UC''/\s0``unsupported certificate''" 4
-.IX Item "UC/unsupported certificate"
+.IP """UC""/""unsupported certificate""" 4
+.IX Item """UC""/""unsupported certificate"""
A certificate was of an unsupported type.
-.ie n .IP """\s-1CR""/\s0""certificate revoked""" 4
-.el .IP "``\s-1CR''/\s0``certificate revoked''" 4
-.IX Item "CR/certificate revoked"
+.IP """CR""/""certificate revoked""" 4
+.IX Item """CR""/""certificate revoked"""
A certificate was revoked by its signer.
-.ie n .IP """\s-1CE""/\s0""certificate expired""" 4
-.el .IP "``\s-1CE''/\s0``certificate expired''" 4
-.IX Item "CE/certificate expired"
+.IP """CE""/""certificate expired""" 4
+.IX Item """CE""/""certificate expired"""
A certificate has expired or is not currently valid.
-.ie n .IP """\s-1CU""/\s0""certificate unknown""" 4
-.el .IP "``\s-1CU''/\s0``certificate unknown''" 4
-.IX Item "CU/certificate unknown"
+.IP """CU""/""certificate unknown""" 4
+.IX Item """CU""/""certificate unknown"""
Some other (unspecified) issue arose in processing the
certificate, rendering it unacceptable.
-.ie n .IP """\s-1IP""/\s0""illegal parameter""" 4
-.el .IP "``\s-1IP''/\s0``illegal parameter''" 4
-.IX Item "IP/illegal parameter"
+.IP """IP""/""illegal parameter""" 4
+.IX Item """IP""/""illegal parameter"""
A field in the handshake was out of range or inconsistent with
other fields. This is always fatal.
-.ie n .IP """\s-1DC""/\s0""decryption failed""" 4
-.el .IP "``\s-1DC''/\s0``decryption failed''" 4
-.IX Item "DC/decryption failed"
+.IP """DC""/""decryption failed""" 4
+.IX Item """DC""/""decryption failed"""
A TLSCiphertext decrypted in an invalid way: either it wasn't an
even multiple of the block length or its padding values, when
checked, weren't correct. This message is always fatal.
-.ie n .IP """\s-1RO""/\s0""record overflow""" 4
-.el .IP "``\s-1RO''/\s0``record overflow''" 4
-.IX Item "RO/record overflow"
+.IP """RO""/""record overflow""" 4
+.IX Item """RO""/""record overflow"""
A TLSCiphertext record was received which had a length more than
2^14+2048 bytes, or a record decrypted to a TLSCompressed record
with more than 2^14+1024 bytes. This message is always fatal.
-.ie n .IP """\s-1CA""/\s0""unknown \s-1CA""\s0" 4
-.el .IP "``\s-1CA''/\s0``unknown \s-1CA''\s0" 4
-.IX Item "CA/unknown CA"
+.IP """CA""/""unknown CA""" 4
+.IX Item """CA""/""unknown CA"""
A valid certificate chain or partial chain was received, but the
-certificate was not accepted because the \s-1CA\s0 certificate could not
-be located or couldn't be matched with a known, trusted \s-1CA.\s0 This
+certificate was not accepted because the CA certificate could not
+be located or couldn't be matched with a known, trusted CA. This
message is always fatal.
-.ie n .IP """\s-1AD""/\s0""access denied""" 4
-.el .IP "``\s-1AD''/\s0``access denied''" 4
-.IX Item "AD/access denied"
+.IP """AD""/""access denied""" 4
+.IX Item """AD""/""access denied"""
A valid certificate was received, but when access control was
applied, the sender decided not to proceed with negotiation.
This message is always fatal.
-.ie n .IP """\s-1DE""/\s0""decode error""" 4
-.el .IP "``\s-1DE''/\s0``decode error''" 4
-.IX Item "DE/decode error"
+.IP """DE""/""decode error""" 4
+.IX Item """DE""/""decode error"""
A message could not be decoded because some field was out of the
specified range or the length of the message was incorrect. This
message is always fatal.
-.ie n .IP """\s-1CY""/\s0""decrypt error""" 4
-.el .IP "``\s-1CY''/\s0``decrypt error''" 4
-.IX Item "CY/decrypt error"
+.IP """CY""/""decrypt error""" 4
+.IX Item """CY""/""decrypt error"""
A handshake cryptographic operation failed, including being
unable to correctly verify a signature, decrypt a key exchange,
or validate a finished message.
-.ie n .IP """\s-1ER""/\s0""export restriction""" 4
-.el .IP "``\s-1ER''/\s0``export restriction''" 4
-.IX Item "ER/export restriction"
+.IP """ER""/""export restriction""" 4
+.IX Item """ER""/""export restriction"""
A negotiation not in compliance with export restrictions was
detected; for example, attempting to transfer a 1024 bit
-ephemeral \s-1RSA\s0 key for the \s-1RSA_EXPORT\s0 handshake method. This
+ephemeral RSA key for the RSA_EXPORT handshake method. This
message is always fatal.
-.ie n .IP """\s-1PV""/\s0""protocol version""" 4
-.el .IP "``\s-1PV''/\s0``protocol version''" 4
-.IX Item "PV/protocol version"
+.IP """PV""/""protocol version""" 4
+.IX Item """PV""/""protocol version"""
The protocol version the client has attempted to negotiate is
recognized, but not supported. (For example, old protocol
versions might be avoided for security reasons). This message is
always fatal.
-.ie n .IP """\s-1IS""/\s0""insufficient security""" 4
-.el .IP "``\s-1IS''/\s0``insufficient security''" 4
-.IX Item "IS/insufficient security"
+.IP """IS""/""insufficient security""" 4
+.IX Item """IS""/""insufficient security"""
Returned instead of handshake_failure when a negotiation has
failed specifically because the server requires ciphers more
secure than those supported by the client. This message is always
fatal.
-.ie n .IP """\s-1IE""/\s0""internal error""" 4
-.el .IP "``\s-1IE''/\s0``internal error''" 4
-.IX Item "IE/internal error"
+.IP """IE""/""internal error""" 4
+.IX Item """IE""/""internal error"""
An internal error unrelated to the peer or the correctness of the
protocol makes it impossible to continue (such as a memory
allocation failure). This message is always fatal.
-.ie n .IP """\s-1US""/\s0""user canceled""" 4
-.el .IP "``\s-1US''/\s0``user canceled''" 4
-.IX Item "US/user canceled"
+.IP """US""/""user canceled""" 4
+.IX Item """US""/""user canceled"""
This handshake is being canceled for some reason unrelated to a
protocol failure. If the user cancels an operation after the
handshake is complete, just closing the connection by sending a
close_notify is more appropriate. This alert should be followed
by a close_notify. This message is generally a warning.
-.ie n .IP """\s-1NR""/\s0""no renegotiation""" 4
-.el .IP "``\s-1NR''/\s0``no renegotiation''" 4
-.IX Item "NR/no renegotiation"
+.IP """NR""/""no renegotiation""" 4
+.IX Item """NR""/""no renegotiation"""
Sent by the client in response to a hello request or by the
server in response to a client hello after initial handshaking.
Either of these would normally lead to renegotiation; when that
@@ -344,24 +241,22 @@ satisfy a request; the process might receive security parameters
(key length, authentication, etc.) at startup and it might be
difficult to communicate changes to these parameters after that
point. This message is always a warning.
-.ie n .IP """\s-1UP""/\s0""unknown \s-1PSK\s0 identity""" 4
-.el .IP "``\s-1UP''/\s0``unknown \s-1PSK\s0 identity''" 4
-.IX Item "UP/unknown PSK identity"
-Sent by the server to indicate that it does not recognize a \s-1PSK\s0
-identity or an \s-1SRP\s0 identity.
-.ie n .IP """\s-1UK""/\s0""unknown""" 4
-.el .IP "``\s-1UK''/\s0``unknown''" 4
-.IX Item "UK/unknown"
+.IP """UP""/""unknown PSK identity""" 4
+.IX Item """UP""/""unknown PSK identity"""
+Sent by the server to indicate that it does not recognize a PSK
+identity or an SRP identity.
+.IP """UK""/""unknown""" 4
+.IX Item """UK""/""unknown"""
This indicates that no description is available for this alert type.
Probably \fBvalue\fR does not contain a correct alert message.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_info_callback\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3
index 74aa5e4a93ce..159bd6828368 100644
--- a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3
+++ b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_ALLOC_BUFFERS 3ossl"
-.TH SSL_ALLOC_BUFFERS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_ALLOC_BUFFERS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_free_buffers, SSL_alloc_buffers \- manage SSL structure buffers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,12 +70,12 @@ SSL_free_buffers, SSL_alloc_buffers \- manage SSL structure buffers
\& int SSL_free_buffers(SSL *ssl);
\& int SSL_alloc_buffers(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_free_buffers()\fR frees the read and write buffers of the given \fBssl\fR.
\&\fBSSL_alloc_buffers()\fR allocates the read and write buffers of the given \fBssl\fR.
.PP
-The \fB\s-1SSL_MODE_RELEASE_BUFFERS\s0\fR mode releases read or write buffers whenever
+The \fBSSL_MODE_RELEASE_BUFFERS\fR mode releases read or write buffers whenever
the buffers have been drained. These functions allow applications to manually
control when buffers are freed and allocated.
.PP
@@ -160,6 +84,9 @@ new read or write. The \fBSSL_alloc_buffers()\fR does not need to be called, but
can be used to make sure the buffers are preallocated. This can be used to
avoid allocation during data processing or with \fBCRYPTO_set_mem_functions()\fR
to control where and how buffers are allocated.
+.PP
+These functions are no-ops when used with QUIC SSL objects. For QUIC,
+\&\fBSSL_free_buffers()\fR always fails, and \fBSSL_alloc_buffers()\fR always succeeds.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
@@ -182,11 +109,11 @@ This value is also returned if the buffers had been allocated before calling
\&\fBSSL_free\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_new\fR\|(3), \fBSSL_CTX_set_mode\fR\|(3),
\&\fBCRYPTO_set_mem_functions\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 b/secure/lib/libcrypto/man/man3/SSL_check_chain.3
index 577908b7b11b..2683d985b307 100644
--- a/secure/lib/libcrypto/man/man3/SSL_check_chain.3
+++ b/secure/lib/libcrypto/man/man3/SSL_check_chain.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CHECK_CHAIN 3ossl"
-.TH SSL_CHECK_CHAIN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CHECK_CHAIN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_check_chain \- check certificate chain suitability
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_check_chain()\fR checks whether certificate \fBx\fR, private key \fBpk\fR and
certificate chain \fBchain\fR is suitable for use with the current session
@@ -155,36 +79,36 @@ certificate chain \fBchain\fR is suitable for use with the current session
\&\fBSSL_check_chain()\fR returns a bitmap of flags indicating the validity of the
chain.
.PP
-\&\fB\s-1CERT_PKEY_VALID\s0\fR: the chain can be used with the current session.
+\&\fBCERT_PKEY_VALID\fR: the chain can be used with the current session.
If this flag is \fBnot\fR set then the certificate will never be used even
if the application tries to set it because it is inconsistent with the
peer preferences.
.PP
-\&\fB\s-1CERT_PKEY_SIGN\s0\fR: the \s-1EE\s0 key can be used for signing.
+\&\fBCERT_PKEY_SIGN\fR: the EE key can be used for signing.
.PP
-\&\fB\s-1CERT_PKEY_EE_SIGNATURE\s0\fR: the signature algorithm of the \s-1EE\s0 certificate is
+\&\fBCERT_PKEY_EE_SIGNATURE\fR: the signature algorithm of the EE certificate is
acceptable.
.PP
-\&\fB\s-1CERT_PKEY_CA_SIGNATURE\s0\fR: the signature algorithms of all \s-1CA\s0 certificates
+\&\fBCERT_PKEY_CA_SIGNATURE\fR: the signature algorithms of all CA certificates
are acceptable.
.PP
-\&\fB\s-1CERT_PKEY_EE_PARAM\s0\fR: the parameters of the end entity certificate are
+\&\fBCERT_PKEY_EE_PARAM\fR: the parameters of the end entity certificate are
acceptable (e.g. it is a supported curve).
.PP
-\&\fB\s-1CERT_PKEY_CA_PARAM\s0\fR: the parameters of all \s-1CA\s0 certificates are acceptable.
+\&\fBCERT_PKEY_CA_PARAM\fR: the parameters of all CA certificates are acceptable.
.PP
-\&\fB\s-1CERT_PKEY_EXPLICIT_SIGN\s0\fR: the end entity certificate algorithm
+\&\fBCERT_PKEY_EXPLICIT_SIGN\fR: the end entity certificate algorithm
can be used explicitly for signing (i.e. it is mentioned in the signature
algorithms extension).
.PP
-\&\fB\s-1CERT_PKEY_ISSUER_NAME\s0\fR: the issuer name is acceptable. This is only
+\&\fBCERT_PKEY_ISSUER_NAME\fR: the issuer name is acceptable. This is only
meaningful for client authentication.
.PP
-\&\fB\s-1CERT_PKEY_CERT_TYPE\s0\fR: the certificate type is acceptable. Only meaningful
+\&\fBCERT_PKEY_CERT_TYPE\fR: the certificate type is acceptable. Only meaningful
for client authentication.
.PP
-\&\fB\s-1CERT_PKEY_SUITEB\s0\fR: chain is suitable for Suite B use.
-.SH "NOTES"
+\&\fBCERT_PKEY_SUITEB\fR: chain is suitable for Suite B use.
+.SH NOTES
.IX Header "NOTES"
\&\fBSSL_check_chain()\fR must be called in servers after a client hello message or in
clients after a certificate request message. It will typically be called
@@ -195,29 +119,29 @@ function on each chain in turn: starting with the one it considers the
most secure. It could then use the chain of the first set which returns
suitable flags.
.PP
-As a minimum the flag \fB\s-1CERT_PKEY_VALID\s0\fR must be set for a chain to be
-usable. An application supporting multiple chains with different \s-1CA\s0 signature
-algorithms may also wish to check \fB\s-1CERT_PKEY_CA_SIGNATURE\s0\fR too. If no
+As a minimum the flag \fBCERT_PKEY_VALID\fR must be set for a chain to be
+usable. An application supporting multiple chains with different CA signature
+algorithms may also wish to check \fBCERT_PKEY_CA_SIGNATURE\fR too. If no
chain is suitable a server should fall back to the most secure chain which
-sets \fB\s-1CERT_PKEY_VALID\s0\fR.
+sets \fBCERT_PKEY_VALID\fR.
.PP
The validity of a chain is determined by checking if it matches a supported
signature algorithm, supported curves and in the case of client authentication
certificate types and issuer names.
.PP
-Since the supported signature algorithms extension is only used in \s-1TLS 1.2,
-TLS 1.3\s0 and \s-1DTLS 1.2\s0 the results for earlier versions of \s-1TLS\s0 and \s-1DTLS\s0 may not
-be very useful. Applications may wish to specify a different \*(L"legacy\*(R" chain
-for earlier versions of \s-1TLS\s0 or \s-1DTLS.\s0
+Since the supported signature algorithms extension is only used in TLS 1.2,
+TLS 1.3 and DTLS 1.2 the results for earlier versions of TLS and DTLS may not
+be very useful. Applications may wish to specify a different "legacy" chain
+for earlier versions of TLS or DTLS.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_cert_cb\fR\|(3),
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_clear.3 b/secure/lib/libcrypto/man/man3/SSL_clear.3
index 0e333b6228ae..d1c4d57ce7ad 100644
--- a/secure/lib/libcrypto/man/man3/SSL_clear.3
+++ b/secure/lib/libcrypto/man/man3/SSL_clear.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,51 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CLEAR 3ossl"
-.TH SSL_CLEAR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CLEAR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_clear \- reset SSL object to allow another connection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_clear(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Reset \fBssl\fR to allow another connection. All settings (method, ciphers,
BIOs) are kept.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-SSL_clear is used to prepare an \s-1SSL\s0 object for a new connection. While all
-settings are kept, a side effect is the handling of the current \s-1SSL\s0 session.
+SSL_clear is used to prepare an SSL object for a new connection. While all
+settings are kept, a side effect is the handling of the current SSL session.
If a session is still \fBopen\fR, it is considered bad and will be removed
-from the session cache, as required by \s-1RFC2246. A\s0 session is considered open,
+from the session cache, as required by RFC2246. A session is considered open,
if \fBSSL_shutdown\fR\|(3) was not called for the connection
or at least \fBSSL_set_shutdown\fR\|(3) was used to
-set the \s-1SSL_SENT_SHUTDOWN\s0 state.
+set the SSL_SENT_SHUTDOWN state.
.PP
If a session was closed cleanly, the session object will be kept and all
settings corresponding. This explicitly means, that e.g. the special method
used during the session will be kept for the next handshake. So if the
-session was a TLSv1 session, a \s-1SSL\s0 client object will use a TLSv1 client
-method for the next handshake and a \s-1SSL\s0 server object will use a TLSv1
+session was a TLSv1 session, an SSL client object will use a TLSv1 client
+method for the next handshake and an SSL server object will use a TLSv1
server method, even if TLS_*_methods were chosen on startup. This
will might lead to connection failures (see \fBSSL_new\fR\|(3))
for a description of the method's properties.
-.SH "WARNINGS"
+.PP
+This function is not supported on QUIC SSL objects and returns failure if called
+on such an object.
+.SH WARNINGS
.IX Header "WARNINGS"
-\&\fBSSL_clear()\fR resets the \s-1SSL\s0 object to allow for another connection. The
+\&\fBSSL_clear()\fR resets the SSL object to allow for another connection. The
reset operation however keeps several settings of the last sessions
(some of these settings were made automatically during the last
handshake). It only makes sense for a new connection with the exact
@@ -185,10 +112,10 @@ if session reuse is not desired).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
+.IP 0 4
The \fBSSL_clear()\fR operation could not be performed. Check the error stack to
find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The \fBSSL_clear()\fR operation was successful.
.PP
@@ -196,11 +123,11 @@ The \fBSSL_clear()\fR operation was successful.
\&\fBSSL_shutdown\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3), \fBssl\fR\|(7),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_connect.3 b/secure/lib/libcrypto/man/man3/SSL_connect.3
index b0a624244248..d646431aa7ec 100644
--- a/secure/lib/libcrypto/man/man3/SSL_connect.3
+++ b/secure/lib/libcrypto/man/man3/SSL_connect.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,135 +52,75 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONNECT 3ossl"
-.TH SSL_CONNECT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_CONNECT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_connect \- initiate the TLS/SSL handshake with an TLS/SSL server
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_connect(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_connect()\fR initiates the \s-1TLS/SSL\s0 handshake with a server. The communication
+\&\fBSSL_connect()\fR initiates the TLS/SSL handshake with a server. The communication
channel must already have been set and assigned to the \fBssl\fR by setting an
-underlying \fB\s-1BIO\s0\fR.
-.SH "NOTES"
+underlying \fBBIO\fR. \fBssl\fR \fBMUST NOT\fR be NULL.
+.SH NOTES
.IX Header "NOTES"
-The behaviour of \fBSSL_connect()\fR depends on the underlying \s-1BIO.\s0
+The behaviour of \fBSSL_connect()\fR depends on the underlying BIO.
.PP
-If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_connect()\fR will only return once the
+If the underlying BIO is \fBblocking\fR, \fBSSL_connect()\fR will only return once the
handshake has been finished or an error occurred.
.PP
-If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_connect()\fR will also return
-when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_connect()\fR
+If the underlying BIO is \fBnonblocking\fR, \fBSSL_connect()\fR will also return
+when the underlying BIO could not satisfy the needs of \fBSSL_connect()\fR
to continue the handshake, indicating the problem by the return value \-1.
In this case a call to \fBSSL_get_error()\fR with the
-return value of \fBSSL_connect()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
+return value of \fBSSL_connect()\fR will yield \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_connect()\fR.
-The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
-into or retrieved out of the \s-1BIO\s0 before being able to continue.
+condition. When using a buffering BIO, like a BIO pair, data must be written
+into or retrieved out of the BIO before being able to continue.
.PP
Many systems implement Nagle's algorithm by default which means that it will
-buffer outgoing \s-1TCP\s0 data if a \s-1TCP\s0 packet has already been sent for which no
-corresponding \s-1ACK\s0 has been received yet from the peer. This can have performance
+buffer outgoing TCP data if a TCP packet has already been sent for which no
+corresponding ACK has been received yet from the peer. This can have performance
impacts after a successful TLSv1.3 handshake or a successful TLSv1.2 (or below)
resumption handshake, because the last peer to communicate in the handshake is
the client. If the client is also the first to send application data (as is
-typical for many protocols) then this data could be buffered until an \s-1ACK\s0 has
+typical for many protocols) then this data could be buffered until an ACK has
been received for the final handshake message.
.PP
-The \fB\s-1TCP_NODELAY\s0\fR socket option is often available to disable Nagle's
+The \fBTCP_NODELAY\fR socket option is often available to disable Nagle's
algorithm. If an application opts to disable Nagle's algorithm consideration
should be given to turning it back on again later if appropriate. The helper
-function \fBBIO_set_tcp_ndelay()\fR can be used to turn on or off the \fB\s-1TCP_NODELAY\s0\fR
+function \fBBIO_set_tcp_ndelay()\fR can be used to turn on or off the \fBTCP_NODELAY\fR
option.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
-The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
-by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fBSSL_get_error()\fR with the
+.IP 0 4
+The TLS/SSL handshake was not successful but was shut down controlled and
+by the specifications of the TLS/SSL protocol. Call \fBSSL_get_error()\fR with the
return value \fBret\fR to find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
-The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
established.
-.IP "<0" 4
+.IP <0 4
.IX Item "<0"
-The \s-1TLS/SSL\s0 handshake was not successful, because a fatal error occurred either
+The TLS/SSL handshake was not successful, because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
for nonblocking BIOs. Call \fBSSL_get_error()\fR with the return value \fBret\fR
@@ -208,11 +132,11 @@ to find out the reason.
\&\fBSSL_set_connect_state\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3
index 07f0c59ffe97..3e8884f5d2c0 100644
--- a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3
+++ b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,121 +52,61 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_DO_HANDSHAKE 3ossl"
-.TH SSL_DO_HANDSHAKE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_DO_HANDSHAKE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_do_handshake \- perform a TLS/SSL handshake
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_do_handshake(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_do_handshake()\fR will wait for a \s-1SSL/TLS\s0 handshake to take place. If the
+\&\fBSSL_do_handshake()\fR will wait for an SSL/TLS handshake to take place. If the
connection is in client mode, the handshake will be started. The handshake
routines may have to be explicitly set in advance using either
\&\fBSSL_set_connect_state\fR\|(3) or
\&\fBSSL_set_accept_state\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The behaviour of \fBSSL_do_handshake()\fR depends on the underlying \s-1BIO.\s0
+The behaviour of \fBSSL_do_handshake()\fR depends on the underlying BIO.
.PP
-If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_do_handshake()\fR will only return
+If the underlying BIO is \fBblocking\fR, \fBSSL_do_handshake()\fR will only return
once the handshake has been finished or an error occurred.
.PP
-If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_do_handshake()\fR will also return
-when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_do_handshake()\fR
+If the underlying BIO is \fBnonblocking\fR, \fBSSL_do_handshake()\fR will also return
+when the underlying BIO could not satisfy the needs of \fBSSL_do_handshake()\fR
to continue the handshake. In this case a call to \fBSSL_get_error()\fR with the
-return value of \fBSSL_do_handshake()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
+return value of \fBSSL_do_handshake()\fR will yield \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_do_handshake()\fR.
-The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
-into or retrieved out of the \s-1BIO\s0 before being able to continue.
+condition. When using a buffering BIO, like a BIO pair, data must be written
+into or retrieved out of the BIO before being able to continue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
-The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
-by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fBSSL_get_error()\fR with the
+.IP 0 4
+The TLS/SSL handshake was not successful but was shut down controlled and
+by the specifications of the TLS/SSL protocol. Call \fBSSL_get_error()\fR with the
return value \fBret\fR to find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
-The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
established.
-.IP "<0" 4
+.IP <0 4
.IX Item "<0"
-The \s-1TLS/SSL\s0 handshake was not successful because a fatal error occurred either
+The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
for nonblocking BIOs. Call \fBSSL_get_error()\fR with the return value \fBret\fR
@@ -192,11 +116,11 @@ to find out the reason.
\&\fBSSL_get_error\fR\|(3), \fBSSL_connect\fR\|(3),
\&\fBSSL_accept\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7),
\&\fBSSL_set_connect_state\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3
index aecc24ca8bf1..f917153ad22e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3
+++ b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_EXPORT_KEYING_MATERIAL 3ossl"
-.TH SSL_EXPORT_KEYING_MATERIAL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_EXPORT_KEYING_MATERIAL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_export_keying_material,
SSL_export_keying_material_early
\&\- obtain keying material for application use
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -155,20 +79,20 @@ SSL_export_keying_material_early
\& const unsigned char *context,
\& size_t contextlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-During the creation of a \s-1TLS\s0 or \s-1DTLS\s0 connection shared keying material is
+During the creation of a TLS or DTLS connection shared keying material is
established between the two endpoints. The functions
\&\fBSSL_export_keying_material()\fR and \fBSSL_export_keying_material_early()\fR enable an
application to use some of this keying material for its own purposes in
-accordance with \s-1RFC5705\s0 (for TLSv1.2 and below) or \s-1RFC8446\s0 (for TLSv1.3).
+accordance with RFC5705 (for TLSv1.2 and below) or RFC8446 (for TLSv1.3).
.PP
\&\fBSSL_export_keying_material()\fR derives keying material using
the \fIexporter_master_secret\fR established in the handshake.
.PP
\&\fBSSL_export_keying_material_early()\fR is only usable with TLSv1.3, and derives
keying material using the \fIearly_exporter_master_secret\fR (as defined in the
-\&\s-1TLS 1.3 RFC\s0). For the client, the \fIearly_exporter_master_secret\fR is only
+TLS 1.3 RFC). For the client, the \fIearly_exporter_master_secret\fR is only
available when the client attempts to send 0\-RTT data. For the server, it is
only available when the server accepts 0\-RTT data.
.PP
@@ -178,7 +102,7 @@ application session, application algorithms or parameters, or the lifetime of
the context. The context value is left to the application but must be the same
on both sides of the communication.
.PP
-For a given \s-1SSL\s0 connection \fBs\fR, \fBolen\fR bytes of data will be written to
+For a given SSL connection \fBs\fR, \fBolen\fR bytes of data will be written to
\&\fBout\fR. The application specific context should be supplied in the location
pointed to by \fBcontext\fR and should be \fBcontextlen\fR bytes long. Provision of
a context is optional. If the context should be omitted entirely then
@@ -191,9 +115,9 @@ result in the same keying material being returned.
.PP
An application specific label should be provided in the location pointed to by
\&\fBlabel\fR and should be \fBllen\fR bytes long. Typically this will be a value from
-the \s-1IANA\s0 Exporter Label Registry
+the IANA Exporter Label Registry
(<https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#exporter\-labels>).
-Alternatively labels beginning with \*(L"\s-1EXPERIMENTAL\*(R"\s0 are permitted by the standard
+Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
to be used without registration. TLSv1.3 imposes a maximum label length of
249 bytes.
.PP
@@ -207,14 +131,14 @@ above. Attempting to use it in SSLv3 will result in an error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_export_keying_material_early()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3
index e4adb3435172..d823070462ba 100644
--- a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3
+++ b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_EXTENSION_SUPPORTED 3ossl"
-.TH SSL_EXTENSION_SUPPORTED 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_EXTENSION_SUPPORTED 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_extension_supported,
SSL_custom_ext_add_cb_ex,
SSL_custom_ext_free_cb_ex,
@@ -145,7 +69,7 @@ SSL_CTX_add_custom_ext,
SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext,
custom_ext_add_cb, custom_ext_free_cb, custom_ext_parse_cb
\&\- custom TLS extension handling
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -205,16 +129,16 @@ custom_ext_add_cb, custom_ext_free_cb, custom_ext_parse_cb
\&
\& int SSL_extension_supported(unsigned int ext_type);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_add_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 client or server
+\&\fBSSL_CTX_add_custom_ext()\fR adds a custom extension for a TLS/DTLS client or server
for all supported protocol versions with extension type \fBext_type\fR and
callbacks \fBadd_cb\fR, \fBfree_cb\fR and \fBparse_cb\fR (see the
-\&\*(L"\s-1EXTENSION CALLBACKS\*(R"\s0 section below). The \fBcontext\fR value determines
+"EXTENSION CALLBACKS" section below). The \fBcontext\fR value determines
which messages and under what conditions the extension will be added/parsed (see
-the \*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 section below).
+the "EXTENSION CONTEXTS" section below).
.PP
-\&\fBSSL_CTX_add_client_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 client
+\&\fBSSL_CTX_add_client_custom_ext()\fR adds a custom extension for a TLS/DTLS client
with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and
\&\fBparse_cb\fR. This function is similar to \fBSSL_CTX_add_custom_ext()\fR except it only
applies to clients, uses the older style of callbacks, and implicitly sets the
@@ -225,14 +149,14 @@ applies to clients, uses the older style of callbacks, and implicitly sets the
\& | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION
.Ve
.PP
-\&\fBSSL_CTX_add_server_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 server
+\&\fBSSL_CTX_add_server_custom_ext()\fR adds a custom extension for a TLS/DTLS server
with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and
\&\fBparse_cb\fR. This function is similar to \fBSSL_CTX_add_custom_ext()\fR except it
only applies to servers, uses the older style of callbacks, and implicitly sets
the \fBcontext\fR value to the same as for \fBSSL_CTX_add_client_custom_ext()\fR above.
.PP
The \fBext_type\fR parameter corresponds to the \fBextension_type\fR field of
-\&\s-1RFC5246\s0 et al. It is \fBnot\fR a \s-1NID.\s0 In all cases the extension type must not be
+RFC5246 et al. It is \fBnot\fR a NID. In all cases the extension type must not be
handled by OpenSSL internally or an error occurs.
.PP
\&\fBSSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled
@@ -240,11 +164,11 @@ internally by OpenSSL and 0 otherwise.
.SH "EXTENSION CALLBACKS"
.IX Header "EXTENSION CALLBACKS"
The callback \fBadd_cb\fR is called to send custom extension data to be
-included in various \s-1TLS\s0 messages. The \fBext_type\fR parameter is set to the
+included in various TLS messages. The \fBext_type\fR parameter is set to the
extension type which will be added and \fBadd_arg\fR to the value set when the
extension handler was added. When using the new style callbacks the \fBcontext\fR
parameter will indicate which message is currently being constructed e.g. for
-the ClientHello it will be set to \fB\s-1SSL_EXT_CLIENT_HELLO\s0\fR.
+the ClientHello it will be set to \fBSSL_EXT_CLIENT_HELLO\fR.
.PP
If the application wishes to include the extension \fBext_type\fR it should
set \fB*out\fR to the extension data, set \fB*outlen\fR to the length of the
@@ -252,12 +176,12 @@ extension data and return 1.
.PP
If the \fBadd_cb\fR does not wish to include the extension it must return 0.
.PP
-If \fBadd_cb\fR returns \-1 a fatal handshake error occurs using the \s-1TLS\s0
+If \fBadd_cb\fR returns \-1 a fatal handshake error occurs using the TLS
alert value specified in \fB*al\fR.
.PP
-When constructing the ClientHello, if \fBadd_cb\fR is set to \s-1NULL\s0 a zero length
+When constructing the ClientHello, if \fBadd_cb\fR is set to NULL a zero length
extension is added for \fBext_type\fR. For all other messages if \fBadd_cb\fR is set
-to \s-1NULL\s0 then no extension is added.
+to NULL then no extension is added.
.PP
When constructing a Certificate message the callback will be called for each
certificate in the message. The \fBx\fR parameter will indicate the
@@ -282,9 +206,9 @@ used to free up any dynamic extension data set by \fBadd_cb\fR. Since \fBout\fR
constant (to permit use of constant data in \fBadd_cb\fR) applications may need to
cast away const to free the data.
.PP
-The callback \fBparse_cb\fR receives data for \s-1TLS\s0 extensions. The callback is only
+The callback \fBparse_cb\fR receives data for TLS extensions. The callback is only
called if the extension is present and relevant for the context (see
-\&\*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 below).
+"EXTENSION CONTEXTS" below).
.PP
The extension data consists of \fBinlen\fR bytes in the buffer \fBin\fR for the
extension \fBext_type\fR.
@@ -298,7 +222,7 @@ value of 0.
.PP
If the \fBparse_cb\fR considers the extension data acceptable it must return
1. If it returns 0 or a negative value a fatal handshake error occurs
-using the \s-1TLS\s0 alert value specified in \fB*al\fR.
+using the TLS alert value specified in \fB*al\fR.
.PP
The buffer \fBin\fR is a temporary internal buffer which will not be valid after
the callback returns.
@@ -306,65 +230,65 @@ the callback returns.
.IX Header "EXTENSION CONTEXTS"
An extension context defines which messages and under which conditions an
extension should be added or expected. The context is built up by performing
-a bitwise \s-1OR\s0 of multiple pre-defined values together. The valid context values
+a bitwise OR of multiple pre-defined values together. The valid context values
are:
-.IP "\s-1SSL_EXT_TLS_ONLY\s0" 4
+.IP SSL_EXT_TLS_ONLY 4
.IX Item "SSL_EXT_TLS_ONLY"
-The extension is only allowed in \s-1TLS\s0
-.IP "\s-1SSL_EXT_DTLS_ONLY\s0" 4
+The extension is only allowed in TLS
+.IP SSL_EXT_DTLS_ONLY 4
.IX Item "SSL_EXT_DTLS_ONLY"
-The extension is only allowed in \s-1DTLS\s0
-.IP "\s-1SSL_EXT_TLS_IMPLEMENTATION_ONLY\s0" 4
+The extension is only allowed in DTLS
+.IP SSL_EXT_TLS_IMPLEMENTATION_ONLY 4
.IX Item "SSL_EXT_TLS_IMPLEMENTATION_ONLY"
-The extension is allowed in \s-1DTLS,\s0 but there is only a \s-1TLS\s0 implementation
-available (so it is ignored in \s-1DTLS\s0).
-.IP "\s-1SSL_EXT_SSL3_ALLOWED\s0" 4
+The extension is allowed in DTLS, but there is only a TLS implementation
+available (so it is ignored in DTLS).
+.IP SSL_EXT_SSL3_ALLOWED 4
.IX Item "SSL_EXT_SSL3_ALLOWED"
Extensions are not typically defined for SSLv3. Setting this value will allow
the extension in SSLv3. Applications will not typically need to use this.
-.IP "\s-1SSL_EXT_TLS1_2_AND_BELOW_ONLY\s0" 4
+.IP SSL_EXT_TLS1_2_AND_BELOW_ONLY 4
.IX Item "SSL_EXT_TLS1_2_AND_BELOW_ONLY"
The extension is only defined for TLSv1.2/DTLSv1.2 and below. Servers will
ignore this extension if it is present in the ClientHello and TLSv1.3 is
negotiated.
-.IP "\s-1SSL_EXT_TLS1_3_ONLY\s0" 4
+.IP SSL_EXT_TLS1_3_ONLY 4
.IX Item "SSL_EXT_TLS1_3_ONLY"
-The extension is only defined for \s-1TLS1.3\s0 and above. Servers will ignore this
+The extension is only defined for TLS1.3 and above. Servers will ignore this
extension if it is present in the ClientHello and TLSv1.2 or below is
negotiated.
-.IP "\s-1SSL_EXT_IGNORE_ON_RESUMPTION\s0" 4
+.IP SSL_EXT_IGNORE_ON_RESUMPTION 4
.IX Item "SSL_EXT_IGNORE_ON_RESUMPTION"
The extension will be ignored during parsing if a previous session is being
successfully resumed.
-.IP "\s-1SSL_EXT_CLIENT_HELLO\s0" 4
+.IP SSL_EXT_CLIENT_HELLO 4
.IX Item "SSL_EXT_CLIENT_HELLO"
The extension may be present in the ClientHello message.
-.IP "\s-1SSL_EXT_TLS1_2_SERVER_HELLO\s0" 4
+.IP SSL_EXT_TLS1_2_SERVER_HELLO 4
.IX Item "SSL_EXT_TLS1_2_SERVER_HELLO"
The extension may be present in a TLSv1.2 or below compatible ServerHello
message.
-.IP "\s-1SSL_EXT_TLS1_3_SERVER_HELLO\s0" 4
+.IP SSL_EXT_TLS1_3_SERVER_HELLO 4
.IX Item "SSL_EXT_TLS1_3_SERVER_HELLO"
The extension may be present in a TLSv1.3 compatible ServerHello message.
-.IP "\s-1SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS\s0" 4
+.IP SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS 4
.IX Item "SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS"
The extension may be present in an EncryptedExtensions message.
-.IP "\s-1SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST\s0" 4
+.IP SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST 4
.IX Item "SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST"
The extension may be present in a HelloRetryRequest message.
-.IP "\s-1SSL_EXT_TLS1_3_CERTIFICATE\s0" 4
+.IP SSL_EXT_TLS1_3_CERTIFICATE 4
.IX Item "SSL_EXT_TLS1_3_CERTIFICATE"
The extension may be present in a TLSv1.3 compatible Certificate message.
-.IP "\s-1SSL_EXT_TLS1_3_NEW_SESSION_TICKET\s0" 4
+.IP SSL_EXT_TLS1_3_NEW_SESSION_TICKET 4
.IX Item "SSL_EXT_TLS1_3_NEW_SESSION_TICKET"
The extension may be present in a TLSv1.3 compatible NewSessionTicket message.
-.IP "\s-1SSL_EXT_TLS1_3_CERTIFICATE_REQUEST\s0" 4
+.IP SSL_EXT_TLS1_3_CERTIFICATE_REQUEST 4
.IX Item "SSL_EXT_TLS1_3_CERTIFICATE_REQUEST"
The extension may be present in a TLSv1.3 compatible CertificateRequest message.
.PP
The context must include at least one message value (otherwise the extension
will never be used).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The \fBadd_arg\fR and \fBparse_arg\fR parameters can be set to arbitrary values
which will be passed to the corresponding callbacks. They can, for example,
@@ -377,7 +301,7 @@ is received in a ServerHello/EncryptedExtensions message which was not sent in
the ClientHello a fatal \fBunsupported_extension\fR alert is sent and the
handshake is aborted. The ServerHello/EncryptedExtensions \fBadd_cb\fR callback is
only called if the corresponding extension was received in the ClientHello. This
-is compliant with the \s-1TLS\s0 specifications. This behaviour ensures that each
+is compliant with the TLS specifications. This behaviour ensures that each
callback is called at most once and that an application can never send
unsolicited extensions.
.SH "RETURN VALUES"
@@ -394,14 +318,14 @@ internally by OpenSSL and 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_CTX_add_custom_ext()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2014\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_free.3 b/secure/lib/libcrypto/man/man3/SSL_free.3
index 965b9e57026e..5dd6cf57e8ce 100644
--- a/secure/lib/libcrypto/man/man3/SSL_free.3
+++ b/secure/lib/libcrypto/man/man3/SSL_free.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,105 +52,69 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_FREE 3ossl"
-.TH SSL_FREE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_FREE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_free \- free an allocated SSL structure
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_free(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_free()\fR decrements the reference count of \fBssl\fR, and removes the \s-1SSL\s0
+\&\fBSSL_free()\fR decrements the reference count of \fBssl\fR, and removes the SSL
structure pointed to by \fBssl\fR and frees up the allocated memory if the
reference count has reached 0.
-If \fBssl\fR is \s-1NULL\s0 nothing is done.
-.SH "NOTES"
+If \fBssl\fR is NULL nothing is done.
+.SH NOTES
.IX Header "NOTES"
\&\fBSSL_free()\fR also calls the \fBfree()\fRing procedures for indirectly affected items, if
-applicable: the buffering \s-1BIO,\s0 the read and write BIOs,
-cipher lists specially created for this \fBssl\fR, the \fB\s-1SSL_SESSION\s0\fR.
+applicable: the buffering BIO, the read and write BIOs,
+cipher lists specially created for this \fBssl\fR, the \fBSSL_SESSION\fR.
Do not explicitly free these indirectly freed up items before or after
calling \fBSSL_free()\fR, as trying to free things twice may lead to program
failure.
.PP
-The ssl session has reference counts from two users: the \s-1SSL\s0 object, for
+The ssl session has reference counts from two users: the SSL object, for
which the reference count is removed by \fBSSL_free()\fR and the internal
session cache. If the session is considered bad, because
\&\fBSSL_shutdown\fR\|(3) was not called for the connection
and \fBSSL_set_shutdown\fR\|(3) was not used to set the
-\&\s-1SSL_SENT_SHUTDOWN\s0 state, the session will also be removed
-from the session cache as required by \s-1RFC2246.\s0
+SSL_SENT_SHUTDOWN state, the session will also be removed
+from the session cache as required by RFC2246.
+.PP
+When used to free a QUIC stream SSL object, the respective sending and receiving
+parts of the stream are reset unless those parts have already been concluded
+normally:
+.IP \(bu 4
+If the stream has a sending part (in other words, if it is bidirectional or a
+locally-initiated unidirectional stream) and that part has not been concluded
+via a call to \fBSSL_stream_conclude\fR\|(3) or \fBSSL_stream_reset\fR\|(3) on the QUIC
+stream SSL object, a call to \fBSSL_free()\fR automatically resets the sending part of
+the stream as though \fBSSL_stream_reset\fR\|(3) were called with a QUIC application
+error code of 0.
+.IP \(bu 4
+If the stream has a receiving part (in other words, if it is bidirectional or a
+remotely-initiated unidirectional stream), and the peer has not yet concluded
+that part of the stream normally (such as via a call to
+\&\fBSSL_stream_conclude\fR\|(3) on its own end), a call to \fBSSL_free()\fR automatically
+requests the reset of the receiving part of the stream using a QUIC STOP_SENDING
+frame with a QUIC application error code of 0. Note that as per the QUIC
+protocol, this will automatically cause the peer to reset that part of the
+stream in turn (which is its sending part).
+.PP
+A QUIC stream SSL object maintains a reference to a QUIC connection SSL object
+internally, therefore a QUIC stream SSL object and its parent QUIC connection
+SSL object can be freed in either order.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_free()\fR does not provide diagnostic information.
@@ -174,11 +122,11 @@ from the session cache as required by \s-1RFC2246.\s0
\&\fBSSL_new\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_connection.3 b/secure/lib/libcrypto/man/man3/SSL_get0_connection.3
new file mode 100644
index 000000000000..b54bc521187b
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get0_connection.3
@@ -0,0 +1,107 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET0_CONNECTION 3ossl"
+.TH SSL_GET0_CONNECTION 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get0_connection, SSL_is_connection \- get a QUIC connection SSL object from a
+QUIC stream SSL object
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& SSL *SSL_get0_connection(SSL *ssl);
+\& int SSL_is_connection(SSL *ssl);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_get0_connection()\fR function, when called on a QUIC stream SSL object,
+returns the QUIC connection SSL object which the QUIC stream SSL object belongs
+to.
+.PP
+When called on a QUIC connection SSL object, it returns the same object.
+.PP
+When called on a non-QUIC object, it returns the same object it was passed.
+.PP
+\&\fBSSL_is_connection()\fR returns 1 for QUIC connection SSL objects and for non-QUIC
+SSL objects, but returns 0 for QUIC stream SSL objects.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_get0_connection()\fR returns the QUIC connection SSL object (for a QUIC stream
+SSL object) and otherwise returns the same SSL object passed. It always returns
+non-NULL.
+.PP
+\&\fBSSL_is_connection()\fR returns 1 if the SSL object is not a QUIC stream SSL object
+and 0 otherwise.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_new\fR\|(3), \fBSSL_new_stream\fR\|(3), \fBSSL_accept_stream\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3 b/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3
new file mode 100644
index 000000000000..75d7da2cb395
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get0_group_name.3
@@ -0,0 +1,100 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET0_GROUP_NAME 3ossl"
+.TH SSL_GET0_GROUP_NAME 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get0_group_name \- get name of the group that was used for the key
+agreement of the current TLS session establishment
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& const char *SSL_get0_group_name(SSL *s);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_get0_group_name()\fR returns the name of the group that was used for
+the key agreement of the current TLS session establishment.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+If non-NULL, \fBSSL_get0_group_name()\fR returns the name of the group that was used for
+the key agreement of the current TLS session establishment.
+If \fBSSL_get0_group_name()\fR returns NULL, an error occurred; possibly no TLS session
+has been established. See also \fBSSL_get_negotiated_group\fR\|(3).
+.PP
+Note that the return value is valid only during the lifetime of the
+SSL object \fIssl\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBssl\fR\|(7),
+\&\fBSSL_get_negotiated_group\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+This function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3
new file mode 100644
index 000000000000..f5392999d39a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_rpk.3
@@ -0,0 +1,149 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET0_PEER_RPK 3ossl"
+.TH SSL_GET0_PEER_RPK 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_add_expected_rpk,
+SSL_get_negotiated_client_cert_type,
+SSL_get_negotiated_server_cert_type,
+SSL_get0_peer_rpk,
+SSL_SESSION_get0_peer_rpk \- raw public key (RFC7250) support
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_add_expected_rpk(SSL *s, EVP_PKEY *rpk);
+\& int SSL_get_negotiated_client_cert_type(const SSL *s);
+\& int SSL_get_negotiated_server_cert_type(const SSL *s);
+\& EVP_PKEY *SSL_get0_peer_rpk(const SSL *s);
+\& EVP_PKEY *SSL_SESSION_get0_peer_rpk(const SSL_SESSION *ss);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_add_expected_rpk()\fR adds a DANE TLSA record matching public key \fBrpk\fR
+to SSL \fBs\fR's DANE validation policy.
+.PP
+\&\fBSSL_get_negotiated_client_cert_type()\fR returns the connection's negotiated
+client certificate type.
+.PP
+\&\fBSSL_get_negotiated_server_cert_type()\fR returns the connection's negotiated
+server certificate type.
+.PP
+\&\fBSSL_get0_peer_rpk()\fR returns the peer's raw public key from SSL \fBs\fR.
+.PP
+\&\fBSSL_SESSION_get0_peer_rpk()\fR returns the peer's raw public key from
+SSL_SESSION \fBss\fR.
+.SH NOTES
+.IX Header "NOTES"
+Raw public keys are used in place of certificates when the option is
+negotiated.
+\&\fBSSL_add_expected_rpk()\fR may be called multiple times to configure
+multiple trusted keys, this makes it possible to allow for key rotation,
+where a peer might be expected to offer an "old" or "new" key and the
+endpoint must be able to accept either one.
+.PP
+When raw public keys are used, the certificate verify callback is called, and
+may be used to inspect the public key via \fBX509_STORE_CTX_get0_rpk\fR\|(3).
+Raw public keys have no subject, issuer, validity dates nor digital signature
+to verify. They can, however, be matched verbatim or by their digest value, this
+is done by specifying one or more TLSA records, see \fBSSL_CTX_dane_enable\fR\|(3).
+.PP
+The raw public key is typically taken from the certificate assigned to the
+connection (e.g. via \fBSSL_use_certificate\fR\|(3)), but if a certificate is not
+configured, then the public key will be extracted from the assigned
+private key.
+.PP
+The \fBSSL_add_expected_rpk()\fR function is a wrapper around
+\&\fBSSL_dane_tlsa_add\fR\|(3).
+When DANE is enabled via \fBSSL_dane_enable\fR\|(3), the configured TLSA records
+will be used to validate the peer's public key or certificate.
+If DANE is not enabled, then no validation will occur.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_add_expected_rpk()\fR returns 1 on success and 0 on failure.
+.PP
+\&\fBSSL_get0_peer_rpk()\fR and \fBSSL_SESSION_get0_peer_rpk()\fR return the peer's raw
+public key as an EVP_PKEY or NULL when the raw public key is not available.
+.PP
+\&\fBSSL_get_negotiated_client_cert_type()\fR and \fBSSL_get_negotiated_server_cert_type()\fR
+return one of the following values:
+.IP TLSEXT_cert_type_x509 4
+.IX Item "TLSEXT_cert_type_x509"
+.PD 0
+.IP TLSEXT_cert_type_rpk 4
+.IX Item "TLSEXT_cert_type_rpk"
+.PD
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_CTX_dane_enable\fR\|(3),
+\&\fBSSL_CTX_set_options\fR\|(3),
+\&\fBSSL_dane_enable\fR\|(3),
+\&\fBSSL_get_verify_result\fR\|(3),
+\&\fBSSL_set_verify\fR\|(3),
+\&\fBSSL_use_certificate\fR\|(3),
+\&\fBX509_STORE_CTX_get0_rpk\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3
index 7b8cb213064b..d9e2525b21b7 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,90 +52,30 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET0_PEER_SCTS 3ossl"
-.TH SSL_GET0_PEER_SCTS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET0_PEER_SCTS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get0_peer_scts \- get SCTs received
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get0_peer_scts()\fR returns the signed certificate timestamps (SCTs) that have
been received. If this is the first time that this function has been called for
-a given \fB\s-1SSL\s0\fR instance, it will examine the \s-1TLS\s0 extensions, \s-1OCSP\s0 response and
+a given \fBSSL\fR instance, it will examine the TLS extensions, OCSP response and
the peer's certificate for SCTs. Future calls will return the same SCTs.
-.SH "RESTRICTIONS"
+.SH RESTRICTIONS
.IX Header "RESTRICTIONS"
If no Certificate Transparency validation callback has been set (using
\&\fBSSL_CTX_set_ct_validation_callback\fR or \fBSSL_set_ct_validation_callback\fR),
@@ -159,16 +83,16 @@ this function is not guaranteed to return all of the SCTs that the peer is
capable of sending.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_get0_peer_scts()\fR returns a list of SCTs found, or \s-1NULL\s0 if an error occurs.
+\&\fBSSL_get0_peer_scts()\fR returns a list of SCTs found, or NULL if an error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_ct_validation_callback\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3
new file mode 100644
index 000000000000..21466cddab29
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get1_builtin_sigalgs.3
@@ -0,0 +1,95 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET1_BUILTIN_SIGALGS 3ossl"
+.TH SSL_GET1_BUILTIN_SIGALGS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get1_builtin_sigalgs \- get list of built\-in signature algorithms
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/tls1.h>
+\&
+\& char *SSL_get1_builtin_sigalgs(OSSL_LIB_CTX *libctx);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+Return the colon-separated list of built-in and available TLS signature
+algorithms.
+The string returned must be freed by the user using \fBOPENSSL_free\fR\|(3).
+.SH NOTES
+.IX Header "NOTES"
+The string may be empty (strlen==0) if none of the built-in TLS signature
+algorithms can be activated, e.g., if suitable providers are missing.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+NULL may be returned if no memory could be allocated. Otherwise, a
+newly allocated string is always returned but it may have strlen == 0.
+.SH HISTORY
+.IX Header "HISTORY"
+This function was added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3
index 9ea9eb53e98a..4a3026989f20 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,98 +52,38 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_SSL_CTX 3ossl"
-.TH SSL_GET_SSL_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_SSL_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_SSL_CTX \- get the SSL_CTX from which an SSL is created
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_SSL_CTX()\fR returns a pointer to the \s-1SSL_CTX\s0 object, from which
+\&\fBSSL_get_SSL_CTX()\fR returns a pointer to the SSL_CTX object, from which
\&\fBssl\fR was created with \fBSSL_new\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-The pointer to the \s-1SSL_CTX\s0 object is returned.
+The pointer to the SSL_CTX object is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3
index a8f4a76fd4e4..cb806aa3a766 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_ALL_ASYNC_FDS 3ossl"
-.TH SSL_GET_ALL_ASYNC_FDS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_ALL_ASYNC_FDS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_waiting_for_async,
SSL_get_all_async_fds,
SSL_get_changed_async_fds
\&\- manage asynchronous operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/async.h>
@@ -152,44 +76,44 @@ SSL_get_changed_async_fds
\& int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
\& OSSL_ASYNC_FD *delfd, size_t *numdelfds);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_waiting_for_async()\fR determines whether an \s-1SSL\s0 connection is currently
-waiting for asynchronous operations to complete (see the \fB\s-1SSL_MODE_ASYNC\s0\fR mode
+\&\fBSSL_waiting_for_async()\fR determines whether an SSL connection is currently
+waiting for asynchronous operations to complete (see the \fBSSL_MODE_ASYNC\fR mode
in \fBSSL_CTX_set_mode\fR\|(3)).
.PP
\&\fBSSL_get_all_async_fds()\fR returns a list of file descriptor which can be used in a
call to \fBselect()\fR or \fBpoll()\fR to determine whether the current asynchronous
operation has completed or not. A completed operation will result in data
-appearing as \*(L"read ready\*(R" on the file descriptor (no actual data should be read
-from the file descriptor). This function should only be called if the \fB\s-1SSL\s0\fR
+appearing as "read ready" on the file descriptor (no actual data should be read
+from the file descriptor). This function should only be called if the \fBSSL\fR
object is currently waiting for asynchronous work to complete (i.e.
-\&\fB\s-1SSL_ERROR_WANT_ASYNC\s0\fR has been received \- see \fBSSL_get_error\fR\|(3)). Typically
+\&\fBSSL_ERROR_WANT_ASYNC\fR has been received \- see \fBSSL_get_error\fR\|(3)). Typically
the list will only contain one file descriptor. However, if multiple asynchronous
capable engines are in use then more than one is possible. The number of file
descriptors returned is stored in \fI*numfds\fR and the file descriptors themselves
-are in \fI*fds\fR. The \fIfds\fR parameter may be \s-1NULL\s0 in which case no file
+are in \fI*fds\fR. The \fIfds\fR parameter may be NULL in which case no file
descriptors are returned but \fI*numfds\fR is still populated. It is the callers
responsibility to ensure sufficient memory is allocated at \fI*fds\fR so typically
-this function is called twice (once with a \s-1NULL\s0 \fIfds\fR parameter and once
+this function is called twice (once with a NULL \fIfds\fR parameter and once
without).
.PP
\&\fBSSL_get_changed_async_fds()\fR returns a list of the asynchronous file descriptors
that have been added and a list that have been deleted since the last
-\&\fB\s-1SSL_ERROR_WANT_ASYNC\s0\fR was received (or since the \fB\s-1SSL\s0\fR object was created if
-no \fB\s-1SSL_ERROR_WANT_ASYNC\s0\fR has been received). Similar to \fBSSL_get_all_async_fds()\fR
+\&\fBSSL_ERROR_WANT_ASYNC\fR was received (or since the \fBSSL\fR object was created if
+no \fBSSL_ERROR_WANT_ASYNC\fR has been received). Similar to \fBSSL_get_all_async_fds()\fR
it is the callers responsibility to ensure that \fI*addfd\fR and \fI*delfd\fR have
-sufficient memory allocated, although they may be \s-1NULL.\s0 The number of added fds
+sufficient memory allocated, although they may be NULL. The number of added fds
and the number of deleted fds are stored in \fI*numaddfds\fR and \fI*numdelfds\fR
respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_waiting_for_async()\fR will return 1 if the current \s-1SSL\s0 operation is waiting
+\&\fBSSL_waiting_for_async()\fR will return 1 if the current SSL operation is waiting
for an async operation to complete and 0 otherwise.
.PP
\&\fBSSL_get_all_async_fds()\fR and \fBSSL_get_changed_async_fds()\fR return 1 on success or
0 on error.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
On Windows platforms the \fI<openssl/async.h>\fR header is dependent on some
of the types customarily made available by including \fI<windows.h>\fR. The
@@ -201,15 +125,15 @@ it is defined as an application developer's responsibility to include
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_get_error\fR\|(3), \fBSSL_CTX_set_mode\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_waiting_for_async()\fR, \fBSSL_get_all_async_fds()\fR
and \fBSSL_get_changed_async_fds()\fR functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_certificate.3
index 7b96508d7fd3..279108394385 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_certificate.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_certificate.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CERTIFICATE 3ossl"
-.TH SSL_GET_CERTIFICATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_CERTIFICATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_certificate, SSL_get_privatekey \- retrieve TLS/SSL certificate and
private key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,20 +71,20 @@ private key
\& X509 *SSL_get_certificate(const SSL *s);
\& EVP_PKEY *SSL_get_privatekey(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_certificate()\fR returns a pointer to an \fBX509\fR object representing a
certificate used as the local peer's identity.
.PP
Multiple certificates can be configured; for example, a server might have both
-\&\s-1RSA\s0 and \s-1ECDSA\s0 certificates. The certificate which is returned by
+RSA and ECDSA certificates. The certificate which is returned by
\&\fBSSL_get_certificate()\fR is determined as follows:
-.IP "\(bu" 4
+.IP \(bu 4
If it is called before certificate selection has occurred, it returns the most
-recently added certificate, or \s-1NULL\s0 if no certificate has been added.
-.IP "\(bu" 4
+recently added certificate, or NULL if no certificate has been added.
+.IP \(bu 4
After certificate selection has occurred, it returns the certificate which was
-selected during the handshake, or \s-1NULL\s0 if no certificate was selected (for
+selected during the handshake, or NULL if no certificate was selected (for
example, on a client where no client certificate is in use).
.PP
Certificate selection occurs during the handshake; therefore, the value returned
@@ -171,24 +95,24 @@ selection occurs.
A specific use for \fBSSL_get_certificate()\fR is inside a callback set via a call to
\&\fBSSL_CTX_set_tlsext_status_cb\fR\|(3). This callback occurs after certificate
selection, where it can be used to examine a server's chosen certificate, for
-example for the purpose of identifying a certificate's \s-1OCSP\s0 responder \s-1URL\s0 so
-that an \s-1OCSP\s0 response can be obtained.
+example for the purpose of identifying a certificate's OCSP responder URL so
+that an OCSP response can be obtained.
.PP
-\&\fBSSL_get_privatekey()\fR returns a pointer to the \fB\s-1EVP_PKEY\s0\fR object corresponding
+\&\fBSSL_get_privatekey()\fR returns a pointer to the \fBEVP_PKEY\fR object corresponding
to the certificate returned by \fBSSL_get_certificate()\fR, if any.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-These functions return pointers to their respective objects, or \s-1NULL\s0 if no such
-object is available. Returned objects are owned by the \s-1SSL\s0 object and should not
+These functions return pointers to their respective objects, or NULL if no such
+object is available. Returned objects are owned by the SSL object and should not
be freed by users of these functions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_tlsext_status_cb\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3
index 1d2cdec1102f..ecbc18b27749 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CIPHERS 3ossl"
-.TH SSL_GET_CIPHERS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_CIPHERS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get1_supported_ciphers,
SSL_get_client_ciphers,
SSL_get_ciphers,
@@ -145,7 +69,7 @@ SSL_bytes_to_cipher_list,
SSL_get_cipher_list,
SSL_get_shared_ciphers
\&\- get list of available SSL_CIPHERs
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -160,10 +84,10 @@ SSL_get_shared_ciphers
\& const char *SSL_get_cipher_list(const SSL *ssl, int priority);
\& char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBssl\fR,
-sorted by preference. If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0
+sorted by preference. If \fBssl\fR is NULL or no ciphers are available, NULL
is returned.
.PP
\&\fBSSL_CTX_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBctx\fR.
@@ -172,36 +96,36 @@ is returned.
\&\fBssl\fR as would be sent in a ClientHello (that is, sorted by preference).
The list depends on settings like the cipher list, the supported protocol
versions, the security level, and the enabled signature algorithms.
-\&\s-1SRP\s0 and \s-1PSK\s0 ciphers are only enabled if the appropriate callbacks or settings
+SRP and PSK ciphers are only enabled if the appropriate callbacks or settings
have been applied.
The list of ciphers that would be sent in a ClientHello can differ from
the list of ciphers that would be acceptable when acting as a server.
For example, additional ciphers may be usable by a server if there is
a gap in the list of supported protocols, and some ciphers may not be
usable by a server if there is not a suitable certificate configured.
-If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0 is returned.
+If \fBssl\fR is NULL or no ciphers are available, NULL is returned.
.PP
\&\fBSSL_get_client_ciphers()\fR returns the stack of available SSL_CIPHERs matching the
-list received from the client on \fBssl\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are
-available, or \fBssl\fR is not operating in server mode, \s-1NULL\s0 is returned.
+list received from the client on \fBssl\fR. If \fBssl\fR is NULL, no ciphers are
+available, or \fBssl\fR is not operating in server mode, NULL is returned.
.PP
\&\fBSSL_bytes_to_cipher_list()\fR treats the supplied \fBlen\fR octets in \fBbytes\fR
as a wire-protocol cipher suite specification (in the three-octet-per-cipher
SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two-octet
SSLv3/TLS wire format), and parses the cipher suites supported by the library
-into the returned stacks of \s-1SSL_CIPHER\s0 objects sk and Signalling Cipher-Suite
+into the returned stacks of SSL_CIPHER objects sk and Signalling Cipher-Suite
Values scsvs. Unsupported cipher suites are ignored. Returns 1 on success
and 0 on failure.
.PP
-\&\fBSSL_get_cipher_list()\fR returns a pointer to the name of the \s-1SSL_CIPHER\s0
-listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are
-available, or there are less ciphers than \fBpriority\fR available, \s-1NULL\s0
+\&\fBSSL_get_cipher_list()\fR returns a pointer to the name of the SSL_CIPHER
+listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is NULL, no ciphers are
+available, or there are less ciphers than \fBpriority\fR available, NULL
is returned.
.PP
-\&\fBSSL_get_shared_ciphers()\fR creates a colon separated and \s-1NUL\s0 terminated list of
-\&\s-1SSL_CIPHER\s0 names that are available in both the client and the server. \fBbuf\fR is
+\&\fBSSL_get_shared_ciphers()\fR creates a colon separated and NUL terminated list of
+SSL_CIPHER names that are available in both the client and the server. \fBbuf\fR is
the buffer that should be populated with the list of names and \fBsize\fR is the
-size of that buffer. A pointer to \fBbuf\fR is returned on success or \s-1NULL\s0 on
+size of that buffer. A pointer to \fBbuf\fR is returned on success or NULL on
error. If the supplied buffer is not large enough to contain the complete list
of names then a truncated list of names will be returned. Note that just because
a ciphersuite is available (i.e. it is configured in the cipher list) and shared
@@ -210,18 +134,18 @@ description of \fBSSL_get1_supported_ciphers()\fR above). This function will ret
available shared ciphersuites whether or not they are enabled. This is a server
side function only and must only be called after the completion of the initial
handshake.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The details of the ciphers obtained by \fBSSL_get_ciphers()\fR, \fBSSL_CTX_get_ciphers()\fR
\&\fBSSL_get1_supported_ciphers()\fR and \fBSSL_get_client_ciphers()\fR can be obtained using
the \fBSSL_CIPHER_get_name\fR\|(3) family of functions.
.PP
Call \fBSSL_get_cipher_list()\fR with \fBpriority\fR starting from 0 to obtain the
-sorted list of available ciphers, until \s-1NULL\s0 is returned.
+sorted list of available ciphers, until NULL is returned.
.PP
Note: \fBSSL_get_ciphers()\fR, \fBSSL_CTX_get_ciphers()\fR and \fBSSL_get_client_ciphers()\fR
return a pointer to an internal cipher stack, which will be freed later on when
-the \s-1SSL\s0 or \s-1SSL_SESSION\s0 object is freed. Therefore, the calling code \fB\s-1MUST NOT\s0\fR
+the SSL or SSL_SESSION object is freed. Therefore, the calling code \fBMUST NOT\fR
free the return value itself.
.PP
The stack returned by \fBSSL_get1_supported_ciphers()\fR should be freed using
@@ -231,16 +155,16 @@ The stacks returned by \fBSSL_bytes_to_cipher_list()\fR should be freed using
\&\fBsk_SSL_CIPHER_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-See \s-1DESCRIPTION\s0
+See DESCRIPTION
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CIPHER_get_name\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3
index eb2ac1ea8374..3f0876574d2f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CLIENT_RANDOM 3ossl"
-.TH SSL_GET_CLIENT_RANDOM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_CLIENT_RANDOM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_client_random,
SSL_get_server_random,
SSL_SESSION_get_master_key,
SSL_SESSION_set1_master_key
\&\- get internal TLS/SSL random values and get/set master key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -154,10 +78,10 @@ SSL_SESSION_set1_master_key
\& int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
\& size_t len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_client_random()\fR extracts the random value sent from the client
-to the server during the initial \s-1SSL/TLS\s0 handshake. It copies as many
+to the server during the initial SSL/TLS handshake. It copies as many
bytes as it can of this value into the buffer provided in \fBout\fR,
which must have at least \fBoutlen\fR bytes available. It returns the
total number of bytes that were actually copied. If \fBoutlen\fR is
@@ -165,47 +89,47 @@ zero, \fBSSL_get_client_random()\fR copies nothing, and returns the
total size of the client_random value.
.PP
\&\fBSSL_get_server_random()\fR behaves the same, but extracts the random value
-sent from the server to the client during the initial \s-1SSL/TLS\s0 handshake.
+sent from the server to the client during the initial SSL/TLS handshake.
.PP
\&\fBSSL_SESSION_get_master_key()\fR behaves the same, but extracts the master
-secret used to guarantee the security of the \s-1SSL/TLS\s0 session. This one
-can be dangerous if misused; see \s-1NOTES\s0 below.
+secret used to guarantee the security of the SSL/TLS session. This one
+can be dangerous if misused; see NOTES below.
.PP
\&\fBSSL_SESSION_set1_master_key()\fR sets the master key value associated with the
-\&\s-1SSL_SESSION\s0 \fBsess\fR. For example, this could be used to set up a session based
-\&\s-1PSK\s0 (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)). The master key of length
+SSL_SESSION \fBsess\fR. For example, this could be used to set up a session based
+PSK (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)). The master key of length
\&\fBlen\fR should be provided at \fBin\fR. The supplied master key is copied by the
function, so the caller is responsible for freeing and cleaning any memory
associated with \fBin\fR. The caller must ensure that the length of the key is
-suitable for the ciphersuite associated with the \s-1SSL_SESSION.\s0
-.SH "NOTES"
+suitable for the ciphersuite associated with the SSL_SESSION.
+.SH NOTES
.IX Header "NOTES"
You probably shouldn't use these functions.
.PP
-These functions expose internal values from the \s-1TLS\s0 handshake, for
+These functions expose internal values from the TLS handshake, for
use in low-level protocols. You probably should not use them, unless
you are implementing something that needs access to the internal protocol
details.
.PP
Despite the names of \fBSSL_get_client_random()\fR and \fBSSL_get_server_random()\fR, they
-\&\s-1ARE NOT\s0 random number generators. Instead, they return the mostly-random values that
-were already generated and used in the \s-1TLS\s0 protocol. Using them
+ARE NOT random number generators. Instead, they return the mostly-random values that
+were already generated and used in the TLS protocol. Using them
in place of \fBRAND_bytes()\fR would be grossly foolish.
.PP
-The security of your \s-1TLS\s0 session depends on keeping the master key secret:
+The security of your TLS session depends on keeping the master key secret:
do not expose it, or any information about it, to anybody.
If you need to calculate another secret value that depends on the master
secret, you should probably use \fBSSL_export_keying_material()\fR instead, and
forget that you ever saw these functions.
.PP
-In current versions of the \s-1TLS\s0 protocols, the length of client_random
-(and also server_random) is always \s-1SSL3_RANDOM_SIZE\s0 bytes. Support for
+In current versions of the TLS protocols, the length of client_random
+(and also server_random) is always SSL3_RANDOM_SIZE bytes. Support for
other outlen arguments to the SSL_get_*\fB_random()\fR functions is provided
-in case of the unlikely event that a future version or variant of \s-1TLS\s0
+in case of the unlikely event that a future version or variant of TLS
uses some other length there.
.PP
-Finally, though the \*(L"client_random\*(R" and \*(L"server_random\*(R" values are called
-\&\*(L"random\*(R", many \s-1TLS\s0 implementations will generate four bytes of those
+Finally, though the "client_random" and "server_random" values are called
+"random", many TLS implementations will generate four bytes of those
values based on their view of the current time.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -214,18 +138,18 @@ values based on their view of the current time.
For the other functions, if \fBoutlen\fR is greater than 0 then these functions
return the number of bytes actually copied, which will be less than or equal to
\&\fBoutlen\fR. If \fBoutlen\fR is 0 then these functions return the maximum number
-of bytes they would copy \*(-- that is, the length of the underlying field.
+of bytes they would copy \-\- that is, the length of the underlying field.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBRAND_bytes\fR\|(3),
\&\fBSSL_export_keying_material\fR\|(3),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3 b/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3
new file mode 100644
index 000000000000..9321bb6fc7a6
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_conn_close_info.3
@@ -0,0 +1,215 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_CONN_CLOSE_INFO 3ossl"
+.TH SSL_GET_CONN_CLOSE_INFO 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_conn_close_info, SSL_CONN_CLOSE_FLAG_LOCAL,
+SSL_CONN_CLOSE_FLAG_TRANSPORT,
+OSSL_QUIC_ERR_NO_ERROR,
+OSSL_QUIC_ERR_INTERNAL_ERROR,
+OSSL_QUIC_ERR_CONNECTION_REFUSED,
+OSSL_QUIC_ERR_FLOW_CONTROL_ERROR,
+OSSL_QUIC_ERR_STREAM_LIMIT_ERROR,
+OSSL_QUIC_ERR_STREAM_STATE_ERROR,
+OSSL_QUIC_ERR_FINAL_SIZE_ERROR,
+OSSL_QUIC_ERR_FRAME_ENCODING_ERROR,
+OSSL_QUIC_ERR_TRANSPORT_PARAMETER_ERROR,
+OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR,
+OSSL_QUIC_ERR_PROTOCOL_VIOLATION,
+OSSL_QUIC_ERR_INVALID_TOKEN,
+OSSL_QUIC_ERR_APPLICATION_ERROR,
+OSSL_QUIC_ERR_CRYPTO_BUFFER_EXCEEDED,
+OSSL_QUIC_ERR_KEY_UPDATE_ERROR,
+OSSL_QUIC_ERR_AEAD_LIMIT_REACHED,
+OSSL_QUIC_ERR_NO_VIABLE_PATH,
+OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN,
+OSSL_QUIC_ERR_CRYPTO_ERR_END,
+OSSL_QUIC_ERR_CRYPTO_ERR,
+OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT
+\&\- get information about why a QUIC connection was closed
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_CONN_CLOSE_FLAG_LOCAL
+\& #define SSL_CONN_CLOSE_FLAG_TRANSPORT
+\&
+\& typedef struct ssl_conn_close_info_st {
+\& uint64_t error_code, frame_type;
+\& char *reason;
+\& size_t reason_len;
+\& uint32_t flags;
+\& } SSL_CONN_CLOSE_INFO;
+\&
+\& int SSL_get_conn_close_info(SSL *ssl, SSL_CONN_CLOSE_INFO *info,
+\& size_t info_len);
+\&
+\& #define OSSL_QUIC_ERR_NO_ERROR 0x00
+\& #define OSSL_QUIC_ERR_INTERNAL_ERROR 0x01
+\& #define OSSL_QUIC_ERR_CONNECTION_REFUSED 0x02
+\& #define OSSL_QUIC_ERR_FLOW_CONTROL_ERROR 0x03
+\& #define OSSL_QUIC_ERR_STREAM_LIMIT_ERROR 0x04
+\& #define OSSL_QUIC_ERR_STREAM_STATE_ERROR 0x05
+\& #define OSSL_QUIC_ERR_FINAL_SIZE_ERROR 0x06
+\& #define OSSL_QUIC_ERR_FRAME_ENCODING_ERROR 0x07
+\& #define OSSL_QUIC_ERR_TRANSPORT_PARAMETER_ERROR 0x08
+\& #define OSSL_QUIC_ERR_CONNECTION_ID_LIMIT_ERROR 0x09
+\& #define OSSL_QUIC_ERR_PROTOCOL_VIOLATION 0x0A
+\& #define OSSL_QUIC_ERR_INVALID_TOKEN 0x0B
+\& #define OSSL_QUIC_ERR_APPLICATION_ERROR 0x0C
+\& #define OSSL_QUIC_ERR_CRYPTO_BUFFER_EXCEEDED 0x0D
+\& #define OSSL_QUIC_ERR_KEY_UPDATE_ERROR 0x0E
+\& #define OSSL_QUIC_ERR_AEAD_LIMIT_REACHED 0x0F
+\& #define OSSL_QUIC_ERR_NO_VIABLE_PATH 0x10
+\&
+\& /* Inclusive range for handshake\-specific errors. */
+\& #define OSSL_QUIC_ERR_CRYPTO_ERR_BEGIN 0x0100
+\& #define OSSL_QUIC_ERR_CRYPTO_ERR_END 0x01FF
+\&
+\& #define OSSL_QUIC_ERR_CRYPTO_ERR(X)
+\&
+\& #define OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_get_conn_close_info()\fR function provides information about why and how a
+QUIC connection was closed.
+.PP
+Connection closure information is written to \fI*info\fR, which must be non-NULL.
+\&\fIinfo_len\fR must be set to \f(CWsizeof(*info)\fR.
+.PP
+The following fields are set:
+.IP \fIerror_code\fR 4
+.IX Item "error_code"
+This is a 62\-bit QUIC error code. It is either a 62\-bit application error code
+(if \fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR not set in \fIflags\fR) or a 62\-bit standard
+QUIC transport error code (if \fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR is set in
+\&\fIflags\fR).
+.IP \fIframe_type\fR 4
+.IX Item "frame_type"
+If \fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR is set, this may be set to a QUIC frame type
+number which caused the connection to be closed. It may also be set to 0 if no
+frame type was specified as causing the connection to be closed. If
+\&\fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR is not set, this is set to 0.
+.IP \fIreason\fR 4
+.IX Item "reason"
+If non-NULL, this is intended to be a UTF\-8 textual string briefly describing
+the reason for connection closure. The length of the reason string in bytes is
+given in \fIreason_len\fR. While, if non-NULL, OpenSSL guarantees that this string
+will be zero terminated, consider that this buffer may originate from the
+(untrusted) peer and thus may also contain zero bytes elsewhere. Therefore, use
+of \fIreason_len\fR is recommended.
+.Sp
+While it is intended as per the QUIC protocol that this be a UTF\-8 string, there
+is no guarantee that this is the case for strings received from the peer.
+.IP \fBSSL_CONN_CLOSE_FLAG_LOCAL\fR 4
+.IX Item "SSL_CONN_CLOSE_FLAG_LOCAL"
+If \fIflags\fR has \fBSSL_CONN_CLOSE_FLAG_LOCAL\fR set, connection closure was locally
+triggered. This could be due to an application request (e.g. if
+\&\fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR is unset), or (if
+\&\fISSL_CONN_CLOSE_FLAG_TRANSPORT\fR is set) due to logic internal to the QUIC
+implementation (for example, if the peer engages in a protocol violation, or an
+idle timeout occurs).
+.Sp
+If unset, connection closure was remotely triggered.
+.IP \fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR 4
+.IX Item "SSL_CONN_CLOSE_FLAG_TRANSPORT"
+If \fIflags\fR has \fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR set, connection closure was
+triggered for QUIC protocol reasons. Otherwise, connection closure was triggered
+by the local or remote application.
+.PP
+The \fBOSSL_QUIC_ERR\fR macro definitions provide the QUIC transport error codes as
+defined by RFC 9000. The \fBOSSL_QUIC_ERR_CRYPTO_ERR()\fR macro can be used to convert
+a TLS alert code into a QUIC transport error code by mapping it into the range
+reserved for such codes by RFC 9000. This range begins at
+\&\fBOSSL_QUIC_ERR_CRYPTO_ERR_BEGIN\fR and ends at \fBOSSL_QUIC_ERR_CRYPTO_ERR_END\fR
+inclusive.
+.SH "NON-STANDARD TRANSPORT ERROR CODES"
+.IX Header "NON-STANDARD TRANSPORT ERROR CODES"
+Some conditions which can cause QUIC connection termination are not signalled on
+the wire and therefore do not have standard error codes. OpenSSL indicates these
+errors via \fBSSL_get_conn_close_info()\fR by setting \fBSSL_CONN_CLOSE_FLAG_TRANSPORT\fR
+and using one of the following error values. These codes are specific to
+OpenSSL, and cannot be sent over the wire, as they are above 2**62.
+.IP \fBOSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT\fR 4
+.IX Item "OSSL_QUIC_LOCAL_ERR_IDLE_TIMEOUT"
+The connection was terminated immediately due to the idle timeout expiring.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_get_conn_close_info()\fR returns 1 on success and 0 on failure. This function
+fails if called on a QUIC connection SSL object which has not yet been
+terminated. It also fails if called on a QUIC stream SSL object or a non-QUIC
+SSL object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_shutdown_ex\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+This function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3
index 86be61d0984e..f6456020560b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CURRENT_CIPHER 3ossl"
-.TH SSL_GET_CURRENT_CIPHER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_CURRENT_CIPHER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_current_cipher, SSL_get_cipher_name, SSL_get_cipher,
SSL_get_cipher_bits, SSL_get_cipher_version,
SSL_get_pending_cipher \- get SSL_CIPHER of a connection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -153,11 +77,11 @@ SSL_get_pending_cipher \- get SSL_CIPHER of a connection
\& int SSL_get_cipher_bits(const SSL *s, int *np);
\& const char *SSL_get_cipher_version(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_current_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing
+\&\fBSSL_get_current_cipher()\fR returns a pointer to an SSL_CIPHER object containing
the description of the actually used cipher of a connection established with
-the \fBssl\fR object.
+the \fBssl\fR object. \fBssl\fR \fBMUST NOT\fR be NULL.
See \fBSSL_CIPHER_get_name\fR\|(3) for more details.
.PP
\&\fBSSL_get_cipher_name()\fR obtains the
@@ -167,7 +91,7 @@ name of the currently used cipher.
macro to obtain the number of secret/algorithm bits used and
\&\fBSSL_get_cipher_version()\fR returns the protocol name.
.PP
-\&\fBSSL_get_pending_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing
+\&\fBSSL_get_pending_cipher()\fR returns a pointer to an SSL_CIPHER object containing
the description of the cipher (if any) that has been negotiated for future use
on the connection established with the \fBssl\fR object, but is not yet in use.
This may be the case during handshake processing, when control flow can be
@@ -178,23 +102,23 @@ by \fBSSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non-NULL return va
Other callbacks may be added to this list over time.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_get_current_cipher()\fR returns the cipher actually used, or \s-1NULL\s0 if
+\&\fBSSL_get_current_cipher()\fR returns the cipher actually used, or NULL if
no session has been established.
.PP
\&\fBSSL_get_pending_cipher()\fR returns the cipher to be used at the next change
-of cipher suite, or \s-1NULL\s0 if no such cipher is known.
-.SH "NOTES"
+of cipher suite, or NULL if no such cipher is known.
+.SH NOTES
.IX Header "NOTES"
SSL_get_cipher, SSL_get_cipher_bits, SSL_get_cipher_version, and
SSL_get_cipher_name are implemented as macros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CIPHER_get_name\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3
index a829ffff1390..1dd0a9a349ff 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_DEFAULT_TIMEOUT 3ossl"
-.TH SSL_GET_DEFAULT_TIMEOUT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_DEFAULT_TIMEOUT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_default_timeout \- get default session timeout value
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_get_default_timeout(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_default_timeout()\fR returns the default timeout value assigned to
-\&\s-1SSL_SESSION\s0 objects negotiated for the protocol valid for \fBssl\fR.
-.SH "NOTES"
+SSL_SESSION objects negotiated for the protocol valid for \fBssl\fR.
+.SH NOTES
.IX Header "NOTES"
Whenever a new session is negotiated, it is assigned a timeout value,
after which it will not be accepted for session reuse. If the timeout
@@ -169,11 +93,11 @@ See description.
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_error.3 b/secure/lib/libcrypto/man/man3/SSL_get_error.3
index 4d63ab36b208..aa2b70f27a5e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_error.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_error.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,211 +52,163 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_ERROR 3ossl"
-.TH SSL_GET_ERROR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_ERROR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_error \- obtain result code for TLS/SSL I/O operation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_error(const SSL *ssl, int ret);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_error()\fR returns a result code (suitable for the C \*(L"switch\*(R"
+\&\fBSSL_get_error()\fR returns a result code (suitable for the C "switch"
statement) for a preceding call to \fBSSL_connect()\fR, \fBSSL_accept()\fR, \fBSSL_do_handshake()\fR,
\&\fBSSL_read_ex()\fR, \fBSSL_read()\fR, \fBSSL_peek_ex()\fR, \fBSSL_peek()\fR, \fBSSL_shutdown()\fR,
-\&\fBSSL_write_ex()\fR or \fBSSL_write()\fR on \fBssl\fR. The value returned by that \s-1TLS/SSL I/O\s0
+\&\fBSSL_write_ex()\fR or \fBSSL_write()\fR on \fBssl\fR. The value returned by that TLS/SSL I/O
function must be passed to \fBSSL_get_error()\fR in parameter \fBret\fR.
.PP
In addition to \fBssl\fR and \fBret\fR, \fBSSL_get_error()\fR inspects the
current thread's OpenSSL error queue. Thus, \fBSSL_get_error()\fR must be
-used in the same thread that performed the \s-1TLS/SSL I/O\s0 operation, and no
+used in the same thread that performed the TLS/SSL I/O operation, and no
other OpenSSL function calls should appear in between. The current
-thread's error queue must be empty before the \s-1TLS/SSL I/O\s0 operation is
+thread's error queue must be empty before the TLS/SSL I/O operation is
attempted, or \fBSSL_get_error()\fR will not work reliably.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-Some \s-1TLS\s0 implementations do not send a close_notify alert on shutdown.
+Some TLS implementations do not send a close_notify alert on shutdown.
.PP
-On an unexpected \s-1EOF,\s0 versions before OpenSSL 3.0 returned
-\&\fB\s-1SSL_ERROR_SYSCALL\s0\fR, nothing was added to the error stack, and errno was 0.
-Since OpenSSL 3.0 the returned error is \fB\s-1SSL_ERROR_SSL\s0\fR with a meaningful
-error on the error stack.
+On an unexpected EOF, versions before OpenSSL 3.0 returned
+\&\fBSSL_ERROR_SYSCALL\fR, nothing was added to the error stack, and errno was 0.
+Since OpenSSL 3.0 the returned error is \fBSSL_ERROR_SSL\fR with a meaningful
+error on the error stack (SSL_R_UNEXPECTED_EOF_WHILE_READING). This error reason
+code may be used for control flow decisions (see the man page for
+\&\fBERR_GET_REASON\fR\|(3) for further details on this).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can currently occur:
-.IP "\s-1SSL_ERROR_NONE\s0" 4
+.IP SSL_ERROR_NONE 4
.IX Item "SSL_ERROR_NONE"
-The \s-1TLS/SSL I/O\s0 operation completed. This result code is returned
+The TLS/SSL I/O operation completed. This result code is returned
if and only if \fBret > 0\fR.
-.IP "\s-1SSL_ERROR_ZERO_RETURN\s0" 4
+.IP SSL_ERROR_ZERO_RETURN 4
.IX Item "SSL_ERROR_ZERO_RETURN"
-The \s-1TLS/SSL\s0 peer has closed the connection for writing by sending the
+The TLS/SSL peer has closed the connection for writing by sending the
close_notify alert.
No more data can be read.
-Note that \fB\s-1SSL_ERROR_ZERO_RETURN\s0\fR does not necessarily
+Note that \fBSSL_ERROR_ZERO_RETURN\fR does not necessarily
indicate that the underlying transport has been closed.
.Sp
-This error can also appear when the option \fB\s-1SSL_OP_IGNORE_UNEXPECTED_EOF\s0\fR
+This error can also appear when the option \fBSSL_OP_IGNORE_UNEXPECTED_EOF\fR
is set. See \fBSSL_CTX_set_options\fR\|(3) for more details.
-.IP "\s-1SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE\s0" 4
+.IP "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE" 4
.IX Item "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE"
The operation did not complete and can be retried later.
.Sp
-\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR is returned when the last operation was a read
-operation from a nonblocking \fB\s-1BIO\s0\fR.
+For non-QUIC SSL objects, \fBSSL_ERROR_WANT_READ\fR is returned when the last
+operation was a read operation from a nonblocking \fBBIO\fR.
It means that not enough data was available at this time to complete the
operation.
-If at a later time the underlying \fB\s-1BIO\s0\fR has data available for reading the same
+If at a later time the underlying \fBBIO\fR has data available for reading the same
function can be called again.
.Sp
-\&\fBSSL_read()\fR and \fBSSL_read_ex()\fR can also set \fB\s-1SSL_ERROR_WANT_READ\s0\fR when there is
-still unprocessed data available at either the \fB\s-1SSL\s0\fR or the \fB\s-1BIO\s0\fR layer, even
-for a blocking \fB\s-1BIO\s0\fR.
+\&\fBSSL_read()\fR and \fBSSL_read_ex()\fR can also set \fBSSL_ERROR_WANT_READ\fR when there is
+still unprocessed data available at either the \fBSSL\fR or the \fBBIO\fR layer, even
+for a blocking \fBBIO\fR.
See \fBSSL_read\fR\|(3) for more information.
.Sp
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR is returned when the last operation was a write
-to a nonblocking \fB\s-1BIO\s0\fR and it was unable to sent all data to the \fB\s-1BIO\s0\fR.
-When the \fB\s-1BIO\s0\fR is writable again, the same function can be called again.
+For non-QUIC SSL objects, \fBSSL_ERROR_WANT_WRITE\fR is returned when the last
+operation was a write to a nonblocking \fBBIO\fR and it was unable to send all data
+to the \fBBIO\fR. When the \fBBIO\fR is writable again, the same function can be
+called again.
.Sp
-Note that the retry may again lead to an \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR condition.
+Note that the retry may again lead to an \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR condition.
There is no fixed upper limit for the number of iterations that
may be necessary until progress becomes visible at application
protocol level.
.Sp
+For QUIC SSL objects, the meaning of \fBSSL_ERROR_WANT_READ\fR and
+\&\fBSSL_ERROR_WANT_WRITE\fR have different but largely compatible semantics. Since
+QUIC implements its own flow control and uses UDP datagrams, backpressure
+conditions in terms of the underlying BIO providing network I/O are not directly
+relevant to the circumstances in which these errors are produced. In particular,
+\&\fBSSL_ERROR_WANT_WRITE\fR indicates that the OpenSSL internal send buffer for a
+given QUIC stream has been filled. Likewise, \fBSSL_ERROR_WANT_READ\fR indicates
+that the OpenSSL internal receive buffer for a given QUIC stream is empty.
+.Sp
It is safe to call \fBSSL_read()\fR or \fBSSL_read_ex()\fR when more data is available
even when the call that set this error was an \fBSSL_write()\fR or \fBSSL_write_ex()\fR.
However, if the call was an \fBSSL_write()\fR or \fBSSL_write_ex()\fR, it should be called
-again to continue sending the application data. If you get \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR
+again to continue sending the application data. If you get \fBSSL_ERROR_WANT_WRITE\fR
from \fBSSL_write()\fR or \fBSSL_write_ex()\fR then you should not do any other operation
-that could trigger \fB\s-1IO\s0\fR other than to repeat the previous \fBSSL_write()\fR call.
+that could trigger \fBIO\fR other than to repeat the previous \fBSSL_write()\fR call.
.Sp
-For socket \fB\s-1BIO\s0\fRs (e.g. when \fBSSL_set_fd()\fR was used), \fBselect()\fR or
+For socket \fBBIO\fRs (e.g. when \fBSSL_set_fd()\fR was used), \fBselect()\fR or
\&\fBpoll()\fR on the underlying socket can be used to find out when the
-\&\s-1TLS/SSL I/O\s0 function should be retried.
+TLS/SSL I/O function should be retried.
.Sp
-Caveat: Any \s-1TLS/SSL I/O\s0 function can lead to either of
-\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR and \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR.
+Caveat: Any TLS/SSL I/O function can lead to either of
+\&\fBSSL_ERROR_WANT_READ\fR and \fBSSL_ERROR_WANT_WRITE\fR.
In particular,
\&\fBSSL_read_ex()\fR, \fBSSL_read()\fR, \fBSSL_peek_ex()\fR, or \fBSSL_peek()\fR may want to write data
and \fBSSL_write()\fR or \fBSSL_write_ex()\fR may want to read data.
This is mainly because
-\&\s-1TLS/SSL\s0 handshakes may occur at any time during the protocol (initiated by
+TLS/SSL handshakes may occur at any time during the protocol (initiated by
either the client or the server); \fBSSL_read_ex()\fR, \fBSSL_read()\fR, \fBSSL_peek_ex()\fR,
\&\fBSSL_peek()\fR, \fBSSL_write_ex()\fR, and \fBSSL_write()\fR will handle any pending handshakes.
-.IP "\s-1SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT\s0" 4
+.IP "SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT" 4
.IX Item "SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT"
-The operation did not complete; the same \s-1TLS/SSL I/O\s0 function should be
-called again later. The underlying \s-1BIO\s0 was not connected yet to the peer
-and the call would block in \fBconnect()\fR/\fBaccept()\fR. The \s-1SSL\s0 function should be
+The operation did not complete; the same TLS/SSL I/O function should be
+called again later. The underlying BIO was not connected yet to the peer
+and the call would block in \fBconnect()\fR/\fBaccept()\fR. The SSL function should be
called again when the connection is established. These messages can only
-appear with a \fBBIO_s_connect()\fR or \fBBIO_s_accept()\fR \s-1BIO,\s0 respectively.
+appear with a \fBBIO_s_connect()\fR or \fBBIO_s_accept()\fR BIO, respectively.
In order to find out, when the connection has been successfully established,
on many platforms \fBselect()\fR or \fBpoll()\fR for writing on the socket file descriptor
can be used.
-.IP "\s-1SSL_ERROR_WANT_X509_LOOKUP\s0" 4
+.IP SSL_ERROR_WANT_X509_LOOKUP 4
.IX Item "SSL_ERROR_WANT_X509_LOOKUP"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_cert_cb()\fR has asked to be called again.
-The \s-1TLS/SSL I/O\s0 function should be called again later.
+The TLS/SSL I/O function should be called again later.
Details depend on the application.
-.IP "\s-1SSL_ERROR_WANT_ASYNC\s0" 4
+.IP SSL_ERROR_WANT_ASYNC 4
.IX Item "SSL_ERROR_WANT_ASYNC"
The operation did not complete because an asynchronous engine is still
-processing data. This will only occur if the mode has been set to \s-1SSL_MODE_ASYNC\s0
+processing data. This will only occur if the mode has been set to SSL_MODE_ASYNC
using \fBSSL_CTX_set_mode\fR\|(3) or \fBSSL_set_mode\fR\|(3) and an asynchronous capable
engine is being used. An application can determine whether the engine has
completed its processing using \fBselect()\fR or \fBpoll()\fR on the asynchronous wait file
descriptor. This file descriptor is available by calling
-\&\fBSSL_get_all_async_fds\fR\|(3) or \fBSSL_get_changed_async_fds\fR\|(3). The \s-1TLS/SSL I/O\s0
+\&\fBSSL_get_all_async_fds\fR\|(3) or \fBSSL_get_changed_async_fds\fR\|(3). The TLS/SSL I/O
function should be called again later. The function \fBmust\fR be called from the
same thread that the original call was made from.
-.IP "\s-1SSL_ERROR_WANT_ASYNC_JOB\s0" 4
+.IP SSL_ERROR_WANT_ASYNC_JOB 4
.IX Item "SSL_ERROR_WANT_ASYNC_JOB"
The asynchronous job could not be started because there were no async jobs
available in the pool (see \fBASYNC_init_thread\fR\|(3)). This will only occur if the
-mode has been set to \s-1SSL_MODE_ASYNC\s0 using \fBSSL_CTX_set_mode\fR\|(3) or
+mode has been set to SSL_MODE_ASYNC using \fBSSL_CTX_set_mode\fR\|(3) or
\&\fBSSL_set_mode\fR\|(3) and a maximum limit has been set on the async job pool
through a call to \fBASYNC_init_thread\fR\|(3). The application should retry the
operation after a currently executing asynchronous operation for the current
thread has completed.
-.IP "\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0" 4
+.IP SSL_ERROR_WANT_CLIENT_HELLO_CB 4
.IX Item "SSL_ERROR_WANT_CLIENT_HELLO_CB"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_hello_cb()\fR has asked to be called again.
-The \s-1TLS/SSL I/O\s0 function should be called again later.
+The TLS/SSL I/O function should be called again later.
Details depend on the application.
-.IP "\s-1SSL_ERROR_SYSCALL\s0" 4
+.IP SSL_ERROR_SYSCALL 4
.IX Item "SSL_ERROR_SYSCALL"
Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
contain more information on the error. For socket I/O on Unix systems, consult
@@ -281,24 +217,24 @@ be performed on the connection and \fBSSL_shutdown()\fR must not be called.
.Sp
This value can also be returned for other errors, check the error queue for
details.
-.IP "\s-1SSL_ERROR_SSL\s0" 4
+.IP SSL_ERROR_SSL 4
.IX Item "SSL_ERROR_SSL"
-A non-recoverable, fatal error in the \s-1SSL\s0 library occurred, usually a protocol
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
error. The OpenSSL error queue contains more information on the error. If this
error occurs then no further I/O operations should be performed on the
connection and \fBSSL_shutdown()\fR must not be called.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1SSL_ERROR_WANT_ASYNC\s0 error code was added in OpenSSL 1.1.0.
-The \s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0 error code was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0.
+The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3
new file mode 100644
index 000000000000..8586438ba31c
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_event_timeout.3
@@ -0,0 +1,131 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_EVENT_TIMEOUT 3ossl"
+.TH SSL_GET_EVENT_TIMEOUT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_event_timeout \- determine when an SSL object next needs to have events
+handled
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_get_event_timeout(SSL *s, struct timeval *tv, int *is_infinite);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_get_event_timeout()\fR determines when the SSL object next needs to perform
+internal processing due to the passage of time.
+.PP
+All arguments are required; \fItv\fR and \fIis_infinite\fR must be non-NULL.
+.PP
+Upon the successful return of \fBSSL_get_event_timeout()\fR, one of the following
+cases applies:
+.IP \(bu 4
+The SSL object has events which need to be handled immediately; The fields of
+\&\fI*tv\fR are set to 0 and \fI*is_infinite\fR is set to 0.
+.IP \(bu 4
+The SSL object has events which need to be handled after some amount of time
+(relative to the time at which \fBSSL_get_event_timeout()\fR was called). \fI*tv\fR is
+set to the amount of time after which \fBSSL_handle_events\fR\|(3) should be called
+and \fI*is_infinite\fR is set to 0.
+.IP \(bu 4
+There are currently no timer events which require handling in the future. The
+value of \fI*tv\fR is unspecified and \fI*is_infinite\fR is set to 1.
+.PP
+This function is currently applicable only to DTLS and QUIC connection SSL
+objects. If it is called on any other kind of SSL object, it always outputs
+infinity. This is considered a success condition.
+.PP
+For DTLS, this function can be used instead of the older
+\&\fBDTLSv1_get_timeout\fR\|(3) function. Note that this function differs from
+\&\fBDTLSv1_get_timeout\fR\|(3) in that the case where no timeout is active is
+considered a success condition.
+.PP
+Note that the value output by a call to \fBSSL_get_event_timeout()\fR may change as a
+result of other calls to the SSL object.
+.PP
+Once the timeout expires, \fBSSL_handle_events\fR\|(3) should be called to handle any
+internal processing which is due; for more information, see
+\&\fBSSL_handle_events\fR\|(3).
+.PP
+Note that \fBSSL_get_event_timeout()\fR supersedes the older \fBDTLSv1_get_timeout\fR\|(3)
+function for all use cases.
+.PP
+If the call to \fBSSL_get_event_timeout()\fR fails, the values of \fI*tv\fR and
+\&\fI*is_infinite\fR may still be changed and their values become unspecified.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success and 0 on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_handle_events\fR\|(3), \fBDTLSv1_get_timeout\fR\|(3), \fBssl\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_get_event_timeout()\fR function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3
index 43f7374ccd43..6dd99d7f7be3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_EXTMS_SUPPORT 3ossl"
-.TH SSL_GET_EXTMS_SUPPORT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_EXTMS_SUPPORT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_extms_support \- extended master secret support
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_extms_support(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_extms_support()\fR indicates whether the current session used extended
master secret.
@@ -160,11 +84,11 @@ was used.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_fd.3 b/secure/lib/libcrypto/man/man3/SSL_get_fd.3
index 3df3bc9a7055..2947c61e202a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_fd.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_fd.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_FD 3ossl"
-.TH SSL_GET_FD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_FD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_fd, SSL_get_rfd, SSL_get_wfd \- get file descriptor linked to an SSL object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,7 +71,7 @@ SSL_get_fd, SSL_get_rfd, SSL_get_wfd \- get file descriptor linked to an SSL obj
\& int SSL_get_rfd(const SSL *ssl);
\& int SSL_get_wfd(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_fd()\fR returns the file descriptor which is linked to \fBssl\fR.
\&\fBSSL_get_rfd()\fR and \fBSSL_get_wfd()\fR return the file descriptors for the
@@ -157,21 +81,21 @@ of the read channel.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\-1" 4
+.IP \-1 4
.IX Item "-1"
-The operation failed, because the underlying \s-1BIO\s0 is not of the correct type
+The operation failed, because the underlying BIO is not of the correct type
(suitable for file descriptors).
-.IP ">=0" 4
+.IP >=0 4
.IX Item ">=0"
The file descriptor linked to \fBssl\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_set_fd\fR\|(3), \fBssl\fR\|(7) , \fBbio\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3 b/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3
new file mode 100644
index 000000000000..faa91ae80833
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_handshake_rtt.3
@@ -0,0 +1,114 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_HANDSHAKE_RTT 3ossl"
+.TH SSL_GET_HANDSHAKE_RTT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_handshake_rtt
+\&\- get round trip time for SSL Handshake
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_get_handshake_rtt(const SSL *s, uint64_t *rtt);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_get_handshake_rtt()\fR retrieves the round-trip time (RTT) for \fIssl\fR.
+.PP
+This metric is represented in microseconds (us) as a uint64_t data type.
+.SH NOTES
+.IX Header "NOTES"
+This metric is created by taking two timestamps during the handshake and
+providing the difference between these two times.
+.PP
+When acting as the server, one timestamp is taken when the server is finished
+writing to the client. This is during the ServerFinished in TLS 1.3 and
+ServerHelloDone in TLS 1.2. The other timestamp is taken when the server is
+done reading the client's response. This is after the client has responded
+with ClientFinished.
+.PP
+When acting as the client, one timestamp is taken when the client is finished
+writing the ClientHello and early data (if any). The other is taken when
+client is done reading the server's response. This is after ServerFinished in
+TLS 1.3 and after ServerHelloDone in TLS 1.2.
+.PP
+In addition to network propagation delay and network stack overhead, this
+metric includes processing time on both endpoints, as this is based on TLS
+protocol-level messages and the TLS protocol is not designed to measure
+network timings. In some cases the processing time can be significant,
+especially when the processing includes asymmetric cryptographic operations.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 if the TLS handshake RTT is successfully retrieved.
+Returns 0 if the TLS handshake RTT cannot be determined yet.
+Returns \-1 if, while retrieving the TLS handshake RTT, an error occurs.
+.SH HISTORY
+.IX Header "HISTORY"
+This function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3
index e113fbe04fc1..627318a67716 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_CERT_CHAIN 3ossl"
-.TH SSL_GET_PEER_CERT_CHAIN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_PEER_CERT_CHAIN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_peer_cert_chain, SSL_get0_verified_chain \- get the X509 certificate
chain of the peer
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,16 +71,16 @@ chain of the peer
\& STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
\& STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_peer_cert_chain()\fR returns a pointer to \s-1STACK_OF\s0(X509) certificates
+\&\fBSSL_get_peer_cert_chain()\fR returns a pointer to STACK_OF(X509) certificates
forming the certificate chain sent by the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
side, the peer's certificate must be obtained separately using
\&\fBSSL_get_peer_certificate\fR\|(3).
-If the peer did not present a certificate, \s-1NULL\s0 is returned.
+If the peer did not present a certificate, NULL is returned.
.PP
-\&\s-1NB:\s0 \fBSSL_get_peer_cert_chain()\fR returns the peer chain as sent by the peer: it
+NB: \fBSSL_get_peer_cert_chain()\fR returns the peer chain as sent by the peer: it
only consists of certificates the peer has sent (in the order the peer
has sent them) it is \fBnot\fR a verified chain.
.PP
@@ -165,13 +89,13 @@ of the peer including the peer's end entity certificate. It must be called
after a session has been successfully established. If peer verification was
not successful (as indicated by \fBSSL_get_verify_result()\fR not returning
X509_V_OK) the chain may be incomplete or invalid.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-If the session is resumed peers do not send certificates so a \s-1NULL\s0 pointer
+If the session is resumed peers do not send certificates so a NULL pointer
is returned by these functions. Applications can call \fBSSL_session_reused()\fR
to determine whether a session is resumed.
.PP
-The reference count of each certificate in the returned \s-1STACK_OF\s0(X509) object
+The reference count of each certificate in the returned STACK_OF(X509) object
is not incremented and the returned stack may be invalidated by renegotiation.
If applications wish to use any certificates in the returned chain
indefinitely they must increase the reference counts using \fBX509_up_ref()\fR or
@@ -179,22 +103,22 @@ obtain a copy of the whole chain with \fBX509_chain_up_ref()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\s-1NULL\s0" 4
+.IP NULL 4
.IX Item "NULL"
No certificate was presented by the peer or no connection was established
or the certificate chain is no longer available when a session is reused.
-.IP "Pointer to a \s-1STACK_OF\s0(X509)" 4
+.IP "Pointer to a STACK_OF(X509)" 4
.IX Item "Pointer to a STACK_OF(X509)"
The return value points to the certificate chain presented by the peer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_peer_certificate\fR\|(3), \fBX509_up_ref\fR\|(3),
\&\fBX509_chain_up_ref\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3
index 0f2eeb9db3b4..e2233dd6c121 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,94 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_CERTIFICATE 3ossl"
-.TH SSL_GET_PEER_CERTIFICATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_PEER_CERTIFICATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_peer_certificate,
SSL_get0_peer_certificate,
SSL_get1_peer_certificate \- get the X509 certificate of the peer
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
-\& X509 *SSL_get_peer_certificate(const SSL *ssl);
\& X509 *SSL_get0_peer_certificate(const SSL *ssl);
\& X509 *SSL_get1_peer_certificate(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.PP
+The following function has been deprecated since OpenSSL 3.0,
+and can be hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable
+version value, see \fBopenssl_user_macros\fR\|(7):
+.PP
+.Vb 1
+\& X509 *SSL_get_peer_certificate(const SSL *ssl);
+.Ve
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions return a pointer to the X509 certificate the
-peer presented. If the peer did not present a certificate, \s-1NULL\s0 is returned.
-.SH "NOTES"
+peer presented. If the peer did not present a certificate, NULL is returned.
+.SH NOTES
.IX Header "NOTES"
-Due to the protocol definition, a \s-1TLS/SSL\s0 server will always send a
+Due to the protocol definition, a TLS/SSL server will always send a
certificate, if present. A client will only send a certificate when
explicitly requested to do so by the server (see
\&\fBSSL_CTX_set_verify\fR\|(3)). If an anonymous cipher
@@ -177,7 +108,7 @@ is not incremented, and must not be freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\s-1NULL\s0" 4
+.IP NULL 4
.IX Item "NULL"
No certificate was presented by the peer or no connection was established.
.IP "Pointer to an X509 certificate" 4
@@ -187,15 +118,15 @@ The return value points to the certificate presented by the peer.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_get0_peer_certificate()\fR and \fBSSL_get1_peer_certificate()\fR were added in 3.0.0.
\&\fBSSL_get_peer_certificate()\fR was deprecated in 3.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3
index 0cb3a50278ca..618afdba32b0 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,116 +52,73 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_SIGNATURE_NID 3ossl"
-.TH SSL_GET_PEER_SIGNATURE_NID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_PEER_SIGNATURE_NID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid,
-SSL_get_signature_nid, SSL_get_signature_type_nid \- get TLS message signing
-types
-.SH "SYNOPSIS"
+.SH NAME
+SSL_get0_peer_signature_name, SSL_get_peer_signature_nid,
+SSL_get_peer_signature_type_nid, SSL_get0_signature_name,
+SSL_get_signature_nid, SSL_get_signature_type_nid \-
+get TLS message signing types
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
+\& int SSL_get0_peer_signature_name(const SSL *ssl, const char **sigalg);
\& int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid);
\& int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid);
+\& int SSL_get0_signature_name(SSL *ssl, const char **sigalg);
\& int SSL_get_signature_nid(SSL *ssl, int *psig_nid);
\& int SSL_get_signature_type_nid(const SSL *ssl, int *psigtype_nid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_peer_signature_nid()\fR sets \fB*psig_nid\fR to the \s-1NID\s0 of the digest used
-by the peer to sign \s-1TLS\s0 messages. It is implemented as a macro.
+\&\fBSSL_get0_peer_signature_name()\fR sets \fI*sigalg\fR to the IANA name of the
+signature scheme <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme>
+used by the peer to sign the TLS handshake.
+The caller must not free the returned pointer.
+The returned string should be copied if it is to be retained beyond the
+lifetime of the SSL connection.
+.PP
+\&\fBSSL_get_peer_signature_nid()\fR sets \fB*psig_nid\fR to the NID of the digest used
+by the peer to sign TLS messages. It is implemented as a macro.
.PP
\&\fBSSL_get_peer_signature_type_nid()\fR sets \fB*psigtype_nid\fR to the signature
-type used by the peer to sign \s-1TLS\s0 messages. Currently the signature type
-is the \s-1NID\s0 of the public key type used for signing except for \s-1PSS\s0 signing
-where it is \fB\s-1EVP_PKEY_RSA_PSS\s0\fR. To differentiate between
+type used by the peer to sign TLS messages. Currently the signature type
+is the NID of the public key type used for signing except for PSS signing
+where it is \fBEVP_PKEY_RSA_PSS\fR. To differentiate between
\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it's necessary to check
the type of public key in the peer's certificate.
.PP
-\&\fBSSL_get_signature_nid()\fR and \fBSSL_get_signature_type_nid()\fR return the equivalent
-information for the local end of the connection.
+\&\fBSSL_get0_signature_name()\fR, \fBSSL_get_signature_nid()\fR and
+\&\fBSSL_get_signature_type_nid()\fR return the equivalent information for the local
+end of the connection.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return 1 for success and 0 for failure. There are several
-possible reasons for failure: the cipher suite has no signature (e.g. it
-uses \s-1RSA\s0 key exchange or is anonymous), the \s-1TLS\s0 version is below 1.2 or
-the functions were called too early, e.g. before the peer signed a message.
+possible reasons for failure: the peer or local end is a client and did not
+sign the handshake (did not use a client certificate), the cipher suite has no
+signature (e.g. it uses RSA key exchange or is anonymous), the TLS version is
+below 1.2 or the functions were called too early, e.g. before the peer signed a
+message.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_peer_certificate\fR\|(3),
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_get0_peer_signature_name()\fR and \fBSSL_get0_signature_name()\fR functions were
+added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3
index 0ca5cd298e25..606bd79a9323 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_TMP_KEY 3ossl"
-.TH SSL_GET_PEER_TMP_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_PEER_TMP_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_peer_tmp_key, SSL_get_server_tmp_key, SSL_get_tmp_key \- get information
about temporary keys used during a handshake
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -148,11 +72,11 @@ about temporary keys used during a handshake
\& long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key);
\& long SSL_get_tmp_key(SSL *ssl, EVP_PKEY **key);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_peer_tmp_key()\fR returns the temporary key provided by the peer and
-used during key exchange. For example, if \s-1ECDHE\s0 is in use, then this represents
-the peer's public \s-1ECDHE\s0 key. On success a pointer to the key is stored in
+used during key exchange. For example, if ECDHE is in use, then this represents
+the peer's public ECDHE key. On success a pointer to the key is stored in
\&\fB*key\fR. It is the caller's responsibility to free this key after use using
\&\fBEVP_PKEY_free\fR\|(3).
.PP
@@ -166,17 +90,17 @@ end of the connection.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 on success and 0 otherwise.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This function is implemented as a macro.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBEVP_PKEY_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3
index d72d6a491cac..6c45372a888e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PSK_IDENTITY 3ossl"
-.TH SSL_GET_PSK_IDENTITY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_PSK_IDENTITY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_psk_identity, SSL_get_psk_identity_hint \- get PSK client identity and hint
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,29 +70,29 @@ SSL_get_psk_identity, SSL_get_psk_identity_hint \- get PSK client identity and h
\& const char *SSL_get_psk_identity_hint(const SSL *ssl);
\& const char *SSL_get_psk_identity(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_psk_identity_hint()\fR is used to retrieve the \s-1PSK\s0 identity hint
-used during the connection setup related to \s-1SSL\s0 object
-\&\fBssl\fR. Similarly, \fBSSL_get_psk_identity()\fR is used to retrieve the \s-1PSK\s0
+\&\fBSSL_get_psk_identity_hint()\fR is used to retrieve the PSK identity hint
+used during the connection setup related to SSL object
+\&\fBssl\fR. Similarly, \fBSSL_get_psk_identity()\fR is used to retrieve the PSK
identity used during the connection setup.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If non\-\fB\s-1NULL\s0\fR, \fBSSL_get_psk_identity_hint()\fR returns the \s-1PSK\s0 identity
-hint and \fBSSL_get_psk_identity()\fR returns the \s-1PSK\s0 identity. Both are
-\&\fB\s-1NULL\s0\fR\-terminated. \fBSSL_get_psk_identity_hint()\fR may return \fB\s-1NULL\s0\fR if
-no \s-1PSK\s0 identity hint was used during the connection setup.
+If non\-\fBNULL\fR, \fBSSL_get_psk_identity_hint()\fR returns the PSK identity
+hint and \fBSSL_get_psk_identity()\fR returns the PSK identity. Both are
+\&\fBNULL\fR\-terminated. \fBSSL_get_psk_identity_hint()\fR may return \fBNULL\fR if
+no PSK identity hint was used during the connection setup.
.PP
Note that the return value is valid only during the lifetime of the
-\&\s-1SSL\s0 object \fBssl\fR.
+SSL object \fBssl\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3
index 16579e2921a8..4dc6ddbc7ccc 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_RBIO 3ossl"
-.TH SSL_GET_RBIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_RBIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_rbio, SSL_get_wbio \- get BIO linked to an SSL object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,28 +70,28 @@ SSL_get_rbio, SSL_get_wbio \- get BIO linked to an SSL object
\& BIO *SSL_get_rbio(SSL *ssl);
\& BIO *SSL_get_wbio(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_rbio()\fR and \fBSSL_get_wbio()\fR return pointers to the BIOs for the
read or the write channel, which can be different. The reference count
-of the \s-1BIO\s0 is not incremented.
+of the BIO is not incremented.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\s-1NULL\s0" 4
+.IP NULL 4
.IX Item "NULL"
-No \s-1BIO\s0 was connected to the \s-1SSL\s0 object
+No BIO was connected to the SSL object
.IP "Any other pointer" 4
.IX Item "Any other pointer"
-The \s-1BIO\s0 linked to \fBssl\fR.
+The BIO linked to \fBssl\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_set_bio\fR\|(3), \fBssl\fR\|(7) , \fBbio\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3 b/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3
new file mode 100644
index 000000000000..887ee4f6ffc6
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_rpoll_descriptor.3
@@ -0,0 +1,143 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_RPOLL_DESCRIPTOR 3ossl"
+.TH SSL_GET_RPOLL_DESCRIPTOR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_rpoll_descriptor, SSL_get_wpoll_descriptor, SSL_net_read_desired,
+SSL_net_write_desired \- obtain information which can be used to determine when
+network I/O can be performed
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_get_rpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc);
+\& int SSL_get_wpoll_descriptor(SSL *s, BIO_POLL_DESCRIPTOR *desc);
+\& int SSL_net_read_desired(SSL *s);
+\& int SSL_net_write_desired(SSL *s);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The functions \fBSSL_get_rpoll_descriptor()\fR and \fBSSL_get_wpoll_descriptor()\fR can be
+used to determine when an SSL object which represents a QUIC connection can
+perform useful network I/O, so that an application using a QUIC connection SSL
+object in nonblocking mode can determine when it should call \fBSSL_handle_events()\fR.
+.PP
+On success, these functions output poll descriptors. For more information on
+poll descriptors, see \fBBIO_get_rpoll_descriptor\fR\|(3).
+.PP
+The functions \fBSSL_net_read_desired()\fR and \fBSSL_net_write_desired()\fR return 1 or 0
+depending on whether the SSL object is currently interested in receiving data
+from the network and/or writing data to the network respectively.
+If an SSL object is not interested in reading data from the network at the
+current time, \fBSSL_net_read_desired()\fR will return 0; likewise, if an SSL object is
+not interested in writing data to the network at the current time,
+\&\fBSSL_net_write_desired()\fR will return 0.
+.PP
+The intention is that an application using QUIC in nonblocking mode can use
+these calls, in conjunction with \fBSSL_get_event_timeout\fR\|(3) to wait for network
+I/O conditions which allow the SSL object to perform useful work. When such a
+condition arises, \fBSSL_handle_events\fR\|(3) should be called.
+.PP
+In particular, the expected usage is as follows:
+.IP \(bu 4
+\&\fBSSL_handle_events()\fR should be called whenever the timeout returned by
+\&\fBSSL_get_event_timeout\fR\|(3) (if any) expires
+.IP \(bu 4
+If the last call to \fBSSL_net_read_desired()\fR returned 1, \fBSSL_handle_events()\fR should be called
+whenever the poll descriptor output by \fBSSL_get_rpoll_descriptor()\fR becomes
+readable.
+.IP \(bu 4
+If the last call to \fBSSL_net_write_desired()\fR returned 1, \fBSSL_handle_events()\fR should be called
+whenever the poll descriptor output by \fBSSL_get_wpoll_descriptor()\fR becomes
+writable.
+.PP
+The return values of the \fBSSL_net_read_desired()\fR and \fBSSL_net_write_desired()\fR functions
+may change in response to any call to the SSL object other than
+\&\fBSSL_net_read_desired()\fR, \fBSSL_net_write_desired()\fR, \fBSSL_get_rpoll_descriptor()\fR,
+\&\fBSSL_get_wpoll_descriptor()\fR and \fBSSL_get_event_timeout()\fR.
+.PP
+On non-QUIC SSL objects, calls to \fBSSL_get_rpoll_descriptor()\fR and
+\&\fBSSL_get_wpoll_descriptor()\fR function the same as calls to
+\&\fBBIO_get_rpoll_descriptor()\fR and \fBBIO_get_wpoll_descriptor()\fR on the respective read
+and write BIOs configured on the SSL object.
+.PP
+On non-QUIC SSL objects, calls to \fBSSL_net_read_desired()\fR and
+\&\fBSSL_net_write_desired()\fR function identically to calls to \fBSSL_want_read()\fR and
+\&\fBSSL_want_write()\fR respectively.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+These functions return 1 on success and 0 on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_handle_events\fR\|(3), \fBSSL_get_event_timeout\fR\|(3), \fBssl\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_get_rpoll_descriptor()\fR, \fBSSL_get_wpoll_descriptor()\fR, \fBSSL_net_read_desired()\fR
+and \fBSSL_net_write_desired()\fR functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_session.3 b/secure/lib/libcrypto/man/man3/SSL_get_session.3
index d3e30be846c3..e63e1a63e106 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_session.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_session.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_SESSION 3ossl"
-.TH SSL_GET_SESSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_SESSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_session, SSL_get0_session, SSL_get1_session \- retrieve TLS/SSL session data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,28 +71,28 @@ SSL_get_session, SSL_get0_session, SSL_get1_session \- retrieve TLS/SSL session
\& SSL_SESSION *SSL_get0_session(const SSL *ssl);
\& SSL_SESSION *SSL_get1_session(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_get_session()\fR returns a pointer to the \fB\s-1SSL_SESSION\s0\fR actually used in
-\&\fBssl\fR. The reference count of the \fB\s-1SSL_SESSION\s0\fR is not incremented, so
+\&\fBSSL_get_session()\fR returns a pointer to the \fBSSL_SESSION\fR actually used in
+\&\fBssl\fR. The reference count of the \fBSSL_SESSION\fR is not incremented, so
that the pointer can become invalid by other operations.
.PP
\&\fBSSL_get0_session()\fR is the same as \fBSSL_get_session()\fR.
.PP
\&\fBSSL_get1_session()\fR is the same as \fBSSL_get_session()\fR, but the reference
-count of the \fB\s-1SSL_SESSION\s0\fR is incremented by one.
-.SH "NOTES"
+count of the \fBSSL_SESSION\fR is incremented by one.
+.SH NOTES
.IX Header "NOTES"
The ssl session contains all information required to re-establish the
-connection without a full handshake for \s-1SSL\s0 versions up to and including
+connection without a full handshake for SSL versions up to and including
TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the
main handshake has occurred. The server will send the session information to the
client at a time of its choosing, which may be some while after the initial
connection is established (or never). Calling these functions on the client side
in TLSv1.3 before the session has been established will still return an
-\&\s-1SSL_SESSION\s0 object but that object cannot be used for resuming the session. See
+SSL_SESSION object but that object cannot be used for resuming the session. See
\&\fBSSL_SESSION_is_resumable\fR\|(3) for information on how to determine whether an
-\&\s-1SSL_SESSION\s0 object can be used for resumption or not.
+SSL_SESSION object can be used for resumption or not.
.PP
Additionally, in TLSv1.3, a server can send multiple messages that establish a
session for a single connection. In that case, on the client side, the above
@@ -177,11 +101,11 @@ the server side they will only return information on the last session that was
sent, or if no session tickets were sent then the session for the current
connection.
.PP
-The preferred way for applications to obtain a resumable \s-1SSL_SESSION\s0 object is
+The preferred way for applications to obtain a resumable SSL_SESSION object is
to use a new session callback as described in \fBSSL_CTX_sess_set_new_cb\fR\|(3).
The new session callback is only invoked when a session is actually established,
so this avoids the problem described above where an application obtains an
-\&\s-1SSL_SESSION\s0 object that cannot be used for resumption in TLSv1.3. It also
+SSL_SESSION object that cannot be used for resumption in TLSv1.3. It also
enables applications to obtain information about all sessions sent by the
server.
.PP
@@ -190,7 +114,7 @@ non-resumable if the connection is not closed down cleanly, e.g. if a fatal
error occurs on the connection or \fBSSL_shutdown\fR\|(3) is not called prior to
\&\fBSSL_free\fR\|(3).
.PP
-In TLSv1.3 it is recommended that each \s-1SSL_SESSION\s0 object is only used for
+In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
resumption once.
.PP
\&\fBSSL_get0_session()\fR returns a pointer to the actual session. As the
@@ -207,30 +131,30 @@ but stays in memory. In order to remove the session
\&\fBSSL_SESSION_free\fR\|(3) must be explicitly called once
to decrement the reference count again.
.PP
-\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache
-list, when being inserted into one \s-1SSL_CTX\s0 object's session cache.
-One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore
-only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created
-from this \s-1SSL_CTX\s0 object).
+SSL_SESSION objects keep internal link information about the session cache
+list, when being inserted into one SSL_CTX object's session cache.
+One SSL_SESSION object, regardless of its reference count, must therefore
+only be used with one SSL_CTX object (and the SSL objects created
+from this SSL_CTX object).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\s-1NULL\s0" 4
+.IP NULL 4
.IX Item "NULL"
There is no session available in \fBssl\fR.
-.IP "Pointer to an \s-1SSL_SESSION\s0" 4
+.IP "Pointer to an SSL_SESSION" 4
.IX Item "Pointer to an SSL_SESSION"
-The return value points to the data of an \s-1SSL\s0 session.
+The return value points to the data of an SSL session.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_free\fR\|(3),
\&\fBSSL_clear\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3
index 2aed3d58d32a..e3e215cd9df6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_SHARED_SIGALGS 3ossl"
-.TH SSL_GET_SHARED_SIGALGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_SHARED_SIGALGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_shared_sigalgs, SSL_get_sigalgs \- get supported signature algorithms
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -151,13 +75,13 @@ SSL_get_shared_sigalgs, SSL_get_sigalgs \- get supported signature algorithms
\& int *psign, int *phash, int *psignhash,
\& unsigned char *rsig, unsigned char *rhash);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_shared_sigalgs()\fR returns information about the shared signature
algorithms supported by peer \fBs\fR. The parameter \fBidx\fR indicates the index
of the shared signature algorithm to return starting from zero. The signature
-algorithm \s-1NID\s0 is written to \fB*psign\fR, the hash \s-1NID\s0 to \fB*phash\fR and the
-sign and hash \s-1NID\s0 to \fB*psignhash\fR. The raw signature and hash values
+algorithm NID is written to \fB*psign\fR, the hash NID to \fB*phash\fR and the
+sign and hash NID to \fB*psignhash\fR. The raw signature and hash values
are written to \fB*rsig\fR and \fB*rhash\fR.
.PP
\&\fBSSL_get_sigalgs()\fR is similar to \fBSSL_get_shared_sigalgs()\fR except it returns
@@ -167,7 +91,7 @@ they were sent by the peer.
.IX Header "RETURN VALUES"
\&\fBSSL_get_shared_sigalgs()\fR and \fBSSL_get_sigalgs()\fR return the number of
signature algorithms or \fB0\fR if the \fBidx\fR parameter is out of range.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions are typically called for debugging purposes (to report
the peer's preferences) or where an application wants finer control over
@@ -178,8 +102,8 @@ If an application is only interested in the highest preference shared
signature algorithm it can just set \fBidx\fR to zero.
.PP
Any or all of the parameters \fBpsign\fR, \fBphash\fR, \fBpsignhash\fR, \fBrsig\fR or
-\&\fBrhash\fR can be set to \fB\s-1NULL\s0\fR if the value is not required. By setting
-them all to \fB\s-1NULL\s0\fR and setting \fBidx\fR to zero the total number of
+\&\fBrhash\fR can be set to \fBNULL\fR if the value is not required. By setting
+them all to \fBNULL\fR and setting \fBidx\fR to zero the total number of
signature algorithms can be determined: which can be zero.
.PP
These functions must be called after the peer has sent a list of supported
@@ -187,31 +111,31 @@ signature algorithms: after a client hello (for servers) or a certificate
request (for clients). They can (for example) be called in the certificate
callback.
.PP
-Only \s-1TLS 1.2, TLS 1.3\s0 and \s-1DTLS 1.2\s0 currently support signature algorithms.
+Only TLS 1.2, TLS 1.3 and DTLS 1.2 currently support signature algorithms.
If these
-functions are called on an earlier version of \s-1TLS\s0 or \s-1DTLS\s0 zero is returned.
+functions are called on an earlier version of TLS or DTLS zero is returned.
.PP
The shared signature algorithms returned by \fBSSL_get_shared_sigalgs()\fR are
ordered according to configuration and peer preferences.
.PP
-The raw values correspond to the on the wire form as defined by \s-1RFC5246\s0 et al.
+The raw values correspond to the on the wire form as defined by RFC5246 et al.
The NIDs are OpenSSL equivalents. For example if the peer sent \fBsha256\fR\|(4) and
\&\fBrsa\fR\|(1) then \fB*rhash\fR would be 4, \fB*rsign\fR 1, \fB*phash\fR NID_sha256, \fB*psig\fR
-NID_rsaEncryption and \fB*psighash\fR NID_sha256WithRSAEncryption.
+NID_rsaEncryption and \fB*psignhash\fR NID_sha256WithRSAEncryption.
.PP
If a signature algorithm is not recognised the corresponding NIDs
will be set to \fBNID_undef\fR. This may be because the value is not supported,
-is not an appropriate combination (for example \s-1MD5\s0 and \s-1DSA\s0) or the
+is not an appropriate combination (for example MD5 and DSA) or the
signature algorithm does not use a hash (for example Ed25519).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_cert_cb\fR\|(3),
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3 b/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3
new file mode 100644
index 000000000000..235451c1db2b
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_stream_id.3
@@ -0,0 +1,154 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_STREAM_ID 3ossl"
+.TH SSL_GET_STREAM_ID 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_stream_id, SSL_get_stream_type, SSL_STREAM_TYPE_NONE,
+SSL_STREAM_TYPE_READ, SSL_STREAM_TYPE_WRITE, SSL_STREAM_TYPE_BIDI,
+SSL_is_stream_local \- get QUIC stream ID and stream type information
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& uint64_t SSL_get_stream_id(SSL *ssl);
+\&
+\& #define SSL_STREAM_TYPE_NONE
+\& #define SSL_STREAM_TYPE_BIDI
+\& #define SSL_STREAM_TYPE_READ
+\& #define SSL_STREAM_TYPE_WRITE
+\& int SSL_get_stream_type(SSL *ssl);
+\&
+\& int SSL_is_stream_local(SSL *ssl);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_get_stream_id()\fR function returns the QUIC stream ID for a QUIC stream
+SSL object, or for a QUIC connection SSL object which has a default stream
+attached.
+.PP
+The \fBSSL_get_stream_type()\fR function identifies what operations can be performed
+on the stream, and returns one of the following values:
+.IP \fBSSL_STREAM_TYPE_NONE\fR 4
+.IX Item "SSL_STREAM_TYPE_NONE"
+The SSL object is a QUIC connection SSL object without a default stream
+attached.
+.IP \fBSSL_STREAM_TYPE_BIDI\fR 4
+.IX Item "SSL_STREAM_TYPE_BIDI"
+The SSL object is a non-QUIC SSL object, or is a QUIC stream object (or QUIC
+connection SSL object with a default stream attached), and that stream is a
+bidirectional QUIC stream.
+.IP \fBSSL_STREAM_TYPE_READ\fR 4
+.IX Item "SSL_STREAM_TYPE_READ"
+The SSL object is a QUIC stream object (or QUIC connection SSL object with a
+default stream attached), and that stream is a unidirectional QUIC stream which
+was initiated by the remote peer; thus, it can be read from, but not written to.
+.IP \fBSSL_STREAM_TYPE_WRITE\fR 4
+.IX Item "SSL_STREAM_TYPE_WRITE"
+The SSL object is a QUIC stream object (or QUIC connection SSL object with a
+default stream attached), and that stream is a unidirectional QUIC stream which
+was initiated by the local application; thus, it can be written to, but not read
+from.
+.PP
+The \fBSSL_is_stream_local()\fR function determines whether a stream was locally
+created.
+.SH NOTES
+.IX Header "NOTES"
+While QUICv1 assigns specific meaning to the low two bits of a QUIC stream ID,
+QUIC stream IDs in future versions of QUIC are not required to have the same
+semantics. Do not determine stream properties using these bits. Instead, use
+\&\fBSSL_get_stream_type()\fR to determine the stream type and \fBSSL_get_stream_is_local()\fR
+to determine the stream initiator.
+.PP
+The \fBSSL_get_stream_type()\fR identifies the type of a QUIC stream based on its
+identity, and does not indicate whether an operation can currently be
+successfully performed on a stream. For example, you might locally initiate a
+unidirectional stream, write to it, and then conclude the stream using
+\&\fBSSL_stream_conclude\fR\|(3), meaning that it can no longer be written to, but
+\&\fBSSL_get_stream_type()\fR would still return \fBSSL_STREAM_TYPE_WRITE\fR. The value
+returned by \fBSSL_get_stream_type()\fR does not vary over the lifespan of a stream.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_get_stream_id()\fR returns a QUIC stream ID, or \fBUINT64_MAX\fR if called on an
+SSL object which is not a QUIC SSL object, or if called on a QUIC connection SSL
+object without a default stream attached. Note that valid QUIC stream IDs are
+always below 2**62.
+.PP
+\&\fBSSL_get_stream_type()\fR returns one of the \fBSSL_STREAM_TYPE\fR values.
+.PP
+\&\fBSSL_is_stream_local()\fR returns 1 if called on a QUIC stream SSL object which
+represents a stream which was locally initiated. It returns 0 if called on a
+QUIC stream SSL object which represents a stream which was remotely initiated by
+a peer, and \-1 if called on any other kind of SSL object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_new_stream\fR\|(3), \fBSSL_accept_stream\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3 b/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3
new file mode 100644
index 000000000000..c9ad51a3cafe
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_stream_read_state.3
@@ -0,0 +1,203 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_STREAM_READ_STATE 3ossl"
+.TH SSL_GET_STREAM_READ_STATE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_stream_read_state, SSL_get_stream_write_state,
+SSL_get_stream_read_error_code, SSL_get_stream_write_error_code,
+SSL_STREAM_STATE_NONE, SSL_STREAM_STATE_OK, SSL_STREAM_STATE_WRONG_DIR,
+SSL_STREAM_STATE_FINISHED, SSL_STREAM_STATE_RESET_LOCAL,
+SSL_STREAM_STATE_RESET_REMOTE, SSL_STREAM_STATE_CONN_CLOSED \- get QUIC stream
+state
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_STREAM_STATE_NONE
+\& #define SSL_STREAM_STATE_OK
+\& #define SSL_STREAM_STATE_WRONG_DIR
+\& #define SSL_STREAM_STATE_FINISHED
+\& #define SSL_STREAM_STATE_RESET_LOCAL
+\& #define SSL_STREAM_STATE_RESET_REMOTE
+\& #define SSL_STREAM_STATE_CONN_CLOSED
+\&
+\& int SSL_get_stream_read_state(SSL *ssl);
+\& int SSL_get_stream_write_state(SSL *ssl);
+\&
+\& int SSL_get_stream_read_error_code(SSL *ssl, uint64_t *app_error_code);
+\& int SSL_get_stream_write_error_code(SSL *ssl, uint64_t *app_error_code);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_get_stream_read_state()\fR and \fBSSL_get_stream_write_state()\fR retrieve the
+overall state of the receiving and sending parts of a QUIC stream, respectively.
+.PP
+They both return one of the following values:
+.IP \fBSSL_STREAM_STATE_NONE\fR 4
+.IX Item "SSL_STREAM_STATE_NONE"
+This value is returned if called on a non-QUIC SSL object, or on a QUIC
+connection SSL object without a default stream attached.
+.IP \fBSSL_STREAM_STATE_OK\fR 4
+.IX Item "SSL_STREAM_STATE_OK"
+This value is returned on a stream which has not been concluded and remains
+healthy.
+.IP \fBSSL_STREAM_STATE_WRONG_DIR\fR 4
+.IX Item "SSL_STREAM_STATE_WRONG_DIR"
+This value is returned if \fBSSL_get_stream_read_state()\fR is called on a
+locally-initiated (and thus send-only) unidirectional stream, or, conversely, if
+\&\fBSSL_get_stream_write_state()\fR is called on a remotely-initiated (and thus
+receive-only) unidirectional stream.
+.IP \fBSSL_STREAM_STATE_FINISHED\fR 4
+.IX Item "SSL_STREAM_STATE_FINISHED"
+For \fBSSL_get_stream_read_state()\fR, this value is returned when the remote peer has
+signalled the end of the receiving part of the stream. Note that there may still
+be residual data available to read via \fBSSL_read\fR\|(3) when this state is
+returned.
+.Sp
+For \fBSSL_get_stream_write_state()\fR, this value is returned when the local
+application has concluded the stream using \fBSSL_stream_conclude\fR\|(3). Future
+\&\fBSSL_write\fR\|(3) calls will not succeed.
+.IP \fBSSL_STREAM_STATE_RESET_LOCAL\fR 4
+.IX Item "SSL_STREAM_STATE_RESET_LOCAL"
+This value is returned when the applicable stream part was reset by the local
+application.
+.Sp
+For \fBSSL_get_stream_read_state()\fR, this means that the receiving part of the
+stream was aborted using a locally transmitted QUIC \fBSTOP_SENDING\fR frame. It
+may or may not still be possible to obtain any residual data which remains to be
+read by calling \fBSSL_read\fR\|(3).
+.Sp
+For \fBSSL_get_stream_write_state()\fR, this means that the sending part of the stream
+was aborted, for example because the application called \fBSSL_stream_reset\fR\|(3),
+or because a QUIC stream SSL object with an un-concluded sending part was freed
+using \fBSSL_free\fR\|(3). Calls to \fBSSL_write\fR\|(3) will fail.
+.Sp
+When this value is returned, the application error code which was signalled can
+be obtained by calling \fBSSL_get_stream_read_error_code()\fR or
+\&\fBSSL_get_stream_write_error_code()\fR as appropriate.
+.IP \fBSSL_STREAM_STATE_RESET_REMOTE\fR 4
+.IX Item "SSL_STREAM_STATE_RESET_REMOTE"
+This value is returned when the applicable stream part was reset by the remote
+peer.
+.Sp
+For \fBSSL_get_stream_read_state()\fR, this means that the peer sent a QUIC
+\&\fBRESET_STREAM\fR frame for the receiving part of the stream; the receiving part
+of the stream was logically aborted by the peer.
+.Sp
+For \fBSSL_get_stream_write_state()\fR, this means that the peer sent a QUIC
+\&\fBSTOP_SENDING\fR frame for the sending part of the stream; the peer has indicated
+that it does not wish to receive further data on the sending part of the stream.
+Calls to \fBSSL_write\fR\|(3) will fail.
+.Sp
+When this value is returned, the application error code which was signalled can
+be obtained by calling \fBSSL_get_stream_read_error_code()\fR or
+\&\fBSSL_get_stream_write_error_code()\fR as appropriate.
+.IP \fBSSL_STREAM_STATE_CONN_CLOSED\fR 4
+.IX Item "SSL_STREAM_STATE_CONN_CLOSED"
+The QUIC connection to which the stream belongs was closed. You can obtain
+information about the circumstances of this closure using
+\&\fBSSL_get_conn_close_info\fR\|(3). There may still be residual data available to
+read via \fBSSL_read\fR\|(3) when this state is returned. Calls to \fBSSL_write\fR\|(3)
+will fail. \fBSSL_get_stream_read_state()\fR will return this state if and only if
+\&\fBSSL_get_stream_write_state()\fR will also return this state.
+.PP
+\&\fBSSL_get_stream_read_error_code()\fR and \fBSSL_get_stream_write_error_code()\fR provide
+the application error code which was signalled during non-normal termination of
+the receiving or sending parts of a stream, respectively. On success, the
+application error code is written to \fI*app_error_code\fR.
+.SH NOTES
+.IX Header "NOTES"
+If a QUIC connection is closed, the stream state for all streams transitions to
+\&\fBSSL_STREAM_STATE_CONN_CLOSED\fR, but no application error code can be retrieved
+using \fBSSL_get_stream_read_error_code()\fR or \fBSSL_get_stream_write_error_code()\fR, as
+the QUIC connection closure process does not cause an application error code to
+be associated with each individual stream still existing at the time of
+connection closure. However, you can obtain the overall error code associated
+with the connection closure using \fBSSL_get_conn_close_info\fR\|(3).
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_get_stream_read_state()\fR and \fBSSL_get_stream_write_state()\fR return one of the
+\&\fBSSL_STREAM_STATE\fR values. If called on a non-QUIC SSL object, or a QUIC
+connection SSL object without a default stream, \fBSSL_STREAM_STATE_NONE\fR is
+returned.
+.PP
+\&\fBSSL_get_stream_read_error_code()\fR and \fBSSL_get_stream_write_error_code()\fR return 1
+on success and 0 if the stream was terminated normally. They return \-1 on error,
+for example if the stream is still healthy, was still healthy at the time of
+connection closure, if called on a stream for which the respective stream part
+does not exist (e.g. on a unidirectional stream), or if called on a non-QUIC
+object or a QUIC connection SSL object without a default stream attached.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_stream_conclude\fR\|(3), \fBSSL_stream_reset\fR\|(3), \fBSSL_new_stream\fR\|(3),
+\&\fBSSL_accept_stream\fR\|(3), \fBSSL_get_conn_close_info\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3 b/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3
new file mode 100644
index 000000000000..4add4a3c58ac
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_get_value_uint.3
@@ -0,0 +1,371 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_GET_VALUE_UINT 3ossl"
+.TH SSL_GET_VALUE_UINT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_get_value_uint, SSL_set_value_uint, SSL_get_generic_value_uint,
+SSL_set_generic_value_uint, SSL_get_feature_request_uint,
+SSL_set_feature_request_uint, SSL_get_feature_peer_request_uint,
+SSL_get_feature_negotiated_uint, SSL_get_quic_stream_bidi_local_avail,
+SSL_get_quic_stream_bidi_remote_avail, SSL_get_quic_stream_uni_local_avail,
+SSL_get_quic_stream_uni_remote_avail, SSL_VALUE_CLASS_GENERIC,
+SSL_VALUE_CLASS_FEATURE_REQUEST, SSL_VALUE_CLASS_FEATURE_PEER_REQUEST,
+SSL_VALUE_CLASS_FEATURE_NEGOTIATED, SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL,
+SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL, SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL,
+SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL, SSL_VALUE_QUIC_IDLE_TIMEOUT,
+SSL_VALUE_EVENT_HANDLING_MODE,
+SSL_VALUE_EVENT_HANDLING_MODE_INHERIT,
+SSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT,
+SSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT,
+SSL_get_event_handling_mode,
+SSL_set_event_handling_mode,
+SSL_VALUE_STREAM_WRITE_BUF_SIZE,
+SSL_get_stream_write_buf_size,
+SSL_VALUE_STREAM_WRITE_BUF_USED,
+SSL_get_stream_write_buf_used,
+SSL_VALUE_STREAM_WRITE_BUF_AVAIL,
+SSL_get_stream_write_buf_avail \-
+manage negotiable features and configuration values for an SSL object
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_get_value_uint(SSL *ssl, uint32_t class_, uint32_t id,
+\& uint64_t *value);
+\& int SSL_set_value_uint(SSL *ssl, uint32_t class_, uint32_t id,
+\& uint64_t value);
+\&
+\& #define SSL_VALUE_CLASS_GENERIC
+\& #define SSL_VALUE_CLASS_FEATURE_REQUEST
+\& #define SSL_VALUE_CLASS_FEATURE_PEER_REQUEST
+\& #define SSL_VALUE_CLASS_FEATURE_NEGOTIATED
+\&
+\& #define SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL
+\& #define SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL
+\& #define SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL
+\& #define SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL
+\& #define SSL_VALUE_QUIC_IDLE_TIMEOUT
+\&
+\& #define SSL_VALUE_EVENT_HANDLING_MODE
+\& #define SSL_VALUE_EVENT_HANDLING_MODE_INHERIT
+\& #define SSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT
+\& #define SSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT
+\&
+\& #define SSL_VALUE_STREAM_WRITE_BUF_SIZE
+\& #define SSL_VALUE_STREAM_WRITE_BUF_USED
+\& #define SSL_VALUE_STREAM_WRITE_BUF_AVAIL
+.Ve
+.PP
+The following convenience macros can also be used:
+.PP
+.Vb 2
+\& int SSL_get_generic_value_uint(SSL *ssl, uint32_t id, uint64_t *value);
+\& int SSL_set_generic_value_uint(SSL *ssl, uint32_t id, uint64_t value);
+\&
+\& int SSL_get_feature_request_uint(SSL *ssl, uint32_t id, uint64_t *value);
+\& int SSL_set_feature_request_uint(SSL *ssl, uint32_t id, uint64_t value);
+\&
+\& int SSL_get_feature_peer_request_uint(SSL *ssl, uint32_t id, uint64_t *value);
+\& int SSL_get_feature_negotiated_uint(SSL *ssl, uint32_t id, uint64_t *value);
+\&
+\& int SSL_get_quic_stream_bidi_local_avail(SSL *ssl, uint64_t *value);
+\& int SSL_get_quic_stream_bidi_remote_avail(SSL *ssl, uint64_t *value);
+\& int SSL_get_quic_stream_uni_local_avail(SSL *ssl, uint64_t *value);
+\& int SSL_get_quic_stream_uni_remote_avail(SSL *ssl, uint64_t *value);
+\&
+\& int SSL_get_event_handling_mode(SSL *ssl, uint64_t *value);
+\& int SSL_set_event_handling_mode(SSL *ssl, uint64_t value);
+\&
+\& int SSL_get_stream_write_buf_size(SSL *ssl, uint64_t *value);
+\& int SSL_get_stream_write_buf_avail(SSL *ssl, uint64_t *value);
+\& int SSL_get_stream_write_buf_used(SSL *ssl, uint64_t *value);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_get_value_uint()\fR and \fBSSL_set_value_uint()\fR provide access to configurable
+parameters for a given SSL object. Amongst other things, they are used to
+provide control over the feature negotiation process during establishment of a
+connection, and access to statistics about that connection.
+.PP
+\&\fBSSL_get_value_uint()\fR and \fBSSL_set_value_uint()\fR get and set configurable values
+within a given value class. The value classes are enumerated by
+\&\fBSSL_VALUE_CLASS\fR and are as follows:
+.IP \fBSSL_VALUE_CLASS_GENERIC\fR 4
+.IX Item "SSL_VALUE_CLASS_GENERIC"
+Values in this class do not participate in the feature negotiation process. They
+may represent connection parameters which do not participate in explicit
+negotiation or provide connection statistics. Values in this class might be
+read-write or read-only.
+.Sp
+You can access values in this class using the convenience macros
+\&\fBSSL_get_generic_value_uint()\fR and \fBSSL_set_generic_value_uint()\fR for brevity.
+.IP \fBSSL_VALUE_CLASS_FEATURE_REQUEST\fR 4
+.IX Item "SSL_VALUE_CLASS_FEATURE_REQUEST"
+Values in this class are read-write, and represent what the local party is
+requesting during feature negotiation. Such a request will not necessarily be
+honoured; see \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR.
+.Sp
+A value in this class may become read-only in certain circumstances; for
+example, after a connection has been established, for a value which cannot be
+renegotiated after connection establishment. Setting a value in this class after
+connection establishment represents a request for online renegotiation of the
+specified feature.
+.Sp
+You can access values in this class using the convenience macros
+\&\fBSSL_get_feature_request_uint()\fR and \fBSSL_set_feature_request_uint()\fR for brevity.
+.IP \fBSSL_VALUE_CLASS_FEATURE_PEER_REQUEST\fR 4
+.IX Item "SSL_VALUE_CLASS_FEATURE_PEER_REQUEST"
+Values in this value class are read-only, and represent what was requested by a
+peer during feature negotiation. Such a request has not necessarily been
+honoured; see \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR.
+.Sp
+You can access values in this class using the convenience macro
+\&\fBSSL_get_feature_peer_request_uint()\fR for brevity.
+.IP \fBSSL_VALUE_CLASS_FEATURE_NEGOTIATED\fR 4
+.IX Item "SSL_VALUE_CLASS_FEATURE_NEGOTIATED"
+Values in this value class are read-only, and represent the value which was
+actually negotiated based on both local and peer input during feature
+negotiation. This is the effective value in actual use.
+.Sp
+Attempting to read a value in this class will generally fail if the feature
+negotiation process has not yet completed and the value is therefore currently
+unknown, unless the nature of the feature in question causes a provisional value
+to be used prior to completion of feature negotiation, in which case that value
+may be returned. If an online (post-handshake) renegotiation of a feature is
+in progress, retrieving the negotiated value will continue to retrieve the
+previous negotiated value until that process is completed. See the documentation
+of specific values for full details of its behaviour.
+.Sp
+You can access values in this class using the convenience macro
+\&\fBSSL_get_feature_negotiated_uint()\fR for brevity.
+.SH "CONFIGURABLE VALUES FOR QUIC OBJECTS"
+.IX Header "CONFIGURABLE VALUES FOR QUIC OBJECTS"
+The following configurable values are supported for QUIC SSL objects. Whether a
+value is supported for a QUIC connection SSL object or a QUIC stream SSL object
+is indicated in the heading for each value. Values supported for QUIC stream SSL
+objects are also supported on QUIC connection SSL objects if they have a default
+stream attached.
+.PP
+\&\fBSSL_get_value()\fR does not cause internal event processing to occur unless the
+documentation for a specific value specifies otherwise.
+.IP "\fBSSL_VALUE_QUIC_IDLE_TIMEOUT\fR (connection object)" 4
+.IX Item "SSL_VALUE_QUIC_IDLE_TIMEOUT (connection object)"
+Negotiated feature value. This configures the desired QUIC idle timeout in
+milliseconds, where 0 represents a lack of an idle timeout. This feature can
+only be configured prior to connection establishment and cannot be subsequently
+changed.
+.Sp
+This release of OpenSSL uses a default value of 30 seconds. This default value
+may change between releases of OpenSSL.
+.IP "\fBSSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL\fR (connection object)" 4
+.IX Item "SSL_VALUE_QUIC_STREAM_BIDI_LOCAL_AVAIL (connection object)"
+Generic read-only statistical value. The number of bidirectional,
+locally-initiated streams available to be created (but not yet created). For
+example, a value of 100 would mean that \fBSSL_new_stream\fR\|(3) could be called 100
+times to create 100 bidirectional streams before \fBSSL_new_stream\fR\|(3) would
+block or fail due to backpressure.
+.Sp
+Can be queried using the convenience macro
+\&\fBSSL_get_quic_stream_bidi_local_avail()\fR.
+.IP "\fBSSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL\fR (connection object)" 4
+.IX Item "SSL_VALUE_QUIC_STREAM_UNI_LOCAL_AVAIL (connection object)"
+As above, but provides the number of unidirectional, locally-initiated streams
+available to be created (but not yet created).
+.Sp
+Can be queried using the convenience macro
+\&\fBSSL_get_quic_stream_uni_local_avail()\fR.
+.IP "\fBSSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL\fR (connection object)" 4
+.IX Item "SSL_VALUE_QUIC_STREAM_BIDI_REMOTE_AVAIL (connection object)"
+As above, but provides the number of bidirectional, remotely-initiated streams
+available to be created (but not yet created) by the peer. This represents the
+number of streams the local endpoint has authorised the peer to create in terms
+of QUIC stream creation flow control.
+.Sp
+Can be queried using the convenience macro
+\&\fBSSL_get_quic_stream_bidi_remote_avail()\fR.
+.IP "\fBSSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL\fR (connection object)" 4
+.IX Item "SSL_VALUE_QUIC_STREAM_UNI_REMOTE_AVAIL (connection object)"
+As above, but provides the number of unidirectional, remotely-initiated streams
+available to be created (but not yet created).
+.Sp
+Can be queried using the convenience macro
+\&\fBSSL_get_quic_stream_uni_remote_avail()\fR.
+.IP "\fBSSL_VALUE_EVENT_HANDLING_MODE\fR (connection or stream object)" 4
+.IX Item "SSL_VALUE_EVENT_HANDLING_MODE (connection or stream object)"
+Generic value. This is an integer value which takes one of the following values,
+and determines the event handling mode in use:
+.RS 4
+.IP \fBSSL_VALUE_EVENT_HANDLING_MODE_INHERIT\fR 4
+.IX Item "SSL_VALUE_EVENT_HANDLING_MODE_INHERIT"
+When set, the event handling mode used is inherited from the value set on the
+parent connection (for a stream), or, for a connection, defaults to the implicit
+event handling model.
+.Sp
+When a new connection is created, or a new stream is created or accepted, it
+defaults to this setting.
+.IP "\fBSSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT\fR (Implicit event handling)" 4
+.IX Item "SSL_VALUE_EVENT_HANDLING_MODE_IMPLICIT (Implicit event handling)"
+If set to this value, the implicit event handling model is used. Under this
+model, QUIC objects will automatically perform background event processing
+(equivalent to a call to \fBSSL_handle_events\fR\|(3)) when calls to I/O functions
+such as \fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) are made on a QUIC SSL object.
+This helps to maintain the health of the QUIC connection and ensures that
+incoming datagrams and timeout events are processed.
+.IP "\fBSSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT\fR (Explicit event handling)" 4
+.IX Item "SSL_VALUE_EVENT_HANDLING_MODE_EXPLICIT (Explicit event handling)"
+If set to this value, the explicit event handling model is used. Under this
+model, \fBnonblocking\fR calls to I/O functions such as \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_write_ex\fR\|(3) do not result in the automatic processing of QUIC events. Any
+new incoming network traffic is not handled; no new outgoing network traffic is
+generated, and pending timeout events are not processed. This allows an
+application to obtain greater control over the circumstances in which QUIC event
+processing occurs. If this event handling model is used, it is the application's
+responsibility to call \fBSSL_handle_events\fR\|(3) as and when called for by the
+QUIC implementation; see the \fBSSL_get_rpoll_descriptor\fR\|(3) man page for more
+information.
+.Sp
+Selecting this model does not affect the operation of blocking I/O calls, which
+will continue to use the implicit event handling model. Therefore, applications
+using this model will generally want to disable blocking operation using
+\&\fBSSL_set_blocking_mode\fR\|(3).
+.RE
+.RS 4
+.Sp
+Can be configured using the convenience macros \fBSSL_get_event_handling_mode()\fR and
+\&\fBSSL_set_event_handling_mode()\fR.
+.Sp
+A call to \fBSSL_set_value_uint()\fR which causes this value to switch back to the
+implicit event handling model does not in itself cause implicit event handling
+to occur; such handling will occur on the next I/O API call. Equally, a call to
+\&\fBSSL_set_value_uint()\fR which causes this value to switch to the explicit event
+handling model will not cause event handling to occur before making that
+transition.
+.Sp
+This value controls whether implicit event handling occurs when making an I/O
+API call on the SSL object it is set on. However, event processing is not
+confined to state which relates to only that object. For example, if you
+configure explicit event handling on QUIC stream SSL object "A" and configure
+implicit event handling on QUIC stream SSL object "B", a call to an I/O function
+on "B" may result in state changes to "A". In other words, if event handling
+does happen as a result of an API call to an object related to a connection,
+processing of background events (for example, received QUIC network traffic) may
+also affect the state of any other object related to a connection.
+.RE
+.IP "\fBSSL_VALUE_STREAM_WRITE_BUF_SIZE\fR (stream object)" 4
+.IX Item "SSL_VALUE_STREAM_WRITE_BUF_SIZE (stream object)"
+Generic read-only statistical value. The size of the write buffer allocated to
+hold data written to a stream with \fBSSL_write_ex\fR\|(3) until it is transmitted
+and subsequently acknowledged by the peer. This value may change at any time, as
+buffer sizes are optimised in response to network conditions to optimise
+throughput.
+.Sp
+Can be queried using the convenience macro \fBSSL_get_stream_write_buf_size()\fR.
+.IP "\fBSSL_VALUE_STREAM_WRITE_BUF_USED\fR (stream object)" 4
+.IX Item "SSL_VALUE_STREAM_WRITE_BUF_USED (stream object)"
+Generic read-only statistical value. The number of bytes currently consumed
+in the write buffer which have yet to be acknowledged by the peer. Successful
+calls to \fBSSL_write_ex\fR\|(3) which accept data cause this number to increase.
+This number will then decrease as data is acknowledged by the peer.
+.Sp
+Can be queried using the convenience macro \fBSSL_get_stream_write_buf_used()\fR.
+.IP "\fBSSL_VALUE_STREAM_WRITE_BUF_AVAIL\fR (stream object)" 4
+.IX Item "SSL_VALUE_STREAM_WRITE_BUF_AVAIL (stream object)"
+Generic read-only statistical value. The number of bytes available in the write
+buffer which have yet to be consumed by calls to \fBSSL_write_ex\fR\|(3). Successful
+calls to \fBSSL_write_ex\fR\|(3) which accept data cause this number to decrease.
+This number will increase as data is acknowledged by the peer. It may also
+change if the buffer is resized automatically to optimise throughput.
+.Sp
+Can be queried using the convenience macro \fBSSL_get_stream_write_buf_avail()\fR.
+.PP
+No configurable values are currently defined for non-QUIC SSL objects.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success or 0 on failure. This function can fail for a number of
+reasons:
+.IP \(bu 4
+An argument is invalid (e.g. NULL pointer or invalid class).
+.IP \(bu 4
+The given value is not supported by the SSL object on which it was called.
+.IP \(bu 4
+The given operation (get or set) is not supported by the specified
+configurable value.
+.IP \(bu 4
+You are trying to modify the given value and the value is not modifiable at this
+time.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_ctrl\fR\|(3), \fBSSL_get_accept_stream_queue_len\fR\|(3),
+\&\fBSSL_get_stream_read_state\fR\|(3), \fBSSL_get_stream_write_state\fR\|(3),
+\&\fBSSL_get_stream_read_error_code\fR\|(3), \fBSSL_get_stream_write_error_code\fR\|(3),
+\&\fBSSL_set_default_stream_mode\fR\|(3), \fBSSL_set_incoming_stream_policy\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.3.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3
index fb1f3eda41fd..cc2aa9d5a88a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_VERIFY_RESULT 3ossl"
-.TH SSL_GET_VERIFY_RESULT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_VERIFY_RESULT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_get_verify_result \- get result of peer certificate verification
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_get_verify_result(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_get_verify_result()\fR returns the result of the verification of the
-X509 certificate presented by the peer, if any.
-.SH "NOTES"
+X509 certificate presented by the peer, if any. \fIssl\fR \fBMUST NOT\fR be NULL.
+.SH NOTES
.IX Header "NOTES"
\&\fBSSL_get_verify_result()\fR can only return one error code while the verification
of a certificate can fail because of many reasons at the same time. Only
@@ -165,7 +89,7 @@ these errors may no longer be available.
.PP
The verification result is part of the established session and is restored
when a session is reused.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
If no peer certificate was presented, the returned result code is
X509_V_OK. This is because no verification error occurred, it does however
@@ -174,7 +98,7 @@ with \fBSSL_get_peer_certificate\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can currently occur:
-.IP "X509_V_OK" 4
+.IP X509_V_OK 4
.IX Item "X509_V_OK"
The verification succeeded or no peer certificate was presented.
.IP "Any other value" 4
@@ -185,11 +109,11 @@ Documented in \fBopenssl\-verify\fR\|(1).
\&\fBssl\fR\|(7), \fBSSL_set_verify_result\fR\|(3),
\&\fBSSL_get_peer_certificate\fR\|(3),
\&\fBopenssl\-verify\fR\|(1)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_version.3 b/secure/lib/libcrypto/man/man3/SSL_get_version.3
index b8f813635f21..2b4f087892b6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_version.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_VERSION 3ossl"
-.TH SSL_GET_VERSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GET_VERSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_client_version, SSL_get_version, SSL_is_dtls, SSL_version \- get the
-protocol information of a connection
-.SH "SYNOPSIS"
+.SH NAME
+SSL_client_version, SSL_get_version, SSL_is_dtls, SSL_is_tls, SSL_is_quic,
+SSL_version \- get the protocol information of a connection
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -149,72 +73,105 @@ protocol information of a connection
\& const char *SSL_get_version(const SSL *ssl);
\&
\& int SSL_is_dtls(const SSL *ssl);
+\& int SSL_is_tls(const SSL *ssl);
+\& int SSL_is_quic(const SSL *ssl);
\&
\& int SSL_version(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_client_version()\fR returns the numeric protocol version advertised by the
-client in the legacy_version field of the ClientHello when initiating the
-connection. Note that, for \s-1TLS,\s0 this value will never indicate a version greater
-than TLSv1.2 even if TLSv1.3 is subsequently negotiated. \fBSSL_get_version()\fR
-returns the name of the protocol used for the connection. \fBSSL_version()\fR returns
-the numeric protocol version used for the connection. They should only be called
-after the initial handshake has been completed. Prior to that the results
-returned from these functions may be unreliable.
+For SSL, TLS and DTLS protocols \fBSSL_client_version()\fR returns the numeric
+protocol version advertised by the client in the legacy_version field of the
+ClientHello when initiating the connection. Note that, for TLS, this value
+will never indicate a version greater than TLSv1.2 even if TLSv1.3 is
+subsequently negotiated. For QUIC connections it returns OSSL_QUIC1_VERSION.
+.PP
+\&\fBSSL_get_version()\fR returns the name of the protocol used for the connection.
+\&\fBSSL_version()\fR returns the numeric protocol version used for the connection.
+They should only be called after the initial handshake has been completed.
+Prior to that the results returned from these functions may be unreliable.
+.PP
+\&\fBSSL_is_dtls()\fR returns 1 if the connection is using DTLS or 0 if not.
+.PP
+\&\fBSSL_is_tls()\fR returns 1 if the connection is using SSL/TLS or 0 if not.
.PP
-\&\fBSSL_is_dtls()\fR returns one if the connection is using \s-1DTLS,\s0 zero if not.
+\&\fBSSL_is_quic()\fR returns 1 if the connection is using QUIC or 0 if not.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_version()\fR returns one of the following strings:
-.IP "SSLv3" 4
+.IP SSLv3 4
.IX Item "SSLv3"
The connection uses the SSLv3 protocol.
-.IP "TLSv1" 4
+.IP TLSv1 4
.IX Item "TLSv1"
The connection uses the TLSv1.0 protocol.
-.IP "TLSv1.1" 4
+.IP TLSv1.1 4
.IX Item "TLSv1.1"
The connection uses the TLSv1.1 protocol.
-.IP "TLSv1.2" 4
+.IP TLSv1.2 4
.IX Item "TLSv1.2"
The connection uses the TLSv1.2 protocol.
-.IP "TLSv1.3" 4
+.IP TLSv1.3 4
.IX Item "TLSv1.3"
The connection uses the TLSv1.3 protocol.
-.IP "unknown" 4
+.IP DTLSv0.9 4
+.IX Item "DTLSv0.9"
+The connection uses an obsolete pre-standardisation DTLS protocol
+.IP DTLSv1 4
+.IX Item "DTLSv1"
+The connection uses the DTLSv1 protocol
+.IP DTLSv1.2 4
+.IX Item "DTLSv1.2"
+The connection uses the DTLSv1.2 protocol
+.IP QUICv1 4
+.IX Item "QUICv1"
+The connection uses the QUICv1 protocol.
+.IP unknown 4
.IX Item "unknown"
This indicates an unknown protocol version.
.PP
\&\fBSSL_version()\fR and \fBSSL_client_version()\fR return an integer which could include any
of the following:
-.IP "\s-1SSL3_VERSION\s0" 4
+.IP SSL3_VERSION 4
.IX Item "SSL3_VERSION"
The connection uses the SSLv3 protocol.
-.IP "\s-1TLS1_VERSION\s0" 4
+.IP TLS1_VERSION 4
.IX Item "TLS1_VERSION"
The connection uses the TLSv1.0 protocol.
-.IP "\s-1TLS1_1_VERSION\s0" 4
+.IP TLS1_1_VERSION 4
.IX Item "TLS1_1_VERSION"
The connection uses the TLSv1.1 protocol.
-.IP "\s-1TLS1_2_VERSION\s0" 4
+.IP TLS1_2_VERSION 4
.IX Item "TLS1_2_VERSION"
The connection uses the TLSv1.2 protocol.
-.IP "\s-1TLS1_3_VERSION\s0" 4
+.IP TLS1_3_VERSION 4
.IX Item "TLS1_3_VERSION"
The connection uses the TLSv1.3 protocol (never returned for
\&\fBSSL_client_version()\fR).
+.IP DTLS1_BAD_VER 4
+.IX Item "DTLS1_BAD_VER"
+The connection uses an obsolete pre-standardisation DTLS protocol
+.IP DTLS1_VERSION 4
+.IX Item "DTLS1_VERSION"
+The connection uses the DTLSv1 protocol
+.IP DTLS1_2_VERSION 4
+.IX Item "DTLS1_2_VERSION"
+The connection uses the DTLSv1.2 protocol
+.IP OSSL_QUIC1_VERSION 4
+.IX Item "OSSL_QUIC1_VERSION"
+The connection uses the QUICv1 protocol.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \fBSSL_is_dtls()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+The \fBSSL_is_dtls()\fR function was added in OpenSSL 1.1.0. The \fBSSL_is_tls()\fR and
+\&\fBSSL_is_quic()\fR functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_group_to_name.3 b/secure/lib/libcrypto/man/man3/SSL_group_to_name.3
index dc27962c782e..e15afe65b81f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_group_to_name.3
+++ b/secure/lib/libcrypto/man/man3/SSL_group_to_name.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,106 +52,46 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GROUP_TO_NAME 3ossl"
-.TH SSL_GROUP_TO_NAME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_GROUP_TO_NAME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_group_to_name \- get name of group
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
-\& const char *SSL_group_to_name(const SSL *ssl, int id);
+\& const char *SSL_group_to_name(SSL *ssl, int id);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_group_to_name()\fR is used to retrieve the \s-1TLS\s0 group name
-associated with a given \s-1TLS\s0 group \s-1ID,\s0 as registered via built-in
+\&\fBSSL_group_to_name()\fR is used to retrieve the TLS group name
+associated with a given TLS group ID, as registered via built-in
or external providers and as returned by a call to \fBSSL_get1_groups()\fR
or \fBSSL_get_shared_group()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If non-NULL, \fBSSL_group_to_name()\fR returns the \s-1TLS\s0 group name
+If non-NULL, \fBSSL_group_to_name()\fR returns the TLS group name
corresponding to the given \fIid\fR as a NUL-terminated string.
-If \fBSSL_group_to_name()\fR returns \s-1NULL,\s0 an error occurred; possibly no
+If \fBSSL_group_to_name()\fR returns NULL, an error occurred; possibly no
corresponding tlsname was registered during provider initialisation.
.PP
Note that the return value is valid only during the lifetime of the
-\&\s-1SSL\s0 object \fIssl\fR.
+SSL object \fIssl\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_handle_events.3 b/secure/lib/libcrypto/man/man3/SSL_handle_events.3
new file mode 100644
index 000000000000..dd29db6f978c
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_handle_events.3
@@ -0,0 +1,147 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_HANDLE_EVENTS 3ossl"
+.TH SSL_HANDLE_EVENTS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_handle_events \- advance asynchronous state machine and perform network I/O
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_handle_events(SSL *ssl);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_handle_events()\fR performs any internal processing which is due on an SSL object. The
+exact operations performed by \fBSSL_handle_events()\fR vary depending on what kind of protocol
+is being used with the given SSL object. For example, \fBSSL_handle_events()\fR may handle
+timeout events which have become due, or may attempt, to the extent currently
+possible, to perform network I/O operations on one of the BIOs underlying the
+SSL object.
+.PP
+The primary use case for \fBSSL_handle_events()\fR is to allow an application which uses
+OpenSSL in nonblocking mode to give OpenSSL an opportunity to handle timer
+events, or to respond to the availability of new data to be read from an
+underlying BIO, or to respond to the opportunity to write pending data to an
+underlying BIO.
+.PP
+\&\fBSSL_handle_events()\fR can be used only with the following types of SSL object:
+.IP "DTLS SSL objects" 4
+.IX Item "DTLS SSL objects"
+Using \fBSSL_handle_events()\fR on an SSL object being used with a DTLS method allows timeout
+events to be handled properly. This is equivalent to a call to
+\&\fBDTLSv1_handle_timeout\fR\|(3). Since \fBSSL_handle_events()\fR handles a superset of the use
+cases of \fBDTLSv1_handle_timeout\fR\|(3), it should be preferred for new
+applications which do not require support for OpenSSL 3.1 or older.
+.Sp
+When using DTLS, an application must call \fBSSL_handle_events()\fR as indicated by
+calls to \fBSSL_get_event_timeout\fR\|(3); event handling is not performed
+automatically by calls to other SSL functions such as \fBSSL_read\fR\|(3) or
+\&\fBSSL_write\fR\|(3). Note that this is different to QUIC which also performs event
+handling implicitly; see below.
+.IP "QUIC connection SSL objects" 4
+.IX Item "QUIC connection SSL objects"
+Using \fBSSL_handle_events()\fR on an SSL object which represents a QUIC connection allows
+timeout events to be handled properly, as well as incoming network data to be
+processed, and queued outgoing network data to be written, if the underlying BIO
+has the capacity to accept it.
+.Sp
+Ordinarily, when an application uses an SSL object in blocking mode, it does not
+need to call \fBSSL_handle_events()\fR because OpenSSL performs ticking internally on an
+automatic basis. However, if an application uses a QUIC connection in
+nonblocking mode, it must at a minimum ensure that \fBSSL_handle_events()\fR is called
+periodically to allow timeout events to be handled. An application can find out
+when it next needs to call \fBSSL_handle_events()\fR for this purpose (if at all) by calling
+\&\fBSSL_get_event_timeout\fR\|(3).
+.Sp
+Calling \fBSSL_handle_events()\fR on a QUIC connection SSL object being used in blocking mode
+is not necessary unless no I/O calls (such as \fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3))
+will be made to the object for a substantial period of time. So long as at least
+one call to the SSL object is blocking, no such call is needed. However,
+\&\fBSSL_handle_events()\fR may optionally be used on a QUIC connection object if desired.
+.Sp
+With the thread-assisted mode of operation \fBOSSL_QUIC_client_thread_method\fR\|(3)
+it is unnecessary to call \fBSSL_handle_events()\fR as the assist thread handles the QUIC
+connection events.
+.PP
+Calling \fBSSL_handle_events()\fR on any other kind of SSL object is a no-op. This is
+considered a success case.
+.PP
+Note that \fBSSL_handle_events()\fR supersedes the older \fBDTLSv1_handle_timeout\fR\|(3) function
+for all use cases.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success and 0 on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_get_event_timeout\fR\|(3), \fBDTLSv1_handle_timeout\fR\|(3), \fBssl\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_handle_events()\fR function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_in_init.3 b/secure/lib/libcrypto/man/man3/SSL_in_init.3
index eedaea237465..41708d4656c3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_in_init.3
+++ b/secure/lib/libcrypto/man/man3/SSL_in_init.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_IN_INIT 3ossl"
-.TH SSL_IN_INIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_IN_INIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_in_before,
SSL_in_init,
SSL_is_init_finished,
@@ -144,7 +68,7 @@ SSL_in_connect_init,
SSL_in_accept_init,
SSL_get_state
\&\- retrieve information about the handshake state machine
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -158,20 +82,22 @@ SSL_get_state
\&
\& OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_in_init()\fR returns 1 if the \s-1SSL/TLS\s0 state machine is currently processing or
+\&\fBSSL_in_init()\fR returns 1 if the SSL/TLS state machine is currently processing or
awaiting handshake messages, or 0 otherwise.
.PP
-\&\fBSSL_in_before()\fR returns 1 if no \s-1SSL/TLS\s0 handshake has yet been initiated, or 0
+\&\fBSSL_in_before()\fR returns 1 if no SSL/TLS handshake has yet been initiated, or 0
otherwise.
.PP
-\&\fBSSL_is_init_finished()\fR returns 1 if the \s-1SSL/TLS\s0 connection is in a state where
+\&\fBSSL_is_init_finished()\fR returns 1 if the SSL/TLS connection is in a state where
fully protected application data can be transferred or 0 otherwise.
.PP
Note that in some circumstances (such as when early data is being transferred)
\&\fBSSL_in_init()\fR, \fBSSL_in_before()\fR and \fBSSL_is_init_finished()\fR can all return 0.
.PP
+\&\fBs\fR \fBMUST NOT\fR be NULL.
+.PP
\&\fBSSL_in_connect_init()\fR returns 1 if \fBs\fR is acting as a client and \fBSSL_in_init()\fR
would return 1, or 0 otherwise.
.PP
@@ -181,34 +107,34 @@ would return 1, or 0 otherwise.
\&\fBSSL_in_connect_init()\fR and \fBSSL_in_accept_init()\fR are implemented as macros.
.PP
\&\fBSSL_get_state()\fR returns a value indicating the current state of the handshake
-state machine. \s-1OSSL_HANDSHAKE_STATE\s0 is an enumerated type where each value
+state machine. OSSL_HANDSHAKE_STATE is an enumerated type where each value
indicates a discrete state machine state. Note that future versions of OpenSSL
may define more states so applications should expect to receive unrecognised
state values. The naming format is made up of a number of elements as follows:
.PP
\&\fBprotocol\fR_ST_\fBrole\fR_\fBmessage\fR
.PP
-\&\fBprotocol\fR is one of \s-1TLS\s0 or \s-1DTLS. DTLS\s0 is used where a state is specific to the
-\&\s-1DTLS\s0 protocol. Otherwise \s-1TLS\s0 is used.
+\&\fBprotocol\fR is one of TLS or DTLS. DTLS is used where a state is specific to the
+DTLS protocol. Otherwise TLS is used.
.PP
-\&\fBrole\fR is one of \s-1CR, CW, SR\s0 or \s-1SW\s0 to indicate \*(L"client reading\*(R",
-\&\*(L"client writing\*(R", \*(L"server reading\*(R" or \*(L"server writing\*(R" respectively.
+\&\fBrole\fR is one of CR, CW, SR or SW to indicate "client reading",
+"client writing", "server reading" or "server writing" respectively.
.PP
\&\fBmessage\fR is the name of a handshake message that is being or has been sent, or
is being or has been processed.
.PP
Additionally there are some special states that do not conform to the above
format. These are:
-.IP "\s-1TLS_ST_BEFORE\s0" 4
+.IP TLS_ST_BEFORE 4
.IX Item "TLS_ST_BEFORE"
No handshake messages have yet been been sent or received.
-.IP "\s-1TLS_ST_OK\s0" 4
+.IP TLS_ST_OK 4
.IX Item "TLS_ST_OK"
Handshake message sending/processing has completed.
-.IP "\s-1TLS_ST_EARLY_DATA\s0" 4
+.IP TLS_ST_EARLY_DATA 4
.IX Item "TLS_ST_EARLY_DATA"
Early data is being processed
-.IP "\s-1TLS_ST_PENDING_EARLY_DATA_END\s0" 4
+.IP TLS_ST_PENDING_EARLY_DATA_END 4
.IX Item "TLS_ST_PENDING_EARLY_DATA_END"
Awaiting the end of early data processing
.SH "RETURN VALUES"
@@ -221,11 +147,11 @@ and \fBSSL_in_accept_init()\fR return values as indicated above.
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_read_early_data\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3 b/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3
new file mode 100644
index 000000000000..ac81abe587b5
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_inject_net_dgram.3
@@ -0,0 +1,108 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_INJECT_NET_DGRAM 3ossl"
+.TH SSL_INJECT_NET_DGRAM 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_inject_net_dgram \- inject a datagram as though received from the network
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_inject_net_dgram(SSL *s, const unsigned char *buf,
+\& size_t buf_len,
+\& const BIO_ADDR *peer,
+\& const BIO_ADDR *local);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+This function can be used to inject a datagram payload to a QUIC connection SSL
+object. The payload is processed as though it was received from the network.
+This function can be used for debugging purposes or to allow datagrams to be fed
+to QUIC from alternative sources.
+.PP
+\&\fIbuf\fR is required and must point to a datagram payload to inject. \fIbuf_len\fR is
+the length of the buffer in bytes. The buffer is copied and need not remain
+valid after this function returns.
+.PP
+\&\fIpeer\fR and \fIlocal\fR are optional values pointing to \fBBIO_ADDR\fR structures
+describing the remote and local UDP endpoint addresses for the packet. Though
+the injected packet was not actually received from the network directly by
+OpenSSL, the packet will be processed as though the received datagram had the
+given addresses.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success or 0 on failure. This function always fails if called
+on an SSL object which is not a QUIC connection SSL object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_QUIC_client_method\fR\|(3), \fBSSL_handle_events\fR\|(3), \fBSSL_set_blocking_mode\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The function \fBSSL_inject_net_dgram()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_key_update.3 b/secure/lib/libcrypto/man/man3/SSL_key_update.3
index 19baa9d74be0..4afa54bc1b01 100644
--- a/secure/lib/libcrypto/man/man3/SSL_key_update.3
+++ b/secure/lib/libcrypto/man/man3/SSL_key_update.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_KEY_UPDATE 3ossl"
-.TH SSL_KEY_UPDATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_KEY_UPDATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_key_update,
SSL_get_key_update_type,
SSL_renegotiate,
SSL_renegotiate_abbreviated,
SSL_renegotiate_pending
\&\- initiate and obtain information about updating connection keys
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -155,27 +79,27 @@ SSL_renegotiate_pending
\& int SSL_renegotiate_abbreviated(SSL *s);
\& int SSL_renegotiate_pending(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_key_update()\fR schedules an update of the keys for the current \s-1TLS\s0 connection.
-If the \fBupdatetype\fR parameter is set to \fB\s-1SSL_KEY_UPDATE_NOT_REQUESTED\s0\fR then
+\&\fBSSL_key_update()\fR schedules an update of the keys for the current TLS connection.
+If the \fBupdatetype\fR parameter is set to \fBSSL_KEY_UPDATE_NOT_REQUESTED\fR then
the sending keys for this connection will be updated and the peer will be
informed of the change. If the \fBupdatetype\fR parameter is set to
-\&\fB\s-1SSL_KEY_UPDATE_REQUESTED\s0\fR then the sending keys for this connection will be
+\&\fBSSL_KEY_UPDATE_REQUESTED\fR then the sending keys for this connection will be
updated and the peer will be informed of the change along with a request for the
peer to additionally update its sending keys. It is an error if \fBupdatetype\fR is
-set to \fB\s-1SSL_KEY_UPDATE_NONE\s0\fR.
+set to \fBSSL_KEY_UPDATE_NONE\fR.
.PP
\&\fBSSL_key_update()\fR must only be called after the initial handshake has been
-completed and TLSv1.3 has been negotiated, at the same time, the application
-needs to ensure that the writing of data has been completed. The key update
-will not take place until the next time an \s-1IO\s0 operation such as \fBSSL_read_ex()\fR
-or \fBSSL_write_ex()\fR takes place on the connection. Alternatively \fBSSL_do_handshake()\fR
-can be called to force the update to take place immediately.
+completed and TLSv1.3 or QUIC has been negotiated, at the same time, the
+application needs to ensure that the writing of data has been completed. The key
+update will not take place until the next time an IO operation such as
+\&\fBSSL_read_ex()\fR or \fBSSL_write_ex()\fR takes place on the connection. Alternatively
+\&\fBSSL_do_handshake()\fR can be called to force the update to take place immediately.
.PP
\&\fBSSL_get_key_update_type()\fR can be used to determine whether a key update
operation has been scheduled but not yet performed. The type of the pending key
-update operation will be returned if there is one, or \s-1SSL_KEY_UPDATE_NONE\s0
+update operation will be returned if there is one, or SSL_KEY_UPDATE_NONE
otherwise.
.PP
\&\fBSSL_renegotiate()\fR and \fBSSL_renegotiate_abbreviated()\fR should only be called for
@@ -183,12 +107,14 @@ connections that have negotiated TLSv1.2 or less. Calling them on any other
connection will result in an error.
.PP
When called from the client side, \fBSSL_renegotiate()\fR schedules a completely new
-handshake over an existing \s-1SSL/TLS\s0 connection. The next time an \s-1IO\s0 operation
+handshake over an existing SSL/TLS connection. The next time an IO operation
such as \fBSSL_read_ex()\fR or \fBSSL_write_ex()\fR takes place on the connection a check
will be performed to confirm that it is a suitable time to start a
renegotiation. If so, then it will be initiated immediately. OpenSSL will not
attempt to resume any session associated with the connection in the new
-handshake.
+handshake. Note that some servers will respond to reneogitation attempts with
+a "no_renegotiation" alert. An OpenSSL will immediately fail the connection in
+this case.
.PP
When called from the client side, \fBSSL_renegotiate_abbreviated()\fR works in the
same was as \fBSSL_renegotiate()\fR except that OpenSSL will attempt to resume the
@@ -196,28 +122,44 @@ session associated with the current connection in the new handshake.
.PP
When called from the server side, \fBSSL_renegotiate()\fR and
\&\fBSSL_renegotiate_abbreviated()\fR behave identically. They both schedule a request
-for a new handshake to be sent to the client. The next time an \s-1IO\s0 operation is
+for a new handshake to be sent to the client. The next time an IO operation is
performed then the same checks as on the client side are performed and then, if
appropriate, the request is sent. The client may or may not respond with a new
handshake and it may or may not attempt to resume an existing session. If
a new handshake is started then this will be handled transparently by calling
-any OpenSSL \s-1IO\s0 function.
+any OpenSSL IO function.
.PP
If an OpenSSL client receives a renegotiation request from a server then again
-this will be handled transparently through calling any OpenSSL \s-1IO\s0 function. For
-a \s-1TLS\s0 connection the client will attempt to resume the current session in the
-new handshake. For historical reasons, \s-1DTLS\s0 clients will not attempt to resume
+this will be handled transparently through calling any OpenSSL IO function. For
+a TLS connection the client will attempt to resume the current session in the
+new handshake. For historical reasons, DTLS clients will not attempt to resume
the session in the new handshake.
.PP
The \fBSSL_renegotiate_pending()\fR function returns 1 if a renegotiation or
renegotiation request has been scheduled but not yet acted on, or 0 otherwise.
+.SH "USAGE WITH QUIC"
+.IX Header "USAGE WITH QUIC"
+\&\fBSSL_key_update()\fR can also be used to perform a key update when using QUIC. The
+function must be called on a QUIC connection SSL object. This is normally done
+automatically when needed. Since a locally initiated QUIC key update always
+causes a peer to also trigger a key update, passing
+\&\fBSSL_KEY_UPDATE_NOT_REQUESTED\fR as \fBupdatetype\fR has the same effect as passing
+\&\fBSSL_KEY_UPDATE_REQUESTED\fR.
+.PP
+The QUIC connection must have been fully established before a key update can be
+performed, and other QUIC protocol rules govern how frequently QUIC key update
+can be performed. \fBSSL_key_update()\fR will fail if these requirements are not met.
+.PP
+Because QUIC key updates are always handled immediately,
+\&\fBSSL_get_key_update_type()\fR always returns SSL_KEY_UPDATE_NONE when called on a
+QUIC connection SSL object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_key_update()\fR, \fBSSL_renegotiate()\fR and \fBSSL_renegotiate_abbreviated()\fR return 1
on success or 0 on error.
.PP
\&\fBSSL_get_key_update_type()\fR returns the update type of the pending key update
-operation or \s-1SSL_KEY_UPDATE_NONE\s0 if there is none.
+operation or SSL_KEY_UPDATE_NONE if there is none.
.PP
\&\fBSSL_renegotiate_pending()\fR returns 1 if a renegotiation or renegotiation request
has been scheduled but not yet acted on, or 0 otherwise.
@@ -226,15 +168,15 @@ has been scheduled but not yet acted on, or 0 otherwise.
\&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3),
\&\fBSSL_write_ex\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_key_update()\fR and \fBSSL_get_key_update_type()\fR functions were added in
OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_library_init.3 b/secure/lib/libcrypto/man/man3/SSL_library_init.3
index ca14cead2bf3..5f2b95638149 100644
--- a/secure/lib/libcrypto/man/man3/SSL_library_init.3
+++ b/secure/lib/libcrypto/man/man3/SSL_library_init.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_LIBRARY_INIT 3ossl"
-.TH SSL_LIBRARY_INIT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_LIBRARY_INIT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_library_init, OpenSSL_add_ssl_algorithms
\&\- initialize SSL library by registering algorithms
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -148,37 +72,37 @@ SSL_library_init, OpenSSL_add_ssl_algorithms
\&
\& int OpenSSL_add_ssl_algorithms(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_library_init()\fR registers the available \s-1SSL/TLS\s0 ciphers and digests.
+\&\fBSSL_library_init()\fR registers the available SSL/TLS ciphers and digests.
.PP
\&\fBOpenSSL_add_ssl_algorithms()\fR is a synonym for \fBSSL_library_init()\fR and is
implemented as a macro.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBSSL_library_init()\fR must be called before any other action takes place.
\&\fBSSL_library_init()\fR is not reentrant.
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
\&\fBSSL_library_init()\fR adds ciphers and digests used directly and indirectly by
-\&\s-1SSL/TLS.\s0
+SSL/TLS.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_library_init()\fR always returns \*(L"1\*(R", so it is safe to discard the return
+\&\fBSSL_library_init()\fR always returns "1", so it is safe to discard the return
value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBRAND_add\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_library_init()\fR and \fBOpenSSL_add_ssl_algorithms()\fR functions were
deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_ssl()\fR.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3
index 02a1b1f7833f..03354a8d4144 100644
--- a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3
+++ b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_LOAD_CLIENT_CA_FILE 3ossl"
-.TH SSL_LOAD_CLIENT_CA_FILE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_LOAD_CLIENT_CA_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_load_client_CA_file_ex, SSL_load_client_CA_file,
SSL_add_file_cert_subjects_to_stack,
SSL_add_dir_cert_subjects_to_stack,
SSL_add_store_cert_subjects_to_stack
\&\- load certificate names
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -159,14 +83,14 @@ SSL_add_store_cert_subjects_to_stack
\& int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
\& const char *store);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_load_client_CA_file_ex()\fR reads certificates from \fIfile\fR and returns
-a \s-1STACK_OF\s0(X509_NAME) with the subject names found. The library context \fIlibctx\fR
+a STACK_OF(X509_NAME) with the subject names found. The library context \fIlibctx\fR
and property query \fIpropq\fR are used when fetching algorithms from providers.
.PP
\&\fBSSL_load_client_CA_file()\fR is similar to \fBSSL_load_client_CA_file_ex()\fR
-but uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+but uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBSSL_add_file_cert_subjects_to_stack()\fR reads certificates from \fIfile\fR,
and adds their subject name to the already existing \fIstack\fR.
@@ -176,27 +100,37 @@ file in the directory \fIdir\fR, and adds their subject name to the
already existing \fIstack\fR.
.PP
\&\fBSSL_add_store_cert_subjects_to_stack()\fR loads certificates from the
-\&\fIstore\fR \s-1URI,\s0 and adds their subject name to the already existing
+\&\fIstore\fR URI, and adds their subject name to the already existing
\&\fIstack\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\fBSSL_load_client_CA_file()\fR reads a file of \s-1PEM\s0 formatted certificates and
+\&\fBSSL_load_client_CA_file()\fR reads a file of PEM formatted certificates and
extracts the X509_NAMES of the certificates found. While the name suggests
the specific usage as support function for
\&\fBSSL_CTX_set_client_CA_list\fR\|(3),
-it is not limited to \s-1CA\s0 certificates.
+it is not limited to CA certificates.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-The following return values can occur:
-.IP "\s-1NULL\s0" 4
+The following return values can occur for \fBSSL_load_client_CA_file_ex()\fR, and
+\&\fBSSL_load_client_CA_file()\fR:
+.IP NULL 4
.IX Item "NULL"
The operation failed, check out the error stack for the reason.
-.IP "Pointer to \s-1STACK_OF\s0(X509_NAME)" 4
+.IP "Pointer to STACK_OF(X509_NAME)" 4
.IX Item "Pointer to STACK_OF(X509_NAME)"
Pointer to the subject names of the successfully read certificates.
-.SH "EXAMPLES"
+.PP
+The following return values can occur for \fBSSL_add_file_cert_subjects_to_stack()\fR,
+\&\fBSSL_add_dir_cert_subjects_to_stack()\fR, and \fBSSL_add_store_cert_subjects_to_stack()\fR:
+.IP "0 (Failure)" 4
+.IX Item "0 (Failure)"
+The operation failed.
+.IP "1 (Success)" 4
+.IX Item "1 (Success)"
+The operation succeeded.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Load names of CAs from file and use it as a client \s-1CA\s0 list:
+Load names of CAs from file and use it as a client CA list:
.PP
.Vb 2
\& SSL_CTX *ctx;
@@ -215,15 +149,15 @@ Load names of CAs from file and use it as a client \s-1CA\s0 list:
\&\fBssl\fR\|(7),
\&\fBossl_store\fR\|(7),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_load_client_CA_file_ex()\fR and \fBSSL_add_store_cert_subjects_to_stack()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_new.3 b/secure/lib/libcrypto/man/man3/SSL_new.3
index e0650851a373..68a59be603a5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_new.3
+++ b/secure/lib/libcrypto/man/man3/SSL_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_NEW 3ossl"
-.TH SSL_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_dup, SSL_new, SSL_up_ref \- create an SSL structure for a connection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,29 +71,29 @@ SSL_dup, SSL_new, SSL_up_ref \- create an SSL structure for a connection
\& SSL *SSL_new(SSL_CTX *ctx);
\& int SSL_up_ref(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_new()\fR creates a new \fB\s-1SSL\s0\fR structure which is needed to hold the
-data for a \s-1TLS/SSL\s0 connection. The new structure inherits the settings
+\&\fBSSL_new()\fR creates a new \fBSSL\fR structure which is needed to hold the
+data for a TLS/SSL connection. The new structure inherits the settings
of the underlying context \fBctx\fR: connection method,
-options, verification settings, timeout settings. An \fB\s-1SSL\s0\fR structure is
-reference counted. Creating an \fB\s-1SSL\s0\fR structure for the first time increments
+options, verification settings, timeout settings. An \fBSSL\fR structure is
+reference counted. Creating an \fBSSL\fR structure for the first time increments
the reference count. Freeing it (using SSL_free) decrements it. When the
-reference count drops to zero, any memory or resources allocated to the \fB\s-1SSL\s0\fR
+reference count drops to zero, any memory or resources allocated to the \fBSSL\fR
structure are freed.
.PP
\&\fBSSL_up_ref()\fR increments the reference count for an
-existing \fB\s-1SSL\s0\fR structure.
+existing \fBSSL\fR structure.
.PP
-The function \fBSSL_dup()\fR creates and returns a new \fB\s-1SSL\s0\fR structure from the same
-\&\fB\s-1SSL_CTX\s0\fR that was used to create \fIs\fR. It additionally duplicates a subset of
-the settings in \fIs\fR into the new \fB\s-1SSL\s0\fR object.
+The function \fBSSL_dup()\fR creates and returns a new \fBSSL\fR structure from the same
+\&\fBSSL_CTX\fR that was used to create \fIs\fR. It additionally duplicates a subset of
+the settings in \fIs\fR into the new \fBSSL\fR object.
.PP
-For \fBSSL_dup()\fR to work, the connection \s-1MUST\s0 be in its initial state and
-\&\s-1MUST NOT\s0 have yet started the \s-1SSL\s0 handshake. For connections that are not in
+For \fBSSL_dup()\fR to work, the connection MUST be in its initial state and
+MUST NOT have yet started the SSL handshake. For connections that are not in
their initial state \fBSSL_dup()\fR just increments an internal
reference count and returns the \fIsame\fR handle. It may be possible to
-use \fBSSL_clear\fR\|(3) to recycle an \s-1SSL\s0 handle that is not in its initial
+use \fBSSL_clear\fR\|(3) to recycle an SSL handle that is not in its initial
state for reuse, but this is best avoided. Instead, save and restore
the session, if desired, and construct a fresh handle for each connection.
.PP
@@ -183,7 +107,7 @@ The subset of settings in \fIs\fR that are duplicated are:
.IX Item "any configured certificates, private keys or certificate chains"
.IP "any configured signature algorithms, or client signature algorithms" 4
.IX Item "any configured signature algorithms, or client signature algorithms"
-.IP "any \s-1DANE\s0 settings" 4
+.IP "any DANE settings" 4
.IX Item "any DANE settings"
.IP "any Options set via \fBSSL_set_options\fR\|(3)" 4
.IX Item "any Options set via SSL_set_options"
@@ -209,29 +133,32 @@ The subset of settings in \fIs\fR that are duplicated are:
.IX Item "the read_ahead value set via SSL_set_read_ahead"
.IP "application specific data set via \fBSSL_set_ex_data\fR\|(3)" 4
.IX Item "application specific data set via SSL_set_ex_data"
-.IP "any \s-1CA\s0 list or client \s-1CA\s0 list set via \fBSSL_set0_CA_list\fR\|(3), \fBSSL_set0_client_CA_list()\fR or similar functions" 4
+.IP "any CA list or client CA list set via \fBSSL_set0_CA_list\fR\|(3), \fBSSL_set0_client_CA_list()\fR or similar functions" 4
.IX Item "any CA list or client CA list set via SSL_set0_CA_list, SSL_set0_client_CA_list() or similar functions"
.IP "any security level settings or callbacks" 4
.IX Item "any security level settings or callbacks"
.IP "any configured serverinfo data" 4
.IX Item "any configured serverinfo data"
-.IP "any configured \s-1PSK\s0 identity hint" 4
+.IP "any configured PSK identity hint" 4
.IX Item "any configured PSK identity hint"
.IP "any configured custom extensions" 4
.IX Item "any configured custom extensions"
.IP "any client certificate types configured via SSL_set1_client_certificate_types" 4
.IX Item "any client certificate types configured via SSL_set1_client_certificate_types"
.PD
+.PP
+\&\fBSSL_dup()\fR is not supported on QUIC SSL objects and returns NULL if called on
+such an object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "\s-1NULL\s0" 4
+.IP NULL 4
.IX Item "NULL"
-The creation of a new \s-1SSL\s0 structure failed. Check the error stack to
+The creation of a new SSL structure failed. Check the error stack to
find out the reason.
-.IP "Pointer to an \s-1SSL\s0 structure" 4
+.IP "Pointer to an SSL structure" 4
.IX Item "Pointer to an SSL structure"
-The return value points to an allocated \s-1SSL\s0 structure.
+The return value points to an allocated SSL structure.
.Sp
\&\fBSSL_up_ref()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
@@ -240,11 +167,11 @@ The return value points to an allocated \s-1SSL\s0 structure.
\&\fBSSL_CTX_set_options\fR\|(3),
\&\fBSSL_get_SSL_CTX\fR\|(3),
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_new_domain.3 b/secure/lib/libcrypto/man/man3/SSL_new_domain.3
new file mode 100644
index 000000000000..45cbc313e663
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_new_domain.3
@@ -0,0 +1,153 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_NEW_DOMAIN 3ossl"
+.TH SSL_NEW_DOMAIN 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_new_domain,
+SSL_is_domain,
+SSL_get0_domain
+\&\- SSL object interface for managing QUIC event domains
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& SSL *SSL_new_domain(SSL_CTX *ctx, uint64_t flags);
+\&
+\& int SSL_is_domain(SSL *ssl);
+\& SSL *SSL_get0_domain(SSL *ssl);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_new_domain()\fR function creates a new QUIC event domain, represented as an
+SSL object. This is known as a QUIC domain SSL object (QDSO). The concept of a
+QUIC event domain is discussed in detail in \fBopenssl\-quic\-concurrency\fR\|(7).
+.PP
+The \fIflags\fR argument to \fBSSL_new_domain()\fR specifies a set of domain flags. If the
+\&\fIflags\fR argument to \fBSSL_new_domain()\fR does not specify one of the flags
+\&\fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR, \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR or
+\&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR, the domain flags configured on the
+\&\fBSSL_CTX\fR are inherited as a default and any other flags in \fIflags\fR are added
+to the set of inherited flags. Otherwise, the domain flags in \fIflags\fR
+are used. See \fBSSL_CTX_set_domain_flags\fR\|(3) for details of the available domain
+flags and how they can be configured on a \fBSSL_CTX\fR.
+.PP
+A QUIC domain SSL object can be managed in the same way as any other SSL object,
+in that it can be refcounted and freed normally. A QUIC domain SSL object is the
+parent of a number of child objects such as QUIC listener SSL objects. Once a
+QUIC domain SSL object has been created, a listener can be created under it
+using \fBSSL_new_listener_from\fR\|(3).
+.PP
+\&\fBSSL_is_domain()\fR returns 1 if a SSL object is a QUIC domain SSL object.
+.PP
+\&\fBSSL_get0_domain()\fR obtains a pointer to the QUIC domain SSL object in a SSL
+object hierarchy (if any).
+.PP
+All SSL objects in a QUIC event domain use the same domain flags, and the domain
+flags for a QUIC domain cannot be changed after construction.
+.SS "Supported Operations"
+.IX Subsection "Supported Operations"
+A QUIC domain SSL object exists to contain other QUIC SSL objects and provide
+unified event handling. As such, it supports only the following operations:
+.IP \(bu 4
+Standard reference counting and free operations, such as \fBSSL_up_ref\fR\|(3) and
+\&\fBSSL_free\fR\|(3);
+.IP \(bu 4
+Event processing and polling enablement APIs such as \fBSSL_handle_events\fR\|(3),
+and \fBSSL_get_event_timeout\fR\|(3).
+.IP \(bu 4
+Creating listeners under the domain using \fBSSL_new_listener_from\fR\|(3).
+.PP
+The basic workflow of using a domain object is as follows:
+.IP \(bu 4
+Create a new domain object using \fBSSL_new_domain()\fR using a \fBSSL_CTX\fR which uses
+a supported \fBSSL_METHOD\fR (such as \fBOSSL_QUIC_server_method\fR\|(3));
+.IP \(bu 4
+Create listeners under the domain using \fBSSL_new_listener_from\fR\|(3).
+.PP
+Refer to \fBSSL_new_listener_from\fR\|(3) for details on using listeners.
+.PP
+Currently, domain SSL objects are only supported for QUIC usage via any QUIC
+\&\fBSSL_METHOD\fR.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_new_domain()\fR returns a new domain SSL object or NULL on failure.
+.PP
+\&\fBSSL_is_domain()\fR returns 0 or 1 depending on the type of the SSL object on
+which it is called.
+.PP
+\&\fBSSL_get0_domain()\fR returns an SSL object pointer (potentially to the same object
+on which it is called) or NULL.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_new_listener_from\fR\|(3) \fBSSL_handle_events\fR\|(3),
+\&\fBSSL_CTX_set_domain_flags\fR\|(3), \fBopenssl\-quic\-concurrency\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_new_listener.3 b/secure/lib/libcrypto/man/man3/SSL_new_listener.3
new file mode 100644
index 000000000000..e04096cc93f2
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_new_listener.3
@@ -0,0 +1,265 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_NEW_LISTENER 3ossl"
+.TH SSL_NEW_LISTENER 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_new_listener, SSL_new_listener_from, SSL_is_listener, SSL_get0_listener,
+SSL_listen,
+SSL_accept_connection, SSL_get_accept_connection_queue_len,
+SSL_new_from_listener,
+SSL_ACCEPT_CONNECTION_NO_BLOCK \- SSL object interface for abstracted connection
+acceptance
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& SSL *SSL_new_listener(SSL_CTX *ctx, uint64_t flags);
+\& SSL *SSL_new_listener_from(SSL *ssl, uint64_t flags);
+\&
+\& int SSL_is_listener(SSL *ssl);
+\& SSL *SSL_get0_listener(SSL *ssl);
+\&
+\& int SSL_listen(SSL *ssl);
+\&
+\& #define SSL_ACCEPT_CONNECTION_NO_BLOCK
+\& SSL *SSL_accept_connection(SSL *ssl, uint64_t flags);
+\&
+\& size_t SSL_get_accept_connection_queue_len(SSL *ssl);
+\&
+\& SSL *SSL_new_from_listener(SSL *ssl, uint64_t flags);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_new_listener()\fR function creates a listener SSL object. Listener SSL
+objects are specialised to only accept network connections in a protocol\-
+agnostic manner. They cannot be used, for example, for sending or receiving data
+using \fBSSL_write_ex\fR\|(3) or \fBSSL_read_ex\fR\|(3). In general, only those functions
+expressly documented as being supported on a listener SSL object are available.
+.PP
+The \fBSSL_new_listener_from()\fR function creates a listener SSL object which is
+subordinate to a QUIC domain SSL object \fIssl\fR. See \fBSSL_new_domain\fR\|(3) and
+\&\fBopenssl\-quic\-concurrency\fR\|(7) for details on QUIC domain SSL objects.
+.PP
+A listener SSL object supports the following operations:
+.IP \(bu 4
+Standard reference counting and free operations, such as \fBSSL_up_ref\fR\|(3) and
+\&\fBSSL_free\fR\|(3);
+.IP \(bu 4
+Network BIO configuration operations, such as \fBSSL_set_bio\fR\|(3);
+.IP \(bu 4
+Event processing and polling enablement APIs such as \fBSSL_handle_events\fR\|(3),
+\&\fBSSL_get_event_timeout\fR\|(3), \fBSSL_get_rpoll_descriptor\fR\|(3),
+\&\fBSSL_get_wpoll_descriptor\fR\|(3), \fBSSL_net_read_desired\fR\|(3) and
+\&\fBSSL_net_write_desired\fR\|(3);
+.IP \(bu 4
+Certain configurable parameters described in \fBSSL_get_value_uint\fR\|(3) (see
+\&\fBSSL_get_value_uint\fR\|(3) for details);
+.IP \(bu 4
+Accepting network connections using the functions documented in this manual
+page, such as \fBSSL_accept_connection()\fR.
+.PP
+The basic workflow of using a listener object is as follows:
+.IP \(bu 4
+Create a new listener object using \fBSSL_new_listener()\fR using a \fBSSL_CTX\fR which
+uses a supported \fBSSL_METHOD\fR (such as \fBOSSL_QUIC_server_method\fR\|(3));
+.IP \(bu 4
+Configure appropriate network BIOs using \fBSSL_set_bio\fR\|(3) on the listener SSL
+object;
+.IP \(bu 4
+Configure the blocking mode using \fBSSL_set_blocking_mode\fR\|(3);
+.IP \(bu 4
+Accept connections in a loop by calling \fBSSL_accept_connection()\fR. Each returned
+SSL object is a valid connection which can be used in a normal manner.
+.PP
+The \fBSSL_is_listener()\fR function returns 1 if and only if a SSL object is a
+listener SSL object.
+.PP
+The \fBSSL_get0_listener()\fR function returns a listener object which is related to
+the given SSL object, if there is one. For a listener object, this is the same
+object (the function returns its argument). For a connection object which was
+created by a listener object, that listener object is returned. If the \fIssl\fR
+argument is an SSL object which is not a listener object and which is not
+descended from a listener object (e.g. a connection obtained using
+\&\fBSSL_accept_connection()\fR) or indirectly from a listener object (e.g. a QUIC
+stream SSL object obtained using \fBSSL_accept_stream()\fR called on a connection
+obtained using \fBSSL_accept_connection()\fR) the return value is NULL. See NOTES
+below for caveats related to pending SSL connections on a QUIC listener's accept
+queue.
+.PP
+The \fBSSL_listen()\fR function begins monitoring the listener \fIssl\fR for incoming
+connections. Appropriate BIOs must have been configured before calling
+\&\fBSSL_listen()\fR, along with any other needed configuration for the listener SSL
+object. It is typically not necessary to call \fBSSL_listen()\fR because it will be
+called automatically on the first call to \fBSSL_accept_connection()\fR. However,
+\&\fBSSL_listen()\fR may be called explicitly if it is desired to control precisely when
+the listening process begins, or to ensure that no errors occur when starting to
+listen for connections. After a call to \fBSSL_listen()\fR (or
+\&\fBSSL_accept_connection()\fR) succeeds. The \fBSSL_listen()\fR function is idempotent,
+subsequent calls on the same \fIssl\fR object are no-ops. This call is supported
+only on listener SSL objects.
+.PP
+The \fBSSL_accept_connection()\fR call is supported only on a listener SSL object and
+accepts a new incoming connection. A new SSL object representing the accepted
+connection is created and returned on success. If no incoming connection is
+available and the listener SSL object is configured in nonblocking mode, NULL is
+returned.
+.PP
+The new SSL object returned from \fBSSL_accept_connection()\fR may or may not have
+completed its handshake at the point it is returned. Optionally, you may use the
+function \fBSSL_is_init_finished\fR\|(3) to determine this. You may call the
+functions \fBSSL_accept\fR\|(3), \fBSSL_do_handshake\fR\|(3) or \fBSSL_handle_events\fR\|(3) to
+progress the state of the SSL object towards handshake completion. Other "I/O"
+functions may also implicitly progress the state of the handshake such as
+\&\fBSSL_poll\fR\|(3), \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3).
+.PP
+The \fBSSL_ACCEPT_CONNECTION_NO_BLOCK\fR flag may be specified to
+\&\fBSSL_accept_connection()\fR. If specified, the call does not block even if the
+listener SSL object is configured in blocking mode.
+.PP
+The \fBSSL_get_accept_connection_queue_len()\fR call returns the number of pending
+connections on the \fIssl\fR listener's queue. \fBSSL_accept_connection()\fR returns the
+next pending connection, removing it from the queue. The returned connection
+count is a point-in-time value, the actual number of connections that will
+ultimately be returned may be different.
+.PP
+Currently, listener SSL objects are only supported for QUIC server usage via
+\&\fBOSSL_QUIC_server_method\fR\|(3), or QUIC client-only usage via
+\&\fBOSSL_QUIC_client_method\fR\|(3) or \fBOSSL_QUIC_client_thread_method\fR\|(3) (see
+"CLIENT-ONLY USAGE"). It is expected that the listener interface, which
+provides an abstracted API for connection acceptance, will be expanded to
+support other protocols, such as TLS over TCP, plain TCP or DTLS in future.
+.PP
+\&\fBSSL_listen()\fR and \fBSSL_accept_connection()\fR are "I/O" functions, meaning that they
+update the value returned by \fBSSL_get_error\fR\|(3) if they fail.
+.SH "CLIENT-ONLY USAGE"
+.IX Header "CLIENT-ONLY USAGE"
+It is also possible to use the listener interface without accepting any
+connections and without listening for connections. This can be useful in
+circumstances where it is desirable for multiple connections to share the same
+underlying network resources. For example, multiple outgoing QUIC client
+connections could be made to use the same underlying UDP socket.
+.PP
+To disable client address validation on a listener SSL object, the flag
+\&\fBSSL_LISTENER_FLAG_NO_VALIDATE\fR may be passed in the flags field of both
+\&\fBSSL_new_listener()\fR and \fBSSL_new_listener_from()\fR. Note that this flag only
+impacts the sending of retry frames for server address validation. Tokens may
+still be communicated from the server via NEW_TOKEN frames, which will still
+be validated on receipt in future connections. Note that this setting is not
+recommended and may be dangerous in untrusted environments. Not performing
+address validation exposes the server to malicious clients that may open large
+numbers of connections and never transact data on them (roughly equivalent to
+a TCP syn flood attack), which address validation mitigates.
+.PP
+The \fBSSL_new_from_listener()\fR function creates a client connection under a given
+listener SSL object. For QUIC, it is also possible to use
+\&\fBSSL_new_from_listener()\fR, leading to a UDP network endpoint which has both
+incoming and outgoing connections.
+.PP
+The \fIflags\fR argument of \fBSSL_new_from_listener()\fR is reserved and must be set to
+0.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_new_listener()\fR and \fBSSL_new_listener_from()\fR return a new listener SSL object
+or NULL on failure.
+.PP
+\&\fBSSL_is_listener()\fR returns 1 if its \fIssl\fR argument is a listener object, 0
+otherwise.
+.PP
+\&\fBSSL_get0_listener()\fR returns an SSL object pointer (potentially to the same
+object on which it is called) or NULL.
+.PP
+\&\fBSSL_listen()\fR returns 1 on success or 0 on failure.
+.PP
+\&\fBSSL_accept_connection()\fR returns a pointer to a new SSL object on success or NULL
+on failure. On success, the caller assumes ownership of the reference.
+.PP
+\&\fBSSL_get_accept_connection_queue_len()\fR returns a nonnegative value, or 0 if the
+queue is empty, or called on an unsupported SSL object type.
+.PP
+\&\fBSSL_new_from_listener()\fR returns a pointer to a new SSL object on success or NULL
+on failure. On success, the caller assumes ownership of the reference.
+.SH NOTES
+.IX Header "NOTES"
+\&\fBSSL_get0_listener()\fR behaves somewhat differently in SSL callbacks for QUIC
+connections. As QUIC connections begin TLS handshake operations prior to them
+being accepted via \fBSSL_accept_connection()\fR, an application may receive callbacks
+for such pending connection prior to acceptance via \fBSSL_accept_connection()\fR. As
+listener association takes place during the accept process, prior to being
+returned from \fBSSL_accept_connection()\fR, calls to \fBSSL_get0_listener()\fR made from
+such SSL callbacks will return NULL. This can be used as an indicator within
+the callback that the referenced SSL object has not yet been accepted.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_QUIC_server_method\fR\|(3), \fBSSL_free\fR\|(3), \fBSSL_set_bio\fR\|(3),
+\&\fBSSL_handle_events\fR\|(3), \fBSSL_get_rpoll_descriptor\fR\|(3),
+\&\fBSSL_set_blocking_mode\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_new_stream.3 b/secure/lib/libcrypto/man/man3/SSL_new_stream.3
new file mode 100644
index 000000000000..d2c528f76290
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_new_stream.3
@@ -0,0 +1,153 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_NEW_STREAM 3ossl"
+.TH SSL_NEW_STREAM 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_new_stream, SSL_STREAM_FLAG_UNI, SSL_STREAM_FLAG_NO_BLOCK,
+SSL_STREAM_FLAG_ADVANCE \- create a new locally\-initiated QUIC stream
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_STREAM_FLAG_UNI (1U << 0)
+\& #define SSL_STREAM_FLAG_NO_BLOCK (1U << 1)
+\& #define SSL_STREAM_FLAG_ADVANCE (1U << 2)
+\& SSL *SSL_new_stream(SSL *ssl, uint64_t flags);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_new_stream()\fR function, when passed a QUIC connection SSL object, creates
+a new locally-initiated bidirectional or unidirectional QUIC stream and returns
+the newly created QUIC stream SSL object.
+.PP
+If the \fBSSL_STREAM_FLAG_UNI\fR flag is passed, a unidirectional stream is
+created; else a bidirectional stream is created.
+.PP
+To retrieve the stream ID of the newly created stream, use
+\&\fBSSL_get_stream_id\fR\|(3).
+.PP
+It is the caller's responsibility to free the QUIC stream SSL object using
+\&\fBSSL_free\fR\|(3). The lifetime of the QUIC connection SSL object must exceed that
+of the QUIC stream SSL object; in other words, the QUIC stream SSL object must
+be freed first.
+.PP
+Once a stream has been created using \fBSSL_new_stream()\fR, it may be used in the
+normal way using \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3).
+.PP
+This function can only be used to create stream objects for locally-initiated
+streams. To accept incoming streams initiated by a peer, use
+\&\fBSSL_accept_stream\fR\|(3).
+.PP
+Calling \fBSSL_new_stream()\fR if there is no default stream already present
+inhibits the future creation of a default stream. See \fBopenssl\-quic\fR\|(7).
+.PP
+The creation of new streams is subject to flow control by the QUIC protocol. If
+it is currently not possible to create a new locally initiated stream of the
+specified type, a call to \fBSSL_new_stream()\fR will either block (if the connection
+is configured in blocking mode) until a new stream can be created, or otherwise
+return NULL.
+.PP
+This function operates in blocking mode if the QUIC connection SSL object is
+configured in blocking mode (see \fBSSL_set_blocking_mode\fR\|(3)). It may also be
+used in nonblocking mode on a connection configured in blocking mode by passing
+the flag \fBSSL_STREAM_FLAG_NO_BLOCK\fR.
+.PP
+The flag \fBSSL_STREAM_FLAG_ADVANCE\fR may be used to create a QUIC stream SSL
+object even if a new QUIC stream cannot yet be opened due to flow control. The
+caller may begin to use the new stream and fill the write buffer of the stream
+by calling \fBSSL_write\fR\|(3). However, no actual stream data (or QUIC frames
+regarding the stream) will be sent until QUIC flow control allows it. Any queued
+data will be sent as soon as a peer permits it. There is no guarantee the stream
+will be eventually created; for example, the connection could fail, or a peer
+might simply decide never to increase the number of allowed streams for the
+remainder of the connection lifetime.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_new_stream()\fR returns a new stream object, or NULL on error.
+.PP
+This function fails if called on a QUIC stream SSL object or on a non-QUIC SSL
+object.
+.PP
+\&\fBSSL_new_stream()\fR may also fail if the underlying connection has reached the
+maximum stream count, based on the \fBmax_streams_bidi\fR or \fBmax_streams_uni\fR
+transport parameter values negotiated with the peer. In this event the NULL
+return will be accompanied by an error on the error stack (obtainable via
+\&\fBERR_get_error()\fR), which will contain a reason code of
+\&\fBSSL_R_STREAM_COUNT_LIMITED\fR. When this error is encountered, the operation
+may be retried. It is recommended that, prior to retry, the error stack be
+cleared via a call to \fBERR_clear_error()\fR, and that the TLS state machine be
+activated via a call to \fBSSL_handle_events()\fR to process any potential updates
+from the server allowing additional streams to be created.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_accept_stream\fR\|(3), \fBSSL_free\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_new_stream()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_pending.3 b/secure/lib/libcrypto/man/man3/SSL_pending.3
index aa0a900159d9..1334788413e5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_pending.3
+++ b/secure/lib/libcrypto/man/man3/SSL_pending.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_PENDING 3ossl"
-.TH SSL_PENDING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_PENDING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_pending, SSL_has_pending \- check for readable bytes buffered in an
SSL object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,7 +71,7 @@ SSL object
\& int SSL_pending(const SSL *ssl);
\& int SSL_has_pending(const SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Data is received in whole blocks known as records from the peer. A whole record
is processed (e.g. decrypted) in one go and is buffered by OpenSSL until it is
@@ -156,14 +80,14 @@ read by the application via a call to \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\|
\&\fBSSL_pending()\fR returns the number of bytes which have been processed, buffered
and are available inside \fBssl\fR for immediate read.
.PP
-If the \fB\s-1SSL\s0\fR object's \fIread_ahead\fR flag is set (see
+If the \fBSSL\fR object's \fIread_ahead\fR flag is set (see
\&\fBSSL_CTX_set_read_ahead\fR\|(3)), additional protocol bytes (beyond the current
-record) may have been read containing more \s-1TLS/SSL\s0 records. This also applies to
-\&\s-1DTLS\s0 and pipelining (see \fBSSL_CTX_set_split_send_fragment\fR\|(3)). These
+record) may have been read containing more TLS/SSL records. This also applies to
+DTLS and pipelining (see \fBSSL_CTX_set_split_send_fragment\fR\|(3)). These
additional bytes will be buffered by OpenSSL but will remain unprocessed until
they are needed. As these bytes are still in an unprocessed state \fBSSL_pending()\fR
will ignore them. Therefore, it is possible for no more bytes to be readable from
-the underlying \s-1BIO\s0 (because OpenSSL has already read them) and for \fBSSL_pending()\fR
+the underlying BIO (because OpenSSL has already read them) and for \fBSSL_pending()\fR
to return 0, even though readable application data bytes are available (because
the data is in unprocessed buffered records).
.PP
@@ -180,19 +104,19 @@ far).
.IX Header "RETURN VALUES"
\&\fBSSL_pending()\fR returns the number of buffered and processed application data
bytes that are pending and are available for immediate read. \fBSSL_has_pending()\fR
-returns 1 if there is buffered record data in the \s-1SSL\s0 object and 0 otherwise.
+returns 1 if there is buffered record data in the SSL object and 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_CTX_set_read_ahead\fR\|(3),
\&\fBSSL_CTX_set_split_send_fragment\fR\|(3), \fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_has_pending()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_poll.3 b/secure/lib/libcrypto/man/man3/SSL_poll.3
new file mode 100644
index 000000000000..d5f485eb9b59
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_poll.3
@@ -0,0 +1,421 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_POLL 3ossl"
+.TH SSL_POLL 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_poll,
+SSL_POLL_EVENT_NONE,
+SSL_POLL_EVENT_F,
+SSL_POLL_EVENT_EC,
+SSL_POLL_EVENT_ECD,
+SSL_POLL_EVENT_ER,
+SSL_POLL_EVENT_EW,
+SSL_POLL_EVENT_R,
+SSL_POLL_EVENT_W,
+SSL_POLL_EVENT_ISB,
+SSL_POLL_EVENT_ISU,
+SSL_POLL_EVENT_OSB,
+SSL_POLL_EVENT_OSU,
+SSL_POLL_EVENT_RW,
+SSL_POLL_EVENT_RE,
+SSL_POLL_EVENT_WE,
+SSL_POLL_EVENT_RWE,
+SSL_POLL_EVENT_E,
+SSL_POLL_EVENT_IS,
+SSL_POLL_EVENT_ISE,
+SSL_POLL_EVENT_I,
+SSL_POLL_EVENT_OS,
+SSL_POLL_EVENT_OSE,
+SSL_POLL_FLAG_NO_HANDLE_EVENTS
+\&\- determine or await readiness conditions for one or more pollable objects
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_POLL_EVENT_NONE 0
+\&
+\& #define SSL_POLL_EVENT_F /* F (Failure) */
+\& #define SSL_POLL_EVENT_EC /* EC (Exception on Conn) */
+\& #define SSL_POLL_EVENT_ECD /* ECD (Exception on Conn Drained) */
+\& #define SSL_POLL_EVENT_ER /* ER (Exception on Read) */
+\& #define SSL_POLL_EVENT_EW /* EW (Exception on Write) */
+\& #define SSL_POLL_EVENT_R /* R (Readable) */
+\& #define SSL_POLL_EVENT_W /* W (Writable) */
+\& #define SSL_POLL_EVENT_ISB /* ISB (Incoming Stream: Bidi) */
+\& #define SSL_POLL_EVENT_ISU /* ISU (Incoming Stream: Uni) */
+\& #define SSL_POLL_EVENT_OSB /* OSB (Outgoing Stream: Bidi) */
+\& #define SSL_POLL_EVENT_OSU /* OSU (Outgoing Stream: Uni) */
+\&
+\& #define SSL_POLL_EVENT_RW /* R | W */
+\& #define SSL_POLL_EVENT_RE /* R | ER */
+\& #define SSL_POLL_EVENT_WE /* W | EW */
+\& #define SSL_POLL_EVENT_RWE /* RE | WE */
+\& #define SSL_POLL_EVENT_E /* EC | ER | EW */
+\& #define SSL_POLL_EVENT_IS /* ISB | ISU */
+\& #define SSL_POLL_EVENT_ISE /* IS | EC */
+\& #define SSL_POLL_EVENT_I /* IS */
+\& #define SSL_POLL_EVENT_OS /* OSB | OSU */
+\& #define SSL_POLL_EVENT_OSE /* OS | EC */
+\&
+\& typedef struct ssl_poll_item_st {
+\& BIO_POLL_DESCRIPTOR desc;
+\& uint64_t events, revents;
+\& } SSL_POLL_ITEM;
+\&
+\& #define SSL_POLL_FLAG_NO_HANDLE_EVENTS
+\&
+\& int SSL_poll(SSL_POLL_ITEM *items,
+\& size_t num_items,
+\& size_t stride,
+\& const struct timeval *timeout,
+\& uint64_t flags,
+\& size_t *result_count);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_poll()\fR allows the readiness conditions of the resources represented by one
+or more BIO_POLL_DESCRIPTOR structures to be determined. In particular, it can
+be used to query for readiness conditions on QUIC connection SSL objects and
+QUIC stream SSL objects in a single call. It can also be used to block until at
+least one of the given resources is ready.
+.PP
+A call to \fBSSL_poll()\fR specifies an array of \fBSSL_POLL_ITEM\fR structures, each of
+which designates a resource which is being polled for readiness, and a set of
+event flags which indicate the specific readiness events which the caller is
+interested in in relation to the specified resource.
+.PP
+The fields of \fBSSL_POLL_ITEM\fR are as follows:
+.IP \fIdesc\fR 4
+.IX Item "desc"
+The resource being polled for readiness, as represented by a
+\&\fBBIO_POLL_DESCRIPTOR\fR. Currently, this must be a poll descriptor of type
+\&\fBBIO_POLL_DESCRIPTOR_TYPE_SSL\fR, representing an SSL object pointer, and the SSL
+object must be a QUIC connection SSL object or QUIC stream SSL object.
+.Sp
+If a \fBSSL_POLL_ITEM\fR has a poll descriptor type of
+\&\fBBIO_POLL_DESCRIPTOR_TYPE_NONE\fR, or the SSL object pointer is NULL, the
+\&\fBSSL_POLL_ITEM\fR array entry is ignored and \fIrevents\fR will be set to 0 on
+return.
+.IP \fIevents\fR 4
+.IX Item "events"
+This is the set of zero or more events which the caller is interested in
+learning about in relation to the resource described by \fIdesc\fR. It is a
+collection of zero or more \fBSSL_POLL_EVENT\fR flags. See "EVENT TYPES" for a
+description of each of the event types.
+.IP \fIrevents\fR 4
+.IX Item "revents"
+After \fBSSL_poll()\fR returns, this is the set of zero or more events which are
+actually applicable to the resource described by \fIdesc\fR. As for \fIevents\fR,
+it is a collection of zero or more \fBSSL_POLL_EVENT\fR flags.
+.Sp
+\&\fIrevents\fR need not be a subset of the events specified in \fIevents\fR, as some
+event types are defined as always being enabled (non-maskable). See "EVENT
+TYPES" for more information.
+.PP
+To use \fBSSL_poll()\fR, call it with an array of \fBSSL_POLL_ITEM\fR structures. The
+array need remain allocated only for the duration of the call. \fInum_items\fR must
+be set to the number of entries in the array, and \fIstride\fR must be set to
+\&\f(CWsizeof(SSL_POLL_ITEM)\fR.
+.PP
+The \fItimeout\fR argument specifies the timeout to use, and, implicitly, whether
+to use \fBSSL_poll()\fR in blocking or nonblocking mode:
+.IP \(bu 4
+If \fItimeout\fR is NULL, the function blocks indefinitely until at least one
+resource is ready.
+.IP \(bu 4
+If \fItimeout\fR is non-NULL, and it points to a \fBstruct timeval\fR which is set to
+zero, the function operates in nonblocking mode and returns immediately with
+readiness information.
+.IP \(bu 4
+If \fItimeout\fR is non-NULL, and it points to a \fBstruct timeval\fR which is set to
+a value other than zero, the function blocks for the specified interval or until
+at least one of the specified resources is ready, whichever comes first.
+.PP
+The present implementation of \fBSSL_poll()\fR is a subset of the functionality which
+will eventually be available. For more information, see "LIMITATIONS".
+.PP
+The following flags are currently defined for the \fIflags\fR argument:
+.IP \fBSSL_POLL_FLAG_NO_HANDLE_EVENTS\fR 4
+.IX Item "SSL_POLL_FLAG_NO_HANDLE_EVENTS"
+This flag indicates that internal state machine processing should not be
+performed in an attempt to generate new readiness events. Only existing
+readiness events will be reported.
+.Sp
+If this flag is used in nonblocking mode (with a timeout of zero), no internal
+state machine processing is performed.
+.Sp
+If this flag is used in blocking mode (for example, with \fItimeout\fR set to
+NULL), event processing does not occur unless the function blocks.
+.PP
+The \fIresult_count\fR argument is optional. If it is non-NULL, it is used to
+output the number of entries in the array which have nonzero \fIrevents\fR fields
+when the call to \fBSSL_poll()\fR returns; see "RETURN VALUES" for details.
+.SH "EVENT TYPES"
+.IX Header "EVENT TYPES"
+The \fBSSL_poll()\fR interface reports zero or more event types on a given resource,
+represented by a bit mask.
+.PP
+All of the event types are level triggered and represent a readiness or
+permanent exception condition; as such, after an event has been reported by
+\&\fBSSL_poll()\fR for a resource, it will continue to be reported in future \fBSSL_poll()\fR
+calls until the condition ceases to be in effect. A caller must mask the given
+event type bit in future \fBSSL_poll()\fR calls if it does not wish to receive
+repeated notifications and has not caused the underlying readiness condition
+(for example, consuming all available data using \fBSSL_read_ex\fR\|(3) after
+\&\fBSSL_POLL_EVENT_R\fR is reported) to be deasserted.
+.PP
+Some event types do not make sense on a given kind of resource. In this case,
+specifying that event type in \fIevents\fR is a no-op and will be ignored, and the
+given event will never be reported in \fIrevents\fR.
+.PP
+Failure of the polling mechanism itself is considered distinct from an exception
+condition on a resource which was successfully polled. See \fBSSL_POLL_EVENT_F\fR
+and "RETURN VALUES" for details.
+.PP
+In general, an application should always listen for the event types
+corresponding to exception conditions if it is listening to the corresponding
+non-exception event types (e.g. \fBSSL_POLL_EVENT_EC\fR and \fBSSL_POLL_EVENT_ER\fR
+for \fBSSL_POLL_EVENT_R\fR), as not doing so is unlikely to be a sound design.
+.PP
+Some event types are non-maskable and may be reported in \fIrevents\fR regardless
+of whether they were requested in \fIevents\fR.
+.PP
+The following event types are supported:
+.IP \fBSSL_POLL_EVENT_F\fR 4
+.IX Item "SSL_POLL_EVENT_F"
+Polling failure. This event is raised when a resource could not be polled. It is
+distinct from an exception condition reported on a resource which was
+successfully polled and represents a failure of the polling process itself in
+relation to a resource. This may mean that \fBSSL_poll()\fR does not support the kind
+of resource specified.
+.Sp
+Where this event is raised on at least one item in \fIitems\fR, \fBSSL_poll()\fR will
+return 0 and the ERR stack will contain information pertaining to the first item
+in \fIitems\fR with \fBSSL_POLL_EVENT_F\fR set. See "RETURN VALUES" for more
+information.
+.Sp
+This event type may be raised even if it was not requested in \fIevents\fR;
+specifying this event type in \fIevents\fR does nothing.
+.IP \fBSSL_POLL_EVENT_EL\fR 4
+.IX Item "SSL_POLL_EVENT_EL"
+Error at listener level. This event is raised when a listener has failed, for
+example if a network BIO has encountered a permanent error.
+.Sp
+This event is never raised on objects which are not listeners, but its
+occurrence will cause \fBSSL_POLL_EVENT_EC\fR to be raised on all dependent
+connections.
+.IP \fBSSL_POLL_EVENT_EC\fR 4
+.IX Item "SSL_POLL_EVENT_EC"
+Error at connection level. This event is raised when a connection has failed.
+In particular, it is raised when a connection begins terminating.
+.Sp
+This event is never raised on objects which are not connections.
+.IP \fBSSL_POLL_EVENT_ECD\fR 4
+.IX Item "SSL_POLL_EVENT_ECD"
+Error at connection level (drained). This event is raised when a connection has
+finished terminating, and has reached the terminated state. This event will
+generally occur after an interval of time passes after the \fBSSL_POLL_EVENT_EC\fR
+event is raised on a connection.
+.Sp
+This event is never raised on objects which are not connections.
+.IP \fBSSL_POLL_EVENT_ER\fR 4
+.IX Item "SSL_POLL_EVENT_ER"
+Error in read direction. For QUIC, this is raised only in the event that a
+stream has a read part and that read part has been reset by the peer (for
+example, using a \fBRESET_STREAM\fR frame).
+.IP \fBSSL_POLL_EVENT_EW\fR 4
+.IX Item "SSL_POLL_EVENT_EW"
+Error in write direction. For QUIC, this is raised only in the event that a
+stream has a write part and that write part has been reset by the peer using a
+\&\fBSTOP_SENDING\fR frame.
+.IP \fBSSL_POLL_EVENT_R\fR 4
+.IX Item "SSL_POLL_EVENT_R"
+Readable. This event is raised when a QUIC stream SSL object (or a QUIC
+connection SSL object with a default stream attached) has application data
+waiting to be read using \fBSSL_read_ex\fR\|(3), or a FIN event as represented by
+\&\fBSSL_ERROR_ZERO_RETURN\fR waiting to be read.
+.Sp
+It is not raised in the event of the receiving part of the QUIC stream being
+reset by the peer; see \fBSSL_POLL_EVENT_ER\fR.
+.IP \fBSSL_POLL_EVENT_W\fR 4
+.IX Item "SSL_POLL_EVENT_W"
+Writable. This event is raised when a QUIC stream SSL object (or a QUIC
+connection SSL object with a default stream attached) could accept more
+application data using \fBSSL_write_ex\fR\|(3).
+.Sp
+This event is never raised by a receive-only stream.
+.Sp
+This event is never raised by a stream which has had its send part concluded
+normally (as with \fBSSL_stream_conclude\fR\|(3)) or locally reset (as with
+\&\fBSSL_stream_reset\fR\|(3)).
+.Sp
+This event does not guarantee that a subsequent call to \fBSSL_write_ex\fR\|(3) will
+succeed.
+.IP \fBSSL_POLL_EVENT_IC\fR 4
+.IX Item "SSL_POLL_EVENT_IC"
+This event, which is only raised by a QUIC listener SSL object, is raised when
+one or more incoming QUIC connections are available to be accepted using
+\&\fBSSL_accept_connection\fR\|(3).
+.IP \fBSSL_POLL_EVENT_ISB\fR 4
+.IX Item "SSL_POLL_EVENT_ISB"
+This event, which is only raised by a QUIC connection SSL object, is raised when
+one or more incoming bidirectional streams are available to be accepted using
+\&\fBSSL_accept_stream\fR\|(3).
+.IP \fBSSL_POLL_EVENT_ISU\fR 4
+.IX Item "SSL_POLL_EVENT_ISU"
+This event, which is only raised by a QUIC connection SSL object, is raised when
+one or more incoming unidirectional streams are available to be accepted using
+\&\fBSSL_accept_stream\fR\|(3).
+.IP \fBSSL_POLL_EVENT_OSB\fR 4
+.IX Item "SSL_POLL_EVENT_OSB"
+This event, which is only raised by a QUIC connection SSL object, is raised when
+QUIC stream creation flow control currently permits at least one additional
+bidirectional stream to be locally created.
+.IP \fBSSL_POLL_EVENT_OSU\fR 4
+.IX Item "SSL_POLL_EVENT_OSU"
+This event, which is only raised by a QUIC connection SSL object, is raised when
+QUIC stream creation flow control currently permits at least one additional
+unidirectional stream to be locally created.
+.SH LIMITATIONS
+.IX Header "LIMITATIONS"
+\&\fBSSL_poll()\fR as presently implemented has the following limitation:
+.IP \(bu 4
+Only \fBBIO_POLL_DESCRIPTOR\fR structures with type
+\&\fBBIO_POLL_DESCRIPTOR_TYPE_SSL\fR, referencing QUIC listener, connection or
+stream SSL objects, are supported.
+.PP
+This limitation may be revised in a future release of OpenSSL.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_poll()\fR returns 1 on success and 0 on failure.
+.PP
+Unless the \fIitems\fR pointer itself is invalid, \fBSSL_poll()\fR will always initialise
+the \fIrevents\fR fields of all items in the input array upon returning, even if it
+returns failure.
+.PP
+If \fIresult_count\fR is non-NULL, it is always written with the number of items in
+the array with nonzero \fIrevents\fR fields, even if the \fBSSL_poll()\fR call returns
+failure.
+.PP
+It is possible for \fIresult_count\fR to be written as 0 even if the \fBSSL_poll()\fR
+call returns success, namely if no events were output but the polling process
+was successful (e.g. in nonblocking usage) or timed out.
+.PP
+It is possible for \fIresult_count\fR to be written as a nonzero value if the
+\&\fBSSL_poll()\fR call returns failure, for example due to \fBSSL_POLL_EVENT_F\fR events,
+or because some events were detected and output before encountering a failure
+condition while processing a subsequent entry in the \fIitems\fR array.
+.PP
+If at least one \fBSSL_POLL_EVENT_F\fR event is output, \fBSSL_poll()\fR is guaranteed
+to return 0 and guaranteed to place at least one ERR on the error stack
+describing the first \fBSSL_POLL_EVENT_F\fR output. Detailed information on any
+additional \fBSSL_POLL_EVENT_F\fR events is not available. \fBSSL_poll()\fR may or may
+not return more than one \fBSSL_POLL_EVENT_F\fR event at once.
+.PP
+"Normal" events representing exceptional I/O conditions which do not
+constitute a failure of the \fBSSL_poll()\fR mechanism itself are not considered
+errors by \fBSSL_poll()\fR and are instead represented using their own event type; see
+"EVENT TYPES" for details.
+.PP
+The caller can establish the meaning of the \fBSSL_poll()\fR return and output values
+as follows:
+.IP \(bu 4
+If \fBSSL_poll()\fR returns 1 and \fIresult_count\fR is zero, the operation timed out
+before any resource was ready.
+.IP \(bu 4
+If \fBSSL_poll()\fR returns 1 and \fIresult_count\fR is nonzero, that many events were
+output.
+.IP \(bu 4
+If \fBSSL_poll()\fR returns 0 and \fIresult_count\fR is zero, the caller has made a basic
+usage error; check the ERR stack for details.
+.IP \(bu 4
+If \fBSSL_poll()\fR returns 0 and \fIresult_count\fR is nonzero, inspect the \fIitems\fR
+array for \fBSSL_POLL_ITEM\fR structures with the \fBSSL_POLL_EVENT_F\fR event type
+raised in \fIrevents\fR. The entries added to the ERR stack (of which there is
+guaranteed to be at least one) reflect the cause of the failure of the first
+item in \fIitems\fR with \fBSSL_POLL_EVENT_F\fR raised. Note that there may be events
+other than \fISSL_POLL_EVENT_F\fR output for items which come before the first
+item with \fBSSL_POLL_EVENT_F\fR raised, and additional \fBSSL_POLL_EVENT_F\fR
+events may or may not have been output, both of which which will be reflected in
+\&\fIresult_count\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBBIO_get_rpoll_descriptor\fR\|(3), \fBBIO_get_wpoll_descriptor\fR\|(3),
+\&\fBSSL_get_rpoll_descriptor\fR\|(3), \fBSSL_get_wpoll_descriptor\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_poll()\fR was added in OpenSSL 3.3.
+.PP
+Before 3.5, \fBSSL_poll()\fR did not support blocking operation and
+would fail if called with a NULL \fItimeout\fR parameter or a \fItimeout\fR parameter
+pointing to a \fBstruct timeval\fR which was not zero.
+.PP
+Before 3.5, the \fBSSL_POLL_EVENT_EL\fR and \fBSSL_POLL_EVENT_IC\fR
+event types were not present.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_read.3 b/secure/lib/libcrypto/man/man3/SSL_read.3
index 053d52ea47f9..10d51268fab5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_read.3
+++ b/secure/lib/libcrypto/man/man3/SSL_read.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_READ 3ossl"
-.TH SSL_READ 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_READ 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_read_ex, SSL_read, SSL_peek_ex, SSL_peek
\&\- read bytes from a TLS/SSL connection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,88 +74,96 @@ SSL_read_ex, SSL_read, SSL_peek_ex, SSL_peek
\& int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
\& int SSL_peek(SSL *ssl, void *buf, int num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_read_ex()\fR and \fBSSL_read()\fR try to read \fBnum\fR bytes from the specified \fBssl\fR
into the buffer \fBbuf\fR. On success \fBSSL_read_ex()\fR will store the number of bytes
actually read in \fB*readbytes\fR.
.PP
\&\fBSSL_peek_ex()\fR and \fBSSL_peek()\fR are identical to \fBSSL_read_ex()\fR and \fBSSL_read()\fR
-respectively except no bytes are actually removed from the underlying \s-1BIO\s0 during
+respectively except no bytes are actually removed from the underlying BIO during
the read, so that a subsequent call to \fBSSL_read_ex()\fR or \fBSSL_read()\fR will yield
at least the same bytes.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-In the paragraphs below a \*(L"read function\*(R" is defined as one of \fBSSL_read_ex()\fR,
+In the paragraphs below a "read function" is defined as one of \fBSSL_read_ex()\fR,
\&\fBSSL_read()\fR, \fBSSL_peek_ex()\fR or \fBSSL_peek()\fR.
.PP
-If necessary, a read function will negotiate a \s-1TLS/SSL\s0 session, if not already
+If necessary, a read function will negotiate a TLS/SSL session, if not already
explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the
peer requests a re-negotiation, it will be performed transparently during
the read function operation. The behaviour of the read functions depends on the
-underlying \s-1BIO.\s0
+underlying BIO.
.PP
For the transparent negotiation to succeed, the \fBssl\fR must have been
initialized to client or server mode. This is being done by calling
\&\fBSSL_set_connect_state\fR\|(3) or \fBSSL_set_accept_state()\fR before the first
invocation of a read function.
.PP
-The read functions work based on the \s-1SSL/TLS\s0 records. The data are received in
+The read functions work based on the SSL/TLS records. The data are received in
records (with a maximum record size of 16kB). Only when a record has been
completely received, can it be processed (decryption and check of integrity).
Therefore, data that was not retrieved at the last read call can still be
-buffered inside the \s-1SSL\s0 layer and will be retrieved on the next read
+buffered inside the SSL layer and will be retrieved on the next read
call. If \fBnum\fR is higher than the number of bytes buffered then the read
functions will return with the bytes buffered. If no more bytes are in the
buffer, the read functions will trigger the processing of the next record.
Only when the record has been received and processed completely will the read
functions return reporting success. At most the contents of one record will
-be returned. As the size of an \s-1SSL/TLS\s0 record may exceed the maximum packet size
-of the underlying transport (e.g. \s-1TCP\s0), it may be necessary to read several
+be returned. As the size of an SSL/TLS record may exceed the maximum packet size
+of the underlying transport (e.g. TCP), it may be necessary to read several
packets from the transport layer before the record is complete and the read call
can succeed.
.PP
-If \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR has been switched off and a non-application data
+If \fBSSL_MODE_AUTO_RETRY\fR has been switched off and a non-application data
record has been processed, the read function can return and set the error to
-\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR.
-In this case there might still be unprocessed data available in the \fB\s-1BIO\s0\fR.
+\&\fBSSL_ERROR_WANT_READ\fR.
+In this case there might still be unprocessed data available in the \fBBIO\fR.
If read ahead was set using \fBSSL_CTX_set_read_ahead\fR\|(3), there might also still
-be unprocessed data available in the \fB\s-1SSL\s0\fR.
+be unprocessed data available in the \fBSSL\fR.
This behaviour can be controlled using the \fBSSL_CTX_set_mode\fR\|(3) call.
.PP
-If the underlying \s-1BIO\s0 is \fBblocking\fR, a read function will only return once the
+If the underlying BIO is \fBblocking\fR, a read function will only return once the
read operation has been finished or an error occurred, except when a
-non-application data record has been processed and \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is
+non-application data record has been processed and \fBSSL_MODE_AUTO_RETRY\fR is
not set.
-Note that if \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is set and only non-application data is
+Note that if \fBSSL_MODE_AUTO_RETRY\fR is set and only non-application data is
available the call will hang.
.PP
-If the underlying \s-1BIO\s0 is \fBnonblocking\fR, a read function will also return when
-the underlying \s-1BIO\s0 could not satisfy the needs of the function to continue the
+If the underlying BIO is \fBnonblocking\fR, a read function will also return when
+the underlying BIO could not satisfy the needs of the function to continue the
operation.
In this case a call to \fBSSL_get_error\fR\|(3) with the
-return value of the read function will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR.
+return value of the read function will yield \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR.
As at any time it's possible that non-application data needs to be sent,
a read function can also cause write operations.
The calling process then must repeat the call after taking appropriate action
to satisfy the needs of the read function.
-The action depends on the underlying \s-1BIO.\s0
+The action depends on the underlying BIO.
When using a nonblocking socket, nothing is to be done, but \fBselect()\fR can be
used to check for the required condition.
-When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written into or
-retrieved out of the \s-1BIO\s0 before being able to continue.
+When using a buffering BIO, like a BIO pair, data must be written into or
+retrieved out of the BIO before being able to continue.
.PP
\&\fBSSL_pending\fR\|(3) can be used to find out whether there
are buffered bytes available for immediate retrieval.
In this case the read function can be called without blocking or actually
receiving new data from the underlying socket.
+.PP
+When used with a QUIC SSL object, calling an I/O function such as \fBSSL_read()\fR
+allows internal network event processing to be performed. It is important that
+this processing is performed regularly. If an application is not using thread
+assisted mode, an application should ensure that an I/O function such as
+\&\fBSSL_read()\fR is called regularly, or alternatively ensure that \fBSSL_handle_events()\fR
+is called regularly. See \fBopenssl\-quic\fR\|(7) and \fBSSL_handle_events\fR\|(3) for more
+information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_read_ex()\fR and \fBSSL_peek_ex()\fR will return 1 for success or 0 for failure.
-Success means that 1 or more application data bytes have been read from the \s-1SSL\s0
+Success means that 1 or more application data bytes have been read from the SSL
connection.
-Failure means that no bytes could be read from the \s-1SSL\s0 connection.
+Failure means that no bytes could be read from the SSL connection.
Failures can be retryable (e.g. we are waiting for more bytes to
be delivered by the network) or non-retryable (e.g. a fatal network error).
In the event of a failure call \fBSSL_get_error\fR\|(3) to find out the reason which
@@ -241,7 +173,7 @@ For \fBSSL_read()\fR and \fBSSL_peek()\fR the following return values can occur:
.IP "> 0" 4
.IX Item "> 0"
The read operation was successful.
-The return value is the number of bytes actually read from the \s-1TLS/SSL\s0
+The return value is the number of bytes actually read from the TLS/SSL
connection.
.IP "<= 0" 4
.IX Item "<= 0"
@@ -261,14 +193,14 @@ You should instead call \fBSSL_get_error()\fR to find out if it's retryable.
\&\fBSSL_pending\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBssl\fR\|(7), \fBbio\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_read_ex()\fR and \fBSSL_peek_ex()\fR functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3
index 8f3406673c2e..4d4a657e91ba 100644
--- a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3
+++ b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_READ_EARLY_DATA 3ossl"
-.TH SSL_READ_EARLY_DATA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_READ_EARLY_DATA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_max_early_data,
SSL_CTX_set_max_early_data,
SSL_get_max_early_data,
@@ -154,7 +78,7 @@ SSL_allow_early_data_cb_fn,
SSL_CTX_set_allow_early_data_cb,
SSL_set_allow_early_data_cb
\&\- functions for sending and receiving early data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -188,22 +112,22 @@ SSL_set_allow_early_data_cb
\& SSL_allow_early_data_cb_fn cb,
\& void *arg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions are used to send and receive early data where TLSv1.3 has been
negotiated. Early data can be sent by the client immediately after its initial
ClientHello without having to wait for the server to complete the handshake.
Early data can be sent if a session has previously been established with the
-server or when establishing a new session using an out-of-band \s-1PSK,\s0 and only
+server or when establishing a new session using an out-of-band PSK, and only
when the server is known to support it. Additionally these functions can be used
to send data from the server to the client when the client has not yet completed
the authentication stage of the handshake.
.PP
-Early data has weaker security properties than other data sent over an \s-1SSL/TLS\s0
+Early data has weaker security properties than other data sent over an SSL/TLS
connection. In particular the data does not have forward secrecy. There are also
-additional considerations around replay attacks (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0
+additional considerations around replay attacks (see "REPLAY PROTECTION"
below). For these reasons extreme care should be exercised when using early
-data. For specific details, consult the \s-1TLS 1.3\s0 specification.
+data. For specific details, consult the TLS 1.3 specification.
.PP
When a server receives early data it may opt to immediately respond by sending
application data back to the client. Data sent by the server at this stage is
@@ -222,8 +146,8 @@ will return the maximum number of early data bytes that can be sent.
.PP
The function \fBSSL_SESSION_set_max_early_data()\fR sets the maximum number of early
data bytes that can be sent for a session. This would typically be used when
-creating a \s-1PSK\s0 session file (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)). If
-using a ticket based \s-1PSK\s0 then this is set automatically to the value provided by
+creating a PSK session file (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)). If
+using a ticket based PSK then this is set automatically to the value provided by
the server.
.PP
A client uses the function \fBSSL_write_early_data()\fR to send early data. This
@@ -233,7 +157,7 @@ the underlying connection, and how to handle any errors that may arise. This
page describes the differences between \fBSSL_write_early_data()\fR and
\&\fBSSL_write_ex\fR\|(3).
.PP
-When called by a client, \fBSSL_write_early_data()\fR must be the first \s-1IO\s0 function
+When called by a client, \fBSSL_write_early_data()\fR must be the first IO function
called on a new connection, i.e. it must occur before any calls to
\&\fBSSL_write_ex\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_connect\fR\|(3), \fBSSL_do_handshake\fR\|(3)
or other similar functions. It may be called multiple times to stream data to
@@ -255,14 +179,14 @@ write the requested data.
A server may choose to ignore early data that has been sent to it. Once the
connection has been completed you can determine whether the server accepted or
rejected the early data by calling \fBSSL_get_early_data_status()\fR. This will return
-\&\s-1SSL_EARLY_DATA_ACCEPTED\s0 if the data was accepted, \s-1SSL_EARLY_DATA_REJECTED\s0 if it
-was rejected or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent. This function
+SSL_EARLY_DATA_ACCEPTED if the data was accepted, SSL_EARLY_DATA_REJECTED if it
+was rejected or SSL_EARLY_DATA_NOT_SENT if no early data was sent. This function
may be called by either the client or the server.
.PP
A server uses the \fBSSL_read_early_data()\fR function to receive early data on a
connection for which early data has been enabled using
\&\fBSSL_CTX_set_max_early_data()\fR or \fBSSL_set_max_early_data()\fR. As for
-\&\fBSSL_write_early_data()\fR, this must be the first \s-1IO\s0 function
+\&\fBSSL_write_early_data()\fR, this must be the first IO function
called on a connection, i.e. it must occur before any calls to
\&\fBSSL_write_ex\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_accept\fR\|(3), \fBSSL_do_handshake\fR\|(3),
or other similar functions.
@@ -271,26 +195,26 @@ or other similar functions.
differences. Refer to \fBSSL_read_ex\fR\|(3) for full details.
.PP
\&\fBSSL_read_early_data()\fR may return 3 possible values:
-.IP "\s-1SSL_READ_EARLY_DATA_ERROR\s0" 4
+.IP SSL_READ_EARLY_DATA_ERROR 4
.IX Item "SSL_READ_EARLY_DATA_ERROR"
-This indicates an \s-1IO\s0 or some other error occurred. This should be treated in the
+This indicates an IO or some other error occurred. This should be treated in the
same way as a 0 return value from \fBSSL_read_ex\fR\|(3).
-.IP "\s-1SSL_READ_EARLY_DATA_SUCCESS\s0" 4
+.IP SSL_READ_EARLY_DATA_SUCCESS 4
.IX Item "SSL_READ_EARLY_DATA_SUCCESS"
This indicates that early data was successfully read. This should be treated in
the same way as a 1 return value from \fBSSL_read_ex\fR\|(3). You should continue to
call \fBSSL_read_early_data()\fR to read more data.
-.IP "\s-1SSL_READ_EARLY_DATA_FINISH\s0" 4
+.IP SSL_READ_EARLY_DATA_FINISH 4
.IX Item "SSL_READ_EARLY_DATA_FINISH"
This indicates that no more early data can be read. It may be returned on the
first call to \fBSSL_read_early_data()\fR if the client has not sent any early data,
or if the early data was rejected.
.PP
Once the initial \fBSSL_read_early_data()\fR call has completed successfully (i.e. it
-has returned \s-1SSL_READ_EARLY_DATA_SUCCESS\s0 or \s-1SSL_READ_EARLY_DATA_FINISH\s0) then the
+has returned SSL_READ_EARLY_DATA_SUCCESS or SSL_READ_EARLY_DATA_FINISH) then the
server may choose to write data immediately to the unauthenticated client using
\&\fBSSL_write_early_data()\fR. If \fBSSL_read_early_data()\fR returned
-\&\s-1SSL_READ_EARLY_DATA_FINISH\s0 then in some situations (e.g. if the client only
+SSL_READ_EARLY_DATA_FINISH then in some situations (e.g. if the client only
supports TLSv1.2) the handshake may have already been completed and calls
to \fBSSL_write_early_data()\fR are not allowed. Call \fBSSL_is_init_finished\fR\|(3) to
determine whether the handshake has completed or not. If the handshake is still
@@ -299,13 +223,13 @@ calls to \fBSSL_read_early_data()\fR as required.
.PP
Servers must not call \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or
\&\fBSSL_write\fR\|(3) until \fBSSL_read_early_data()\fR has returned with
-\&\s-1SSL_READ_EARLY_DATA_FINISH.\s0 Once it has done so the connection to the client
+SSL_READ_EARLY_DATA_FINISH. Once it has done so the connection to the client
still needs to be completed. Complete the connection by calling a function such
as \fBSSL_accept\fR\|(3) or \fBSSL_do_handshake\fR\|(3). Alternatively you can call a
standard read function such as \fBSSL_read_ex\fR\|(3), which will transparently
complete the connection and read the requested data. Note that it is an error to
attempt to complete the connection before \fBSSL_read_early_data()\fR has returned
-\&\s-1SSL_READ_EARLY_DATA_FINISH.\s0
+SSL_READ_EARLY_DATA_FINISH.
.PP
Only servers may call \fBSSL_read_early_data()\fR.
.PP
@@ -322,17 +246,17 @@ the maximum amount of any early data that it will accept on any future
connection attempt. By default the server does not accept early data; a
server may indicate support for early data by calling
\&\fBSSL_CTX_set_max_early_data()\fR or
-\&\fBSSL_set_max_early_data()\fR to set it for the whole \s-1SSL_CTX\s0 or an individual \s-1SSL\s0
+\&\fBSSL_set_max_early_data()\fR to set it for the whole SSL_CTX or an individual SSL
object respectively. The \fBmax_early_data\fR parameter specifies the maximum
amount of early data in bytes that is permitted to be sent on a single
connection. Similarly the \fBSSL_CTX_get_max_early_data()\fR and
\&\fBSSL_get_max_early_data()\fR functions can be used to obtain the current maximum
-early data settings for the \s-1SSL_CTX\s0 and \s-1SSL\s0 objects respectively. Generally a
+early data settings for the SSL_CTX and SSL objects respectively. Generally a
server application will either use both of \fBSSL_read_early_data()\fR and
\&\fBSSL_CTX_set_max_early_data()\fR (or \fBSSL_set_max_early_data()\fR), or neither of them,
since there is no practical benefit from using only one of them. If the maximum
early data setting for a server is nonzero then replay protection is
-automatically enabled (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0 below).
+automatically enabled (see "REPLAY PROTECTION" below).
.PP
If the server rejects the early data sent by a client then it will skip over
the data that is sent. The maximum amount of received early data that is skipped
@@ -356,7 +280,7 @@ aborted connections. The recv_max_early_data should never be set to less than
the current configured max_early_data value.
.PP
Some server applications may wish to have more control over whether early data
-is accepted or not, for example to mitigate replay risks (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0
+is accepted or not, for example to mitigate replay risks (see "REPLAY PROTECTION"
below) or to decline early_data when the server is heavily loaded. The functions
\&\fBSSL_CTX_set_allow_early_data_cb()\fR and \fBSSL_set_allow_early_data_cb()\fR set a
callback which is called at a point in the handshake immediately before a
@@ -366,31 +290,36 @@ set. Returning 1 from the callback will allow early data and returning 0 will
reject it. Note that the OpenSSL library may reject early data for other reasons
in which case this callback will not get called. Notably, the built-in replay
protection feature will still be used even if a callback is present unless it
-has been explicitly disabled using the \s-1SSL_OP_NO_ANTI_REPLAY\s0 option. See
-\&\*(L"\s-1REPLAY PROTECTION\*(R"\s0 below.
-.SH "NOTES"
+has been explicitly disabled using the SSL_OP_NO_ANTI_REPLAY option. See
+"REPLAY PROTECTION" below.
+.PP
+These functions cannot currently be used with QUIC SSL objects.
+\&\fBSSL_set_max_early_data()\fR, \fBSSL_set_recv_max_early_data()\fR, \fBSSL_write_early_data()\fR,
+\&\fBSSL_read_early_data()\fR, \fBSSL_get_early_data_status()\fR and
+\&\fBSSL_set_allow_early_data_cb()\fR fail if called on a QUIC SSL object.
+.SH NOTES
.IX Header "NOTES"
The whole purpose of early data is to enable a client to start sending data to
the server before a full round trip of network traffic has occurred. Application
-developers should ensure they consider optimisation of the underlying \s-1TCP\s0 socket
+developers should ensure they consider optimisation of the underlying TCP socket
to obtain a performant solution. For example Nagle's algorithm is commonly used
-by operating systems in an attempt to avoid lots of small \s-1TCP\s0 packets. In many
+by operating systems in an attempt to avoid lots of small TCP packets. In many
scenarios this is beneficial for performance, but it does not work well with the
-early data solution as implemented in OpenSSL. In Nagle's algorithm the \s-1OS\s0 will
-buffer outgoing \s-1TCP\s0 data if a \s-1TCP\s0 packet has already been sent which we have not
-yet received an \s-1ACK\s0 for from the peer. The buffered data will only be
-transmitted if enough data to fill an entire \s-1TCP\s0 packet is accumulated, or if
-the \s-1ACK\s0 is received from the peer. The initial ClientHello will be sent in the
-first \s-1TCP\s0 packet along with any data from the first call to
+early data solution as implemented in OpenSSL. In Nagle's algorithm the OS will
+buffer outgoing TCP data if a TCP packet has already been sent which we have not
+yet received an ACK for from the peer. The buffered data will only be
+transmitted if enough data to fill an entire TCP packet is accumulated, or if
+the ACK is received from the peer. The initial ClientHello will be sent in the
+first TCP packet along with any data from the first call to
\&\fBSSL_write_early_data()\fR. If the amount of data written will exceed the size of a
-single \s-1TCP\s0 packet, or if there are more calls to \fBSSL_write_early_data()\fR then
-that additional data will be sent in subsequent \s-1TCP\s0 packets which will be
-buffered by the \s-1OS\s0 and not sent until an \s-1ACK\s0 is received for the first packet
+single TCP packet, or if there are more calls to \fBSSL_write_early_data()\fR then
+that additional data will be sent in subsequent TCP packets which will be
+buffered by the OS and not sent until an ACK is received for the first packet
containing the ClientHello. This means the early data is not actually
sent until a complete round trip with the server has occurred which defeats the
objective of early data.
.PP
-In many operating systems the \s-1TCP_NODELAY\s0 socket option is available to disable
+In many operating systems the TCP_NODELAY socket option is available to disable
Nagle's algorithm. If an application opts to disable Nagle's algorithm
consideration should be given to turning it back on again after the handshake is
complete if appropriate.
@@ -404,12 +333,12 @@ support TLSv1.3 but was later downgraded to TLSv1.2. Sending early data to such
a server will cause the connection to abort. Clients that encounter an aborted
connection while sending early data may want to retry the connection without
sending early data as this does not happen automatically. A client will have to
-establish a new transport layer connection to the server and attempt the \s-1SSL/TLS\s0
+establish a new transport layer connection to the server and attempt the SSL/TLS
connection again but without sending early data. Note that it is inadvisable to
retry with a lower maximum protocol version.
.SH "REPLAY PROTECTION"
.IX Header "REPLAY PROTECTION"
-When early data is in use the \s-1TLS\s0 protocol provides no security guarantees that
+When early data is in use the TLS protocol provides no security guarantees that
the same early data was not replayed across multiple connections. As a
mitigation for this issue OpenSSL automatically enables replay protection if the
server is configured with a nonzero max early data value. With replay
@@ -421,7 +350,7 @@ if a client does not send any early data.
.PP
The replay protection mechanism relies on the internal OpenSSL server session
cache (see \fBSSL_CTX_set_session_cache_mode\fR\|(3)). When replay protection is
-being used the server will operate as if the \s-1SSL_OP_NO_TICKET\s0 option had been
+being used the server will operate as if the SSL_OP_NO_TICKET option had been
selected (see \fBSSL_CTX_set_options\fR\|(3)). Sessions will be added to the cache
whenever a session ticket is issued. When a client attempts to resume the
session, OpenSSL will check for its presence in the internal cache. If it exists
@@ -448,7 +377,7 @@ should be applied when combining external PSKs with early data.
.PP
Some applications may mitigate the replay risks in other ways. For those
applications it is possible to turn off the built-in replay protection feature
-using the \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR option. See \fBSSL_CTX_set_options\fR\|(3) for
+using the \fBSSL_OP_NO_ANTI_REPLAY\fR option. See \fBSSL_CTX_set_options\fR\|(3) for
details. Applications can also set a callback to make decisions about accepting
early data or not. See \fBSSL_CTX_set_allow_early_data_cb()\fR above for details.
.SH "RETURN VALUES"
@@ -456,9 +385,9 @@ early data or not. See \fBSSL_CTX_set_allow_early_data_cb()\fR above for details
\&\fBSSL_write_early_data()\fR returns 1 for success or 0 for failure. In the event of a
failure call \fBSSL_get_error\fR\|(3) to determine the correct course of action.
.PP
-\&\fBSSL_read_early_data()\fR returns \s-1SSL_READ_EARLY_DATA_ERROR\s0 for failure,
-\&\s-1SSL_READ_EARLY_DATA_SUCCESS\s0 for success with more data to read and
-\&\s-1SSL_READ_EARLY_DATA_FINISH\s0 for success with no more to data be read. In the
+\&\fBSSL_read_early_data()\fR returns SSL_READ_EARLY_DATA_ERROR for failure,
+SSL_READ_EARLY_DATA_SUCCESS for success with more data to read and
+SSL_READ_EARLY_DATA_FINISH for success with no more to data be read. In the
event of a failure call \fBSSL_get_error\fR\|(3) to determine the correct course of
action.
.PP
@@ -469,9 +398,9 @@ that may be sent.
\&\fBSSL_set_max_early_data()\fR, \fBSSL_CTX_set_max_early_data()\fR and
\&\fBSSL_SESSION_set_max_early_data()\fR return 1 for success or 0 for failure.
.PP
-\&\fBSSL_get_early_data_status()\fR returns \s-1SSL_EARLY_DATA_ACCEPTED\s0 if early data was
-accepted by the server, \s-1SSL_EARLY_DATA_REJECTED\s0 if early data was rejected by
-the server, or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent.
+\&\fBSSL_get_early_data_status()\fR returns SSL_EARLY_DATA_ACCEPTED if early data was
+accepted by the server, SSL_EARLY_DATA_REJECTED if early data was rejected by
+the server, or SSL_EARLY_DATA_NOT_SENT if no early data was sent.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3),
@@ -482,14 +411,14 @@ the server, or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent.
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3),
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
All of the functions described above were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3
index 0946bb36e2ea..edb22a0977e9 100644
--- a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3
+++ b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_RSTATE_STRING 3ossl"
-.TH SSL_RSTATE_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_RSTATE_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_rstate_string, SSL_rstate_string_long \- get textual description of state of an SSL object during read operation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,48 +70,44 @@ SSL_rstate_string, SSL_rstate_string_long \- get textual description of state of
\& const char *SSL_rstate_string(SSL *ssl);
\& const char *SSL_rstate_string_long(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_rstate_string()\fR returns a 2 letter string indicating the current read state
-of the \s-1SSL\s0 object \fBssl\fR.
+of the SSL object \fBssl\fR.
.PP
\&\fBSSL_rstate_string_long()\fR returns a string indicating the current read state of
-the \s-1SSL\s0 object \fBssl\fR.
-.SH "NOTES"
+the SSL object \fBssl\fR.
+.SH NOTES
.IX Header "NOTES"
-When performing a read operation, the \s-1SSL/TLS\s0 engine must parse the record,
+When performing a read operation, the SSL/TLS engine must parse the record,
consisting of header and body. When working in a blocking environment,
-SSL_rstate_string[_long]() should always return \*(L"\s-1RD\*(R"/\s0\*(L"read done\*(R".
+SSL_rstate_string[_long]() should always return "RD"/"read done".
.PP
This function should only seldom be needed in applications.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_rstate_string()\fR and \fBSSL_rstate_string_long()\fR can return the following
values:
-.ie n .IP """\s-1RH""/\s0""read header""" 4
-.el .IP "``\s-1RH''/\s0``read header''" 4
-.IX Item "RH/read header"
+.IP """RH""/""read header""" 4
+.IX Item """RH""/""read header"""
The header of the record is being evaluated.
-.ie n .IP """\s-1RB""/\s0""read body""" 4
-.el .IP "``\s-1RB''/\s0``read body''" 4
-.IX Item "RB/read body"
+.IP """RB""/""read body""" 4
+.IX Item """RB""/""read body"""
The body of the record is being evaluated.
-.ie n .IP """\s-1RD""/\s0""read done""" 4
-.el .IP "``\s-1RD''/\s0``read done''" 4
-.IX Item "RD/read done"
-The record has been completely processed.
-.ie n .IP """unknown""/""unknown""" 4
-.el .IP "``unknown''/``unknown''" 4
-.IX Item "unknown/unknown"
+.IP """unknown""/""unknown""" 4
+.IX Item """unknown""/""unknown"""
The read state is unknown. This should never happen.
+.PP
+When used with QUIC SSL objects, these functions always return "RH"/"read
+header" in normal conditions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_session_reused.3 b/secure/lib/libcrypto/man/man3/SSL_session_reused.3
index 9e6087013e40..c30839270844 100644
--- a/secure/lib/libcrypto/man/man3/SSL_session_reused.3
+++ b/secure/lib/libcrypto/man/man3/SSL_session_reused.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,27 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_REUSED 3ossl"
-.TH SSL_SESSION_REUSED 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SESSION_REUSED 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_session_reused \- query whether a reused session was negotiated during handshake
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_session_reused(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Query, whether a reused session was negotiated during the handshake.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
During the negotiation, a client can propose to reuse a session. The server
then looks up the session in its cache. If both client and server agree
@@ -157,20 +81,20 @@ queried by the application.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
+.IP 0 4
A new session was negotiated.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
A session was reused.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_host.3 b/secure/lib/libcrypto/man/man3/SSL_set1_host.3
index 7eeaf8a55708..68144fcfb75f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set1_host.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set1_host.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,151 +52,100 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET1_HOST 3ossl"
-.TH SSL_SET1_HOST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET1_HOST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername \-
SSL server verification parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
-\& int SSL_set1_host(SSL *s, const char *hostname);
-\& int SSL_add1_host(SSL *s, const char *hostname);
+\& int SSL_set1_host(SSL *s, const char *host);
+\& int SSL_add1_host(SSL *s, const char *host);
\& void SSL_set_hostflags(SSL *s, unsigned int flags);
\& const char *SSL_get0_peername(SSL *s);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions configure server hostname checks in the \s-1SSL\s0 client.
+These functions configure server hostname checks in the SSL client.
.PP
-\&\fBSSL_set1_host()\fR sets the expected \s-1DNS\s0 hostname to \fBname\fR clearing
-any previously specified hostname. If \fBname\fR is \s-1NULL\s0
-or the empty string, the list of hostnames is cleared and name
-checks are not performed on the peer certificate. When a nonempty
-\&\fBname\fR is specified, certificate verification automatically checks
-the peer hostname via \fBX509_check_host\fR\|(3) with \fBflags\fR as specified
-via \fBSSL_set_hostflags()\fR. Clients that enable \s-1DANE TLSA\s0 authentication
+\&\fBSSL_set1_host()\fR sets in the verification parameters of \fIs\fR
+the expected DNS hostname or IP address to \fIhost\fR,
+clearing any previously specified IP address and hostnames.
+If \fIhost\fR is NULL or the empty string, IP address
+and hostname checks are not performed on the peer certificate.
+When a nonempty \fIhost\fR is specified, certificate verification automatically
+checks the peer hostname via \fBX509_check_host\fR\|(3) with \fIflags\fR as specified
+via \fBSSL_set_hostflags()\fR. Clients that enable DANE TLSA authentication
via \fBSSL_dane_enable\fR\|(3) should leave it to that function to set
the primary reference identifier of the peer, and should not call
\&\fBSSL_set1_host()\fR.
.PP
-\&\fBSSL_add1_host()\fR adds \fBname\fR as an additional reference identifier
-that can match the peer's certificate. Any previous names set via
-\&\fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR are retained, no change is made
-if \fBname\fR is \s-1NULL\s0 or empty. When multiple names are configured,
-the peer is considered verified when any name matches. This function
-is required for \s-1DANE TLSA\s0 in the presence of service name indirection
-via \s-1CNAME, MX\s0 or \s-1SRV\s0 records as specified in \s-1RFC7671, RFC7672\s0 or
-\&\s-1RFC7673.\s0
+\&\fBSSL_add1_host()\fR adds \fIhost\fR as an additional reference identifier
+that can match the peer's certificate. Any previous hostnames
+set via \fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR are retained.
+Adding an IP address is allowed only if no IP address has been set before.
+No change is made if \fIhost\fR is NULL or empty.
+When an IP address and/or multiple hostnames are configured,
+the peer is considered verified when any of these matches.
+This function is required for DANE TLSA in the presence of service name indirection
+via CNAME, MX or SRV records as specified in RFCs 7671, 7672, and 7673.
+.PP
+TLS clients are recommended to use \fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR
+for server hostname or IP address validation,
+as well as \fBSSL_set_tlsext_host_name\fR\|(3) for Server Name Indication (SNI),
+which may be crucial also for correct routing of the connection request.
.PP
-\&\fBSSL_set_hostflags()\fR sets the \fBflags\fR that will be passed to
+\&\fBSSL_set_hostflags()\fR sets the \fIflags\fR that will be passed to
\&\fBX509_check_host\fR\|(3) when name checks are applicable, by default
-the \fBflags\fR value is 0. See \fBX509_check_host\fR\|(3) for the list
+the \fIflags\fR value is 0. See \fBX509_check_host\fR\|(3) for the list
of available flags and their meaning.
.PP
-\&\fBSSL_get0_peername()\fR returns the \s-1DNS\s0 hostname or subject CommonName
+\&\fBSSL_get0_peername()\fR returns the DNS hostname or subject CommonName
from the peer certificate that matched one of the reference
identifiers. When wildcard matching is not disabled, the name
matched in the peer certificate may be a wildcard name. When one
of the reference identifiers configured via \fBSSL_set1_host()\fR or
-\&\fBSSL_add1_host()\fR starts with \*(L".\*(R", which indicates a parent domain prefix
+\&\fBSSL_add1_host()\fR starts with ".", which indicates a parent domain prefix
rather than a fixed name, the matched peer name may be a sub-domain
of the reference identifier. The returned string is allocated by
-the library and is no longer valid once the associated \fBssl\fR handle
+the library and is no longer valid once the associated \fIssl\fR handle
is cleared or freed, or a renegotiation takes place. Applications
must not free the return value.
.PP
-\&\s-1SSL\s0 clients are advised to use these functions in preference to
+SSL clients are advised to use these functions in preference to
explicitly calling \fBX509_check_host\fR\|(3). Hostname checks may be out
-of scope with the \s-1RFC7671 \fBDANE\-EE\s0\fR\|(3) certificate usage, and the
-internal check will be suppressed as appropriate when \s-1DANE\s0 is
+of scope with the RFC 7671 \fBDANE\-EE\fR\|(3) certificate usage, and the
+internal check will be suppressed as appropriate when DANE is
enabled.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set1_host()\fR and \fBSSL_add1_host()\fR return 1 for success and 0 for
failure.
.PP
-\&\fBSSL_get0_peername()\fR returns \s-1NULL\s0 if peername verification is not
-applicable (as with \s-1RFC7671 \fBDANE\-EE\s0\fR\|(3)), or no trusted peername was
+\&\fBSSL_set_hostflags()\fR returns nothing at all.
+.PP
+\&\fBSSL_get0_peername()\fR returns NULL if peername verification is not
+applicable (as with RFC 7671 \fBDANE\-EE\fR\|(3)), or no trusted peername was
matched. Otherwise, it returns the matched peername. To determine
whether verification succeeded call \fBSSL_get_verify_result\fR\|(3).
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Suppose \*(L"smtp.example.com\*(R" is the \s-1MX\s0 host of the domain \*(L"example.com\*(R".
-The calls below will arrange to match either the \s-1MX\s0 hostname or the
-destination domain name in the \s-1SMTP\s0 server certificate. Wildcards
+Suppose "smtp.example.com" is the MX host of the domain "example.com".
+The calls below will arrange to match either the MX hostname or the
+destination domain name in the SMTP server certificate. Wildcards
are supported, but must match the entire label. The actual name
matched in the certificate (which might be a wildcard) is retrieved,
and must be copied by the application if it is to be retained beyond
-the lifetime of the \s-1SSL\s0 connection.
+the lifetime of the SSL connection.
.PP
.Vb 5
\& SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
@@ -233,17 +166,16 @@ the lifetime of the \s-1SSL\s0 connection.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
-\&\fBX509_check_host\fR\|(3),
-\&\fBSSL_get_verify_result\fR\|(3).
-\&\fBSSL_dane_enable\fR\|(3).
-.SH "HISTORY"
+\&\fBX509_check_host\fR\|(3), \fBSSL_set_tlsext_host_name\fR\|(3),
+\&\fBSSL_get_verify_result\fR\|(3), \fBSSL_dane_enable\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3 b/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3
new file mode 100644
index 000000000000..d75d7f303d4f
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set1_initial_peer_addr.3
@@ -0,0 +1,114 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET1_INITIAL_PEER_ADDR 3ossl"
+.TH SSL_SET1_INITIAL_PEER_ADDR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_set1_initial_peer_addr \- set the initial peer address for a QUIC connection
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_set1_initial_peer_addr(SSL *s, const BIO_ADDR *addr);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_set1_initial_peer_addr()\fR sets the initial destination peer address to be used
+for the purposes of establishing a QUIC connection in client mode. This function
+can be used only on a QUIC connection SSL object, and can be used only before a
+connection attempt is first made. \fIaddr\fR must point to a \fBBIO_ADDR\fR
+representing a UDP destination address of the server to connect to.
+.PP
+Where a QUIC connection object is provided with a write BIO which supports the
+\&\fBBIO_CTRL_DGRAM_GET_PEER\fR control (for example, \fBBIO_s_dgram\fR), the initial
+destination peer address can be detected automatically; if
+\&\fBBIO_CTRL_DGRAM_GET_PEER\fR returns a valid (non\-\fBAF_UNSPEC\fR) peer address and
+no valid peer address has yet been set, this will be set automatically as the
+initial peer address. This behaviour can be overridden by calling
+\&\fBSSL_set1_initial_peer_addr()\fR with a valid peer address explicitly.
+.PP
+The destination address used by QUIC may change over time in response to
+connection events, such as connection migration (where supported).
+\&\fBSSL_set1_initial_peer_addr()\fR configures the destination address used for initial
+connection establishment, and does not confer any guarantee about the
+destination address being used for communication at any later time in the
+connection lifecycle.
+.PP
+This function makes a copy of the address passed by the caller; the \fBBIO_ADDR\fR
+structure pointed to by \fIaddr\fR may be freed by the caller after this function
+returns.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success and 0 on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBBIO_ADDR\fR\|(3), \fBssl\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_set1_initial_peer_addr()\fR function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3 b/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3
new file mode 100644
index 000000000000..4b2fd06c238d
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set1_server_cert_type.3
@@ -0,0 +1,245 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET1_SERVER_CERT_TYPE 3ossl"
+.TH SSL_SET1_SERVER_CERT_TYPE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_set1_client_cert_type,
+SSL_set1_server_cert_type,
+SSL_CTX_set1_client_cert_type,
+SSL_CTX_set1_server_cert_type,
+SSL_get0_client_cert_type,
+SSL_get0_server_cert_type,
+SSL_CTX_get0_client_cert_type,
+SSL_CTX_get0_server_cert_type \- certificate type (RFC7250) support
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_set1_client_cert_type(SSL *s, const unsigned char *val, size_t len);
+\& int SSL_set1_server_cert_type(SSL *s, const unsigned char *val, size_t len);
+\& int SSL_CTX_set1_client_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len);
+\& int SSL_CTX_set1_server_cert_type(SSL_CTX *ctx, const unsigned char *val, size_t len);
+\& int SSL_get0_client_cert_type(const SSL *s, unsigned char **val, size_t *len);
+\& int SSL_get0_server_cert_type(const SSL *s, unsigned char **val, size_t *len);
+\& int SSL_CTX_get0_client_cert_type(const SSL_CTX *ctx, unsigned char **val, size_t *len);
+\& int SSL_CTX_get0_server_cert_type(const SSL_CTX *s, unsigned char **val, size_t *len);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_set1_client_cert_type()\fR and \fBSSL_CTX_set1_client_cert_type()\fR functions
+set the values for the client certificate type extension.
+The \fBSSL_get0_client_cert_type()\fR and \fBSSL_CTX_get0_client_cert_type()\fR functions
+retrieve the local values to be used in the client certificate type extension.
+.PP
+The \fBSSL_set1_server_cert_type()\fR and \fBSSL_CTX_set1_server_cert_type()\fR functions
+set the values for the server certificate type extension.
+The \fBSSL_get0_server_cert_type()\fR and \fBSSL_CTX_get0_server_cert_type()\fR functions
+retrieve the local values to be used in the server certificate type extension.
+.SH NOTES
+.IX Header "NOTES"
+The certificate type extensions are used to negotiate the certificate type to
+be used in the handshake.
+These extensions let each side know what its peer is able to accept.
+.PP
+The client certificate type is sent from the client to the server to indicate
+what certificate types the client is able to present.
+Values are configured in preference order.
+On the server, this setting determines which certificate types the server is
+willing to accept.
+The server ultimately chooses what type to request (if any) from the values
+that are mutually supported.
+By default (if no explicit settings are specified), only X.509 certificates
+are supported.
+.PP
+The server certificate type is sent from the client to the server to indicate
+what certificate types the client accepts.
+Values are configured in preference order.
+On the server, this setting determines which certificate types the server is
+willing to present.
+The server ultimately chooses what type to use from the values that are
+mutually supported.
+By default (if no explicit settings are specified), only X.509 certificates
+are supported.
+.PP
+Having RPK specified first means that side will attempt to send (or request)
+RPKs if its peer also supports RPKs, otherwise X.509 certificate will be used
+if both have specified that (or have not configured these options).
+.PP
+The two supported values in the \fBval\fR array are:
+.IP TLSEXT_cert_type_x509 4
+.IX Item "TLSEXT_cert_type_x509"
+Which corresponds to an X.509 certificate normally used in TLS.
+.IP TLSEXT_cert_type_rpk 4
+.IX Item "TLSEXT_cert_type_rpk"
+Which corresponds to a raw public key.
+.PP
+If \fBval\fR is set to a non-NULL value, then the extension is sent in the handshake.
+If b<val> is set to a NULL value (and \fBlen\fR is 0), then the extension is
+disabled. The default value is NULL, meaning the extension is not sent, and
+X.509 certificates are used in the handshake.
+.PP
+Raw public keys may be used in place of certificates when specified in the
+certificate type and negotiated.
+Raw public keys have no subject, issuer, validity dates or digital signature.
+.PP
+Use the \fBSSL_get_negotiated_client_cert_type\fR\|(3) and
+\&\fBSSL_get_negotiated_server_cert_type\fR\|(3) functions to get the negotiated cert
+type values (at the conclusion of the handshake, or in callbacks that happen
+after the TLS ServerHello has been processed).
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+All functions return 1 on success and 0 on failure.
+.PP
+The memory returned from the get0 functions must not be freed.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+To use raw public keys on the server, set up the SSL_CTX and SSL as follows:
+.PP
+.Vb 4
+\& SSL_CTX *ctx;
+\& SSL *ssl;
+\& unsigned char cert_type[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
+\& EVP_PKEY *rpk;
+\&
+\& /* Assign rpk to an EVP_PKEY from a file or other means */
+\&
+\& if ((ctx = SSL_CTX_new(TLS_server_method())) == NULL)
+\& /* error */
+\& if ((ssl = SSL_new(ctx)) == NULL)
+\& /* error */
+\& if (!SSL_set1_server_cert_type(ssl, cert_type, sizeof(cert_type)))
+\& /* error */
+\&
+\& /* A certificate does not need to be specified when using raw public keys */
+\& if (!SSL_use_PrivateKey(ssl, rpk))
+\& /* error */
+\&
+\& /* Perform SSL_accept() operations */
+.Ve
+.PP
+To connect to this server, set the client SSL_CTX and SSL as follows:
+.PP
+.Vb 1
+\& /* Connect function */
+\&
+\& SSL_CTX *ctx;
+\& SSL *ssl;
+\& const char *dane_tlsa_domain = "smtp.example.com";
+\& unsigned char cert_type[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
+\& EVP_PKEY *rpk;
+\& int verify_result;
+\&
+\& /* Assign rpk to an EVP_PKEY from a file or other means */
+\&
+\& if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
+\& /* error */
+\& if (SSL_CTX_dane_enable(ctx) <= 0)
+\& /* error */
+\& if ((ssl = SSL_new(ctx)) == NULL)
+\& /* error */
+\& /*
+\& * The \`dane_tlsa_domain\` arguments sets the default SNI hostname.
+\& * It may be set to NULL when enabling DANE on the server side.
+\& */
+\& if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
+\& /* error */
+\& if (!SSL_set1_server_cert_type(ssl, cert_type, sizeof(cert_type)))
+\& /* error */
+\& if (!SSL_add_expected_rpk(ssl, rpk))
+\& /* error */
+\&
+\& /* Do SSL_connect() handshake and handle errors here */
+\&
+\& /* Optional: verify the peer RPK */
+\& verify_result = SSL_get_verify_result(ssl);
+\& if (verify_result == X509_V_OK) {
+\& /* The server\*(Aqs raw public key matched the TLSA record */
+\& } else if (verify_result == X509_V_ERR_DANE_NO_MATCH) {
+\& /*
+\& * The server\*(Aqs raw public key, or public key in certificate, did not
+\& * match the TLSA record
+\& */
+\& } else if (verify_result == X509_V_ERR_RPK_UNTRUSTED) {
+\& /*
+\& * No TLSA records of the correct type are available to verify the
+\& * server\*(Aqs raw public key. This would not happen in this example,
+\& * as a TLSA record is configured.
+\& */
+\& } else {
+\& /* Some other verify error */
+\& }
+.Ve
+.PP
+To validate client raw public keys, code from the client example may need to be
+incorporated into the server side.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_get0_peer_rpk\fR\|(3),
+\&\fBSSL_get_negotiated_client_cert_type\fR\|(3),
+\&\fBSSL_get_negotiated_server_cert_type\fR\|(3),
+\&\fBSSL_use_certificate\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3 b/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3
index afd3f5b6a806..c274fef23aec 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_async_callback.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_ASYNC_CALLBACK 3ossl"
-.TH SSL_SET_ASYNC_CALLBACK 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_ASYNC_CALLBACK 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_CTX_set_async_callback,
SSL_CTX_set_async_callback_arg,
SSL_set_async_callback,
@@ -144,7 +68,7 @@ SSL_set_async_callback_arg,
SSL_get_async_status,
SSL_async_callback_fn
\&\- manage asynchronous operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -156,60 +80,60 @@ SSL_async_callback_fn
\& int SSL_set_async_callback_arg(SSL *s, void *arg);
\& int SSL_get_async_status(SSL *s, int *status);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_CTX_set_async_callback()\fR sets an asynchronous callback function. All \fB\s-1SSL\s0\fR
-objects generated based on this \fB\s-1SSL_CTX\s0\fR will get this callback. If an engine
+\&\fBSSL_CTX_set_async_callback()\fR sets an asynchronous callback function. All \fBSSL\fR
+objects generated based on this \fBSSL_CTX\fR will get this callback. If an engine
supports the callback mechanism, it will be automatically called if
-\&\fB\s-1SSL_MODE_ASYNC\s0\fR has been set and an asynchronous capable engine completes a
+\&\fBSSL_MODE_ASYNC\fR has been set and an asynchronous capable engine completes a
cryptography operation to notify the application to resume the paused work flow.
.PP
\&\fBSSL_CTX_set_async_callback_arg()\fR sets the callback argument.
.PP
\&\fBSSL_set_async_callback()\fR allows an application to set a callback in an
-asynchronous \fB\s-1SSL\s0\fR object, so that when an engine completes a cryptography
+asynchronous \fBSSL\fR object, so that when an engine completes a cryptography
operation, the callback will be called to notify the application to resume the
paused work flow.
.PP
-\&\fBSSL_set_async_callback_arg()\fR sets an argument for the \fB\s-1SSL\s0\fR object when the
+\&\fBSSL_set_async_callback_arg()\fR sets an argument for the \fBSSL\fR object when the
above callback is called.
.PP
\&\fBSSL_get_async_status()\fR returns the engine status. This function facilitates the
-communication from the engine to the application. During an \s-1SSL\s0 session,
+communication from the engine to the application. During an SSL session,
cryptographic operations are dispatched to an engine. The engine status is very
useful for an application to know if the operation has been successfully
dispatched. If the engine does not support this additional callback method,
-\&\fB\s-1ASYNC_STATUS_UNSUPPORTED\s0\fR will be returned. See \fBASYNC_WAIT_CTX_set_status()\fR
+\&\fBASYNC_STATUS_UNSUPPORTED\fR will be returned. See \fBASYNC_WAIT_CTX_set_status()\fR
for a description of all of the status values.
.PP
An example of the above functions would be the following:
-.IP "1." 4
-Application sets the async callback and callback data on an \s-1SSL\s0 connection
+.IP 1. 4
+Application sets the async callback and callback data on an SSL connection
by calling \fBSSL_set_async_callback()\fR.
-.IP "2." 4
-Application sets \fB\s-1SSL_MODE_ASYNC\s0\fR and makes an asynchronous \s-1SSL\s0 call
-.IP "3." 4
+.IP 2. 4
+Application sets \fBSSL_MODE_ASYNC\fR and makes an asynchronous SSL call
+.IP 3. 4
OpenSSL submits the asynchronous request to the engine. If a retry occurs at
-this point then the status within the \fB\s-1ASYNC_WAIT_CTX\s0\fR would be set and the
+this point then the status within the \fBASYNC_WAIT_CTX\fR would be set and the
async callback function would be called (goto Step 7).
-.IP "4." 4
+.IP 4. 4
The OpenSSL engine pauses the current job and returns, so that the
application can continue processing other connections.
-.IP "5." 4
+.IP 5. 4
At a future point in time (probably via a polling mechanism or via an
interrupt) the engine will become aware that the asynchronous request has
finished processing.
-.IP "6." 4
+.IP 6. 4
The engine will call the application's callback passing the callback data as
a parameter.
-.IP "7." 4
+.IP 7. 4
The callback function should then run. Note: it is a requirement that the
callback function is small and nonblocking as it will be run in the context of
a polling mechanism or an interrupt.
-.IP "8." 4
+.IP 8. 4
It is the application's responsibility via the callback function to schedule
recalling the OpenSSL asynchronous function and to continue processing.
-.IP "9." 4
+.IP 9. 4
The callback function has the option to check the status returned via
\&\fBSSL_get_async_status()\fR to determine whether a retry happened instead of the
request being submitted, allowing different processing if required.
@@ -221,16 +145,16 @@ request being submitted, allowing different processing if required.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_CTX_set_async_callback()\fR, \fBSSL_CTX_set_async_callback_arg()\fR,
\&\fBSSL_set_async_callback()\fR, \fBSSL_set_async_callback_arg()\fR and
\&\fBSSL_get_async_status()\fR were first added to OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_bio.3 b/secure/lib/libcrypto/man/man3/SSL_set_bio.3
index 35a32e8b0d5a..bebf2da15f6d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_bio.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_BIO 3ossl"
-.TH SSL_SET_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_bio, SSL_set0_rbio, SSL_set0_wbio \- connect the SSL object with a BIO
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,10 +71,10 @@ SSL_set_bio, SSL_set0_rbio, SSL_set0_wbio \- connect the SSL object with a BIO
\& void SSL_set0_rbio(SSL *s, BIO *rbio);
\& void SSL_set0_wbio(SSL *s, BIO *wbio);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_set0_rbio()\fR connects the \s-1BIO\s0 \fBrbio\fR for the read operations of the \fBssl\fR
-object. The \s-1SSL\s0 engine inherits the behaviour of \fBrbio\fR. If the \s-1BIO\s0 is
+\&\fBSSL_set0_rbio()\fR connects the BIO \fBrbio\fR for the read operations of the \fBssl\fR
+object. The SSL engine inherits the behaviour of \fBrbio\fR. If the BIO is
nonblocking then the \fBssl\fR object will also have nonblocking behaviour. This
function transfers ownership of \fBrbio\fR to \fBssl\fR. It will be automatically
freed using \fBBIO_free_all\fR\|(3) when the \fBssl\fR is freed. On calling this
@@ -158,42 +82,51 @@ function, any existing \fBrbio\fR that was previously set will also be freed via
call to \fBBIO_free_all\fR\|(3) (this includes the case where the \fBrbio\fR is set to
the same value as previously).
.PP
+If using a custom BIO, \fBrbio\fR must implement either
+\&\fBBIO_meth_set_read_ex\fR\|(3) or \fBBIO_meth_set_read\fR\|(3).
+.PP
\&\fBSSL_set0_wbio()\fR works in the same as \fBSSL_set0_rbio()\fR except that it connects
-the \s-1BIO\s0 \fBwbio\fR for the write operations of the \fBssl\fR object. Note that if the
+the BIO \fBwbio\fR for the write operations of the \fBssl\fR object. Note that if the
rbio and wbio are the same then \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR each take
ownership of one reference. Therefore, it may be necessary to increment the
number of references available using \fBBIO_up_ref\fR\|(3) before calling the set0
functions.
.PP
+If using a custom BIO, \fBwbio\fR must implement
+\&\fBBIO_meth_set_write_ex\fR\|(3) or \fBBIO_meth_set_write\fR\|(3). It additionally must
+implement \fBBIO_flush\fR\|(3) using \fBBIO_CTRL_FLUSH\fR and \fBBIO_meth_set_ctrl\fR\|(3).
+If flushing is unnecessary with \fBwbio\fR, \fBBIO_flush\fR\|(3) should return one and
+do nothing.
+.PP
\&\fBSSL_set_bio()\fR is similar to \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR except
that it connects both the \fBrbio\fR and the \fBwbio\fR at the same time, and
transfers the ownership of \fBrbio\fR and \fBwbio\fR to \fBssl\fR according to
the following set of rules:
-.IP "\(bu" 2
+.IP \(bu 2
If neither the \fBrbio\fR or \fBwbio\fR have changed from their previous values
then nothing is done.
-.IP "\(bu" 2
+.IP \(bu 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and both are different
to their
previously set values then one reference is consumed for the rbio and one
reference is consumed for the wbio.
-.IP "\(bu" 2
+.IP \(bu 2
If the \fBrbio\fR and \fBwbio\fR parameters are the same and the \fBrbio\fR is not
the same as the previously set value then one reference is consumed.
-.IP "\(bu" 2
+.IP \(bu 2
If the \fBrbio\fR and \fBwbio\fR parameters are the same and the \fBrbio\fR is the
same as the previously set value, then no additional references are consumed.
-.IP "\(bu" 2
+.IP \(bu 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBrbio\fR is the
same as the
previously set value then one reference is consumed for the \fBwbio\fR and no
references are consumed for the \fBrbio\fR.
-.IP "\(bu" 2
+.IP \(bu 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBwbio\fR is the
same as the previously set value and the old \fBrbio\fR and \fBwbio\fR values
were the same as each other then one reference is consumed for the \fBrbio\fR
and no references are consumed for the \fBwbio\fR.
-.IP "\(bu" 2
+.IP \(bu 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBwbio\fR
is the same as the
previously set value and the old \fBrbio\fR and \fBwbio\fR values were different
@@ -202,6 +135,12 @@ reference is consumed for the \fBwbio\fR.
.PP
Because of this complexity, this function should be avoided;
use \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR instead.
+.PP
+Where a new BIO is set on a QUIC connection SSL object, blocking mode will be
+disabled on that SSL object if the BIO cannot support blocking mode. If another
+BIO is subsequently set on the SSL object which can support blocking mode,
+blocking mode will not be automatically re-enabled. For more information, see
+\&\fBSSL_set_blocking_mode\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_bio()\fR, \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR cannot fail.
@@ -210,14 +149,14 @@ use \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR instead.
\&\fBSSL_get_rbio\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3 b/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3
new file mode 100644
index 000000000000..626ce7dd7469
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set_blocking_mode.3
@@ -0,0 +1,128 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET_BLOCKING_MODE 3ossl"
+.TH SSL_SET_BLOCKING_MODE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_set_blocking_mode, SSL_get_blocking_mode \- configure blocking mode for a
+QUIC SSL object
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& int SSL_set_blocking_mode(SSL *s, int blocking);
+\& int SSL_get_blocking_mode(SSL *s);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_set_blocking_mode()\fR can be used to enable or disable blocking mode on a QUIC
+connection SSL object. By default, blocking is enabled, unless the SSL object is
+configured to use an underlying read or write BIO which cannot provide a poll
+descriptor (see \fBBIO_get_rpoll_descriptor\fR\|(3)), as blocking mode cannot be
+supported in this case.
+.PP
+To enable blocking mode, call \fBSSL_set_blocking_mode()\fR with \fIblocking\fR set to 1;
+to disable it, call \fBSSL_set_blocking_mode()\fR with \fIblocking\fR set to 0.
+.PP
+To retrieve the current blocking mode, call \fBSSL_get_blocking_mode()\fR.
+.PP
+Blocking mode means that calls such as \fBSSL_read()\fR and \fBSSL_write()\fR will block
+until the requested operation can be performed. In nonblocking mode, these
+calls will fail if the requested operation cannot be performed immediately; see
+\&\fBSSL_get_error\fR\|(3).
+.PP
+These functions are only applicable to QUIC connection SSL objects. Other kinds
+of SSL object, such as those for TLS, automatically function in blocking or
+nonblocking mode based on whether the underlying network read and write BIOs
+provided to the SSL object are themselves configured in nonblocking mode.
+.PP
+Where a QUIC connection SSL object is used in nonblocking mode, an application
+is responsible for ensuring that the SSL object is ticked regularly; see
+\&\fBSSL_handle_events\fR\|(3).
+.PP
+Blocking mode is disabled automatically if the application provides a QUIC
+connection SSL object with a network BIO which cannot support blocking mode. To
+re-enable blocking mode in this case, an application must set a network BIO
+which can support blocking mode and explicitly call \fBSSL_set_blocking_mode()\fR.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_set_blocking_mode()\fR returns 1 on success and 0 on failure. The function
+fails if called on an SSL object which does not represent a QUIC connection,
+or if blocking mode cannot be used for the given connection.
+.PP
+\&\fBSSL_get_blocking_mode()\fR returns 1 if blocking is currently enabled. It returns
+\&\-1 if called on an unsupported SSL object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_handle_events\fR\|(3), \fBSSL_poll\fR\|(3), \fBopenssl\-quic\fR\|(7),
+\&\fBopenssl\-quic\-concurrency\fR\|(7), \fBssl\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_set_blocking_mode()\fR and \fBSSL_get_blocking_mode()\fR functions were added in
+OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3
index ded9148db0cc..c5549433cd8d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_CONNECT_STATE 3ossl"
-.TH SSL_SET_CONNECT_STATE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_CONNECT_STATE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_connect_state, SSL_set_accept_state, SSL_is_server
\&\- functions for manipulating and examining the client or server mode of an SSL object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -150,23 +74,23 @@ SSL_set_connect_state, SSL_set_accept_state, SSL_is_server
\&
\& int SSL_is_server(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_set_connect_state()\fR sets \fBssl\fR to work in client mode.
.PP
\&\fBSSL_set_accept_state()\fR sets \fBssl\fR to work in server mode.
.PP
\&\fBSSL_is_server()\fR checks if \fBssl\fR is working in server mode.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When the \s-1SSL_CTX\s0 object was created with \fBSSL_CTX_new\fR\|(3),
+When the SSL_CTX object was created with \fBSSL_CTX_new\fR\|(3),
it was either assigned a dedicated client method, a dedicated server
method, or a generic method, that can be used for both client and
server connections. (The method might have been changed with
\&\fBSSL_CTX_set_ssl_version\fR\|(3) or
\&\fBSSL_set_ssl_method\fR\|(3).)
.PP
-When beginning a new handshake, the \s-1SSL\s0 engine must know whether it must
+When beginning a new handshake, the SSL engine must know whether it must
call the connect (client) or accept (server) routines. Even though it may
be clear from the method chosen, whether client or server mode was
requested, the handshake routines must be explicitly set.
@@ -180,7 +104,7 @@ the handshake routines must be explicitly set in advance using either
.PP
If \fBSSL_is_server()\fR is called before \fBSSL_set_connect_state()\fR or
\&\fBSSL_set_accept_state()\fR is called (either automatically or explicitly),
-the result depends on what method was used when \s-1SSL_CTX\s0 was created with
+the result depends on what method was used when SSL_CTX was created with
\&\fBSSL_CTX_new\fR\|(3). If a generic method or a dedicated server method was
passed to \fBSSL_CTX_new\fR\|(3), \fBSSL_is_server()\fR returns 1; otherwise, it returns 0.
.SH "RETURN VALUES"
@@ -196,11 +120,11 @@ information.
\&\fBSSL_write_ex\fR\|(3), \fBSSL_write\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_set_ssl_version\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3 b/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3
new file mode 100644
index 000000000000..c38364baf6c7
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set_default_stream_mode.3
@@ -0,0 +1,173 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET_DEFAULT_STREAM_MODE 3ossl"
+.TH SSL_SET_DEFAULT_STREAM_MODE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_set_default_stream_mode,
+SSL_DEFAULT_STREAM_MODE_NONE, SSL_DEFAULT_STREAM_MODE_AUTO_BIDI,
+SSL_DEFAULT_STREAM_MODE_AUTO_UNI \- manage the default stream for a QUIC
+connection
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_DEFAULT_STREAM_MODE_NONE
+\& #define SSL_DEFAULT_STREAM_MODE_AUTO_BIDI
+\& #define SSL_DEFAULT_STREAM_MODE_AUTO_UNI
+\&
+\& int SSL_set_default_stream_mode(SSL *conn, uint32_t mode);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+A QUIC connection SSL object may have a default stream attached to it. A default
+stream is a QUIC stream to which calls to \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3)
+made on a QUIC connection SSL object are redirected. Default stream handling
+allows legacy applications to use QUIC similarly to a traditional TLS
+connection.
+.PP
+When not disabled, a default stream is automatically created on an outgoing
+connection once \fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called.
+.PP
+A QUIC stream must be explicitly designated as client-initiated or
+server-initiated up front. This broadly corresponds to whether an application
+protocol involves the client transmitting first, or the server transmitting
+first. As such, if \fBSSL_read\fR\|(3) is called first (before any call to
+\&\fBSSL_write\fR\|(3)) after establishing a connection, OpenSSL will wait for the
+server to open the first server-initiated stream, and then bind this as the
+default stream. Conversely, if \fBSSL_write\fR\|(3) is called before any call to
+\&\fBSSL_read\fR\|(3), OpenSSL assumes the client wishes to transmit first, creates a
+client-initiated stream, and binds this as the default stream.
+.PP
+By default, the default stream created is bidirectional. If a unidirectional
+stream is desired, or if the application wishes to disable default stream
+functionality, \fBSSL_set_default_stream_mode()\fR (discussed below) can be used to
+accomplish this.
+.PP
+When a QUIC connection SSL object has no default stream currently associated
+with it, for example because default stream functionality was disabled, calls to
+functions which require a stream on the QUIC connection SSL object (for example,
+\&\fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3)) will fail.
+.PP
+It is recommended that new applications and applications which rely on multiple
+streams forego use of the default stream functionality, which is intended for
+legacy applications.
+.PP
+\&\fBSSL_set_default_stream_mode()\fR can be used to configure or disable default stream
+handling. It can only be called on a QUIC connection SSL object prior to any
+default stream being created. If used, it is recommended to call it immediately
+after calling \fBSSL_new\fR\|(3), prior to initiating a connection. The argument
+\&\fImode\fR may be one of the following options:
+.IP SSL_DEFAULT_STREAM_MODE_AUTO_BIDI 4
+.IX Item "SSL_DEFAULT_STREAM_MODE_AUTO_BIDI"
+This is the default setting. If \fBSSL_write\fR\|(3) is called prior to any call to
+\&\fBSSL_read\fR\|(3), a bidirectional client-initiated stream is created and bound as
+the default stream. If \fBSSL_read\fR\|(3) is called prior to any call to
+\&\fBSSL_write\fR\|(3), OpenSSL waits for an incoming stream from the peer (causing
+\&\fBSSL_read\fR\|(3) to block if the connection is in blocking mode), and then binds
+that stream as the default stream. Note that this incoming stream may be either
+bidirectional or unidirectional; thus, this setting does not guarantee the
+presence of a bidirectional stream when \fBSSL_read\fR\|(3) is called first. To
+determine the type of a stream after a call to \fBSSL_read\fR\|(3), use
+\&\fBSSL_get_stream_type\fR\|(3).
+.IP SSL_DEFAULT_STREAM_MODE_AUTO_UNI 4
+.IX Item "SSL_DEFAULT_STREAM_MODE_AUTO_UNI"
+In this mode, if \fBSSL_write\fR\|(3) is called prior to any call to \fBSSL_read\fR\|(3),
+a unidirectional client-initiated stream is created and bound as the default
+stream. The behaviour is otherwise identical to that of
+\&\fBSSL_DEFAULT_STREAM_MODE_AUTO_BIDI\fR. The behaviour when \fBSSL_read\fR\|(3) is
+called prior to any call to \fBSSL_write\fR\|(3) is unchanged.
+.IP SSL_DEFAULT_STREAM_MODE_NONE 4
+.IX Item "SSL_DEFAULT_STREAM_MODE_NONE"
+Default stream creation is inhibited. This is the recommended mode of operation.
+\&\fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) calls cannot be made on the QUIC connection
+SSL object directly. You must obtain streams using \fBSSL_new_stream\fR\|(3) or
+\&\fBSSL_accept_stream\fR\|(3) in order to communicate with the peer.
+.PP
+A default stream will not be automatically created on a QUIC connection SSL
+object if the default stream mode is set to \fBSSL_DEFAULT_STREAM_MODE_NONE\fR.
+.PP
+\&\fBSSL_set_incoming_stream_policy\fR\|(3) interacts significantly with the default
+stream functionality.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_set_default_stream_mode()\fR returns 1 on success and 0 on failure.
+.PP
+\&\fBSSL_set_default_stream_mode()\fR fails if it is called after a default stream has
+already been established.
+.PP
+These functions fail if called on a QUIC stream SSL object or on a non-QUIC SSL
+object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_new_stream\fR\|(3), \fBSSL_accept_stream\fR\|(3), \fBSSL_free\fR\|(3),
+\&\fBSSL_set_incoming_stream_policy\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_fd.3 b/secure/lib/libcrypto/man/man3/SSL_set_fd.3
index 02a05bf3120d..a3804b538d5d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_fd.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_fd.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_FD 3ossl"
-.TH SSL_SET_FD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_FD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_fd, SSL_set_rfd, SSL_set_wfd \- connect the SSL object with a file descriptor
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,18 +71,22 @@ SSL_set_fd, SSL_set_rfd, SSL_set_wfd \- connect the SSL object with a file descr
\& int SSL_set_rfd(SSL *ssl, int fd);
\& int SSL_set_wfd(SSL *ssl, int fd);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_set_fd()\fR sets the file descriptor \fBfd\fR as the input/output facility
-for the \s-1TLS/SSL\s0 (encrypted) side of \fBssl\fR. \fBfd\fR will typically be the
+for the TLS/SSL (encrypted) side of \fBssl\fR. \fBfd\fR will typically be the
socket file descriptor of a network connection.
.PP
-When performing the operation, a \fBsocket \s-1BIO\s0\fR is automatically created to
-interface between the \fBssl\fR and \fBfd\fR. The \s-1BIO\s0 and hence the \s-1SSL\s0 engine
+When performing the operation, a \fBsocket BIO\fR is automatically created to
+interface between the \fBssl\fR and \fBfd\fR. The BIO and hence the SSL engine
inherit the behaviour of \fBfd\fR. If \fBfd\fR is nonblocking, the \fBssl\fR will
also have nonblocking behaviour.
.PP
-If there was already a \s-1BIO\s0 connected to \fBssl\fR, \fBBIO_free()\fR will be called
+When used on a QUIC connection SSL object, a \fBdatagram BIO\fR is automatically
+created instead of a \fBsocket BIO\fR. These functions fail if called
+on a QUIC stream SSL object.
+.PP
+If there was already a BIO connected to \fBssl\fR, \fBBIO_free()\fR will be called
(for both the reading and writing side, if different).
.PP
\&\fBSSL_set_rfd()\fR and \fBSSL_set_wfd()\fR perform the respective action, but only
@@ -166,18 +94,18 @@ for the read channel or the write channel, which can be set independently.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
+.IP 0 4
The operation failed. Check the error stack to find out why.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation succeeded.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-On Windows, a socket handle is a 64\-bit data type (\s-1UINT_PTR\s0), which leads to a
-compiler warning (conversion from '\s-1SOCKET\s0' to 'int', possible loss of data) when
+On Windows, a socket handle is a 64\-bit data type (UINT_PTR), which leads to a
+compiler warning (conversion from 'SOCKET' to 'int', possible loss of data) when
passing the socket handle to SSL_set_*\fBfd()\fR. For the time being, this warning can
safely be ignored, because although the Microsoft documentation claims that the
-upper limit is \s-1INVALID_SOCKET\-1\s0 (2^64 \- 2), in practice the current \fBsocket()\fR
+upper limit is INVALID_SOCKET\-1 (2^64 \- 2), in practice the current \fBsocket()\fR
implementation returns an index into the kernel handle table, the size of which
is limited to 2^24.
.SH "SEE ALSO"
@@ -185,11 +113,11 @@ is limited to 2^24.
\&\fBSSL_get_fd\fR\|(3), \fBSSL_set_bio\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBssl\fR\|(7) , \fBbio\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3 b/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3
new file mode 100644
index 000000000000..0cb55e971190
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set_incoming_stream_policy.3
@@ -0,0 +1,141 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET_INCOMING_STREAM_POLICY 3ossl"
+.TH SSL_SET_INCOMING_STREAM_POLICY 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_set_incoming_stream_policy, SSL_INCOMING_STREAM_POLICY_AUTO,
+SSL_INCOMING_STREAM_POLICY_ACCEPT,
+SSL_INCOMING_STREAM_POLICY_REJECT \- manage the QUIC incoming stream
+policy
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& #define SSL_INCOMING_STREAM_POLICY_AUTO
+\& #define SSL_INCOMING_STREAM_POLICY_ACCEPT
+\& #define SSL_INCOMING_STREAM_POLICY_REJECT
+\&
+\& int SSL_set_incoming_stream_policy(SSL *conn, int policy,
+\& uint64_t app_error_code);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_set_incoming_stream_policy()\fR policy changes the incoming stream policy for a
+QUIC connection. Depending on the policy configured, OpenSSL QUIC may
+automatically reject incoming streams initiated by the peer. This is intended to
+ensure that legacy applications using single-stream operation with a default
+stream on a QUIC connection SSL object are not passed remotely-initiated streams
+by a peer which those applications are not prepared to handle.
+.PP
+\&\fIapp_error_code\fR is an application error code which will be used in any QUIC
+\&\fBSTOP_SENDING\fR or \fBRESET_STREAM\fR frames generated to implement the policy. The
+default application error code is 0.
+.PP
+The valid values for \fIpolicy\fR are:
+.IP SSL_INCOMING_STREAM_POLICY_AUTO 4
+.IX Item "SSL_INCOMING_STREAM_POLICY_AUTO"
+This is the default setting. Incoming streams are accepted according to the
+following rules:
+.RS 4
+.IP \(bu 4
+If the default stream mode (configured using \fBSSL_set_default_stream_mode\fR\|(3))
+is set to \fBSSL_DEFAULT_STREAM_MODE_AUTO_BIDI\fR (the default) or
+\&\fBSSL_DEFAULT_STREAM_MODE_AUTO_UNI\fR, the incoming stream is rejected.
+.IP \(bu 4
+Otherwise (where the default stream mode is \fBSSL_DEFAULT_STREAM_MODE_NONE\fR),
+the application is assumed to be stream aware, and the incoming stream is
+accepted.
+.RE
+.RS 4
+.RE
+.IP SSL_INCOMING_STREAM_POLICY_ACCEPT 4
+.IX Item "SSL_INCOMING_STREAM_POLICY_ACCEPT"
+Always accept incoming streams, allowing them to be dequeued using
+\&\fBSSL_accept_stream\fR\|(3).
+.IP SSL_INCOMING_STREAM_POLICY_REJECT 4
+.IX Item "SSL_INCOMING_STREAM_POLICY_REJECT"
+Always reject incoming streams.
+.PP
+Where an incoming stream is rejected, it is rejected immediately and it is not
+possible to gain access to the stream using \fBSSL_accept_stream\fR\|(3). The stream
+is rejected using QUIC \fBSTOP_SENDING\fR and \fBRESET_STREAM\fR frames as
+appropriate.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success and 0 on failure.
+.PP
+This function fails if called on a QUIC stream SSL object, or on a non-QUIC SSL
+object.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_set_default_stream_mode\fR\|(3), \fBSSL_accept_stream\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_set_incoming_stream_policy()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3 b/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3
new file mode 100644
index 000000000000..5313795cd952
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set_quic_tls_cbs.3
@@ -0,0 +1,238 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET_QUIC_TLS_CBS 3ossl"
+.TH SSL_SET_QUIC_TLS_CBS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_FUNC_SSL_QUIC_TLS_crypto_send_fn,
+OSSL_FUNC_SSL_QUIC_TLS_crypto_recv_rcd_fn,
+OSSL_FUNC_SSL_QUIC_TLS_crypto_release_rcd_fn,
+OSSL_FUNC_SSL_QUIC_TLS_yield_secret_fn,
+OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn,
+OSSL_FUNC_SSL_QUIC_TLS_alert_fn,
+SSL_set_quic_tls_cbs,
+SSL_set_quic_tls_transport_params,
+SSL_set_quic_tls_early_data_enabled
+\&\- Use the OpenSSL TLS implementation for a third party QUIC implementation
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& /* QUIC TLS callbacks available via an OSSL_DISPATCH table */
+\&
+\& /* Function id: OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND */
+\& typedef int (*OSSL_FUNC_SSL_QUIC_TLS_crypto_send_fn)(SSL *s,
+\& const unsigned char *buf,
+\& size_t buf_len,
+\& size_t *consumed,
+\& void *arg);
+\&
+\& /* Function id: OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD */
+\& typedef int (*OSSL_FUNC_SSL_QUIC_TLS_crypto_recv_rcd_fn)(SSL *s,
+\& const unsigned char **buf,
+\& size_t *bytes_read,
+\& void *arg);
+\&
+\& /* Function id: OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD */
+\& typedef int (*OSSL_FUNC_SSL_QUIC_TLS_crypto_release_rcd_fn)(SSL *,
+\& size_t bytes_read,
+\& void *arg);
+\&
+\& /* Function id: OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET */
+\& typedef int (*OSSL_FUNC_SSL_QUIC_TLS_yield_secret_fn)(SSL *s,
+\& uint32_t prot_level,
+\& int direction,
+\& const unsigned char *secret,
+\& size_t secret_len,
+\& void *arg);
+\&
+\& /* Function id: OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS */
+\& typedef int (*OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn)(SSL *s,
+\& const unsigned char *params,
+\& size_t params_len,
+\& void *arg);
+\&
+\& /* Function id: OSSL_FUNC_SSL_QUIC_TLS_ALERT */
+\& typedef int (*OSSL_FUNC_SSL_QUIC_TLS_alert_fn)(SSL *s,
+\& unsigned char alert_code,
+\& void *arg);
+\&
+\& int SSL_set_quic_tls_cbs(SSL *s, const OSSL_DISPATCH *qtdis, void *arg);
+\& int SSL_set_quic_tls_transport_params(SSL *s,
+\& const unsigned char *params,
+\& size_t params_len);
+\& int SSL_set_quic_tls_early_data_enabled(SSL *s, int enabled);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_set_quic_tls_cbs()\fR can be used to replace the standard TLS record layer with
+a custom record layer for use by a third party QUIC implementation. For the
+given SSL object \fIs\fR, a set of callbacks are supplied in an \fBOSSL_DISPATCH\fR
+table via \fIqtdis\fR. The \fIarg\fR parameter will be passed as an argument when the
+various callbacks are called.
+.PP
+An \fBOSSL_DISPATCH\fR table should consist of an array of \fBOSSL_DISPATCH\fR entries
+where each entry is a function id, and a function pointer. The array should be
+terminated with an empty entry (i.e. a 0 function id, and a NULL function
+pointer).
+.PP
+Calling the \fBSSL_set_quic_tls_cbs()\fR function will switch off the
+\&\fBSSL_OP_ENABLE_MIDDLEBOX_COMPAT\fR option (if set). See \fBSSL_set_options\fR\|(3).
+Additionally the minimum TLS protocol version will be set to TLS1_3_VERSION. It
+is an error to call this function with anything other than a TLS connection SSL
+object.
+.PP
+The OSSL_FUNC_SSL_QUIC_TLS_crypto_send_fn callback (function id
+\&\fBOSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND\fR) is called when CRYPTO frame data should
+be sent to the peer. The data to be sent is supplied in the buffer \fIbuf\fR which
+is of length \fIbuf_len\fR. The callback may choose to consume less data than was
+supplied in the buffer. On successful completion of the callback the \fIconsumed\fR
+parameter should be populated with the amount of data that the callback
+consumed. This should be less than or equal to the value in \fIbuf_len\fR. CRYPTO
+data should be sent using the most recent write encryption level set via the
+OSSL_FUNC_SSL_QUIC_TLS_yield_secret_fn callback (if it has been called).
+.PP
+The OSSL_FUNC_SSL_QUIC_TLS_crypto_recv_rcd_fn callback (function id
+\&\fBOSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD\fR) is used to receive CRYPTO frame data
+from the peer. When OpenSSL wants to read data from the peer this callback is
+called. The callback should populate \fI*buf\fR with a pointer to a buffer
+containing CRYPTO data that has been received from the peer. The size of the
+buffer should be populated in \fI*bytes_read\fR. The buffer should remain valid
+until OpenSSL calls the OSSL_FUNC_SSL_QUIC_TLS_crypto_release_rcd_fn callback.
+CRYPTO frame data is assumed to have been decrypted using the most recent read
+protection level set via the yield_secret_cb callback (if it has been called).
+.PP
+The OSSL_FUNC_SSL_QUIC_TLS_crypto_release_rcd_fn callback (function id
+\&\fBOSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD\fR) is called when data previously
+read via OSSL_FUNC_SSL_QUIC_TLS_crypto_recv_rcd_fn is no longer required. The
+\&\fIbytes_read\fR argument is always equal to the size of the buffer previously
+provided in the crypto_receive_rcd_cb callback. Only one record at a time will
+ever be read by OpenSSL.
+.PP
+The OSSL_FUNC_SSL_QUIC_TLS_yield_secret_fn callback (function id
+\&\fBOSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET\fR) is called when a new secret has been
+established. The \fIprot_level\fR argument identities the TLS protection level and
+will be one of \fBOSSL_RECORD_PROTECTION_LEVEL_NONE\fR,
+\&\fBOSSL_RECORD_PROTECTION_LEVEL_EARLY\fR, \fBOSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE\fR
+or \fBOSSL_RECORD_PROTECTION_LEVEL_APPLICATION\fR. The \fIdirection\fR will either be
+0 (for the read secret) or 1 (for the write secret). The secret itself will
+be in the buffer pointed to by \fIsecret\fR and the buffer will be of length
+\&\fIsecret_len\fR.
+.PP
+The OSSL_FUNC_SSL_QUIC_TLS_got_transport_params_fn callback (function id
+\&\fBOSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS\fR) is called when transport
+parameters have been received from the peer. The parameters are held in the
+\&\fIparams\fR buffer which is of length \fIparams_len\fR.
+.PP
+The OSSL_FUNC_SSL_QUIC_TLS_alert_fn callback (function id
+\&\fBOSSL_FUNC_SSL_QUIC_TLS_ALERT\fR) is called when OpenSSL is attempting to send an
+alert to the peer. The code for the alert is supplied in \fIalert_code\fR.
+.PP
+The \fBSSL_set_quic_tls_transport_params()\fR function is used to set the transport
+parameters to be sent by this endpoint. The parameters are in the \fIparams\fR
+buffer which should be of length \fIparams_len\fR. The buffer containing the
+parameters should remain valid until after the parameters have been sent. This
+function must have been called by the time the transport parameters need to be
+sent. For a client this will be before the connection has been initiated. For a
+server this might typically occur during the got_transport_params_cb.
+.PP
+The \fBSSL_set_quic_tls_early_data_enabled()\fR function is used to enable the 0\-RTT
+feature for a third party QUIC implementation.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+These functions return 1 on success and 0 on failure.
+.PP
+All of the callbacks should also return 1 on success and 0 on failure. A
+failure response is fatal to the connection.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+A call to \fBSSL_set_quic_tls_cbs()\fR might look something like the following, given
+suitable definitions of the various callback functions:
+.PP
+.Vb 10
+\& const OSSL_DISPATCH qtdis[] = {
+\& {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb},
+\& {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
+\& (void (*)(void))crypto_recv_rcd_cb},
+\& {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RELEASE_RCD,
+\& (void (*)(void))crypto_release_rcd_cb},
+\& {OSSL_FUNC_SSL_QUIC_TLS_YIELD_SECRET,
+\& (void (*)(void))yield_secret_cb},
+\& {OSSL_FUNC_SSL_QUIC_TLS_GOT_TRANSPORT_PARAMS,
+\& (void (*)(void))got_transport_params_cb},
+\& {OSSL_FUNC_SSL_QUIC_TLS_ALERT, (void (*)(void))alert_cb},
+\& {0, NULL}
+\& };
+\&
+\& if (!SSL_set_quic_tls_cbs(ssl, qtdis, NULL))
+\& goto err;
+.Ve
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3 b/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3
index 489a4ff5423e..e7b0ccc3ff8d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_retry_verify.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_RETRY_VERIFY 3ossl"
-.TH SSL_SET_RETRY_VERIFY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_RETRY_VERIFY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_retry_verify \- indicate that certificate verification should be retried
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_set_retry_verify(SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_set_retry_verify()\fR should be called from the certificate verification
callback on a client when the application wants to indicate that the handshake
@@ -154,16 +78,16 @@ should be suspended and the control should be returned to the application.
is resumed again by the application, retrying the verification step.
.PP
Please refer to \fBSSL_CTX_set_cert_verify_callback\fR\|(3) for further details.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The effect of calling \fBSSL_set_retry_verify()\fR outside of the certificate
verification callback on the client side is undefined.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
SSL_set_retry \fBverify()\fR returns 1 on success, 0 otherwise.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-The following code snippet shows how to obtain the \fB\s-1SSL\s0\fR object associated
+The following code snippet shows how to obtain the \fBSSL\fR object associated
with the \fBX509_STORE_CTX\fR to call the \fBSSL_set_retry_verify()\fR function:
.PP
.Vb 2
@@ -184,16 +108,16 @@ with the \fBX509_STORE_CTX\fR to call the \fBSSL_set_retry_verify()\fR function:
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_connect\fR\|(3), \fBSSL_CTX_set_cert_verify_callback\fR\|(3),
\&\fBSSL_want_retry_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBSSL_set_retry_verify()\fR was added in OpenSSL 3.0.2 to replace backwards
incompatible handling of a negative return value from the verification
callback.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session.3 b/secure/lib/libcrypto/man/man3/SSL_set_session.3
index 3dcf8929dac2..db6314eadae2 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_session.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_session.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,27 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_SESSION 3ossl"
-.TH SSL_SET_SESSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_SESSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_session \- set a TLS/SSL session to be used during TLS/SSL connect
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_set_session(SSL *ssl, SSL_SESSION *session);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_set_session()\fR sets \fBsession\fR to be used when the \s-1TLS/SSL\s0 connection
-is to be established. \fBSSL_set_session()\fR is only useful for \s-1TLS/SSL\s0 clients.
+\&\fBSSL_set_session()\fR sets \fBsession\fR to be used when the TLS/SSL connection
+is to be established. \fBSSL_set_session()\fR is only useful for TLS/SSL clients.
When the session is set, the reference count of \fBsession\fR is incremented
by 1. If the session is not reused, the reference count is decremented
again during \fBSSL_connect()\fR. Whether the session was reused can be queried
@@ -157,24 +81,24 @@ with the \fBSSL_session_reused\fR\|(3) call.
If there is already a session set inside \fBssl\fR (because it was set with
\&\fBSSL_set_session()\fR before or because the same \fBssl\fR was already used for
a connection), \fBSSL_SESSION_free()\fR will be called for that session.
-This is also the case when \fBsession\fR is a \s-1NULL\s0 pointer. If that old
+This is also the case when \fBsession\fR is a NULL pointer. If that old
session is still \fBopen\fR, it is considered bad and will be removed from the
session cache (if used). A session is considered open, if \fBSSL_shutdown\fR\|(3) was
not called for the connection (or at least \fBSSL_set_shutdown\fR\|(3) was used to
-set the \s-1SSL_SENT_SHUTDOWN\s0 state).
-.SH "NOTES"
+set the SSL_SENT_SHUTDOWN state).
+.SH NOTES
.IX Header "NOTES"
-\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache
-list, when being inserted into one \s-1SSL_CTX\s0 object's session cache.
-One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore
-only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created
-from this \s-1SSL_CTX\s0 object).
+SSL_SESSION objects keep internal link information about the session cache
+list, when being inserted into one SSL_CTX object's session cache.
+One SSL_SESSION object, regardless of its reference count, must therefore
+only be used with one SSL_CTX object (and the SSL objects created
+from this SSL_CTX object).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
-.IP "0" 4
+.IP 0 4
The operation failed; check the error stack to find out the reason.
-.IP "1" 4
+.IP 1 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
@@ -183,11 +107,11 @@ The operation succeeded.
\&\fBSSL_get_session\fR\|(3),
\&\fBSSL_session_reused\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3 b/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3
new file mode 100644
index 000000000000..62b38140650a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_set_session_secret_cb.3
@@ -0,0 +1,123 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_SET_SESSION_SECRET_CB 3ossl"
+.TH SSL_SET_SESSION_SECRET_CB 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_set_session_secret_cb, tls_session_secret_cb_fn
+\&\- set the session secret callback
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
+\& STACK_OF(SSL_CIPHER) *peer_ciphers,
+\& const SSL_CIPHER **cipher, void *arg);
+\&
+\& int SSL_set_session_secret_cb(SSL *s,
+\& tls_session_secret_cb_fn session_secret_cb,
+\& void *arg);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_set_session_secret_cb()\fR sets the session secret callback to be used
+(\fIsession_secret_cb\fR), and an optional argument (\fIarg\fR) to be passed to that
+callback when it is called. This is only useful for an implementation of
+EAP-FAST (RFC4851). The presence of the callback also modifies the internal
+OpenSSL TLS state machine to match the modified TLS behaviour as described in
+RFC4851. Therefore this callback should not be used except when implementing
+EAP-FAST.
+.PP
+The callback is expected to set the master secret to be used by filling in the
+data pointed to by \fI*secret\fR. The size of the secret buffer is initially
+available in \fI*secret_len\fR and may be updated by the callback (but must not be
+larger than the initial value).
+.PP
+On the server side the set of ciphersuites offered by the peer is provided in
+the \fIpeer_ciphers\fR stack. Optionally the callback may select the preferred
+ciphersuite by setting it in \fI*cipher\fR.
+.PP
+On the client side the \fIpeer_ciphers\fR stack will always be NULL. The callback
+may specify the preferred cipher in \fI*cipher\fR and this will be associated with
+the \fBSSL_SESSION\fR \- but it does not affect the ciphersuite selected by the
+server.
+.PP
+The callback is also supplied with an additional argument in \fIarg\fR which is the
+argument that was provided to the original \fBSSL_set_session_secret_cb()\fR call.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBSSL_set_session_secret_cb()\fR returns 1 on success and 0 on failure.
+.PP
+If the callback returns 1 then this indicates it has successfully set the
+secret. A return value of 0 indicates that the secret has not been set. On the
+client this will cause an immediate abort of the handshake.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBssl\fR\|(7),
+\&\fBSSL_get_session\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3
index 6248cca92d9b..673089f09da2 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_SHUTDOWN 3ossl"
-.TH SSL_SET_SHUTDOWN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_SHUTDOWN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_shutdown, SSL_get_shutdown \- manipulate shutdown state of an SSL connection
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -147,56 +71,66 @@ SSL_set_shutdown, SSL_get_shutdown \- manipulate shutdown state of an SSL connec
\&
\& int SSL_get_shutdown(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_set_shutdown()\fR sets the shutdown state of \fBssl\fR to \fBmode\fR.
.PP
\&\fBSSL_get_shutdown()\fR returns the shutdown mode of \fBssl\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The shutdown state of an ssl connection is a bit-mask of:
-.IP "0" 4
+.IP 0 4
No shutdown setting, yet.
-.IP "\s-1SSL_SENT_SHUTDOWN\s0" 4
+.IP SSL_SENT_SHUTDOWN 4
.IX Item "SSL_SENT_SHUTDOWN"
A close_notify shutdown alert was sent to the peer, the connection is being
considered closed and the session is closed and correct.
-.IP "\s-1SSL_RECEIVED_SHUTDOWN\s0" 4
+.IP SSL_RECEIVED_SHUTDOWN 4
.IX Item "SSL_RECEIVED_SHUTDOWN"
A shutdown alert was received form the peer, either a normal close_notify
or a fatal error.
.PP
-\&\s-1SSL_SENT_SHUTDOWN\s0 and \s-1SSL_RECEIVED_SHUTDOWN\s0 can be set at the same time.
+SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time.
.PP
The shutdown state of the connection is used to determine the state of
the ssl session. If the session is still open, when
\&\fBSSL_clear\fR\|(3) or \fBSSL_free\fR\|(3) is called,
-it is considered bad and removed according to \s-1RFC2246.\s0
-The actual condition for a correctly closed session is \s-1SSL_SENT_SHUTDOWN\s0
-(according to the \s-1TLS RFC,\s0 it is acceptable to only send the close_notify
+it is considered bad and removed according to RFC2246.
+The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN
+(according to the TLS RFC, it is acceptable to only send the close_notify
alert but to not wait for the peer's answer, when the underlying connection
is closed).
\&\fBSSL_set_shutdown()\fR can be used to set this state without sending a
close alert to the peer (see \fBSSL_shutdown\fR\|(3)).
.PP
-If a close_notify was received, \s-1SSL_RECEIVED_SHUTDOWN\s0 will be set,
-for setting \s-1SSL_SENT_SHUTDOWN\s0 the application must however still call
+If a close_notify was received, SSL_RECEIVED_SHUTDOWN will be set,
+for setting SSL_SENT_SHUTDOWN the application must however still call
\&\fBSSL_shutdown\fR\|(3) or \fBSSL_set_shutdown()\fR itself.
+.PP
+\&\fBSSL_set_shutdown()\fR is not supported for QUIC SSL objects.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_shutdown()\fR does not return diagnostic information.
.PP
-\&\fBSSL_get_shutdown()\fR returns the current setting.
+\&\fBSSL_get_shutdown()\fR returns the current shutdown state as set or based
+on the actual connection state.
+.PP
+\&\fBSSL_get_shutdown()\fR returns 0 if called on a QUIC stream SSL object. If it
+is called on a QUIC connection SSL object, it returns a value with
+SSL_SENT_SHUTDOWN set if CONNECTION_CLOSE has been sent to the peer and
+it returns a value with SSL_RECEIVED_SHUTDOWN set if CONNECTION_CLOSE
+has been received from the peer or the QUIC connection is fully terminated
+for other reasons.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_shutdown\fR\|(3),
\&\fBSSL_CTX_set_quiet_shutdown\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3
index afa3b121bd6c..319d2971574e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_VERIFY_RESULT 3ossl"
-.TH SSL_SET_VERIFY_RESULT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SET_VERIFY_RESULT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_set_verify_result \- override result of peer certificate verification
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_set_verify_result(SSL *ssl, long verify_result);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_set_verify_result()\fR sets \fBverify_result\fR of the object \fBssl\fR to be the
result of the verification of the X509 certificate presented by the peer,
if any.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBSSL_set_verify_result()\fR overrides the verification result. It only changes
the verification result of the \fBssl\fR object. It does not become part of the
@@ -166,11 +90,11 @@ The valid codes for \fBverify_result\fR are documented in \fBopenssl\-verify\fR\
\&\fBssl\fR\|(7), \fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_get_peer_certificate\fR\|(3),
\&\fBopenssl\-verify\fR\|(1)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_shutdown.3
index 3bb0a09696c4..c67dcd30ddf7 100644
--- a/secure/lib/libcrypto/man/man3/SSL_shutdown.3
+++ b/secure/lib/libcrypto/man/man3/SSL_shutdown.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,218 +52,384 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SHUTDOWN 3ossl"
-.TH SSL_SHUTDOWN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_SHUTDOWN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_shutdown \- shut down a TLS/SSL connection
-.SH "SYNOPSIS"
+.SH NAME
+SSL_shutdown, SSL_shutdown_ex \- shut down a TLS/SSL or QUIC connection
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_shutdown(SSL *ssl);
+\&
+\& typedef struct ssl_shutdown_ex_args_st {
+\& uint64_t quic_error_code;
+\& const char *quic_reason;
+\& } SSL_SHUTDOWN_EX_ARGS;
+\&
+\& _\|_owur int SSL_shutdown_ex(SSL *ssl, uint64_t flags,
+\& const SSL_SHUTDOWN_EX_ARGS *args,
+\& size_t args_len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_shutdown()\fR shuts down an active \s-1TLS/SSL\s0 connection. It sends the
-close_notify shutdown alert to the peer.
-.PP
-\&\fBSSL_shutdown()\fR tries to send the close_notify shutdown alert to the peer.
-Whether the operation succeeds or not, the \s-1SSL_SENT_SHUTDOWN\s0 flag is set and
-a currently open session is considered closed and good and will be kept in the
-session cache for further reuse.
-.PP
-Note that \fBSSL_shutdown()\fR must not be called if a previous fatal error has
-occurred on a connection i.e. if \fBSSL_get_error()\fR has returned \s-1SSL_ERROR_SYSCALL\s0
-or \s-1SSL_ERROR_SSL.\s0
-.PP
-The shutdown procedure consists of two steps: sending of the close_notify
-shutdown alert, and reception of the peer's close_notify shutdown alert.
-The order of those two steps depends on the application.
-.PP
-It is acceptable for an application to only send its shutdown alert and
-then close the underlying connection without waiting for the peer's response.
-This way resources can be saved, as the process can already terminate or
-serve another connection.
-This should only be done when it is known that the other side will not send more
-data, otherwise there is a risk of a truncation attack.
-.PP
-When a client only writes and never reads from the connection, and the server
-has sent a session ticket to establish a session, the client might not be able
-to resume the session because it did not received and process the session ticket
-from the server.
-In case the application wants to be able to resume the session, it is recommended to
-do a complete shutdown procedure (bidirectional close_notify alerts).
-.PP
-When the underlying connection shall be used for more communications, the
-complete shutdown procedure must be performed, so that the peers stay
-synchronized.
-.PP
-\&\fBSSL_shutdown()\fR only closes the write direction.
-It is not possible to call \fBSSL_write()\fR after calling \fBSSL_shutdown()\fR.
-The read direction is closed by the peer.
-.PP
-The behaviour of \fBSSL_shutdown()\fR additionally depends on the underlying \s-1BIO.\s0
-If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_shutdown()\fR will only return once the
-handshake step has been finished or an error occurred.
-.PP
-If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_shutdown()\fR will also return
-when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_shutdown()\fR
-to continue the handshake. In this case a call to \fBSSL_get_error()\fR with the
-return value of \fBSSL_shutdown()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
-\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
-taking appropriate action to satisfy the needs of \fBSSL_shutdown()\fR.
-The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
-nothing is to be done, but \fBselect()\fR can be used to check for the required
-condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
-into or retrieved out of the \s-1BIO\s0 before being able to continue.
-.PP
-After \fBSSL_shutdown()\fR returned 0, it is possible to call \fBSSL_shutdown()\fR again
-to wait for the peer's close_notify alert.
-\&\fBSSL_shutdown()\fR will return 1 in that case.
-However, it is recommended to wait for it using \fBSSL_read()\fR instead.
-.PP
-\&\fBSSL_shutdown()\fR can be modified to only set the connection to \*(L"shutdown\*(R"
-state but not actually send the close_notify alert messages,
-see \fBSSL_CTX_set_quiet_shutdown\fR\|(3).
-When \*(L"quiet shutdown\*(R" is enabled, \fBSSL_shutdown()\fR will always succeed
-and return 1.
-Note that this is not standard compliant behaviour.
-It should only be done when the peer has a way to make sure all
-data has been received and doesn't wait for the close_notify alert
-message, otherwise an unexpected \s-1EOF\s0 will be reported.
-.PP
-There are implementations that do not send the required close_notify alert.
-If there is a need to communicate with such an implementation, and it's clear
-that all data has been received, do not wait for the peer's close_notify alert.
-Waiting for the close_notify alert when the peer just closes the connection
-will result in an error being generated.
-The error can be ignored using the \fB\s-1SSL_OP_IGNORE_UNEXPECTED_EOF\s0\fR.
-For more information see \fBSSL_CTX_set_options\fR\|(3).
-.SS "First to close the connection"
-.IX Subsection "First to close the connection"
-When the application is the first party to send the close_notify
-alert, \fBSSL_shutdown()\fR will only send the alert and then set the
-\&\s-1SSL_SENT_SHUTDOWN\s0 flag (so that the session is considered good and will
-be kept in the cache).
-If successful, \fBSSL_shutdown()\fR will return 0.
-.PP
-If a unidirectional shutdown is enough (the underlying connection shall be
-closed anyway), this first successful call to \fBSSL_shutdown()\fR is sufficient.
-.PP
-In order to complete the bidirectional shutdown handshake, the peer needs
-to send back a close_notify alert.
-The \s-1SSL_RECEIVED_SHUTDOWN\s0 flag will be set after receiving and processing
-it.
-.PP
-The peer is still allowed to send data after receiving the close_notify
-event.
-When it is done sending data, it will send the close_notify alert.
-\&\fBSSL_read()\fR should be called until all data is received.
-\&\fBSSL_read()\fR will indicate the end of the peer data by returning <= 0
-and \fBSSL_get_error()\fR returning \s-1SSL_ERROR_ZERO_RETURN.\s0
-.SS "Peer closes the connection"
-.IX Subsection "Peer closes the connection"
-If the peer already sent the close_notify alert \fBand\fR it was
-already processed implicitly inside another function
-(\fBSSL_read\fR\|(3)), the \s-1SSL_RECEIVED_SHUTDOWN\s0 flag is set.
-\&\fBSSL_read()\fR will return <= 0 in that case, and \fBSSL_get_error()\fR will return
-\&\s-1SSL_ERROR_ZERO_RETURN.\s0
-\&\fBSSL_shutdown()\fR will send the close_notify alert, set the \s-1SSL_SENT_SHUTDOWN\s0
-flag.
-If successful, \fBSSL_shutdown()\fR will return 1.
-.PP
-Whether \s-1SSL_RECEIVED_SHUTDOWN\s0 is already set can be checked using the
-\&\fBSSL_get_shutdown()\fR (see also \fBSSL_set_shutdown\fR\|(3) call.
+\&\fBSSL_shutdown()\fR shuts down an active connection represented by an SSL object. \fIssl\fR \fBMUST NOT\fR be NULL.
+.PP
+\&\fBSSL_shutdown_ex()\fR is an extended version of \fBSSL_shutdown()\fR. If non-NULL, \fIargs\fR
+must point to a \fBSSL_SHUTDOWN_EX_ARGS\fR structure and \fIargs_len\fR must be set to
+\&\f(CWsizeof(SSL_SHUTDOWN_EX_ARGS)\fR. The \fBSSL_SHUTDOWN_EX_ARGS\fR structure must be
+zero-initialized. If \fIargs\fR is NULL, the behaviour is the same as passing a
+zero-initialised \fBSSL_SHUTDOWN_EX_ARGS\fR structure. Currently, all extended
+arguments relate to usage with QUIC, therefore this call functions identically
+to \fBSSL_shutdown()\fR when not being used with QUIC.
+.PP
+While the general operation of \fBSSL_shutdown()\fR is common between protocols, the
+exact nature of how a shutdown is performed depends on the underlying protocol
+being used. See the section below pertaining to each protocol for more
+information.
+.PP
+In general, calling \fBSSL_shutdown()\fR in nonblocking mode will initiate the
+shutdown process and return 0 to indicate that the shutdown process has not yet
+completed. Once the shutdown process has completed, subsequent calls to
+\&\fBSSL_shutdown()\fR will return 1. See the RETURN VALUES section for more
+information.
+.PP
+\&\fBSSL_shutdown()\fR should not be called if a previous fatal error has occurred on a
+connection; i.e., if \fBSSL_get_error\fR\|(3) has returned \fBSSL_ERROR_SYSCALL\fR or
+\&\fBSSL_ERROR_SSL\fR.
+.SH "TLS AND DTLS-SPECIFIC CONSIDERATIONS"
+.IX Header "TLS AND DTLS-SPECIFIC CONSIDERATIONS"
+Shutdown for SSL/TLS and DTLS is implemented in terms of the SSL/TLS/DTLS
+close_notify alert message. The shutdown process for SSL/TLS and DTLS
+consists of two steps:
+.IP \(bu 4
+A close_notify shutdown alert message is sent to the peer.
+.IP \(bu 4
+A close_notify shutdown alert message is received from the peer.
+.PP
+These steps can occur in either order depending on whether the connection
+shutdown process was first initiated by the local application or by the peer.
+.SS "Locally-Initiated Shutdown"
+.IX Subsection "Locally-Initiated Shutdown"
+Calling \fBSSL_shutdown()\fR on an SSL/TLS or DTLS SSL object initiates the shutdown
+process and causes OpenSSL to try to send a close_notify shutdown alert to the
+peer. The shutdown process will then be considered completed once the peer
+responds in turn with a close_notify shutdown alert message.
+.PP
+Calling \fBSSL_shutdown()\fR only closes the write direction of the connection; the
+read direction is closed by the peer. Once \fBSSL_shutdown()\fR is called,
+\&\fBSSL_write\fR\|(3) can no longer be used, but \fBSSL_read\fR\|(3) may still be used
+until the peer decides to close the connection in turn. The peer might
+continue sending data for some period of time before handling the local
+application's shutdown indication.
+.PP
+\&\fBSSL_shutdown()\fR does not affect an underlying network connection such as a TCP
+connection, which remains open.
+.SS "Remotely-Initiated Shutdown"
+.IX Subsection "Remotely-Initiated Shutdown"
+If the peer was the first to initiate the shutdown process by sending a
+close_notify alert message, an application will be notified of this as an EOF
+condition when calling
+\&\fBSSL_read\fR\|(3) (i.e., \fBSSL_read\fR\|(3) will fail and \fBSSL_get_error\fR\|(3) will
+return \fBSSL_ERROR_ZERO_RETURN\fR), after all application data sent by the peer
+prior to initiating the shutdown has been read. An application should handle
+this condition by calling \fBSSL_shutdown()\fR to respond with a close_notify alert in
+turn, completing the shutdown process, though it may choose to write additional
+application data using \fBSSL_write\fR\|(3) before doing so. If an application does
+not call \fBSSL_shutdown()\fR in this case, a close_notify alert will not be sent and
+the behaviour will not be fully standards compliant.
+.SS "Shutdown Lifecycle"
+.IX Subsection "Shutdown Lifecycle"
+Regardless of whether a shutdown was initiated locally or by the peer, if the
+underlying BIO is blocking, a call to \fBSSL_shutdown()\fR will return firstly once a
+close_notify alert message is written to the peer (returning 0), and upon a
+second and subsequent call, once a corresponding message is received from the
+peer (returning 1 and completing the shutdown process). Calls to \fBSSL_shutdown()\fR
+with a blocking underlying BIO will also return if an error occurs.
+.PP
+If the underlying BIO is nonblocking and the shutdown process is not yet
+complete (for example, because a close_notify alert message has not yet been
+received from the peer, or because a close_notify alert message needs to be sent
+but would currently block), \fBSSL_shutdown()\fR returns 0 to indicate that the
+shutdown process is still ongoing; in this case, a call to \fBSSL_get_error\fR\|(3)
+will yield \fBSSL_ERROR_WANT_READ\fR or \fBSSL_ERROR_WANT_WRITE\fR.
+.PP
+An application can then detect completion of the shutdown process by calling
+\&\fBSSL_shutdown()\fR again repeatedly until it returns 1, indicating that the shutdown
+process is complete (with a close_notify alert having both been sent and
+received).
+.PP
+However, the preferred method of waiting for the shutdown to complete is to use
+\&\fBSSL_read\fR\|(3) until \fBSSL_get_error\fR\|(3) indicates EOF by returning
+\&\fBSSL_ERROR_ZERO_RETURN\fR. This ensures any data received immediately before the
+peer's close_notify alert is still provided to the application. It also ensures
+any final handshake-layer messages received are processed (for example, messages
+issuing new session tickets).
+.PP
+If this approach is not used, the second call to \fBSSL_shutdown()\fR (to complete the
+shutdown by confirming receipt of the peer's close_notify message) will fail if
+it is called when the application has not read all pending application data
+sent by the peer using \fBSSL_read\fR\|(3).
+.PP
+When calling \fBSSL_shutdown()\fR, the \fBSSL_SENT_SHUTDOWN\fR flag is set once an
+attempt is made to send a close_notify alert, regardless of whether the attempt
+was successful. The \fBSSL_RECEIVED_SHUTDOWN\fR flag is set once a close_notify
+alert is received, which may occur during any call which processes incoming data
+from the network, such as \fBSSL_read\fR\|(3) or \fBSSL_shutdown()\fR. These flags
+may be checked using \fBSSL_get_shutdown\fR\|(3).
+.SS "Fast Shutdown"
+.IX Subsection "Fast Shutdown"
+Alternatively, it is acceptable for an application to call \fBSSL_shutdown()\fR once
+(such that it returns 0) and then close the underlying connection without
+waiting for the peer's response. This allows for a more rapid shutdown process
+if the application does not wish to wait for the peer.
+.PP
+This alternative "fast shutdown" approach should only be done if it is known
+that the peer will not send more data, otherwise there is a risk of an
+application exposing itself to a truncation attack. The full \fBSSL_shutdown()\fR
+process, in which both parties send close_notify alerts and \fBSSL_shutdown()\fR
+returns 1, provides a cryptographically authenticated indication of the end of a
+connection.
+.PP
+This approach of a single \fBSSL_shutdown()\fR call without waiting is preferable to
+simply calling \fBSSL_free\fR\|(3) or \fBSSL_clear\fR\|(3) as calling \fBSSL_shutdown()\fR
+beforehand makes an SSL session eligible for subsequent reuse and notifies the
+peer of connection shutdown.
+.PP
+The fast shutdown approach can only be used if there is no intention to reuse
+the underlying connection (e.g. a TCP connection) for further communication; in
+this case, the full shutdown process must be performed to ensure
+synchronisation.
+.SS "Effects on Session Reuse"
+.IX Subsection "Effects on Session Reuse"
+Calling \fBSSL_shutdown()\fR sets the SSL_SENT_SHUTDOWN flag (see
+\&\fBSSL_set_shutdown\fR\|(3)), regardless of whether the transmission of the
+close_notify alert was successful or not. This makes the SSL session eligible
+for reuse; the SSL session is considered properly closed and can be reused for
+future connections.
+.SS "Quiet Shutdown"
+.IX Subsection "Quiet Shutdown"
+\&\fBSSL_shutdown()\fR can be modified to set the connection to the "shutdown"
+state without actually sending a close_notify alert message; see
+\&\fBSSL_CTX_set_quiet_shutdown\fR\|(3). When "quiet shutdown" is enabled,
+\&\fBSSL_shutdown()\fR will always succeed and return 1 immediately.
+.PP
+This is not standards-compliant behaviour. It should only be done when the
+application protocol in use enables the peer to ensure that all data has been
+received, such that it doesn't need to wait for a close_notify alert, otherwise
+application data may be truncated unexpectedly.
+.SS "Non-Compliant Peers"
+.IX Subsection "Non-Compliant Peers"
+There are SSL/TLS implementations that never send the required close_notify
+alert message but simply close the underlying transport (e.g. a TCP connection)
+instead. This will ordinarily result in an error being generated.
+.PP
+If compatibility with such peers is desired, the option
+\&\fBSSL_OP_IGNORE_UNEXPECTED_EOF\fR can be set. For more information, see
+\&\fBSSL_CTX_set_options\fR\|(3).
+.PP
+Note that use of this option means that the EOF condition for application data
+does not receive cryptographic protection, and therefore renders an application
+potentially vulnerable to truncation attacks. Thus, this option must only be
+used in conjunction with an application protocol which indicates unambiguously
+when all data has been received.
+.PP
+An alternative approach is to simply avoid calling \fBSSL_read\fR\|(3) if it is known
+that no more data is going to be sent. This requires an application protocol
+which indicates unambiguously when all data has been sent.
+.SS "Session Ticket Handling"
+.IX Subsection "Session Ticket Handling"
+If a client application only writes to an SSL/TLS or DTLS connection and never
+reads, OpenSSL may never process new SSL/TLS session tickets sent by the server.
+This is because OpenSSL ordinarily processes handshake messages received from a
+peer during calls to \fBSSL_read\fR\|(3) by the application.
+.PP
+Therefore, client applications which only write and do not read but which wish
+to benefit from session resumption are advised to perform a complete shutdown
+procedure by calling \fBSSL_shutdown()\fR until it returns 1, as described above. This
+will ensure there is an opportunity for SSL/TLS session ticket messages to be
+received and processed by OpenSSL.
+.SH "QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS"
+.IX Header "QUIC-SPECIFIC SHUTDOWN CONSIDERATIONS"
+When used with a QUIC connection SSL object, \fBSSL_shutdown()\fR initiates a QUIC
+immediate close using QUIC \fBCONNECTION_CLOSE\fR frames.
+.PP
+\&\fBSSL_shutdown()\fR cannot be used on QUIC stream SSL objects. To conclude a stream
+normally, see \fBSSL_stream_conclude\fR\|(3); to perform a non-normal stream
+termination, see \fBSSL_stream_reset\fR\|(3).
+.PP
+\&\fBSSL_shutdown_ex()\fR may be used instead of \fBSSL_shutdown()\fR by an application to
+provide additional information to the peer on the reason why a connection is
+being shut down. The information which can be provided is as follows:
+.IP \fIquic_error_code\fR 4
+.IX Item "quic_error_code"
+An optional 62\-bit application error code to be signalled to the peer. The value
+must be in the range [0, 2**62\-1], else the call to \fBSSL_shutdown_ex()\fR fails. If
+not provided, an error code of 0 is used by default.
+.IP \fIquic_reason\fR 4
+.IX Item "quic_reason"
+An optional zero-terminated (UTF\-8) reason string to be signalled to the peer.
+The application is responsible for providing a valid UTF\-8 string and OpenSSL
+will not validate the string. If a reason is not provided, or \fBSSL_shutdown()\fR is
+used, a zero-length string is used as the reason. If provided, the reason string
+is copied and stored inside the QUIC connection SSL object and need not remain
+allocated after the call to \fBSSL_shutdown_ex()\fR returns. Reason strings are
+bounded by the path MTU and may be silently truncated if they are too long to
+fit in a QUIC packet.
+.Sp
+Reason strings are intended for human diagnostic purposes only, and should not
+be used for application signalling.
+.PP
+The arguments to \fBSSL_shutdown_ex()\fR are used only on the first call to
+\&\fBSSL_shutdown_ex()\fR (or \fBSSL_shutdown()\fR) for a given QUIC connection SSL object.
+These arguments are ignored on subsequent calls.
+.PP
+These functions do not affect an underlying network BIO or the resource it
+represents; for example, a UDP datagram provided to a QUIC connection as the
+network BIO will remain open.
+.PP
+Note that when using QUIC, an application must call \fBSSL_shutdown()\fR if it wants
+to ensure that all transmitted data was received by the peer. This is unlike a
+TLS/TCP connection, where reliable transmission of buffered data is the
+responsibility of the operating system. If an application calls \fBSSL_free()\fR on a
+QUIC connection SSL object or exits before completing the shutdown process using
+\&\fBSSL_shutdown()\fR, data which was written by the application using \fBSSL_write()\fR, but
+could not yet be transmitted, or which was sent but lost in the network, may not
+be received by the peer.
+.PP
+When using QUIC, calling \fBSSL_shutdown()\fR allows internal network event processing
+to be performed. It is important that this processing is performed regularly,
+whether during connection usage or during shutdown. If an application is not
+using thread assisted mode, an application conducting shutdown should either
+ensure that \fBSSL_shutdown()\fR is called regularly, or alternatively ensure that
+\&\fBSSL_handle_events()\fR is called regularly. See \fBopenssl\-quic\fR\|(7) and
+\&\fBSSL_handle_events\fR\|(3) for more information.
+.SS "Application Data Drainage Behaviour"
+.IX Subsection "Application Data Drainage Behaviour"
+When using QUIC, \fBSSL_shutdown()\fR or \fBSSL_shutdown_ex()\fR ordinarily waits until all
+data written to a stream by an application has been acknowledged by the peer. In
+other words, the shutdown process waits until all data written by the
+application has been sent to the peer, and until the receipt of all such data is
+acknowledged by the peer. Only once this process is completed is the shutdown
+considered complete.
+.PP
+An exception to this is streams which terminated in a non-normal fashion, for
+example due to a stream reset; only streams which are non-terminated at the time
+\&\fBSSL_shutdown()\fR is called, or which terminated in a normal fashion, have their
+pending send buffers flushed in this manner.
+.PP
+This behaviour of flushing streams during the shutdown process can be skipped by
+setting the \fBSSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH\fR flag in a call to
+\&\fBSSL_shutdown_ex()\fR; in this case, data remaining in stream send buffers may not
+be transmitted to the peer. This flag may be used when a non-normal application
+condition has occurred and the delivery of data written to streams via
+\&\fBSSL_write\fR\|(3) is no longer relevant.
+.SS "Shutdown Mode"
+.IX Subsection "Shutdown Mode"
+Aspects of how QUIC handles connection closure must be taken into account by
+applications. Ordinarily, QUIC expects a connection to continue to be serviced
+for a substantial period of time after it is nominally closed. This is necessary
+to ensure that any connection closure notification sent to the peer was
+successfully received. However, a consequence of this is that a fully
+RFC-compliant QUIC connection closure process could take of the order of
+seconds. This may be unsuitable for some applications, such as short-lived
+processes which need to exit immediately after completing an application-layer
+transaction.
+.PP
+As such, there are two shutdown modes available to users of QUIC connection SSL
+objects:
+.IP "RFC compliant shutdown mode" 4
+.IX Item "RFC compliant shutdown mode"
+This is the default behaviour. The shutdown process may take a period of time up
+to three times the current estimated RTT to the peer. It is possible for the
+closure process to complete much faster in some circumstances but this cannot be
+relied upon.
+.Sp
+In blocking mode, the function will return once the closure process is complete.
+In nonblocking mode, \fBSSL_shutdown_ex()\fR should be called until it returns 1,
+indicating the closure process is complete and the connection is now fully shut
+down.
+.IP "Rapid shutdown mode" 4
+.IX Item "Rapid shutdown mode"
+In this mode, the peer is notified of connection closure on a best effort basis
+by sending a single QUIC packet. If that QUIC packet is lost, the peer will not
+know that the connection has terminated until the negotiated idle timeout (if
+any) expires.
+.Sp
+This will generally return 0 on success, indicating that the connection has not
+yet been fully shut down (unless it has already done so, in which case it will
+return 1).
+.PP
+If \fBSSL_SHUTDOWN_FLAG_RAPID\fR is specified in \fIflags\fR, a rapid shutdown is
+performed, otherwise an RFC-compliant shutdown is performed.
+.PP
+If an application calls \fBSSL_shutdown_ex()\fR with \fBSSL_SHUTDOWN_FLAG_RAPID\fR, an
+application can subsequently change its mind about performing a rapid shutdown
+by making a subsequent call to \fBSSL_shutdown_ex()\fR without the flag set.
+.SS "Peer-Initiated Shutdown"
+.IX Subsection "Peer-Initiated Shutdown"
+In some cases, an application may wish to wait for a shutdown initiated by the
+peer rather than triggered locally. To do this, call \fBSSL_shutdown_ex()\fR with
+\&\fISSL_SHUTDOWN_FLAG_WAIT_PEER\fR specified in \fIflags\fR. In blocking mode, this
+waits until the peer initiates a shutdown or the connection otherwise becomes
+terminated for another reason. In nonblocking mode it exits immediately with
+either success or failure depending on whether a shutdown has occurred.
+.PP
+If a locally initiated shutdown has already been triggered or the connection has
+started terminating for another reason, this flag has no effect.
+.PP
+\&\fBSSL_SHUTDOWN_FLAG_WAIT_PEER\fR implies \fBSSL_SHUTDOWN_FLAG_NO_STREAM_FLUSH\fR, as
+stream data cannot be flushed after a peer closes the connection. Stream data
+may still be sent to the peer in any time spent waiting before the peer closes
+the connection, though there is no guarantee of this.
+.SS "Nonblocking Mode"
+.IX Subsection "Nonblocking Mode"
+\&\fBSSL_shutdown()\fR and \fBSSL_shutdown_ex()\fR block if the connection is configured in
+blocking mode. This may be overridden by specifying
+\&\fBSSL_SHUTDOWN_FLAG_NO_BLOCK\fR in \fIflags\fR when calling \fBSSL_shutdown_ex()\fR, which
+causes the call to operate as though in nonblocking mode.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-The following return values can occur:
-.IP "0" 4
-The shutdown is not yet finished: the close_notify was sent but the peer
-did not send it back yet.
-Call \fBSSL_read()\fR to do a bidirectional shutdown.
+For both \fBSSL_shutdown()\fR and \fBSSL_shutdown_ex()\fR the following return values can occur:
+.IP 0 4
+The shutdown process is ongoing and has not yet completed.
+.Sp
+For TLS and DTLS, this means that a close_notify alert has been sent but the
+peer has not yet replied in turn with its own close_notify.
+.Sp
+For QUIC connection SSL objects, a CONNECTION_CLOSE frame may have been
+sent but the connection closure process has not yet completed.
.Sp
-Unlike most other function, returning 0 does not indicate an error.
-\&\fBSSL_get_error\fR\|(3) should not get called, it may misleadingly
-indicate an error even though no error occurred.
-.IP "1" 4
+Unlike most other functions, returning 0 does not indicate an error.
+\&\fBSSL_get_error\fR\|(3) should not be called; it may misleadingly indicate an error
+even though no error occurred.
+.IP 1 4
.IX Item "1"
-The shutdown was successfully completed. The close_notify alert was sent
-and the peer's close_notify alert was received.
-.IP "<0" 4
+The shutdown was successfully completed.
+.Sp
+For TLS and DTLS, this means that a close_notify alert was sent and the peer's
+close_notify alert was received.
+.Sp
+For QUIC connection SSL objects, this means that the connection closure process
+has completed.
+.IP <0 4
.IX Item "<0"
The shutdown was not successful.
Call \fBSSL_get_error\fR\|(3) with the return value \fBret\fR to find out the reason.
It can occur if an action is needed to continue the operation for nonblocking
BIOs.
.Sp
-It can also occur when not all data was read using \fBSSL_read()\fR.
+It can also occur when not all data was read using \fBSSL_read()\fR, or if called
+on a QUIC stream SSL object.
+.Sp
+This value is also returned when called on QUIC stream SSL objects.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_connect\fR\|(3),
@@ -287,11 +437,14 @@ It can also occur when not all data was read using \fBSSL_read()\fR.
\&\fBSSL_CTX_set_quiet_shutdown\fR\|(3), \fBSSL_CTX_set_options\fR\|(3)
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3),
\&\fBssl\fR\|(7), \fBbio\fR\|(7)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_shutdown_ex()\fR function was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_state_string.3 b/secure/lib/libcrypto/man/man3/SSL_state_string.3
index 1590c3502c4d..9164d24ad400 100644
--- a/secure/lib/libcrypto/man/man3/SSL_state_string.3
+++ b/secure/lib/libcrypto/man/man3/SSL_state_string.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_STATE_STRING 3ossl"
-.TH SSL_STATE_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_STATE_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_state_string, SSL_state_string_long \- get textual description of state of an SSL object
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -146,22 +70,22 @@ SSL_state_string, SSL_state_string_long \- get textual description of state of a
\& const char *SSL_state_string(const SSL *ssl);
\& const char *SSL_state_string_long(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_state_string()\fR returns an abbreviated string indicating the current state
-of the \s-1SSL\s0 object \fBssl\fR. The returned NUL-terminated string contains 6 or fewer characters.
+of the SSL object \fBssl\fR. The returned NUL-terminated string contains 6 or fewer characters.
.PP
\&\fBSSL_state_string_long()\fR returns a descriptive string indicating the current state of
-the \s-1SSL\s0 object \fBssl\fR.
-.SH "NOTES"
+the SSL object \fBssl\fR.
+.SH NOTES
.IX Header "NOTES"
-During its use, an \s-1SSL\s0 objects passes several states. The state is internally
+During its use, an SSL objects passes several states. The state is internally
maintained. Querying the state information is not very informative before
or when a connection has been established. It however can be of significant
interest during the handshake.
.PP
When using nonblocking sockets, the function call performing the handshake
-may return with \s-1SSL_ERROR_WANT_READ\s0 or \s-1SSL_ERROR_WANT_WRITE\s0 condition,
+may return with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE condition,
so that SSL_state_string[_long]() may be called.
.PP
For both blocking or nonblocking sockets, the details state information
@@ -173,11 +97,11 @@ Detailed description of possible states to be included later.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_info_callback\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3 b/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3
new file mode 100644
index 000000000000..660b51a79235
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_stream_conclude.3
@@ -0,0 +1,113 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_STREAM_CONCLUDE 3ossl"
+.TH SSL_STREAM_CONCLUDE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_stream_conclude \- conclude the sending part of a QUIC stream
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& _\|_owur int SSL_stream_conclude(SSL *s, uint64_t flags);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBSSL_stream_conclude()\fR signals the normal end-of-stream condition for the send
+part of a QUIC stream. If called on a QUIC connection SSL object with an
+associated default stream, it signals the end of the single stream to the peer.
+.PP
+Any data already queued for transmission via a call to \fBSSL_write()\fR will still be
+written in a reliable manner before the end-of-stream is signalled, assuming the
+connection remains healthy. This function can be thought of as appending a
+logical end-of-stream marker after any data which has previously been written to
+the stream via calls to \fBSSL_write()\fR. Further attempts to call \fBSSL_write()\fR after
+calling this function will fail.
+.PP
+When calling this on a stream, the receive part of the stream remains
+unaffected, and the peer may continue to send data until it also signals the end
+of the stream. Thus, \fBSSL_read()\fR can still be used.
+.PP
+\&\fIflags\fR is reserved and should be set to 0.
+.PP
+Only the first call to this function has any effect for a given stream;
+subsequent calls are no-ops. This is considered a success case.
+.PP
+This function is not supported on an object other than a QUIC stream SSL object.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success and 0 on failure.
+.PP
+Returns 0 if called on an SSL object not representing a QUIC stream.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-quic\fR\|(7), \fBssl\fR\|(7), \fBSSL_shutdown_ex\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The \fBSSL_stream_conclude()\fR function was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_stream_reset.3 b/secure/lib/libcrypto/man/man3/SSL_stream_reset.3
new file mode 100644
index 000000000000..07573715cc18
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/SSL_stream_reset.3
@@ -0,0 +1,131 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "SSL_STREAM_RESET 3ossl"
+.TH SSL_STREAM_RESET 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+SSL_stream_reset \- reset a QUIC stream
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ssl.h>
+\&
+\& typedef struct ssl_stream_reset_args_st {
+\& uint64_t quic_error_code;
+\& } SSL_STREAM_RESET_ARGS;
+\&
+\& int SSL_stream_reset(SSL *ssl,
+\& const SSL_STREAM_RESET_ARGS *args,
+\& size_t args_len);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSSL_stream_reset()\fR function resets the send part of a QUIC stream when
+called on a QUIC stream SSL object, or on a QUIC connection SSL object with a
+default stream attached.
+.PP
+If \fIargs\fR is non-NULL, \fIargs_len\fR must be set to \f(CWsizeof(*args)\fR.
+.PP
+\&\fIquic_error_code\fR is an application-specified error code, which must be in the
+range [0, 2**62\-1]. If \fIargs\fR is NULL, a value of 0 is used.
+.PP
+Resetting a stream indicates to an application that the sending part of the
+stream is terminating abnormally. When a stream is reset, the implementation
+does not guarantee that any data already passed to \fBSSL_write\fR\|(3) will be
+received by the peer, and data already passed to \fBSSL_write\fR\|(3) but not yet
+transmitted may or may not be discarded. As such, you should only reset
+a stream when the information transmitted on the stream no longer matters, for
+example due to an error condition.
+.PP
+This function cannot be called on a unidirectional stream initiated by the peer,
+as only the sending side of a stream can initiate a stream reset.
+.PP
+It is also possible to trigger a stream reset by calling \fBSSL_free\fR\|(3); see the
+documentation for \fBSSL_free\fR\|(3) for details.
+.PP
+The receiving part of the stream (for bidirectional streams) continues to
+function normally.
+.SH NOTES
+.IX Header "NOTES"
+This function corresponds to the QUIC \fBRESET_STREAM\fR frame.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Returns 1 on success and 0 on failure.
+.PP
+This function fails if called on a QUIC connection SSL object without a default
+stream attached, or on a non-QUIC SSL object.
+.PP
+After the first call to this function succeeds for a given stream,
+subsequent calls succeed but are ignored. The application error code
+used is that passed to the first successful call to this function.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_free\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBSSL_stream_reset()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2002\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_want.3 b/secure/lib/libcrypto/man/man3/SSL_want.3
index e98db1dc04bc..2cb8c98b801c 100644
--- a/secure/lib/libcrypto/man/man3/SSL_want.3
+++ b/secure/lib/libcrypto/man/man3/SSL_want.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_WANT 3ossl"
-.TH SSL_WANT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_WANT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write,
SSL_want_x509_lookup, SSL_want_retry_verify, SSL_want_async, SSL_want_async_job,
SSL_want_client_hello_cb \- obtain state information TLS/SSL I/O operation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
@@ -155,15 +79,15 @@ SSL_want_client_hello_cb \- obtain state information TLS/SSL I/O operation
\& int SSL_want_async_job(const SSL *ssl);
\& int SSL_want_client_hello_cb(const SSL *ssl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBSSL_want()\fR returns state information for the \s-1SSL\s0 object \fBssl\fR.
+\&\fBSSL_want()\fR returns state information for the SSL object \fBssl\fR. \fBssl\fR \fBMUST NOT\fR be NULL.
.PP
The other SSL_want_*() calls are shortcuts for the possible states returned
by \fBSSL_want()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-\&\fBSSL_want()\fR examines the internal state information of the \s-1SSL\s0 object. Its
+\&\fBSSL_want()\fR examines the internal state information of the SSL object. Its
return values are similar to that of \fBSSL_get_error\fR\|(3).
Unlike \fBSSL_get_error\fR\|(3), which also evaluates the
error queue, the results are obtained by examining an internal state flag
@@ -176,61 +100,64 @@ the result of \fBSSL_get_error\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can currently occur for \fBSSL_want()\fR:
-.IP "\s-1SSL_NOTHING\s0" 4
+.IP SSL_NOTHING 4
.IX Item "SSL_NOTHING"
There is no data to be written or to be read.
-.IP "\s-1SSL_WRITING\s0" 4
+.IP SSL_WRITING 4
.IX Item "SSL_WRITING"
-There are data in the \s-1SSL\s0 buffer that must be written to the underlying
-\&\fB\s-1BIO\s0\fR layer in order to complete the actual SSL_*() operation.
-A call to \fBSSL_get_error\fR\|(3) should return \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR.
-.IP "\s-1SSL_READING\s0" 4
+There are data in the SSL buffer that must be written to the underlying
+\&\fBBIO\fR layer in order to complete the actual SSL_*() operation.
+A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_WRITE\fR.
+.IP SSL_READING 4
.IX Item "SSL_READING"
-More data must be read from the underlying \fB\s-1BIO\s0\fR layer in order to
+More data must be read from the underlying \fBBIO\fR layer in order to
complete the actual SSL_*() operation.
-A call to \fBSSL_get_error\fR\|(3) should return \fB\s-1SSL_ERROR_WANT_READ\s0\fR.
-.IP "\s-1SSL_X509_LOOKUP\s0" 4
+A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_READ\fR.
+.IP SSL_X509_LOOKUP 4
.IX Item "SSL_X509_LOOKUP"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_cert_cb()\fR has asked to be called again.
-A call to \fBSSL_get_error\fR\|(3) should return \fB\s-1SSL_ERROR_WANT_X509_LOOKUP\s0\fR.
-.IP "\s-1SSL_RETRY_VERIFY\s0" 4
+A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_X509_LOOKUP\fR.
+.IP SSL_RETRY_VERIFY 4
.IX Item "SSL_RETRY_VERIFY"
The operation did not complete because a certificate verification callback
has asked to be called again via \fBSSL_set_retry_verify\fR\|(3).
-A call to \fBSSL_get_error\fR\|(3) should return \fB\s-1SSL_ERROR_WANT_RETRY_VERIFY\s0\fR.
-.IP "\s-1SSL_ASYNC_PAUSED\s0" 4
+A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_RETRY_VERIFY\fR.
+.IP SSL_ASYNC_PAUSED 4
.IX Item "SSL_ASYNC_PAUSED"
An asynchronous operation partially completed and was then paused. See
\&\fBSSL_get_all_async_fds\fR\|(3). A call to \fBSSL_get_error\fR\|(3) should return
-\&\fB\s-1SSL_ERROR_WANT_ASYNC\s0\fR.
-.IP "\s-1SSL_ASYNC_NO_JOBS\s0" 4
+\&\fBSSL_ERROR_WANT_ASYNC\fR.
+.IP SSL_ASYNC_NO_JOBS 4
.IX Item "SSL_ASYNC_NO_JOBS"
The asynchronous job could not be started because there were no async jobs
available in the pool (see \fBASYNC_init_thread\fR\|(3)). A call to \fBSSL_get_error\fR\|(3)
-should return \fB\s-1SSL_ERROR_WANT_ASYNC_JOB\s0\fR.
-.IP "\s-1SSL_CLIENT_HELLO_CB\s0" 4
+should return \fBSSL_ERROR_WANT_ASYNC_JOB\fR.
+.IP SSL_CLIENT_HELLO_CB 4
.IX Item "SSL_CLIENT_HELLO_CB"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_hello_cb()\fR has asked to be called again.
-A call to \fBSSL_get_error\fR\|(3) should return \fB\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0\fR.
+A call to \fBSSL_get_error\fR\|(3) should return \fBSSL_ERROR_WANT_CLIENT_HELLO_CB\fR.
.PP
\&\fBSSL_want_nothing()\fR, \fBSSL_want_read()\fR, \fBSSL_want_write()\fR,
\&\fBSSL_want_x509_lookup()\fR, \fBSSL_want_retry_verify()\fR,
\&\fBSSL_want_async()\fR, \fBSSL_want_async_job()\fR, and \fBSSL_want_client_hello_cb()\fR
return 1 when the corresponding condition is true or 0 otherwise.
+.SH "QUIC-SPECIFIC CONSIDERATIONS"
+.IX Header "QUIC-SPECIFIC CONSIDERATIONS"
+For QUIC, these functions relate only to the TLS handshake layer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \fBSSL_want_client_hello_cb()\fR function and the \s-1SSL_CLIENT_HELLO_CB\s0 return value
+The \fBSSL_want_client_hello_cb()\fR function and the SSL_CLIENT_HELLO_CB return value
were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_write.3 b/secure/lib/libcrypto/man/man3/SSL_write.3
index f7e62b0169f3..867c650af27e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_write.3
+++ b/secure/lib/libcrypto/man/man3/SSL_write.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,144 +52,130 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_WRITE 3ossl"
-.TH SSL_WRITE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH SSL_WRITE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-SSL_write_ex, SSL_write, SSL_sendfile \- write bytes to a TLS/SSL connection
-.SH "SYNOPSIS"
+.SH NAME
+SSL_write_ex2, SSL_write_ex, SSL_write, SSL_sendfile, SSL_WRITE_FLAG_CONCLUDE \-
+write bytes to a TLS/SSL connection
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
+\& #define SSL_WRITE_FLAG_CONCLUDE
+\&
\& ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags);
+\& int SSL_write_ex2(SSL *s, const void *buf, size_t num,
+\& uint64_t flags,
+\& size_t *written);
\& int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written);
\& int SSL_write(SSL *ssl, const void *buf, int num);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBSSL_write_ex()\fR and \fBSSL_write()\fR write \fBnum\fR bytes from the buffer \fBbuf\fR into
the specified \fBssl\fR connection. On success \fBSSL_write_ex()\fR will store the number
of bytes written in \fB*written\fR.
.PP
+\&\fBSSL_write_ex2()\fR functions similarly to \fBSSL_write_ex()\fR but can also accept
+optional flags which modify its behaviour. Calling \fBSSL_write_ex2()\fR with a
+\&\fIflags\fR argument of 0 is exactly equivalent to calling \fBSSL_write_ex()\fR.
+.PP
\&\fBSSL_sendfile()\fR writes \fBsize\fR bytes from offset \fBoffset\fR in the file
-descriptor \fBfd\fR to the specified \s-1SSL\s0 connection \fBs\fR. This function provides
+descriptor \fBfd\fR to the specified SSL connection \fBs\fR. This function provides
efficient zero-copy semantics. \fBSSL_sendfile()\fR is available only when
-Kernel \s-1TLS\s0 is enabled, which can be checked by calling \fBBIO_get_ktls_send()\fR.
+Kernel TLS is enabled, which can be checked by calling \fBBIO_get_ktls_send()\fR.
It is provided here to allow users to maintain the same interface.
The meaning of \fBflags\fR is platform dependent.
Currently, under Linux it is ignored.
-.SH "NOTES"
+.PP
+The \fIflags\fR argument to \fBSSL_write_ex2()\fR can accept zero or more of the
+following flags. Note that which flags are supported will depend on the kind of
+SSL object and underlying protocol being used:
+.IP \fBSSL_WRITE_FLAG_CONCLUDE\fR 4
+.IX Item "SSL_WRITE_FLAG_CONCLUDE"
+This flag is only supported on QUIC stream SSL objects (or QUIC connection SSL
+objects with a default stream attached).
+.Sp
+If this flag is set, and the call to \fBSSL_write_ex2()\fR succeeds, and all of the
+data passed to the call is written (meaning that \f(CW\*(C`*written == num\*(C'\fR), the
+relevant QUIC stream's send part is concluded automatically as though
+\&\fBSSL_stream_conclude\fR\|(3) was called (causing transmission of a FIN for the
+stream).
+.Sp
+While using this flag is semantically equivalent to calling
+\&\fBSSL_stream_conclude\fR\|(3) after a successful call to this function, using this
+flag enables greater efficiency than making these two API calls separately, as
+it enables the written stream data and the FIN flag indicating the end of the
+stream to be scheduled as part of the same QUIC STREAM frame and QUIC packet.
+.Sp
+Setting this flag does not cause a stream's send part to be concluded if not all
+of the data passed to the call was consumed.
+.PP
+A call to \fBSSL_write_ex2()\fR fails if a flag is passed which is not supported or
+understood by the given SSL object. An application should determine if a flag is
+supported (for example, for \fBSSL_WRITE_FLAG_CONCLUDE\fR, that a QUIC stream SSL
+object is being used) before attempting to use it.
+.SH NOTES
.IX Header "NOTES"
-In the paragraphs below a \*(L"write function\*(R" is defined as one of either
+In the paragraphs below a "write function" is defined as one of either
\&\fBSSL_write_ex()\fR, or \fBSSL_write()\fR.
.PP
-If necessary, a write function will negotiate a \s-1TLS/SSL\s0 session, if not already
+If necessary, a write function will negotiate a TLS/SSL session, if not already
explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the peer
requests a re-negotiation, it will be performed transparently during
the write function operation. The behaviour of the write functions depends on the
-underlying \s-1BIO.\s0
+underlying BIO.
.PP
For the transparent negotiation to succeed, the \fBssl\fR must have been
initialized to client or server mode. This is being done by calling
\&\fBSSL_set_connect_state\fR\|(3) or \fBSSL_set_accept_state()\fR
before the first call to a write function.
.PP
-If the underlying \s-1BIO\s0 is \fBblocking\fR, the write functions will only return, once
+If the underlying BIO is \fBblocking\fR, the write functions will only return, once
the write operation has been finished or an error occurred.
.PP
-If the underlying \s-1BIO\s0 is \fBnonblocking\fR the write functions will also return
-when the underlying \s-1BIO\s0 could not satisfy the needs of the function to continue
+If the underlying BIO is \fBnonblocking\fR the write functions will also return
+when the underlying BIO could not satisfy the needs of the function to continue
the operation. In this case a call to \fBSSL_get_error\fR\|(3) with the
-return value of the write function will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR
-or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a
+return value of the write function will yield \fBSSL_ERROR_WANT_READ\fR
+or \fBSSL_ERROR_WANT_WRITE\fR. As at any time a re-negotiation is possible, a
call to a write function can also cause read operations! The calling process
then must repeat the call after taking appropriate action to satisfy the needs
-of the write function. The action depends on the underlying \s-1BIO.\s0 When using a
+of the write function. The action depends on the underlying BIO. When using a
nonblocking socket, nothing is to be done, but \fBselect()\fR can be used to check
-for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data
-must be written into or retrieved out of the \s-1BIO\s0 before being able to continue.
+for the required condition. When using a buffering BIO, like a BIO pair, data
+must be written into or retrieved out of the BIO before being able to continue.
.PP
The write functions will only return with success when the complete contents of
\&\fBbuf\fR of length \fBnum\fR has been written. This default behaviour can be changed
-with the \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 option of \fBSSL_CTX_set_mode\fR\|(3). When
+with the SSL_MODE_ENABLE_PARTIAL_WRITE option of \fBSSL_CTX_set_mode\fR\|(3). When
this flag is set the write functions will also return with success when a
partial write has been successfully completed. In this case the write function
operation is considered completed. The bytes are sent and a new write call with
a new buffer (with the already sent bytes removed) must be started. A partial
write is performed with the size of a message block, which is 16kB.
-.SH "WARNINGS"
+.PP
+When used with a QUIC SSL object, calling an I/O function such as \fBSSL_write()\fR
+allows internal network event processing to be performed. It is important that
+this processing is performed regularly. If an application is not using thread
+assisted mode, an application should ensure that an I/O function such as
+\&\fBSSL_write()\fR is called regularly, or alternatively ensure that \fBSSL_handle_events()\fR
+is called regularly. See \fBopenssl\-quic\fR\|(7) and \fBSSL_handle_events\fR\|(3) for more
+information.
+.SH WARNINGS
.IX Header "WARNINGS"
When a write function call has to be repeated because \fBSSL_get_error\fR\|(3)
-returned \fB\s-1SSL_ERROR_WANT_READ\s0\fR or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR, it must be repeated
+returned \fBSSL_ERROR_WANT_READ\fR or \fBSSL_ERROR_WANT_WRITE\fR, it must be repeated
with the same arguments.
The data that was passed might have been partially processed.
-When \fB\s-1SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\s0\fR was set using \fBSSL_CTX_set_mode\fR\|(3)
+When \fBSSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\fR was set using \fBSSL_CTX_set_mode\fR\|(3)
the pointer can be different, but the data and length should still be the same.
.PP
You should not call \fBSSL_write()\fR with num=0, it will return an error.
@@ -213,22 +183,23 @@ You should not call \fBSSL_write()\fR with num=0, it will return an error.
the peer.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBSSL_write_ex()\fR will return 1 for success or 0 for failure. Success means that
-all requested application data bytes have been written to the \s-1SSL\s0 connection or,
-if \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is in use, at least 1 application data byte has
-been written to the \s-1SSL\s0 connection. Failure means that not all the requested
-bytes have been written yet (if \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is not in use) or
-no bytes could be written to the \s-1SSL\s0 connection (if
-\&\s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is in use). Failures can be retryable (e.g. the
-network write buffer has temporarily filled up) or non-retryable (e.g. a fatal
-network error). In the event of a failure call \fBSSL_get_error\fR\|(3) to find out
-the reason which indicates whether the call is retryable or not.
+\&\fBSSL_write_ex()\fR and \fBSSL_write_ex2()\fR return 1 for success or 0 for failure.
+Success means that all requested application data bytes have been written to the
+SSL connection or, if SSL_MODE_ENABLE_PARTIAL_WRITE is in use, at least 1
+application data byte has been written to the SSL connection. Failure means that
+not all the requested bytes have been written yet (if
+SSL_MODE_ENABLE_PARTIAL_WRITE is not in use) or no bytes could be written to the
+SSL connection (if SSL_MODE_ENABLE_PARTIAL_WRITE is in use). Failures can be
+retryable (e.g. the network write buffer has temporarily filled up) or
+non-retryable (e.g. a fatal network error). In the event of a failure call
+\&\fBSSL_get_error\fR\|(3) to find out the reason which indicates whether the call is
+retryable or not.
.PP
For \fBSSL_write()\fR the following return values can occur:
.IP "> 0" 4
.IX Item "> 0"
The write operation was successful, the return value is the number of
-bytes actually written to the \s-1TLS/SSL\s0 connection.
+bytes actually written to the TLS/SSL connection.
.IP "<= 0" 4
.IX Item "<= 0"
The write operation was not successful, because either the connection was
@@ -243,7 +214,7 @@ For \fBSSL_sendfile()\fR, the following return values can occur:
.IP ">= 0" 4
.IX Item ">= 0"
The write operation was successful, the return value is the number
-of bytes of the file written to the \s-1TLS/SSL\s0 connection. The return
+of bytes of the file written to the TLS/SSL connection. The return
value can be less than \fBsize\fR for a partial write.
.IP "< 0" 4
.IX Item "< 0"
@@ -257,15 +228,16 @@ Call \fBSSL_get_error()\fR with the return value to find out the reason.
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3)
\&\fBSSL_set_connect_state\fR\|(3), \fBBIO_ctrl\fR\|(3),
\&\fBssl\fR\|(7), \fBbio\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBSSL_write_ex()\fR function was added in OpenSSL 1.1.1.
The \fBSSL_sendfile()\fR function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The \fBSSL_write_ex2()\fR function was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3 b/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3
index c4b62890e562..3cb7826b3161 100644
--- a/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/TS_RESP_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "TS_RESP_CTX_NEW 3ossl"
-.TH TS_RESP_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH TS_RESP_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
TS_RESP_CTX_new_ex, TS_RESP_CTX_new,
TS_RESP_CTX_free \- Timestamp response context object creation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ts.h>
@@ -148,32 +72,33 @@ TS_RESP_CTX_free \- Timestamp response context object creation
\& TS_RESP_CTX *TS_RESP_CTX_new(void);
\& void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Creates a response context that can be used for generating responses.
.PP
-\&\fBTS_RESP_CTX_new_ex()\fR allocates and initializes a \s-1TS_RESP_CTX\s0 structure with a
+\&\fBTS_RESP_CTX_new_ex()\fR allocates and initializes a TS_RESP_CTX structure with a
library context of \fIlibctx\fR and a property query of \fIpropq\fR.
The library context and property query can be used to select which providers
supply the fetched algorithms.
.PP
\&\fBTS_RESP_CTX_new()\fR is similar to \fBTS_RESP_CTX_new_ex()\fR but sets the library context
-and property query to \s-1NULL.\s0 This results in the default (\s-1NULL\s0) library context
+and property query to NULL. This results in the default (NULL) library context
being used for any operations requiring algorithm fetches.
.PP
-\&\fBTS_RESP_CTX_free()\fR frees the \fB\s-1TS_RESP_CTX\s0\fR object \fIctx\fR.
+\&\fBTS_RESP_CTX_free()\fR frees the \fBTS_RESP_CTX\fR object \fIctx\fR.
+If the argument is NULL, nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBTS_RESP_CTX_new_ex()\fR and \fBTS_RESP_CTX_new()\fR return \s-1NULL,\s0
+If the allocation fails, \fBTS_RESP_CTX_new_ex()\fR and \fBTS_RESP_CTX_new()\fR return NULL,
otherwise it returns a pointer to the newly allocated structure.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The function \fBTS_RESP_CTX_new_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3 b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3
new file mode 100644
index 000000000000..ba7394f7b550
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX.3
@@ -0,0 +1,211 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "TS_VERIFY_CTX 3ossl"
+.TH TS_VERIFY_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+TS_VERIFY_CTX, TS_VERIFY_CTX_new, TS_VERIFY_CTX_init, TS_VERIFY_CTX_free,
+TS_VERIFY_CTX_cleanup, TS_VERIFY_CTX_set_flags, TS_VERIFY_CTX_add_flags,
+TS_VERIFY_CTX_set0_data, TS_VERIFY_CTX_set0_imprint, TS_VERIFY_CTX_set0_store,
+TS_VERIFY_CTX_set0_certs, TS_VERIFY_CTX_set_certs, TS_VERIFY_CTS_set_certs,
+TS_VERIFY_CTX_set_data, TS_VERIFY_CTX_set_imprint, TS_VERIFY_CTX_set_store
+\&\- manage the TS response verification context
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/ts.h>
+\&
+\& typedef struct TS_verify_ctx TS_VERIFY_CTX;
+\&
+\& TS_VERIFY_CTX *TS_VERIFY_CTX_new(void);
+\& void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
+\& void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
+\& void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
+\& int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f);
+\& int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f);
+\& int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b);
+\& int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx,
+\& unsigned char *hexstr, long len);
+\& int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s);
+\& int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs);
+.Ve
+.PP
+The following functions have been deprecated since OpenSSL 3.4:
+.PP
+.Vb 6
+\& BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b);
+\& unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
+\& unsigned char *hexstr, long len);
+\& X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s);
+\& STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
+\& STACK_OF(X509) *certs);
+.Ve
+.PP
+The following function has been deprecated since OpenSSL 3.0:
+.PP
+.Vb 2
+\& STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx,
+\& STACK_OF(X509) *certs);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The Time-Stamp Protocol (TSP) is defined by RFC 3161. TSP is a protocol used to
+provide long-term proof of the existence of certain data before a particular
+time. TSP defines a Time Stamping Authority (TSA) and an entity that makes
+requests to the TSA. Usually, the TSA is referred to as the server side, and the
+requesting entity is referred to as the client.
+.PP
+In TSP, when a server sends a response to a client, the server normally
+needs to sign the response data \- the TimeStampToken (TST) \- with its private
+key. Then the client verifies the received TST using the server's certificate
+chain.
+.PP
+For all the following methods, unless noted otherwise, \fIctx\fR is the
+verification context created in advance.
+.PP
+\&\fBTS_VERIFY_CTX_new()\fR returns an allocated \fBTS_VERIFY_CTX\fR structure.
+.PP
+\&\fBTS_VERIFY_CTX_init()\fR initializes a verification context.
+.PP
+\&\fBTS_VERIFY_CTX_free()\fR frees up a \fBTS_VERIFY_CTX\fR object. \fIctx\fR is the
+verification context to be freed. If \fIctx\fR is NULL, the call is ignored.
+.PP
+\&\fBTS_VERIFY_CTX_set_flags()\fR sets the flags in the verification context. \fIf\fR are
+the flags to be set.
+.PP
+\&\fBTS_VERIFY_CTX_add_flags()\fR adds flags to the verification context. \fIf\fR are the
+flags to be added (OR'd).
+.PP
+\&\fBTS_VERIFY_CTX_set0_data()\fR sets the data to be verified. \fIb\fR is the \fBBIO\fR with
+the data. A previously assigned \fBBIO\fR is freed.
+.PP
+\&\fBTS_VERIFY_CTX_set0_imprint()\fR sets the message imprint. \fIhexstr\fR is the
+message imprint to be assigned. A previously assigned imprint is freed.
+.PP
+\&\fBTS_VERIFY_CTX_set0_store()\fR sets the store for the verification context. \fIs\fR is
+the store to be assigned. A previously assigned store is freed.
+.PP
+\&\fBTS_VERIFY_CTX_set0_certs()\fR is used to set the server's certificate chain when
+verifying a TST. \fIcerts\fR is a stack of \fBX509\fR certificates.
+.PP
+\&\fBTS_VERIFY_CTX_cleanup()\fR frees all data associated with the given
+\&\fBTS_VERIFY_CTX\fR object and initializes it. \fIctx\fR is the verification context
+created in advance. If \fIctx\fR is NULL, the call is ignored.
+.PP
+All of the following functions described are deprecated. Applications should
+instead use the functions \fBTS_VERIFY_CTX_set0_data\fR\|(3),
+\&\fBTS_VERIFY_CTX_set0_imprint\fR\|(3), \fBTS_VERIFY_CTX_set0_store\fR\|(3),
+\&\fBTS_VERIFY_CTX_set0_certs\fR\|(3).
+.PP
+\&\fBTS_VERIFY_CTX_set_data()\fR is used to set the BIO with the data to be verified.
+A previously assigned BIO is \fBnot freed\fR by this call. \fIb\fR is the \fBBIO\fR
+with the data to assign.
+.PP
+\&\fBTS_VERIFY_CTX_set_imprint()\fR is used to set the message imprint. A previously
+assigned imprint \fBis freed\fR by this call. \fIhexstr\fR is the string with the
+message imprint to assign.
+.PP
+\&\fBTS_VERIFY_CTX_set_store()\fR is used to set the certificate store. A previously
+assigned store is \fBnot freed\fR by this call. \fIs\fR is the store to assign.
+.PP
+\&\fBTS_VERIFY_CTX_set_certs()\fR is used to set the server's certificate chain.
+A previously assigned stack is \fBnot freed\fR by this call. \fIcerts\fR is a stack
+of \fBX509\fR certificates.
+.PP
+\&\fBTS_VERIFY_CTS_set_certs()\fR is a misspelled version of \fBTS_VERIFY_CTX_set_certs()\fR
+which takes the same parameters and returns the same result.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBTS_VERIFY_CTX_new()\fR returns an allocated \fBTS_VERIFY_CTX\fR structure.
+.PP
+\&\fBTS_VERIFY_CTX_set_flags()\fR returns the flags passed via parameter \fIf\fR.
+.PP
+\&\fBTS_VERIFY_CTX_add_flags()\fR returns the flags of the context after the ones
+passed via parameter \fIf\fR are added to it.
+.PP
+\&\fBTS_VERIFY_CTX_set0_data()\fR, \fBTS_VERIFY_CTX_set0_imprint()\fR,
+\&\fBTS_VERIFY_CTX_set0_store()\fR, and \fBTS_VERIFY_CTX_set0_certs()\fR return 1 if the
+value could be successfully set and 0 in case of any error.
+.PP
+The deprecated functions \fBTS_VERIFY_CTX_set_data()\fR, \fBTS_VERIFY_CTX_set_imprint()\fR,
+\&\fBTS_VERIFY_CTX_set_store()\fR, \fBTS_VERIFY_CTX_set_certs()\fR return the parameter
+the user passes via parameter \fIbio\fR, \fIhexstr\fR, \fIs\fR or \fIcerts\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBOSSL_ESS_check_signing_certs\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBTS_VERIFY_CTX_set0_data()\fR, \fBTS_VERIFY_CTX_set0_imprint()\fR,
+\&\fBTS_VERIFY_CTX_set0_store()\fR, \fBTS_VERIFY_CTX_set0_certs()\fR replace the functions
+\&\fBTS_VERIFY_CTX_set_data()\fR, \fBTS_VERIFY_CTX_set_imprint()\fR,
+\&\fBTS_VERIFY_CTX_set_store()\fR, \fBTS_VERIFY_CTX_set_certs()\fR that were deprecated
+in OpenSSL 3.4.0.
+.PP
+The spelling of \fBTS_VERIFY_CTX_set_certs()\fR was corrected in OpenSSL 3.0.0.
+The misspelled version \fBTS_VERIFY_CTS_set_certs()\fR has been retained for
+compatibility reasons, but it is deprecated in OpenSSL 3.0.0.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX_set_certs.3 b/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX_set_certs.3
deleted file mode 100644
index 8335986b4644..000000000000
--- a/secure/lib/libcrypto/man/man3/TS_VERIFY_CTX_set_certs.3
+++ /dev/null
@@ -1,190 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "TS_VERIFY_CTX_SET_CERTS 3ossl"
-.TH TS_VERIFY_CTX_SET_CERTS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-TS_VERIFY_CTX_set_certs, TS_VERIFY_CTS_set_certs
-\&\- set certificates for TS response verification
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-.Vb 1
-\& #include <openssl/ts.h>
-\&
-\& STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
-\& STACK_OF(X509) *certs);
-\& STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx,
-\& STACK_OF(X509) *certs);
-.Ve
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The Time-Stamp Protocol (\s-1TSP\s0) is defined by \s-1RFC 3161. TSP\s0 is a protocol used to
-provide long term proof of the existence of a certain datum before a particular
-time. \s-1TSP\s0 defines a Time Stamping Authority (\s-1TSA\s0) and an entity who shall make
-requests to the \s-1TSA.\s0 Usually the \s-1TSA\s0 is denoted as the server side and the
-requesting entity is denoted as the client.
-.PP
-In \s-1TSP,\s0 when a server is sending a response to a client, the server normally
-needs to sign the response data \- the TimeStampToken (\s-1TST\s0) \- with its private
-key. Then the client shall verify the received \s-1TST\s0 by the server's certificate
-chain.
-.PP
-\&\fBTS_VERIFY_CTX_set_certs()\fR is used to set the server's certificate chain when
-verifying a \s-1TST.\s0 \fBctx\fR is the verification context created in advance and
-\&\fBcerts\fR is a stack of \fBX509\fR certificates.
-.PP
-\&\fBTS_VERIFY_CTS_set_certs()\fR is a misspelled version of \fBTS_VERIFY_CTX_set_certs()\fR
-which takes the same parameters and returns the same result.
-.SH "RETURN VALUES"
-.IX Header "RETURN VALUES"
-\&\fBTS_VERIFY_CTX_set_certs()\fR returns the stack of \fBX509\fR certificates the user
-passes in via parameter \fBcerts\fR.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fBOSSL_ESS_check_signing_certs\fR\|(3)
-.SH "HISTORY"
-.IX Header "HISTORY"
-The spelling of \fBTS_VERIFY_CTX_set_certs()\fR was corrected in OpenSSL 3.0.0.
-The misspelled version \fBTS_VERIFY_CTS_set_certs()\fR has been retained for
-compatibility reasons, but it is deprecated in OpenSSL 3.0.0.
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_STRING.3 b/secure/lib/libcrypto/man/man3/UI_STRING.3
index 85997192f17d..b222c73d1d5c 100644
--- a/secure/lib/libcrypto/man/man3/UI_STRING.3
+++ b/secure/lib/libcrypto/man/man3/UI_STRING.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_STRING 3ossl"
-.TH UI_STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH UI_STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
UI_STRING, UI_string_types, UI_get_string_type,
UI_get_input_flags, UI_get0_output_string,
UI_get0_action_string, UI_get0_result_string, UI_get_result_string_length,
UI_get0_test_string, UI_get_result_minsize,
UI_get_result_maxsize, UI_set_result, UI_set_result_ex
\&\- User interface string parsing
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
@@ -171,107 +95,107 @@ UI_get_result_maxsize, UI_set_result, UI_set_result_ex
\& int UI_set_result(UI *ui, UI_STRING *uis, const char *result);
\& int UI_set_result_ex(UI *ui, UI_STRING *uis, const char *result, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1UI_STRING\s0\fR gets created internally and added to a \fB\s-1UI\s0\fR whenever
+The \fBUI_STRING\fR gets created internally and added to a \fBUI\fR whenever
one of the functions \fBUI_add_input_string()\fR, \fBUI_dup_input_string()\fR,
\&\fBUI_add_verify_string()\fR, \fBUI_dup_verify_string()\fR,
\&\fBUI_add_input_boolean()\fR, \fBUI_dup_input_boolean()\fR, \fBUI_add_info_string()\fR,
\&\fBUI_dup_info_string()\fR, \fBUI_add_error_string()\fR or \fBUI_dup_error_string()\fR
is called.
-For a \fB\s-1UI_METHOD\s0\fR user, there's no need to know more.
-For a \fB\s-1UI_METHOD\s0\fR creator, it is of interest to fetch text from these
-\&\fB\s-1UI_STRING\s0\fR objects as well as adding results to some of them.
+For a \fBUI_METHOD\fR user, there's no need to know more.
+For a \fBUI_METHOD\fR creator, it is of interest to fetch text from these
+\&\fBUI_STRING\fR objects as well as adding results to some of them.
.PP
\&\fBUI_get_string_type()\fR is used to retrieve the type of the given
-\&\fB\s-1UI_STRING\s0\fR.
+\&\fBUI_STRING\fR.
.PP
\&\fBUI_get_input_flags()\fR is used to retrieve the flags associated with the
-given \fB\s-1UI_STRING\s0\fR.
+given \fBUI_STRING\fR.
.PP
\&\fBUI_get0_output_string()\fR is used to retrieve the actual string to
output (prompt, info, error, ...).
.PP
\&\fBUI_get0_action_string()\fR is used to retrieve the action description
-associated with a \fB\s-1UIT_BOOLEAN\s0\fR type \fB\s-1UI_STRING\s0\fR.
-For all other \fB\s-1UI_STRING\s0\fR types, \s-1NULL\s0 is returned.
+associated with a \fBUIT_BOOLEAN\fR type \fBUI_STRING\fR.
+For all other \fBUI_STRING\fR types, NULL is returned.
See \fBUI_add_input_boolean\fR\|(3).
.PP
\&\fBUI_get0_result_string()\fR and \fBUI_get_result_string_length()\fR are used to
retrieve the result of a prompt and its length.
-This is only useful for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings.
-For all other \fB\s-1UI_STRING\s0\fR types, \fBUI_get0_result_string()\fR returns \s-1NULL\s0
+This is only useful for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type strings.
+For all other \fBUI_STRING\fR types, \fBUI_get0_result_string()\fR returns NULL
and \fBUI_get_result_string_length()\fR returns \-1.
.PP
\&\fBUI_get0_test_string()\fR is used to retrieve the string to compare the
prompt result with.
-This is only useful for \fB\s-1UIT_VERIFY\s0\fR type strings.
-For all other \fB\s-1UI_STRING\s0\fR types, \s-1NULL\s0 is returned.
+This is only useful for \fBUIT_VERIFY\fR type strings.
+For all other \fBUI_STRING\fR types, NULL is returned.
.PP
\&\fBUI_get_result_minsize()\fR and \fBUI_get_result_maxsize()\fR are used to
retrieve the minimum and maximum required size of the result.
-This is only useful for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings.
-For all other \fB\s-1UI_STRING\s0\fR types, \-1 is returned.
+This is only useful for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type strings.
+For all other \fBUI_STRING\fR types, \-1 is returned.
.PP
\&\fBUI_set_result_ex()\fR is used to set the result value of a prompt and its length.
-For \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, this sets the
+For \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings, this sets the
result retrievable with \fBUI_get0_result_string()\fR by copying the
contents of \fBresult\fR if its length fits the minimum and maximum size
requirements.
-For \fB\s-1UIT_BOOLEAN\s0\fR type \s-1UI\s0 strings, this sets the first character of
+For \fBUIT_BOOLEAN\fR type UI strings, this sets the first character of
the result retrievable with \fBUI_get0_result_string()\fR to the first
\&\fBok_char\fR given with \fBUI_add_input_boolean()\fR or \fBUI_dup_input_boolean()\fR
if the \fBresult\fR matched any of them, or the first of the
\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it's
-set to the \s-1NUL\s0 char \f(CW\*(C`\e0\*(C'\fR.
+set to the NUL char \f(CW\*(C`\e0\*(C'\fR.
See \fBUI_add_input_boolean\fR\|(3) for more information on \fBok_chars\fR and
\&\fBcancel_chars\fR.
.PP
\&\fBUI_set_result()\fR does the same thing as \fBUI_set_result_ex()\fR, but calculates
its length internally.
-It expects the string to be terminated with a \s-1NUL\s0 byte, and is therefore
+It expects the string to be terminated with a NUL byte, and is therefore
only useful with normal C strings.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBUI_get_string_type()\fR returns the \s-1UI\s0 string type.
+\&\fBUI_get_string_type()\fR returns the UI string type.
.PP
-\&\fBUI_get_input_flags()\fR returns the \s-1UI\s0 string flags.
+\&\fBUI_get_input_flags()\fR returns the UI string flags.
.PP
-\&\fBUI_get0_output_string()\fR returns the \s-1UI\s0 string output string.
+\&\fBUI_get0_output_string()\fR returns the UI string output string.
.PP
-\&\fBUI_get0_action_string()\fR returns the \s-1UI\s0 string action description
-string for \fB\s-1UIT_BOOLEAN\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other type.
+\&\fBUI_get0_action_string()\fR returns the UI string action description
+string for \fBUIT_BOOLEAN\fR type UI strings, NULL for any other type.
.PP
-\&\fBUI_get0_result_string()\fR returns the \s-1UI\s0 string result buffer for
-\&\fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other
+\&\fBUI_get0_result_string()\fR returns the UI string result buffer for
+\&\fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings, NULL for any other
type.
.PP
-\&\fBUI_get_result_string_length()\fR returns the \s-1UI\s0 string result buffer's
-content length for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings,
+\&\fBUI_get_result_string_length()\fR returns the UI string result buffer's
+content length for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type UI strings,
\&\-1 for any other type.
.PP
-\&\fBUI_get0_test_string()\fR returns the \s-1UI\s0 string action description
-string for \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other type.
+\&\fBUI_get0_test_string()\fR returns the UI string action description
+string for \fBUIT_VERIFY\fR type UI strings, NULL for any other type.
.PP
\&\fBUI_get_result_minsize()\fR returns the minimum allowed result size for
-the \s-1UI\s0 string for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings,
+the UI string for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type strings,
\&\-1 for any other type.
.PP
\&\fBUI_get_result_maxsize()\fR returns the minimum allowed result size for
-the \s-1UI\s0 string for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings,
+the UI string for \fBUIT_PROMPT\fR and \fBUIT_VERIFY\fR type strings,
\&\-1 for any other type.
.PP
-\&\fBUI_set_result()\fR returns 0 on success or when the \s-1UI\s0 string is of any
-type other than \fB\s-1UIT_PROMPT\s0\fR, \fB\s-1UIT_VERIFY\s0\fR or \fB\s-1UIT_BOOLEAN\s0\fR, \-1 on
+\&\fBUI_set_result()\fR returns 0 on success or when the UI string is of any
+type other than \fBUIT_PROMPT\fR, \fBUIT_VERIFY\fR or \fBUIT_BOOLEAN\fR, \-1 on
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBUI\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBUI\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3
index ebca7ef81c03..1e0af3f8b9da 100644
--- a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3
+++ b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_UTIL_READ_PW 3ossl"
-.TH UI_UTIL_READ_PW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH UI_UTIL_READ_PW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
UI_UTIL_read_pw_string, UI_UTIL_read_pw,
UI_UTIL_wrap_read_pem_callback \- user interface utilities
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
@@ -150,12 +74,12 @@ UI_UTIL_wrap_read_pem_callback \- user interface utilities
\& int verify);
\& UI_METHOD *UI_UTIL_wrap_read_pem_callback(pem_password_cb *cb, int rwflag);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBUI_UTIL_read_pw_string()\fR asks for a passphrase, using \fBprompt\fR as a
prompt, and stores it in \fBbuf\fR.
The maximum allowed size is given with \fBlength\fR, including the
-terminating \s-1NUL\s0 byte.
+terminating NUL byte.
If \fBverify\fR is nonzero, the password will be verified as well.
.PP
\&\fBUI_UTIL_read_pw()\fR does the same as \fBUI_UTIL_read_pw_string()\fR, the
@@ -163,39 +87,39 @@ difference is that you can give it an external buffer \fBbuff\fR for the
verification passphrase.
.PP
\&\fBUI_UTIL_wrap_read_pem_callback()\fR can be used to create a temporary
-\&\fB\s-1UI_METHOD\s0\fR that wraps a given \s-1PEM\s0 password callback \fBcb\fR.
+\&\fBUI_METHOD\fR that wraps a given PEM password callback \fBcb\fR.
\&\fBrwflag\fR is used to specify if this method will be used for
passphrase entry without (0) or with (1) verification.
When not used any more, the returned method should be freed with
\&\fBUI_destroy_method()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBUI_UTIL_read_pw_string()\fR and \fBUI_UTIL_read_pw()\fR use default
-\&\fB\s-1UI_METHOD\s0\fR.
+\&\fBUI_METHOD\fR.
See \fBUI_get_default_method\fR\|(3) and friends for more information.
.PP
-The result from the \fB\s-1UI_METHOD\s0\fR created by
+The result from the \fBUI_METHOD\fR created by
\&\fBUI_UTIL_wrap_read_pem_callback()\fR will generate password strings in the
encoding that the given password callback generates.
The default password prompting functions (apart from
\&\fBUI_UTIL_read_pw_string()\fR and \fBUI_UTIL_read_pw()\fR, there is
\&\fBPEM_def_callback()\fR, \fBEVP_read_pw_string()\fR and \fBEVP_read_pw_string_min()\fR)
-all use the default \fB\s-1UI_METHOD\s0\fR.
+all use the default \fBUI_METHOD\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBUI_UTIL_read_pw_string()\fR and \fBUI_UTIL_read_pw()\fR return 0 on success or a negative
value on error.
.PP
-\&\fBUI_UTIL_wrap_read_pem_callback()\fR returns a valid \fB\s-1UI_METHOD\s0\fR structure or \s-1NULL\s0
+\&\fBUI_UTIL_wrap_read_pem_callback()\fR returns a valid \fBUI_METHOD\fR structure or NULL
if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBUI_get_default_method\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_create_method.3 b/secure/lib/libcrypto/man/man3/UI_create_method.3
index 3da1b82e898c..9ba2fcac5372 100644
--- a/secure/lib/libcrypto/man/man3/UI_create_method.3
+++ b/secure/lib/libcrypto/man/man3/UI_create_method.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_CREATE_METHOD 3ossl"
-.TH UI_CREATE_METHOD 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH UI_CREATE_METHOD 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
UI_METHOD,
UI_create_method, UI_destroy_method, UI_method_set_opener,
UI_method_set_writer, UI_method_set_flusher, UI_method_set_reader,
@@ -147,7 +71,7 @@ UI_method_get_reader, UI_method_get_closer,
UI_method_get_data_duplicator, UI_method_get_data_destructor,
UI_method_get_prompt_constructor, UI_method_get_ex_data \- user
interface method creation and destruction
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
@@ -184,38 +108,38 @@ interface method creation and destruction
\& void (*UI_method_get_data_destructor(const UI_METHOD *method)) (UI *, void *);
\& const void *UI_method_get_ex_data(const UI_METHOD *method, int idx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
A method contains a few functions that implement the low-level of the
User Interface.
These functions are:
.IP "an opener" 4
.IX Item "an opener"
-This function takes a reference to a \s-1UI\s0 and starts a session, for
+This function takes a reference to a UI and starts a session, for
example by opening a channel to a tty, or by creating a dialog box.
.IP "a writer" 4
.IX Item "a writer"
-This function takes a reference to a \s-1UI\s0 and a \s-1UI\s0 String, and writes
+This function takes a reference to a UI and a UI String, and writes
the string where appropriate, maybe to the tty, maybe added as a field
label in a dialog box.
-Note that this gets fed all strings associated with a \s-1UI,\s0 one after
+Note that this gets fed all strings associated with a UI, one after
the other, so care must be taken which ones it actually uses.
.IP "a flusher" 4
.IX Item "a flusher"
-This function takes a reference to a \s-1UI,\s0 and flushes everything that
+This function takes a reference to a UI, and flushes everything that
has been output so far.
For example, if the method builds up a dialog box, this can be used to
actually display it and accepting input ended with a pressed button.
.IP "a reader" 4
.IX Item "a reader"
-This function takes a reference to a \s-1UI\s0 and a \s-1UI\s0 string and reads off
+This function takes a reference to a UI and a UI string and reads off
the given prompt, maybe from the tty, maybe from a field in a dialog
box.
-Note that this gets fed all strings associated with a \s-1UI,\s0 one after
+Note that this gets fed all strings associated with a UI, one after
the other, so care must be taken which ones it actually uses.
.IP "a closer" 4
.IX Item "a closer"
-This function takes a reference to a \s-1UI,\s0 and closes the session, maybe
+This function takes a reference to a UI, and closes the session, maybe
by closing the channel to the tty, maybe by destroying a dialog box.
.PP
All of these functions are expected to return 0 on error, 1 on
@@ -241,26 +165,26 @@ fetch those results.
.PP
The central function that uses these method functions is \fBUI_process()\fR,
and it does it in five steps:
-.IP "1." 4
+.IP 1. 4
Open the session using the opener function if that one's defined.
If an error occurs, jump to 5.
-.IP "2." 4
-For every \s-1UI\s0 String associated with the \s-1UI,\s0 call the writer function
+.IP 2. 4
+For every UI String associated with the UI, call the writer function
if that one's defined.
If an error occurs, jump to 5.
-.IP "3." 4
+.IP 3. 4
Flush everything using the flusher function if that one's defined.
If an error occurs, jump to 5.
-.IP "4." 4
-For every \s-1UI\s0 String associated with the \s-1UI,\s0 call the reader function
+.IP 4. 4
+For every UI String associated with the UI, call the reader function
if that one's defined.
If an error occurs, jump to 5.
-.IP "5." 4
+.IP 5. 4
Close the session using the closer function if that one's defined.
.PP
-\&\fBUI_create_method()\fR creates a new \s-1UI\s0 method with a given \fBname\fR.
+\&\fBUI_create_method()\fR creates a new UI method with a given \fBname\fR.
.PP
-\&\fBUI_destroy_method()\fR destroys the given \s-1UI\s0 method \fBui_method\fR.
+\&\fBUI_destroy_method()\fR destroys the given UI method \fBui_method\fR.
.PP
\&\fBUI_method_set_opener()\fR, \fBUI_method_set_writer()\fR,
\&\fBUI_method_set_flusher()\fR, \fBUI_method_set_reader()\fR and
@@ -274,7 +198,7 @@ See \fBUI_dup_user_data\fR\|(3).
See \fBUI_construct_prompt\fR\|(3).
.PP
\&\fBUI_method_set_ex_data()\fR sets application specific data with a given
-\&\s-1EX_DATA\s0 index.
+EX_DATA index.
See \fBCRYPTO_get_ex_new_index\fR\|(3) for general information on how to
get that index.
.PP
@@ -288,14 +212,14 @@ return the different method functions.
with \fBUI_method_set_ex_data()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBUI_create_method()\fR returns a \s-1UI_METHOD\s0 pointer on success, \s-1NULL\s0 on
+\&\fBUI_create_method()\fR returns a UI_METHOD pointer on success, NULL on
error.
.PP
\&\fBUI_method_set_opener()\fR, \fBUI_method_set_writer()\fR,
\&\fBUI_method_set_flusher()\fR, \fBUI_method_set_reader()\fR,
\&\fBUI_method_set_closer()\fR, \fBUI_method_set_data_duplicator()\fR and
\&\fBUI_method_set_prompt_constructor()\fR
-return 0 on success, \-1 if the given \fBmethod\fR is \s-1NULL.\s0
+return 0 on success, \-1 if the given \fBmethod\fR is NULL.
.PP
\&\fBUI_method_set_ex_data()\fR returns 1 on success and 0 on error (because
\&\fBCRYPTO_set_ex_data()\fR does so).
@@ -305,22 +229,22 @@ return 0 on success, \-1 if the given \fBmethod\fR is \s-1NULL.\s0
\&\fBUI_method_get_closer()\fR, \fBUI_method_get_data_duplicator()\fR,
\&\fBUI_method_get_data_destructor()\fR and \fBUI_method_get_prompt_constructor()\fR
return the requested function pointer if it's set in the method,
-otherwise \s-1NULL.\s0
+otherwise NULL.
.PP
\&\fBUI_method_get_ex_data()\fR returns a pointer to the application specific
data associated with the method.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBUI\s0\fR\|(3), \fBCRYPTO_get_ex_data\fR\|(3), \s-1\fBUI_STRING\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBUI\fR\|(3), \fBCRYPTO_get_ex_data\fR\|(3), \fBUI_STRING\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The \fBUI_method_set_data_duplicator()\fR, \fBUI_method_get_data_duplicator()\fR
and \fBUI_method_get_data_destructor()\fR functions were added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_new.3 b/secure/lib/libcrypto/man/man3/UI_new.3
index 0564e5c57134..ed3e5b94331e 100644
--- a/secure/lib/libcrypto/man/man3/UI_new.3
+++ b/secure/lib/libcrypto/man/man3/UI_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_NEW 3ossl"
-.TH UI_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH UI_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
UI,
UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string,
UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean,
@@ -146,7 +70,7 @@ UI_add_user_data, UI_dup_user_data, UI_get0_user_data, UI_get0_result,
UI_get_result_length,
UI_process, UI_ctrl, UI_set_default_method, UI_get_default_method,
UI_get_method, UI_set_method, UI_OpenSSL, UI_null \- user interface
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
@@ -200,65 +124,65 @@ UI_get_method, UI_set_method, UI_OpenSSL, UI_null \- user interface
\& UI_METHOD *UI_OpenSSL(void);
\& const UI_METHOD *UI_null(void);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\s-1UI\s0 stands for User Interface, and is general purpose set of routines to
+UI stands for User Interface, and is general purpose set of routines to
prompt the user for text-based information. Through user-written methods
(see \fBUI_create_method\fR\|(3)), prompting can be done in any way
imaginable, be it plain text prompting, through dialog boxes or from a
cell phone.
.PP
-All the functions work through a context of the type \s-1UI.\s0 This context
+All the functions work through a context of the type UI. This context
contains all the information needed to prompt correctly as well as a
-reference to a \s-1UI_METHOD,\s0 which is an ordered vector of functions that
+reference to a UI_METHOD, which is an ordered vector of functions that
carry out the actual prompting.
.PP
-The first thing to do is to create a \s-1UI\s0 with \fBUI_new()\fR or \fBUI_new_method()\fR,
+The first thing to do is to create a UI with \fBUI_new()\fR or \fBUI_new_method()\fR,
then add information to it with the UI_add or UI_dup functions. Also,
user-defined random data can be passed down to the underlying method
through calls to \fBUI_add_user_data()\fR or \fBUI_dup_user_data()\fR. The default
-\&\s-1UI\s0 method doesn't care about these data, but other methods might. Finally,
+UI method doesn't care about these data, but other methods might. Finally,
use \fBUI_process()\fR to actually perform the prompting and \fBUI_get0_result()\fR
and \fBUI_get_result_length()\fR to find the result to the prompt and its length.
.PP
-A \s-1UI\s0 can contain more than one prompt, which are performed in the given
+A UI can contain more than one prompt, which are performed in the given
sequence. Each prompt gets an index number which is returned by the
UI_add and UI_dup functions, and has to be used to get the corresponding
result with \fBUI_get0_result()\fR and \fBUI_get_result_length()\fR.
.PP
-\&\fBUI_process()\fR can be called more than once on the same \s-1UI,\s0 thereby allowing
-a \s-1UI\s0 to have a long lifetime, but can just as well have a short lifetime.
+\&\fBUI_process()\fR can be called more than once on the same UI, thereby allowing
+a UI to have a long lifetime, but can just as well have a short lifetime.
.PP
The functions are as follows:
.PP
-\&\fBUI_new()\fR creates a new \s-1UI\s0 using the default \s-1UI\s0 method. When done with
-this \s-1UI,\s0 it should be freed using \fBUI_free()\fR.
+\&\fBUI_new()\fR creates a new UI using the default UI method. When done with
+this UI, it should be freed using \fBUI_free()\fR.
.PP
-\&\fBUI_new_method()\fR creates a new \s-1UI\s0 using the given \s-1UI\s0 method. When done with
-this \s-1UI,\s0 it should be freed using \fBUI_free()\fR.
+\&\fBUI_new_method()\fR creates a new UI using the given UI method. When done with
+this UI, it should be freed using \fBUI_free()\fR.
.PP
-\&\fBUI_OpenSSL()\fR returns the built-in \s-1UI\s0 method (note: not necessarily the
+\&\fBUI_OpenSSL()\fR returns the built-in UI method (note: not necessarily the
default one, since the default can be changed. See further on). This
method is the most machine/OS dependent part of OpenSSL and normally
generates the most problems when porting.
.PP
-\&\fBUI_null()\fR returns a \s-1UI\s0 method that does nothing. Its use is to avoid
-getting internal defaults for passed \s-1UI_METHOD\s0 pointers.
+\&\fBUI_null()\fR returns a UI method that does nothing. Its use is to avoid
+getting internal defaults for passed UI_METHOD pointers.
.PP
-\&\fBUI_free()\fR removes a \s-1UI\s0 from memory, along with all other pieces of memory
+\&\fBUI_free()\fR removes a UI from memory, along with all other pieces of memory
that's connected to it, like duplicated input strings, results and others.
-If \fBui\fR is \s-1NULL\s0 nothing is done.
+If \fBui\fR is NULL nothing is done.
.PP
-\&\fBUI_add_input_string()\fR and \fBUI_add_verify_string()\fR add a prompt to the \s-1UI,\s0
+\&\fBUI_add_input_string()\fR and \fBUI_add_verify_string()\fR add a prompt to the UI,
as well as flags and a result buffer and the desired minimum and maximum
-sizes of the result, not counting the final \s-1NUL\s0 character. The given
+sizes of the result, not counting the final NUL character. The given
information is used to prompt for information, for example a password,
and to verify a password (i.e. having the user enter it twice and check
that the same string was entered twice). \fBUI_add_verify_string()\fR takes
and extra argument that should be a pointer to the result buffer of the
input string that it's supposed to verify, or verification will fail.
.PP
-\&\fBUI_add_input_boolean()\fR adds a prompt to the \s-1UI\s0 that's supposed to be answered
+\&\fBUI_add_input_boolean()\fR adds a prompt to the UI that's supposed to be answered
in a boolean way, with a single character for yes and a different character
for no. A set of characters that can be used to cancel the prompt is given
as well. The prompt itself is divided in two, one part being the
@@ -271,11 +195,11 @@ The difference between the two is only conceptual. With the built-in method,
there's no technical difference between them. Other methods may make a
difference between them, however.
.PP
-The flags currently supported are \fB\s-1UI_INPUT_FLAG_ECHO\s0\fR, which is relevant for
+The flags currently supported are \fBUI_INPUT_FLAG_ECHO\fR, which is relevant for
\&\fBUI_add_input_string()\fR and will have the users response be echoed (when
prompting for a password, this flag should obviously not be used, and
-\&\fB\s-1UI_INPUT_FLAG_DEFAULT_PWD\s0\fR, which means that a default password of some
-sort will be used (completely depending on the application and the \s-1UI\s0
+\&\fBUI_INPUT_FLAG_DEFAULT_PWD\fR, which means that a default password of some
+sort will be used (completely depending on the application and the UI
method).
.PP
\&\fBUI_dup_input_string()\fR, \fBUI_dup_verify_string()\fR, \fBUI_dup_input_boolean()\fR,
@@ -285,29 +209,29 @@ of all strings.
.PP
\&\fBUI_construct_prompt()\fR is a helper function that can be used to create
a prompt from two pieces of information: a phrase description \fIphrase_desc\fR
-and an object name \fIobject_name\fR, where the latter may be \s-1NULL.\s0
+and an object name \fIobject_name\fR, where the latter may be NULL.
The default constructor (if there is none provided by the method used)
-creates a string "Enter \fIphrase_desc\fR for \fIobject_name\fR:\*(L"
-where the \*(R" for \fIobject_name\fR" part is left out if \fIobject_name\fR is \s-1NULL.\s0
-With the description \*(L"pass phrase\*(R" and the filename \*(L"foo.key\*(R", that becomes
-\&\*(L"Enter pass phrase for foo.key:\*(R". Other methods may create whatever
+creates a string "Enter \fIphrase_desc\fR for \fIobject_name\fR:"
+where the " for \fIobject_name\fR" part is left out if \fIobject_name\fR is NULL.
+With the description "pass phrase" and the filename "foo.key", that becomes
+"Enter pass phrase for foo.key:". Other methods may create whatever
string and may include encodings that will be processed by the other
method functions.
.PP
\&\fBUI_add_user_data()\fR adds a user data pointer for the method to use at any
-time. The built-in \s-1UI\s0 method doesn't care about this info. Note that several
+time. The built-in UI method doesn't care about this info. Note that several
calls to this function doesn't add data, it replaces the previous blob
with the one given as argument.
.PP
\&\fBUI_dup_user_data()\fR duplicates the user data and works as an alternative
to \fBUI_add_user_data()\fR when the user data needs to be preserved for a longer
-duration, perhaps even the lifetime of the application. The \s-1UI\s0 object takes
+duration, perhaps even the lifetime of the application. The UI object takes
ownership of this duplicate and will free it whenever it gets replaced or
-the \s-1UI\s0 is destroyed. \fBUI_dup_user_data()\fR returns 0 on success, or \-1 on memory
+the UI is destroyed. \fBUI_dup_user_data()\fR returns 0 on success, or \-1 on memory
allocation failure or if the method doesn't have a duplicator function.
.PP
\&\fBUI_get0_user_data()\fR retrieves the data that has last been given to the
-\&\s-1UI\s0 with \fBUI_add_user_data()\fR or UI_dup_user_data.
+UI with \fBUI_add_user_data()\fR or UI_dup_user_data.
.PP
\&\fBUI_get0_result()\fR returns a pointer to the result buffer associated with
the information indexed by \fIi\fR.
@@ -320,33 +244,33 @@ and prompting and returns the final status, which is \-2 on out-of-band events
(Interrupt, Cancel, ...), \-1 on error and 0 on success.
.PP
\&\fBUI_ctrl()\fR adds extra control for the application author. For now, it
-understands two commands: \fB\s-1UI_CTRL_PRINT_ERRORS\s0\fR, which makes \fBUI_process()\fR
-print the OpenSSL error stack as part of processing the \s-1UI,\s0 and
-\&\fB\s-1UI_CTRL_IS_REDOABLE\s0\fR, which returns a flag saying if the used \s-1UI\s0 can
+understands two commands: \fBUI_CTRL_PRINT_ERRORS\fR, which makes \fBUI_process()\fR
+print the OpenSSL error stack as part of processing the UI, and
+\&\fBUI_CTRL_IS_REDOABLE\fR, which returns a flag saying if the used UI can
be used again or not.
.PP
-\&\fBUI_set_default_method()\fR changes the default \s-1UI\s0 method to the one given.
+\&\fBUI_set_default_method()\fR changes the default UI method to the one given.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
-\&\fBUI_get_default_method()\fR returns a pointer to the current default \s-1UI\s0 method.
+\&\fBUI_get_default_method()\fR returns a pointer to the current default UI method.
.PP
-\&\fBUI_get_method()\fR returns the \s-1UI\s0 method associated with a given \s-1UI.\s0
+\&\fBUI_get_method()\fR returns the UI method associated with a given UI.
.PP
-\&\fBUI_set_method()\fR changes the \s-1UI\s0 method associated with a given \s-1UI.\s0
-.SH "NOTES"
+\&\fBUI_set_method()\fR changes the UI method associated with a given UI.
+.SH NOTES
.IX Header "NOTES"
The resulting strings that the built in method \fBUI_OpenSSL()\fR generate
are assumed to be encoded according to the current locale or (for
Windows) code page.
For applications having different demands, these strings need to be
converted appropriately by the caller.
-For Windows, if the \fB\s-1OPENSSL_WIN32_UTF8\s0\fR environment variable is set,
-the built-in method \fBUI_OpenSSL()\fR will produce \s-1UTF\-8\s0 encoded strings
+For Windows, if the \fBOPENSSL_WIN32_UTF8\fR environment variable is set,
+the built-in method \fBUI_OpenSSL()\fR will produce UTF\-8 encoded strings
instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBUI_new()\fR and \fBUI_new_method()\fR return a valid \fB\s-1UI\s0\fR structure or \s-1NULL\s0 if an error
+\&\fBUI_new()\fR and \fBUI_new_method()\fR return a valid \fBUI\fR structure or NULL if an error
occurred.
.PP
\&\fBUI_add_input_string()\fR, \fBUI_dup_input_string()\fR, \fBUI_add_verify_string()\fR,
@@ -355,11 +279,11 @@ occurred.
and \fBUI_dup_error_string()\fR return a positive number on success or a value which
is less than or equal to 0 otherwise.
.PP
-\&\fBUI_construct_prompt()\fR returns a string or \s-1NULL\s0 if an error occurred.
+\&\fBUI_construct_prompt()\fR returns a string or NULL if an error occurred.
.PP
\&\fBUI_dup_user_data()\fR returns 0 on success or \-1 on error.
.PP
-\&\fBUI_get0_result()\fR returns a string or \s-1NULL\s0 on error.
+\&\fBUI_get0_result()\fR returns a string or NULL on error.
.PP
\&\fBUI_get_result_length()\fR returns a positive integer or 0 on success; otherwise it
returns \-1 on error.
@@ -369,16 +293,16 @@ returns \-1 on error.
\&\fBUI_ctrl()\fR returns a mask on success or \-1 on error.
.PP
\&\fBUI_get_default_method()\fR, \fBUI_get_method()\fR, \fBUI_OpenSSL()\fR, \fBUI_null()\fR and
-\&\fBUI_set_method()\fR return either a valid \fB\s-1UI_METHOD\s0\fR structure or \s-1NULL\s0
+\&\fBUI_set_method()\fR return either a valid \fBUI_METHOD\fR structure or NULL
respectively.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBUI_dup_user_data()\fR function was added in OpenSSL 1.1.1.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3
index e65372288a30..b01d90a8733b 100644
--- a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3
+++ b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_GET_D2I 3ossl"
-.TH X509V3_GET_D2I 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509V3_GET_D2I 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d,
X509_get_ext_d2i, X509_add1_ext_i2d,
+X509_ACERT_get_ext_d2i, X509_ACERT_add1_ext_i2d,
X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d,
X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d,
-X509_get0_extensions, X509_CRL_get0_extensions,
+X509_get0_extensions, X509_ACERT_get0_extensions, X509_CRL_get0_extensions,
X509_REVOKED_get0_extensions \- X509 extension decode and encode functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
@@ -160,6 +85,10 @@ X509_REVOKED_get0_extensions \- X509 extension decode and encode functions
\& int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
\& unsigned long flags);
\&
+\& void *X509_ACERT_get_ext_d2i(const X509_ACERT *x, int nid, int *crit, int *idx);
+\& int X509_ACERT_add1_ext_i2d(X509_ACERT *x, int nid, void *value, int crit,
+\& unsigned long flags);
+\&
\& void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
\& int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
\& unsigned long flags);
@@ -169,51 +98,57 @@ X509_REVOKED_get0_extensions \- X509 extension decode and encode functions
\& unsigned long flags);
\&
\& const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
+\& const STACK_OF(X509_EXTENSION) *X509_ACERT_get0_extensions(const X509 *x);
\& const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
\& const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509V3_get_d2i()\fR looks for an extension with \s-1OID\s0 \fInid\fR in the extensions
-\&\fIx\fR and, if found, decodes it. If \fIidx\fR is \s-1NULL\s0 then only one
+\&\fBX509V3_get_d2i()\fR looks for an extension with OID \fInid\fR in the extensions
+\&\fIx\fR and, if found, decodes it. If \fIidx\fR is NULL then only one
occurrence of an extension is permissible, otherwise the first extension after
index \fI*idx\fR is returned and \fI*idx\fR updated to the location of the extension.
-If \fIcrit\fR is not \s-1NULL\s0 then \fI*crit\fR is set to a status value: \-2 if the
-extension occurs multiple times (this is only returned if \fIidx\fR is \s-1NULL\s0),
+If \fIcrit\fR is not NULL then \fI*crit\fR is set to a status value: \-2 if the
+extension occurs multiple times (this is only returned if \fIidx\fR is NULL),
\&\-1 if the extension could not be found, 0 if the extension is found and is
not critical and 1 if critical. A pointer to an extension specific structure
-or \s-1NULL\s0 is returned.
+or NULL is returned.
.PP
-\&\fBX509V3_add1_i2d()\fR adds extension \fIvalue\fR to \s-1STACK\s0 \fI*x\fR (allocating a new
-\&\s-1STACK\s0 if necessary) using \s-1OID\s0 \fInid\fR and criticality \fIcrit\fR according
+\&\fBX509V3_add1_i2d()\fR adds extension \fIvalue\fR to STACK \fI*x\fR (allocating a new
+STACK if necessary) using OID \fInid\fR and criticality \fIcrit\fR according
to \fIflags\fR.
.PP
-\&\fBX509V3_EXT_d2i()\fR attempts to decode the \s-1ASN.1\s0 data contained in extension
-\&\fIext\fR and returns a pointer to an extension specific structure or \s-1NULL\s0
+\&\fBX509V3_EXT_d2i()\fR attempts to decode the ASN.1 data contained in extension
+\&\fIext\fR and returns a pointer to an extension specific structure or NULL
if the extension could not be decoded (invalid syntax or not supported).
.PP
\&\fBX509V3_EXT_i2d()\fR encodes the extension specific structure \fIext_struc\fR
-with \s-1OID\s0 \fIext_nid\fR and criticality \fIcrit\fR.
+with OID \fIext_nid\fR and criticality \fIcrit\fR.
.PP
\&\fBX509_get_ext_d2i()\fR and \fBX509_add1_ext_i2d()\fR operate on the extensions of
certificate \fIx\fR. They are otherwise identical to \fBX509V3_get_d2i()\fR and
\&\fBX509V3_add1_i2d()\fR.
.PP
+\&\fBX509_ACERT_get_ext_d2i()\fR and \fBX509_ACERT_add1_ext_i2d()\fR operate on the extensions
+of \fBX509_ACERT\fR structure \fIx\fR. They are otherwise identical to \fBX509V3_get_d2i()\fR
+and \fBX509V3_add1_i2d()\fR.
+.PP
\&\fBX509_CRL_get_ext_d2i()\fR and \fBX509_CRL_add1_ext_i2d()\fR operate on the extensions
-of \s-1CRL\s0 \fIcrl\fR. They are otherwise identical to \fBX509V3_get_d2i()\fR and
+of CRL \fIcrl\fR. They are otherwise identical to \fBX509V3_get_d2i()\fR and
\&\fBX509V3_add1_i2d()\fR.
.PP
\&\fBX509_REVOKED_get_ext_d2i()\fR and \fBX509_REVOKED_add1_ext_i2d()\fR operate on the
-extensions of \fBX509_REVOKED\fR structure \fIr\fR (i.e for \s-1CRL\s0 entry extensions).
+extensions of \fBX509_REVOKED\fR structure \fIr\fR (i.e for CRL entry extensions).
They are otherwise identical to \fBX509V3_get_d2i()\fR and \fBX509V3_add1_i2d()\fR.
.PP
-\&\fBX509_get0_extensions()\fR, \fBX509_CRL_get0_extensions()\fR and
-\&\fBX509_REVOKED_get0_extensions()\fR return a \s-1STACK\s0 of all the extensions
-of a certificate, a \s-1CRL\s0 or a \s-1CRL\s0 entry respectively.
-.SH "NOTES"
+\&\fBX509_get0_extensions()\fR, \fBX509_ACERT_get0_extensions()\fR,
+\&\fBX509_CRL_get0_extensions()\fR and \fBX509_REVOKED_get0_extensions()\fR return a
+STACK of all the extensions of a certificate, an attribute certificate,
+a CRL or a CRL entry respectively.
+.SH NOTES
.IX Header "NOTES"
In almost all cases an extension can occur at most once and multiple
-occurrences is an error. Therefore, the \fIidx\fR parameter is usually \s-1NULL.\s0
+occurrences is an error. Therefore, the \fIidx\fR parameter is usually NULL.
.PP
The \fIflags\fR parameter may be one of the following values.
.PP
@@ -239,21 +174,22 @@ If \fBX509V3_ADD_SILENT\fR is bitwise ORed with \fIflags\fR: any error returned
will not be added to the error queue.
.PP
The function \fBX509V3_get_d2i()\fR and its variants
-will return \s-1NULL\s0 if the extension is not
+will return NULL if the extension is not
found, occurs multiple times or cannot be decoded. It is possible to
determine the precise reason by checking the value of \fI*crit\fR.
+The returned pointer must be explicitly freed.
.PP
The function \fBX509V3_add1_i2d()\fR and its variants allocate \fBX509_EXTENSION\fR
-objects on \s-1STACK\s0 \fI*x\fR depending on \fIflags\fR. The \fBX509_EXTENSION\fR objects
+objects on STACK \fI*x\fR depending on \fIflags\fR. The \fBX509_EXTENSION\fR objects
must be explicitly freed using \fBX509_EXTENSION_free()\fR.
.SH "SUPPORTED EXTENSIONS"
.IX Header "SUPPORTED EXTENSIONS"
The following sections contain a list of all supported extensions
-including their name and \s-1NID.\s0
-.SS "\s-1PKIX\s0 Certificate Extensions"
+including their name and NID.
+.SS "PKIX Certificate Extensions"
.IX Subsection "PKIX Certificate Extensions"
-The following certificate extensions are defined in \s-1PKIX\s0 standards such as
-\&\s-1RFC5280.\s0
+The following certificate extensions are defined in PKIX standards such as
+RFC5280.
.PP
.Vb 3
\& Basic Constraints NID_basic_constraints
@@ -300,9 +236,9 @@ The following are (largely obsolete) Netscape certificate extensions.
\& Strong Extranet ID NID_sxnet
\& Proxy Certificate Information NID_proxyCertInfo
.Ve
-.SS "\s-1PKIX CRL\s0 Extensions"
+.SS "PKIX CRL Extensions"
.IX Subsection "PKIX CRL Extensions"
-The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
+The following are CRL extensions from PKIX standards such as RFC5280.
.PP
.Vb 6
\& CRL Number NID_crl_number
@@ -313,13 +249,13 @@ The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1R
\& Issuing Distribution Point NID_issuing_distribution_point
.Ve
.PP
-The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
+The following are CRL entry extensions from PKIX standards such as RFC5280.
.PP
.Vb 2
\& CRL Reason Code NID_crl_reason
\& Certificate Issuer NID_certificate_issuer
.Ve
-.SS "\s-1OCSP\s0 Extensions"
+.SS "OCSP Extensions"
.IX Subsection "OCSP Extensions"
.Vb 7
\& OCSP Nonce NID_id_pkix_OCSP_Nonce
@@ -332,7 +268,7 @@ The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as
.Ve
.SS "Certificate Transparency Extensions"
.IX Subsection "Certificate Transparency Extensions"
-The following extensions are used by certificate transparency, \s-1RFC6962\s0
+The following extensions are used by certificate transparency, RFC6962
.PP
.Vb 2
\& CT Precertificate SCTs NID_ct_precert_scts
@@ -341,7 +277,7 @@ The following extensions are used by certificate transparency, \s-1RFC6962\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509V3_get_d2i()\fR, its variants, and \fBX509V3_EXT_d2i()\fR return
-a pointer to an extension specific structure or \s-1NULL\s0 if an error occurs.
+a pointer to an extension specific structure or NULL if an error occurs.
.PP
\&\fBX509V3_add1_i2d()\fR and its variants return 1 if the operation is successful
and 0 if it fails due to a non-fatal error (extension not found, already exists,
@@ -349,11 +285,11 @@ cannot be encoded) or \-1 due to a fatal error such as a memory allocation
failure.
.PP
\&\fBX509V3_EXT_i2d()\fR returns a pointer to an \fBX509_EXTENSION\fR structure
-or \s-1NULL\s0 if an error occurs.
+or NULL if an error occurs.
.PP
\&\fBX509_get0_extensions()\fR, \fBX509_CRL_get0_extensions()\fR and
\&\fBX509_REVOKED_get0_extensions()\fR return a stack of extensions. They return
-\&\s-1NULL\s0 if no extensions are present.
+NULL if no extensions are present.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
@@ -372,11 +308,15 @@ or \s-1NULL\s0 if an error occurs.
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509_ACERT_get_ext_d2i()\fR, \fBX509_ACERT_add1_ext_i2d()\fR,
+\&\fBX509_ACERT_get0_extensions()\fR were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3 b/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3
index 66a8e2028d27..2fd52fce95b2 100644
--- a/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3
+++ b/secure/lib/libcrypto/man/man3/X509V3_set_ctx.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_SET_CTX 3ossl"
-.TH X509V3_SET_CTX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509V3_SET_CTX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509V3_set_ctx,
X509V3_set_issuer_pkey \- X.509 v3 extension generation utilities
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
@@ -148,49 +72,51 @@ X509V3_set_issuer_pkey \- X.509 v3 extension generation utilities
\& X509_REQ *req, X509_CRL *crl, int flags);
\& int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509V3_set_ctx()\fR fills in the basic fields of \fIctx\fR of type \fBX509V3_CTX\fR,
-providing details potentially needed by functions producing X509 v3 extensions,
-e.g., to look up values for filling in authority key identifiers.
-Any of \fIsubject\fR, \fIreq\fR, or \fIcrl\fR may be provided, pointing to a certificate,
-certification request, or certificate revocation list, respectively.
+providing details potentially needed by functions producing X509 v3 extensions.
+These may make use of fields of the certificate \fIsubject\fR, the certification
+request \fIreq\fR, or the certificate revocation list \fIcrl\fR.
+At most one of these three parameters can be non-NULL.
When constructing the subject key identifier of a certificate by computing a
hash value of its public key, the public key is taken from \fIsubject\fR or \fIreq\fR.
Similarly, when constructing subject alternative names from any email addresses
-contained in a subject \s-1DN,\s0 the subject \s-1DN\s0 is taken from \fIsubject\fR or \fIreq\fR.
-If \fIsubject\fR or \fIcrl\fR is provided, \fIissuer\fR should point to its issuer,
-for instance to help generating an authority key identifier extension.
-Note that if \fIsubject\fR is provided, \fIissuer\fR may be the same as \fIsubject\fR,
-which means that \fIsubject\fR is self-issued (or even self-signed).
+contained in a subject DN, the subject DN is taken from \fIsubject\fR or \fIreq\fR.
+If \fIsubject\fR or \fIcrl\fR is provided, \fIissuer\fR should point to its issuer, for
+instance as a reference for generating the authority key identifier extension.
+\&\fIissuer\fR may be the same pointer value as \fIsubject\fR (which usually is an
+indication that the \fIsubject\fR certificate is self-issued or even self-signed).
+In this case the fallback source for generating the authority key identifier
+extension will be taken from any value provided using \fBX509V3_set_issuer_pkey()\fR.
\&\fIflags\fR may be 0
or contain \fBX509V3_CTX_TEST\fR, which means that just the syntax of
-extension definitions is to be checked without actually producing an extension,
+extension definitions is to be checked without actually producing any extension,
or \fBX509V3_CTX_REPLACE\fR, which means that each X.509v3 extension added as
defined in some configuration section shall replace any already existing
-extension with the same \s-1OID.\s0
+extension with the same OID.
.PP
\&\fBX509V3_set_issuer_pkey()\fR explicitly sets the issuer private key of
-the certificate that has been provided in \fIctx\fR.
-This should be done for self-issued certificates (which may be self-signed
-or not) to provide fallback data for the authority key identifier extension.
+the subject certificate that has been provided in \fIctx\fR.
+This should be done in case the \fIissuer\fR and \fIsubject\fR arguments to
+\&\fBX509V3_set_ctx()\fR have the same pointer value
+to provide fallback data for the authority key identifier extension.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509V3_set_ctx()\fR and \fBX509V3_set_issuer_pkey()\fR
-return 1 on success and 0 on error.
+\&\fBX509V3_set_issuer_pkey()\fR returns 1 on success and 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_add_ext\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509V3_set_issuer_pkey()\fR was added in OpenSSL 3.0.
.PP
-\&\s-1CTX_TEST\s0 was deprecated in OpenSSL 3.0; use X509V3_CTX_TEST instead.
-.SH "COPYRIGHT"
+CTX_TEST was deprecated in OpenSSL 3.0; use X509V3_CTX_TEST instead.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3
new file mode 100644
index 000000000000..5f93e6e7d40a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_ACERT_add1_attr.3
@@ -0,0 +1,120 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_ACERT_ADD1_ATTR 3ossl"
+.TH X509_ACERT_ADD1_ATTR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_ACERT_add1_attr,
+X509_ACERT_add1_attr_by_NID,
+X509_ACERT_add1_attr_by_OBJ,
+X509_ACERT_add1_attr_by_txt,
+X509_ACERT_delete_attr
+\&\- X509_ACERT attribute functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& int X509_ACERT_add1_attr(X509_ACERT *x, X509_ATTRIBUTE *attr);
+\& int X509_ACERT_add1_attr_by_NID(X509_ACERT *x, int nid, int type,
+\& const void *bytes, int len);
+\& int X509_ACERT_add1_attr_by_OBJ(X509_ACERT *x, const ASN1_OBJECT *obj,
+\& int type, const void *bytes, int len);
+\& int X509_ACERT_add1_attr_by_txt(X509_ACERT *x, const char *attrname, int type,
+\& const unsigned char *bytes, int len);
+\& X509_ATTRIBUTE *X509_ACERT_delete_attr(X509_ACERT *x, int loc);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_ACERT_add1_attr()\fR adds a constructed X509_ATTRIBUTE \fBattr\fR to the
+existing X509_ACERT structure \fBx\fR.
+.PP
+\&\fBX509_ACERT_add1_attr_by_NID()\fR and \fBX509_ACERT_add1_attr_by_OBJ()\fR
+add an attribute of type \fInid\fR or \fIobj\fR with a value of ASN1
+type \fItype\fR constructed using \fIlen\fR bytes from \fIbytes\fR.
+.PP
+\&\fBX509_ACERT_add1_attr_by_txt()\fR adds an attribute of type \fIattrname\fR with a value of
+ASN1 type \fItype\fR constructed using \fIlen\fR bytes from \fIbytes\fR.
+.PP
+\&\fBX509_ACERT_delete_attr()\fR will delete the \fIloc\fRth attribute from \fIx\fR and
+return a pointer to it or NULL if there are fewer than \fIloc\fR attributes
+contained in \fIx\fR.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_ACERT_add1_attr()\fR, \fBX509_ACERT_add1_attr_by_NID()\fR, and
+\&\fBX509_ACERT_add1_attr_by_OBJ()\fR return 1 for success and 0 for failure.
+.PP
+\&\fBX509_ACERT_delete_attr()\fR returns a \fBX509_ATTRIBUTE\fR pointer on
+success or NULL on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_ACERT_get_attr_count\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509_ACERT_add1_attr()\fR, \fBX509_ACERT_add1_attr_by_NID()\fR, \fBX509_ACERT_add1_attr_by_OBJ()\fR,
+\&\fBX509_ACERT_add1_attr_by_txt()\fR and \fBX509_ACERT_delete_attr()\fR were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3
new file mode 100644
index 000000000000..8026fdffd143
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_ACERT_add_attr_nconf.3
@@ -0,0 +1,120 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_ACERT_ADD_ATTR_NCONF 3ossl"
+.TH X509_ACERT_ADD_ATTR_NCONF 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_ACERT_add_attr_nconf
+\&\- Add attributes to X509_ACERT from configuration section
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& int X509_ACERT_add_attr_nconf(CONF *conf, const char *section,
+\& X509_ACERT *acert);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_ACERT_add_attr_nconf()\fR adds one or more \fBX509_ATTRIBUTE\fRs to the
+existing \fBX509_ACERT\fR structure \fIacert\fR. The attributes are read
+from a \fIsection\fR of the \fIconf\fR object.
+.PP
+The give \fIsection\fR of the configuration should contain attribute
+descriptions of the form:
+.PP
+.Vb 1
+\& attribute_name = value
+.Ve
+.PP
+The format of \fBvalue\fR will vary depending on the \fBattribute_name\fR.
+\&\fBvalue\fR can either be a string value or an \fBASN1_TYPE\fR
+object.
+.PP
+To encode an \fBASN1_TYPE\fR object, use the prefix "ASN1:" followed by
+the object description that uses the same syntax as \fBASN1_generate_nconf\fR\|(3).
+For example:
+.PP
+.Vb 1
+\& id\-aca\-group = ASN1:SEQUENCE:ietfattr
+\&
+\& [ietfattr]
+\& values = SEQUENCE:groups
+\&
+\& [groups]
+\& 1.string = UTF8:mygroup1
+.Ve
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_ACERT_add_attr_nconf()\fR returns 1 for success and 0 for failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBASN1_generate_nconf\fR\|(3).
+.SH HISTORY
+.IX Header "HISTORY"
+The function \fBX509_ACERT_add_attr_nconf()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3
new file mode 100644
index 000000000000..14fbc0f582cb
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_ACERT_get0_holder_baseCertId.3
@@ -0,0 +1,168 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_ACERT_GET0_HOLDER_BASECERTID 3ossl"
+.TH X509_ACERT_GET0_HOLDER_BASECERTID 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_ACERT_get0_holder_baseCertId,
+X509_ACERT_get0_holder_digest,
+X509_ACERT_get0_holder_entityName,
+X509_ACERT_set0_holder_baseCertId,
+X509_ACERT_set0_holder_digest,
+X509_ACERT_set0_holder_entityName,
+OSSL_ISSUER_SERIAL_get0_issuer,
+OSSL_ISSUER_SERIAL_get0_issuerUID,
+OSSL_ISSUER_SERIAL_get0_serial,
+OSSL_ISSUER_SERIAL_set1_issuer,
+OSSL_ISSUER_SERIAL_set1_issuerUID,
+OSSL_ISSUER_SERIAL_set1_serial,
+OSSL_OBJECT_DIGEST_INFO_get0_digest,
+OSSL_OBJECT_DIGEST_INFO_set1_digest \- get and set Attribute Certificate holder fields
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& const GENERAL_NAMES *X509_ACERT_get0_holder_entityName(const X509_ACERT *x);
+\& OSSL_ISSUER_SERIAL *X509_ACERT_get0_holder_baseCertId(const X509_ACERT *x);
+\& OSSL_OBJECT_DIGEST_INFO * X509_ACERT_get0_holder_digest(const X509_ACERT *x);
+\& void X509_ACERT_set0_holder_entityName(X509_ACERT *x, GENERAL_NAMES *name);
+\& void X509_ACERT_set0_holder_baseCertId(X509_ACERT *x, OSSL_ISSUER_SERIAL *isss);
+\& void X509_ACERT_set0_holder_digest(X509_ACERT *x,
+\& OSSL_OBJECT_DIGEST_INFO *dinfo);
+\&
+\& X509_NAME *OSSL_ISSUER_SERIAL_get0_issuer(OSSL_ISSUER_SERIAL *isss);
+\& ASN1_INTEGER *OSSL_ISSUER_SERIAL_get0_serial(OSSL_ISSUER_SERIAL *isss);
+\& ASN1_BIT_STRING *OSSL_ISSUER_SERIAL_get0_issuerUID(OSSL_ISSUER_SERIAL *isss);
+\& int OSSL_ISSUER_SERIAL_set1_issuer(OSSL_ISSUER_SERIAL *isss, X509_NAME *issuer);
+\& int OSSL_ISSUER_SERIAL_set1_serial(OSSL_ISSUER_SERIAL *isss, ASN1_INTEGER *serial);
+\& int OSSL_ISSUER_SERIAL_set1_issuerUID(OSSL_ISSUER_SERIAL *isss, ASN1_BIT_STRING *uid);
+\&
+\& void OSSL_OBJECT_DIGEST_INFO_get0_digest(OSSL_OBJECT_DIGEST_INFO *o,
+\& ASN1_ENUMERATED **digestedObjectType,
+\& X509_ALGOR **digestAlgorithm,
+\& ASN1_BIT_STRING **digest);
+\& void OSSL_OBJECT_DIGEST_INFO_set1_digest(OSSL_OBJECT_DIGEST_INFO *o,
+\& ASN1_ENUMERATED *digestedObjectType,
+\& X509_ALGOR *digestAlgorithm,
+\& ASN1_BIT_STRING *digest);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+These routines set and get the holder identity of an X509 attribute certificate.
+.PP
+\&\fBX509_ACERT_set0_holder_entityName()\fR sets the identity as a \fBGENERAL_NAME\fR
+\&\fIname\fR, \fBX509_ACERT_set0_holder_baseCertId()\fR sets the identity based on the
+issuer and serial number of a certificate detailed in \fIisss\fR and
+\&\fBX509_ACERT_set0_holder_digest()\fR sets the holder entity based on digest
+information \fIdinfo\fR. Although RFC 5755 section 4.2.2 recommends that only
+one of the above methods be used to set the holder identity for a given
+attribute certificate \fIx\fR, setting multiple methods at the same time is
+possible. It is up to the application to handle cases when conflicting
+identity information is specified using different methods.
+.PP
+Pointers to the internal structures describing the holder identity of
+attribute certificate \fIx\fR can be retrieved with
+\&\fBX509_ACERT_get0_holder_entityName()\fR, \fBX509_ACERT_get0_holder_baseCertId()\fR, and
+\&\fBX509_ACERT_get0_holder_digest()\fR.
+.PP
+A \fBOSSL_ISSUER_SERIAL\fR object holds the subject name and UID of a certificate
+issuer and a certificate's serial number. \fBOSSL_ISSUER_SERIAL_set1_issuer()\fR,
+\&\fBOSSL_ISSUER_SERIAL_set1_issuerUID()\fR, and \fBOSSL_ISSUER_SERIAL_set1_serial()\fR
+respectively copy these values into the \fBOSSL_ISSUER_SERIAL\fR structure.
+The application is responsible for freeing its own copy of these values after
+use. \fBOSSL_ISSUER_SERIAL_get0_issuer()\fR, \fBOSSL_ISSUER_SERIAL_get0_issuerUID()\fR,
+and \fBOSSL_ISSUER_SERIAL_get0_serial()\fR return pointers to these values in the object.
+.PP
+An \fBOSSL_OBJECT_DIGEST_INFO\fR object holds a digest of data to identify the
+attribute certificate holder. \fBOSSL_OBJECT_DIGEST_INFO_set1_digest()\fR sets the
+digest information of the object. The type of \fIdigest\fR information is given
+by \fIdigestedObjectType\fR and can be one of:
+.IP OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY 4
+.IX Item "OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY"
+Hash of a public key
+.IP OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT 4
+.IX Item "OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT"
+Hash of a public key certificate
+.IP OSSL_OBJECT_DIGEST_INFO_OTHER 4
+.IX Item "OSSL_OBJECT_DIGEST_INFO_OTHER"
+Hash of another object. See NOTES below.
+.PP
+\&\fIdigestAlgorithm\fR indicates the algorithm used to compute \fIdigest\fR.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+All \fIset0\fR/\fIset1\fR routines return 1 for success and 0 for failure.
+All \fIget0\fR functions return a pointer to the object's inner structure. These
+pointers must not be freed after use.
+.SH NOTES
+.IX Header "NOTES"
+Although the value of \fBOSSL_OBJECT_DIGEST_INFO_OTHER\fR is defined in RFC 5755,
+its use is prohibited for conformant attribute certificates.
+.SH HISTORY
+.IX Header "HISTORY"
+These functions were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3
new file mode 100644
index 000000000000..4184e9b3e204
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_ACERT_get_attr.3
@@ -0,0 +1,113 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_ACERT_GET_ATTR 3ossl"
+.TH X509_ACERT_GET_ATTR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_ACERT_get_attr,
+X509_ACERT_get_attr_by_NID,
+X509_ACERT_get_attr_by_OBJ,
+X509_ACERT_get_attr_count
+\&\- Retrieve attributes from an X509_ACERT structure
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& X509_ATTRIBUTE *X509_ACERT_get_attr(const X509_ACERT *x, int loc);
+\& int X509_ACERT_get_attr_by_NID(const X509_ACERT *x, int nid, int lastpos);
+\& int X509_ACERT_get_attr_by_OBJ(const X509_ACERT *x, const ASN1_OBJECT *obj,
+\& int lastpos);
+\& int X509_ACERT_get_attr_count(const X509_ACERT *x);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_ACERT_get0_attr()\fR retrieves the \fIloc\fRth \fBX509_ATTRIBUTE\fR from an
+\&\fBX509_ACERT\fR \fIx\fR. \fBX509_ACERT_get_attr_count()\fR returns the total number
+of attributes in the \fBX509_ACERT\fR.
+.PP
+\&\fBX509_ACERT_get_attr_by_NID()\fR and \fBX509_ACERT_get_attr_by_OBJ()\fR retrieve the next
+attribute location matching \fInid\fR or \fIobj\fR after \fIlastpos\fR. \fIlastpos\fR
+should initially be set to \-1.
+If there are no more entries \-1 is returned. If \fInid\fR is invalid
+(doesn't correspond to a valid OID) then \-2 is returned.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_ACERT_get0_attr()\fR return a \fBX509_ATTRIBUTE\fR from an attribute
+certificate, or NULL if the specified attribute is not found.
+.PP
+\&\fBX509_ACERT_get_attr_by_NID()\fR and \fBX509_ACERT_get_attr_by_OBJ()\fR return
+the location of the next attribute requested or \-1 if not found.
+\&\fBX509_ACERT_get_attr_by_NID()\fR can also return \-2 if the supplied NID is invalid.
+.PP
+\&\fBX509_ACERT_get_attr_count()\fR returns the number of attributes in the given
+attribute certificate.
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509_ACERT_get0_attr()\fR, \fBX509_ACERT_get_attr_by_NID()\fR, \fBX509_ACERT_get_attr_by_OBJ()\fR and
+\&\fBX509_ACERT_get_attr_count()\fR were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3
new file mode 100644
index 000000000000..256e2526cf43
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_ACERT_print_ex.3
@@ -0,0 +1,159 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_ACERT_PRINT_EX 3ossl"
+.TH X509_ACERT_PRINT_EX 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_ACERT_print_ex, X509_ACERT_print
+\&\- X509_ACERT printing routines
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_acert.h>
+\&
+\& int X509_ACERT_print(BIO *bp, X509_ACERT *acert);
+\& int X509_ACERT_print_ex(BIO *bp, X509_ACERT *acert, unsigned long nmflags,
+\& unsigned long cflag);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_ACERT_print_ex()\fR prints a human readable version of the attribute
+certificate \fIacert\fR to BIO \fIbp\fR.
+.PP
+The following data contained in the attribute certificate is printed
+in order:
+.IP \(bu 4
+The header text "Attribute certificate:" and "Data:" (X509_FLAG_NO_HEADER)
+.Sp
+= item *
+.Sp
+The attribute certificate version number as defined by the standard,
+followed in parentheses by the value contained in the version field in
+hexadecimal notation. If the version number is not a valid value according
+to the specification, only the raw value is printed.
+See \fBX509_ACERT_get_version\fR\|(3) for details. (X509_FLAG_NO_VERSION)
+.Sp
+= item *
+.Sp
+The serial number of the attribute certificate (X509_FLAG_NO_SERIAL)
+.Sp
+= item *
+.Sp
+The identity of the holder of the attribute certificate. If the
+holder issuer name is present, the first GENERAL_NAME
+returned by \fBX509_ACERT_get0_holder_entityName()\fR is printed.
+If the holder baseCertificateId is present, the issuer name
+(printed with X509_NAME_print_ex) and serial number of the
+holder's certificate are displayed. (X509_FLAG_NO_SUBJECT)
+.Sp
+= item *
+.Sp
+The name of the attribute certificate issuer as returned from
+\&\fBX509_ACERT_get0_issuerName()\fR and printed using \fBX509_NAME_print_ex()\fR.
+(X509_FLAG_NO_ISSUER)
+.Sp
+= item *
+.Sp
+The period of validity between the times returned from \fBX509_ACERT_get0_notBefore()\fR
+and \fBX509_ACERT_get0_notAfter()\fR. The values are printed as a generalized times
+using \fBASN1_GENERALIZEDTIME_print()\fR. (X509_FLAG_NO_VALIDITY)
+.Sp
+= item *
+.Sp
+The list of attributes contained in the attribute certificate.
+The attribute type is printed with \fBi2a_ASN1_OBJECT()\fR. String valued
+attributes are printed as raw string data. ASN1 encoded values are
+printed with \fBASN1_parse_dump()\fR. (X509_FLAG_NO_ATTRIBUTES)
+.Sp
+= item *
+.Sp
+All X.509 extensions contained in the attribute certificate. (X509_FLAG_NO_EXTENSIONS)
+.Sp
+= item *
+.Sp
+The signature is printed with \fBX509_signature_print()\fR. (X509_FLAG_NO_SIGDUMP)
+.Sp
+If \fIcflag\fR is specifies as X509_FLAG_COMPAT, all of the above data in the
+attribute certificate will be printed.
+.Sp
+The \fInmflags\fR flag determines the format used to output all fields printed using
+\&\fBX509_NAME_print_ex()\fR. See \fBX509_NAME_print_ex\fR\|(3) for details.
+.Sp
+\&\fBX509_ACERT_print()\fR is equivalent to calling \fBX509_ACERT_print_ex()\fR with the
+\&\fInmflags\fR and \fIcflags\fR set to XN_FLAG_COMPAT and X509_FLAG_COMPAT
+respectively.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_ACERT_print_ex()\fR \fBX509_ACERT_print()\fR return 1 for
+success and 0 for failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_NAME_print_ex\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509_ACERT_print()\fR and \fBX509_ACERT_print_ex()\fR were added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3
index ee8f506ab592..b25048223871 100644
--- a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3
+++ b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_ALGOR_DUP 3ossl"
-.TH X509_ALGOR_DUP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_ALGOR_DUP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_cmp, X509_ALGOR_copy \- AlgorithmIdentifier functions
-.SH "SYNOPSIS"
+.SH NAME
+X509_ALGOR_dup,
+X509_ALGOR_set0, X509_ALGOR_get0,
+X509_ALGOR_set_md, X509_ALGOR_cmp,
+X509_ALGOR_copy \- AlgorithmIdentifier functions
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -151,32 +78,33 @@ X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_
\& int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
\& int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509_ALGOR_dup()\fR returns a copy of \fBalg\fR.
+\&\fBX509_ALGOR_dup()\fR returns a copy of \fIalg\fR.
.PP
-\&\fBX509_ALGOR_set0()\fR sets the algorithm \s-1OID\s0 of \fBalg\fR to \fBaobj\fR and the
-associated parameter type to \fBptype\fR with value \fBpval\fR. If \fBptype\fR is
-\&\fBV_ASN1_UNDEF\fR the parameter is omitted, otherwise \fBptype\fR and \fBpval\fR have
-the same meaning as the \fBtype\fR and \fBvalue\fR parameters to \fBASN1_TYPE_set()\fR.
-All the supplied parameters are used internally so must \fB\s-1NOT\s0\fR be freed after
-this call.
+\&\fBX509_ALGOR_set0()\fR sets the algorithm OID of \fIalg\fR to \fIaobj\fR and the
+associated parameter type to \fIptype\fR with value \fIpval\fR. If \fIptype\fR is
+\&\fBV_ASN1_UNDEF\fR the parameter is omitted, otherwise \fIptype\fR and \fIpval\fR have
+the same meaning as the \fItype\fR and \fIvalue\fR parameters to \fBASN1_TYPE_set()\fR.
+All the supplied parameters are used internally so must \fBNOT\fR be freed after
+this call succeeded;
+otherwise ownership remains with the caller and \fIalg\fR remains untouched.
.PP
\&\fBX509_ALGOR_get0()\fR is the inverse of \fBX509_ALGOR_set0()\fR: it returns the
-algorithm \s-1OID\s0 in \fB*paobj\fR and the associated parameter in \fB*pptype\fR
-and \fB*ppval\fR from the \fBAlgorithmIdentifier\fR \fBalg\fR.
+algorithm OID in \fI*paobj\fR and the associated parameter in \fI*pptype\fR
+and \fI*ppval\fR from the \fBAlgorithmIdentifier\fR \fIalg\fR.
.PP
-\&\fBX509_ALGOR_set_md()\fR sets the \fBAlgorithmIdentifier\fR \fBalg\fR to appropriate
-values for the message digest \fBmd\fR.
+\&\fBX509_ALGOR_set_md()\fR sets the \fBAlgorithmIdentifier\fR \fIalg\fR to appropriate
+values for the message digest \fImd\fR.
.PP
-\&\fBX509_ALGOR_cmp()\fR compares \fBa\fR and \fBb\fR and returns 0 if they have identical
+\&\fBX509_ALGOR_cmp()\fR compares \fIa\fR and \fIb\fR and returns 0 if they have identical
encodings and nonzero otherwise.
.PP
\&\fBX509_ALGOR_copy()\fR copies the source values into the dest structs; making
a duplicate of each (and free any thing pointed to from within *dest).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_ALGOR_dup()\fR returns a valid \fBX509_ALGOR\fR structure or \s-1NULL\s0 if an error
+\&\fBX509_ALGOR_dup()\fR returns a valid \fBX509_ALGOR\fR structure or NULL if an error
occurred.
.PP
\&\fBX509_ALGOR_set0()\fR and \fBX509_ALGOR_copy()\fR return 1 on success or 0 on error.
@@ -185,14 +113,14 @@ occurred.
.PP
\&\fBX509_ALGOR_cmp()\fR returns 0 if the two parameters have identical encodings and
nonzero otherwise.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_ALGOR_copy()\fR was added in 1.1.1e.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3 b/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3
new file mode 100644
index 000000000000..2a7d05d11ec1
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_ATTRIBUTE.3
@@ -0,0 +1,321 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_ATTRIBUTE 3ossl"
+.TH X509_ATTRIBUTE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_ATTRIBUTE, X509at_get_attr,
+X509at_get_attr_count, X509at_get_attr_by_NID, X509at_get_attr_by_OBJ,
+X509at_delete_attr,
+X509at_add1_attr,
+X509at_add1_attr_by_OBJ, X509at_add1_attr_by_NID, X509at_add1_attr_by_txt,
+X509at_get0_data_by_OBJ,
+X509_ATTRIBUTE_create, X509_ATTRIBUTE_create_by_NID,
+X509_ATTRIBUTE_create_by_OBJ, X509_ATTRIBUTE_create_by_txt,
+X509_ATTRIBUTE_set1_object, X509_ATTRIBUTE_set1_data,
+X509_ATTRIBUTE_count,
+X509_ATTRIBUTE_get0_data, X509_ATTRIBUTE_get0_object, X509_ATTRIBUTE_get0_type
+\&\- X509 attribute functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509.h>
+\&
+\& typedef struct x509_attributes_st X509_ATTRIBUTE;
+\&
+\& int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
+\& int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
+\& int lastpos);
+\& int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
+\& const ASN1_OBJECT *obj, int lastpos);
+\& X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
+\& X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
+\& STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
+\& X509_ATTRIBUTE *attr);
+\& STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE)
+\& **x, const ASN1_OBJECT *obj,
+\& int type,
+\& const unsigned char *bytes,
+\& int len);
+\& STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE)
+\& **x, int nid, int type,
+\& const unsigned char *bytes,
+\& int len);
+\& STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
+\& **x, const char *attrname,
+\& int type,
+\& const unsigned char *bytes,
+\& int len);
+\& void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
+\& const ASN1_OBJECT *obj, int lastpos, int type);
+\& X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
+\& X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
+\& int atrtype, const void *data,
+\& int len);
+\& X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
+\& const ASN1_OBJECT *obj,
+\& int atrtype, const void *data,
+\& int len);
+\& X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
+\& const char *atrname, int type,
+\& const unsigned char *bytes,
+\& int len);
+\& int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
+\& int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
+\& const void *data, int len);
+\& void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
+\& void *data);
+\& int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
+\& ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
+\& ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_ATTRIBUTE\fR objects are used by many standards including X509, X509_REQ,
+PKCS12, PKCS8, PKCS7 and CMS.
+.PP
+The \fBX509_ATTRIBUTE\fR object is used to represent the ASN.1 Attribute as defined
+in RFC 5280, i.e.
+.PP
+.Vb 3
+\& Attribute ::= SEQUENCE {
+\& type AttributeType,
+\& values SET OF AttributeValue }
+\&
+\& AttributeType ::= OBJECT IDENTIFIER
+\& AttributeValue ::= ANY \-\- DEFINED BY AttributeType
+.Ve
+.PP
+For example CMS defines the signing-time attribute as:
+.PP
+.Vb 2
+\& id\-signingTime OBJECT IDENTIFIER ::= { iso(1) member\-body(2)
+\& us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
+\&
+\& SigningTime ::= Time
+\&
+\& Time ::= CHOICE {
+\& utcTime UTCTime,
+\& generalizedTime GeneralizedTime }
+.Ve
+.PP
+In OpenSSL \fBAttributeType\fR maps to an \fBASN1_OBJECT\fR object
+and \fBAttributeValue\fR maps to a list of \fBASN1_TYPE\fR objects.
+.PP
+The following functions are used for \fBX509_ATTRIBUTE\fR objects.
+.PP
+\&\fBX509at_get_attr_by_OBJ()\fR finds the location of the first matching object \fIobj\fR
+in a list of attributes \fIsk\fR. The search starts at the position after \fIlastpos\fR.
+If the returned value is positive then it can be used on the next call to
+\&\fBX509at_get_attr_by_OBJ()\fR as the value of \fIlastpos\fR in order to iterate through
+the remaining attributes. \fIlastpos\fR can be set to any negative value on the
+first call, in order to start searching from the start of the list.
+.PP
+\&\fBX509at_get_attr_by_NID()\fR is similar to \fBX509at_get_attr_by_OBJ()\fR except that it
+passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBX509at_get_attr()\fR returns the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in the
+list of attributes \fIx\fR. \fIloc\fR should be in the range from 0 to
+\&\fBX509at_get_attr_count()\fR \- 1.
+.PP
+\&\fBX509at_delete_attr()\fR removes the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in
+the list of attributes \fIx\fR.
+.PP
+\&\fBX509at_add1_attr()\fR pushes a copy of the passed in \fBX509_ATTRIBUTE\fR object
+to the list \fIx\fR.
+Both \fIx\fR and \fIattr\fR must be non NULL or an error will occur.
+If \fI*x\fR is NULL then a new list is created, otherwise it uses the
+passed in list. An error will occur if an existing attribute (with the same
+attribute type) already exists in the attribute list.
+.PP
+\&\fBX509at_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using
+\&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new
+\&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it
+to the attribute list \fIx\fR. Both \fIx\fR and \fIattr\fR must be non NULL or an error
+will occur. If \fI*x\fR is NULL then a new attribute list is created. If \fIobj\fR
+already exists in the attribute list then an error occurs.
+.PP
+\&\fBX509at_add1_attr_by_NID()\fR is similar to \fBX509at_add1_attr_by_OBJ()\fR except that it
+passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBX509at_add1_attr_by_txt()\fR is similar to \fBX509at_add1_attr_by_OBJ()\fR except that it
+passes a name \fIattrname\fR associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+.PP
+\&\fBX509_ATTRIBUTE_set1_object()\fR assigns a \fBASN1_OBJECT\fR \fIobj\fR
+to the attribute \fIattr\fR. If \fIattr\fR contained an existing \fBASN1_OBJECT\fR then
+it is freed. An error occurs if either \fIattr\fR or \fIobj\fR are NULL, or if
+the passed in \fIobj\fR cannot be duplicated.
+.PP
+\&\fBX509_ATTRIBUTE_set1_data()\fR pushes a new \fBASN1_TYPE\fR object onto the \fIattr\fR
+attributes list. The new object is assigned a copy of the data in \fIdata\fR of
+size \fIlen\fR.
+If \fIattrtype\fR has flag \fIMBSTRING_FLAG\fR set then a table lookup using the
+\&\fIattr\fR attributes NID is used to set an \fBASN1_STRING\fR using
+\&\fBASN1_STRING_set_by_NID()\fR, and the passed in \fIdata\fR must be in the format
+required for that object type or an error will occur.
+If \fIlen\fR is not \-1 then internally \fBASN1_STRING_type_new()\fR is
+used with the passed in \fIattrtype\fR.
+If \fIattrtype\fR is 0 the call does nothing except return 1.
+.PP
+\&\fBX509_ATTRIBUTE_create()\fR creates a new \fBX509_ATTRIBUTE\fR using the \fInid\fR
+to set the \fBASN1_OBJECT\fR OID and the \fIatrtype\fR and \fIvalue\fR to set the
+\&\fBASN1_TYPE\fR.
+.PP
+\&\fBX509_ATTRIBUTE_create_by_OBJ()\fR uses \fBX509_ATTRIBUTE_set1_object()\fR and
+\&\fBX509_ATTRIBUTE_set1_data()\fR to assign a new \fIobj\fR with type \fIatrtype\fR and
+data \fIdata\fR of length \fIlen\fR. If the passed in attribute \fIattr\fR OR \fI*attr\fR is
+NULL then a new \fBX509_ATTRIBUTE\fR will be returned, otherwise the passed in
+\&\fBX509_ATTRIBUTE\fR is used. Note that the ASN1_OBJECT \fIobj\fR is pushed onto the
+attributes existing list of objects, which could be an issue if the attributes
+<ASN1_OBJECT> was different.
+.PP
+\&\fBX509_ATTRIBUTE_create_by_NID()\fR is similar to \fBX509_ATTRIBUTE_create_by_OBJ()\fR
+except that it passes the numerical identifier (NID) \fInid\fR associated with the
+object. See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBX509_ATTRIBUTE_create_by_txt()\fR is similar to \fBX509_ATTRIBUTE_create_by_OBJ()\fR
+except that it passes a name \fIatrname\fR associated with the
+object. See <openssl/obj_mac.h> for a list of SN_* names.
+.PP
+\&\fBX509_ATTRIBUTE_count()\fR returns the number of \fBASN1_TYPE\fR objects in an
+attribute \fIattr\fR.
+.PP
+\&\fBX509_ATTRIBUTE_get0_type()\fR returns the \fBASN1_TYPE\fR object at index \fIidx\fR in
+the attribute list \fIattr\fR. \fIidx\fR should be in the
+range of 0 to \fBX509_ATTRIBUTE_count()\fR \- 1 or an error will occur.
+.PP
+\&\fBX509_ATTRIBUTE_get0_data()\fR returns the data of an \fBASN1_TYPE\fR object at
+index \fIidx\fR in the attribute \fIattr\fR. \fIdata\fR is unused and can be set to NULL.
+An error will occur if the attribute type \fIatrtype\fR does not match the type of
+the \fBASN1_TYPE\fR object at index \fIidx\fR OR if \fIatrtype\fR is either
+\&\fBV_ASN1_BOOLEAN\fR or \fBV_ASN1_NULL\fR OR if the \fIidx\fR is not in the
+range 0 to \fBX509_ATTRIBUTE_count()\fR \- 1.
+.PP
+\&\fBX509at_get0_data_by_OBJ()\fR finds the first attribute in an attribute list \fIx\fR
+that matches the \fIobj\fR starting at index \fIlastpos\fR and returns the data
+retrieved from the found attributes first \fBASN1_TYPE\fR object. An error will
+occur if the attribute type \fItype\fR does not match the type of the \fBASN1_TYPE\fR
+object OR if \fItype\fR is either \fBV_ASN1_BOOLEAN\fR or \fBV_ASN1_NULL\fR OR the
+attribute is not found.
+If \fIlastpos\fR is less than \-1 then an error will occur if there are multiple
+objects in the list \fIx\fR that match \fIobj\fR.
+If \fIlastpos\fR is less than \-2 then an error will occur if there is more than
+one \fBASN1_TYPE\fR object in the found attribute.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509at_get_attr_count()\fR returns the number of attributes in the list \fIx\fR or \-1
+if \fIx\fR is NULL.
+.PP
+\&\fBX509at_get_attr_by_OBJ()\fR returns \-1 if either the list is empty OR the object
+is not found, otherwise it returns the location of the object in the list.
+.PP
+\&\fBX509at_get_attr_by_NID()\fR is similar to \fBX509at_get_attr_by_OBJ()\fR, except that
+it returns \-2 if the \fInid\fR is not known by OpenSSL.
+.PP
+\&\fBX509at_get_attr()\fR returns either an \fBX509_ATTRIBUTE\fR or NULL if there is a error.
+.PP
+\&\fBX509at_delete_attr()\fR returns either the removed \fBX509_ATTRIBUTE\fR or NULL if
+there is a error.
+.PP
+\&\fBX509_ATTRIBUTE_count()\fR returns \-1 on error, otherwise it returns the number
+of \fBASN1_TYPE\fR elements.
+.PP
+\&\fBX509_ATTRIBUTE_get0_type()\fR returns NULL on error, otherwise it returns a
+\&\fBASN1_TYPE\fR object.
+.PP
+\&\fBX509_ATTRIBUTE_get0_data()\fR returns NULL if an error occurs,
+otherwise it returns the data associated with an \fBASN1_TYPE\fR object.
+.PP
+\&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR returns 1 on
+success, or 0 otherwise.
+.PP
+\&\fBX509_ATTRIBUTE_create()\fR, \fBX509_ATTRIBUTE_create_by_OBJ()\fR,
+\&\fBX509_ATTRIBUTE_create_by_NID()\fR and \fBX509_ATTRIBUTE_create_by_txt()\fR return either
+a \fBX509_ATTRIBUTE\fR on success, or NULL if there is a error.
+.PP
+\&\fBX509at_add1_attr()\fR, \fBX509at_add1_attr_by_OBJ()\fR, \fBX509at_add1_attr_by_NID()\fR and
+\&\fBX509at_add1_attr_by_txt()\fR return NULL on error, otherwise they return a list
+of \fBX509_ATTRIBUTE\fR.
+.PP
+\&\fBX509at_get0_data_by_OBJ()\fR returns the data retrieved from the found attributes
+first \fBASN1_TYPE\fR object, or NULL if an error occurs.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBASN1_TYPE_get\fR\|(3),
+\&\fBASN1_INTEGER_get\fR\|(3),
+\&\fBASN1_ENUMERATED_get\fR\|(3),
+\&\fBASN1_STRING_get0_data\fR\|(3),
+\&\fBASN1_STRING_length\fR\|(3),
+\&\fBASN1_STRING_type\fR\|(3),
+\&\fBX509_REQ_get_attr\fR\|(3),
+\&\fBEVP_PKEY_get_attr\fR\|(3),
+\&\fBCMS_signed_get_attr\fR\|(3),
+\&\fBPKCS8_pkey_get0_attrs\fR\|(3),
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3
index e07c25292615..b98423a00a44 100644
--- a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3
+++ b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CRL_GET0_BY_SERIAL 3ossl"
-.TH X509_CRL_GET0_BY_SERIAL 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CRL_GET0_BY_SERIAL 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_CRL_get0_by_serial, X509_CRL_get0_by_cert, X509_CRL_get_REVOKED,
X509_REVOKED_get0_serialNumber, X509_REVOKED_get0_revocationDate,
X509_REVOKED_set_serialNumber, X509_REVOKED_set_revocationDate,
X509_CRL_add0_revoked, X509_CRL_sort \- CRL revoked entry utility
functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -163,17 +87,17 @@ functions
\&
\& int X509_CRL_sort(X509_CRL *crl);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_CRL_get0_by_serial()\fR attempts to find a revoked entry in \fIcrl\fR for
serial number \fIserial\fR. If it is successful, it sets \fI*ret\fR to the internal
-pointer of the matching entry. As a result, \fI*ret\fR \fB\s-1MUST NOT\s0\fR be freed
+pointer of the matching entry. As a result, \fI*ret\fR \fBMUST NOT\fR be freed
after the call.
.PP
\&\fBX509_CRL_get0_by_cert()\fR is similar to \fBX509_get0_by_serial()\fR except it
looks for a revoked entry using the serial number of certificate \fIx\fR.
.PP
-\&\fBX509_CRL_get_REVOKED()\fR returns an internal pointer to a \s-1STACK\s0 of all
+\&\fBX509_CRL_get_REVOKED()\fR returns an internal pointer to a STACK of all
revoked entries for \fIcrl\fR.
.PP
\&\fBX509_REVOKED_get0_serialNumber()\fR returns an internal pointer to the
@@ -190,13 +114,13 @@ freed after use.
\&\fItm\fR. The supplied \fItm\fR pointer is not used internally so it should be
freed after use.
.PP
-\&\fBX509_CRL_add0_revoked()\fR appends revoked entry \fIrev\fR to \s-1CRL\s0 \fIcrl\fR. The
-pointer \fIrev\fR is used internally so it \fB\s-1MUST NOT\s0\fR be freed after the call:
-it is freed when the parent \s-1CRL\s0 is freed.
+\&\fBX509_CRL_add0_revoked()\fR appends revoked entry \fIrev\fR to CRL \fIcrl\fR. The
+pointer \fIrev\fR is used internally so it \fBMUST NOT\fR be freed after the call:
+it is freed when the parent CRL is freed.
.PP
\&\fBX509_CRL_sort()\fR sorts the revoked entries of \fIcrl\fR into ascending serial
number order.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Applications can determine the number of revoked entries returned by
\&\fBX509_CRL_get_REVOKED()\fR using \fBsk_X509_REVOKED_num()\fR and examine each one
@@ -207,11 +131,11 @@ in turn using \fBsk_X509_REVOKED_value()\fR.
1 on success except if the revoked entry has the reason \f(CW\*(C`removeFromCRL\*(C'\fR (8),
in which case 2 is returned.
.PP
-\&\fBX509_CRL_get_REVOKED()\fR returns a \s-1STACK\s0 of revoked entries.
+\&\fBX509_CRL_get_REVOKED()\fR returns a STACK of revoked entries.
.PP
-\&\fBX509_REVOKED_get0_serialNumber()\fR returns an \fB\s-1ASN1_INTEGER\s0\fR structure.
+\&\fBX509_REVOKED_get0_serialNumber()\fR returns an \fBASN1_INTEGER\fR structure.
.PP
-\&\fBX509_REVOKED_get0_revocationDate()\fR returns an \fB\s-1ASN1_TIME\s0\fR structure.
+\&\fBX509_REVOKED_get0_revocationDate()\fR returns an \fBASN1_TIME\fR structure.
.PP
\&\fBX509_REVOKED_set_serialNumber()\fR, \fBX509_REVOKED_set_revocationDate()\fR,
\&\fBX509_CRL_add0_revoked()\fR and \fBX509_CRL_sort()\fR return 1 for success and 0 for
@@ -234,11 +158,11 @@ failure.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3
index 98fe5c4a10cd..c46bf884b3df 100644
--- a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3
+++ b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_EXTENSION_SET_OBJECT 3ossl"
-.TH X509_EXTENSION_SET_OBJECT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_EXTENSION_SET_OBJECT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_EXTENSION_set_object, X509_EXTENSION_set_critical,
X509_EXTENSION_set_data, X509_EXTENSION_create_by_NID,
X509_EXTENSION_create_by_OBJ, X509_EXTENSION_get_object,
X509_EXTENSION_get_critical, X509_EXTENSION_get_data \- extension utility
functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 3
\& int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
@@ -160,7 +84,7 @@ functions
\& int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
\& ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_EXTENSION_set_object()\fR sets the extension type of \fBex\fR to \fBobj\fR. The
\&\fBobj\fR pointer is duplicated internally so \fBobj\fR should be freed up after use.
@@ -174,14 +98,14 @@ functions
\&\fBX509_EXTENSION_create_by_NID()\fR creates an extension of type \fBnid\fR,
criticality \fBcrit\fR using data \fBdata\fR. The created extension is returned and
written to \fB*ex\fR reusing or allocating a new extension if necessary so \fB*ex\fR
-should either be \fB\s-1NULL\s0\fR or a valid \fBX509_EXTENSION\fR structure it must
+should either be \fBNULL\fR or a valid \fBX509_EXTENSION\fR structure it must
\&\fBnot\fR be an uninitialised pointer.
.PP
\&\fBX509_EXTENSION_create_by_OBJ()\fR is identical to \fBX509_EXTENSION_create_by_NID()\fR
-except it creates and extension using \fBobj\fR instead of a \s-1NID.\s0
+except it creates and extension using \fBobj\fR instead of a NID.
.PP
\&\fBX509_EXTENSION_get_object()\fR returns the extension type of \fBex\fR as an
-\&\fB\s-1ASN1_OBJECT\s0\fR pointer. The returned pointer is an internal value which must
+\&\fBASN1_OBJECT\fR pointer. The returned pointer is an internal value which must
not be freed up.
.PP
\&\fBX509_EXTENSION_get_critical()\fR returns the criticality of extension \fBex\fR it
@@ -189,7 +113,7 @@ returns \fB1\fR for critical and \fB0\fR for non-critical.
.PP
\&\fBX509_EXTENSION_get_data()\fR returns the data of extension \fBex\fR. The returned
pointer is an internal value which must not be freed up.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions manipulate the contents of an extension directly. Most
applications will want to parse or encode and add an extension: they should
@@ -197,29 +121,29 @@ use the extension encode and decode functions instead such as
\&\fBX509_add1_ext_i2d()\fR and \fBX509_get_ext_d2i()\fR.
.PP
The \fBdata\fR associated with an extension is the extension encoding in an
-\&\fB\s-1ASN1_OCTET_STRING\s0\fR structure.
+\&\fBASN1_OCTET_STRING\fR structure.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_EXTENSION_set_object()\fR \fBX509_EXTENSION_set_critical()\fR and
\&\fBX509_EXTENSION_set_data()\fR return \fB1\fR for success and \fB0\fR for failure.
.PP
\&\fBX509_EXTENSION_create_by_NID()\fR and \fBX509_EXTENSION_create_by_OBJ()\fR return
-an \fBX509_EXTENSION\fR pointer or \fB\s-1NULL\s0\fR if an error occurs.
+an \fBX509_EXTENSION\fR pointer or \fBNULL\fR if an error occurs.
.PP
-\&\fBX509_EXTENSION_get_object()\fR returns an \fB\s-1ASN1_OBJECT\s0\fR pointer.
+\&\fBX509_EXTENSION_get_object()\fR returns an \fBASN1_OBJECT\fR pointer.
.PP
\&\fBX509_EXTENSION_get_critical()\fR returns \fB0\fR for non-critical and \fB1\fR for
critical.
.PP
-\&\fBX509_EXTENSION_get_data()\fR returns an \fB\s-1ASN1_OCTET_STRING\s0\fR pointer.
+\&\fBX509_EXTENSION_get_data()\fR returns an \fBASN1_OCTET_STRING\fR pointer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509V3_get_d2i\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3
index ce29dfe232c4..692025c6e6c5 100644
--- a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3
+++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOOKUP 3ossl"
-.TH X509_LOOKUP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_LOOKUP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_LOOKUP, X509_LOOKUP_TYPE,
X509_LOOKUP_new, X509_LOOKUP_free, X509_LOOKUP_init,
X509_LOOKUP_shutdown,
@@ -151,7 +75,7 @@ X509_LOOKUP_by_subject_ex, X509_LOOKUP_by_subject,
X509_LOOKUP_by_issuer_serial, X509_LOOKUP_by_fingerprint,
X509_LOOKUP_by_alias
\&\- OpenSSL certificate lookup mechanisms
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -201,7 +125,7 @@ X509_LOOKUP_by_alias
\& int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
\& const char *str, int len, X509_OBJECT *ret);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBX509_LOOKUP\fR structure holds the information needed to look up
certificates and CRLs according to an associated \fBX509_LOOKUP_METHOD\fR\|(3).
@@ -220,13 +144,15 @@ needed by the given \fBX509_LOOKUP\fR to do its work.
the given \fBX509_LOOKUP\fR.
.PP
\&\fBX509_LOOKUP_free()\fR destructs the given \fBX509_LOOKUP\fR.
+If the argument is NULL, nothing is done.
.PP
\&\fBX509_LOOKUP_set_method_data()\fR and \fBX509_LOOKUP_get_method_data()\fR
associates and retrieves a pointer to application data to and from the
given \fBX509_LOOKUP\fR, respectively.
.PP
\&\fBX509_LOOKUP_ctrl_ex()\fR is used to set or get additional data to or from
-a \fBX509_LOOKUP\fR structure or its associated \fBX509_LOOKUP_METHOD\fR\|(3).
+a \fBX509_LOOKUP\fR structure using any control function in the
+associated \fBX509_LOOKUP_METHOD\fR\|(3).
The arguments of the control command are passed via \fIargc\fR and \fIargl\fR,
its return value via \fI*ret\fR. The library context \fIlibctx\fR and property
query \fIpropq\fR are used when fetching algorithms from providers.
@@ -234,10 +160,10 @@ The meaning of the arguments depends on the \fIcmd\fR number of the
control command. In general, this function is not called directly, but
wrapped by a macro call, see below.
The control \fIcmd\fRs known to OpenSSL are discussed in more depth
-in \*(L"Control Commands\*(R".
+in "Control Commands".
.PP
\&\fBX509_LOOKUP_ctrl()\fR is similar to \fBX509_LOOKUP_ctrl_ex()\fR but
-uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBX509_LOOKUP_load_file_ex()\fR passes a filename to be loaded immediately
into the associated \fBX509_STORE\fR. The library context \fIlibctx\fR and property
@@ -247,7 +173,7 @@ This can only be used with a lookup using the implementation
\&\fBX509_LOOKUP_file\fR\|(3).
.PP
\&\fBX509_LOOKUP_load_file()\fR is similar to \fBX509_LOOKUP_load_file_ex()\fR but
-uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBX509_LOOKUP_add_dir()\fR passes a directory specification from which
certificates and CRLs are loaded on demand into the associated
@@ -256,15 +182,15 @@ certificates and CRLs are loaded on demand into the associated
This can only be used with a lookup using the implementation
\&\fBX509_LOOKUP_hash_dir\fR\|(3).
.PP
-\&\fBX509_LOOKUP_add_store_ex()\fR passes a \s-1URI\s0 for a directory-like structure
+\&\fBX509_LOOKUP_add_store_ex()\fR passes a URI for a directory-like structure
from which containers with certificates and CRLs are loaded on demand
into the associated \fBX509_STORE\fR. The library context \fIlibctx\fR and property
query \fIpropq\fR are used when fetching algorithms from providers.
.PP
\&\fBX509_LOOKUP_add_store()\fR is similar to \fBX509_LOOKUP_add_store_ex()\fR but
-uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
-\&\fBX509_LOOKUP_load_store_ex()\fR passes a \s-1URI\s0 for a single container from
+\&\fBX509_LOOKUP_load_store_ex()\fR passes a URI for a single container from
which certificates and CRLs are immediately loaded into the associated
\&\fBX509_STORE\fR. The library context \fIlibctx\fR and property query \fIpropq\fR are used
when fetching algorithms from providers.
@@ -272,7 +198,7 @@ These functions can only be used with a lookup using the
implementation \fBX509_LOOKUP_store\fR\|(3).
.PP
\&\fBX509_LOOKUP_load_store()\fR is similar to \fBX509_LOOKUP_load_store_ex()\fR but
-uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBX509_LOOKUP_load_file_ex()\fR, \fBX509_LOOKUP_load_file()\fR,
\&\fBX509_LOOKUP_add_dir()\fR,
@@ -292,56 +218,64 @@ possible to handle cases where the criteria have more than one hit.
.IX Subsection "Control Commands"
The \fBX509_LOOKUP_METHOD\fRs built into OpenSSL recognize the following
\&\fBX509_LOOKUP_ctrl()\fR \fIcmd\fRs:
-.IP "\fBX509_L_FILE_LOAD\fR" 4
+.IP \fBX509_L_FILE_LOAD\fR 4
.IX Item "X509_L_FILE_LOAD"
This is the command that \fBX509_LOOKUP_load_file_ex()\fR and
\&\fBX509_LOOKUP_load_file()\fR use.
The filename is passed in \fIargc\fR, and the type in \fIargl\fR.
-.IP "\fBX509_L_ADD_DIR\fR" 4
+.IP \fBX509_L_ADD_DIR\fR 4
.IX Item "X509_L_ADD_DIR"
This is the command that \fBX509_LOOKUP_add_dir()\fR uses.
The directory specification is passed in \fIargc\fR, and the type in
\&\fIargl\fR.
-.IP "\fBX509_L_ADD_STORE\fR" 4
+.IP \fBX509_L_ADD_STORE\fR 4
.IX Item "X509_L_ADD_STORE"
This is the command that \fBX509_LOOKUP_add_store_ex()\fR and
\&\fBX509_LOOKUP_add_store()\fR use.
-The \s-1URI\s0 is passed in \fIargc\fR.
-.IP "\fBX509_L_LOAD_STORE\fR" 4
+The URI is passed in \fIargc\fR.
+.IP \fBX509_L_LOAD_STORE\fR 4
.IX Item "X509_L_LOAD_STORE"
This is the command that \fBX509_LOOKUP_load_store_ex()\fR and
\&\fBX509_LOOKUP_load_store()\fR use.
-The \s-1URI\s0 is passed in \fIargc\fR.
+The URI is passed in \fIargc\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_LOOKUP_new()\fR returns a \fBX509_LOOKUP\fR pointer when successful,
-or \s-1NULL\s0 on error.
+or NULL on error.
.PP
\&\fBX509_LOOKUP_init()\fR and \fBX509_LOOKUP_shutdown()\fR return 1 on success, or
0 on error.
.PP
-\&\fBX509_LOOKUP_ctrl()\fR returns \-1 if the \fBX509_LOOKUP\fR doesn't have an
-associated \fBX509_LOOKUP_METHOD\fR, or 1 if the
+\&\fBX509_LOOKUP_ctrl_ex()\fR and \fBX509_LOOKUP_ctrl()\fR
+return \-1 if the \fBX509_LOOKUP\fR doesn't have an
+associated \fBX509_LOOKUP_METHOD\fR, or 1 if the
doesn't have a control function.
Otherwise, it returns what the control function in the
-\&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 in
-error.
+\&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 on error
+but could also be \-1 on failure.
.IX Xref "509_LOOKUP_METHOD"
.PP
\&\fBX509_LOOKUP_get_store()\fR returns a \fBX509_STORE\fR pointer if there is
-one, otherwise \s-1NULL.\s0
+one, otherwise NULL.
+.PP
+\&\fBX509_LOOKUP_by_subject_ex()\fR returns 0 if there is no \fBX509_LOOKUP_METHOD\fR
+that implements any of the \fBget_by_subject_ex()\fR or \fBget_by_subject()\fR functions.
+It calls \fBget_by_subject_ex()\fR if present, otherwise \fBget_by_subject()\fR, and returns
+the result of the function, which is usually 1 on success and 0 on error.
+.PP
+\&\fBX509_LOOKUP_by_subject()\fR is similar to \fBX509_LOOKUP_by_subject_ex()\fR
+but passes NULL for both the libctx and propq.
.PP
-\&\fBX509_LOOKUP_by_subject_ex()\fR, \fBX509_LOOKUP_by_subject()\fR,
\&\fBX509_LOOKUP_by_issuer_serial()\fR, \fBX509_LOOKUP_by_fingerprint()\fR, and
\&\fBX509_LOOKUP_by_alias()\fR all return 0 if there is no \fBX509_LOOKUP_METHOD\fR or that
method doesn't implement the corresponding function.
-Otherwise, it returns what the corresponding function in the
+Otherwise, they return what the corresponding function in the
\&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 in
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_LOOKUP_METHOD\fR\|(3), \fBX509_STORE\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBX509_LOOKUP_by_subject_ex()\fR and
\&\fBX509_LOOKUP_ctrl_ex()\fR were added in OpenSSL 3.0.
@@ -349,11 +283,11 @@ The functions \fBX509_LOOKUP_by_subject_ex()\fR and
The macros \fBX509_LOOKUP_load_file_ex()\fR,
\&\fBX509_LOOKUP_load_store_ex()\fR and 509_LOOKUP_add_store_ex() were
added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3
index fd701e6f596c..c41ba1756486 100644
--- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3
+++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOOKUP_HASH_DIR 3ossl"
-.TH X509_LOOKUP_HASH_DIR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_LOOKUP_HASH_DIR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_LOOKUP_hash_dir, X509_LOOKUP_file, X509_LOOKUP_store,
X509_load_cert_file_ex, X509_load_cert_file,
X509_load_crl_file,
X509_load_cert_crl_file_ex, X509_load_cert_crl_file
\&\- Default OpenSSL certificate lookup methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -159,7 +83,7 @@ X509_load_cert_crl_file_ex, X509_load_cert_crl_file
\& OSSL_LIB_CTX *libctx, const char *propq);
\& int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_LOOKUP_hash_dir\fR and \fBX509_LOOKUP_file\fR are two certificate
lookup methods to use with \fBX509_STORE\fR, provided by OpenSSL library.
@@ -173,19 +97,19 @@ functions.
Internally loading of certificates and CRLs is implemented via functions
\&\fBX509_load_cert_crl_file\fR, \fBX509_load_cert_file\fR and
\&\fBX509_load_crl_file\fR. These functions support parameter \fItype\fR, which
-can be one of constants \fB\s-1FILETYPE_PEM\s0\fR, \fB\s-1FILETYPE_ASN1\s0\fR and
-\&\fB\s-1FILETYPE_DEFAULT\s0\fR. They load certificates and/or CRLs from specified
+can be one of constants \fBFILETYPE_PEM\fR, \fBFILETYPE_ASN1\fR and
+\&\fBFILETYPE_DEFAULT\fR. They load certificates and/or CRLs from specified
file into memory cache of \fBX509_STORE\fR objects which given \fBctx\fR
parameter is associated with.
.PP
Functions \fBX509_load_cert_file\fR and
-\&\fBX509_load_crl_file\fR can load both \s-1PEM\s0 and \s-1DER\s0 formats depending of
-type value. Because \s-1DER\s0 format cannot contain more than one certificate
-or \s-1CRL\s0 object (while \s-1PEM\s0 can contain several concatenated \s-1PEM\s0 objects)
-\&\fBX509_load_cert_crl_file\fR with \fB\s-1FILETYPE_ASN1\s0\fR is equivalent to
+\&\fBX509_load_crl_file\fR can load both PEM and DER formats depending of
+type value. Because DER format cannot contain more than one certificate
+or CRL object (while PEM can contain several concatenated PEM objects)
+\&\fBX509_load_cert_crl_file\fR with \fBFILETYPE_ASN1\fR is equivalent to
\&\fBX509_load_cert_file\fR.
.PP
-Constant \fB\s-1FILETYPE_DEFAULT\s0\fR with \s-1NULL\s0 filename causes these functions
+Constant \fBFILETYPE_DEFAULT\fR with NULL filename causes these functions
to load default certificate store file (see
\&\fBX509_STORE_set_default_paths\fR\|(3).
.PP
@@ -203,7 +127,7 @@ The \fBX509_LOOKUP_file\fR method loads all the certificates or CRLs
present in a file into memory at the time the file is added as a
lookup source.
.PP
-File format is \s-1ASCII\s0 text which contains concatenated \s-1PEM\s0 certificates
+File format is ASCII text which contains concatenated PEM certificates
and CRLs.
.PP
This method should be used by applications which work with a small
@@ -216,16 +140,16 @@ they are loaded. As of OpenSSL 1.0.0, it also checks for newer CRLs
upon each lookup, so that newer CRLs are as soon as they appear in
the directory.
.PP
-The directory should contain one certificate or \s-1CRL\s0 per file in \s-1PEM\s0 format,
+The directory should contain one certificate or CRL per file in PEM format,
with a filename of the form \fIhash\fR.\fIN\fR for a certificate, or
-\&\fIhash\fR.\fBr\fR\fIN\fR for a \s-1CRL.\s0
+\&\fIhash\fR.\fBr\fR\fIN\fR for a CRL.
The \fIhash\fR is the value returned by the \fBX509_NAME_hash_ex\fR\|(3) function
applied to the subject name for certificates or issuer name for CRLs.
The hash can also be obtained via the \fB\-hash\fR option of the
\&\fBopenssl\-x509\fR\|(1) or \fBopenssl\-crl\fR\|(1) commands.
.PP
The .\fIN\fR or .\fBr\fR\fIN\fR suffix is a sequence number that starts at zero, and is
-incremented consecutively for each certificate or \s-1CRL\s0 with the same \fIhash\fR
+incremented consecutively for each certificate or CRL with the same \fIhash\fR
value.
Gaps in the sequence numbers are not supported, it is assumed that there are no
more objects with the same hash beyond the first missing number in the
@@ -237,9 +161,9 @@ For example, it is possible to have in the store several certificates with same
subject or several CRLs with same issuer (and, for example, different validity
period).
.PP
-When checking for new CRLs once one \s-1CRL\s0 for given hash value is
+When checking for new CRLs once one CRL for given hash value is
loaded, hash_dir lookup method checks only for certificates with
-sequence number greater than that of the already cached \s-1CRL.\s0
+sequence number greater than that of the already cached CRL.
.PP
Note that the hash algorithm used for subject name hashing changed in OpenSSL
1.0.0, and all certificate stores have to be rehashed when moving from OpenSSL
@@ -247,7 +171,7 @@ Note that the hash algorithm used for subject name hashing changed in OpenSSL
.PP
OpenSSL includes a \fBopenssl\-rehash\fR\|(1) utility which creates symlinks with
hashed names for all files with \fI.pem\fR suffix in a given directory.
-.SS "\s-1OSSL_STORE\s0 Method"
+.SS "OSSL_STORE Method"
.IX Subsection "OSSL_STORE Method"
\&\fBX509_LOOKUP_store\fR is a method that allows access to any store of
certificates and CRLs through any loader supported by
@@ -256,7 +180,7 @@ It works with the help of URIs, which can be direct references to
certificates or CRLs, but can also be references to catalogues of such
objects (that behave like directories).
.PP
-This method overlaps the \*(L"File Method\*(R" and \*(L"Hashed Directory Method\*(R"
+This method overlaps the "File Method" and "Hashed Directory Method"
because of the 'file:' scheme loader.
It does no caching of its own, but can use a caching \fBossl_store\fR\|(7)
loader, and therefore depends on the loader's capability.
@@ -274,16 +198,16 @@ the number of loaded objects or 0 on error.
\&\fBSSL_CTX_load_verify_locations\fR\|(3),
\&\fBX509_LOOKUP_meth_new\fR\|(3),
\&\fBossl_store\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBX509_load_cert_file_ex()\fR,
\&\fBX509_load_cert_crl_file_ex()\fR and \fBX509_LOOKUP_store()\fR were added in
OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3
index 4f3fd0cbac6a..2f890c16ddcf 100644
--- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOOKUP_METH_NEW 3ossl"
-.TH X509_LOOKUP_METH_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_LOOKUP_METH_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_LOOKUP_METHOD,
X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item,
X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free,
@@ -154,7 +78,7 @@ X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias,
X509_LOOKUP_meth_get_get_by_alias,
X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL
\&\- Routines to build up X509_LOOKUP methods
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -232,7 +156,7 @@ X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL
\& int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj);
\& int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBX509_LOOKUP_METHOD\fR type is a structure used for the implementation of new
X509_LOOKUP types. It provides a set of functions used by OpenSSL for the
@@ -245,6 +169,7 @@ be given a human-readable string containing a brief description of the lookup
method.
.PP
\&\fBX509_LOOKUP_meth_free()\fR destroys a \fBX509_LOOKUP_METHOD\fR structure.
+If the argument is NULL, nothing is done.
.PP
\&\fBX509_LOOKUP_get_new_item()\fR and \fBX509_LOOKUP_set_new_item()\fR get and set the
function that is called when an \fBX509_LOOKUP\fR object is created with
@@ -283,7 +208,7 @@ object.
.PP
Implementations must add objects they find to the \fBX509_STORE\fR object
using \fBX509_STORE_add_cert()\fR or \fBX509_STORE_add_crl()\fR. This increments
-its reference count. However, the \fBX509_STORE_CTX_get_by_subject()\fR
+its reference count. However, the \fBX509_STORE_CTX_get_by_subject\fR\|(3)
function also increases the reference count which leads to one too
many references being held. Therefore, applications should
additionally call \fBX509_free()\fR or \fBX509_CRL_free()\fR to decrement the
@@ -310,15 +235,16 @@ The \fBX509_LOOKUP_meth_get\fR functions return the corresponding function
pointers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fBX509_STORE_CTX_get_by_subject\fR\|(3),
\&\fBX509_STORE_new\fR\|(3), \fBSSL_CTX_set_cert_store\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0i.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3
index 3dfd04571f85..487edf594380 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_ENTRY_GET_OBJECT 3ossl"
-.TH X509_NAME_ENTRY_GET_OBJECT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_NAME_ENTRY_GET_OBJECT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data,
X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data,
X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID,
X509_NAME_ENTRY_create_by_OBJ \- X509_NAME_ENTRY utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -163,13 +87,13 @@ X509_NAME_ENTRY_create_by_OBJ \- X509_NAME_ENTRY utility functions
\& const ASN1_OBJECT *obj, int type,
\& const unsigned char *bytes, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_NAME_ENTRY_get_object()\fR retrieves the field name of \fBne\fR in
-and \fB\s-1ASN1_OBJECT\s0\fR structure.
+and \fBASN1_OBJECT\fR structure.
.PP
\&\fBX509_NAME_ENTRY_get_data()\fR retrieves the field value of \fBne\fR in
-and \fB\s-1ASN1_STRING\s0\fR structure.
+and \fBASN1_STRING\fR structure.
.PP
\&\fBX509_NAME_ENTRY_set_object()\fR sets the field name of \fBne\fR to \fBobj\fR.
.PP
@@ -179,7 +103,7 @@ and \fB\s-1ASN1_STRING\s0\fR structure.
\&\fBX509_NAME_ENTRY_create_by_txt()\fR, \fBX509_NAME_ENTRY_create_by_NID()\fR
and \fBX509_NAME_ENTRY_create_by_OBJ()\fR create and return an
\&\fBX509_NAME_ENTRY\fR structure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBX509_NAME_ENTRY_get_object()\fR and \fBX509_NAME_ENTRY_get_data()\fR can be
used to examine an \fBX509_NAME_ENTRY\fR function as returned by
@@ -195,31 +119,31 @@ create and add new entries in a single operation.
The arguments of these functions support similar options to the similarly
named ones of the corresponding \fBX509_NAME\fR functions such as
\&\fBX509_NAME_add_entry_by_txt()\fR. So for example \fBtype\fR can be set to
-\&\fB\s-1MBSTRING_ASC\s0\fR but in the case of \fBX509_set_data()\fR the field name must be
+\&\fBMBSTRING_ASC\fR but in the case of \fBX509_set_data()\fR the field name must be
set first so the relevant field information can be looked up internally.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_NAME_ENTRY_get_object()\fR returns a valid \fB\s-1ASN1_OBJECT\s0\fR structure if it is
-set or \s-1NULL\s0 if an error occurred.
+\&\fBX509_NAME_ENTRY_get_object()\fR returns a valid \fBASN1_OBJECT\fR structure if it is
+set or NULL if an error occurred.
.PP
-\&\fBX509_NAME_ENTRY_get_data()\fR returns a valid \fB\s-1ASN1_STRING\s0\fR structure if it is set
-or \s-1NULL\s0 if an error occurred.
+\&\fBX509_NAME_ENTRY_get_data()\fR returns a valid \fBASN1_STRING\fR structure if it is set
+or NULL if an error occurred.
.PP
\&\fBX509_NAME_ENTRY_set_object()\fR and \fBX509_NAME_ENTRY_set_data()\fR return 1 on success
or 0 on error.
.PP
\&\fBX509_NAME_ENTRY_create_by_txt()\fR, \fBX509_NAME_ENTRY_create_by_NID()\fR and
\&\fBX509_NAME_ENTRY_create_by_OBJ()\fR return a valid \fBX509_NAME_ENTRY\fR on success or
-\&\s-1NULL\s0 if an error occurred.
+NULL if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_X509_NAME\fR\|(3),
\&\fBOBJ_nid2obj\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3
index 822db6ded313..1974de430fe4 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_ADD_ENTRY_BY_TXT 3ossl"
-.TH X509_NAME_ADD_ENTRY_BY_TXT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_NAME_ADD_ENTRY_BY_TXT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID,
X509_NAME_add_entry, X509_NAME_delete_entry \- X509_NAME modification functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -157,18 +81,18 @@ X509_NAME_add_entry, X509_NAME_delete_entry \- X509_NAME modification functions
\&
\& X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_NAME_add_entry_by_txt()\fR, \fBX509_NAME_add_entry_by_OBJ()\fR and
\&\fBX509_NAME_add_entry_by_NID()\fR add a field whose name is defined
-by a string \fBfield\fR, an object \fBobj\fR or a \s-1NID\s0 \fBnid\fR respectively.
+by a string \fBfield\fR, an object \fBobj\fR or a NID \fBnid\fR respectively.
The field value to be added is in \fBbytes\fR of length \fBlen\fR. If
\&\fBlen\fR is \-1 then the field length is calculated internally using
strlen(bytes).
.PP
The type of field is determined by \fBtype\fR which can either be a
-definition of the type of \fBbytes\fR (such as \fB\s-1MBSTRING_ASC\s0\fR) or a
-standard \s-1ASN1\s0 type (such as \fBV_ASN1_IA5STRING\fR). The new entry is
+definition of the type of \fBbytes\fR (such as \fBMBSTRING_ASC\fR) or a
+standard ASN1 type (such as \fBV_ASN1_IA5STRING\fR). The new entry is
added to a position determined by \fBloc\fR and \fBset\fR.
.PP
\&\fBX509_NAME_add_entry()\fR adds a copy of \fBX509_NAME_ENTRY\fR structure \fBne\fR
@@ -178,15 +102,15 @@ the call.
.PP
\&\fBX509_NAME_delete_entry()\fR deletes an entry from \fBname\fR at position
\&\fBloc\fR. The deleted entry is returned and must be freed up.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The use of string types such as \fB\s-1MBSTRING_ASC\s0\fR or \fB\s-1MBSTRING_UTF8\s0\fR
+The use of string types such as \fBMBSTRING_ASC\fR or \fBMBSTRING_UTF8\fR
is strongly recommended for the \fBtype\fR parameter. This allows the
internal code to correctly determine the type of the field and to
apply length checks according to the relevant standards. This is
done using \fBASN1_STRING_set_by_NID()\fR.
.PP
-If instead an \s-1ASN1\s0 type is used no checks are performed and the
+If instead an ASN1 type is used no checks are performed and the
supplied data in \fBbytes\fR is used directly.
.PP
In \fBX509_NAME_add_entry_by_txt()\fR the \fBfield\fR string represents
@@ -195,17 +119,17 @@ the field name using OBJ_txt2obj(field, 0).
The \fBloc\fR and \fBset\fR parameters determine where a new entry should
be added. For almost all applications \fBloc\fR can be set to \-1 and \fBset\fR
to 0. This adds a new entry to the end of \fBname\fR as a single valued
-RelativeDistinguishedName (\s-1RDN\s0).
+RelativeDistinguishedName (RDN).
.PP
\&\fBloc\fR actually determines the index where the new entry is inserted:
if it is \-1 it is appended.
.PP
\&\fBset\fR determines how the new type is added.
-If it is zero a new \s-1RDN\s0 is created.
+If it is zero a new RDN is created.
.PP
If \fBset\fR is \-1 or 1 it is added as a new set member
-to the previous or next \s-1RDN\s0 structure, respectively.
-This will then become part of a multi-valued \s-1RDN\s0 (containing a set of AVAs).
+to the previous or next RDN structure, respectively.
+This will then become part of a multi-valued RDN (containing a set of AVAs).
Since multi-valued RDNs are very rarely used \fBset\fR typically will be zero.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -214,12 +138,12 @@ Since multi-valued RDNs are very rarely used \fBset\fR typically will be zero.
success of 0 if an error occurred.
.PP
\&\fBX509_NAME_delete_entry()\fR returns either the deleted \fBX509_NAME_ENTRY\fR
-structure or \fB\s-1NULL\s0\fR if an error occurred.
-.SH "EXAMPLES"
+structure or \fBNULL\fR if an error occurred.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Create an \fBX509_NAME\fR structure:
.PP
-\&\*(L"C=UK, O=Disorganized Organization, CN=Joe Bloggs\*(R"
+"C=UK, O=Disorganized Organization, CN=Joe Bloggs"
.PP
.Vb 1
\& X509_NAME *nm;
@@ -237,7 +161,7 @@ Create an \fBX509_NAME\fR structure:
\& "Joe Bloggs", \-1, \-1, 0))
\& /* Error */
.Ve
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
\&\fBtype\fR can still be set to \fBV_ASN1_APP_CHOOSE\fR to use a
different algorithm to determine field types. Since this form does
@@ -246,11 +170,11 @@ can result in invalid field types its use is strongly discouraged.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_X509_NAME\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3
index c8efe471885e..2ba5cdf143be 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_GET0_DER 3ossl"
-.TH X509_NAME_GET0_DER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_NAME_GET0_DER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_NAME_get0_der \- get X509_NAME DER encoding
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -146,7 +70,7 @@ X509_NAME_get0_der \- get X509_NAME DER encoding
\& int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder,
\& size_t *pderlen);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The function \fBX509_NAME_get0_der()\fR returns an internal pointer to the
encoding of an \fBX509_NAME\fR structure in \fB*pder\fR and consisting of
@@ -159,11 +83,11 @@ occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3
index 849dcf7ab0c2..cc5666a8843b 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_GET_INDEX_BY_NID 3ossl"
-.TH X509_NAME_GET_INDEX_BY_NID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_NAME_GET_INDEX_BY_NID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry,
X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ \-
X509_NAME lookup and enumeration functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -157,17 +81,17 @@ X509_NAME lookup and enumeration functions
\& int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
\& char *buf, int len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions allow an \fBX509_NAME\fR structure to be examined. The
\&\fBX509_NAME\fR structure is the same as the \fBName\fR type defined in
-\&\s-1RFC2459\s0 (and elsewhere) and used for example in certificate subject
+RFC2459 (and elsewhere) and used for example in certificate subject
and issuer names.
.PP
\&\fBX509_NAME_get_index_by_NID()\fR and \fBX509_NAME_get_index_by_OBJ()\fR retrieve
the next index matching \fBnid\fR or \fBobj\fR after \fBlastpos\fR. \fBlastpos\fR
should initially be set to \-1. If there are no more entries \-1 is returned.
-If \fBnid\fR is invalid (doesn't correspond to a valid \s-1OID\s0) then \-2 is returned.
+If \fBnid\fR is invalid (doesn't correspond to a valid OID) then \-2 is returned.
.PP
\&\fBX509_NAME_entry_count()\fR returns the total number of entries in \fBname\fR.
.PP
@@ -177,13 +101,13 @@ corresponding to index \fBloc\fR. Acceptable values for \fBloc\fR run from
internal pointer which must not be freed.
.PP
\&\fBX509_NAME_get_text_by_NID()\fR, \fBX509_NAME_get_text_by_OBJ()\fR retrieve
-the \*(L"text\*(R" from the first entry in \fBname\fR which matches \fBnid\fR or
+the "text" from the first entry in \fBname\fR which matches \fBnid\fR or
\&\fBobj\fR, if no such entry exists \-1 is returned. At most \fBlen\fR bytes
will be written and the text written to \fBbuf\fR will be null
terminated. The length of the output string written is returned
-excluding the terminating null. If \fBbuf\fR is <\s-1NULL\s0> then the amount
+excluding the terminating null. If \fBbuf\fR is <NULL> then the amount
of space needed in \fBbuf\fR (excluding the final null) is returned.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBX509_NAME_get_text_by_NID()\fR and \fBX509_NAME_get_text_by_OBJ()\fR should be
considered deprecated because they
@@ -203,21 +127,21 @@ the source code header files \fI<openssl/obj_mac.h>\fR and/or
\&\fI<openssl/objects.h>\fR.
.PP
Applications which could pass invalid NIDs to \fBX509_NAME_get_index_by_NID()\fR
-should check for the return value of \-2. Alternatively the \s-1NID\s0 validity
-can be determined first by checking OBJ_nid2obj(nid) is not \s-1NULL.\s0
+should check for the return value of \-2. Alternatively the NID validity
+can be determined first by checking OBJ_nid2obj(nid) is not NULL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_NAME_get_index_by_NID()\fR and \fBX509_NAME_get_index_by_OBJ()\fR
return the index of the next matching entry or \-1 if not found.
\&\fBX509_NAME_get_index_by_NID()\fR can also return \-2 if the supplied
-\&\s-1NID\s0 is invalid.
+NID is invalid.
.PP
\&\fBX509_NAME_entry_count()\fR returns the total number of entries, and 0
for failure.
.PP
\&\fBX509_NAME_get_entry()\fR returns an \fBX509_NAME\fR pointer to the
-requested entry or \fB\s-1NULL\s0\fR if the index is invalid.
-.SH "EXAMPLES"
+requested entry or \fBNULL\fR if the index is invalid.
+.SH EXAMPLES
.IX Header "EXAMPLES"
Process all entries:
.PP
@@ -248,11 +172,11 @@ Process all commonName entries:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_X509_NAME\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3
index 195a6f89dd01..aa7fc06d99dd 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_PRINT_EX 3ossl"
-.TH X509_NAME_PRINT_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_NAME_PRINT_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print,
X509_NAME_oneline \- X509_NAME printing routines
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -151,18 +75,18 @@ X509_NAME_oneline \- X509_NAME printing routines
\& char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size);
\& int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509_NAME_print_ex()\fR prints a human readable version of \fInm\fR to \s-1BIO\s0 \fIout\fR.
+\&\fBX509_NAME_print_ex()\fR prints a human readable version of \fInm\fR to BIO \fIout\fR.
Each line (for multiline formats) is indented by \fIindent\fR spaces. The
output format can be extensively customised by use of the \fIflags\fR parameter.
.PP
\&\fBX509_NAME_print_ex_fp()\fR is identical to \fBX509_NAME_print_ex()\fR
-except the output is written to \s-1FILE\s0 pointer \fIfp\fR.
+except the output is written to FILE pointer \fIfp\fR.
.PP
-\&\fBX509_NAME_oneline()\fR prints an \s-1ASCII\s0 version of \fIa\fR to \fIbuf\fR.
+\&\fBX509_NAME_oneline()\fR prints an ASCII version of \fIa\fR to \fIbuf\fR.
This supports multi-valued RDNs and escapes \fB/\fR and \fB+\fR characters in values.
-If \fIbuf\fR is \fB\s-1NULL\s0\fR then a buffer is dynamically allocated and returned, and
+If \fIbuf\fR is \fBNULL\fR then a buffer is dynamically allocated and returned, and
\&\fIsize\fR is ignored.
Otherwise, at most \fIsize\fR bytes will be written, including the ending '\e0',
and \fIbuf\fR is returned.
@@ -170,7 +94,7 @@ and \fIbuf\fR is returned.
\&\fBX509_NAME_print()\fR prints out \fIname\fR to \fIbp\fR indenting each line by \fIobase\fR
characters. Multiple lines are used if the output (including indent) exceeds
80 characters.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The functions \fBX509_NAME_oneline()\fR and \fBX509_NAME_print()\fR
produce a non standard output form, they don't handle multi-character fields and
@@ -179,44 +103,44 @@ Their use is strongly discouraged in new applications and they could
be deprecated in a future release.
.PP
Although there are a large number of possible flags for most purposes
-\&\fB\s-1XN_FLAG_ONELINE\s0\fR, \fB\s-1XN_FLAG_MULTILINE\s0\fR or \fB\s-1XN_FLAG_RFC2253\s0\fR will suffice.
+\&\fBXN_FLAG_ONELINE\fR, \fBXN_FLAG_MULTILINE\fR or \fBXN_FLAG_RFC2253\fR will suffice.
As noted on the \fBASN1_STRING_print_ex\fR\|(3) manual page
-for \s-1UTF8\s0 terminals the \fB\s-1ASN1_STRFLGS_ESC_MSB\s0\fR should be unset: so for example
-\&\fB\s-1XN_FLAG_ONELINE &\s0 ~ASN1_STRFLGS_ESC_MSB\fR would be used.
+for UTF8 terminals the \fBASN1_STRFLGS_ESC_MSB\fR should be unset: so for example
+\&\fBXN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB\fR would be used.
.PP
The complete set of the flags supported by \fBX509_NAME_print_ex()\fR is listed below.
.PP
Several options can be ored together.
.PP
-The options \fB\s-1XN_FLAG_SEP_COMMA_PLUS\s0\fR, \fB\s-1XN_FLAG_SEP_CPLUS_SPC\s0\fR,
-\&\fB\s-1XN_FLAG_SEP_SPLUS_SPC\s0\fR and \fB\s-1XN_FLAG_SEP_MULTILINE\s0\fR
+The options \fBXN_FLAG_SEP_COMMA_PLUS\fR, \fBXN_FLAG_SEP_CPLUS_SPC\fR,
+\&\fBXN_FLAG_SEP_SPLUS_SPC\fR and \fBXN_FLAG_SEP_MULTILINE\fR
determine the field separators to use.
Two distinct separators are used between distinct RelativeDistinguishedName
-components and separate values in the same \s-1RDN\s0 for a multi-valued \s-1RDN.\s0
+components and separate values in the same RDN for a multi-valued RDN.
Multi-valued RDNs are currently very rare
so the second separator will hardly ever be used.
.PP
-\&\fB\s-1XN_FLAG_SEP_COMMA_PLUS\s0\fR uses comma and plus as separators.
-\&\fB\s-1XN_FLAG_SEP_CPLUS_SPC\s0\fR uses comma and plus with spaces:
+\&\fBXN_FLAG_SEP_COMMA_PLUS\fR uses comma and plus as separators.
+\&\fBXN_FLAG_SEP_CPLUS_SPC\fR uses comma and plus with spaces:
this is more readable that plain comma and plus.
-\&\fB\s-1XN_FLAG_SEP_SPLUS_SPC\s0\fR uses spaced semicolon and plus.
-\&\fB\s-1XN_FLAG_SEP_MULTILINE\s0\fR uses spaced newline and plus respectively.
+\&\fBXN_FLAG_SEP_SPLUS_SPC\fR uses spaced semicolon and plus.
+\&\fBXN_FLAG_SEP_MULTILINE\fR uses spaced newline and plus respectively.
.PP
-If \fB\s-1XN_FLAG_DN_REV\s0\fR is set the whole \s-1DN\s0 is printed in reversed order.
+If \fBXN_FLAG_DN_REV\fR is set the whole DN is printed in reversed order.
.PP
-The fields \fB\s-1XN_FLAG_FN_SN\s0\fR, \fB\s-1XN_FLAG_FN_LN\s0\fR, \fB\s-1XN_FLAG_FN_OID\s0\fR,
-\&\fB\s-1XN_FLAG_FN_NONE\s0\fR determine how a field name is displayed. It will
-use the short name (e.g. \s-1CN\s0) the long name (e.g. commonName) always
-use \s-1OID\s0 numerical form (normally OIDs are only used if the field name is not
+The fields \fBXN_FLAG_FN_SN\fR, \fBXN_FLAG_FN_LN\fR, \fBXN_FLAG_FN_OID\fR,
+\&\fBXN_FLAG_FN_NONE\fR determine how a field name is displayed. It will
+use the short name (e.g. CN) the long name (e.g. commonName) always
+use OID numerical form (normally OIDs are only used if the field name is not
recognised) and no field name respectively.
.PP
-If \fB\s-1XN_FLAG_SPC_EQ\s0\fR is set then spaces will be placed around the '=' character
+If \fBXN_FLAG_SPC_EQ\fR is set then spaces will be placed around the '=' character
separating field names and values.
.PP
-If \fB\s-1XN_FLAG_DUMP_UNKNOWN_FIELDS\s0\fR is set then the encoding of unknown fields is
+If \fBXN_FLAG_DUMP_UNKNOWN_FIELDS\fR is set then the encoding of unknown fields is
printed instead of the values.
.PP
-If \fB\s-1XN_FLAG_FN_ALIGN\s0\fR is set then field names are padded to 20 characters: this
+If \fBXN_FLAG_FN_ALIGN\fR is set then field names are padded to 20 characters: this
is only of use for multiline format.
.PP
Additionally all the options supported by \fBASN1_STRING_print_ex()\fR can be used to
@@ -224,38 +148,38 @@ control how each field value is displayed.
.PP
In addition a number options can be set for commonly used formats.
.PP
-\&\fB\s-1XN_FLAG_RFC2253\s0\fR sets options which produce an output compatible with \s-1RFC2253.\s0
+\&\fBXN_FLAG_RFC2253\fR sets options which produce an output compatible with RFC2253.
It is equivalent to:
\f(CW\*(C`ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV
| XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS\*(C'\fR
.PP
-\&\fB\s-1XN_FLAG_ONELINE\s0\fR is a more readable one line format which is the same as:
+\&\fBXN_FLAG_ONELINE\fR is a more readable one line format which is the same as:
\f(CW\*(C`ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC
| XN_FLAG_SPC_EQ | XN_FLAG_FN_SN\*(C'\fR
.PP
-\&\fB\s-1XN_FLAG_MULTILINE\s0\fR is a multiline format which is the same as:
+\&\fBXN_FLAG_MULTILINE\fR is a multiline format which is the same as:
\f(CW\*(C`ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE
| XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN\*(C'\fR
.PP
-\&\fB\s-1XN_FLAG_COMPAT\s0\fR uses a format identical to \fBX509_NAME_print()\fR:
+\&\fBXN_FLAG_COMPAT\fR uses a format identical to \fBX509_NAME_print()\fR:
in fact it calls \fBX509_NAME_print()\fR internally.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_NAME_oneline()\fR returns a valid string on success or \s-1NULL\s0 on error.
+\&\fBX509_NAME_oneline()\fR returns a valid string on success or NULL on error.
.PP
\&\fBX509_NAME_print()\fR returns 1 on success or 0 on error.
.PP
\&\fBX509_NAME_print_ex()\fR and \fBX509_NAME_print_ex_fp()\fR return 1 on success or 0 on
-error if the \fB\s-1XN_FLAG_COMPAT\s0\fR is set, which is the same as \fBX509_NAME_print()\fR.
+error if the \fBXN_FLAG_COMPAT\fR is set, which is the same as \fBX509_NAME_print()\fR.
Otherwise, it returns \-1 on error or other values on success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBASN1_STRING_print_ex\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3
index 331c116b1cc7..775ddd2b384d 100644
--- a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_PUBKEY_NEW 3ossl"
-.TH X509_PUBKEY_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_PUBKEY_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_PUBKEY_new_ex, X509_PUBKEY_new, X509_PUBKEY_free, X509_PUBKEY_dup,
X509_PUBKEY_set, X509_PUBKEY_get0, X509_PUBKEY_get,
-d2i_PUBKEY_ex, d2i_PUBKEY, i2d_PUBKEY, d2i_PUBKEY_bio, d2i_PUBKEY_fp,
-i2d_PUBKEY_fp, i2d_PUBKEY_bio, X509_PUBKEY_set0_param, X509_PUBKEY_get0_param,
+d2i_PUBKEY_ex, d2i_PUBKEY, i2d_PUBKEY, d2i_PUBKEY_ex_bio, d2i_PUBKEY_bio,
+d2i_PUBKEY_ex_fp, d2i_PUBKEY_fp, i2d_PUBKEY_fp, i2d_PUBKEY_bio,
+X509_PUBKEY_set0_public_key, X509_PUBKEY_set0_param, X509_PUBKEY_get0_param,
X509_PUBKEY_eq \- SubjectPublicKeyInfo public key functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -161,12 +86,19 @@ X509_PUBKEY_eq \- SubjectPublicKeyInfo public key functions
\& EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length);
\& int i2d_PUBKEY(const EVP_PKEY *a, unsigned char **pp);
\&
+\& EVP_PKEY *d2i_PUBKEY_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
+\& const char *propq);
\& EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
+\&
+\& EVP_PKEY *d2i_PUBKEY_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
+\& const char *propq);
\& EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
\&
\& int i2d_PUBKEY_fp(const FILE *fp, EVP_PKEY *pkey);
\& int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey);
\&
+\& void X509_PUBKEY_set0_public_key(X509_PUBKEY *pub,
+\& unsigned char *penc, int penclen);
\& int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
\& int ptype, void *pval,
\& unsigned char *penc, int penclen);
@@ -175,69 +107,79 @@ X509_PUBKEY_eq \- SubjectPublicKeyInfo public key functions
\& X509_ALGOR **pa, const X509_PUBKEY *pub);
\& int X509_PUBKEY_eq(X509_PUBKEY *a, X509_PUBKEY *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBX509_PUBKEY\fR structure represents the \s-1ASN.1\s0 \fBSubjectPublicKeyInfo\fR
-structure defined in \s-1RFC5280\s0 and used in certificates and certificate requests.
+The \fBX509_PUBKEY\fR structure represents the ASN.1 \fBSubjectPublicKeyInfo\fR
+structure defined in RFC5280 and used in certificates and certificate requests.
.PP
\&\fBX509_PUBKEY_new_ex()\fR allocates and initializes an \fBX509_PUBKEY\fR structure
-associated with the given \fB\s-1OSSL_LIB_CTX\s0\fR in the \fIlibctx\fR parameter. Any
+associated with the given \fBOSSL_LIB_CTX\fR in the \fIlibctx\fR parameter. Any
algorithm fetches associated with using the \fBX509_PUBKEY\fR object will use
-the property query string \fIpropq\fR. See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7) for
+the property query string \fIpropq\fR. See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7) for
further information about algorithm fetching.
.PP
\&\fBX509_PUBKEY_new()\fR is the same as \fBX509_PUBKEY_new_ex()\fR except that the default
-(\s-1NULL\s0) \fB\s-1OSSL_LIB_CTX\s0\fR and a \s-1NULL\s0 property query string are used.
+(NULL) \fBOSSL_LIB_CTX\fR and a NULL property query string are used.
.PP
\&\fBX509_PUBKEY_dup()\fR creates a duplicate copy of the \fBX509_PUBKEY\fR object
specified by \fIa\fR.
.PP
-\&\fBX509_PUBKEY_free()\fR frees up \fBX509_PUBKEY\fR structure \fIa\fR. If \fIa\fR is \s-1NULL\s0
+\&\fBX509_PUBKEY_free()\fR frees up \fBX509_PUBKEY\fR structure \fIa\fR. If \fIa\fR is NULL
nothing is done.
.PP
\&\fBX509_PUBKEY_set()\fR sets the public key in \fI*x\fR to the public key contained
-in the \fB\s-1EVP_PKEY\s0\fR structure \fIpkey\fR. If \fI*x\fR is not \s-1NULL\s0 any existing
+in the \fBEVP_PKEY\fR structure \fIpkey\fR. If \fI*x\fR is not NULL any existing
public key structure will be freed.
.PP
\&\fBX509_PUBKEY_get0()\fR returns the public key contained in \fIkey\fR. The returned
-value is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed after use.
+value is an internal pointer which \fBMUST NOT\fR be freed after use.
.PP
\&\fBX509_PUBKEY_get()\fR is similar to \fBX509_PUBKEY_get0()\fR except the reference
-count on the returned key is incremented so it \fB\s-1MUST\s0\fR be freed using
+count on the returned key is incremented so it \fBMUST\fR be freed using
\&\fBEVP_PKEY_free()\fR after use.
.PP
-\&\fBd2i_PUBKEY_ex()\fR decodes an \fB\s-1EVP_PKEY\s0\fR structure using \fBSubjectPublicKeyInfo\fR
+\&\fBd2i_PUBKEY_ex()\fR decodes an \fBEVP_PKEY\fR structure using \fBSubjectPublicKeyInfo\fR
format. Some public key decoding implementations may use cryptographic
algorithms. In this case the supplied library context \fIlibctx\fR and property
query string \fIpropq\fR are used.
\&\fBd2i_PUBKEY()\fR does the same as \fBd2i_PUBKEY_ex()\fR except that the default
library context and property query string are used.
.PP
-\&\fBi2d_PUBKEY()\fR encodes an \fB\s-1EVP_PKEY\s0\fR structure using \fBSubjectPublicKeyInfo\fR
+\&\fBi2d_PUBKEY()\fR encodes an \fBEVP_PKEY\fR structure using \fBSubjectPublicKeyInfo\fR
format.
.PP
\&\fBd2i_PUBKEY_bio()\fR, \fBd2i_PUBKEY_fp()\fR, \fBi2d_PUBKEY_bio()\fR and \fBi2d_PUBKEY_fp()\fR are
similar to \fBd2i_PUBKEY()\fR and \fBi2d_PUBKEY()\fR except they decode or encode using a
-\&\fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR pointer.
+\&\fBBIO\fR or \fBFILE\fR pointer.
+.PP
+\&\fBd2i_PUBKEY_ex_bio()\fR and \fBd2i_PUBKEY_ex_fp()\fR are similar to \fBd2i_PUBKEY_ex()\fR except
+they decode using a \fBBIO\fR or \fBFILE\fR pointer.
.PP
-\&\fBX509_PUBKEY_set0_param()\fR sets the public key parameters of \fIpub\fR. The
-\&\s-1OID\s0 associated with the algorithm is set to \fIaobj\fR. The type of the
+\&\fBX509_PUBKEY_set0_public_key()\fR sets the public-key encoding of \fIpub\fR
+to the \fIpenclen\fR bytes contained in buffer \fIpenc\fR.
+Any earlier public-key encoding in \fIpub\fR is freed.
+\&\fIpenc\fR may be NULL to indicate that there is no actual public key data.
+Ownership of the \fIpenc\fR argument is passed to \fIpub\fR.
+.PP
+\&\fBX509_PUBKEY_set0_param()\fR sets the public-key parameters of \fIpub\fR.
+The OID associated with the algorithm is set to \fIaobj\fR. The type of the
algorithm parameters is set to \fItype\fR using the structure \fIpval\fR.
-The encoding of the public key itself is set to the \fIpenclen\fR
-bytes contained in buffer \fIpenc\fR. On success ownership of all the supplied
-parameters is passed to \fIpub\fR so they must not be freed after the
-call.
+If \fIpenc\fR is not NULL the encoding of the public key itself is set
+to the \fIpenclen\fR bytes contained in buffer \fIpenc\fR and
+any earlier public-key encoding in \fIpub\fR is freed.
+On success ownership of all the supplied arguments is passed to \fIpub\fR
+so they must not be freed after the call.
.PP
\&\fBX509_PUBKEY_get0_param()\fR retrieves the public key parameters from \fIpub\fR,
-\&\fI*ppkalg\fR is set to the associated \s-1OID\s0 and the encoding consists of
+\&\fI*ppkalg\fR is set to the associated OID and the encoding consists of
\&\fI*ppklen\fR bytes at \fI*pk\fR, \fI*pa\fR is set to the associated
AlgorithmIdentifier for the public key. If the value of any of these
-parameters is not required it can be set to \s-1NULL.\s0 All of the
+parameters is not required it can be set to NULL. All of the
retrieved pointers are internal and must not be freed after the
call.
.PP
\&\fBX509_PUBKEY_eq()\fR compares two \fBX509_PUBKEY\fR values.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The \fBX509_PUBKEY\fR functions can be used to encode and decode public keys
in a standard format.
@@ -247,13 +189,22 @@ directly: they will instead call wrapper functions such as \fBX509_get0_pubkey()
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBX509_PUBKEY_new()\fR and \fBX509_PUBKEY_dup()\fR return
-\&\s-1NULL\s0 and set an error code that can be obtained by \fBERR_get_error\fR\|(3).
+NULL and set an error code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise they return a pointer to the newly allocated structure.
.PP
\&\fBX509_PUBKEY_free()\fR does not return a value.
.PP
-\&\fBX509_PUBKEY_get0()\fR and \fBX509_PUBKEY_get()\fR return a pointer to an \fB\s-1EVP_PKEY\s0\fR
-structure or \s-1NULL\s0 if an error occurs.
+\&\fBX509_PUBKEY_get0()\fR, \fBX509_PUBKEY_get()\fR, \fBd2i_PUBKEY_ex()\fR, \fBd2i_PUBKEY()\fR,
+\&\fBd2i_PUBKEY_ex_bio()\fR, \fBd2i_PUBKEY_bio()\fR, \fBd2i_PUBKEY_ex_fp()\fR and \fBd2i_PUBKEY_fp()\fR
+return a pointer to an \fBEVP_PKEY\fR structure or NULL if an error occurs.
+.PP
+\&\fBi2d_PUBKEY()\fR returns the number of bytes successfully encoded or a
+negative value if an error occurs.
+.PP
+\&\fBi2d_PUBKEY_fp()\fR and \fBi2d_PUBKEY_bio()\fR return 1 if successfully
+encoded or 0 if an error occurs.
+.PP
+\&\fBX509_PUBKEY_set0_public_key()\fR does not return a value.
.PP
\&\fBX509_PUBKEY_set()\fR, \fBX509_PUBKEY_set0_param()\fR and \fBX509_PUBKEY_get0_param()\fR
return 1 for success and 0 if an error occurred.
@@ -264,15 +215,18 @@ return 1 for success and 0 if an error occurred.
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_PUBKEY_new_ex()\fR and \fBX509_PUBKEY_eq()\fR functions were added in OpenSSL
3.0.
-.SH "COPYRIGHT"
+.PP
+The \fBX509_PUBKEY_set0_public_key()\fR, \fBd2i_PUBKEY_ex_bio()\fR and \fBd2i_PUBKEY_ex_fp()\fR
+functions were added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3 b/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3
new file mode 100644
index 000000000000..d27389367876
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_REQ_get_attr.3
@@ -0,0 +1,164 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_REQ_GET_ATTR 3ossl"
+.TH X509_REQ_GET_ATTR 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_REQ_get_attr_count,
+X509_REQ_get_attr_by_NID, X509_REQ_get_attr_by_OBJ, X509_REQ_get_attr,
+X509_REQ_delete_attr,
+X509_REQ_add1_attr, X509_REQ_add1_attr_by_OBJ, X509_REQ_add1_attr_by_NID,
+X509_REQ_add1_attr_by_txt
+\&\- X509_ATTRIBUTE support for signed certificate requests
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509.h>
+\&
+\& int X509_REQ_get_attr_count(const X509_REQ *req);
+\& int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
+\& int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
+\& int lastpos);
+\& X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
+\& X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
+\& int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
+\& int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
+\& const ASN1_OBJECT *obj, int type,
+\& const unsigned char *bytes, int len);
+\& int X509_REQ_add1_attr_by_NID(X509_REQ *req,
+\& int nid, int type,
+\& const unsigned char *bytes, int len);
+\& int X509_REQ_add1_attr_by_txt(X509_REQ *req,
+\& const char *attrname, int type,
+\& const unsigned char *bytes, int len);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_REQ_get_attr_by_OBJ()\fR finds the location of the first matching object \fIobj\fR
+in the \fIreq\fR attribute list. The search starts at the position after \fIlastpos\fR.
+If the returned value is positive then it can be used on the next call to
+\&\fBX509_REQ_get_attr_by_OBJ()\fR as the value of \fIlastpos\fR in order to iterate through
+the remaining attributes. \fIlastpos\fR can be set to any negative value on the
+first call, in order to start searching from the start of the attribute list.
+.PP
+\&\fBX509_REQ_get_attr_by_NID()\fR is similar to \fBX509_REQ_get_attr_by_OBJ()\fR except that
+it passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBX509_REQ_get_attr()\fR returns the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in the
+\&\fIreq\fR attribute list. \fIloc\fR should be in the range from 0 to
+\&\fBX509_REQ_get_attr_count()\fR \- 1.
+.PP
+\&\fBX509_REQ_delete_attr()\fR removes the \fBX509_ATTRIBUTE\fR object at index \fIloc\fR in
+the \fIreq\fR objects list of attributes. An error occurs if \fIreq\fR is NULL.
+.PP
+\&\fBX509_REQ_add1_attr()\fR pushes a copy of the passed in \fBX509_ATTRIBUTE\fR \fRattr>
+to the \fIreq\fR object's attribute list. An error will occur if either the
+attribute list is NULL or the attribute already exists.
+.PP
+\&\fBX509_REQ_add1_attr_by_OBJ()\fR creates a new \fBX509_ATTRIBUTE\fR using
+\&\fBX509_ATTRIBUTE_set1_object()\fR and \fBX509_ATTRIBUTE_set1_data()\fR to assign a new
+\&\fIobj\fR with type \fItype\fR and data \fIbytes\fR of length \fIlen\fR and then pushes it
+to the \fIreq\fR object's attribute list. \fIreq\fR must be non NULL or an error
+will occur. If \fIobj\fR already exists in the attribute list then an error occurs.
+.PP
+\&\fBX509_REQ_add1_attr_by_NID()\fR is similar to \fBX509_REQ_add1_attr_by_OBJ()\fR except
+that it passes the numerical identifier (NID) \fInid\fR associated with the object.
+See <openssl/obj_mac.h> for a list of NID_*.
+.PP
+\&\fBX509_REQ_add1_attr_by_txt()\fR is similar to \fBX509_REQ_add1_attr_by_OBJ()\fR except
+that it passes a name \fIattrname\fR associated with the object.
+See <openssl/obj_mac.h> for a list of SN_* names.
+.PP
+Refer to \fBX509_ATTRIBUTE\fR\|(3) for information related to attributes.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_REQ_get_attr_count()\fR returns the number of attributes in the \fIreq\fR object
+attribute list or \-1 if the attribute list is NULL.
+.PP
+\&\fBX509_REQ_get_attr_by_OBJ()\fR returns \-1 if either the \fIreq\fR object's attribute
+list is empty OR \fIobj\fR is not found, otherwise it returns the location of the
+\&\fIobj\fR in the attribute list.
+.PP
+\&\fBX509_REQ_get_attr_by_NID()\fR is similar to \fBX509_REQ_get_attr_by_OBJ()\fR, except that
+it returns \-2 if the \fInid\fR is not known by OpenSSL.
+.PP
+\&\fBX509_REQ_get_attr()\fR returns either an \fBX509_ATTRIBUTE\fR or NULL on error.
+.PP
+\&\fBX509_REQ_delete_attr()\fR returns either the removed \fBX509_ATTRIBUTE\fR or NULL if
+there is a error.
+.PP
+\&\fBX509_REQ_add1_attr()\fR, \fBX509_REQ_add1_attr_by_OBJ()\fR, \fBX509_REQ_add1_attr_by_NID()\fR
+and \fBX509_REQ_add1_attr_by_txt()\fR return 1 on success or 0 on error.
+.SH NOTES
+.IX Header "NOTES"
+Any functions that modify the attributes (add or delete) internally set a flag
+to indicate the ASN.1 encoding has been modified.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_ATTRIBUTE\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3 b/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3
new file mode 100644
index 000000000000..44171ccb8976
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_REQ_get_extensions.3
@@ -0,0 +1,107 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_REQ_GET_EXTENSIONS 3ossl"
+.TH X509_REQ_GET_EXTENSIONS 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_REQ_get_extensions,
+X509_REQ_add_extensions, X509_REQ_add_extensions_nid
+\&\- handle X.509 extension attributes of a CSR
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509.h>
+\&
+\& STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req);
+\& int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts);
+\& int X509_REQ_add_extensions_nid(X509_REQ *req,
+\& const STACK_OF(X509_EXTENSION) *exts, int nid);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_REQ_get_extensions()\fR returns the first list of X.509 extensions
+found in the attributes of \fIreq\fR.
+The returned list is empty if there are no such extensions in \fIreq\fR.
+The caller is responsible for freeing the list obtained.
+.PP
+\&\fBX509_REQ_add_extensions_nid()\fR adds to \fIreq\fR a list of X.509 extensions \fIexts\fR,
+using \fInid\fR to identify the extensions attribute.
+\&\fIreq\fR is unchanged if \fIexts\fR is NULL or an empty list.
+This function may be called more than once on the same \fIreq\fR and \fInid\fR.
+In such case any previous extensions are augmented, where an extension to be
+added that has the same OID as a pre-existing one replaces this earlier one.
+.PP
+\&\fBX509_REQ_add_extensions()\fR is like \fBX509_REQ_add_extensions_nid()\fR
+except that the default \fBNID_ext_req\fR is used.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_REQ_get_extensions()\fR returns a pointer to \fBSTACK_OF(X509_EXTENSION)\fR
+or NULL on error.
+.PP
+\&\fBX509_REQ_add_extensions()\fR and \fBX509_REQ_add_extensions_nid()\fR
+return 1 on success, 0 on error.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3
index 089c25a20cc6..047a4c1413b2 100644
--- a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3
+++ b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_SIG_GET0 3ossl"
-.TH X509_SIG_GET0 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_SIG_GET0 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_SIG_get0, X509_SIG_getm \- DigestInfo functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -148,7 +72,7 @@ X509_SIG_get0, X509_SIG_getm \- DigestInfo functions
\& void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
\& ASN1_OCTET_STRING **pdigest);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_SIG_get0()\fR returns pointers to the algorithm identifier and digest
value in \fBsig\fR. \fBX509_SIG_getm()\fR is identical to \fBX509_SIG_get0()\fR
@@ -160,11 +84,11 @@ for example to initialise them.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3
new file mode 100644
index 000000000000..f5deef53ed7e
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_by_subject.3
@@ -0,0 +1,105 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_STORE_CTX_GET_BY_SUBJECT 3ossl"
+.TH X509_STORE_CTX_GET_BY_SUBJECT 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_STORE_CTX_get_by_subject,
+X509_STORE_CTX_get_obj_by_subject
+\&\- X509 and X509_CRL lookup functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509_vfy.h>
+\&
+\& int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
+\& X509_LOOKUP_TYPE type,
+\& const X509_NAME *name, X509_OBJECT *ret);
+\& X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
+\& X509_LOOKUP_TYPE type,
+\& const X509_NAME *name);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+\&\fBX509_STORE_CTX_get_by_subject()\fR tries to find an object
+of given \fItype\fR, which may be \fBX509_LU_X509\fR or \fBX509_LU_CRL\fR,
+and subject \fIname\fR from the store in the provided store context \fIvs\fR.
+If found and \fIret\fR is not NULL, it increments the reference count and
+stores the looked up object in \fIret\fR.
+.PP
+\&\fBX509_STORE_CTX_get_obj_by_subject()\fR is like \fBX509_STORE_CTX_get_by_subject()\fR
+but returns the found object on success, else NULL.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBX509_STORE_CTX_get_by_subject()\fR returns 1 if the lookup was successful, else 0.
+.PP
+\&\fBX509_STORE_CTX_get_obj_by_subject()\fR returns an object on success, else NULL.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_LOOKUP_meth_set_get_by_subject\fR\|(3),
+\&\fBX509_LOOKUP_by_subject\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3
index 977f4b19f8b7..79123de0e496 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_CTX_GET_ERROR 3ossl"
-.TH X509_STORE_CTX_GET_ERROR 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_CTX_GET_ERROR 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE_CTX_get_error, X509_STORE_CTX_set_error,
X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth,
X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert,
X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain,
X509_verify_cert_error_string \- get or set certificate verification status
information
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -160,25 +84,26 @@ information
\&
\& const char *X509_verify_cert_error_string(long n);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions are typically called after certificate or chain verification
using \fBX509_verify_cert\fR\|(3) or \fBX509_STORE_CTX_verify\fR\|(3) has indicated
an error or in a verification callback to determine the nature of an error.
.PP
-\&\fBX509_STORE_CTX_get_error()\fR returns the error code of \fIctx\fR.
-See the \*(L"\s-1ERROR CODES\*(R"\s0 section for a full description of all error codes.
+\&\fBX509_STORE_CTX_get_error()\fR returns the error code of \fIctx\fR. \fIctx\fR \fBMUST NOT\fR be NULL.
+See the "ERROR CODES" section for a full description of all error codes.
It may return a code != X509_V_OK even if \fBX509_verify_cert()\fR did not indicate
an error, likely because a verification callback function has waived the error.
.PP
\&\fBX509_STORE_CTX_set_error()\fR sets the error code of \fIctx\fR to \fIs\fR. For example
it might be used in a verification callback to set an error based on additional
-checks.
+checks. \fIctx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBX509_STORE_CTX_get_error_depth()\fR returns the \fIdepth\fR of the error. This is a
nonnegative integer representing where in the certificate chain the error
occurred. If it is zero it occurred in the end entity certificate, one if
it is the certificate which signed the end entity certificate and so on.
+\&\fIctx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBX509_STORE_CTX_set_error_depth()\fR sets the error \fIdepth\fR.
This can be used in combination with \fBX509_STORE_CTX_set_error()\fR to set the
@@ -186,7 +111,7 @@ depth at which an error condition was detected.
.PP
\&\fBX509_STORE_CTX_get_current_cert()\fR returns the current certificate in
\&\fIctx\fR. If an error occurred, the current certificate will be the one
-that is most closely related to the error, or possibly \s-1NULL\s0 if no such
+that is most closely related to the error, or possibly NULL if no such
certificate is relevant.
.PP
\&\fBX509_STORE_CTX_set_current_cert()\fR sets the certificate \fIx\fR in \fIctx\fR which
@@ -202,7 +127,8 @@ Once such a \fIsaved\fR certificate is no longer needed it can be freed with
\&\fBX509_free\fR\|(3).
.PP
\&\fBX509_STORE_CTX_get0_cert()\fR retrieves an internal pointer to the
-certificate being verified by the \fIctx\fR.
+certificate being verified by the \fIctx\fR. It may be NULL if a raw public
+key is being verified.
.PP
\&\fBX509_STORE_CTX_get1_chain()\fR returns a complete validate chain if a previous
verification is successful. Otherwise the returned chain may be incomplete or
@@ -210,7 +136,7 @@ invalid. The returned chain persists after the \fIctx\fR structure is freed.
When it is no longer needed it should be free up using:
.PP
.Vb 1
-\& sk_X509_pop_free(chain, X509_free);
+\& OSSL_STACK_OF_X509_free(chain);
.Ve
.PP
\&\fBX509_verify_cert_error_string()\fR returns a human readable error string for
@@ -222,7 +148,7 @@ verification error \fIn\fR.
\&\fBX509_STORE_CTX_get_error_depth()\fR returns a nonnegative error depth.
.PP
\&\fBX509_STORE_CTX_get_current_cert()\fR returns the certificate which caused the
-error or \s-1NULL\s0 if no certificate is relevant to the error.
+error or NULL if no certificate is relevant to the error.
.PP
\&\fBX509_verify_cert_error_string()\fR returns a human readable error string for
verification error \fIn\fR.
@@ -230,7 +156,7 @@ verification error \fIn\fR.
.IX Header "ERROR CODES"
A list of error codes and messages is shown below. Some of the
error codes are defined but currently never returned: these are described as
-\&\*(L"unused\*(R".
+"unused".
.IP "\fBX509_V_OK: ok\fR" 4
.IX Item "X509_V_OK: ok"
The operation was successful.
@@ -243,17 +169,17 @@ The issuer certificate of a locally looked up certificate could not be found.
This normally means the list of trusted certificates is not complete.
To allow any certificate (not only a self-signed one) in the trust store
to terminate the chain the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag may be set.
-.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4
+.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL"
-The \s-1CRL\s0 of a certificate could not be found.
+The CRL of a certificate could not be found.
.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
The certificate signature could not be decrypted. This means that the actual
signature value could not be determined rather than it not matching the
-expected value, this is only meaningful for \s-1RSA\s0 keys.
-.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
+expected value, this is only meaningful for RSA keys.
+.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
-The \s-1CRL\s0 signature could not be decrypted: this means that the actual signature
+The CRL signature could not be decrypted: this means that the actual signature
value could not be determined rather than it not matching the expected value.
Unused.
.IP "\fBX509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
@@ -263,9 +189,9 @@ not be read.
.IP "\fBX509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
.IX Item "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
The signature of the certificate is invalid.
-.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
+.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure\fR" 4
.IX Item "X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
-The signature of the \s-1CRL\s0 is invalid.
+The signature of the CRL is invalid.
.IP "\fBX509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
.IX Item "X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
The certificate is not yet valid: the \f(CW\*(C`notBefore\*(C'\fR date is after the
@@ -274,24 +200,24 @@ current time.
.IX Item "X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
The certificate has expired: that is the \f(CW\*(C`notAfter\*(C'\fR date is before the
current time.
-.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
+.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid\fR" 4
.IX Item "X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
-The \s-1CRL\s0 is not yet valid.
-.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
+The CRL is not yet valid.
+.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED: CRL has expired\fR" 4
.IX Item "X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
-The \s-1CRL\s0 has expired.
+The CRL has expired.
.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
The certificate \f(CW\*(C`notBefore\*(C'\fR field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
The certificate \f(CW\*(C`notAfter\*(C'\fR field contains an invalid time.
-.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
+.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
-The \s-1CRL\s0 \fBlastUpdate\fR field contains an invalid time.
-.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
+The CRL \fBlastUpdate\fR field contains an invalid time.
+.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
-The \s-1CRL\s0 \f(CW\*(C`nextUpdate\*(C'\fR field contains an invalid time.
+The CRL \f(CW\*(C`nextUpdate\*(C'\fR field contains an invalid time.
.IP "\fBX509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
.IX Item "X509_V_ERR_OUT_OF_MEM: out of memory"
An error occurred trying to allocate memory.
@@ -329,10 +255,10 @@ The basicConstraints path-length parameter has been exceeded.
The target certificate cannot be used for the specified purpose.
.IP "\fBX509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
.IX Item "X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
-The root \s-1CA\s0 is not marked as trusted for the specified purpose.
+The root CA is not marked as trusted for the specified purpose.
.IP "\fBX509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
.IX Item "X509_V_ERR_CERT_REJECTED: certificate rejected"
-The root \s-1CA\s0 is marked to reject the specified purpose.
+The root CA is marked to reject the specified purpose.
.IP "\fBX509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
.IX Item "X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
The current candidate issuer certificate was rejected because its subject name
@@ -351,21 +277,21 @@ the current certificate.
.IX Item "X509_V_ERR_KEYUSAGE_NO_CERTSIGN: key usage does not include certificate signing"
The current candidate issuer certificate was rejected because its \f(CW\*(C`keyUsage\*(C'\fR
extension does not permit certificate signing.
-.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get \s-1CRL\s0 issuer certificate\fR" 4
+.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: unable to get CRL issuer certificate"
-Unable to get \s-1CRL\s0 issuer certificate.
+Unable to get CRL issuer certificate.
.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension\fR" 4
.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: unhandled critical extension"
Unhandled critical extension.
-.IP "\fBX509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include \s-1CRL\s0 signing\fR" 4
+.IP "\fBX509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing\fR" 4
.IX Item "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: key usage does not include CRL signing"
-Key usage does not include \s-1CRL\s0 signing.
-.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical \s-1CRL\s0 extension\fR" 4
+Key usage does not include CRL signing.
+.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension\fR" 4
.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: unhandled critical CRL extension"
-Unhandled critical \s-1CRL\s0 extension.
-.IP "\fBX509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has \s-1CA\s0 markings)\fR" 4
+Unhandled critical CRL extension.
+.IP "\fBX509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)\fR" 4
.IX Item "X509_V_ERR_INVALID_NON_CA: invalid non-CA certificate (has CA markings)"
-Invalid non-CA certificate has \s-1CA\s0 markings.
+Invalid non-CA certificate has CA markings.
.IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded\fR" 4
.IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: proxy path length constraint exceeded"
Proxy path length constraint exceeded.
@@ -390,15 +316,15 @@ occurs if policy processing is enabled.
.IX Item "X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy"
The verification flags were set to require and explicit policy but none was
present.
-.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE: different \s-1CRL\s0 scope\fR" 4
+.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE: different CRL scope\fR" 4
.IX Item "X509_V_ERR_DIFFERENT_CRL_SCOPE: different CRL scope"
The only CRLs that could be found did not match the scope of the certificate.
.IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: unsupported extension feature"
Some feature of a certificate extension is not supported. Unused.
-.IP "\fBX509_V_ERR_UNNESTED_RESOURCE: \s-1RFC 3779\s0 resource not subset of parent's resources\fR" 4
+.IP "\fBX509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources\fR" 4
.IX Item "X509_V_ERR_UNNESTED_RESOURCE: RFC 3779 resource not subset of parent's resources"
-See \s-1RFC 3779\s0 for details.
+See RFC 3779 for details.
.IP "\fBX509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation\fR" 4
.IX Item "X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation"
A name constraint violation occurred in the permitted subtrees.
@@ -416,19 +342,19 @@ set by an application callback.
.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type"
An unsupported name constraint type was encountered. OpenSSL currently only
-supports directory name, \s-1DNS\s0 name, email and \s-1URI\s0 types.
+supports directory name, DNS name, email and URI types.
.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax"
The format of the name constraint is not recognised: for example an email
-address format of a form not mentioned in \s-1RFC3280.\s0 This could be caused by
+address format of a form not mentioned in RFC3280. This could be caused by
a garbage extension or some new feature not currently supported.
.IP "\fBX509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: unsupported or invalid name syntax"
Unsupported or invalid name syntax.
-.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR: \s-1CRL\s0 path validation error\fR" 4
+.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error\fR" 4
.IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error"
-An error occurred when attempting to verify the \s-1CRL\s0 path. This error can only
-happen if extended \s-1CRL\s0 checking is enabled.
+An error occurred when attempting to verify the CRL path. This error can only
+happen if extended CRL checking is enabled.
.IP "\fBX509_V_ERR_PATH_LOOP: path loop\fR" 4
.IX Item "X509_V_ERR_PATH_LOOP: path loop"
Path loop.
@@ -438,23 +364,23 @@ Hostname mismatch.
.IP "\fBX509_V_ERR_EMAIL_MISMATCH: email address mismatch\fR" 4
.IX Item "X509_V_ERR_EMAIL_MISMATCH: email address mismatch"
Email address mismatch.
-.IP "\fBX509_V_ERR_IP_ADDRESS_MISMATCH: \s-1IP\s0 address mismatch\fR" 4
+.IP "\fBX509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch\fR" 4
.IX Item "X509_V_ERR_IP_ADDRESS_MISMATCH: IP address mismatch"
-\&\s-1IP\s0 address mismatch.
-.IP "\fBX509_V_ERR_DANE_NO_MATCH: no matching \s-1DANE TLSA\s0 records\fR" 4
+IP address mismatch.
+.IP "\fBX509_V_ERR_DANE_NO_MATCH: no matching DANE TLSA records\fR" 4
.IX Item "X509_V_ERR_DANE_NO_MATCH: no matching DANE TLSA records"
-\&\s-1DANE TLSA\s0 authentication is enabled, but no \s-1TLSA\s0 records matched the
+DANE TLSA authentication is enabled, but no TLSA records matched the
certificate chain.
This error is only possible in \fBopenssl\-s_client\fR\|(1).
-.IP "\fBX509_V_ERR_EE_KEY_TOO_SMALL: \s-1EE\s0 certificate key too weak\fR" 4
+.IP "\fBX509_V_ERR_EE_KEY_TOO_SMALL: EE certificate key too weak\fR" 4
.IX Item "X509_V_ERR_EE_KEY_TOO_SMALL: EE certificate key too weak"
-\&\s-1EE\s0 certificate key too weak.
-.IP "\fBX509_V_ERR_CA_KEY_TOO_SMALL: \s-1CA\s0 certificate key too weak\fR" 4
+EE certificate key too weak.
+.IP "\fBX509_V_ERR_CA_KEY_TOO_SMALL: CA certificate key too weak\fR" 4
.IX Item "X509_V_ERR_CA_KEY_TOO_SMALL: CA certificate key too weak"
-\&\s-1CA\s0 certificate key too weak.
-.IP "\fBX509_V_ERR_CA_MD_TOO_WEAK: \s-1CA\s0 signature digest algorithm too weak\fR" 4
+CA certificate key too weak.
+.IP "\fBX509_V_ERR_CA_MD_TOO_WEAK: CA signature digest algorithm too weak\fR" 4
.IX Item "X509_V_ERR_CA_MD_TOO_WEAK: CA signature digest algorithm too weak"
-\&\s-1CA\s0 signature digest algorithm too weak.
+CA signature digest algorithm too weak.
.IP "\fBX509_V_ERR_INVALID_CALL: invalid certificate verification context\fR" 4
.IX Item "X509_V_ERR_INVALID_CALL: invalid certificate verification context"
Invalid certificate verification context.
@@ -467,16 +393,16 @@ Certificate Transparency required, but no valid SCTs found.
.IP "\fBX509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: proxy subject name violation\fR" 4
.IX Item "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION: proxy subject name violation"
Proxy subject name violation.
-.IP "\fBX509_V_ERR_OCSP_VERIFY_NEEDED: \s-1OCSP\s0 verification needed\fR" 4
+.IP "\fBX509_V_ERR_OCSP_VERIFY_NEEDED: OCSP verification needed\fR" 4
.IX Item "X509_V_ERR_OCSP_VERIFY_NEEDED: OCSP verification needed"
-Returned by the verify callback to indicate an \s-1OCSP\s0 verification is needed.
-.IP "\fBX509_V_ERR_OCSP_VERIFY_FAILED: \s-1OCSP\s0 verification failed\fR" 4
+Returned by the verify callback to indicate an OCSP verification is needed.
+.IP "\fBX509_V_ERR_OCSP_VERIFY_FAILED: OCSP verification failed\fR" 4
.IX Item "X509_V_ERR_OCSP_VERIFY_FAILED: OCSP verification failed"
-Returned by the verify callback to indicate \s-1OCSP\s0 verification failed.
-.IP "\fBX509_V_ERR_OCSP_CERT_UNKNOWN: \s-1OCSP\s0 unknown cert\fR" 4
+Returned by the verify callback to indicate OCSP verification failed.
+.IP "\fBX509_V_ERR_OCSP_CERT_UNKNOWN: OCSP unknown cert\fR" 4
.IX Item "X509_V_ERR_OCSP_CERT_UNKNOWN: OCSP unknown cert"
Returned by the verify callback to indicate that the certificate is not
-recognized by the \s-1OCSP\s0 responder.
+recognized by the OCSP responder.
.IP "\fBX509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM: unsupported signature algorithm\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM: unsupported signature algorithm"
Cannot find certificate signature algorithm.
@@ -488,24 +414,28 @@ the subject's certificate.
.IX Item "X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY: cert info signature and signature algorithm mismatch"
The algorithm given in the certificate info is inconsistent
with the one used for the certificate signature.
-.IP "\fBX509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
+.IP "\fBX509_V_ERR_INVALID_CA: invalid CA certificate\fR" 4
.IX Item "X509_V_ERR_INVALID_CA: invalid CA certificate"
-A \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not
+A CA certificate is invalid. Either it is not a CA or its extensions are not
consistent with the supplied purpose.
-.SH "NOTES"
+.IP "\fBX509_V_ERR_RPK_UNTRUSTED: raw public key untrusted, no trusted keys configured\fR" 4
+.IX Item "X509_V_ERR_RPK_UNTRUSTED: raw public key untrusted, no trusted keys configured"
+No TLS records were configured to validate the raw public key, or DANE was not
+enabled on the connection.
+.SH NOTES
.IX Header "NOTES"
The above functions should be used instead of directly referencing the fields
in the \fBX509_VERIFY_CTX\fR structure.
.PP
In versions of OpenSSL before 1.0 the current certificate returned by
-\&\fBX509_STORE_CTX_get_current_cert()\fR was never \s-1NULL.\s0 Applications should
+\&\fBX509_STORE_CTX_get_current_cert()\fR was never NULL. Applications should
check the return value before printing out any debugging information relating
to the current certificate.
.PP
If an unrecognised error code is passed to \fBX509_verify_cert_error_string()\fR the
numerical value of the unknown code is returned in a static buffer. This is not
thread safe but will never happen unless an invalid code is passed.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
Previous versions of this documentation swapped the meaning of the
\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and
@@ -515,11 +445,11 @@ Previous versions of this documentation swapped the meaning of the
\&\fBX509_verify_cert\fR\|(3), \fBX509_STORE_CTX_verify\fR\|(3),
\&\fBX509_up_ref\fR\|(3),
\&\fBX509_free\fR\|(3).
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2009\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3
index 29a519f2d05a..068f65c872f3 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,26 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_CTX_NEW 3ossl"
-.TH X509_STORE_CTX_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_CTX_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE_CTX_new_ex, X509_STORE_CTX_new, X509_STORE_CTX_cleanup,
-X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack,
+X509_STORE_CTX_free, X509_STORE_CTX_init,
+X509_STORE_CTX_init_rpk,
+X509_STORE_CTX_set0_trusted_stack,
X509_STORE_CTX_set_cert, X509_STORE_CTX_set0_crls,
+X509_STORE_CTX_set0_rpk,
X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param,
X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
X509_STORE_CTX_get_num_untrusted,
X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain,
+X509_STORE_CTX_get0_rpk,
X509_STORE_CTX_set_default,
X509_STORE_CTX_set_verify,
X509_STORE_CTX_verify_fn,
@@ -151,7 +79,7 @@ X509_STORE_CTX_set_purpose,
X509_STORE_CTX_set_trust,
X509_STORE_CTX_purpose_inherit
\&\- X509_STORE_CTX initialisation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -163,11 +91,14 @@ X509_STORE_CTX_purpose_inherit
\&
\& int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
\& X509 *target, STACK_OF(X509) *untrusted);
+\& int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *trust_store,
+\& EVP_PKEY *rpk);
\&
\& void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
\&
\& void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
\& void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
+\& void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target);
\&
\& X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(const X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
@@ -178,6 +109,7 @@ X509_STORE_CTX_purpose_inherit
\& int X509_STORE_CTX_get_num_untrusted(const X509_STORE_CTX *ctx);
\& STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain);
+\& EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx);
\&
\& int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
\& typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
@@ -188,7 +120,7 @@ X509_STORE_CTX_purpose_inherit
\& int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
\& int purpose, int trust);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions initialise an \fBX509_STORE_CTX\fR structure for subsequent use
by \fBX509_verify_cert\fR\|(3) or \fBX509_STORE_CTX_verify\fR\|(3).
@@ -200,26 +132,34 @@ processing with the X509_STORE_CTX will use that library context and property
query string.
.PP
\&\fBX509_STORE_CTX_new()\fR is the same as \fBX509_STORE_CTX_new_ex()\fR except that
-the default library context and a \s-1NULL\s0 property query string are used.
+the default library context and a NULL property query string are used.
.PP
\&\fBX509_STORE_CTX_cleanup()\fR internally cleans up an \fBX509_STORE_CTX\fR structure.
It is used by \fBX509_STORE_CTX_init()\fR and \fBX509_STORE_CTX_free()\fR.
.PP
\&\fBX509_STORE_CTX_free()\fR completely frees up \fIctx\fR. After this call \fIctx\fR
is no longer valid.
-If \fIctx\fR is \s-1NULL\s0 nothing is done.
+If \fIctx\fR is NULL nothing is done.
.PP
+\&\fBX509_STORE_CTX_init()\fR sets up \fIctx\fR for a subsequent verification operation.
+.PP
+\&\fBX509_STORE_CTX_init()\fR initializes the internal state and resources of the
+given \fIctx\fR. Among others, it sets the verification parameters associated
+with the method name \f(CW\*(C`default\*(C'\fR, which includes the \f(CW\*(C`any\*(C'\fR purpose,
+and takes over callback function pointers from \fItrust_store\fR (unless NULL).
It must be called before each call to \fBX509_verify_cert\fR\|(3) or
\&\fBX509_STORE_CTX_verify\fR\|(3), i.e., a context is only good for one verification.
If you want to verify a further certificate or chain with the same \fIctx\fR
then you must call \fBX509_STORE_CTX_init()\fR again.
The trusted certificate store is set to \fItrust_store\fR of type \fBX509_STORE\fR.
-This may be \s-1NULL\s0 because there are no trusted certificates or because
+This may be NULL because there are no trusted certificates or because
they are provided simply as a list using \fBX509_STORE_CTX_set0_trusted_stack()\fR.
The certificate to be verified is set to \fItarget\fR,
and a list of additional certificates may be provided in \fIuntrusted\fR,
which will be untrusted but may be used to build the chain.
-Each of the \fItrust_store\fR, \fItarget\fR and \fIuntrusted\fR parameters can be \s-1NULL.\s0
+The \fItarget\fR certificate is not copied (its reference count is not updated),
+and the caller must not free it before verification is complete.
+Each of the \fItrust_store\fR, \fItarget\fR and \fIuntrusted\fR parameters can be NULL.
Yet note that \fBX509_verify_cert\fR\|(3) and \fBX509_STORE_CTX_verify\fR\|(3)
will need a verification target.
This can also be set using \fBX509_STORE_CTX_set_cert()\fR.
@@ -227,6 +167,14 @@ For \fBX509_STORE_CTX_verify\fR\|(3), which takes by default the first element o
list of untrusted certificates as its verification target,
this can be also set indirectly using \fBX509_STORE_CTX_set0_untrusted()\fR.
.PP
+\&\fBX509_STORE_CTX_init_rpk()\fR sets up \fIctx\fR for a subsequent verification
+operation for the \fItarget\fR raw public key.
+It behaves similarly to \fBX509_STORE_CTX_init()\fR.
+The \fItarget\fR raw public key can also be supplied separately, via
+\&\fBX509_STORE_CTX_set0_rpk()\fR.
+The \fItarget\fR public key is not copied (its reference count is not updated),
+and the caller must not free it before verification is complete.
+.PP
\&\fBX509_STORE_CTX_set0_trusted_stack()\fR sets the set of trusted certificates of
\&\fIctx\fR to \fIsk\fR. This is an alternative way of specifying trusted certificates
instead of using an \fBX509_STORE\fR where its complexity is not needed
@@ -234,6 +182,14 @@ or to make sure that only the given set \fIsk\fR of certificates are trusted.
.PP
\&\fBX509_STORE_CTX_set_cert()\fR sets the target certificate to be verified in \fIctx\fR
to \fItarget\fR.
+The target certificate is not copied (its reference count is not updated),
+and the caller must not free it before verification is complete.
+.PP
+\&\fBX509_STORE_CTX_set0_rpk()\fR sets the target raw public key to be verified in \fIctx\fR
+to \fItarget\fR, a non-NULL raw public key preempts any target certificate, which
+is then ignored.
+The \fItarget\fR public key is not copied (its reference count is not updated),
+and the caller must not free it before verification is complete.
.PP
\&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain to \fIchain\fR.
Ownership of the chain is transferred to \fIctx\fR,
@@ -242,10 +198,13 @@ and so it should not be free'd by the caller.
\&\fBX509_STORE_CTX_get0_chain()\fR returns the internal pointer used by the
\&\fIctx\fR that contains the constructed (output) chain.
.PP
+\&\fBX509_STORE_CTX_get0_rpk()\fR returns the internal pointer used by the
+\&\fIctx\fR that contains the raw public key.
+.PP
\&\fBX509_STORE_CTX_set0_crls()\fR sets a set of CRLs to use to aid certificate
-verification to \fIsk\fR. These CRLs will only be used if \s-1CRL\s0 verification is
+verification to \fIsk\fR. These CRLs will only be used if CRL verification is
enabled in the associated \fBX509_VERIFY_PARAM\fR structure. This might be
-used where additional \*(L"useful\*(R" CRLs are supplied as part of a protocol,
+used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.
.PP
\&\fBX509_STORE_CTX_get0_param()\fR retrieves an internal pointer
@@ -271,20 +230,21 @@ With \fBX509_STORE_CTX_verify\fR\|(3), this does not count the first chain eleme
\&\fIctx\fR that contains the validated chain.
.PP
Details of the chain building and checking process are described in
-\&\*(L"Certification Path Building\*(R" in \fBopenssl\-verification\-options\fR\|(1) and
-\&\*(L"Certification Path Validation\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+"Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1) and
+"Certification Path Validation" in \fBopenssl\-verification\-options\fR\|(1).
.PP
\&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain used
by \fIctx\fR to be \fIchain\fR.
Ownership of the chain is transferred to \fIctx\fR,
and so it should not be free'd by the caller.
.PP
-\&\fBX509_STORE_CTX_set_default()\fR looks up and sets the default verification
-method to \fIname\fR. This uses the function \fBX509_VERIFY_PARAM_lookup()\fR to
-find an appropriate set of parameters from the purpose identifier \fIname\fR.
-Currently defined purposes are \f(CW\*(C`sslclient\*(C'\fR, \f(CW\*(C`sslserver\*(C'\fR, \f(CW\*(C`nssslserver\*(C'\fR,
-\&\f(CW\*(C`smimesign\*(C'\fR, \f(CW\*(C`smimeencrypt\*(C'\fR, \f(CW\*(C`crlsign\*(C'\fR, \f(CW\*(C`ocsphelper\*(C'\fR, \f(CW\*(C`timestampsign\*(C'\fR,
-and \f(CW\*(C`any\*(C'\fR.
+\&\fBX509_STORE_CTX_set_default()\fR looks up and sets the default verification method.
+This uses the function \fBX509_VERIFY_PARAM_lookup()\fR to find
+the set of parameters associated with the given verification method \fIname\fR.
+Among others, the parameters determine the trust model and verification purpose.
+More detail, including the list of currently predefined methods,
+is described for the \fB\-verify_name\fR command-line option
+in "Verification Options" in \fBopenssl\-verification\-options\fR\|(1).
.PP
\&\fBX509_STORE_CTX_set_verify()\fR provides the capability for overriding the default
verify function. This function is responsible for verifying chain signatures and
@@ -301,21 +261,21 @@ This function should receive the current X509_STORE_CTX as a parameter and
return 1 on success or 0 on failure.
.PP
X509 certificates may contain information about what purposes keys contained
-within them can be used for. For example \*(L"\s-1TLS WWW\s0 Server Authentication\*(R" or
-\&\*(L"Email Protection\*(R". This \*(L"key usage\*(R" information is held internally to the
+within them can be used for. For example "TLS WWW Server Authentication" or
+"Email Protection". This "key usage" information is held internally to the
certificate itself. In addition the trust store containing trusted certificates
-can declare what purposes we trust different certificates for. This \*(L"trust\*(R"
-information is not held within the certificate itself but is \*(L"meta\*(R" information
-held alongside it. This \*(L"meta\*(R" information is associated with the certificate
+can declare what purposes we trust different certificates for. This "trust"
+information is not held within the certificate itself but is "meta" information
+held alongside it. This "meta" information is associated with the certificate
after it is issued and could be determined by a system administrator. For
example a certificate might declare that it is suitable for use for both
-\&\*(L"\s-1TLS WWW\s0 Server Authentication\*(R" and \*(L"\s-1TLS\s0 Client Authentication\*(R", but a system
+"TLS WWW Server Authentication" and "TLS Client Authentication", but a system
administrator might only trust it for the former. An X.509 certificate extension
exists that can record extended key usage information to supplement the purpose
information described above. This extended mechanism is arbitrarily extensible
-and not well suited for a generic library \s-1API\s0; applications that need to
+and not well suited for a generic library API; applications that need to
validate extended key usage information in certificates will need to define a
-custom \*(L"purpose\*(R" (see below) or supply a nondefault verification callback
+custom "purpose" (see below) or supply a nondefault verification callback
(\fBX509_STORE_set_verify_cb_func\fR\|(3)).
.PP
\&\fBX509_STORE_CTX_set_purpose()\fR sets the purpose for the target certificate being
@@ -323,14 +283,18 @@ verified in the \fIctx\fR. Built-in available values for the \fIpurpose\fR argum
are \fBX509_PURPOSE_SSL_CLIENT\fR, \fBX509_PURPOSE_SSL_SERVER\fR,
\&\fBX509_PURPOSE_NS_SSL_SERVER\fR, \fBX509_PURPOSE_SMIME_SIGN\fR,
\&\fBX509_PURPOSE_SMIME_ENCRYPT\fR, \fBX509_PURPOSE_CRL_SIGN\fR, \fBX509_PURPOSE_ANY\fR,
-\&\fBX509_PURPOSE_OCSP_HELPER\fR and \fBX509_PURPOSE_TIMESTAMP_SIGN\fR. It is also
-possible to create a custom purpose value. Setting a purpose will ensure that
-the key usage declared within certificates in the chain being verified is
-consistent with that purpose as well as, potentially, other checks. Every
-purpose also has an associated default trust value which will also be set at the
-same time. During verification this trust setting will be verified to check it
-is consistent with the trust set by the system administrator for certificates in
-the chain.
+\&\fBX509_PURPOSE_OCSP_HELPER\fR, \fBX509_PURPOSE_TIMESTAMP_SIGN\fR and
+\&\fBX509_PURPOSE_CODE_SIGN\fR. It is also
+possible to create a custom purpose value. Setting a purpose requests that
+the key usage and extended key usage (EKU) extensions optionally declared within
+the certificate and its chain are verified to be consistent with that purpose.
+For SSL client, SSL server, and S/MIME purposes, the EKU is checked also for the
+CA certificates along the chain, including any given trust anchor certificate.
+Potentially also further checks are done (depending on the purpose given).
+Every purpose also has an associated default trust value, which will also be set
+at the same time. During verification, this trust setting will be verified
+to check whether it is consistent with the trust set by the system administrator
+for certificates in the chain.
.PP
\&\fBX509_STORE_CTX_set_trust()\fR sets the trust value for the target certificate
being verified in the \fIctx\fR. Built-in available values for the \fItrust\fR
@@ -348,7 +312,7 @@ It should not normally be necessary for end user applications to call
\&\fBX509_STORE_CTX_set_purpose()\fR or \fBX509_STORE_CTX_set_trust()\fR instead. Using this
function it is possible to set the purpose and trust values for the \fIctx\fR at
the same time.
-Both \fIctx\fR and its internal verification parameter pointer must not be \s-1NULL.\s0
+Both \fIctx\fR and its internal verification parameter pointer must not be NULL.
The \fIdef_purpose\fR and \fIpurpose\fR arguments can have the same
purpose values as described for \fBX509_STORE_CTX_set_purpose()\fR above. The \fItrust\fR
argument can have the same trust values as described in
@@ -362,24 +326,28 @@ If \fItrust\fR is 0 then the trust value will be set from
the default trust value for \fIpurpose\fR. If the default trust value for the
purpose is \fIX509_TRUST_DEFAULT\fR and \fItrust\fR is 0 then the default trust value
associated with the \fIdef_purpose\fR value is used for the trust setting instead.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The certificates and CRLs in a store are used internally and should \fBnot\fR
be freed up until after the associated \fBX509_STORE_CTX\fR is freed.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The certificates and CRLs in a context are used internally and should \fBnot\fR
be freed up until after the associated \fBX509_STORE_CTX\fR is freed. Copies
should be made or reference counts increased instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_STORE_CTX_new()\fR returns a newly allocated context or \s-1NULL\s0 if an
+\&\fBX509_STORE_CTX_new()\fR returns a newly allocated context or NULL if an
error occurred.
.PP
-\&\fBX509_STORE_CTX_init()\fR returns 1 for success or 0 if an error occurred.
+\&\fBX509_STORE_CTX_init()\fR and \fBX509_STORE_CTX_init_rpk()\fR return 1 for success
+or 0 if an error occurred.
.PP
\&\fBX509_STORE_CTX_get0_param()\fR returns a pointer to an \fBX509_VERIFY_PARAM\fR
-structure or \s-1NULL\s0 if an error occurred.
+structure or NULL if an error occurred.
+.PP
+\&\fBX509_STORE_CTX_get0_rpk()\fR returns a pointer to an \fBEVP_PKEY\fR structure if
+present, or NULL if absent.
.PP
\&\fBX509_STORE_CTX_cleanup()\fR, \fBX509_STORE_CTX_free()\fR,
\&\fBX509_STORE_CTX_set0_trusted_stack()\fR,
@@ -395,18 +363,20 @@ used.
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3), \fBX509_STORE_CTX_verify\fR\|(3),
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_STORE_CTX_set0_crls()\fR function was added in OpenSSL 1.0.0.
The \fBX509_STORE_CTX_get_num_untrusted()\fR function was added in OpenSSL 1.1.0.
The \fBX509_STORE_CTX_new_ex()\fR function was added in OpenSSL 3.0.
+The \fBX509_STORE_CTX_init_rpk()\fR, \fBX509_STORE_CTX_get0_rpk()\fR, and
+\&\fBX509_STORE_CTX_set0_rpk()\fR functions were added in OpenSSL 3.2.
.PP
There is no need to call \fBX509_STORE_CTX_cleanup()\fR explicitly since OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2009\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3
index 147e5078e0c5..3aa311ce5183 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_CTX_SET_VERIFY_CB 3ossl"
-.TH X509_STORE_CTX_SET_VERIFY_CB 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_CTX_SET_VERIFY_CB 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE_CTX_get_cleanup,
X509_STORE_CTX_get_lookup_crls,
X509_STORE_CTX_get_lookup_certs,
@@ -144,15 +68,17 @@ X509_STORE_CTX_get_check_policy,
X509_STORE_CTX_get_cert_crl,
X509_STORE_CTX_get_check_crl,
X509_STORE_CTX_get_get_crl,
+X509_STORE_CTX_set_get_crl,
X509_STORE_CTX_get_check_revocation,
X509_STORE_CTX_get_check_issued,
X509_STORE_CTX_get_get_issuer,
X509_STORE_CTX_get_verify_cb,
X509_STORE_CTX_set_verify_cb,
X509_STORE_CTX_verify_cb,
-X509_STORE_CTX_print_verify_cb
+X509_STORE_CTX_print_verify_cb,
+X509_STORE_CTX_set_current_reasons
\&\- get and set X509_STORE_CTX components such as verification callback
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -168,15 +94,22 @@ X509_STORE_CTX_print_verify_cb
\& X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
+\&
\& X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
+\&
+\& void X509_STORE_CTX_set_get_crl(X509_STORE_CTX *ctx,
+\& X509_STORE_CTX_get_crl_fn get_crl);
+\&
\& X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
+\& void X509_STORE_CTX_set_current_reasons(X509_STORE_CTX *ctx,
+\& unsigned int current_reasons);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_STORE_CTX_set_verify_cb()\fR sets the verification callback of \fBctx\fR to
\&\fBverify_cb\fR overwriting any existing callback.
@@ -217,14 +150,25 @@ for the specific \fBctx\fR.
and \fBX509_STORE_CTX_get_cleanup()\fR return the function pointers cached
from the corresponding \fBX509_STORE\fR, please see
\&\fBX509_STORE_set_verify\fR\|(3) for more information.
-.SH "WARNINGS"
+.PP
+\&\fBX509_STORE_CTX_set_get_crl()\fR sets the function to get the crl for a given
+certificate \fIx\fR.
+When found, the crl must be assigned to \fI*crl\fR.
+This function must return 0 on failure and 1 on success.
+\&\fIIf no function to get the issuer is provided, the internal default
+function will be used instead.\fR
+.PP
+\&\fBX509_STORE_CTX_set_current_reasons()\fR is used in conjunction with
+X509_STORE_CTX_get_crl_fn. The X509_STORE_CTX_get_crl_fn callback must
+use this method to set the reason why the certificate is invalid.
+.SH WARNINGS
.IX Header "WARNINGS"
-In general a verification callback should \fB\s-1NOT\s0\fR unconditionally return 1 in
+In general a verification callback should \fBNOT\fR unconditionally return 1 in
all circumstances because this will allow verification to succeed no matter
what the error. This effectively removes all security from the application
because \fBany\fR certificate (including untrusted generated ones) will be
accepted.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The verification callback can be set and inherited from the parent structure
performing the operation. In some cases (such as S/MIME verification) the
@@ -234,7 +178,7 @@ associated \fBX509_STORE\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_CTX_set_verify_cb()\fR does not return a value.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
Default callback operation:
.PP
@@ -275,7 +219,7 @@ expired just one specific case:
.Ve
.PP
Full featured logging callback. In this case the \fBbio_err\fR is assumed to be
-a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in \fBctx\fR using
+a global logging \fBBIO\fR, an alternative would to store a BIO in \fBctx\fR using
\&\fBex_data\fR.
.PP
.Vb 4
@@ -334,7 +278,7 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in
\&\fBX509_STORE_CTX_get_error\fR\|(3)
\&\fBX509_STORE_set_verify_cb_func\fR\|(3)
\&\fBX509_STORE_CTX_get_ex_new_index\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The
\&\fBX509_STORE_CTX_get_get_issuer()\fR,
@@ -345,11 +289,11 @@ The
and \fBX509_STORE_CTX_get_cleanup()\fR functions were added in OpenSSL 1.1.0.
.PP
\&\fBX509_STORE_CTX_print_verify_cb()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3
index 28810ca07fa3..26cf4901a596 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_ADD_CERT 3ossl"
-.TH X509_STORE_ADD_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_ADD_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE,
X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth,
X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust,
@@ -146,40 +70,40 @@ X509_STORE_load_store_ex, X509_STORE_load_store,
X509_STORE_set_default_paths_ex, X509_STORE_set_default_paths,
X509_STORE_load_locations_ex, X509_STORE_load_locations
\&\- X509_STORE manipulation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& typedef x509_store_st X509_STORE;
\&
-\& int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
-\& int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
+\& int X509_STORE_add_cert(X509_STORE *xs, X509 *x);
+\& int X509_STORE_add_crl(X509_STORE *xs, X509_CRL *x);
\& int X509_STORE_set_depth(X509_STORE *store, int depth);
-\& int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
-\& int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
-\& int X509_STORE_set_trust(X509_STORE *ctx, int trust);
+\& int X509_STORE_set_flags(X509_STORE *xs, unsigned long flags);
+\& int X509_STORE_set_purpose(X509_STORE *xs, int purpose);
+\& int X509_STORE_set_trust(X509_STORE *xs, int trust);
\&
\& X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store,
\& X509_LOOKUP_METHOD *meth);
\&
-\& int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
+\& int X509_STORE_set_default_paths_ex(X509_STORE *xs, OSSL_LIB_CTX *libctx,
\& const char *propq);
-\& int X509_STORE_set_default_paths(X509_STORE *ctx);
-\& int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
+\& int X509_STORE_set_default_paths(X509_STORE *xs);
+\& int X509_STORE_load_file_ex(X509_STORE *xs, const char *file,
\& OSSL_LIB_CTX *libctx, const char *propq);
-\& int X509_STORE_load_file(X509_STORE *ctx, const char *file);
-\& int X509_STORE_load_path(X509_STORE *ctx, const char *dir);
-\& int X509_STORE_load_store_ex(X509_STORE *ctx, const char *uri,
+\& int X509_STORE_load_file(X509_STORE *xs, const char *file);
+\& int X509_STORE_load_path(X509_STORE *xs, const char *dir);
+\& int X509_STORE_load_store_ex(X509_STORE *xs, const char *uri,
\& OSSL_LIB_CTX *libctx, const char *propq);
-\& int X509_STORE_load_store(X509_STORE *ctx, const char *uri);
-\& int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
+\& int X509_STORE_load_store(X509_STORE *xs, const char *uri);
+\& int X509_STORE_load_locations_ex(X509_STORE *xs, const char *file,
\& const char *dir, OSSL_LIB_CTX *libctx,
\& const char *propq);
-\& int X509_STORE_load_locations(X509_STORE *ctx,
+\& int X509_STORE_load_locations(X509_STORE *xs,
\& const char *file, const char *dir);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBX509_STORE\fR structure is intended to be a consolidated mechanism for
holding information about X.509 certificates and CRLs, and constructing
@@ -189,8 +113,8 @@ with large numbers of certificates, and a great deal of flexibility in
how validation and policy checks are performed.
.PP
Details of the chain building and checking process are described in
-\&\*(L"Certification Path Building\*(R" in \fBopenssl\-verification\-options\fR\|(1) and
-\&\*(L"Certification Path Validation\*(R" in \fBopenssl\-verification\-options\fR\|(1).
+"Certification Path Building" in \fBopenssl\-verification\-options\fR\|(1) and
+"Certification Path Validation" in \fBopenssl\-verification\-options\fR\|(1).
.PP
\&\fBX509_STORE_new\fR\|(3) creates an empty \fBX509_STORE\fR structure, which contains
no information about trusted certificates or where such certificates
@@ -223,7 +147,7 @@ is no longer needed.
\&\fBX509_STORE_set_trust()\fR, and \fBX509_STORE_set1_param()\fR set the default values
for the corresponding values used in certificate chain validation. Their
behavior is documented in the corresponding \fBX509_VERIFY_PARAM\fR manual
-pages, e.g., \fBX509_VERIFY_PARAM_set_depth\fR\|(3).
+pages, e.g., \fBX509_VERIFY_PARAM_set_depth\fR\|(3). The \fBX509_STORE\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBX509_STORE_add_lookup()\fR finds or creates a \fBX509_LOOKUP\fR\|(3) with the
\&\fBX509_LOOKUP_METHOD\fR\|(3) \fImeth\fR and adds it to the \fBX509_STORE\fR
@@ -235,7 +159,7 @@ pages, e.g., \fBX509_VERIFY_PARAM_set_depth\fR\|(3).
query \fIpropq\fR are used when fetching algorithms from providers.
.PP
\&\fBX509_STORE_load_file()\fR is similar to \fBX509_STORE_load_file_ex()\fR but
-uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBX509_STORE_load_path()\fR loads trusted certificate(s) into an
\&\fBX509_STORE\fR from a given directory path.
@@ -243,11 +167,11 @@ The certificates in the directory must be in hashed form, as
documented in \fBX509_LOOKUP_hash_dir\fR\|(3).
.PP
\&\fBX509_STORE_load_store_ex()\fR loads trusted certificate(s) into an
-\&\fBX509_STORE\fR from a store at a given \s-1URI.\s0 The library context \fIlibctx\fR and
+\&\fBX509_STORE\fR from a store at a given URI. The library context \fIlibctx\fR and
property query \fIpropq\fR are used when fetching algorithms from providers.
.PP
\&\fBX509_STORE_load_store()\fR is similar to \fBX509_STORE_load_store_ex()\fR but
-uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBX509_STORE_load_locations_ex()\fR combines
\&\fBX509_STORE_load_file_ex()\fR and \fBX509_STORE_load_path()\fR for a given file
@@ -256,7 +180,7 @@ It is permitted to specify just a file, just a directory, or both
paths.
.PP
\&\fBX509_STORE_load_locations()\fR is similar to \fBX509_STORE_load_locations_ex()\fR
-but uses \s-1NULL\s0 for the library context \fIlibctx\fR and property query \fIpropq\fR.
+but uses NULL for the library context \fIlibctx\fR and property query \fIpropq\fR.
.PP
\&\fBX509_STORE_set_default_paths_ex()\fR is somewhat misnamed, in that it does
not set what default paths should be used for loading certificates. Instead,
@@ -265,7 +189,7 @@ paths. The library context \fIlibctx\fR and property query \fIpropq\fR are used
fetching algorithms from providers.
.PP
\&\fBX509_STORE_set_default_paths()\fR is similar to
-\&\fBX509_STORE_set_default_paths_ex()\fR but uses \s-1NULL\s0 for the library
+\&\fBX509_STORE_set_default_paths_ex()\fR but uses NULL for the library
context \fIlibctx\fR and property query \fIpropq\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -279,23 +203,23 @@ context \fIlibctx\fR and property query \fIpropq\fR.
return 1 on success or 0 on failure.
.PP
\&\fBX509_STORE_add_lookup()\fR returns the found or created
-\&\fBX509_LOOKUP\fR\|(3), or \s-1NULL\s0 on error.
+\&\fBX509_LOOKUP\fR\|(3), or NULL on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_LOOKUP_hash_dir\fR\|(3).
\&\fBX509_VERIFY_PARAM_set_depth\fR\|(3).
\&\fBX509_STORE_new\fR\|(3),
\&\fBX509_STORE_get0_param\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBX509_STORE_set_default_paths_ex()\fR,
\&\fBX509_STORE_load_file_ex()\fR, \fBX509_STORE_load_store_ex()\fR and
\&\fBX509_STORE_load_locations_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3
index 75b3fac44427..f9390d10919d 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,100 +52,46 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_GET0_PARAM 3ossl"
-.TH X509_STORE_GET0_PARAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_GET0_PARAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE_get0_param, X509_STORE_set1_param,
-X509_STORE_get0_objects, X509_STORE_get1_all_certs
+X509_STORE_get1_objects, X509_STORE_get0_objects, X509_STORE_get1_all_certs
\&\- X509_STORE setter and getter functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
-\& X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx);
-\& int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *pm);
-\& STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *ctx);
-\& STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *st);
+\& X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *xs);
+\& int X509_STORE_set1_param(X509_STORE *xs, const X509_VERIFY_PARAM *pm);
+\& STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *xs);
+\& STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *xs);
+\& STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *xs);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509_STORE_set1_param()\fR sets the verification parameters
-to \fBpm\fR for \fBctx\fR.
+\&\fBX509_STORE_set1_param()\fR sets the verification parameters to \fIpm\fR for \fIxs\fR.
.PP
\&\fBX509_STORE_get0_param()\fR retrieves an internal pointer to the verification
-parameters for \fBctx\fR. The returned pointer must not be freed by the
+parameters for \fIxs\fR. The returned pointer must not be freed by the
calling application
.PP
+\&\fBX509_STORE_get1_objects()\fR returns a snapshot of all objects in the store's X509
+cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The caller is
+responsible for freeing the returned list.
+.PP
\&\fBX509_STORE_get0_objects()\fR retrieves an internal pointer to the store's
X509 object cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The
-returned pointer must not be freed by the calling application.
+returned pointer must not be freed by the calling application. If the store is
+shared across multiple threads, it is not safe to use the result of this
+function. Use \fBX509_STORE_get1_objects()\fR instead, which avoids this problem.
.PP
\&\fBX509_STORE_get1_all_certs()\fR returns a list of all certificates in the store.
The caller is responsible for freeing the returned list.
@@ -172,23 +102,27 @@ The caller is responsible for freeing the returned list.
.PP
\&\fBX509_STORE_set1_param()\fR returns 1 for success and 0 for failure.
.PP
+\&\fBX509_STORE_get1_objects()\fR returns a pointer to a stack of the retrieved
+objects on success, else NULL.
+.PP
\&\fBX509_STORE_get0_objects()\fR returns a pointer to a stack of \fBX509_OBJECT\fR.
.PP
\&\fBX509_STORE_get1_all_certs()\fR returns a pointer to a stack of the retrieved
-certificates on success, else \s-1NULL.\s0
+certificates on success, else NULL.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_new\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_STORE_get0_param\fR and \fBX509_STORE_get0_objects\fR were added in
OpenSSL 1.1.0.
\&\fBX509_STORE_get1_certs\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBX509_STORE_get1_objects\fR was added in OpenSSL 3.3.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_new.3
index 38fc0c3f37fb..080df500dbee 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,90 +52,30 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_NEW 3ossl"
-.TH X509_STORE_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE_new, X509_STORE_up_ref, X509_STORE_free,
X509_STORE_lock,X509_STORE_unlock
\&\- X509_STORE allocation, freeing and locking functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& X509_STORE *X509_STORE_new(void);
-\& void X509_STORE_free(X509_STORE *v);
-\& int X509_STORE_lock(X509_STORE *v);
-\& int X509_STORE_unlock(X509_STORE *v);
-\& int X509_STORE_up_ref(X509_STORE *v);
+\& void X509_STORE_free(X509_STORE *xs);
+\& int X509_STORE_lock(X509_STORE *xs);
+\& int X509_STORE_unlock(X509_STORE *xs);
+\& int X509_STORE_up_ref(X509_STORE *xs);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fBX509_STORE_new()\fR function returns a new X509_STORE.
.PP
@@ -162,9 +86,10 @@ X509_STORE object.
\&\fBX509_STORE_unlock()\fR unlocks it.
.PP
\&\fBX509_STORE_free()\fR frees up a single X509_STORE object.
+If the argument is NULL, nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_STORE_new()\fR returns a newly created X509_STORE or \s-1NULL\s0 if the call fails.
+\&\fBX509_STORE_new()\fR returns a newly created X509_STORE or NULL if the call fails.
.PP
\&\fBX509_STORE_up_ref()\fR, \fBX509_STORE_lock()\fR and \fBX509_STORE_unlock()\fR return
1 for success and 0 for failure.
@@ -174,15 +99,15 @@ X509_STORE object.
.IX Header "SEE ALSO"
\&\fBX509_STORE_set_verify_cb_func\fR\|(3)
\&\fBX509_STORE_get0_param\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_STORE_up_ref()\fR, \fBX509_STORE_lock()\fR and \fBX509_STORE_unlock()\fR
functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3
index 72d513257d1b..49aa8814cea8 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_SET_VERIFY_CB_FUNC 3ossl"
-.TH X509_STORE_SET_VERIFY_CB_FUNC 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_STORE_SET_VERIFY_CB_FUNC 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_STORE_set_lookup_crls_cb,
X509_STORE_set_verify_func,
X509_STORE_get_cleanup,
@@ -170,7 +94,7 @@ X509_STORE_CTX_check_revocation_fn, X509_STORE_CTX_cleanup_fn,
X509_STORE_CTX_get_crl_fn, X509_STORE_CTX_get_issuer_fn,
X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn
\&\- set verification callback
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -193,78 +117,78 @@ X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn
\& const X509_NAME *nm);
\& typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_verify_cb(X509_STORE *ctx,
+\& void X509_STORE_set_verify_cb(X509_STORE *xs,
\& X509_STORE_CTX_verify_cb verify_cb);
\& X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
+\& void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify);
\& X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);
\&
\& int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
\& X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE_CTX *ctx);
-\& void X509_STORE_set_get_issuer(X509_STORE *ctx,
+\& void X509_STORE_set_get_issuer(X509_STORE *xs,
\& X509_STORE_CTX_get_issuer_fn get_issuer);
\&
-\& void X509_STORE_set_check_issued(X509_STORE *ctx,
+\& void X509_STORE_set_check_issued(X509_STORE *xs,
\& X509_STORE_CTX_check_issued_fn check_issued);
\& X509_STORE_CTX_check_issued_fn
\& X509_STORE_get_check_issued(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_check_revocation(X509_STORE *ctx,
+\& void X509_STORE_set_check_revocation(X509_STORE *xs,
\& X509_STORE_CTX_check_revocation_fn check_revocation);
\& X509_STORE_CTX_check_revocation_fn
\& X509_STORE_get_check_revocation(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_get_crl(X509_STORE *ctx,
+\& void X509_STORE_set_get_crl(X509_STORE *xs,
\& X509_STORE_CTX_get_crl_fn get_crl);
\& X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_check_crl(X509_STORE *ctx,
+\& void X509_STORE_set_check_crl(X509_STORE *xs,
\& X509_STORE_CTX_check_crl_fn check_crl);
\& X509_STORE_CTX_check_crl_fn
\& X509_STORE_get_check_crl(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_cert_crl(X509_STORE *ctx,
+\& void X509_STORE_set_cert_crl(X509_STORE *xs,
\& X509_STORE_CTX_cert_crl_fn cert_crl);
\& X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_check_policy(X509_STORE *ctx,
+\& void X509_STORE_set_check_policy(X509_STORE *xs,
\& X509_STORE_CTX_check_policy_fn check_policy);
\& X509_STORE_CTX_check_policy_fn
\& X509_STORE_get_check_policy(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_lookup_certs(X509_STORE *ctx,
+\& void X509_STORE_set_lookup_certs(X509_STORE *xs,
\& X509_STORE_CTX_lookup_certs_fn lookup_certs);
\& X509_STORE_CTX_lookup_certs_fn
\& X509_STORE_get_lookup_certs(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_lookup_crls(X509_STORE *ctx,
+\& void X509_STORE_set_lookup_crls(X509_STORE *xs,
\& X509_STORE_CTX_lookup_crls_fn lookup_crls);
\& X509_STORE_CTX_lookup_crls_fn
\& X509_STORE_get_lookup_crls(const X509_STORE_CTX *ctx);
\&
-\& void X509_STORE_set_cleanup(X509_STORE *ctx,
+\& void X509_STORE_set_cleanup(X509_STORE *xs,
\& X509_STORE_CTX_cleanup_fn cleanup);
\& X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE_CTX *ctx);
\&
\& /* Aliases */
\& void X509_STORE_set_verify_cb_func(X509_STORE *st,
\& X509_STORE_CTX_verify_cb verify_cb);
-\& void X509_STORE_set_verify_func(X509_STORE *ctx,
+\& void X509_STORE_set_verify_func(X509_STORE *xs,
\& X509_STORE_CTX_verify_fn verify);
-\& void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
+\& void X509_STORE_set_lookup_crls_cb(X509_STORE *xs,
\& X509_STORE_CTX_lookup_crls_fn lookup_crls);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509_STORE_set_verify_cb()\fR sets the verification callback of \fIctx\fR to
+\&\fBX509_STORE_set_verify_cb()\fR sets the verification callback of \fIxs\fR to
\&\fIverify_cb\fR overwriting the previous callback.
The callback assigned with this function becomes a default for the one
that can be assigned directly to the corresponding \fBX509_STORE_CTX\fR,
please see \fBX509_STORE_CTX_set_verify_cb\fR\|(3) for further information.
.PP
\&\fBX509_STORE_set_verify()\fR sets the final chain verification function for
-\&\fIctx\fR to \fIverify\fR.
+\&\fIxs\fR to \fIverify\fR.
Its purpose is to go through the chain of certificates and check that
all signatures are valid and that the current time is within the
limits of each certificate's first and last validity time.
@@ -274,17 +198,19 @@ on success.
function will be used instead.\fR
.PP
\&\fBX509_STORE_CTX_get1_issuer()\fR tries to find a certificate from the \fIstore\fR
-component of \fIctx\fR with a subject name matching the issuer name of \fIx\fR.
-On success it assigns to \fI*issuer\fR the first match that is currently valid,
-or at least the most recently expired match if there is no currently valid one.
+component of \fIctx\fR that has a subject name matching the issuer name of \fIx\fR
+and is accepted by the \fIcheck_issued\fR function in \fIctx\fR.
+On success it assigns to \fI*issuer\fR the first match that has a suitable validity
+period or otherwise has the latest expiration date of all matching certificates.
If the function returns 1 the caller is responsible for freeing \fI*issuer\fR.
+Note that this search does not support backtracking.
.PP
-\&\fBX509_STORE_set_get_issuer()\fR sets the function \fIget_issuer\fR
-to get the \*(L"best\*(R" candidate issuer certificate of the given certificate \fIx\fR.
+\&\fBX509_STORE_set_get_issuer()\fR sets the function \fIget_issuer\fR that is used
+to get the "best" candidate issuer certificate of the given certificate \fIx\fR.
When such a certificate is found, \fIget_issuer\fR must up-ref and assign it
to \fI*issuer\fR and then return 1.
Otherwise \fIget_issuer\fR must return 0 if not found and \-1 (or 0) on failure.
-If \fBX509_STORE_set_get_issuer()\fR is not used or \fIget_issuer\fR is \s-1NULL\s0
+If \fBX509_STORE_set_get_issuer()\fR is not used or \fIget_issuer\fR is NULL
then \fBX509_STORE_CTX_get1_issuer()\fR is used as the default implementation.
.PP
\&\fBX509_STORE_set_check_issued()\fR sets the function to check that a given
@@ -330,7 +256,7 @@ function will be used instead.\fR
\&\fBX509_STORE_set_lookup_certs()\fR and \fBX509_STORE_set_lookup_crls()\fR set the
functions to look up all the certs or all the CRLs that match the
given name \fInm\fR.
-These functions return \s-1NULL\s0 on failure and a pointer to a stack of
+These functions return NULL on failure and a pointer to a stack of
certificates (\fBX509\fR) or to a stack of CRLs (\fBX509_CRL\fR) on
success.
\&\fIIf no function to get the issuer is provided, the internal default
@@ -353,7 +279,7 @@ the function pointer assigned with \fBX509_STORE_set_check_issued()\fR,
\&\fBX509_STORE_set_check_revocation()\fR, \fBX509_STORE_set_get_crl()\fR,
\&\fBX509_STORE_set_check_crl()\fR, \fBX509_STORE_set_cert_crl()\fR,
\&\fBX509_STORE_set_check_policy()\fR, \fBX509_STORE_set_lookup_certs()\fR,
-\&\fBX509_STORE_set_lookup_crls()\fR and \fBX509_STORE_set_cleanup()\fR, or \s-1NULL\s0 if
+\&\fBX509_STORE_set_lookup_crls()\fR and \fBX509_STORE_set_cleanup()\fR, or NULL if
no assignment has been made.
.PP
\&\fBX509_STORE_set_verify_cb_func()\fR, \fBX509_STORE_set_verify_func()\fR and
@@ -361,12 +287,12 @@ no assignment has been made.
\&\fBX509_STORE_set_verify_cb()\fR, \fBX509_STORE_set_verify()\fR and
X509_STORE_set_lookup_crls, available as macros for backward
compatibility.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
All the callbacks from a \fBX509_STORE\fR are inherited by the
corresponding \fBX509_STORE_CTX\fR structure when it is initialized.
See \fBX509_STORE_CTX_set_verify_cb\fR\|(3) for further details.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
The macro version of this function was the only one available before
OpenSSL 1.0.0.
@@ -384,7 +310,7 @@ function type.
\&\fBX509_STORE_CTX_set_verify_cb\fR\|(3), \fBX509_STORE_CTX_get0_chain\fR\|(3),
\&\fBX509_STORE_CTX_verify_cb\fR\|(3), \fBX509_STORE_CTX_verify_fn\fR\|(3),
\&\fBCMS_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_STORE_set_verify_cb()\fR function was added in OpenSSL 1.0.0.
.PP
@@ -402,11 +328,11 @@ The functions
\&\fBX509_STORE_set_lookup_crls()\fR, \fBX509_STORE_get_lookup_crls()\fR,
\&\fBX509_STORE_set_cleanup()\fR and \fBX509_STORE_get_cleanup()\fR
were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2009\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
index 1ae432d57f1a..6b7efc82b287 100644
--- a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
+++ b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_VERIFY_PARAM_SET_FLAGS 3ossl"
-.TH X509_VERIFY_PARAM_SET_FLAGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_VERIFY_PARAM_SET_FLAGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags,
X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose,
+X509_VERIFY_PARAM_get_purpose,
X509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags,
X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth,
X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level,
@@ -154,7 +79,7 @@ X509_VERIFY_PARAM_get0_email, X509_VERIFY_PARAM_set1_email,
X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_get1_ip_asc,
X509_VERIFY_PARAM_set1_ip_asc
\&\- X509 verification parameters
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -170,6 +95,7 @@ X509_VERIFY_PARAM_set1_ip_asc
\& uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param);
\&
\& int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
+\& int X509_VERIFY_PARAM_get_purpose(X509_VERIFY_PARAM *param);
\& int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
\&
\& void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
@@ -204,13 +130,13 @@ X509_VERIFY_PARAM_set1_ip_asc
\& const unsigned char *ip, size_t iplen);
\& int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions manipulate the \fBX509_VERIFY_PARAM\fR structure associated with
a certificate verification operation.
.PP
The \fBX509_VERIFY_PARAM_set_flags()\fR function sets the flags in \fBparam\fR by oring
-it with \fBflags\fR. See \*(L"\s-1VERIFICATION FLAGS\*(R"\s0 for a complete
+it with \fBflags\fR. See "VERIFICATION FLAGS" for a complete
description of values the \fBflags\fR parameter can take.
.PP
\&\fBX509_VERIFY_PARAM_get_flags()\fR returns the flags in \fBparam\fR.
@@ -218,14 +144,16 @@ description of values the \fBflags\fR parameter can take.
\&\fBX509_VERIFY_PARAM_get_inh_flags()\fR returns the inheritance flags in \fBparam\fR
which specifies how verification flags are copied from one structure to
another. \fBX509_VERIFY_PARAM_set_inh_flags()\fR sets the inheritance flags.
-See the \fB\s-1INHERITANCE FLAGS\s0\fR section for a description of these bits.
+See the \fBINHERITANCE FLAGS\fR section for a description of these bits.
.PP
\&\fBX509_VERIFY_PARAM_clear_flags()\fR clears the flags \fBflags\fR in \fBparam\fR.
.PP
\&\fBX509_VERIFY_PARAM_set_purpose()\fR sets the verification purpose in \fBparam\fR
to \fBpurpose\fR. This determines the acceptable purpose of the certificate
chain, for example \fBX509_PURPOSE_SSL_CLIENT\fR.
-The purpose requirement is cleared if \fBpurpose\fR is 0.
+The purpose requirement is cleared if \fBpurpose\fR is X509_PURPOSE_DEFAULT_ANY.
+.PP
+\&\fBX509_VERIFY_PARAM_get_purpose()\fR returns the purpose in \fBparam\fR.
.PP
\&\fBX509_VERIFY_PARAM_set_trust()\fR sets the trust setting in \fBparam\fR to
\&\fBtrust\fR.
@@ -239,18 +167,18 @@ policy checking.
.PP
\&\fBX509_VERIFY_PARAM_set1_policies()\fR enables policy checking (it is disabled
by default) and sets the acceptable policy set to \fBpolicies\fR. Any existing
-policy set is cleared. The \fBpolicies\fR parameter can be \fB\s-1NULL\s0\fR to clear
+policy set is cleared. The \fBpolicies\fR parameter can be \fBNULL\fR to clear
an existing policy set.
.PP
\&\fBX509_VERIFY_PARAM_set_depth()\fR sets the maximum verification depth to \fBdepth\fR.
-That is the maximum number of intermediate \s-1CA\s0 certificates that can appear in a
+That is the maximum number of intermediate CA certificates that can appear in a
chain.
A maximal depth chain contains 2 more certificates than the limit, since
neither the end-entity certificate nor the trust-anchor count against this
limit.
Thus a \fBdepth\fR limit of 0 only allows the end-entity certificate to be signed
directly by the trust anchor, while with a \fBdepth\fR limit of 1 there can be one
-intermediate \s-1CA\s0 certificate between the trust anchor and the end-entity
+intermediate CA certificate between the trust anchor and the end-entity
certificate.
.PP
\&\fBX509_VERIFY_PARAM_set_auth_level()\fR sets the authentication security level to
@@ -264,20 +192,20 @@ anchor\fR certificate, which is either directly trusted or validated by means ot
than its signature.
See \fBSSL_CTX_set_security_level\fR\|(3) for the definitions of the available
levels.
-The default security level is \-1, or \*(L"not set\*(R".
+The default security level is \-1, or "not set".
At security level 0 or lower all algorithms are acceptable.
Security level 1 requires at least 80\-bit\-equivalent security and is broadly
-interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys
+interoperable, though it will, for example, reject MD5 signatures or RSA keys
shorter than 1024 bits.
.PP
-\&\fBX509_VERIFY_PARAM_get0_host()\fR returns the \fBn\fRth expected \s-1DNS\s0 hostname that has
+\&\fBX509_VERIFY_PARAM_get0_host()\fR returns the \fBn\fRth expected DNS hostname that has
been set using \fBX509_VERIFY_PARAM_set1_host()\fR or \fBX509_VERIFY_PARAM_add1_host()\fR.
-To obtain all names start with \fBn\fR = 0 and increment \fBn\fR as long as no \s-1NULL\s0
+To obtain all names start with \fBn\fR = 0 and increment \fBn\fR as long as no NULL
pointer is returned.
.PP
-\&\fBX509_VERIFY_PARAM_set1_host()\fR sets the expected \s-1DNS\s0 hostname to
+\&\fBX509_VERIFY_PARAM_set1_host()\fR sets the expected DNS hostname to
\&\fBname\fR clearing any previously specified hostname. If
-\&\fBname\fR is \s-1NULL,\s0 or empty the list of hostnames is cleared, and
+\&\fBname\fR is NULL, or empty the list of hostnames is cleared, and
name checks are not performed on the peer certificate. If \fBname\fR
is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR
must be set to the length of \fBname\fR.
@@ -288,19 +216,19 @@ with flags equal to the \fBflags\fR argument given to
\&\fBX509_VERIFY_PARAM_set_hostflags()\fR (default zero). Applications
are strongly advised to use this interface in preference to explicitly
calling \fBX509_check_host\fR\|(3), hostname checks may be out of scope
-with the \s-1\fBDANE\-EE\s0\fR\|(3) certificate usage, and the internal check will
-be suppressed as appropriate when \s-1DANE\s0 verification is enabled.
+with the \fBDANE\-EE\fR\|(3) certificate usage, and the internal check will
+be suppressed as appropriate when DANE verification is enabled.
.PP
When the subject CommonName will not be ignored, whether as a result of the
-\&\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR host flag, or because no \s-1DNS\s0 subject
-alternative names are present in the certificate, any \s-1DNS\s0 name constraints in
+\&\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR host flag, or because no DNS subject
+alternative names are present in the certificate, any DNS name constraints in
issuer certificates apply to the subject CommonName as well as the subject
alternative name extension.
.PP
When the subject CommonName will be ignored, whether as a result of the
-\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR host flag, or because some \s-1DNS\s0 subject
-alternative names are present in the certificate, \s-1DNS\s0 name constraints in
-issuer certificates will not be applied to the subject \s-1DN.\s0
+\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR host flag, or because some DNS subject
+alternative names are present in the certificate, DNS name constraints in
+issuer certificates will not be applied to the subject DN.
As described in \fBX509_check_host\fR\|(3) the \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR
flag takes precedence over the \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag.
.PP
@@ -310,41 +238,41 @@ call to \fBX509_VERIFY_PARAM_set_hostflags()\fR.
\&\fBX509_VERIFY_PARAM_add1_host()\fR adds \fBname\fR as an additional reference
identifier that can match the peer's certificate. Any previous names
set via \fBX509_VERIFY_PARAM_set1_host()\fR or \fBX509_VERIFY_PARAM_add1_host()\fR
-are retained, no change is made if \fBname\fR is \s-1NULL\s0 or empty. When
+are retained, no change is made if \fBname\fR is NULL or empty. When
multiple names are configured, the peer is considered verified when
any name matches.
.PP
-\&\fBX509_VERIFY_PARAM_get0_peername()\fR returns the \s-1DNS\s0 hostname or subject
+\&\fBX509_VERIFY_PARAM_get0_peername()\fR returns the DNS hostname or subject
CommonName from the peer certificate that matched one of the reference
identifiers. When wildcard matching is not disabled, or when a
-reference identifier specifies a parent domain (starts with \*(L".\*(R")
+reference identifier specifies a parent domain (starts with ".")
rather than a hostname, the peer name may be a wildcard name or a
sub-domain of the reference identifier respectively. The return
string is allocated by the library and is no longer valid once the
associated \fBparam\fR argument is freed. Applications must not free
the return value.
.PP
-\&\fBX509_VERIFY_PARAM_get0_email()\fR returns the expected \s-1RFC822\s0 email address.
+\&\fBX509_VERIFY_PARAM_get0_email()\fR returns the expected RFC822 email address.
.PP
-\&\fBX509_VERIFY_PARAM_set1_email()\fR sets the expected \s-1RFC822\s0 email address to
+\&\fBX509_VERIFY_PARAM_set1_email()\fR sets the expected RFC822 email address to
\&\fBemail\fR. If \fBemail\fR is NUL-terminated, \fBemaillen\fR may be zero, otherwise
\&\fBemaillen\fR must be set to the length of \fBemail\fR. When an email address
is specified, certificate verification automatically invokes
\&\fBX509_check_email\fR\|(3).
.PP
-\&\fBX509_VERIFY_PARAM_get1_ip_asc()\fR returns the expected \s-1IP\s0 address as a string.
+\&\fBX509_VERIFY_PARAM_get1_ip_asc()\fR returns the expected IP address as a string.
The caller is responsible for freeing it.
.PP
-\&\fBX509_VERIFY_PARAM_set1_ip()\fR sets the expected \s-1IP\s0 address to \fBip\fR.
+\&\fBX509_VERIFY_PARAM_set1_ip()\fR sets the expected IP address to \fBip\fR.
The \fBip\fR argument is in binary format, in network byte-order and
-\&\fBiplen\fR must be set to 4 for IPv4 and 16 for IPv6. When an \s-1IP\s0
+\&\fBiplen\fR must be set to 4 for IPv4 and 16 for IPv6. When an IP
address is specified, certificate verification automatically invokes
\&\fBX509_check_ip\fR\|(3).
.PP
-\&\fBX509_VERIFY_PARAM_set1_ip_asc()\fR sets the expected \s-1IP\s0 address to
-\&\fBipasc\fR. The \fBipasc\fR argument is a NUL-terminal \s-1ASCII\s0 string:
+\&\fBX509_VERIFY_PARAM_set1_ip_asc()\fR sets the expected IP address to
+\&\fBipasc\fR. The \fBipasc\fR argument is a NUL-terminal ASCII string:
dotted decimal quad for IPv4 and colon-separated hexadecimal for
-IPv6. The condensed \*(L"::\*(R" notation is supported for IPv6 addresses.
+IPv6. The condensed "::" notation is supported for IPv6 addresses.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_VERIFY_PARAM_set_flags()\fR, \fBX509_VERIFY_PARAM_clear_flags()\fR,
@@ -357,8 +285,8 @@ IPv6. The condensed \*(L"::\*(R" notation is supported for IPv6 addresses.
failure.
.PP
\&\fBX509_VERIFY_PARAM_get0_host()\fR, \fBX509_VERIFY_PARAM_get0_email()\fR, and
-\&\fBX509_VERIFY_PARAM_get1_ip_asc()\fR, return the string pointer specified above
-or \s-1NULL\s0 if the respective value has not been set or on error.
+\&\fBX509_VERIFY_PARAM_get1_ip_asc()\fR, return the string pointers specified above
+or NULL if the respective value has not been set or on error.
.PP
\&\fBX509_VERIFY_PARAM_get_flags()\fR returns the current verification flags.
.PP
@@ -373,21 +301,24 @@ values.
.PP
\&\fBX509_VERIFY_PARAM_get_auth_level()\fR returns the current authentication security
level.
+.PP
+\&\fBX509_VERIFY_PARAM_get_purpose()\fR returns the current purpose,
+which may be \fBX509_PURPOSE_DEFAULT_ANY\fR if unset.
.SH "VERIFICATION FLAGS"
.IX Header "VERIFICATION FLAGS"
The verification flags consists of zero or more of the following flags
ored together.
.PP
-\&\fBX509_V_FLAG_CRL_CHECK\fR enables \s-1CRL\s0 checking for the certificate chain leaf
-certificate. An error occurs if a suitable \s-1CRL\s0 cannot be found.
+\&\fBX509_V_FLAG_CRL_CHECK\fR enables CRL checking for the certificate chain leaf
+certificate. An error occurs if a suitable CRL cannot be found.
.PP
-\&\fBX509_V_FLAG_CRL_CHECK_ALL\fR enables \s-1CRL\s0 checking for the entire certificate
-chain.
+\&\fBX509_V_FLAG_CRL_CHECK_ALL\fR expands CRL checking to the entire certificate
+chain if \fBX509_V_FLAG_CRL_CHECK\fR has also been enabled, and is otherwise ignored.
.PP
\&\fBX509_V_FLAG_IGNORE_CRITICAL\fR disables critical extension checking. By default
any unhandled critical extensions in certificates or (if checked) CRLs result
in a fatal error. If this flag is set unhandled critical extensions are
-ignored. \fB\s-1WARNING\s0\fR setting this option for anything other than debugging
+ignored. \fBWARNING\fR setting this option for anything other than debugging
purposes can be a security risk. Finer control over which extensions are
supported can be performed in the verification callback.
.PP
@@ -403,7 +334,7 @@ verification callback relating to policy checking.
\&\fBX509_V_FLAG_EXPLICIT_POLICY\fR, \fBX509_V_FLAG_INHIBIT_ANY\fR and
\&\fBX509_V_FLAG_INHIBIT_MAP\fR set the \fBrequire explicit policy\fR, \fBinhibit any
policy\fR and \fBinhibit policy mapping\fR flags respectively as defined in
-\&\fB\s-1RFC3280\s0\fR. Policy checking is automatically enabled if any of these flags
+\&\fBRFC3280\fR. Policy checking is automatically enabled if any of these flags
are set.
.PP
If \fBX509_V_FLAG_NOTIFY_POLICY\fR is set and the policy checking is successful
@@ -420,7 +351,7 @@ determine certificate status. If not set deltas are ignored.
.PP
\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR requests checking the signature of
the last certificate in a chain if the certificate is supposedly self-signed.
-This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
+This is prohibited and will result in an error if it is a non-conforming CA
certificate with key usage restrictions not including the \fIkeyCertSign\fR bit.
By default this check is disabled because it doesn't
add any additional security but in some cases applications might want to
@@ -435,7 +366,7 @@ before searching the provided untrusted certificates.
Local issuer certificates are often more likely to satisfy local security
requirements and lead to a locally trusted root.
This is especially important when some certificates in the trust store have
-explicit trust settings (see \*(L"\s-1TRUST SETTINGS\*(R"\s0 in \fBopenssl\-x509\fR\|(1)).
+explicit trust settings (see "TRUST SETTINGS" in \fBopenssl\-x509\fR\|(1)).
.PP
The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag could have been used before OpenSSL 1.1.0
to suppress checking for alternative chains.
@@ -449,13 +380,13 @@ has no effect.
.PP
The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes non-self-signed certificates in the
trust store to be treated as trust anchors, in the same way as self-signed
-root \s-1CA\s0 certificates.
+root CA certificates.
This makes it possible to trust self-issued certificates as well as certificates
-issued by an intermediate \s-1CA\s0 without having to trust their ancestor root \s-1CA.\s0
+issued by an intermediate CA without having to trust their ancestor root CA.
With OpenSSL 1.1.0 and later and \fBX509_V_FLAG_PARTIAL_CHAIN\fR set, chain
construction stops as soon as the first certificate contained in the trust store
-is added to the chain, whether that certificate is a self-signed \*(L"root\*(R"
-certificate or a not self-signed \*(L"intermediate\*(R" or self-issued certificate.
+is added to the chain, whether that certificate is a self-signed "root"
+certificate or a not self-signed "intermediate" or self-issued certificate.
Thus, when an intermediate certificate is found in the trust store, the
verified chain passed to callbacks may be shorter than it otherwise would
be without the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag.
@@ -465,7 +396,7 @@ of certificates and CRLs against the current time. If \fBX509_VERIFY_PARAM_set_t
is used to specify a verification time, the check is not suppressed.
.SH "INHERITANCE FLAGS"
.IX Header "INHERITANCE FLAGS"
-These flags specify how parameters are \*(L"inherited\*(R" from one structure to
+These flags specify how parameters are "inherited" from one structure to
another.
.PP
If \fBX509_VP_FLAG_ONCE\fR is set then the current setting is zeroed
@@ -475,8 +406,8 @@ If \fBX509_VP_FLAG_LOCKED\fR is set then no values are copied. This overrides
all of the following flags.
.PP
If \fBX509_VP_FLAG_DEFAULT\fR is set then anything set in the source is copied
-to the destination. Effectively the values in \*(L"to\*(R" become default values
-which will be used only if nothing new is set in \*(L"from\*(R". This is the
+to the destination. Effectively the values in "to" become default values
+which will be used only if nothing new is set in "from". This is the
default.
.PP
If \fBX509_VP_FLAG_OVERWRITE\fR is set then all value are copied across whether
@@ -484,25 +415,25 @@ they are set or not. Flags is still Ored though.
.PP
If \fBX509_VP_FLAG_RESET_FLAGS\fR is set then the flags value is copied instead
of ORed.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The above functions should be used to manipulate verification parameters
instead of functions which work in specific structures such as
\&\fBX509_STORE_CTX_set_flags()\fR which are likely to be deprecated in a future
release.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-Delta \s-1CRL\s0 checking is currently primitive. Only a single delta can be used and
+Delta CRL checking is currently primitive. Only a single delta can be used and
(partly due to limitations of \fBX509_STORE\fR) constructed CRLs are not
maintained.
.PP
If CRLs checking is enable CRLs are expected to be available in the
corresponding \fBX509_STORE\fR structure. No attempt is made to download
-CRLs from the \s-1CRL\s0 distribution points extension.
-.SH "EXAMPLES"
+CRLs from the CRL distribution points extension.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL\s0
-connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR:
+Enable CRL checking when performing certificate verification during SSL
+connections associated with an \fBSSL_CTX\fR structure \fBctx\fR:
.PP
.Vb 1
\& X509_VERIFY_PARAM *param;
@@ -519,7 +450,7 @@ connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR:
\&\fBX509_check_email\fR\|(3),
\&\fBX509_check_ip\fR\|(3),
\&\fBopenssl\-x509\fR\|(1)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag was added in OpenSSL 1.1.0.
The flag \fBX509_V_FLAG_CB_ISSUER_CHECK\fR was deprecated in OpenSSL 1.1.0
@@ -533,11 +464,13 @@ and \fBX509_VERIFY_PARAM_get1_ip_asc()\fR functions were added in OpenSSL 3.0.
The function \fBX509_VERIFY_PARAM_add0_policy()\fR was historically documented as
enabling policy checking however the implementation has never done this.
The documentation was changed to align with the implementation.
-.SH "COPYRIGHT"
+.PP
+The \fBX509_VERIFY_PARAM_get_purpose()\fR function was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2009\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_add_cert.3
index 5d93b310c497..6dff688d6f5a 100644
--- a/secure/lib/libcrypto/man/man3/X509_add_cert.3
+++ b/secure/lib/libcrypto/man/man3/X509_add_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_ADD_CERT 3ossl"
-.TH X509_ADD_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_ADD_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_add_cert,
X509_add_certs \-
X509 certificate list addition functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -148,12 +72,13 @@ X509 certificate list addition functions
\& int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
\& int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_add_cert()\fR adds a certificate \fIcert\fR to the given list \fIsk\fR.
+It is an error for the \fIcert\fR argument to be NULL.
.PP
\&\fBX509_add_certs()\fR adds a list of certificate \fIcerts\fR to the given list \fIsk\fR.
-The \fIcerts\fR argument may be \s-1NULL,\s0 which implies no effect.
+The \fIcerts\fR argument may be NULL, which implies no effect.
It does not modify the list \fIcerts\fR but
in case the \fBX509_ADD_FLAG_UP_REF\fR flag (described below) is set
the reference counters of those of its members added to \fIsk\fR are increased.
@@ -178,7 +103,7 @@ which is determined using \fBX509_self_signed\fR\|(3), are ignored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Both functions return 1 for success and 0 for failure.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
If \fBX509_add_certs()\fR is used with the flags \fBX509_ADD_FLAG_NO_DUP\fR or
\&\fBX509_ADD_FLAG_NO_SS\fR it is advisable to use also \fBX509_ADD_FLAG_UP_REF\fR
@@ -190,15 +115,15 @@ Care should also be taken in case the \fIcerts\fR argument equals \fIsk\fR.
.IX Header "SEE ALSO"
\&\fBX509_cmp\fR\|(3)
\&\fBX509_self_signed\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBX509_add_cert()\fR and \fBX509_add_certs()\fR
were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_ca.3 b/secure/lib/libcrypto/man/man3/X509_check_ca.3
index ecd099fb6324..a62e5098d68e 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_ca.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_ca.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,96 +52,36 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_CA 3ossl"
-.TH X509_CHECK_CA 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CHECK_CA 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_check_ca \- check if given certificate is CA certificate
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_ca(X509 *cert);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This function checks if given certificate is \s-1CA\s0 certificate (can be used
+This function checks if given certificate is CA certificate (can be used
to sign other certificates). The certificate must be a complete certificate
otherwise an error is returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-Function return 0, if it is not \s-1CA\s0 certificate, 1 if it is proper X509v3
-\&\s-1CA\s0 certificate with \fBbasicConstraints\fR extension \s-1CA:TRUE,
-3,\s0 if it is self-signed X509 v1 certificate, 4, if it is certificate with
+Function return 0, if it is not CA certificate, 1 if it is proper X509v3
+CA certificate with \fBbasicConstraints\fR extension CA:TRUE,
+3, if it is self-signed X509 v1 certificate, 4, if it is certificate with
\&\fBkeyUsage\fR extension with bit \fBkeyCertSign\fR set, but without
\&\fBbasicConstraints\fR, and 5 if it has outdated Netscape Certificate Type
-extension telling that it is \s-1CA\s0 certificate.
+extension telling that it is CA certificate.
.PP
This function will also return 0 on error.
.PP
@@ -168,11 +92,11 @@ used to sign other certificates.
\&\fBX509_verify_cert\fR\|(3),
\&\fBX509_check_issued\fR\|(3),
\&\fBX509_check_purpose\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_host.3 b/secure/lib/libcrypto/man/man3/X509_check_host.3
index d5ef9c20f4aa..faf76898757a 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_host.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_host.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_HOST 3ossl"
-.TH X509_CHECK_HOST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CHECK_HOST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc \- X.509 certificate matching
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
@@ -151,43 +75,43 @@ X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc \- X.509 cer
\& unsigned int flags);
\& int X509_check_ip_asc(X509 *, const char *address, unsigned int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The certificate matching functions are used to check whether a
-certificate matches a given hostname, email address, or \s-1IP\s0 address.
+certificate matches a given hostname, email address, or IP address.
The validity of the certificate and its trust level has to be checked by
other means.
.PP
\&\fBX509_check_host()\fR checks if the certificate Subject Alternative
-Name (\s-1SAN\s0) or Subject CommonName (\s-1CN\s0) matches the specified hostname,
+Name (SAN) or Subject CommonName (CN) matches the specified hostname,
which must be encoded in the preferred name syntax described
-in section 3.5 of \s-1RFC 1034.\s0 By default, wildcards are supported
+in section 3.5 of RFC 1034. By default, wildcards are supported
and they match only in the left-most label; but they may match
part of that label with an explicit prefix or suffix. For example,
-by default, the host \fBname\fR \*(L"www.example.com\*(R" would match a
-certificate with a \s-1SAN\s0 or \s-1CN\s0 value of \*(L"*.example.com\*(R", \*(L"w*.example.com\*(R"
-or \*(L"*w.example.com\*(R".
+by default, the host \fBname\fR "www.example.com" would match a
+certificate with a SAN or CN value of "*.example.com", "w*.example.com"
+or "*w.example.com".
.PP
-Per section 6.4.2 of \s-1RFC 6125,\s0 \fBname\fR values representing international
+Per section 6.4.2 of RFC 6125, \fBname\fR values representing international
domain names must be given in A\-label form. The \fBnamelen\fR argument
must be the number of characters in the name string or zero in which
case the length is calculated with strlen(\fBname\fR). When \fBname\fR starts
-with a dot (e.g. \*(L".example.com\*(R"), it will be matched by a certificate
+with a dot (e.g. ".example.com"), it will be matched by a certificate
valid for any sub-domain of \fBname\fR, (see also
\&\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR below).
.PP
-When the certificate is matched, and \fBpeername\fR is not \s-1NULL,\s0 a
-pointer to a copy of the matching \s-1SAN\s0 or \s-1CN\s0 from the peer certificate
+When the certificate is matched, and \fBpeername\fR is not NULL, a
+pointer to a copy of the matching SAN or CN from the peer certificate
is stored at the address passed in \fBpeername\fR. The application
is responsible for freeing the peername via \fBOPENSSL_free()\fR when it
is no longer needed.
.PP
\&\fBX509_check_email()\fR checks if the certificate matches the specified
-email \fBaddress\fR. The mailbox syntax of \s-1RFC 822\s0 is supported,
+email \fBaddress\fR. The mailbox syntax of RFC 822 is supported,
comments are not allowed, and no attempt is made to normalize quoted
-characters. The mailbox syntax of \s-1RFC 6531\s0 is supported for
-SmtpUTF8Mailbox address in subjectAltName according to \s-1RFC 8398,\s0
-with similar limitations as for \s-1RFC 822\s0 syntax, and no attempt
+characters. The mailbox syntax of RFC 6531 is supported for
+SmtpUTF8Mailbox address in subjectAltName according to RFC 8398,
+with similar limitations as for RFC 822 syntax, and no attempt
is made to convert from A\-label to U\-label before comparison.
The \fBaddresslen\fR argument must be the number of
characters in the address string or zero in which case the length
@@ -196,80 +120,80 @@ is calculated with strlen(\fBaddress\fR).
\&\fBX509_check_ip()\fR checks if the certificate matches a specified IPv4 or
IPv6 address. The \fBaddress\fR array is in binary format, in network
byte order. The length is either 4 (IPv4) or 16 (IPv6). Only
-explicitly marked addresses in the certificates are considered; \s-1IP\s0
-addresses stored in \s-1DNS\s0 names and Common Names are ignored. There are
+explicitly marked addresses in the certificates are considered; IP
+addresses stored in DNS names and Common Names are ignored. There are
currently no \fBflags\fR that would affect the behavior of this call.
.PP
\&\fBX509_check_ip_asc()\fR is similar, except that the NUL-terminated
string \fBaddress\fR is first converted to the internal representation.
.PP
-The \fBflags\fR argument is usually 0. It can be the bitwise \s-1OR\s0 of the
+The \fBflags\fR argument is usually 0. It can be the bitwise OR of the
flags:
-.IP "\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR," 4
+.IP \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR, 4
.IX Item "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,"
.PD 0
-.IP "\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR," 4
+.IP \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR, 4
.IX Item "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,"
-.IP "\fBX509_CHECK_FLAG_NO_WILDCARDS\fR," 4
+.IP \fBX509_CHECK_FLAG_NO_WILDCARDS\fR, 4
.IX Item "X509_CHECK_FLAG_NO_WILDCARDS,"
-.IP "\fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR," 4
+.IP \fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR, 4
.IX Item "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,"
-.IP "\fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR." 4
+.IP \fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR. 4
.IX Item "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS."
-.IP "\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR." 4
+.IP \fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR. 4
.IX Item "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS."
.PD
.PP
The \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag causes the function
-to consider the subject \s-1DN\s0 even if the certificate contains at least
-one subject alternative name of the right type (\s-1DNS\s0 name or email
-address as appropriate); the default is to ignore the subject \s-1DN\s0
+to consider the subject DN even if the certificate contains at least
+one subject alternative name of the right type (DNS name or email
+address as appropriate); the default is to ignore the subject DN
when at least one corresponding subject alternative names is present.
.PP
The \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR flag causes the function to never
-consider the subject \s-1DN\s0 even if the certificate contains no subject alternative
-names of the right type (\s-1DNS\s0 name or email address as appropriate); the default
-is to use the subject \s-1DN\s0 when no corresponding subject alternative names are
+consider the subject DN even if the certificate contains no subject alternative
+names of the right type (DNS name or email address as appropriate); the default
+is to use the subject DN when no corresponding subject alternative names are
present.
If both \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR and
\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR are specified, the latter takes
-precedence and the subject \s-1DN\s0 is not checked for matching names.
+precedence and the subject DN is not checked for matching names.
.PP
If set, \fBX509_CHECK_FLAG_NO_WILDCARDS\fR disables wildcard
expansion; this only applies to \fBX509_check_host\fR.
.PP
If set, \fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR suppresses support
-for \*(L"*\*(R" as wildcard pattern in labels that have a prefix or suffix,
-such as: \*(L"www*\*(R" or \*(L"*www\*(R"; this only applies to \fBX509_check_host\fR.
+for "*" as wildcard pattern in labels that have a prefix or suffix,
+such as: "www*" or "*www"; this only applies to \fBX509_check_host\fR.
.PP
-If set, \fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR allows a \*(L"*\*(R" that
-constitutes the complete label of a \s-1DNS\s0 name (e.g. \*(L"*.example.com\*(R")
+If set, \fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR allows a "*" that
+constitutes the complete label of a DNS name (e.g. "*.example.com")
to match more than one label in \fBname\fR; this flag only applies
to \fBX509_check_host\fR.
.PP
If set, \fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR restricts \fBname\fR
-values which start with \*(L".\*(R", that would otherwise match any sub-domain
+values which start with ".", that would otherwise match any sub-domain
in the peer certificate, to only match direct child sub-domains.
-Thus, for instance, with this flag set a \fBname\fR of \*(L".example.com\*(R"
-would match a peer certificate with a \s-1DNS\s0 name of \*(L"www.example.com\*(R",
-but would not match a peer certificate with a \s-1DNS\s0 name of
-\&\*(L"www.sub.example.com\*(R"; this flag only applies to \fBX509_check_host\fR.
+Thus, for instance, with this flag set a \fBname\fR of ".example.com"
+would match a peer certificate with a DNS name of "www.example.com",
+but would not match a peer certificate with a DNS name of
+"www.sub.example.com"; this flag only applies to \fBX509_check_host\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions return 1 for a successful match, 0 for a failed match
and \-1 for an internal error: typically a memory allocation failure
-or an \s-1ASN.1\s0 decoding error.
+or an ASN.1 decoding error.
.PP
All functions can also return \-2 if the input is malformed. For example,
\&\fBX509_check_host()\fR returns \-2 if the provided \fBname\fR contains embedded
NULs.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Applications are encouraged to use \fBX509_VERIFY_PARAM_set1_host()\fR
rather than explicitly calling \fBX509_check_host\fR\|(3). Hostname
-checks may be out of scope with the \s-1\fBDANE\-EE\s0\fR\|(3) certificate usage,
+checks may be out of scope with the \fBDANE\-EE\fR\|(3) certificate usage,
and the internal checks will be suppressed as appropriate when
-\&\s-1DANE\s0 support is enabled.
+DANE support is enabled.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_verify_result\fR\|(3),
@@ -277,14 +201,14 @@ and the internal checks will be suppressed as appropriate when
\&\fBX509_VERIFY_PARAM_add1_host\fR\|(3),
\&\fBX509_VERIFY_PARAM_set1_email\fR\|(3),
\&\fBX509_VERIFY_PARAM_set1_ip\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2012\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_issued.3 b/secure/lib/libcrypto/man/man3/X509_check_issued.3
index 0077072ca438..207f869e03ef 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_issued.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_issued.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_ISSUED 3ossl"
-.TH X509_CHECK_ISSUED 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CHECK_ISSUED 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_check_issued \- checks if certificate is apparently issued by another
certificate
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_issued(X509 *issuer, X509 *subject);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_check_issued()\fR checks if certificate \fIsubject\fR was apparently issued
-using (\s-1CA\s0) certificate \fIissuer\fR. This function takes into account not only
+using (CA) certificate \fIissuer\fR. This function takes into account not only
matching of the issuer field of \fIsubject\fR with the subject field of \fIissuer\fR,
but also compares all sub-fields of the \fBauthorityKeyIdentifier\fR extension of
\&\fIsubject\fR, as far as present, with the respective \fBsubjectKeyIdentifier\fR,
@@ -165,11 +89,11 @@ or some \fBX509_V_ERR*\fR constant to indicate an error.
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3), \fBX509_verify\fR\|(3), \fBX509_check_ca\fR\|(3),
\&\fBopenssl\-verify\fR\|(1), \fBX509_self_signed\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_private_key.3 b/secure/lib/libcrypto/man/man3/X509_check_private_key.3
index 4ab32553d595..ab4c88404635 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_private_key.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_private_key.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,94 +52,34 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_PRIVATE_KEY 3ossl"
-.TH X509_CHECK_PRIVATE_KEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CHECK_PRIVATE_KEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_check_private_key, X509_REQ_check_private_key \- check the consistency
of a private key with the public key in an X509 certificate or certificate
request
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
-\& int X509_check_private_key(X509 *x, EVP_PKEY *k);
+\& int X509_check_private_key(const X509 *cert, EVP_PKEY *pkey);
\&
-\& int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
+\& int X509_REQ_check_private_key(X509_REQ *req, EVP_PKEY *pkey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_check_private_key()\fR function checks the consistency of private
-key \fBk\fR with the public key in \fBx\fR.
+key \fIpkey\fR with the public key in \fIcert\fR.
.PP
\&\fBX509_REQ_check_private_key()\fR is equivalent to \fBX509_check_private_key()\fR
-except that \fBx\fR represents a certificate request of structure \fBX509_REQ\fR.
+except that \fIreq\fR represents a certificate request of structure \fBX509_REQ\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_check_private_key()\fR and \fBX509_REQ_check_private_key()\fR return 1 if
@@ -163,21 +87,21 @@ the keys match each other, and 0 if not.
.PP
If the key is invalid or an error occurred, the reason code can be
obtained using \fBERR_get_error\fR\|(3).
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The \fBcheck_private_key\fR functions don't check if \fBk\fR itself is indeed
-a private key or not. It merely compares the public materials (e.g. exponent
-and modulus of an \s-1RSA\s0 key) and/or key parameters (e.g. \s-1EC\s0 params of an \s-1EC\s0 key)
-of a key pair. So if you pass a public key to these functions in \fBk\fR, it will
-return success.
+The \fBX509_check_private_key()\fR and \fBX509_REQ_check_private_key()\fR functions
+do not check if \fIpkey\fR itself is indeed a private key or not.
+They merely compare the public materials (e.g., exponent and modulus of an RSA
+key) and/or key parameters (e.g. EC params of an EC key) of a key pair.
+So they also return success if \fIpkey\fR is a matching public key.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_purpose.3 b/secure/lib/libcrypto/man/man3/X509_check_purpose.3
index 814064d4f95c..4960c7ee3bce 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_purpose.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_purpose.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,94 +52,62 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_PURPOSE 3ossl"
-.TH X509_CHECK_PURPOSE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CHECK_PURPOSE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-X509_check_purpose \- Check the purpose of a certificate
-.SH "SYNOPSIS"
+.SH NAME
+X509_check_purpose,
+X509_PURPOSE_get_count,
+X509_PURPOSE_get_unused_id,
+X509_PURPOSE_get_by_sname,
+X509_PURPOSE_get_by_id,
+X509_PURPOSE_add,
+X509_PURPOSE_cleanup,
+X509_PURPOSE_get0,
+X509_PURPOSE_get_id,
+X509_PURPOSE_get0_name,
+X509_PURPOSE_get0_sname,
+X509_PURPOSE_get_trust,
+X509_PURPOSE_set \- functions related to checking the purpose of a certificate
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_purpose(X509 *x, int id, int ca);
+\&
+\& int X509_PURPOSE_get_count(void);
+\& int X509_PURPOSE_get_unused_id(OSSL_LIB_CTX *libctx);
+\& int X509_PURPOSE_get_by_sname(const char *sname);
+\& int X509_PURPOSE_get_by_id(int id);
+\& int X509_PURPOSE_add(int id, int trust, int flags,
+\& int (*ck) (const X509_PURPOSE *, const X509 *, int),
+\& const char *name, const char *sname, void *arg);
+\& void X509_PURPOSE_cleanup(void);
+\&
+\& X509_PURPOSE *X509_PURPOSE_get0(int idx);
+\& int X509_PURPOSE_get_id(const X509_PURPOSE *);
+\& char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
+\& char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
+\& int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
+\& int X509_PURPOSE_set(int *p, int purpose);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This function checks if certificate \fIx\fR was created with the purpose
+\&\fBX509_check_purpose()\fR checks if certificate \fIx\fR was created with the purpose
represented by \fIid\fR. If \fIca\fR is nonzero, then certificate \fIx\fR is
-checked to determine if it's a possible \s-1CA\s0 with various levels of certainty
+checked to determine if it's a possible CA with various levels of certainty
possibly returned. The certificate \fIx\fR must be a complete certificate
otherwise the function returns an error.
.PP
-Below are the potential \s-1ID\s0's that can be checked:
+Below are the potential ID's that can be checked:
.PP
-.Vb 9
+.Vb 10
\& # define X509_PURPOSE_SSL_CLIENT 1
\& # define X509_PURPOSE_SSL_SERVER 2
\& # define X509_PURPOSE_NS_SSL_SERVER 3
@@ -165,12 +117,51 @@ Below are the potential \s-1ID\s0's that can be checked:
\& # define X509_PURPOSE_ANY 7
\& # define X509_PURPOSE_OCSP_HELPER 8
\& # define X509_PURPOSE_TIMESTAMP_SIGN 9
+\& # define X509_PURPOSE_CODE_SIGN 10
.Ve
.PP
The checks performed take into account the X.509 extensions
keyUsage, extendedKeyUsage, and basicConstraints.
+.PP
+\&\fBX509_PURPOSE_get_count()\fR returns the number of currently defined purposes.
+.PP
+\&\fBX509_PURPOSE_get_unused_id()\fR returns the smallest purpose id not yet used,
+which is guaranteed to be unique and larger than \fBX509_PURPOSE_MAX\fR.
+The \fIlibctx\fR parameter should be used to provide the library context.
+It is currently ignored as the purpose mapping table is global.
+.PP
+\&\fBX509_PURPOSE_get_by_sname()\fR returns the index of
+the purpose with the given short name or \-1 if not found.
+.PP
+\&\fBX509_PURPOSE_get_by_id()\fR returns the index of
+the purpose with the given id or \-1 if not found.
+.PP
+\&\fBX509_PURPOSE_add()\fR adds or modifies a purpose entry identified by \fIsname\fR.
+Unless the id stays the same for an existing entry, \fIid\fR must be fresh,
+which can be achieved by using the result of \fBX509_PURPOSE_get_unused_id()\fR.
+The function also sets in the entry the trust id \fItrust\fR, the given \fIflags\fR,
+the purpose (long) name \fIname\fR, the short name \fIsname\fR, the purpose checking
+function \fIck\fR of type \fBint (*) (const X509_PURPOSE *, const X509 *, int)\fR,
+and its user data \fIarg\fR which may be retrieved via the \fBX509_PURPOSE\fR pointer.
+.PP
+\&\fBX509_PURPOSE_cleanup()\fR removes all purposes that are not pre-defined.
+.PP
+\&\fBX509_PURPOSE_get0()\fR returns an \fBX509_PURPOSE\fR pointer or NULL on error.
+.PP
+\&\fBX509_PURPOSE_get_id()\fR returns the id of the given \fBX509_PURPOSE\fR structure.
+.PP
+\&\fBX509_PURPOSE_get0_name()\fR returns the (long) name of the given \fBX509_PURPOSE\fR.
+.PP
+\&\fBX509_PURPOSE_get0_sname()\fR returns the short name of the given \fBX509_PURPOSE\fR.
+.PP
+\&\fBX509_PURPOSE_get_trust()\fR returns the trust id of the given \fBX509_PURPOSE\fR.
+.PP
+\&\fBX509_PURPOSE_set()\fR assigns the given \fIpurpose\fR id to the location pointed at by
+\&\fIp\fR.
+This resets to the any purpose if \fIpurpose\fR is \fBX509_PURPOSE_DEFAULT_ANY\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
+\&\fBX509_check_purpose()\fR returns the following values.
For non-CA checks
.IP "\-1 an error condition has occurred" 4
.IX Item "-1 an error condition has occurred"
@@ -181,26 +172,60 @@ For non-CA checks
.IX Item " 0 if the certificate was not created to perform the purpose represented by id"
.PD
.PP
-For \s-1CA\s0 checks the below integers could be returned with the following meanings:
+For CA checks the below integers could be returned with the following meanings:
.IP "\-1 an error condition has occurred" 4
.IX Item "-1 an error condition has occurred"
.PD 0
-.IP " 0 not a \s-1CA\s0 or does not have the purpose represented by \fIid\fR" 4
+.IP " 0 not a CA or does not have the purpose represented by \fIid\fR" 4
.IX Item " 0 not a CA or does not have the purpose represented by id"
-.IP " 1 is a \s-1CA.\s0" 4
+.IP " 1 is a CA." 4
.IX Item " 1 is a CA."
-.IP " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a \s-1CA\s0" 4
+.IP " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA" 4
.IX Item " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA"
.IP " 3 basicConstraints absent but self signed V1." 4
.IX Item " 3 basicConstraints absent but self signed V1."
.IP " 4 basicConstraints absent but keyUsage present and keyCertSign asserted." 4
.IX Item " 4 basicConstraints absent but keyUsage present and keyCertSign asserted."
-.IP " 5 legacy Netscape specific \s-1CA\s0 Flags present" 4
+.IP " 5 legacy Netscape specific CA Flags present" 4
.IX Item " 5 legacy Netscape specific CA Flags present"
.PD
-.SH "COPYRIGHT"
+.PP
+\&\fBX509_PURPOSE_get_count()\fR returns the number of currently defined purposes.
+.PP
+\&\fBX509_PURPOSE_get_unused_id()\fR returns the smallest purpose id not yet used.
+.PP
+\&\fBX509_PURPOSE_get_by_sname()\fR returns the index of
+the purpose with the given short name or \-1 if not found.
+.PP
+\&\fBX509_PURPOSE_get_by_id()\fR returns the index of
+the purpose with the given id or \-1 if not found.
+.PP
+int \fBX509_PURPOSE_add()\fR returns 1 on success, 0 on error.
+.PP
+\&\fBX509_PURPOSE_cleanup()\fR does not return anything.
+.PP
+\&\fBX509_PURPOSE_get0()\fR returns an \fBX509_PURPOSE\fR pointer or NULL on error.
+.PP
+\&\fBX509_PURPOSE_get_id()\fR returns the id of the given \fBX509_PURPOSE\fR structure.
+.PP
+\&\fBX509_PURPOSE_get0_name()\fR returns the (long) name of the given \fBX509_PURPOSE\fR.
+.PP
+\&\fBX509_PURPOSE_get0_sname()\fR returns the short name of the given \fBX509_PURPOSE\fR.
+.PP
+\&\fBX509_PURPOSE_get_trust()\fR returns the trust id of the given \fBX509_PURPOSE\fR.
+.PP
+\&\fBX509_PURPOSE_set()\fR returns 1 on success, 0 on error.
+.SH BUGS
+.IX Header "BUGS"
+The X509_PURPOSE implementation so far is not thread-safe.
+There may be race conditions retrieving purpose information while
+\&\fBX509_PURPOSE_add()\fR or X509_PURPOSE_cleanup(void) is being called.
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509_PURPOSE_get_unused_id()\fR was added in OpensSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
+Licensed under the Apache License 2.0 (the "License"). You may not use this
file except in compliance with the License. You can obtain a copy in the file
-\&\s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.
+LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_cmp.3 b/secure/lib/libcrypto/man/man3/X509_cmp.3
index 20b8cec0f009..33b634916146 100644
--- a/secure/lib/libcrypto/man/man3/X509_cmp.3
+++ b/secure/lib/libcrypto/man/man3/X509_cmp.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CMP 3ossl"
-.TH X509_CMP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CMP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_cmp, X509_NAME_cmp,
X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp,
X509_CRL_cmp, X509_CRL_match
\&\- compare X509 certificates and related values
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -154,22 +78,23 @@ X509_CRL_cmp, X509_CRL_match
\& int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
\& int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This set of functions are used to compare X509 objects, including X509
-certificates, X509 \s-1CRL\s0 objects and various values in an X509 certificate.
+certificates, X509 CRL objects and various values in an X509 certificate.
.PP
The \fBX509_cmp()\fR function compares two \fBX509\fR objects indicated by parameters
\&\fIa\fR and \fIb\fR. The comparison is based on the \fBmemcmp\fR result of the hash
-values of two \fBX509\fR objects and the canonical (\s-1DER\s0) encoding values.
+values of two \fBX509\fR objects and the canonical (DER) encoding values.
.PP
The \fBX509_NAME_cmp()\fR function compares two \fBX509_NAME\fR objects indicated by
-parameters \fIa\fR and \fIb\fR. The comparison is based on the \fBmemcmp\fR result of the
-canonical (\s-1DER\s0) encoding values of the two objects using \fBi2d_X509_NAME\fR\|(3).
-This procedure adheres to the matching rules for Distinguished Names (\s-1DN\s0)
-given in \s-1RFC 4517\s0 section 4.2.15 and \s-1RFC 5280\s0 section 7.1.
+parameters \fIa\fR and \fIb\fR, any of which may be NULL.
+The comparison is based on the \fBmemcmp\fR result of the
+canonical (DER) encoding values of the two objects using \fBi2d_X509_NAME\fR\|(3).
+This procedure adheres to the matching rules for Distinguished Names (DN)
+given in RFC 4517 section 4.2.15 and RFC 5280 section 7.1.
In particular, the order of Relative Distinguished Names (RDNs) is relevant.
-On the other hand, if an \s-1RDN\s0 is multi-valued, i.e., it contains a set of
+On the other hand, if an RDN is multi-valued, i.e., it contains a set of
AttributeValueAssertions (AVAs), its members are effectively not ordered.
.PP
The \fBX509_issuer_and_serial_cmp()\fR function compares the serial number and issuer
@@ -182,7 +107,7 @@ objects, respectively.
.IX Xref "509"
.PP
The \fBX509_CRL_match()\fR function compares two \fBX509_CRL\fR objects. Unlike the
-\&\fBX509_CRL_cmp()\fR function, this function compares the whole \s-1CRL\s0 content instead
+\&\fBX509_CRL_cmp()\fR function, this function compares the whole CRL content instead
of just the issuer name.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -192,11 +117,11 @@ found to be less than, to match, or be greater than object \fIb\fR, respectively
\&\fBX509_NAME_cmp()\fR, \fBX509_issuer_and_serial_cmp()\fR, \fBX509_issuer_name_cmp()\fR,
\&\fBX509_subject_name_cmp()\fR, \fBX509_CRL_cmp()\fR, and \fBX509_CRL_match()\fR
may return \fB\-2\fR to indicate an error.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions in fact utilize the underlying \fBmemcmp\fR of the C library to do
-the comparison job. Data to be compared varies from \s-1DER\s0 encoding data, hash
-value or \fB\s-1ASN1_STRING\s0\fR. The sign of the comparison can be used to order the
+the comparison job. Data to be compared varies from DER encoding data, hash
+value or \fBASN1_STRING\fR. The sign of the comparison can be used to order the
objects but it does not have a special meaning in some cases.
.PP
\&\fBX509_NAME_cmp()\fR and wrappers utilize the value \fB\-2\fR to indicate errors in some
@@ -204,11 +129,11 @@ circumstances, which could cause confusion for the applications.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBi2d_X509_NAME\fR\|(3), \fBi2d_X509\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_cmp_time.3 b/secure/lib/libcrypto/man/man3/X509_cmp_time.3
index 82cdc2265eae..f1aed3ac91b9 100644
--- a/secure/lib/libcrypto/man/man3/X509_cmp_time.3
+++ b/secure/lib/libcrypto/man/man3/X509_cmp_time.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CMP_TIME 3ossl"
-.TH X509_CMP_TIME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_CMP_TIME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_cmp_time, X509_cmp_current_time, X509_cmp_timeframe,
X509_time_adj, X509_time_adj_ex, X509_gmtime_adj
\&\- X509 time functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 8
\& int X509_cmp_time(const ASN1_TIME *asn1_time, time_t *in_tm);
@@ -152,39 +76,39 @@ X509_time_adj, X509_time_adj_ex, X509_gmtime_adj
\& offset_sec, time_t *in_tm);
\& ASN1_TIME *X509_gmtime_adj(ASN1_TIME *asn1_time, long offset_sec);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509_cmp_time()\fR compares the \s-1ASN1_TIME\s0 in \fIasn1_time\fR with the time
+\&\fBX509_cmp_time()\fR compares the ASN1_TIME in \fIasn1_time\fR with the time
in <in_tm>.
.PP
-\&\fBX509_cmp_current_time()\fR compares the \s-1ASN1_TIME\s0 in
+\&\fBX509_cmp_current_time()\fR compares the ASN1_TIME in
\&\fIasn1_time\fR with the current time, expressed as time_t.
.PP
\&\fBX509_cmp_timeframe()\fR compares the given time period with the reference time
-included in the verification parameters \fIvpm\fR if they are not \s-1NULL\s0 and contain
+included in the verification parameters \fIvpm\fR if they are not NULL and contain
\&\fBX509_V_FLAG_USE_CHECK_TIME\fR; else the current time is used as reference time.
.PP
-\&\fBX509_time_adj_ex()\fR sets the \s-1ASN1_TIME\s0 structure \fIasn1_time\fR to the time
+\&\fBX509_time_adj_ex()\fR sets the ASN1_TIME structure \fIasn1_time\fR to the time
\&\fIoffset_day\fR and \fIoffset_sec\fR after \fIin_tm\fR.
.PP
-\&\fBX509_time_adj()\fR sets the \s-1ASN1_TIME\s0 structure \fIasn1_time\fR to the time
+\&\fBX509_time_adj()\fR sets the ASN1_TIME structure \fIasn1_time\fR to the time
\&\fIoffset_sec\fR after \fIin_tm\fR. This method can only handle second
offsets up to the capacity of long, so the newer \fBX509_time_adj_ex()\fR
-\&\s-1API\s0 should be preferred.
+API should be preferred.
.PP
-In both methods, if \fIasn1_time\fR is \s-1NULL,\s0 a new \s-1ASN1_TIME\s0 structure
+In both methods, if \fIasn1_time\fR is NULL, a new ASN1_TIME structure
is allocated and returned.
.PP
-In all methods, if \fIin_tm\fR is \s-1NULL,\s0 the current time, expressed as
+In all methods, if \fIin_tm\fR is NULL, the current time, expressed as
time_t, is used.
.PP
-\&\fIasn1_time\fR must satisfy the \s-1ASN1_TIME\s0 format mandated by \s-1RFC 5280,\s0
-i.e., its format must be either \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ.\s0
+\&\fIasn1_time\fR must satisfy the ASN1_TIME format mandated by RFC 5280,
+i.e., its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ.
.PP
-\&\fBX509_gmtime_adj()\fR sets the \s-1ASN1_TIME\s0 structure \fIasn1_time\fR to the time
+\&\fBX509_gmtime_adj()\fR sets the ASN1_TIME structure \fIasn1_time\fR to the time
\&\fIoffset_sec\fR after the current time. It is equivalent to calling
-\&\fBX509_time_adj()\fR with the last parameter as \s-1NULL.\s0
-.SH "BUGS"
+\&\fBX509_time_adj()\fR with the last parameter as NULL.
+.SH BUGS
.IX Header "BUGS"
Unlike many standard comparison functions, \fBX509_cmp_time()\fR and
\&\fBX509_cmp_current_time()\fR return 0 on error.
@@ -194,24 +118,24 @@ Unlike many standard comparison functions, \fBX509_cmp_time()\fR and
is earlier than, or equal to, \fIin_tm\fR (resp. current time), and 1
otherwise. These methods return 0 on error.
.PP
-\&\fBX509_cmp_timeframe()\fR returns 0 if \fIvpm\fR is not \s-1NULL\s0 and the verification
+\&\fBX509_cmp_timeframe()\fR returns 0 if \fIvpm\fR is not NULL and the verification
parameters do not contain \fBX509_V_FLAG_USE_CHECK_TIME\fR
but do contain \fBX509_V_FLAG_NO_CHECK_TIME\fR. Otherwise it returns
-1 if the end time is not \s-1NULL\s0 and the reference time (which has determined as
-stated above) is past the end time, \-1 if the start time is not \s-1NULL\s0 and the
+1 if the end time is not NULL and the reference time (which has determined as
+stated above) is past the end time, \-1 if the start time is not NULL and the
reference time is before, else 0 to indicate that the reference time is in range
(implying that the end time is not before the start time if both are present).
.PP
\&\fBX509_time_adj()\fR, \fBX509_time_adj_ex()\fR and \fBX509_gmtime_adj()\fR return a pointer to
-the updated \s-1ASN1_TIME\s0 structure, and \s-1NULL\s0 on error.
-.SH "HISTORY"
+the updated ASN1_TIME structure, and NULL on error.
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_cmp_timeframe()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_digest.3 b/secure/lib/libcrypto/man/man3/X509_digest.3
index 73742b4fef0f..052e839d82ec 100644
--- a/secure/lib/libcrypto/man/man3/X509_digest.3
+++ b/secure/lib/libcrypto/man/man3/X509_digest.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_DIGEST 3ossl"
-.TH X509_DIGEST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_DIGEST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_digest,
X509_digest_sig,
X509_CRL_digest,
@@ -145,7 +69,7 @@ X509_NAME_digest,
X509_REQ_digest,
PKCS7_ISSUER_AND_SERIAL_digest
\&\- get digest of various objects
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -173,48 +97,48 @@ PKCS7_ISSUER_AND_SERIAL_digest
\& const EVP_MD *type, unsigned char *md,
\& unsigned int *len);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_digest_sig()\fR calculates a digest of the given certificate \fIcert\fR
using the same hash algorithm as in its signature, if the digest
is an integral part of the certificate signature algorithm identifier.
Otherwise, a fallback hash algorithm is determined as follows:
-\&\s-1SHA512\s0 if the signature algorithm is \s-1ED25519,
-SHAKE256\s0 if it is \s-1ED448,\s0 otherwise \s-1SHA256.\s0
+SHA512 if the signature algorithm is ED25519,
+SHAKE256 if it is ED448, otherwise SHA256.
The output parameters are assigned as follows.
-Unless \fImd_used\fR is \s-1NULL,\s0 the hash algorithm used is provided
-in \fI*md_used\fR and must be freed by the caller (if it is not \s-1NULL\s0).
-Unless \fImd_is_fallback\fR is \s-1NULL,\s0
+Unless \fImd_used\fR is NULL, the hash algorithm used is provided
+in \fI*md_used\fR and must be freed by the caller (if it is not NULL).
+Unless \fImd_is_fallback\fR is NULL,
the \fI*md_is_fallback\fR is set to 1 if the hash algorithm used is a fallback,
otherwise to 0.
.PP
-\&\fBX509_pubkey_digest()\fR returns a digest of the \s-1DER\s0 representation of the public
+\&\fBX509_pubkey_digest()\fR returns a digest of the DER representation of the public
key in the specified X509 \fIdata\fR object.
.PP
-All other functions described here return a digest of the \s-1DER\s0 representation
+All other functions described here return a digest of the DER representation
of their entire \fIdata\fR objects.
.PP
The \fItype\fR parameter specifies the digest to
be used, such as \fBEVP_sha1()\fR. The \fImd\fR is a pointer to the buffer where the
digest will be copied and is assumed to be large enough; the constant
-\&\fB\s-1EVP_MAX_MD_SIZE\s0\fR is suggested. The \fIlen\fR parameter, if not \s-1NULL,\s0 points
+\&\fBEVP_MAX_MD_SIZE\fR is suggested. The \fIlen\fR parameter, if not NULL, points
to a place where the digest size will be stored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_digest_sig()\fR returns an \s-1ASN1_OCTET_STRING\s0 pointer on success, else \s-1NULL.\s0
+\&\fBX509_digest_sig()\fR returns an ASN1_OCTET_STRING pointer on success, else NULL.
.PP
All other functions described here return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_sha1\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_digest_sig()\fR function was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_dup.3 b/secure/lib/libcrypto/man/man3/X509_dup.3
index 23e2f799fc4d..65ac4e08cd57 100644
--- a/secure/lib/libcrypto/man/man3/X509_dup.3
+++ b/secure/lib/libcrypto/man/man3/X509_dup.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_DUP 3ossl"
-.TH X509_DUP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_DUP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
DECLARE_ASN1_FUNCTIONS,
IMPLEMENT_ASN1_FUNCTIONS,
ASN1_ITEM,
@@ -166,8 +90,12 @@ CMS_ContentInfo_free,
CMS_ContentInfo_new,
CMS_ContentInfo_new_ex,
CMS_ContentInfo_print_ctx,
+CMS_EnvelopedData_it,
+CMS_EnvelopedData_dup,
CMS_ReceiptRequest_free,
CMS_ReceiptRequest_new,
+CMS_SignedData_free,
+CMS_SignedData_new,
CRL_DIST_POINTS_free,
CRL_DIST_POINTS_new,
DIRECTORYSTRING_free,
@@ -176,6 +104,7 @@ DISPLAYTEXT_free,
DISPLAYTEXT_new,
DIST_POINT_NAME_free,
DIST_POINT_NAME_new,
+DIST_POINT_NAME_dup,
DIST_POINT_free,
DIST_POINT_new,
DSAparams_dup,
@@ -211,6 +140,9 @@ GENERAL_NAME_free,
GENERAL_NAME_new,
GENERAL_SUBTREE_free,
GENERAL_SUBTREE_new,
+OSSL_IETF_ATTR_SYNTAX_free,
+OSSL_IETF_ATTR_SYNTAX_it,
+OSSL_IETF_ATTR_SYNTAX_new,
IPAddressChoice_free,
IPAddressChoice_new,
IPAddressFamily_free,
@@ -264,6 +196,49 @@ OCSP_SIGNATURE_free,
OCSP_SIGNATURE_new,
OCSP_SINGLERESP_free,
OCSP_SINGLERESP_new,
+OSSL_AA_DIST_POINT_free,
+OSSL_AA_DIST_POINT_new,
+OSSL_AA_DIST_POINT_it,
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_free,
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_new,
+OSSL_ALLOWED_ATTRIBUTES_CHOICE_it,
+OSSL_ALLOWED_ATTRIBUTES_ITEM_free,
+OSSL_ALLOWED_ATTRIBUTES_ITEM_new,
+OSSL_ALLOWED_ATTRIBUTES_ITEM_it,
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_free,
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_new,
+OSSL_ALLOWED_ATTRIBUTES_SYNTAX_it,
+OSSL_ATAV_free,
+OSSL_ATAV_new,
+OSSL_ATAV_it,
+OSSL_ATTRIBUTE_DESCRIPTOR_free,
+OSSL_ATTRIBUTE_DESCRIPTOR_new,
+OSSL_ATTRIBUTE_DESCRIPTOR_it,
+OSSL_ATTRIBUTE_MAPPING_free,
+OSSL_ATTRIBUTE_MAPPING_new,
+OSSL_ATTRIBUTE_MAPPING_it,
+OSSL_ATTRIBUTE_MAPPINGS_free,
+OSSL_ATTRIBUTE_MAPPINGS_new,
+OSSL_ATTRIBUTE_MAPPINGS_it,
+OSSL_ATTRIBUTE_TYPE_MAPPING_free,
+OSSL_ATTRIBUTE_TYPE_MAPPING_new,
+OSSL_ATTRIBUTE_TYPE_MAPPING_it,
+OSSL_ATTRIBUTE_VALUE_MAPPING_free,
+OSSL_ATTRIBUTE_VALUE_MAPPING_new,
+OSSL_ATTRIBUTE_VALUE_MAPPING_it,
+OSSL_ATTRIBUTES_SYNTAX_free,
+OSSL_ATTRIBUTES_SYNTAX_it,
+OSSL_ATTRIBUTES_SYNTAX_new,
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_free,
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_it,
+OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_new,
+OSSL_BASIC_ATTR_CONSTRAINTS_free,
+OSSL_BASIC_ATTR_CONSTRAINTS_it,
+OSSL_BASIC_ATTR_CONSTRAINTS_new,
+OSSL_CMP_ATAVS_new,
+OSSL_CMP_ATAVS_free,
+OSSL_CMP_ATAVS_it,
+OSSL_CMP_CRLSTATUS_free,
OSSL_CMP_ITAV_dup,
OSSL_CMP_ITAV_free,
OSSL_CMP_MSG_dup,
@@ -284,6 +259,12 @@ OSSL_CRMF_CERTID_new,
OSSL_CRMF_CERTTEMPLATE_free,
OSSL_CRMF_CERTTEMPLATE_it,
OSSL_CRMF_CERTTEMPLATE_new,
+OSSL_CRMF_CERTTEMPLATE_dup,
+OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup,
+OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free,
+OSSL_CRMF_ENCRYPTEDKEY_free,
+OSSL_CRMF_ENCRYPTEDKEY_it,
+OSSL_CRMF_ENCRYPTEDKEY_new,
OSSL_CRMF_ENCRYPTEDVALUE_free,
OSSL_CRMF_ENCRYPTEDVALUE_it,
OSSL_CRMF_ENCRYPTEDVALUE_new,
@@ -303,6 +284,79 @@ OSSL_CRMF_PKIPUBLICATIONINFO_new,
OSSL_CRMF_SINGLEPUBINFO_free,
OSSL_CRMF_SINGLEPUBINFO_it,
OSSL_CRMF_SINGLEPUBINFO_new,
+OSSL_DAY_TIME_free,
+OSSL_DAY_TIME_new,
+OSSL_DAY_TIME_it,
+OSSL_DAY_TIME_BAND_free,
+OSSL_DAY_TIME_BAND_new,
+OSSL_DAY_TIME_BAND_it,
+OSSL_HASH_free,
+OSSL_HASH_it,
+OSSL_HASH_new,
+OSSL_INFO_SYNTAX_free,
+OSSL_INFO_SYNTAX_it,
+OSSL_INFO_SYNTAX_new,
+OSSL_INFO_SYNTAX_POINTER_free,
+OSSL_INFO_SYNTAX_POINTER_it,
+OSSL_INFO_SYNTAX_POINTER_new,
+OSSL_PRIVILEGE_POLICY_ID_free,
+OSSL_PRIVILEGE_POLICY_ID_it,
+OSSL_PRIVILEGE_POLICY_ID_new,
+OSSL_TARGET_CERT_free,
+OSSL_TARGET_CERT_it,
+OSSL_TARGET_CERT_new,
+OSSL_TARGET_free,
+OSSL_TARGET_it,
+OSSL_TARGET_new,
+OSSL_TARGETING_INFORMATION_free,
+OSSL_TARGETING_INFORMATION_it,
+OSSL_TARGETING_INFORMATION_new,
+OSSL_TARGETS_free,
+OSSL_TARGETS_it,
+OSSL_TARGETS_new,
+OSSL_IETF_ATTR_SYNTAX_VALUE_free,
+OSSL_IETF_ATTR_SYNTAX_VALUE_it,
+OSSL_IETF_ATTR_SYNTAX_VALUE_new,
+OSSL_ISSUER_SERIAL_free,
+OSSL_ISSUER_SERIAL_new,
+OSSL_NAMED_DAY_free,
+OSSL_NAMED_DAY_new,
+OSSL_NAMED_DAY_it,
+OSSL_OBJECT_DIGEST_INFO_free,
+OSSL_OBJECT_DIGEST_INFO_new,
+OSSL_ROLE_SPEC_CERT_ID_free,
+OSSL_ROLE_SPEC_CERT_ID_new,
+OSSL_ROLE_SPEC_CERT_ID_it,
+OSSL_ROLE_SPEC_CERT_ID_SYNTAX_free,
+OSSL_ROLE_SPEC_CERT_ID_SYNTAX_new,
+OSSL_ROLE_SPEC_CERT_ID_SYNTAX_it,
+OSSL_TIME_PERIOD_free,
+OSSL_TIME_PERIOD_new,
+OSSL_TIME_PERIOD_it,
+OSSL_TIME_SPEC_ABSOLUTE_free,
+OSSL_TIME_SPEC_ABSOLUTE_new,
+OSSL_TIME_SPEC_ABSOLUTE_it,
+OSSL_TIME_SPEC_free,
+OSSL_TIME_SPEC_new,
+OSSL_TIME_SPEC_it,
+OSSL_TIME_SPEC_DAY_free,
+OSSL_TIME_SPEC_DAY_new,
+OSSL_TIME_SPEC_DAY_it,
+OSSL_TIME_SPEC_MONTH_free,
+OSSL_TIME_SPEC_MONTH_new,
+OSSL_TIME_SPEC_MONTH_it,
+OSSL_TIME_SPEC_TIME_free,
+OSSL_TIME_SPEC_TIME_new,
+OSSL_TIME_SPEC_TIME_it,
+OSSL_TIME_SPEC_WEEKS_free,
+OSSL_TIME_SPEC_WEEKS_new,
+OSSL_TIME_SPEC_WEEKS_it,
+OSSL_TIME_SPEC_X_DAY_OF_free,
+OSSL_TIME_SPEC_X_DAY_OF_new,
+OSSL_TIME_SPEC_X_DAY_OF_it,
+OSSL_USER_NOTICE_SYNTAX_free,
+OSSL_USER_NOTICE_SYNTAX_new,
+OSSL_USER_NOTICE_SYNTAX_it,
OTHERNAME_free,
OTHERNAME_new,
PBE2PARAM_free,
@@ -311,6 +365,9 @@ PBEPARAM_free,
PBEPARAM_new,
PBKDF2PARAM_free,
PBKDF2PARAM_new,
+PBMAC1PARAM_free,
+PBMAC1PARAM_it,
+PBMAC1PARAM_new,
PKCS12_BAGS_free,
PKCS12_BAGS_new,
PKCS12_MAC_DATA_free,
@@ -397,6 +454,15 @@ TS_TST_INFO_free,
TS_TST_INFO_new,
USERNOTICE_free,
USERNOTICE_new,
+X509_ACERT_dup,
+X509_ACERT_free,
+X509_ACERT_it,
+X509_ACERT_new,
+X509_ACERT_INFO_free,
+X509_ACERT_INFO_it,
+X509_ACERT_INFO_new,
+X509_ACERT_ISSUER_V2FORM_free,
+X509_ACERT_ISSUER_V2FORM_new,
X509_ALGOR_free,
X509_ALGOR_it,
X509_ALGOR_new,
@@ -437,7 +503,7 @@ X509_VAL_free,
X509_VAL_new,
X509_dup,
\&\- ASN1 object utilities
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1t.h>
@@ -455,7 +521,7 @@ X509_dup,
.Ve
.PP
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 3
@@ -463,60 +529,140 @@ see \fBopenssl_user_macros\fR\|(7):
\& RSA *RSAPrivateKey_dup(const RSA *rsa);
\& RSA *RSAPublicKey_dup(const RSA *rsa);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-In the description below, \fB\f(BI\s-1TYPE\s0\fB\fR is used
+In the description below, \fR\f(BITYPE\fR\fB\fR is used
as a placeholder for any of the OpenSSL datatypes, such as \fBX509\fR.
.PP
-The OpenSSL \s-1ASN1\s0 parsing library templates are like a data-driven bytecode
+The OpenSSL ASN1 parsing library templates are like a data-driven bytecode
interpreter.
-Every \s-1ASN1\s0 object as a global variable, TYPE_it, that describes the item
+Every ASN1 object as a global variable, TYPE_it, that describes the item
such as its fields. (On systems which cannot export variables from shared
libraries, the global is instead a function which returns a pointer to a
static variable.
.PP
-The macro \s-1\fBDECLARE_ASN1_FUNCTIONS\s0()\fR is typically used in header files
+The macro \fBDECLARE_ASN1_FUNCTIONS()\fR is typically used in header files
to generate the function declarations.
.PP
-The macro \s-1\fBIMPLEMENT_ASN1_FUNCTIONS\s0()\fR is used once in a source file
+The macro \fBIMPLEMENT_ASN1_FUNCTIONS()\fR is used once in a source file
to generate the function bodies.
.PP
-\&\fB\f(BI\s-1TYPE\s0\fB_new\fR() allocates an empty object of the indicated type.
-The object returned must be released by calling \fB\f(BI\s-1TYPE\s0\fB_free\fR().
+\&\fR\f(BITYPE\fR\fB_new\fR() allocates an empty object of the indicated type.
+The object returned must be released by calling \fB\fR\f(BITYPE\fR\fB_free\fR().
.PP
-\&\fB\f(BI\s-1TYPE\s0\fB_new_ex\fR() is similar to \fB\f(BI\s-1TYPE\s0\fB_new\fR() but also passes the
+\&\fR\f(BITYPE\fR\fB_new_ex\fR() is similar to \fB\fR\f(BITYPE\fR\fB_new\fR() but also passes the
library context \fIlibctx\fR and the property query \fIpropq\fR to use when retrieving
algorithms from providers. This created object can then be used when loading
-binary data using \fBd2i_\f(BI\s-1TYPE\s0\fB\fR().
+binary data using \fBd2i_\fR\f(BITYPE\fR\fB\fR().
.PP
-\&\fB\f(BI\s-1TYPE\s0\fB_dup\fR() copies an existing object, leaving it untouched.
+\&\fR\f(BITYPE\fR\fB_dup\fR() copies an existing object, leaving it untouched.
+Note, however, that the internal representation of the object
+may contain (besides the ASN.1 structure) further data, which is not copied.
+For instance, an \fBX509\fR object usually is augmented by cached information
+on X.509v3 extensions, etc., and losing it can lead to wrong validation results.
+To avoid such situations, better use \fB\fR\f(BITYPE\fR\fB_up_ref\fR() if available.
+For the case of \fBX509\fR objects, an alternative to using \fBX509_up_ref\fR\|(3)
+may be to still call \fB\fR\f(BITYPE\fR\fB_dup\fR(), e.g., \fIcopied_cert = X509_dup(cert)\fR,
+followed by \fIX509_check_purpose(copied_cert, \-1, 0)\fR,
+which re-builds the cached data.
.PP
-\&\fB\f(BI\s-1TYPE\s0\fB_free\fR() releases the object and all pointers and sub-objects
-within it.
+\&\fR\f(BITYPE\fR\fB_free\fR() releases the object and all pointers and sub-objects
+within it. If the argument is NULL, nothing is done.
.PP
-\&\fB\f(BI\s-1TYPE\s0\fB_print_ctx\fR() prints the object \fIa\fR on the specified \s-1BIO\s0 \fIout\fR.
+\&\fR\f(BITYPE\fR\fB_print_ctx\fR() prints the object \fIa\fR on the specified BIO \fIout\fR.
Each line will be prefixed with \fIindent\fR spaces.
The \fIpctx\fR specifies the printing context and is for internal
-use; use \s-1NULL\s0 to get the default behavior. If a print function is
+use; use NULL to get the default behavior. If a print function is
user-defined, then pass in any \fIpctx\fR down to any nested calls.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fB\f(BI\s-1TYPE\s0\fB_new\fR(), \fB\f(BI\s-1TYPE\s0\fB_new_ex\fR() and \fB\f(BI\s-1TYPE\s0\fB_dup\fR() return a pointer to
-the object or \s-1NULL\s0 on failure.
+\&\fR\f(BITYPE\fR\fB_new\fR(), \fB\fR\f(BITYPE\fR\fB_new_ex\fR() and \fB\fR\f(BITYPE\fR\fB_dup\fR() return a pointer to
+the object or NULL on failure.
.PP
-\&\fB\f(BI\s-1TYPE\s0\fB_print_ctx\fR() returns 1 on success or zero on failure.
-.SH "HISTORY"
+\&\fR\f(BITYPE\fR\fB_print_ctx\fR() returns 1 on success or zero on failure.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_up_ref\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The functions \fBX509_REQ_new_ex()\fR, \fBX509_CRL_new_ex()\fR, \fBPKCS7_new_ex()\fR and
\&\fBCMS_ContentInfo_new_ex()\fR were added in OpenSSL 3.0.
.PP
The functions \fBDSAparams_dup()\fR, \fBRSAPrivateKey_dup()\fR and \fBRSAPublicKey_dup()\fR were
deprecated in 3.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBCMS_EnvelopedData_it()\fR, \fBCMS_SignedData_free()\fR, \fBCMS_SignedData_new()\fR
+were added in OpenSSL 3.2.
+.PP
+\&\fBDIST_POINT_NAME_dup()\fR, \fBOSSL_IETF_ATTR_SYNTAX_free()\fR, \fBOSSL_IETF_ATTR_SYNTAX_it()\fR,
+\&\fBOSSL_IETF_ATTR_SYNTAX_new()\fR, \fBOSSL_ATTRIBUTES_SYNTAX_free()\fR,
+\&\fBOSSL_ATTRIBUTES_SYNTAX_it()\fR, \fBOSSL_ATTRIBUTES_SYNTAX_new()\fR,
+\&\fBOSSL_BASIC_ATTR_CONSTRAINTS_free()\fR, \fBOSSL_BASIC_ATTR_CONSTRAINTS_it()\fR,
+\&\fBOSSL_BASIC_ATTR_CONSTRAINTS_new()\fR, \fBOSSL_CMP_ATAVS_new()\fR, \fBOSSL_CMP_ATAVS_free()\fR,
+\&\fBOSSL_CMP_ATAVS_it()\fR, \fBOSSL_CMP_CRLSTATUS_free()\fR, \fBOSSL_CRMF_CERTTEMPLATE_dup()\fR,
+\&\fBOSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup()\fR, \fBOSSL_CRMF_ATTRIBUTETYPEANDVALUE_free()\fR,
+\&\fBOSSL_TARGET_free()\fR, \fBOSSL_TARGET_it()\fR, \fBOSSL_TARGET_new()\fR,
+\&\fBOSSL_TARGETING_INFORMATION_free()\fR, \fBOSSL_TARGETING_INFORMATION_it()\fR,
+\&\fBOSSL_TARGETING_INFORMATION_new()\fR, \fBOSSL_TARGETS_free()\fR,
+\&\fBOSSL_TARGETS_it()\fR, \fBOSSL_TARGETS_new()\fR, \fBOSSL_IETF_ATTR_SYNTAX_VALUE_free()\fR,
+\&\fBOSSL_IETF_ATTR_SYNTAX_VALUE_it()\fR, \fBOSSL_IETF_ATTR_SYNTAX_VALUE_new()\fR,
+\&\fBOSSL_ISSUER_SERIAL_free()\fR, \fBOSSL_ISSUER_SERIAL_new()\fR,
+\&\fBOSSL_OBJECT_DIGEST_INFO_free()\fR, \fBOSSL_OBJECT_DIGEST_INFO_new()\fR,
+\&\fBOSSL_USER_NOTICE_SYNTAX_free()\fR, \fBOSSL_USER_NOTICE_SYNTAX_new()\fR,
+\&\fBOSSL_USER_NOTICE_SYNTAX_it()\fR, \fBPBMAC1PARAM_free()\fR, \fBPBMAC1PARAM_it()\fR,
+\&\fBPBMAC1PARAM_new()\fR, \fBX509_ACERT_dup()\fR, \fBX509_ACERT_free()\fR, \fBX509_ACERT_it()\fR,
+\&\fBX509_ACERT_new()\fR, \fBX509_ACERT_INFO_free()\fR, \fBX509_ACERT_INFO_it()\fR,
+\&\fBX509_ACERT_INFO_new()\fR, \fBX509_ACERT_ISSUER_V2FORM_free()\fR,
+\&\fBX509_ACERT_ISSUER_V2FORM_new()\fR
+were added in OpenSSL 3.4.
+.PP
+\&\fBOSSL_AA_DIST_POINT_free()\fR, \fBOSSL_AA_DIST_POINT_new()\fR, \fBOSSL_AA_DIST_POINT_it()\fR,
+\&\fBOSSL_ALLOWED_ATTRIBUTES_CHOICE_free()\fR, \fBOSSL_ALLOWED_ATTRIBUTES_CHOICE_new()\fR,
+\&\fBOSSL_ALLOWED_ATTRIBUTES_CHOICE_it()\fR, \fBOSSL_ALLOWED_ATTRIBUTES_ITEM_free()\fR,
+\&\fBOSSL_ALLOWED_ATTRIBUTES_ITEM_new()\fR, \fBOSSL_ALLOWED_ATTRIBUTES_ITEM_it()\fR,
+\&\fBOSSL_ALLOWED_ATTRIBUTES_SYNTAX_free()\fR, \fBOSSL_ALLOWED_ATTRIBUTES_SYNTAX_new()\fR,
+\&\fBOSSL_ALLOWED_ATTRIBUTES_SYNTAX_it()\fR,
+\&\fBOSSL_ATAV_free()\fR, \fBOSSL_ATAV_it()\fR, \fBOSSL_ATAV_new()\fR,
+\&\fBOSSL_ATTRIBUTE_DESCRIPTOR_free()\fR, \fBOSSL_ATTRIBUTE_DESCRIPTOR_new()\fR,
+\&\fBOSSL_ATTRIBUTE_DESCRIPTOR_it()\fR,
+\&\fBOSSL_ATTRIBUTE_MAPPINGS_free()\fR, \fBOSSL_ATTRIBUTE_MAPPINGS_it()\fR,
+\&\fBOSSL_ATTRIBUTE_MAPPINGS_new()\fR, \fBOSSL_ATTRIBUTE_MAPPING_free()\fR,
+\&\fBOSSL_ATTRIBUTE_MAPPING_it()\fR, \fBOSSL_ATTRIBUTE_MAPPING_new()\fR,
+\&\fBOSSL_ATTRIBUTE_TYPE_MAPPING_free()\fR, \fBOSSL_ATTRIBUTE_TYPE_MAPPING_it()\fR,
+\&\fBOSSL_ATTRIBUTE_TYPE_MAPPING_new()\fR, \fBOSSL_ATTRIBUTE_VALUE_MAPPING_free()\fR,
+\&\fBOSSL_ATTRIBUTE_VALUE_MAPPING_it()\fR, \fBOSSL_ATTRIBUTE_VALUE_MAPPING_new()\fR,
+\&\fBOSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_free()\fR,
+\&\fBOSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_it()\fR, \fBOSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX_new()\fR,
+\&\fBOSSL_HASH_free()\fR, \fBOSSL_HASH_it()\fR, \fBOSSL_HASH_new()\fR, \fBOSSL_INFO_SYNTAX_free()\fR,
+\&\fBOSSL_INFO_SYNTAX_it()\fR, \fBOSSL_INFO_SYNTAX_new()\fR, \fBOSSL_INFO_SYNTAX_POINTER_free()\fR,
+\&\fBOSSL_INFO_SYNTAX_POINTER_it()\fR, \fBOSSL_INFO_SYNTAX_POINTER_new()\fR,
+\&\fBOSSL_PRIVILEGE_POLICY_ID_free()\fR, \fBOSSL_PRIVILEGE_POLICY_ID_it()\fR,
+\&\fBOSSL_PRIVILEGE_POLICY_ID_new()\fR, \fBOSSL_ROLE_SPEC_CERT_ID_free()\fR,
+\&\fBOSSL_ROLE_SPEC_CERT_ID_new()\fR, \fBOSSL_ROLE_SPEC_CERT_ID_it()\fR,
+\&\fBOSSL_ROLE_SPEC_CERT_ID_SYNTAX_free()\fR, \fBOSSL_ROLE_SPEC_CERT_ID_SYNTAX_new()\fR,
+\&\fBOSSL_ROLE_SPEC_CERT_ID_SYNTAX_it()\fR, \fBOSSL_DAY_TIME_BAND_free()\fR,
+\&\fBOSSL_DAY_TIME_BAND_it()\fR, \fBOSSL_DAY_TIME_BAND_new()\fR,
+\&\fBOSSL_DAY_TIME_free()\fR, \fBOSSL_DAY_TIME_it()\fR, \fBOSSL_DAY_TIME_new()\fR,
+\&\fBOSSL_NAMED_DAY_free()\fR, \fBOSSL_NAMED_DAY_it()\fR, \fBOSSL_NAMED_DAY_new()\fR,
+\&\fBOSSL_TIME_PERIOD_free()\fR, \fBOSSL_TIME_PERIOD_it()\fR, \fBOSSL_TIME_PERIOD_new()\fR,
+\&\fBOSSL_TIME_SPEC_ABSOLUTE_free()\fR, \fBOSSL_TIME_SPEC_ABSOLUTE_it()\fR,
+\&\fBOSSL_TIME_SPEC_ABSOLUTE_new()\fR, \fBOSSL_TIME_SPEC_DAY_free()\fR,
+\&\fBOSSL_TIME_SPEC_DAY_it()\fR, \fBOSSL_TIME_SPEC_DAY_new()\fR,
+\&\fBOSSL_TIME_SPEC_MONTH_free()\fR, \fBOSSL_TIME_SPEC_MONTH_it()\fR,
+\&\fBOSSL_TIME_SPEC_MONTH_new()\fR, \fBOSSL_TIME_SPEC_TIME_free()\fR,
+\&\fBOSSL_TIME_SPEC_TIME_it()\fR, \fBOSSL_TIME_SPEC_TIME_new()\fR,
+\&\fBOSSL_TIME_SPEC_WEEKS_free()\fR, \fBOSSL_TIME_SPEC_WEEKS_it()\fR,
+\&\fBOSSL_TIME_SPEC_WEEKS_new()\fR, \fBOSSL_TIME_SPEC_X_DAY_OF_free()\fR,
+\&\fBOSSL_TIME_SPEC_X_DAY_OF_it()\fR, \fBOSSL_TIME_SPEC_X_DAY_OF_new()\fR,
+\&\fBOSSL_TIME_SPEC_free()\fR, \fBOSSL_TIME_SPEC_it()\fR, \fBOSSL_TIME_SPEC_new()\fR,
+\&\fBCMS_EnvelopedData_dup()\fR, \fBOSSL_CRMF_ENCRYPTEDKEY_free()\fR,
+\&\fBOSSL_CRMF_ENCRYPTEDKEY_it()\fR and \fBOSSL_CRMF_ENCRYPTEDKEY_new()\fR
+were added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3 b/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3
index e9ab7cbe81b6..e0eca08241d1 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_distinguishing_id.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_DISTINGUISHING_ID 3ossl"
-.TH X509_GET0_DISTINGUISHING_ID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET0_DISTINGUISHING_ID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get0_distinguishing_id, X509_set0_distinguishing_id,
X509_REQ_get0_distinguishing_id, X509_REQ_set0_distinguishing_id
\&\- get or set the Distinguishing ID for certificate operations
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -150,26 +74,26 @@ X509_REQ_get0_distinguishing_id, X509_REQ_set0_distinguishing_id
\& ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);
\& void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *distid);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The Distinguishing \s-1ID\s0 is defined in \s-1FIPS 196\s0 as follows:
+The Distinguishing ID is defined in FIPS 196 as follows:
.IP "\fIDistinguishing identifier\fR" 4
.IX Item "Distinguishing identifier"
Information which unambiguously distinguishes
an entity in the authentication process.
.PP
-The \s-1SM2\s0 signature algorithm requires a Distinguishing \s-1ID\s0 value when generating
-and verifying a signature, but the Ddistinguishing \s-1ID\s0 may also find other uses.
-In the context of \s-1SM2,\s0 the Distinguishing \s-1ID\s0 is often referred to as the \*(L"\s-1SM2
-ID\*(R".\s0
+The SM2 signature algorithm requires a Distinguishing ID value when generating
+and verifying a signature, but the Ddistinguishing ID may also find other uses.
+In the context of SM2, the Distinguishing ID is often referred to as the "SM2
+ID".
.PP
For the purpose off verifying a certificate or a certification request, a
-Distinguishing \s-1ID\s0 may be attached to it, so functions like \fBX509_verify\fR\|(3)
+Distinguishing ID may be attached to it, so functions like \fBX509_verify\fR\|(3)
or \fBX509_REQ_verify\fR\|(3) have easy access to that identity for signature
verification.
.PP
-\&\fBX509_get0_distinguishing_id()\fR gets the Distinguishing \s-1ID\s0 value of a certificate
-\&\fBx\fR by returning an \fB\s-1ASN1_OCTET_STRING\s0\fR object which should not be freed by
+\&\fBX509_get0_distinguishing_id()\fR gets the Distinguishing ID value of a certificate
+\&\fBx\fR by returning an \fBASN1_OCTET_STRING\fR object which should not be freed by
the caller.
.PP
\&\fBX509_set0_distinguishing_id()\fR assigns \fBdistid\fR to the certificate \fBx\fR.
@@ -187,12 +111,12 @@ objects instead of \fBX509\fR.
return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBX509_verify\fR\|(3), \s-1\fBSM2\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBX509_verify\fR\|(3), \fBSM2\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3
index 7b8c563eeef4..386e00533bc3 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_NOTBEFORE 3ossl"
-.TH X509_GET0_NOTBEFORE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET0_NOTBEFORE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get0_notBefore, X509_getm_notBefore, X509_get0_notAfter,
X509_getm_notAfter, X509_set1_notBefore, X509_set1_notAfter,
+X509_ACERT_get0_notBefore, X509_ACERT_get0_notAfter,
+X509_ACERT_set1_notBefore, X509_ACERT_set1_notAfter,
X509_CRL_get0_lastUpdate, X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate,
X509_CRL_set1_nextUpdate \- get or set certificate or CRL dates
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -155,18 +81,24 @@ X509_CRL_set1_nextUpdate \- get or set certificate or CRL dates
\& int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
\& int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
\&
+\& const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notBefore(const X509 *x);
+\& const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notAfter(const X509 *x);
+\&
+\& int X509_ACERT_set1_notBefore(X509_ACERT *x, const ASN1_GENERALIZEDTIME *tm);
+\& int X509_ACERT_set1_notAfter(X509_ACERT *x, const ASN1_GENERALIZEDTIME *tm);
+\&
\& const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
\& const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
\&
\& int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
\& int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_get0_notBefore()\fR and \fBX509_get0_notAfter()\fR return the \fBnotBefore\fR
-and \fBnotAfter\fR fields of certificate \fBx\fR respectively. The value
+and \fBnotAfter\fR fields of certificate \fIx\fR respectively. The value
returned is an internal pointer which must not be freed up after
-the call.
+the call. \fIx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBX509_getm_notBefore()\fR and \fBX509_getm_notAfter()\fR are similar to
\&\fBX509_get0_notBefore()\fR and \fBX509_get0_notAfter()\fR except they return
@@ -174,33 +106,51 @@ non-constant mutable references to the associated date field of
the certificate.
.PP
\&\fBX509_set1_notBefore()\fR and \fBX509_set1_notAfter()\fR set the \fBnotBefore\fR
+and \fBnotAfter\fR fields of \fIx\fR to \fItm\fR. Ownership of the passed
+parameter \fItm\fR is not transferred by these functions so it must
+be freed up after the call.
+.PP
+\&\fBX509_ACERT_get0_notBefore()\fR and \fBX509_ACERT_get0_notAfter()\fR return
+the \fBnotBefore\fR and \fBnotAfter\fR fields of certificate \fBx\fR respectively.
+returned is an internal pointer which must not be freed up after
+the call.
+.PP
+\&\fBX509_ACERT_set1_notBefore()\fR and \fBX509_ACERT_set1_notAfter()\fR set the \fBnotBefore\fR
and \fBnotAfter\fR fields of \fBx\fR to \fBtm\fR. Ownership of the passed
parameter \fBtm\fR is not transferred by these functions so it must
be freed up after the call.
.PP
\&\fBX509_CRL_get0_lastUpdate()\fR and \fBX509_CRL_get0_nextUpdate()\fR return the
-\&\fBlastUpdate\fR and \fBnextUpdate\fR fields of \fBcrl\fR. The value
+\&\fBlastUpdate\fR and \fBnextUpdate\fR fields of \fIcrl\fR. The value
returned is an internal pointer which must not be freed up after
-the call. If the \fBnextUpdate\fR field is absent from \fBcrl\fR then
-\&\fB\s-1NULL\s0\fR is returned.
+the call. If the \fBnextUpdate\fR field is absent from \fIcrl\fR then
+NULL is returned.
.PP
\&\fBX509_CRL_set1_lastUpdate()\fR and \fBX509_CRL_set1_nextUpdate()\fR set the \fBlastUpdate\fR
-and \fBnextUpdate\fR fields of \fBcrl\fR to \fBtm\fR. Ownership of the passed parameter
-\&\fBtm\fR is not transferred by these functions so it must be freed up after the
+and \fBnextUpdate\fR fields of \fIcrl\fR to \fItm\fR. Ownership of the passed parameter
+\&\fItm\fR is not transferred by these functions so it must be freed up after the
call.
+For \fBX509_CRL_set1_nextUpdate()\fR the \fItm\fR argument may be NULL,
+which implies removal of the optional \fBnextUpdate\fR field.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get0_notBefore()\fR, \fBX509_get0_notAfter()\fR and \fBX509_CRL_get0_lastUpdate()\fR
-return a pointer to an \fB\s-1ASN1_TIME\s0\fR structure.
+return a pointer to an \fBASN1_TIME\fR structure.
.PP
-\&\fBX509_CRL_get0_lastUpdate()\fR return a pointer to an \fB\s-1ASN1_TIME\s0\fR structure
-or \s-1NULL\s0 if the \fBlastUpdate\fR field is absent.
+\&\fBX509_CRL_get0_lastUpdate()\fR return a pointer to an \fBASN1_TIME\fR structure
+or NULL if the \fBlastUpdate\fR field is absent.
.PP
\&\fBX509_set1_notBefore()\fR, \fBX509_set1_notAfter()\fR, \fBX509_CRL_set1_lastUpdate()\fR and
\&\fBX509_CRL_set1_nextUpdate()\fR return 1 for success or 0 for failure.
+.SH NOTES
+.IX Header "NOTES"
+Unlike the \fBX509\fR and \fBX509_CRL\fR routines, the \fBX509_ACERT\fR routines
+use the ASN1_GENERALIZEDTIME format instead of ASN1_TIME for holding time
+data.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
+\&\fBASN1_GENERALIZEDTIME_check\fR\|(3)
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
@@ -216,17 +166,19 @@ or \s-1NULL\s0 if the \fBlastUpdate\fR field is absent.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-These functions are available in all versions of OpenSSL.
-.PP
\&\fBX509_get_notBefore()\fR and \fBX509_get_notAfter()\fR were deprecated in OpenSSL
-1.1.0
-.SH "COPYRIGHT"
+1.1.0.
+.PP
+\&\fBX509_ACERT_get0_notBefore()\fR, \fBX509_ACERT_get0_notAfter()\fR,
+\&\fBX509_ACERT_set1_notBefore()\fR, \fBX509_ACERT_set1_notAfter()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_signature.3 b/secure/lib/libcrypto/man/man3/X509_get0_signature.3
index c96605ffbab7..3f7be421320d 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_signature.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_signature.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_SIGNATURE 3ossl"
-.TH X509_GET0_SIGNATURE 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET0_SIGNATURE 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo,
X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature,
X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid,
-X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set \- signature information
-.SH "SYNOPSIS"
+X509_ACERT_get0_signature, X509_ACERT_get0_info_sigalg,
+X509_ACERT_get_signature_nid, X509_get_signature_info,
+X509_SIG_INFO_get, X509_SIG_INFO_set \- signature information
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -159,6 +85,8 @@ X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set \- signature infor
\& const X509_ALGOR **palg);
\& int X509_REQ_get_signature_nid(const X509_REQ *crl);
\&
+\& const X509_ALGOR *X509_ACERT_get0_info_sigalg(const X509_ACERT *x);
+\&
\& void X509_CRL_get0_signature(const X509_CRL *crl,
\& const ASN1_BIT_STRING **psig,
\& const X509_ALGOR **palg);
@@ -171,12 +99,19 @@ X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set \- signature infor
\& int *secbits, uint32_t *flags);
\& void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid,
\& int secbits, uint32_t flags);
+\&
+\& #include <openssl/x509_acert.h>
+\&
+\& void X509_ACERT_get0_signature(const X509_ACERT *x,
+\& const ASN1_BIT_STRING **psig,
+\& const X509_ALGOR **palg);
+\& int X509_ACERT_get_signature_nid(const X509_ACERT *x);
+\&=head1 DESCRIPTION
.Ve
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
+.PP
\&\fBX509_get0_signature()\fR sets \fB*psig\fR to the signature of \fBx\fR and \fB*palg\fR
to the signature algorithm of \fBx\fR. The values returned are internal
-pointers which \fB\s-1MUST NOT\s0\fR be freed up after the call.
+pointers which \fBMUST NOT\fR be freed up after the call.
.PP
\&\fBX509_set0_signature()\fR and \fBX509_REQ_set1_signature_algo()\fR are the
equivalent setters for the two values of \fBX509_get0_signature()\fR.
@@ -184,25 +119,29 @@ equivalent setters for the two values of \fBX509_get0_signature()\fR.
\&\fBX509_get0_tbs_sigalg()\fR returns the signature algorithm in the signed
portion of \fBx\fR.
.PP
-\&\fBX509_get_signature_nid()\fR returns the \s-1NID\s0 corresponding to the signature
+\&\fBX509_get_signature_nid()\fR returns the NID corresponding to the signature
algorithm of \fBx\fR.
.PP
\&\fBX509_REQ_get0_signature()\fR, \fBX509_REQ_get_signature_nid()\fR
\&\fBX509_CRL_get0_signature()\fR and \fBX509_CRL_get_signature_nid()\fR perform the
same function for certificate requests and CRLs.
.PP
+\&\fBX509_ACERT_get0_signature()\fR, \fBX509_ACERT_get_signature_nid()\fR and
+\&\fBX509_ACERT_get0_info_sigalg()\fR perform the same function for attribute
+certificates.
+.PP
\&\fBX509_get_signature_info()\fR retrieves information about the signature of
-certificate \fBx\fR. The \s-1NID\s0 of the signing digest is written to \fB*mdnid\fR,
+certificate \fBx\fR. The NID of the signing digest is written to \fB*mdnid\fR,
the public key algorithm to \fB*pknid\fR, the effective security bits to
\&\fB*secbits\fR and flag details to \fB*flags\fR. Any of the parameters can
-be set to \fB\s-1NULL\s0\fR if the information is not required.
+be set to \fBNULL\fR if the information is not required.
.PP
\&\fBX509_SIG_INFO_get()\fR and \fBX509_SIG_INFO_set()\fR get and set information
about a signature in an \fBX509_SIG_INFO\fR structure. They are only
used by implementations of algorithms which need to set custom
signature information: most applications will never need to call
them.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions provide lower level access to signatures in certificates
where an application wishes to analyse or generate a signature in a form
@@ -212,12 +151,12 @@ or unsupported format).
The security bits returned by \fBX509_get_signature_info()\fR refers to information
available from the certificate signature (such as the signing digest). In some
cases the actual security of the signature is less because the signing
-key is less secure: for example a certificate signed using \s-1SHA\-512\s0 and a
-1024 bit \s-1RSA\s0 key.
+key is less secure: for example a certificate signed using SHA\-512 and a
+1024 bit RSA key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_signature_nid()\fR, \fBX509_REQ_get_signature_nid()\fR and
-\&\fBX509_CRL_get_signature_nid()\fR return a \s-1NID.\s0
+\&\fBX509_CRL_get_signature_nid()\fR return a NID.
.PP
\&\fBX509_get0_signature()\fR, \fBX509_REQ_get0_signature()\fR and
\&\fBX509_CRL_get0_signature()\fR do not return values.
@@ -227,7 +166,7 @@ returned is valid or 0 if the information is not available (e.g.
unknown algorithms or malformed parameters).
.PP
\&\fBX509_REQ_set1_signature_algo()\fR returns 0 on success; or 1 on an
-error (e.g. null \s-1ALGO\s0 pointer). X509_REQ_set0_signature does
+error (e.g. null ALGO pointer). X509_REQ_set0_signature does
not return an error value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -247,7 +186,7 @@ not return an error value.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The
\&\fBX509_get0_signature()\fR and \fBX509_get_signature_nid()\fR functions were
@@ -260,11 +199,14 @@ added in OpenSSL 1.1.0.
.PP
The \fBX509_REQ_set0_signature()\fR and \fBX509_REQ_set1_signature_algo()\fR
were added in OpenSSL 1.1.1e.
-.SH "COPYRIGHT"
+.PP
+The \fBX509_ACERT_get0_signature()\fR, \fBX509_ACERT_get0_info_sigalg()\fR and
+\&\fBX509_ACERT_get_signature_nid()\fR functions were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_uids.3 b/secure/lib/libcrypto/man/man3/X509_get0_uids.3
index 32e15dcf2cda..cbb8b5dd3026 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_uids.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_uids.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,95 +52,46 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_UIDS 3ossl"
-.TH X509_GET0_UIDS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET0_UIDS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-X509_get0_uids \- get certificate unique identifiers
-.SH "SYNOPSIS"
+.SH NAME
+X509_get0_uids, X509_ACERT_get0_issuerUID
+\&\- get certificate and attribute certificate unique identifiers
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
\& const ASN1_BIT_STRING **psuid);
+\&
+\& #include <openssl/x509_acert.h>
+\&
+\& ASN1_BIT_STRING *X509_ACERT_get0_issuerUID(X509_ACERT *x);
+\&=head1 DESCRIPTION
.Ve
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
+.PP
\&\fBX509_get0_uids()\fR sets \fB*piuid\fR and \fB*psuid\fR to the issuer and subject unique
-identifiers of certificate \fBx\fR or \s-1NULL\s0 if the fields are not present.
-.SH "NOTES"
+identifiers of certificate \fBx\fR or NULL if the fields are not present.
+.PP
+\&\fBX509_ACERT_get0_issuerUID()\fR returns the issuer unique identifier of the
+attribute certificate \fBx\fR or NULL if the field is not present.
+.SH NOTES
.IX Header "NOTES"
The issuer and subject unique identifier fields are very rarely encountered in
practice outside test cases.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get0_uids()\fR does not return a value.
+.PP
+\&\fBX509_ACERT_get0_issuerUID()\fR returns a unique identifier on success or NULL
+on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
@@ -176,11 +111,16 @@ practice outside test cases.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509_get0_uids()\fR was added in OpenSSL 1.1.0.
+.PP
+\&\fBX509_ACERT_get0_issuerUID()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3 b/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3
new file mode 100644
index 000000000000..7ffe874d28bc
--- /dev/null
+++ b/secure/lib/libcrypto/man/man3/X509_get_default_cert_file.3
@@ -0,0 +1,139 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "X509_GET_DEFAULT_CERT_FILE 3ossl"
+.TH X509_GET_DEFAULT_CERT_FILE 3ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+X509_get_default_cert_file, X509_get_default_cert_file_env,
+X509_get_default_cert_dir, X509_get_default_cert_dir_env \-
+retrieve default locations for trusted CA certificates
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/x509.h>
+\&
+\& const char *X509_get_default_cert_file(void);
+\& const char *X509_get_default_cert_dir(void);
+\&
+\& const char *X509_get_default_cert_file_env(void);
+\& const char *X509_get_default_cert_dir_env(void);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBX509_get_default_cert_file()\fR function returns the default path
+to a file containing trusted CA certificates. OpenSSL will use this as
+the default path when it is asked to load trusted CA certificates
+from a file and no other path is specified. If the file exists, CA certificates
+are loaded from the file.
+.PP
+The \fBX509_get_default_cert_dir()\fR function returns a default delimeter-separated
+list of paths to a directories containing trusted CA certificates named in the
+hashed format. OpenSSL will use this as the default list of paths when it is
+asked to load trusted CA certificates from a directory and no other path is
+specified. If a given directory in the list exists, OpenSSL attempts to lookup
+CA certificates in this directory by calculating a filename based on a hash of
+the certificate's subject name.
+.PP
+\&\fBX509_get_default_cert_file_env()\fR returns an environment variable name which is
+recommended to specify a nondefault value to be used instead of the value
+returned by \fBX509_get_default_cert_file()\fR. The value returned by the latter
+function is not affected by these environment variables; you must check for this
+environment variable yourself, using this function to retrieve the correct
+environment variable name. If an environment variable is not set, the value
+returned by the \fBX509_get_default_cert_file()\fR should be used.
+.PP
+\&\fBX509_get_default_cert_dir_env()\fR returns the environment variable name which is
+recommended to specify a nondefault value to be used instead of the value
+returned by \fBX509_get_default_cert_dir()\fR. The value specified by this environment
+variable can also be a store URI (but see BUGS below).
+.SH BUGS
+.IX Header "BUGS"
+By default (for example, when \fBX509_STORE_set_default_paths\fR\|(3) is used), the
+environment variable name returned by \fBX509_get_default_cert_dir_env()\fR is
+interpreted both as a delimiter-separated list of paths, and as a store URI.
+This is ambiguous. For example, specifying a value of \fB"file:///etc/certs"\fR
+would cause instantiation of the "file" store provided as part of the default
+provider, but would also cause an \fBX509_LOOKUP_hash_dir\fR\|(3) instance to look
+for certificates in the directory \fB"file"\fR (relative to the current working
+directory) and the directory \fB"///etc/certs"\fR. This can be avoided by avoiding
+use of the environment variable mechanism and using other methods to construct
+X509_LOOKUP instances.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+These functions return pointers to constant strings with static storage
+duration.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBX509_LOOKUP\fR\|(3),
+\&\fBSSL_CTX_set_default_verify_file\fR\|(3),
+\&\fBSSL_CTX_set_default_verify_dir\fR\|(3),
+\&\fBSSL_CTX_set_default_verify_store\fR\|(3),
+\&\fBSSL_CTX_load_verify_file\fR\|(3),
+\&\fBSSL_CTX_load_verify_dir\fR\|(3),
+\&\fBSSL_CTX_load_verify_store\fR\|(3),
+\&\fBSSL_CTX_load_verify_locations\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
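Review bot: The paragraph describing `X509_get_default_cert_dir()` reads `delimeter-separated` and `paths to a directories`; these should be `delimiter-separated` (as the BUGS section spells it) and `paths to directories`. The BUGS section could also state the consequence it implies: with a store URI value, the hash-dir lookup additionally searches a directory named `file` relative to the current working directory, so a process started in a directory it does not control may look up CA certificates there. As the page is generated by Pod::Man, both changes belong in the .pod source rather than in this file.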
diff --git a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3
index 2f28ceb5c5b8..1c9cb90ad790 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_EXTENSION_FLAGS 3ossl"
-.TH X509_GET_EXTENSION_FLAGS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET_EXTENSION_FLAGS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get0_subject_key_id,
X509_get0_authority_key_id,
X509_get0_authority_issuer,
@@ -148,7 +72,7 @@ X509_get_extended_key_usage,
X509_set_proxy_flag,
X509_set_proxy_pathlen,
X509_get_proxy_pathlen \- retrieve certificate extension data
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
@@ -165,113 +89,113 @@ X509_get_proxy_pathlen \- retrieve certificate extension data
\& void X509_set_proxy_pathlen(int l);
\& long X509_get_proxy_pathlen(X509 *x);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
These functions retrieve information related to commonly used certificate extensions.
.PP
\&\fBX509_get_pathlen()\fR retrieves the path length extension from a certificate.
This extension is used to limit the length of a cert chain that may be
-issued from that \s-1CA.\s0
+issued from that CA.
.PP
\&\fBX509_get_extension_flags()\fR retrieves general information about a certificate,
it will return one or more of the following flags ored together.
-.IP "\fB\s-1EXFLAG_V1\s0\fR" 4
+.IP \fBEXFLAG_V1\fR 4
.IX Item "EXFLAG_V1"
The certificate is an obsolete version 1 certificate.
-.IP "\fB\s-1EXFLAG_BCONS\s0\fR" 4
+.IP \fBEXFLAG_BCONS\fR 4
.IX Item "EXFLAG_BCONS"
The certificate contains a basic constraints extension.
-.IP "\fB\s-1EXFLAG_CA\s0\fR" 4
+.IP \fBEXFLAG_CA\fR 4
.IX Item "EXFLAG_CA"
-The certificate contains basic constraints and asserts the \s-1CA\s0 flag.
-.IP "\fB\s-1EXFLAG_PROXY\s0\fR" 4
+The certificate contains basic constraints and asserts the CA flag.
+.IP \fBEXFLAG_PROXY\fR 4
.IX Item "EXFLAG_PROXY"
The certificate is a valid proxy certificate.
-.IP "\fB\s-1EXFLAG_SI\s0\fR" 4
+.IP \fBEXFLAG_SI\fR 4
.IX Item "EXFLAG_SI"
The certificate is self issued (that is subject and issuer names match).
-.IP "\fB\s-1EXFLAG_SS\s0\fR" 4
+.IP \fBEXFLAG_SS\fR 4
.IX Item "EXFLAG_SS"
The subject and issuer names match and extension values imply it is self
signed.
-.IP "\fB\s-1EXFLAG_FRESHEST\s0\fR" 4
+.IP \fBEXFLAG_FRESHEST\fR 4
.IX Item "EXFLAG_FRESHEST"
-The freshest \s-1CRL\s0 extension is present in the certificate.
-.IP "\fB\s-1EXFLAG_CRITICAL\s0\fR" 4
+The freshest CRL extension is present in the certificate.
+.IP \fBEXFLAG_CRITICAL\fR 4
.IX Item "EXFLAG_CRITICAL"
The certificate contains an unhandled critical extension.
-.IP "\fB\s-1EXFLAG_INVALID\s0\fR" 4
+.IP \fBEXFLAG_INVALID\fR 4
.IX Item "EXFLAG_INVALID"
Some certificate extension values are invalid or inconsistent.
The certificate should be rejected.
This bit may also be raised after an out-of-memory error while
processing the X509 object, so it may not be related to the processed
-\&\s-1ASN1\s0 object itself.
-.IP "\fB\s-1EXFLAG_NO_FINGERPRINT\s0\fR" 4
+ASN1 object itself.
+.IP \fBEXFLAG_NO_FINGERPRINT\fR 4
.IX Item "EXFLAG_NO_FINGERPRINT"
-Failed to compute the internal \s-1SHA1\s0 hash value of the certificate or \s-1CRL.\s0
-This may be due to malloc failure or because no \s-1SHA1\s0 implementation was found.
-.IP "\fB\s-1EXFLAG_INVALID_POLICY\s0\fR" 4
+Failed to compute the internal SHA1 hash value of the certificate or CRL.
+This may be due to malloc failure or because no SHA1 implementation was found.
+.IP \fBEXFLAG_INVALID_POLICY\fR 4
.IX Item "EXFLAG_INVALID_POLICY"
The NID_certificate_policies certificate extension is invalid or
inconsistent. The certificate should be rejected.
This bit may also be raised after an out-of-memory error while
processing the X509 object, so it may not be related to the processed
-\&\s-1ASN1\s0 object itself.
-.IP "\fB\s-1EXFLAG_KUSAGE\s0\fR" 4
+ASN1 object itself.
+.IP \fBEXFLAG_KUSAGE\fR 4
.IX Item "EXFLAG_KUSAGE"
The certificate contains a key usage extension. The value can be retrieved
using \fBX509_get_key_usage()\fR.
-.IP "\fB\s-1EXFLAG_XKUSAGE\s0\fR" 4
+.IP \fBEXFLAG_XKUSAGE\fR 4
.IX Item "EXFLAG_XKUSAGE"
The certificate contains an extended key usage extension. The value can be
retrieved using \fBX509_get_extended_key_usage()\fR.
.PP
\&\fBX509_get_key_usage()\fR returns the value of the key usage extension. If key
usage is present will return zero or more of the flags:
-\&\fB\s-1KU_DIGITAL_SIGNATURE\s0\fR, \fB\s-1KU_NON_REPUDIATION\s0\fR, \fB\s-1KU_KEY_ENCIPHERMENT\s0\fR,
-\&\fB\s-1KU_DATA_ENCIPHERMENT\s0\fR, \fB\s-1KU_KEY_AGREEMENT\s0\fR, \fB\s-1KU_KEY_CERT_SIGN\s0\fR,
-\&\fB\s-1KU_CRL_SIGN\s0\fR, \fB\s-1KU_ENCIPHER_ONLY\s0\fR or \fB\s-1KU_DECIPHER_ONLY\s0\fR corresponding to
-individual key usage bits. If key usage is absent then \fB\s-1UINT32_MAX\s0\fR is
+\&\fBKU_DIGITAL_SIGNATURE\fR, \fBKU_NON_REPUDIATION\fR, \fBKU_KEY_ENCIPHERMENT\fR,
+\&\fBKU_DATA_ENCIPHERMENT\fR, \fBKU_KEY_AGREEMENT\fR, \fBKU_KEY_CERT_SIGN\fR,
+\&\fBKU_CRL_SIGN\fR, \fBKU_ENCIPHER_ONLY\fR or \fBKU_DECIPHER_ONLY\fR corresponding to
+individual key usage bits. If key usage is absent then \fBUINT32_MAX\fR is
returned.
.PP
\&\fBX509_get_extended_key_usage()\fR returns the value of the extended key usage
extension. If extended key usage is present it will return zero or more of the
-flags: \fB\s-1XKU_SSL_SERVER\s0\fR, \fB\s-1XKU_SSL_CLIENT\s0\fR, \fB\s-1XKU_SMIME\s0\fR, \fB\s-1XKU_CODE_SIGN\s0\fR
-\&\fB\s-1XKU_OCSP_SIGN\s0\fR, \fB\s-1XKU_TIMESTAMP\s0\fR, \fB\s-1XKU_DVCS\s0\fR or \fB\s-1XKU_ANYEKU\s0\fR. These
+flags: \fBXKU_SSL_SERVER\fR, \fBXKU_SSL_CLIENT\fR, \fBXKU_SMIME\fR, \fBXKU_CODE_SIGN\fR
+\&\fBXKU_OCSP_SIGN\fR, \fBXKU_TIMESTAMP\fR, \fBXKU_DVCS\fR or \fBXKU_ANYEKU\fR. These
correspond to the OIDs \fBid-kp-serverAuth\fR, \fBid-kp-clientAuth\fR,
\&\fBid-kp-emailProtection\fR, \fBid-kp-codeSigning\fR, \fBid-kp-OCSPSigning\fR,
\&\fBid-kp-timeStamping\fR, \fBid-kp-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively.
-Additionally \fB\s-1XKU_SGC\s0\fR is set if either Netscape or Microsoft \s-1SGC\s0 OIDs are
+Additionally \fBXKU_SGC\fR is set if either Netscape or Microsoft SGC OIDs are
present.
.PP
\&\fBX509_get0_subject_key_id()\fR returns an internal pointer to the subject key
-identifier of \fBx\fR as an \fB\s-1ASN1_OCTET_STRING\s0\fR or \fB\s-1NULL\s0\fR if the extension
+identifier of \fBx\fR as an \fBASN1_OCTET_STRING\fR or \fBNULL\fR if the extension
is not present or cannot be parsed.
.PP
\&\fBX509_get0_authority_key_id()\fR returns an internal pointer to the authority key
-identifier of \fBx\fR as an \fB\s-1ASN1_OCTET_STRING\s0\fR or \fB\s-1NULL\s0\fR if the extension
+identifier of \fBx\fR as an \fBASN1_OCTET_STRING\fR or \fBNULL\fR if the extension
is not present or cannot be parsed.
.PP
\&\fBX509_get0_authority_issuer()\fR returns an internal pointer to the authority
-certificate issuer of \fBx\fR as a stack of \fB\s-1GENERAL_NAME\s0\fR structures or
-\&\fB\s-1NULL\s0\fR if the extension is not present or cannot be parsed.
+certificate issuer of \fBx\fR as a stack of \fBGENERAL_NAME\fR structures or
+\&\fBNULL\fR if the extension is not present or cannot be parsed.
.PP
\&\fBX509_get0_authority_serial()\fR returns an internal pointer to the authority
-certificate serial number of \fBx\fR as an \fB\s-1ASN1_INTEGER\s0\fR or \fB\s-1NULL\s0\fR if the
+certificate serial number of \fBx\fR as an \fBASN1_INTEGER\fR or \fBNULL\fR if the
extension is not present or cannot be parsed.
.PP
-\&\fBX509_set_proxy_flag()\fR marks the certificate with the \fB\s-1EXFLAG_PROXY\s0\fR flag.
+\&\fBX509_set_proxy_flag()\fR marks the certificate with the \fBEXFLAG_PROXY\fR flag.
This is for the users who need to mark non\-RFC3820 proxy certificates as
-such, as OpenSSL only detects \s-1RFC3820\s0 compliant ones.
+such, as OpenSSL only detects RFC3820 compliant ones.
.PP
\&\fBX509_set_proxy_pathlen()\fR sets the proxy certificate path length for the given
certificate \fBx\fR. This is for the users who need to mark non\-RFC3820 proxy
-certificates as such, as OpenSSL only detects \s-1RFC3820\s0 compliant ones.
+certificates as such, as OpenSSL only detects RFC3820 compliant ones.
.PP
\&\fBX509_get_proxy_pathlen()\fR returns the proxy certificate path length for the
given certificate \fBx\fR if it is a proxy certificate.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The value of the flags correspond to extension values which are cached
in the \fBX509\fR structure. If the flags returned do not provide sufficient
@@ -280,12 +204,12 @@ for example using \fBX509_get_ext_d2i()\fR.
.PP
If the key usage or extended key usage extension is absent then typically usage
is unrestricted. For this reason \fBX509_get_key_usage()\fR and
-\&\fBX509_get_extended_key_usage()\fR return \fB\s-1UINT32_MAX\s0\fR when the corresponding
+\&\fBX509_get_extended_key_usage()\fR return \fBUINT32_MAX\fR when the corresponding
extension is absent. Applications can additionally check the return value of
\&\fBX509_get_extension_flags()\fR and take appropriate action is an extension is
absent.
.PP
-If \fBX509_get0_subject_key_id()\fR returns \fB\s-1NULL\s0\fR then the extension may be
+If \fBX509_get0_subject_key_id()\fR returns \fBNULL\fR then the extension may be
absent or malformed. Applications can determine the precise reason using
\&\fBX509_get_ext_d2i()\fR.
.SH "RETURN VALUES"
@@ -298,7 +222,7 @@ is not present.
certificate extension values.
.PP
\&\fBX509_get0_subject_key_id()\fR returns the subject key identifier as a
-pointer to an \fB\s-1ASN1_OCTET_STRING\s0\fR structure or \fB\s-1NULL\s0\fR if the extension
+pointer to an \fBASN1_OCTET_STRING\fR structure or \fBNULL\fR if the extension
is absent or an error occurred during parsing.
.PP
\&\fBX509_get_proxy_pathlen()\fR returns the path length value if the given
@@ -306,15 +230,15 @@ certificate is a proxy one and has a path length set, and \-1 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_check_purpose\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_get_pathlen()\fR, \fBX509_set_proxy_flag()\fR, \fBX509_set_proxy_pathlen()\fR and
\&\fBX509_get_proxy_pathlen()\fR were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3
index 20113a4e32ab..efcd3f373f80 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_PUBKEY 3ossl"
-.TH X509_GET_PUBKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET_PUBKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY,
X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey,
X509_REQ_get_X509_PUBKEY \- get or set certificate or certificate request
public key
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -156,13 +80,13 @@ public key
\& int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
\& X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *x);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_get_pubkey()\fR attempts to decode the public key for certificate \fBx\fR. If
-successful it returns the public key as an \fB\s-1EVP_PKEY\s0\fR pointer with its
+successful it returns the public key as an \fBEVP_PKEY\fR pointer with its
reference count incremented: this means the returned key must be freed up
after use. \fBX509_get0_pubkey()\fR is similar except it does \fBnot\fR increment
-the reference count of the returned \fB\s-1EVP_PKEY\s0\fR so it must not be freed up
+the reference count of the returned \fBEVP_PKEY\fR so it must not be freed up
after use.
.PP
\&\fBX509_get_X509_PUBKEY()\fR returns an internal pointer to the \fBX509_PUBKEY\fR
@@ -174,9 +98,9 @@ must not be freed up after use.
.PP
\&\fBX509_REQ_get_pubkey()\fR, \fBX509_REQ_get0_pubkey()\fR, \fBX509_REQ_set_pubkey()\fR and
\&\fBX509_REQ_get_X509_PUBKEY()\fR are similar but operate on certificate request \fBreq\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The first time a public key is decoded the \fB\s-1EVP_PKEY\s0\fR structure is
+The first time a public key is decoded the \fBEVP_PKEY\fR structure is
cached in the certificate or certificate request itself. Subsequent calls
return the cached structure with its reference count incremented to
improve performance.
@@ -184,7 +108,7 @@ improve performance.
.IX Header "RETURN VALUES"
\&\fBX509_get_pubkey()\fR, \fBX509_get0_pubkey()\fR, \fBX509_get_X509_PUBKEY()\fR,
\&\fBX509_REQ_get_pubkey()\fR and \fBX509_REQ_get_X509_PUBKEY()\fR return a public key or
-\&\fB\s-1NULL\s0\fR if an error occurred.
+\&\fBNULL\fR if an error occurred.
.PP
\&\fBX509_set_pubkey()\fR and \fBX509_REQ_set_pubkey()\fR return 1 for success and 0
for failure.
@@ -206,11 +130,11 @@ for failure.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3
index 4fee9f22e51f..064bb753f627 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_SERIALNUMBER 3ossl"
-.TH X509_GET_SERIALNUMBER 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET_SERIALNUMBER 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get_serialNumber,
X509_get0_serialNumber,
-X509_set_serialNumber
+X509_set_serialNumber,
+X509_ACERT_get0_serialNumber,
+X509_ACERT_set1_serialNumber
\&\- get or set certificate serial number
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -149,12 +75,17 @@ X509_set_serialNumber
\& ASN1_INTEGER *X509_get_serialNumber(X509 *x);
\& const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
\& int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
+\&
+\& #include <openssl/x509_acert.h>
+\&
+\& ASN1_INTEGER *X509_ACERT_get0_serialNumber(X509_ACERT *x);
+\& int X509_ACERT_set1_serialNumber(X509_ACERT *x, ASN1_INTEGER *serial);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_get_serialNumber()\fR returns the serial number of certificate \fBx\fR as an
-\&\fB\s-1ASN1_INTEGER\s0\fR structure which can be examined or initialised. The value
-returned is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed up after the call.
+\&\fBASN1_INTEGER\fR structure which can be examined or initialised. The value
+returned is an internal pointer which \fBMUST NOT\fR be freed up after the call.
.PP
\&\fBX509_get0_serialNumber()\fR is the same as \fBX509_get_serialNumber()\fR except it
accepts a const parameter and returns a const result.
@@ -162,12 +93,19 @@ accepts a const parameter and returns a const result.
\&\fBX509_set_serialNumber()\fR sets the serial number of certificate \fBx\fR to
\&\fBserial\fR. A copy of the serial number is used internally so \fBserial\fR should
be freed up after use.
+.PP
+\&\fBX509_ACERT_get0_serialNumber()\fR performs the same operation as
+\&\fBX509_get_serialNumber()\fR for attribute certificates.
+.PP
+\&\fBX509_ACERT_set1_serialNumber()\fR performs the same operation as
+\&\fBX509_set_serialNumber()\fR for attribute certificates.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_get_serialNumber()\fR and \fBX509_get0_serialNumber()\fR return an \fB\s-1ASN1_INTEGER\s0\fR
-structure.
+\&\fBX509_get_serialNumber()\fR, \fBX509_get0_serialNumber()\fR and
+\&\fBX509_ACERT_get0_serialNumber()\fR return a pointer to an \fBASN1_INTEGER\fR structure.
.PP
-\&\fBX509_set_serialNumber()\fR returns 1 for success and 0 for failure.
+\&\fBX509_set_serialNumber()\fR and \fBX509_ACERT_set1_serialNumber()\fR return 1 for success
+and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
@@ -186,16 +124,18 @@ structure.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_get_serialNumber()\fR and \fBX509_set_serialNumber()\fR functions are
available in all versions of OpenSSL.
The \fBX509_get0_serialNumber()\fR function was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+The \fBX509_ACERT_get0_serialNumber()\fR and \fBX509_ACERT_set1_serialNumber()\fR
+functions were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3
index 77aa6f9ecef7..2fe8cf70a66e 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_SUBJECT_NAME 3ossl"
-.TH X509_GET_SUBJECT_NAME 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET_SUBJECT_NAME 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_NAME_hash_ex, X509_NAME_hash,
X509_get_subject_name, X509_set_subject_name, X509_subject_name_hash,
X509_get_issuer_name, X509_set_issuer_name, X509_issuer_name_hash,
X509_REQ_get_subject_name, X509_REQ_set_subject_name,
+X509_ACERT_get0_issuerName, X509_ACERT_set1_issuerName,
X509_CRL_get_issuer, X509_CRL_set_issuer_name \-
get X509_NAME hashes or get and set issuer or subject names
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -164,28 +89,33 @@ get X509_NAME hashes or get and set issuer or subject names
\&
\& X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
\& int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name);
+\&
+\& #include <openssl/x509_acert.h>
+\&
+\& X509_NAME *X509_ACERT_get0_issuerName(const X509_ACERT *x);
+\& int X509_ACERT_set1_issuerName(X509_ACERT *x, const X509_NAME *name);
.Ve
.PP
The following macro has been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 1
\& #define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL)
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_NAME_hash_ex()\fR returns a hash value of name \fIx\fR or 0 on failure,
using any given library context \fIlibctx\fR and property query \fIpropq\fR.
-The \fIok\fR result argument may be \s-1NULL\s0
+The \fIok\fR result argument may be NULL
or else is used to return 1 for success and 0 for failure.
-Failure may happen on malloc error or if no \s-1SHA1\s0 implementation is available.
+Failure may happen on malloc error or if no SHA1 implementation is available.
.PP
\&\fBX509_NAME_hash()\fR returns a hash value of name \fIx\fR or 0 on failure,
using the default library context and default property query.
.PP
\&\fBX509_get_subject_name()\fR returns the subject name of certificate \fIx\fR. The
-returned value is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed.
+returned value is an internal pointer which \fBMUST NOT\fR be freed. \fIx\fR \fBMUST NOT\fR be NULL.
.PP
\&\fBX509_set_subject_name()\fR sets the issuer name of certificate \fIx\fR to
\&\fIname\fR. The \fIname\fR parameter is copied internally and should be freed
@@ -200,22 +130,29 @@ are identical to
except they relate to the issuer name of \fIx\fR.
.PP
Similarly \fBX509_REQ_get_subject_name()\fR, \fBX509_REQ_set_subject_name()\fR,
+\&\fBX509_ACERT_get0_issuerName()\fR, \fBX509_ACERT_set1_issuerName()\fR,
\&\fBX509_CRL_get_issuer()\fR and \fBX509_CRL_set_issuer_name()\fR get or set the subject
or issuer names of certificate requests of CRLs respectively.
+.PP
+Since attribute certificates do not have a subject name, only the issuer name
+can be set. For details on setting X509_ACERT holder identities, see
+\&\fBX509_ACERT_set0_holder_entityName\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_subject_name()\fR, \fBX509_get_issuer_name()\fR, \fBX509_REQ_get_subject_name()\fR
-and \fBX509_CRL_get_issuer()\fR return an \fBX509_NAME\fR pointer.
+\&\fBX509_ACERT_get0_issuerName()\fR and \fBX509_CRL_get_issuer()\fR return
+an \fBX509_NAME\fR pointer.
.PP
\&\fBX509_NAME_hash_ex()\fR, \fBX509_NAME_hash()\fR,
\&\fBX509_subject_name_hash()\fR and \fBX509_issuer_name_hash()\fR
-return the first four bytes of the \s-1SHA1\s0 hash value,
+return the first four bytes of the SHA1 hash value,
converted to \fBunsigned long\fR in little endian order,
or 0 on failure.
.PP
-\&\fBX509_set_subject_name()\fR, \fBX509_set_issuer_name()\fR, \fBX509_REQ_set_subject_name()\fR
-and \fBX509_CRL_set_issuer_name()\fR return 1 for success and 0 for failure.
-.SH "BUGS"
+\&\fBX509_set_subject_name()\fR, \fBX509_set_issuer_name()\fR, \fBX509_REQ_set_subject_name()\fR,
+\&\fBX509_ACERT_get0_issuerName()\fR and \fBX509_CRL_set_issuer_name()\fR return 1 for
+success and 0 for failure.
+.SH BUGS
.IX Header "BUGS"
In case \fBX509_NAME_hash()\fR, \fBX509_subject_name_hash()\fR, or \fBX509_issuer_name_hash()\fR
returns 0 it remains unclear if this is the real hash value or due to failure.
@@ -237,7 +174,7 @@ Better use \fBX509_NAME_hash_ex()\fR instead.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_REQ_get_subject_name()\fR is a function in OpenSSL 1.1.0 and a macro in
earlier versions.
@@ -246,11 +183,14 @@ earlier versions.
added in OpenSSL 1.0.0 as a macro.
.PP
\&\fBX509_NAME_hash()\fR was turned into a macro and deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBX509_ACERT_get0_issuerName()\fR, \fBX509_ACERT_set1_issuerName()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_version.3 b/secure/lib/libcrypto/man/man3/X509_get_version.3
index ce02daa5979d..611cd99f8527 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_version.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_version.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_VERSION 3ossl"
-.TH X509_GET_VERSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_GET_VERSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_get_version, X509_set_version, X509_REQ_get_version, X509_REQ_set_version,
-X509_CRL_get_version, X509_CRL_set_version \- get or set certificate,
+X509_ACERT_get_version, X509_ACERT_set_version, X509_CRL_get_version,
+X509_CRL_set_version \- get or set certificate,
certificate request or CRL version
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -153,26 +78,33 @@ certificate request or CRL version
\&
\& long X509_CRL_get_version(const X509_CRL *crl);
\& int X509_CRL_set_version(X509_CRL *x, long version);
+\&
+\& #include <openssl/x509_acert.h>
+\&
+\& int X509_ACERT_set_version(X509_ACERT *x, long version);
+\& long X509_ACERT_get_version(const X509_ACERT *x);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_get_version()\fR returns the numerical value of the version field of
-certificate \fBx\fR. These correspond to the constants \fBX509_VERSION_1\fR,
+certificate \fIx\fR. These correspond to the constants \fBX509_VERSION_1\fR,
\&\fBX509_VERSION_2\fR, and \fBX509_VERSION_3\fR. Note: the values of these constants
are defined by standards (X.509 et al) to be one less than the certificate
version. So \fBX509_VERSION_3\fR has value 2 and \fBX509_VERSION_1\fR has value 0.
.PP
\&\fBX509_set_version()\fR sets the numerical value of the version field of certificate
-\&\fBx\fR to \fBversion\fR.
+\&\fIx\fR to \fIversion\fR.
.PP
Similarly \fBX509_REQ_get_version()\fR, \fBX509_REQ_set_version()\fR,
+\&\fBX509_ACERT_get_version()\fR, \fBX509_ACERT_set_version()\fR,
\&\fBX509_CRL_get_version()\fR and \fBX509_CRL_set_version()\fR get and set the version
number of certificate requests and CRLs. They use constants
-\&\fBX509_REQ_VERSION_1\fR, \fBX509_CRL_VERSION_1\fR, and \fBX509_CRL_VERSION_2\fR.
-.SH "NOTES"
+\&\fBX509_REQ_VERSION_1\fR, \fBX509_ACERT_VERSION_2\fR, \fBX509_CRL_VERSION_1\fR,
+and \fBX509_CRL_VERSION_2\fR.
+.SH NOTES
.IX Header "NOTES"
The version field of certificates, certificate requests and CRLs has a
-\&\s-1DEFAULT\s0 value of \fB\fBv1\fB\|(0)\fR meaning the field should be omitted for version
+DEFAULT value of \fBv1\|(0)\fR meaning the field should be omitted for version
1. This is handled transparently by these functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -199,15 +131,18 @@ return 1 for success and 0 for failure.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_get_version()\fR, \fBX509_REQ_get_version()\fR and \fBX509_CRL_get_version()\fR are
functions in OpenSSL 1.1.0, in previous versions they were macros.
-.SH "COPYRIGHT"
+.PP
+\&\fBX509_ACERT_get_version()\fR, \fBX509_ACERT_set_version()\fR
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_load_http.3 b/secure/lib/libcrypto/man/man3/X509_load_http.3
index 5767e998f0a8..9b800406c44e 100644
--- a/secure/lib/libcrypto/man/man3/X509_load_http.3
+++ b/secure/lib/libcrypto/man/man3/X509_load_http.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOAD_HTTP 3ossl"
-.TH X509_LOAD_HTTP 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_LOAD_HTTP 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_load_http,
X509_http_nbio,
X509_CRL_load_http,
X509_CRL_http_nbio
\&\- certificate and CRL loading functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -152,19 +76,22 @@ X509_CRL_http_nbio
.Ve
.PP
The following macros have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 2
\& #define X509_http_nbio(rctx, pcert)
\& #define X509_CRL_http_nbio(rctx, pcrl)
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBX509_load_http()\fR and \fBX509_CRL_load_http()\fR loads a certificate or a \s-1CRL,\s0
-respectively, in \s-1ASN.1\s0 format using \s-1HTTP\s0 from the given \fBurl\fR.
+\&\fBX509_load_http()\fR and \fBX509_CRL_load_http()\fR loads a certificate or a CRL,
+respectively, in ASN.1 format using HTTP from the given \fBurl\fR.
+.PP
+Maximum size of the HTTP response is 100 kB for certificates and 32 MB for CRLs
+and hard coded in the functions.
.PP
-If \fBbio\fR is given and \fBrbio\fR is \s-1NULL\s0 then this \s-1BIO\s0 is used instead of an
+If \fBbio\fR is given and \fBrbio\fR is NULL then this BIO is used instead of an
internal one for connecting, writing the request, and reading the response.
If both \fBbio\fR and \fBrbio\fR are given (which may be memory BIOs, for instance)
then no explicit connection is attempted,
@@ -180,20 +107,20 @@ that have the same effect as the functions above but with infinite timeout
and without the possibility to specify custom BIOs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-On success the function yield the loaded value, else \s-1NULL.\s0
+On success the function yield the loaded value, else NULL.
Error conditions include connection/transfer timeout, parse errors, etc.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOSSL_HTTP_get\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_load_http()\fR and \fBX509_CRL_load_http()\fR were added in OpenSSL 3.0.
\&\fBX509_http_nbio()\fR and \fBX509_CRL_http_nbio()\fR were deprecated in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_new.3 b/secure/lib/libcrypto/man/man3/X509_new.3
index c3a6d58ebb13..b1a4971e6000 100644
--- a/secure/lib/libcrypto/man/man3/X509_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_new.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NEW 3ossl"
-.TH X509_NEW 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_NEW 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_new, X509_new_ex,
X509_free, X509_up_ref,
-X509_chain_up_ref \- X509 certificate ASN1 allocation functions
-.SH "SYNOPSIS"
+X509_chain_up_ref,
+OSSL_STACK_OF_X509_free
+\&\- X509 certificate ASN1 allocation and deallocation functions
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -150,31 +76,37 @@ X509_chain_up_ref \- X509 certificate ASN1 allocation functions
\& void X509_free(X509 *a);
\& int X509_up_ref(X509 *a);
\& STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *x);
+\& void OSSL_STACK_OF_X509_free(STACK_OF(X509) *certs);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The X509 \s-1ASN1\s0 allocation routines, allocate and free an
+The X509 ASN1 allocation routines allocate and free an
X509 structure, which represents an X509 certificate.
.PP
\&\fBX509_new_ex()\fR allocates and initializes a X509 structure with a
library context of \fIlibctx\fR, property query of \fIpropq\fR and a reference
count of \fB1\fR. Many X509 functions such as \fBX509_check_purpose()\fR, and
\&\fBX509_verify()\fR use this library context to select which providers supply the
-fetched algorithms (\s-1SHA1\s0 is used internally). This created X509 object can then
+fetched algorithms (SHA1 is used internally). This created X509 object can then
be used when loading binary data using \fBd2i_X509()\fR.
.PP
\&\fBX509_new()\fR is similar to \fBX509_new_ex()\fR but sets the library context
-and property query to \s-1NULL.\s0 This results in the default (\s-1NULL\s0) library context
+and property query to NULL. This results in the default (NULL) library context
being used for any X509 operations requiring algorithm fetches.
.PP
\&\fBX509_free()\fR decrements the reference count of \fBX509\fR structure \fBa\fR and
-frees it up if the reference count is zero. If \fBa\fR is \s-1NULL\s0 nothing is done.
+frees it up if the reference count is zero. If the argument is NULL,
+nothing is done.
.PP
\&\fBX509_up_ref()\fR increments the reference count of \fBa\fR.
.PP
\&\fBX509_chain_up_ref()\fR increases the reference count of all certificates in
-chain \fBx\fR and returns a copy of the stack, or an empty stack if \fBa\fR is \s-1NULL.\s0
-.SH "NOTES"
+chain \fBx\fR and returns a copy of the stack, or an empty stack if \fBa\fR is NULL.
+.PP
+\&\fBOSSL_STACK_OF_X509_free()\fR deallocates the given list of pointers to
+certificates after calling \fBX509_free()\fR on all its elements.
+If the argument is NULL, nothing is done.
+.SH NOTES
.IX Header "NOTES"
The function \fBX509_up_ref()\fR if useful if a certificate structure is being
used by several different operations each of which will free it up after
@@ -186,13 +118,15 @@ but it serves a similar purpose: the returned chain persists after the
original has been freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-If the allocation fails, \fBX509_new()\fR returns \s-1NULL\s0 and sets an error
+If the allocation fails, \fBX509_new()\fR returns NULL and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise it returns a pointer to the newly allocated structure.
.PP
\&\fBX509_up_ref()\fR returns 1 for success and 0 for failure.
.PP
-\&\fBX509_chain_up_ref()\fR returns a copy of the stack or \s-1NULL\s0 if an error occurred.
+\&\fBX509_chain_up_ref()\fR returns a copy of the stack or NULL if an error occurred.
+.PP
+\&\fBOSSL_STACK_OF_X509_free()\fR has no return value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
@@ -211,14 +145,16 @@ Otherwise it returns a pointer to the newly allocated structure.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The function \fBX509_new_ex()\fR was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+\&\fBX509_new_ex()\fR was added in OpenSSL 3.0.
+.PP
+\&\fBOSSL_STACK_OF_X509_free()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_sign.3 b/secure/lib/libcrypto/man/man3/X509_sign.3
index f7b41e4cb8e4..747538ee669d 100644
--- a/secure/lib/libcrypto/man/man3/X509_sign.3
+++ b/secure/lib/libcrypto/man/man3/X509_sign.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_SIGN 3ossl"
-.TH X509_SIGN 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_SIGN 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_sign, X509_sign_ctx,
X509_REQ_sign, X509_REQ_sign_ctx,
+X509_ACERT_sign, X509_ACERT_sign_ctx,
X509_CRL_sign, X509_CRL_sign_ctx \-
sign certificate, certificate request, or CRL signature
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -154,24 +79,32 @@ sign certificate, certificate request, or CRL signature
\&
\& int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
\& int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
+\&
+\& #include <openssl/x509_acert.h>
+\&
+\& int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md);
+\& int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_sign()\fR signs certificate \fIx\fR using private key \fIpkey\fR and message
digest \fImd\fR and sets the signature in \fIx\fR. \fBX509_sign_ctx()\fR also signs
certificate \fIx\fR but uses the parameters contained in digest context \fIctx\fR.
+If the certificate information includes X.509 extensions,
+these two functions make sure that the certificate bears X.509 version 3.
.PP
\&\fBX509_REQ_sign()\fR, \fBX509_REQ_sign_ctx()\fR,
+\&\fBX509_ACERT_sign()\fR, \fBX509_ACERT_sign_ctx()\fR,
\&\fBX509_CRL_sign()\fR, and \fBX509_CRL_sign_ctx()\fR
sign certificate requests and CRLs, respectively.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
\&\fBX509_sign_ctx()\fR is used where the default parameters for the corresponding
public key and digest are not suitable. It can be used to sign keys using
RSA-PSS for example.
.PP
-For efficiency reasons and to work around \s-1ASN.1\s0 encoding issues the encoding
-of the signed portion of a certificate, certificate request and \s-1CRL\s0 is cached
+For efficiency reasons and to work around ASN.1 encoding issues the encoding
+of the signed portion of a certificate, certificate request and CRL is cached
internally. If the signed portion of the structure is modified the encoding
is not always updated meaning a stale version is sometimes used. This is not
normally a problem because modifying the signed portion will invalidate the
@@ -189,18 +122,21 @@ in bytes for success and zero for failure.
\&\fBX509_verify\fR\|(3),
\&\fBX509_REQ_verify_ex\fR\|(3), \fBX509_REQ_verify\fR\|(3),
\&\fBX509_CRL_verify\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_sign()\fR, \fBX509_REQ_sign()\fR and \fBX509_CRL_sign()\fR functions are
available in all versions of OpenSSL.
.PP
The \fBX509_sign_ctx()\fR, \fBX509_REQ_sign_ctx()\fR
and \fBX509_CRL_sign_ctx()\fR functions were added in OpenSSL 1.0.1.
-.SH "COPYRIGHT"
+.PP
+The \fBX509_ACERT_sign()\fR and \fBX509_ACERT_sign_ctx()\fR functions were added
+in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_verify.3 b/secure/lib/libcrypto/man/man3/X509_verify.3
index c338bca47ddc..27fc988a8caf 100644
--- a/secure/lib/libcrypto/man/man3/X509_verify.3
+++ b/secure/lib/libcrypto/man/man3/X509_verify.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,80 +52,20 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_VERIFY 3ossl"
-.TH X509_VERIFY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_VERIFY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_verify, X509_self_signed,
X509_REQ_verify_ex, X509_REQ_verify,
-X509_CRL_verify \-
+X509_CRL_verify, X509_ACERT_verify \-
verify certificate, certificate request, or CRL signature
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -153,8 +77,11 @@ verify certificate, certificate request, or CRL signature
\& const char *propq);
\& int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
\& int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
+\&
+\& #include <openssl/x509_acert.h>
+\& int X509_ACERT_verify(X509_CRL *a, EVP_PKEY *r);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_verify()\fR verifies the signature of certificate \fIx\fR using public key
\&\fIpkey\fR. Only the signature is checked: no other checks (such as certificate
@@ -166,8 +93,9 @@ authority key identifier (if present) must match the subject key identifier etc.
The signature itself is actually verified only if \fBverify_signature\fR is 1, as
for explicitly trusted certificates this verification is not worth the effort.
.PP
-\&\fBX509_REQ_verify_ex()\fR, \fBX509_REQ_verify()\fR and \fBX509_CRL_verify()\fR
-verify the signatures of certificate requests and CRLs, respectively.
+\&\fBX509_REQ_verify_ex()\fR, \fBX509_REQ_verify()\fR, \fBX509_CRL_verify()\fR and \fBX509_ACERT_verify()\fR
+verify the signatures of certificate requests, CRLs and attribute certificates
+respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_verify()\fR,
@@ -195,18 +123,20 @@ if all respective fields match and \fBverify_signature\fR is 0.
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3),
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBOSSL_LIB_CTX\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The \fBX509_verify()\fR, \fBX509_REQ_verify()\fR, and \fBX509_CRL_verify()\fR
functions are available in all versions of OpenSSL.
.PP
\&\fBX509_REQ_verify_ex()\fR, and \fBX509_self_signed()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+\&\fBX509_ACERT_verify()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_verify_cert.3 b/secure/lib/libcrypto/man/man3/X509_verify_cert.3
index fc91f231d3ca..b786c1f3ace3 100644
--- a/secure/lib/libcrypto/man/man3/X509_verify_cert.3
+++ b/secure/lib/libcrypto/man/man3/X509_verify_cert.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_VERIFY_CERT 3ossl"
-.TH X509_VERIFY_CERT 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509_VERIFY_CERT 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509_build_chain,
X509_verify_cert,
X509_STORE_CTX_verify \- build and verify X509 certificate chain
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
@@ -151,14 +75,14 @@ X509_STORE_CTX_verify \- build and verify X509 certificate chain
\& int X509_verify_cert(X509_STORE_CTX *ctx);
\& int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_build_chain()\fR builds a certificate chain starting from \fItarget\fR
-using the optional list of intermediate \s-1CA\s0 certificates \fIcerts\fR.
-If \fIstore\fR is \s-1NULL\s0 it builds the chain as far down as possible, ignoring errors.
+using the optional list of intermediate CA certificates \fIcerts\fR.
+If \fIstore\fR is NULL it builds the chain as far down as possible, ignoring errors.
Else the chain must reach a trust anchor contained in \fIstore\fR.
It internally uses a \fBX509_STORE_CTX\fR structure associated with the library
-context \fIlibctx\fR and property query string \fIpropq\fR, both of which may be \s-1NULL.\s0
+context \fIlibctx\fR and property query string \fIpropq\fR, both of which may be NULL.
In case there is more than one possibility for the chain, only one is taken.
.PP
On success it returns a pointer to a new stack of (up_ref'ed) certificates
@@ -181,7 +105,7 @@ the \fBopenssl\-verification\-options\fR\|(1) manual page.
.PP
Applications rarely call this function directly but it is used by
OpenSSL internally for certificate validation, in both the S/MIME and
-\&\s-1SSL/TLS\s0 code.
+SSL/TLS code.
.PP
A negative return value from \fBX509_verify_cert()\fR can occur if it is invoked
incorrectly, such as with no certificate set in \fIctx\fR, or when it is called
@@ -193,9 +117,17 @@ Applications must interpret any return value <= 0 as an error.
The \fBX509_STORE_CTX_verify()\fR behaves like \fBX509_verify_cert()\fR except that its
target certificate is the first element of the list of untrusted certificates
in \fIctx\fR unless a target certificate is set explicitly.
+.PP
+When the verification target is a raw public key, rather than a certificate,
+both functions validate the target raw public key.
+In that case the number of possible checks is significantly reduced.
+The raw public key can be authenticated only via DANE TLSA records, either
+locally synthesised or obtained by the application from DNS.
+Raw public key DANE TLSA records may be added via \fBSSL_add_expected_rpk\fR\|(3) or
+\&\fBSSL_dane_tlsa_add\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBX509_build_chain()\fR returns \s-1NULL\s0 on error, else a stack of certificates.
+\&\fBX509_build_chain()\fR returns NULL on error, else a stack of certificates.
.PP
Both \fBX509_verify_cert()\fR and \fBX509_STORE_CTX_verify()\fR
return 1 if a complete chain can be built and validated,
@@ -213,16 +145,21 @@ verification indicated success, the stored error code may be different from
X509_V_OK, likely because a verification callback function has waived the error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBX509_STORE_CTX_new\fR\|(3), \fBX509_STORE_CTX_init\fR\|(3),
+\&\fBSSL_add_expected_rpk\fR\|(3),
+\&\fBSSL_CTX_dane_enable\fR\|(3),
+\&\fBSSL_dane_tlsa_add\fR\|(3),
+\&\fBX509_STORE_CTX_new\fR\|(3),
+\&\fBX509_STORE_CTX_init\fR\|(3),
+\&\fBX509_STORE_CTX_init_rpk\fR\|(3),
\&\fBX509_STORE_CTX_get_error\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_build_chain()\fR and \fBX509_STORE_CTX_verify()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2009\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3
index 62b27506a161..39fe05af78a1 100644
--- a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3
+++ b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_GET_EXT_BY_NID 3ossl"
-.TH X509V3_GET_EXT_BY_NID 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509V3_GET_EXT_BY_NID 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X509v3_get_ext_count, X509v3_get_ext, X509v3_get_ext_by_NID,
X509v3_get_ext_by_OBJ, X509v3_get_ext_by_critical, X509v3_delete_ext,
-X509v3_add_ext, X509_get_ext_count, X509_get_ext,
+X509v3_add_ext, X509v3_add_extensions, X509_get_ext_count, X509_get_ext,
X509_get_ext_by_NID, X509_get_ext_by_OBJ, X509_get_ext_by_critical,
X509_delete_ext, X509_add_ext, X509_CRL_get_ext_count, X509_CRL_get_ext,
X509_CRL_get_ext_by_NID, X509_CRL_get_ext_by_OBJ, X509_CRL_get_ext_by_critical,
@@ -147,7 +71,7 @@ X509_CRL_delete_ext, X509_CRL_add_ext, X509_REVOKED_get_ext_count,
X509_REVOKED_get_ext, X509_REVOKED_get_ext_by_NID, X509_REVOKED_get_ext_by_OBJ,
X509_REVOKED_get_ext_by_critical, X509_REVOKED_delete_ext,
X509_REVOKED_add_ext \- extension stack utility functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -164,6 +88,9 @@ X509_REVOKED_add_ext \- extension stack utility functions
\& X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
\& STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
\& X509_EXTENSION *ex, int loc);
+\& STACK_OF(X509_EXTENSION)
+\& *X509v3_add_extensions(STACK_OF(X509_EXTENSION) **target,
+\& const STACK_OF(X509_EXTENSION) *exts);
\&
\& int X509_get_ext_count(const X509 *x);
\& X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
@@ -191,17 +118,17 @@ X509_REVOKED_add_ext \- extension stack utility functions
\& X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
\& int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509v3_get_ext_count()\fR retrieves the number of extensions in \fIx\fR.
.PP
\&\fBX509v3_get_ext()\fR retrieves extension \fIloc\fR from \fIx\fR. The index \fIloc\fR
can take any value from 0 to X509_get_ext_count(\fIx\fR) \- 1. The returned
-extension is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed by the
+extension is an internal pointer which \fBMUST NOT\fR be freed by the
application.
.PP
\&\fBX509v3_get_ext_by_NID()\fR and \fBX509v3_get_ext_by_OBJ()\fR look for an extension
-with \fInid\fR or \fIobj\fR from extension \s-1STACK\s0 \fIx\fR. The search starts from the
+with \fInid\fR or \fIobj\fR from extension STACK \fIx\fR. The search starts from the
extension after \fIlastpos\fR or from the beginning if \fIlastpos\fR is \-1. If
the extension is found, its index is returned, otherwise \-1 is returned.
.PP
@@ -212,12 +139,18 @@ extension.
.PP
\&\fBX509v3_delete_ext()\fR deletes the extension with index \fIloc\fR from \fIx\fR.
The deleted extension is returned and must be freed by the caller.
-If \fIloc\fR is an invalid index value, \s-1NULL\s0 is returned.
+If \fIloc\fR is an invalid index value, NULL is returned.
+.PP
+\&\fBX509v3_add_ext()\fR inserts extension \fIex\fR to STACK \fI*x\fR at position \fIloc\fR.
+If \fIloc\fR is \-1, the new extension is added to the end.
+A new STACK is allocated if \fI*x\fR is NULL.
+The passed extension \fIex\fR is duplicated so it must be freed after use.
.PP
-\&\fBX509v3_add_ext()\fR adds extension \fIex\fR to \s-1STACK\s0 \fI*x\fR at position \fIloc\fR. If
-\&\fIloc\fR is \-1, the new extension is added to the end. If \fI*x\fR is \s-1NULL,\s0
-a new \s-1STACK\s0 will be allocated. The passed extension \fIex\fR is duplicated
-internally so it must be freed after use.
+\&\fBX509v3_add_extensions()\fR adds the list of extensions \fIexts\fR to STACK \fI*target\fR.
+The STACK \fI*target\fR is returned unchanged if \fIexts\fR is NULL or an empty list.
+Otherwise a new stack is allocated if \fI*target\fR is NULL.
+An extension to be added
+that has the same OID as a pre-existing one replaces this earlier one.
.PP
\&\fBX509_get_ext_count()\fR, \fBX509_get_ext()\fR, \fBX509_get_ext_by_NID()\fR,
\&\fBX509_get_ext_by_OBJ()\fR, \fBX509_get_ext_by_critical()\fR, \fBX509_delete_ext()\fR
@@ -227,14 +160,14 @@ otherwise identical to the X509v3 functions.
\&\fBX509_CRL_get_ext_count()\fR, \fBX509_CRL_get_ext()\fR, \fBX509_CRL_get_ext_by_NID()\fR,
\&\fBX509_CRL_get_ext_by_OBJ()\fR, \fBX509_CRL_get_ext_by_critical()\fR,
\&\fBX509_CRL_delete_ext()\fR and \fBX509_CRL_add_ext()\fR operate on the extensions of
-\&\s-1CRL\s0 \fIx\fR. They are otherwise identical to the X509v3 functions.
+CRL \fIx\fR. They are otherwise identical to the X509v3 functions.
.PP
\&\fBX509_REVOKED_get_ext_count()\fR, \fBX509_REVOKED_get_ext()\fR,
\&\fBX509_REVOKED_get_ext_by_NID()\fR, \fBX509_REVOKED_get_ext_by_OBJ()\fR,
\&\fBX509_REVOKED_get_ext_by_critical()\fR, \fBX509_REVOKED_delete_ext()\fR and
-\&\fBX509_REVOKED_add_ext()\fR operate on the extensions of \s-1CRL\s0 entry \fIx\fR.
+\&\fBX509_REVOKED_add_ext()\fR operate on the extensions of CRL entry \fIx\fR.
They are otherwise identical to the X509v3 functions.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
These functions are used to examine stacks of extensions directly.
Applications that want to parse or encode and add an extension should
@@ -243,7 +176,7 @@ use the extension encode and decode functions instead, such as
.PP
For \fBX509v3_get_ext_by_NID()\fR, \fBX509v3_get_ext_by_OBJ()\fR,
\&\fBX509v3_get_ext_by_critical()\fR and its variants, a zero index return value
-is not an error since extension \s-1STACK\s0 \fIx\fR indices start from zero.
+is not an error since extension STACK \fIx\fR indices start from zero.
These search functions start from the extension \fBafter\fR the \fIlastpos\fR parameter
so it should initially be set to \-1. If it is set to zero, the initial extension
will not be checked.
@@ -257,7 +190,7 @@ using \fBX509_EXTENSION_free()\fR.
\&\fBX509v3_get_ext_count()\fR returns the extension count or 0 for failure.
.PP
\&\fBX509v3_get_ext()\fR, \fBX509v3_delete_ext()\fR and \fBX509_delete_ext()\fR return an
-\&\fBX509_EXTENSION\fR structure or \s-1NULL\s0 if an error occurs.
+\&\fBX509_EXTENSION\fR structure or NULL if an error occurs.
.PP
\&\fBX509v3_get_ext_by_OBJ()\fR and \fBX509v3_get_ext_by_critical()\fR return
the extension index or \-1 if an error occurs.
@@ -265,17 +198,23 @@ the extension index or \-1 if an error occurs.
\&\fBX509v3_get_ext_by_NID()\fR returns the extension index or negative values if an
error occurs.
.PP
-\&\fBX509v3_add_ext()\fR returns a \s-1STACK\s0 of extensions or \s-1NULL\s0 on error.
+\&\fBX509v3_add_ext()\fR returns a STACK of extensions or NULL on error.
+.PP
+\&\fBX509v3_add_extensions()\fR returns a STACK of extensions
+or NULL on error or if \fI*target\fR is NULL and \fIexts\fR is NULL or an empty list.
.PP
\&\fBX509_add_ext()\fR returns 1 on success and 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509V3_get_d2i\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBX509v3_add_extensions()\fR was added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2015\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3 b/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3
index 927c6a60df5f..9250076b10f2 100644
--- a/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3
+++ b/secure/lib/libcrypto/man/man3/b2i_PVK_bio_ex.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "B2I_PVK_BIO_EX 3ossl"
-.TH B2I_PVK_BIO_EX 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH B2I_PVK_BIO_EX 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
b2i_PVK_bio, b2i_PVK_bio_ex, i2b_PVK_bio, i2b_PVK_bio_ex \- Decode and encode
functions for reading and writing MSBLOB format private keys
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
@@ -153,9 +77,9 @@ functions for reading and writing MSBLOB format private keys
\& pem_password_cb *cb, void *u,
\& OSSL_LIB_CTX *libctx, const char *propq);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBb2i_PVK_bio_ex()\fR decodes a private key of \s-1MSBLOB\s0 format read from a \fB\s-1BIO\s0\fR. It
+\&\fBb2i_PVK_bio_ex()\fR decodes a private key of MSBLOB format read from a \fBBIO\fR. It
attempts to automatically determine the key type. If the key is encrypted then
\&\fIcb\fR is called with the user data \fIu\fR in order to obtain a password to decrypt
the key. The supplied library context \fIlibctx\fR and property query
@@ -164,7 +88,7 @@ string \fIpropq\fR are used in any decrypt operation.
\&\fBb2i_PVK_bio()\fR does the same as \fBb2i_PVK_bio_ex()\fR except that the default
library context and property query string are used.
.PP
-\&\fBi2b_PVK_bio_ex()\fR encodes \fIpk\fR using \s-1MSBLOB\s0 format. If \fIenclevel\fR is 1 then
+\&\fBi2b_PVK_bio_ex()\fR encodes \fIpk\fR using MSBLOB format. If \fIenclevel\fR is 1 then
a password obtained via \fIpem_password_cb\fR is used to encrypt the private key.
If \fIenclevel\fR is 0 then no encryption is applied. The user data in \fIu\fR is
passed to the password callback. The supplied library context \fIlibctx\fR and
@@ -174,8 +98,8 @@ property query string \fIpropq\fR are used in any decrypt operation.
library context and property query string are used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-The \fBb2i_PVK_bio()\fR and \fBb2i_PVK_bio_ex()\fR functions return a valid \fB\s-1EVP_KEY\s0\fR
-structure or \fB\s-1NULL\s0\fR if an error occurs. The error code can be obtained by calling
+The \fBb2i_PVK_bio()\fR and \fBb2i_PVK_bio_ex()\fR functions return a valid \fBEVP_KEY\fR
+structure or \fBNULL\fR if an error occurs. The error code can be obtained by calling
\&\fBERR_get_error\fR\|(3).
.PP
\&\fBi2b_PVK_bio()\fR and \fBi2b_PVK_bio_ex()\fR return the number of bytes successfully
@@ -185,14 +109,14 @@ by calling \fBERR_get_error\fR\|(3).
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBb2i_PVK_bio_ex()\fR and \fBi2b_PVK_bio_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3
index 01b0cac7b2b4..0ccf5d15144f 100644
--- a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3
+++ b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_PKCS8PRIVATEKEY_BIO 3ossl"
-.TH D2I_PKCS8PRIVATEKEY_BIO 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH D2I_PKCS8PRIVATEKEY_BIO 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp,
i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp,
i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp \- PKCS#8 format private key functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
-\& #include <openssl/evp.h>
+\& #include <openssl/pem.h>
\&
\& EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
\& EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);
@@ -164,18 +88,18 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp \- PKCS#8 format private
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The PKCS#8 functions encode and decode private keys in PKCS#8 format using both
PKCS#5 v1.5 and PKCS#5 v2.0 password based encryption algorithms.
.PP
-Other than the use of \s-1DER\s0 as opposed to \s-1PEM\s0 these functions are identical to the
-corresponding \fB\s-1PEM\s0\fR function as described in \fBPEM_read_PrivateKey\fR\|(3).
-.SH "NOTES"
+Other than the use of DER as opposed to PEM these functions are identical to the
+corresponding \fBPEM\fR function as described in \fBPEM_read_PrivateKey\fR\|(3).
+.SH NOTES
.IX Header "NOTES"
-These functions are currently the only way to store encrypted private keys using \s-1DER\s0 format.
+These functions are currently the only way to store encrypted private keys using DER format.
.PP
-Currently all the functions use BIOs or \s-1FILE\s0 pointers, there are no functions which
+Currently all the functions use BIOs or FILE pointers, there are no functions which
work directly on memory: this can be readily worked around by converting the buffers
to memory BIOs, see \fBBIO_s_mem\fR\|(3) for details.
.PP
@@ -184,8 +108,8 @@ password callback.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBd2i_PKCS8PrivateKey_bio()\fR and \fBd2i_PKCS8PrivateKey_fp()\fR return a valid \fB\s-1EVP_PKEY\s0\fR
-structure or \s-1NULL\s0 if an error occurred.
+\&\fBd2i_PKCS8PrivateKey_bio()\fR and \fBd2i_PKCS8PrivateKey_fp()\fR return a valid \fBEVP_PKEY\fR
+structure or NULL if an error occurred.
.PP
\&\fBi2d_PKCS8PrivateKey_bio()\fR, \fBi2d_PKCS8PrivateKey_fp()\fR, \fBi2d_PKCS8PrivateKey_nid_bio()\fR
and \fBi2d_PKCS8PrivateKey_nid_fp()\fR return 1 on success or 0 on error.
@@ -193,11 +117,11 @@ and \fBi2d_PKCS8PrivateKey_nid_fp()\fR return 1 on success or 0 on error.
.IX Header "SEE ALSO"
\&\fBPEM_read_PrivateKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3
index 461cf769f25f..fc4f1ba80b3f 100644
--- a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3
+++ b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_PRIVATEKEY 3ossl"
-.TH D2I_PRIVATEKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH D2I_PRIVATEKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
d2i_PrivateKey_ex, d2i_PrivateKey, d2i_PublicKey, d2i_KeyParams,
d2i_AutoPrivateKey_ex, d2i_AutoPrivateKey, i2d_PrivateKey, i2d_PublicKey,
i2d_KeyParams, i2d_KeyParams_bio, d2i_PrivateKey_ex_bio, d2i_PrivateKey_bio,
d2i_PrivateKey_ex_fp, d2i_PrivateKey_fp, d2i_KeyParams_bio, i2d_PrivateKey_bio,
i2d_PrivateKey_fp
\&\- decode and encode functions for reading and saving EVP_PKEY structures
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
@@ -182,18 +106,18 @@ i2d_PrivateKey_fp
\& int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey);
\& int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBd2i_PrivateKey_ex()\fR decodes a private key using algorithm \fItype\fR. It attempts
to use any key-specific format or PKCS#8 unencrypted PrivateKeyInfo format.
The \fItype\fR parameter should be a public key algorithm constant such as
-\&\fB\s-1EVP_PKEY_RSA\s0\fR. An error occurs if the decoded key does not match \fItype\fR. Some
+\&\fBEVP_PKEY_RSA\fR. An error occurs if the decoded key does not match \fItype\fR. Some
private key decoding implementations may use cryptographic algorithms (for
example to automatically derive the public key if it is not explicitly
included in the encoding). In this case the supplied library context \fIlibctx\fR
and property query string \fIpropq\fR are used.
-If successful and the \fIa\fR parameter is not \s-1NULL\s0 the function assigns the
-returned \fB\s-1EVP_PKEY\s0\fR structure pointer to \fI*a\fR, overwriting any previous value.
+If successful and the \fIa\fR parameter is not NULL the function assigns the
+returned \fBEVP_PKEY\fR structure pointer to \fI*a\fR, overwriting any previous value.
.PP
\&\fBd2i_PrivateKey()\fR does the same as \fBd2i_PrivateKey_ex()\fR except that the default
library context and property query string are used.
@@ -202,9 +126,9 @@ library context and property query string are used.
.PP
The \fBd2i_PrivateKey_ex_bio()\fR and \fBd2i_PrivateKey_bio()\fR functions are similar to
\&\fBd2i_PrivateKey_ex()\fR and \fBd2i_PrivateKey()\fR respectively except that they decode
-the data read from the given \s-1BIO.\s0 The \fBd2i_PrivateKey_ex_fp()\fR and
+the data read from the given BIO. The \fBd2i_PrivateKey_ex_fp()\fR and
\&\fBd2i_PrivateKey_fp()\fR functions are the same except that they read the data from
-the given \s-1FILE.\s0
+the given FILE.
.PP
\&\fBd2i_AutoPrivateKey_ex()\fR and \fBd2i_AutoPrivateKey()\fR are similar to
\&\fBd2i_PrivateKey_ex()\fR and \fBd2i_PrivateKey()\fR respectively except that they attempt
@@ -216,27 +140,27 @@ defined for that key type, PKCS#8 unencrypted PrivateKeyInfo format.
\&\fBi2d_KeyParams()\fR does the same for key parameters.
These functions are similar to the \fBd2i_X509()\fR functions; see \fBd2i_X509\fR\|(3).
\&\fBi2d_PrivateKey_bio()\fR and \fBi2d_PrivateKey_fp()\fR do the same thing except that they
-encode to a \fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR respectively. Again, these work similarly to the
+encode to a \fBBIO\fR or \fBFILE\fR respectively. Again, these work similarly to the
functions described in \fBd2i_X509\fR\|(3).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
All the functions that operate on data in memory update the data pointer \fI*pp\fR
after a successful operation, just like the other d2i and i2d functions;
see \fBd2i_X509\fR\|(3).
.PP
-All these functions use \s-1DER\s0 format and unencrypted keys. Applications wishing
+All these functions use DER format and unencrypted keys. Applications wishing
to encrypt or decrypt private keys should use other functions such as
\&\fBd2i_PKCS8PrivateKey()\fR instead.
.PP
-To decode a key with type \fB\s-1EVP_PKEY_EC\s0\fR, \fBd2i_PublicKey()\fR requires \fI*a\fR to be
-a non-NULL \s-1EVP_PKEY\s0 structure assigned an \s-1EC_KEY\s0 structure referencing the proper
-\&\s-1EC_GROUP.\s0
+To decode a key with type \fBEVP_PKEY_EC\fR, \fBd2i_PublicKey()\fR requires \fI*a\fR to be
+a non-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper
+EC_GROUP.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBd2i_PrivateKey_ex()\fR, \fBd2i_PrivateKey()\fR, \fBd2i_AutoPrivateKey_ex()\fR,
\&\fBd2i_AutoPrivateKey()\fR, \fBd2i_PrivateKey_ex_bio()\fR, \fBd2i_PrivateKey_bio()\fR,
\&\fBd2i_PrivateKey_ex_fp()\fR, \fBd2i_PrivateKey_fp()\fR, \fBd2i_PublicKey()\fR, \fBd2i_KeyParams()\fR
-and \fBd2i_KeyParams_bio()\fR functions return a valid \fB\s-1EVP_PKEY\s0\fR structure or \s-1NULL\s0 if
+and \fBd2i_KeyParams_bio()\fR functions return a valid \fBEVP_PKEY\fR structure or NULL if
an error occurs. The error code can be obtained by calling \fBERR_get_error\fR\|(3).
.PP
\&\fBi2d_PrivateKey()\fR, \fBi2d_PublicKey()\fR and \fBi2d_KeyParams()\fR return the number of
@@ -249,15 +173,15 @@ successfully encoded or zero if an error occurs.
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
\&\fBd2i_PrivateKey_ex()\fR, \fBd2i_PrivateKey_ex_bio()\fR, \fBd2i_PrivateKey_ex_fp()\fR, and
\&\fBd2i_AutoPrivateKey_ex()\fR were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3
index 81d0c4c28c98..81bf916ef31f 100644
--- a/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3
+++ b/secure/lib/libcrypto/man/man3/d2i_RSAPrivateKey.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_RSAPRIVATEKEY 3ossl"
-.TH D2I_RSAPRIVATEKEY 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH D2I_RSAPRIVATEKEY 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
d2i_DSAPrivateKey,
d2i_DSAPrivateKey_bio,
d2i_DSAPrivateKey_fp,
@@ -192,10 +116,10 @@ i2d_EC_PUBKEY,
i2d_EC_PUBKEY_bio,
i2d_EC_PUBKEY_fp
\&\- DEPRECATED
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
The following functions have been deprecated since OpenSSL 3.0, and can be
-hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value,
+hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value,
see \fBopenssl_user_macros\fR\|(7):
.PP
.Vb 12
@@ -237,14 +161,14 @@ see \fBopenssl_user_macros\fR\|(7):
\& int i2d_TYPE_PUBKEY_bio(BIO *bp, const TYPE *a);
\& int i2d_TYPE_PUBKEY_bio(BIO *bp, TYPE *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-All functions described here are deprecated. Please use \s-1\fBOSSL_DECODER\s0\fR\|(3)
-instead of the \fBd2i\fR functions and \s-1\fBOSSL_ENCODER\s0\fR\|(3) instead of the \fBi2d\fR
-functions. See \*(L"Migration\*(R" below.
+All functions described here are deprecated. Please use \fBOSSL_DECODER\fR\|(3)
+instead of the \fBd2i\fR functions and \fBOSSL_ENCODER\fR\|(3) instead of the \fBi2d\fR
+functions. See "Migration" below.
.PP
-In the description here, \fB\f(BI\s-1TYPE\s0\fB\fR is used a placeholder for any of the
-OpenSSL datatypes, such as \fB\s-1RSA\s0\fR.
+In the description here, \fR\f(BITYPE\fR\fB\fR is used a placeholder for any of the
+OpenSSL datatypes, such as \fBRSA\fR.
The function parameters \fIppin\fR and \fIppout\fR are generally either both named
\&\fIpp\fR in the headers, or \fIin\fR and \fIout\fR.
.PP
@@ -252,90 +176,90 @@ All the functions here behave the way that's described in \fBd2i_X509\fR\|(3).
.PP
Please note that not all functions in the synopsis are available for all key
types. For example, there are no \fBd2i_RSAparams()\fR or \fBi2d_RSAparams()\fR,
-because the PKCS#1 \fB\s-1RSA\s0\fR structure doesn't include any key parameters.
+because the PKCS#1 \fBRSA\fR structure doesn't include any key parameters.
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fBPrivateKey\fR() and derivates thereof decode \s-1DER\s0 encoded
-\&\fB\f(BI\s-1TYPE\s0\fB\fR private key data organized in a type specific structure.
+\&\fBd2i_\fR\f(BITYPE\fR\fBPrivateKey\fR() and derivates thereof decode DER encoded
+\&\fR\f(BITYPE\fR\fB\fR private key data organized in a type specific structure.
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fBPublicKey\fR() and derivates thereof decode \s-1DER\s0 encoded
-\&\fB\f(BI\s-1TYPE\s0\fB\fR public key data organized in a type specific structure.
+\&\fBd2i_\fR\f(BITYPE\fR\fBPublicKey\fR() and derivates thereof decode DER encoded
+\&\fR\f(BITYPE\fR\fB\fR public key data organized in a type specific structure.
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fBparams\fR() and derivates thereof decode \s-1DER\s0 encoded \fB\f(BI\s-1TYPE\s0\fB\fR
+\&\fBd2i_\fR\f(BITYPE\fR\fBparams\fR() and derivates thereof decode DER encoded \fR\f(BITYPE\fR\fB\fR
key parameters organized in a type specific structure.
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fB_PUBKEY\fR() and derivates thereof decode \s-1DER\s0 encoded \fB\f(BI\s-1TYPE\s0\fB\fR
+\&\fBd2i_\fR\f(BITYPE\fR\fB_PUBKEY\fR() and derivates thereof decode DER encoded \fR\f(BITYPE\fR\fB\fR
public key data organized in a \fBSubjectPublicKeyInfo\fR structure.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fBPrivateKey\fR() and derivates thereof encode the private key
-\&\fB\f(BI\s-1TYPE\s0\fB\fR data into a type specific \s-1DER\s0 encoded structure.
+\&\fBi2d_\fR\f(BITYPE\fR\fBPrivateKey\fR() and derivates thereof encode the private key
+\&\fR\f(BITYPE\fR\fB\fR data into a type specific DER encoded structure.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fBPublicKey\fR() and derivates thereof encode the public key
-\&\fB\f(BI\s-1TYPE\s0\fB\fR data into a type specific \s-1DER\s0 encoded structure.
+\&\fBi2d_\fR\f(BITYPE\fR\fBPublicKey\fR() and derivates thereof encode the public key
+\&\fR\f(BITYPE\fR\fB\fR data into a type specific DER encoded structure.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fBparams\fR() and derivates thereof encode the \fB\f(BI\s-1TYPE\s0\fB\fR key
-parameters data into a type specific \s-1DER\s0 encoded structure.
+\&\fBi2d_\fR\f(BITYPE\fR\fBparams\fR() and derivates thereof encode the \fR\f(BITYPE\fR\fB\fR key
+parameters data into a type specific DER encoded structure.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB_PUBKEY\fR() and derivates thereof encode the public key
-\&\fB\f(BI\s-1TYPE\s0\fB\fR data into a \s-1DER\s0 encoded \fBSubjectPublicKeyInfo\fR structure.
+\&\fBi2d_\fR\f(BITYPE\fR\fB_PUBKEY\fR() and derivates thereof encode the public key
+\&\fR\f(BITYPE\fR\fB\fR data into a DER encoded \fBSubjectPublicKeyInfo\fR structure.
.PP
For example, \fBd2i_RSAPrivateKey()\fR and \fBd2i_RSAPublicKey()\fR expects the
structure defined by PKCS#1.
-Similarly, \fBi2d_RSAPrivateKey()\fR and \fBi2d_RSAPublicKey()\fR produce \s-1DER\s0 encoded
+Similarly, \fBi2d_RSAPrivateKey()\fR and \fBi2d_RSAPublicKey()\fR produce DER encoded
string organized according to PKCS#1.
-.SS "Migration"
+.SS Migration
.IX Subsection "Migration"
-Migration from the diverse \fB\f(BI\s-1TYPE\s0\fB\fRs requires using corresponding new
-OpenSSL types. For all \fB\f(BI\s-1TYPE\s0\fB\fRs described here, the corresponding new
-type is \fB\s-1EVP_PKEY\s0\fR. The rest of this section assumes that this has been
+Migration from the diverse \fR\f(BITYPE\fR\fB\fRs requires using corresponding new
+OpenSSL types. For all \fB\fR\f(BITYPE\fR\fB\fRs described here, the corresponding new
+type is \fBEVP_PKEY\fR. The rest of this section assumes that this has been
done, exactly how to do that is described elsewhere.
.PP
There are two migration paths:
-.IP "\(bu" 4
+.IP \(bu 4
Replace
-b<d2i_\fI\s-1TYPE\s0\fR\fBPrivateKey()\fR> with \fBd2i_PrivateKey\fR\|(3),
-b<d2i_\fI\s-1TYPE\s0\fR\fBPublicKey()\fR> with \fBd2i_PublicKey\fR\|(3),
-b<d2i_\fI\s-1TYPE\s0\fR\fBparams()\fR> with \fBd2i_KeyParams\fR\|(3),
-b<d2i_\fI\s-1TYPE\s0\fR\fB_PUBKEY()\fR> with \fBd2i_PUBKEY\fR\|(3),
-b<i2d_\fI\s-1TYPE\s0\fR\fBPrivateKey()\fR> with \fBi2d_PrivateKey\fR\|(3),
-b<i2d_\fI\s-1TYPE\s0\fR\fBPublicKey()\fR> with \fBi2d_PublicKey\fR\|(3),
-b<i2d_\fI\s-1TYPE\s0\fR\fBparams()\fR> with \fBi2d_KeyParams\fR\|(3),
-b<i2d_\fI\s-1TYPE\s0\fR\fB_PUBKEY()\fR> with \fBi2d_PUBKEY\fR\|(3).
-A caveat is that \fBi2d_PrivateKey\fR\|(3) may output a \s-1DER\s0 encoded PKCS#8
+b<d2i_\fITYPE\fR\fBPrivateKey()\fR> with \fBd2i_PrivateKey\fR\|(3),
+b<d2i_\fITYPE\fR\fBPublicKey()\fR> with \fBd2i_PublicKey\fR\|(3),
+b<d2i_\fITYPE\fR\fBparams()\fR> with \fBd2i_KeyParams\fR\|(3),
+b<d2i_\fITYPE\fR\fB_PUBKEY()\fR> with \fBd2i_PUBKEY\fR\|(3),
+b<i2d_\fITYPE\fR\fBPrivateKey()\fR> with \fBi2d_PrivateKey\fR\|(3),
+b<i2d_\fITYPE\fR\fBPublicKey()\fR> with \fBi2d_PublicKey\fR\|(3),
+b<i2d_\fITYPE\fR\fBparams()\fR> with \fBi2d_KeyParams\fR\|(3),
+b<i2d_\fITYPE\fR\fB_PUBKEY()\fR> with \fBi2d_PUBKEY\fR\|(3).
+A caveat is that \fBi2d_PrivateKey\fR\|(3) may output a DER encoded PKCS#8
outermost structure instead of the type specific structure, and that
\&\fBd2i_PrivateKey\fR\|(3) recognises and unpacks a PKCS#8 structures.
-.IP "\(bu" 4
-Use \s-1\fBOSSL_DECODER\s0\fR\|(3) and \s-1\fBOSSL_ENCODER\s0\fR\|(3). How to migrate is described
+.IP \(bu 4
+Use \fBOSSL_DECODER\fR\|(3) and \fBOSSL_ENCODER\fR\|(3). How to migrate is described
below. All those descriptions assume that the key to be encoded is in the
variable \fIpkey\fR.
.PP
-\fIMigrating \f(BIi2d\fI functions to \f(BI\s-1OSSL_ENCODER\s0\fI\fR
+\fIMigrating \fR\f(BIi2d\fR\fI functions to \fR\f(BIOSSL_ENCODER\fR
.IX Subsection "Migrating i2d functions to OSSL_ENCODER"
.PP
-The exact \s-1\fBOSSL_ENCODER\s0\fR\|(3) output is driven by arguments rather than by
-function names. The sample code to get \s-1DER\s0 encoded output in a type
+The exact \fBOSSL_ENCODER\fR\|(3) output is driven by arguments rather than by
+function names. The sample code to get DER encoded output in a type
specific structure is uniform, the only things that vary are the selection
-of what part of the \fB\s-1EVP_PKEY\s0\fR should be output, and the structure. The
+of what part of the \fBEVP_PKEY\fR should be output, and the structure. The
\&\fBi2d\fR functions names can therefore be translated into two variables,
\&\fIselection\fR and \fIstructure\fR as follows:
-.IP "\fBi2d_\f(BI\s-1TYPE\s0\fBPrivateKey\fR() translates into:" 4
+.IP "\fBi2d_\fR\f(BITYPE\fR\fBPrivateKey\fR() translates into:" 4
.IX Item "i2d_TYPEPrivateKey() translates into:"
.Vb 2
\& int selection = EVP_PKEY_KEYPAIR;
\& const char *structure = "type\-specific";
.Ve
-.IP "\fBi2d_\f(BI\s-1TYPE\s0\fBPublicKey\fR() translates into:" 4
+.IP "\fBi2d_\fR\f(BITYPE\fR\fBPublicKey\fR() translates into:" 4
.IX Item "i2d_TYPEPublicKey() translates into:"
.Vb 2
\& int selection = EVP_PKEY_PUBLIC_KEY;
\& const char *structure = "type\-specific";
.Ve
-.IP "\fBi2d_\f(BI\s-1TYPE\s0\fBparams\fR() translates into:" 4
+.IP "\fBi2d_\fR\f(BITYPE\fR\fBparams\fR() translates into:" 4
.IX Item "i2d_TYPEparams() translates into:"
.Vb 2
\& int selection = EVP_PKEY_PARAMETERS;
\& const char *structure = "type\-specific";
.Ve
-.IP "\fBi2d_\f(BI\s-1TYPE\s0\fB_PUBKEY\fR() translates into:" 4
+.IP "\fBi2d_\fR\f(BITYPE\fR\fB_PUBKEY\fR() translates into:" 4
.IX Item "i2d_TYPE_PUBKEY() translates into:"
.Vb 2
\& int selection = EVP_PKEY_PUBLIC_KEY;
@@ -363,62 +287,62 @@ The following sample code does the rest of the work:
\& }
\& OSSL_ENCODER_CTX_free(ctx);
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The letters \fBi\fR and \fBd\fR in \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() stand for
-\&\*(L"internal\*(R" (that is, an internal C structure) and \*(L"\s-1DER\*(R"\s0 respectively.
-So \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() converts from internal to \s-1DER.\s0
+The letters \fBi\fR and \fBd\fR in \fBi2d_\fR\f(BITYPE\fR() stand for
+"internal" (that is, an internal C structure) and "DER" respectively.
+So \fBi2d_\fR\f(BITYPE\fR\fB\fR() converts from internal to DER.
.PP
-The functions can also understand \fB\s-1BER\s0\fR forms.
+The functions can also understand \fBBER\fR forms.
.PP
-The actual \s-1TYPE\s0 structure passed to \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() must be a valid
-populated \fB\f(BI\s-1TYPE\s0\fB\fR structure \*(-- it \fBcannot\fR simply be fed with an
+The actual TYPE structure passed to \fBi2d_\fR\f(BITYPE\fR() must be a valid
+populated \fB\fR\f(BITYPE\fR\fB\fR structure \-\- it \fBcannot\fR simply be fed with an
empty structure such as that returned by \fBTYPE_new()\fR.
.PP
The encoded data is in binary form and may contain embedded zeros.
-Therefore, any \s-1FILE\s0 pointers or BIOs should be opened in binary mode.
+Therefore, any FILE pointers or BIOs should be opened in binary mode.
Functions such as \fBstrlen()\fR will \fBnot\fR return the correct length
of the encoded structure.
.PP
The ways that \fI*ppin\fR and \fI*ppout\fR are incremented after the operation
-can trap the unwary. See the \fB\s-1WARNINGS\s0\fR section in \fBd2i_X509\fR\|(3) for some
+can trap the unwary. See the \fBWARNINGS\fR section in \fBd2i_X509\fR\|(3) for some
common errors.
The reason for this-auto increment behaviour is to reflect a typical
-usage of \s-1ASN1\s0 functions: after one structure is encoded or decoded
+usage of ASN1 functions: after one structure is encoded or decoded
another will be processed after it.
.PP
The following points about the data types might be useful:
-.IP "\fB\s-1DSA_PUBKEY\s0\fR" 4
+.IP \fBDSA_PUBKEY\fR 4
.IX Item "DSA_PUBKEY"
-Represents a \s-1DSA\s0 public key using a \fBSubjectPublicKeyInfo\fR structure.
+Represents a DSA public key using a \fBSubjectPublicKeyInfo\fR structure.
.IP "\fBDSAPublicKey\fR, \fBDSAPrivateKey\fR" 4
.IX Item "DSAPublicKey, DSAPrivateKey"
-Use a non-standard OpenSSL format and should be avoided; use \fB\s-1DSA_PUBKEY\s0\fR,
+Use a non-standard OpenSSL format and should be avoided; use \fBDSA_PUBKEY\fR,
\&\fBPEM_write_PrivateKey\fR\|(3), or similar instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBd2i_\f(BI\s-1TYPE\s0\fB\fR(), \fBd2i_\f(BI\s-1TYPE\s0\fB_bio\fR() and \fBd2i_\f(BI\s-1TYPE\s0\fB_fp\fR() return a valid
-\&\fB\f(BI\s-1TYPE\s0\fB\fR structure or \s-1NULL\s0 if an error occurs. If the \*(L"reuse\*(R" capability has
+\&\fBd2i_\fR\f(BITYPE\fR(), \fBd2i_\fR\f(BITYPE\fR\fB_bio\fR() and \fBd2i_\fR\f(BITYPE\fR\fB_fp\fR() return a valid
+\&\fB\fR\f(BITYPE\fR\fB\fR structure or NULL if an error occurs. If the "reuse" capability has
been used with a valid structure being passed in via \fIa\fR, then the object is
-freed in the event of error and \fI*a\fR is set to \s-1NULL.\s0
+freed in the event of error and \fI*a\fR is set to NULL.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB\fR() returns the number of bytes successfully encoded or a negative
+\&\fBi2d_\fR\f(BITYPE\fR() returns the number of bytes successfully encoded or a negative
value if an error occurs.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB_bio\fR() and \fBi2d_\f(BI\s-1TYPE\s0\fB_fp\fR() return 1 for success and 0 if an
+\&\fBi2d_\fR\f(BITYPE\fR\fB_bio\fR() and \fBi2d_\fR\f(BITYPE\fR\fB_fp\fR() return 1 for success and 0 if an
error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_ENCODER\s0\fR\|(3), \s-1\fBOSSL_DECODER\s0\fR\|(3),
+\&\fBOSSL_ENCODER\fR\|(3), \fBOSSL_DECODER\fR\|(3),
\&\fBd2i_PrivateKey\fR\|(3), \fBd2i_PublicKey\fR\|(3), \fBd2i_KeyParams\fR\|(3),
\&\fBd2i_PUBKEY\fR\|(3),
\&\fBi2d_PrivateKey\fR\|(3), \fBi2d_PublicKey\fR\|(3), \fBi2d_KeyParams\fR\|(3),
\&\fBi2d_PUBKEY\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3
index f9e9941afffc..23055c3fc5c7 100644
--- a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3
+++ b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,113 +52,60 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_SSL_SESSION 3ossl"
-.TH D2I_SSL_SESSION 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH D2I_SSL_SESSION 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-d2i_SSL_SESSION, i2d_SSL_SESSION \- convert SSL_SESSION object from/to ASN1 representation
-.SH "SYNOPSIS"
+.SH NAME
+d2i_SSL_SESSION, d2i_SSL_SESSION_ex, i2d_SSL_SESSION \- convert SSL_SESSION object from/to ASN1 representation
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
\& long length);
+\& SSL_SESSION *d2i_SSL_SESSION_ex(SSL_SESSION **a, const unsigned char **pp,
+\& long length, OSSL_LIB_CTX *libctx,
+\& const char *propq);
\& int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions decode and encode an \s-1SSL_SESSION\s0 object.
+These functions decode and encode an SSL_SESSION object.
For encoding details see \fBd2i_X509\fR\|(3).
.PP
-\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache
-list, when being inserted into one \s-1SSL_CTX\s0 object's session cache.
-One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore
-only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created
-from this \s-1SSL_CTX\s0 object).
+SSL_SESSION objects keep internal link information about the session cache
+list, when being inserted into one SSL_CTX object's session cache.
+One SSL_SESSION object, regardless of its reference count, must therefore
+only be used with one SSL_CTX object (and the SSL objects created
+from this SSL_CTX object).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBd2i_SSL_SESSION()\fR returns a pointer to the newly allocated \s-1SSL_SESSION\s0
-object. In case of failure the NULL-pointer is returned and the error message
+\&\fBd2i_SSL_SESSION()\fR and \fBd2i_SSL_SESSION_ex()\fR return a pointer to the newly
+allocated SSL_SESSION object.
+In case of failure the NULL-pointer is returned and the error message
can be retrieved from the error stack.
.PP
-\&\fBi2d_SSL_SESSION()\fR returns the size of the \s-1ASN1\s0 representation in bytes.
+\&\fBi2d_SSL_SESSION()\fR returns the size of the ASN1 representation in bytes.
When the session is not valid, \fB0\fR is returned and no operation is performed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3),
\&\fBd2i_X509\fR\|(3)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+The function \fBd2i_SSL_SESSION_ex()\fR was added in OpenSSL 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_X509.3 b/secure/lib/libcrypto/man/man3/d2i_X509.3
index c5c045b2437e..e609aefcd0db 100644
--- a/secure/lib/libcrypto/man/man3/d2i_X509.3
+++ b/secure/lib/libcrypto/man/man3/d2i_X509.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_X509 3ossl"
-.TH D2I_X509 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH D2I_X509 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
d2i_ACCESS_DESCRIPTION,
d2i_ADMISSIONS,
d2i_ADMISSION_SYNTAX,
@@ -217,21 +141,62 @@ d2i_OCSP_REVOKEDINFO,
d2i_OCSP_SERVICELOC,
d2i_OCSP_SIGNATURE,
d2i_OCSP_SINGLERESP,
+d2i_OSSL_AA_DIST_POINT,
+d2i_OSSL_ALLOWED_ATTRIBUTES_CHOICE,
+d2i_OSSL_ALLOWED_ATTRIBUTES_ITEM,
+d2i_OSSL_ALLOWED_ATTRIBUTES_SYNTAX,
+d2i_OSSL_ATAV,
+d2i_OSSL_ATTRIBUTE_DESCRIPTOR,
+d2i_OSSL_ATTRIBUTE_MAPPING,
+d2i_OSSL_ATTRIBUTE_MAPPINGS,
+d2i_OSSL_ATTRIBUTE_TYPE_MAPPING,
+d2i_OSSL_ATTRIBUTE_VALUE_MAPPING,
+d2i_OSSL_ATTRIBUTES_SYNTAX,
+d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX,
+d2i_OSSL_BASIC_ATTR_CONSTRAINTS,
+d2i_OSSL_CMP_ATAVS,
d2i_OSSL_CMP_MSG,
d2i_OSSL_CMP_PKIHEADER,
d2i_OSSL_CMP_PKISI,
d2i_OSSL_CRMF_CERTID,
d2i_OSSL_CRMF_CERTTEMPLATE,
+d2i_OSSL_CRMF_ENCRYPTEDKEY,
d2i_OSSL_CRMF_ENCRYPTEDVALUE,
d2i_OSSL_CRMF_MSG,
d2i_OSSL_CRMF_MSGS,
d2i_OSSL_CRMF_PBMPARAMETER,
d2i_OSSL_CRMF_PKIPUBLICATIONINFO,
d2i_OSSL_CRMF_SINGLEPUBINFO,
+d2i_OSSL_DAY_TIME,
+d2i_OSSL_DAY_TIME_BAND,
+d2i_OSSL_HASH,
+d2i_OSSL_IETF_ATTR_SYNTAX,
+d2i_OSSL_INFO_SYNTAX,
+d2i_OSSL_INFO_SYNTAX_POINTER,
+d2i_OSSL_ISSUER_SERIAL,
+d2i_OSSL_NAMED_DAY,
+d2i_OSSL_OBJECT_DIGEST_INFO,
+d2i_OSSL_PRIVILEGE_POLICY_ID,
+d2i_OSSL_ROLE_SPEC_CERT_ID,
+d2i_OSSL_ROLE_SPEC_CERT_ID_SYNTAX,
+d2i_OSSL_TARGET_CERT,
+d2i_OSSL_TARGET,
+d2i_OSSL_TARGETING_INFORMATION,
+d2i_OSSL_TARGETS,
+d2i_OSSL_TIME_PERIOD,
+d2i_OSSL_TIME_SPEC,
+d2i_OSSL_TIME_SPEC_ABSOLUTE,
+d2i_OSSL_TIME_SPEC_DAY,
+d2i_OSSL_TIME_SPEC_MONTH,
+d2i_OSSL_TIME_SPEC_TIME,
+d2i_OSSL_TIME_SPEC_WEEKS,
+d2i_OSSL_TIME_SPEC_X_DAY_OF,
+d2i_OSSL_USER_NOTICE_SYNTAX,
d2i_OTHERNAME,
d2i_PBE2PARAM,
d2i_PBEPARAM,
d2i_PBKDF2PARAM,
+d2i_PBMAC1PARAM,
d2i_PKCS12,
d2i_PKCS12_BAGS,
d2i_PKCS12_MAC_DATA,
@@ -285,6 +250,9 @@ d2i_USERNOTICE,
d2i_X509,
d2i_X509_bio,
d2i_X509_fp,
+d2i_X509_ACERT,
+d2i_X509_ACERT_bio,
+d2i_X509_ACERT_fp,
d2i_X509_ALGOR,
d2i_X509_ALGORS,
d2i_X509_ATTRIBUTE,
@@ -388,21 +356,62 @@ i2d_OCSP_REVOKEDINFO,
i2d_OCSP_SERVICELOC,
i2d_OCSP_SIGNATURE,
i2d_OCSP_SINGLERESP,
+i2d_OSSL_AA_DIST_POINT,
+i2d_OSSL_ALLOWED_ATTRIBUTES_CHOICE,
+i2d_OSSL_ALLOWED_ATTRIBUTES_ITEM,
+i2d_OSSL_ALLOWED_ATTRIBUTES_SYNTAX,
+i2d_OSSL_ATAV,
+i2d_OSSL_ATTRIBUTE_DESCRIPTOR,
+i2d_OSSL_ATTRIBUTE_MAPPING,
+i2d_OSSL_ATTRIBUTE_MAPPINGS,
+i2d_OSSL_ATTRIBUTE_TYPE_MAPPING,
+i2d_OSSL_ATTRIBUTE_VALUE_MAPPING,
+i2d_OSSL_ATTRIBUTES_SYNTAX,
+i2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX,
+i2d_OSSL_BASIC_ATTR_CONSTRAINTS,
+i2d_OSSL_CMP_ATAVS,
i2d_OSSL_CMP_MSG,
i2d_OSSL_CMP_PKIHEADER,
i2d_OSSL_CMP_PKISI,
i2d_OSSL_CRMF_CERTID,
i2d_OSSL_CRMF_CERTTEMPLATE,
+i2d_OSSL_CRMF_ENCRYPTEDKEY,
i2d_OSSL_CRMF_ENCRYPTEDVALUE,
i2d_OSSL_CRMF_MSG,
i2d_OSSL_CRMF_MSGS,
i2d_OSSL_CRMF_PBMPARAMETER,
i2d_OSSL_CRMF_PKIPUBLICATIONINFO,
i2d_OSSL_CRMF_SINGLEPUBINFO,
+i2d_OSSL_HASH,
+i2d_OSSL_DAY_TIME,
+i2d_OSSL_DAY_TIME_BAND,
+i2d_OSSL_IETF_ATTR_SYNTAX,
+i2d_OSSL_INFO_SYNTAX,
+i2d_OSSL_INFO_SYNTAX_POINTER,
+i2d_OSSL_ISSUER_SERIAL,
+i2d_OSSL_NAMED_DAY,
+i2d_OSSL_OBJECT_DIGEST_INFO,
+i2d_OSSL_PRIVILEGE_POLICY_ID,
+i2d_OSSL_ROLE_SPEC_CERT_ID,
+i2d_OSSL_ROLE_SPEC_CERT_ID_SYNTAX,
+i2d_OSSL_TARGET_CERT,
+i2d_OSSL_TARGET,
+i2d_OSSL_TARGETING_INFORMATION,
+i2d_OSSL_TARGETS,
+i2d_OSSL_TIME_PERIOD,
+i2d_OSSL_TIME_SPEC,
+i2d_OSSL_TIME_SPEC_ABSOLUTE,
+i2d_OSSL_TIME_SPEC_DAY,
+i2d_OSSL_TIME_SPEC_MONTH,
+i2d_OSSL_TIME_SPEC_TIME,
+i2d_OSSL_TIME_SPEC_WEEKS,
+i2d_OSSL_TIME_SPEC_X_DAY_OF,
+i2d_OSSL_USER_NOTICE_SYNTAX,
i2d_OTHERNAME,
i2d_PBE2PARAM,
i2d_PBEPARAM,
i2d_PBKDF2PARAM,
+i2d_PBMAC1PARAM,
i2d_PKCS12,
i2d_PKCS12_BAGS,
i2d_PKCS12_MAC_DATA,
@@ -459,6 +468,9 @@ i2d_USERNOTICE,
i2d_X509,
i2d_X509_bio,
i2d_X509_fp,
+i2d_X509_ACERT,
+i2d_X509_ACERT_bio,
+i2d_X509_ACERT_fp,
i2d_X509_ALGOR,
i2d_X509_ALGORS,
i2d_X509_ATTRIBUTE,
@@ -483,7 +495,7 @@ i2d_X509_REVOKED,
i2d_X509_SIG,
i2d_X509_VAL,
\&\- convert objects from/to ASN.1/DER representation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 3
\& TYPE *d2i_TYPE(TYPE **a, const unsigned char **ppin, long length);
@@ -497,122 +509,126 @@ i2d_X509_VAL,
\& int i2d_TYPE_bio(BIO *bp, const TYPE *a);
\& int i2d_TYPE_bio(BIO *bp, TYPE *a);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-In the description here, \fB\f(BI\s-1TYPE\s0\fB\fR is used a placeholder
+In the description here, \fR\f(BITYPE\fR\fB\fR is used a placeholder
for any of the OpenSSL datatypes, such as \fBX509_CRL\fR.
The function parameters \fIppin\fR and \fIppout\fR are generally
either both named \fIpp\fR in the headers, or \fIin\fR and \fIout\fR.
.PP
-These functions convert OpenSSL objects to and from their \s-1ASN.1/DER\s0
+These functions convert OpenSSL objects to and from their ASN.1/DER
encoding. Unlike the C structures which can have pointers to sub-objects
-within, the \s-1DER\s0 is a serialized encoding, suitable for sending over the
+within, the DER is a serialized encoding, suitable for sending over the
network, writing to a file, and so on.
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fB\fR() attempts to decode \fIlen\fR bytes at \fI*ppin\fR. If successful a
-pointer to the \fB\f(BI\s-1TYPE\s0\fB\fR structure is returned and \fI*ppin\fR is incremented to
-the byte following the parsed data. If \fIa\fR is not \s-1NULL\s0 then a pointer
+\&\fBd2i_\fR\f(BITYPE\fR() attempts to decode \fIlen\fR bytes at \fI*ppin\fR. If successful a
+pointer to the \fB\fR\f(BITYPE\fR\fB\fR structure is returned and \fI*ppin\fR is incremented to
+the byte following the parsed data. If \fIa\fR is not NULL then a pointer
to the returned structure is also written to \fI*a\fR. If an error occurred
-then \s-1NULL\s0 is returned.
+then NULL is returned. The caller retains ownership of the
+returned object and needs to free it when it is no longer needed, e.g.
+using \fBX509_free()\fR for X509 objects or \fBDSA_SIG_free()\fR for DSA_SIG objects.
.PP
-On a successful return, if \fI*a\fR is not \s-1NULL\s0 then it is assumed that \fI*a\fR
-contains a valid \fB\f(BI\s-1TYPE\s0\fB\fR structure and an attempt is made to reuse it. This
-\&\*(L"reuse\*(R" capability is present for historical compatibility but its use is
-\&\fBstrongly discouraged\fR (see \s-1BUGS\s0 below, and the discussion in the \s-1RETURN
-VALUES\s0 section).
+On a successful return, if \fI*a\fR is not NULL then it is assumed that \fI*a\fR
+contains a valid \fR\f(BITYPE\fR\fB\fR structure and an attempt is made to reuse it.
+For \fB\fR\f(BITYPE\fR\fB\fR structures where it matters it is possible to set up a library
+context on the decoded structure this way (see the \fBEXAMPLES\fR section).
+However using the "reuse" capability for other purposes is \fBstrongly
+discouraged\fR (see \fBBUGS\fR below, and the discussion in the \fBRETURN VALUES\fR
+section).
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fB_bio\fR() is similar to \fBd2i_\f(BI\s-1TYPE\s0\fB\fR() except it attempts
-to parse data from \s-1BIO\s0 \fIbp\fR.
+\&\fBd2i_\fR\f(BITYPE\fR\fB_bio\fR() is similar to \fBd2i_\fR\f(BITYPE\fR() except it attempts
+to parse data from BIO \fIbp\fR.
.PP
-\&\fBd2i_\f(BI\s-1TYPE\s0\fB_fp\fR() is similar to \fBd2i_\f(BI\s-1TYPE\s0\fB\fR() except it attempts
-to parse data from \s-1FILE\s0 pointer \fIfp\fR.
+\&\fBd2i_\fR\f(BITYPE\fR\fB_fp\fR() is similar to \fBd2i_\fR\f(BITYPE\fR() except it attempts
+to parse data from FILE pointer \fIfp\fR.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB\fR() encodes the structure pointed to by \fIa\fR into \s-1DER\s0 format.
-If \fIppout\fR is not \s-1NULL,\s0 it writes the \s-1DER\s0 encoded data to the buffer
+\&\fBi2d_\fR\f(BITYPE\fR() encodes the structure pointed to by \fIa\fR into DER format.
+If \fIppout\fR is not NULL, it writes the DER encoded data to the buffer
at \fI*ppout\fR, and increments it to point after the data just written.
If the return value is negative an error occurred, otherwise it
returns the length of the encoded data.
.PP
-If \fI*ppout\fR is \s-1NULL\s0 memory will be allocated for a buffer and the encoded
+If \fI*ppout\fR is NULL memory will be allocated for a buffer and the encoded
data written to it. In this case \fI*ppout\fR is not incremented and it points
to the start of the data just written.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB_bio\fR() is similar to \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() except it writes
-the encoding of the structure \fIa\fR to \s-1BIO\s0 \fIbp\fR and it
+\&\fBi2d_\fR\f(BITYPE\fR\fB_bio\fR() is similar to \fBi2d_\fR\f(BITYPE\fR() except it writes
+the encoding of the structure \fIa\fR to BIO \fIbp\fR and it
returns 1 for success and 0 for failure.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB_fp\fR() is similar to \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() except it writes
-the encoding of the structure \fIa\fR to \s-1FILE\s0 pointer \fIfp\fR and it
+\&\fBi2d_\fR\f(BITYPE\fR\fB_fp\fR() is similar to \fBi2d_\fR\f(BITYPE\fR() except it writes
+the encoding of the structure \fIa\fR to FILE pointer \fIfp\fR and it
returns 1 for success and 0 for failure.
.PP
These routines do not encrypt private keys and therefore offer no
security; use \fBPEM_write_PrivateKey\fR\|(3) or similar for writing to files.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The letters \fBi\fR and \fBd\fR in \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() stand for
-\&\*(L"internal\*(R" (that is, an internal C structure) and \*(L"\s-1DER\*(R"\s0 respectively.
-So \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() converts from internal to \s-1DER.\s0
+The letters \fBi\fR and \fBd\fR in \fBi2d_\fR\f(BITYPE\fR() stand for
+"internal" (that is, an internal C structure) and "DER" respectively.
+So \fBi2d_\fR\f(BITYPE\fR\fB\fR() converts from internal to DER.
.PP
-The functions can also understand \fB\s-1BER\s0\fR forms.
+The functions can also understand \fBBER\fR forms.
.PP
-The actual \s-1TYPE\s0 structure passed to \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() must be a valid
-populated \fB\f(BI\s-1TYPE\s0\fB\fR structure \*(-- it \fBcannot\fR simply be fed with an
+The actual TYPE structure passed to \fBi2d_\fR\f(BITYPE\fR() must be a valid
+populated \fB\fR\f(BITYPE\fR\fB\fR structure \-\- it \fBcannot\fR simply be fed with an
empty structure such as that returned by \fBTYPE_new()\fR.
.PP
The encoded data is in binary form and may contain embedded zeros.
-Therefore, any \s-1FILE\s0 pointers or BIOs should be opened in binary mode.
+Therefore, any FILE pointers or BIOs should be opened in binary mode.
Functions such as \fBstrlen()\fR will \fBnot\fR return the correct length
of the encoded structure.
.PP
The ways that \fI*ppin\fR and \fI*ppout\fR are incremented after the operation
-can trap the unwary. See the \fB\s-1WARNINGS\s0\fR section for some common
+can trap the unwary. See the \fBWARNINGS\fR section for some common
errors.
The reason for this-auto increment behaviour is to reflect a typical
-usage of \s-1ASN1\s0 functions: after one structure is encoded or decoded
+usage of ASN1 functions: after one structure is encoded or decoded
another will be processed after it.
.PP
The following points about the data types might be useful:
-.IP "\fB\s-1ASN1_OBJECT\s0\fR" 4
+.IP \fBASN1_OBJECT\fR 4
.IX Item "ASN1_OBJECT"
-Represents an \s-1ASN1 OBJECT IDENTIFIER.\s0
-.IP "\fBDHparams\fR" 4
+Represents an ASN1 OBJECT IDENTIFIER.
+.IP \fBDHparams\fR 4
.IX Item "DHparams"
-Represents a PKCS#3 \s-1DH\s0 parameters structure.
-.IP "\fBDHxparams\fR" 4
+Represents a PKCS#3 DH parameters structure.
+.IP \fBDHxparams\fR 4
.IX Item "DHxparams"
-Represents an \s-1ANSI X9.42 DH\s0 parameters structure.
-.IP "\fB\s-1ECDSA_SIG\s0\fR" 4
+Represents an ANSI X9.42 DH parameters structure.
+.IP \fBECDSA_SIG\fR 4
.IX Item "ECDSA_SIG"
-Represents an \s-1ECDSA\s0 signature.
-.IP "\fBX509_ALGOR\fR" 4
+Represents an ECDSA signature.
+.IP \fBX509_ALGOR\fR 4
.IX Item "X509_ALGOR"
-Represents an \fBAlgorithmIdentifier\fR structure as used in \s-1IETF RFC 6960\s0 and
+Represents an \fBAlgorithmIdentifier\fR structure as used in IETF RFC 6960 and
elsewhere.
-.IP "\fBX509_NAME\fR" 4
+.IP \fBX509_NAME\fR 4
.IX Item "X509_NAME"
Represents a \fBName\fR type as used for subject and issuer names in
-\&\s-1IETF RFC 6960\s0 and elsewhere.
-.IP "\fBX509_REQ\fR" 4
+IETF RFC 6960 and elsewhere.
+.IP \fBX509_REQ\fR 4
.IX Item "X509_REQ"
Represents a PKCS#10 certificate request.
-.IP "\fBX509_SIG\fR" 4
+.IP \fBX509_SIG\fR 4
.IX Item "X509_SIG"
Represents the \fBDigestInfo\fR structure defined in PKCS#1 and PKCS#7.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBd2i_\f(BI\s-1TYPE\s0\fB\fR(), \fBd2i_\f(BI\s-1TYPE\s0\fB_bio\fR() and \fBd2i_\f(BI\s-1TYPE\s0\fB_fp\fR() return a valid
-\&\fB\f(BI\s-1TYPE\s0\fB\fR structure or \s-1NULL\s0 if an error occurs. If the \*(L"reuse\*(R" capability has
+\&\fBd2i_\fR\f(BITYPE\fR(), \fBd2i_\fR\f(BITYPE\fR\fB_bio\fR() and \fBd2i_\fR\f(BITYPE\fR\fB_fp\fR() return a valid
+\&\fB\fR\f(BITYPE\fR\fB\fR structure or NULL if an error occurs. If the "reuse" capability has
been used with a valid structure being passed in via \fIa\fR, then the object is
-freed in the event of error and \fI*a\fR is set to \s-1NULL.\s0
+freed in the event of error and \fI*a\fR is set to NULL.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB\fR() returns the number of bytes successfully encoded or a negative
+\&\fBi2d_\fR\f(BITYPE\fR() returns the number of bytes successfully encoded or a negative
value if an error occurs.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB_bio\fR() and \fBi2d_\f(BI\s-1TYPE\s0\fB_fp\fR() return 1 for success and 0 if an
+\&\fBi2d_\fR\f(BITYPE\fR\fB_bio\fR() and \fBi2d_\fR\f(BITYPE\fR\fB_fp\fR() return 1 for success and 0 if an
error occurs.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Allocate and encode the \s-1DER\s0 encoding of an X509 structure:
+Allocate and encode the DER encoding of an X509 structure:
.PP
.Vb 2
\& int len;
@@ -654,7 +670,25 @@ Alternative technique:
\& if (d2i_X509(&x, &p, len) == NULL)
\& /* error */
.Ve
-.SH "WARNINGS"
+.PP
+Setting up a library context and property query:
+.PP
+.Vb 6
+\& X509 *x;
+\& unsigned char *buf;
+\& const unsigned char *p;
+\& int len;
+\& OSSL_LIB_CTX *libctx = ....;
+\& const char *propq = ....;
+\&
+\& /* Set up buf and len to point to the input buffer. */
+\& p = buf;
+\& x = X509_new_ex(libctx, propq);
+\&
+\& if (d2i_X509(&x, &p, len) == NULL)
+\& /* error, x was freed and NULL assigned to it (see RETURN VALUES) */
+.Ve
+.SH WARNINGS
.IX Header "WARNINGS"
Using a temporary variable is mandatory. A common
mistake is to attempt to use a buffer directly as follows:
@@ -676,7 +710,7 @@ it was incremented after the call to point after the data just written.
Also \fIbuf\fR will no longer contain the pointer allocated by \fBOPENSSL_malloc()\fR
and the subsequent call to \fBOPENSSL_free()\fR is likely to crash.
.PP
-Another trap to avoid is misuse of the \fIa\fR argument to \fBd2i_\f(BI\s-1TYPE\s0\fB\fR():
+Another trap to avoid is misuse of the \fIa\fR argument to \fBd2i_\fR\f(BITYPE\fR():
.PP
.Vb 1
\& X509 *x;
@@ -688,36 +722,82 @@ Another trap to avoid is misuse of the \fIa\fR argument to \fBd2i_\f(BI\s-1TYPE\
This will probably crash somewhere in \fBd2i_X509()\fR. The reason for this
is that the variable \fIx\fR is uninitialized and an attempt will be made to
interpret its (invalid) value as an \fBX509\fR structure, typically causing
-a segmentation violation. If \fIx\fR is set to \s-1NULL\s0 first then this will not
+a segmentation violation. If \fIx\fR is set to NULL first then this will not
happen.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-In some versions of OpenSSL the \*(L"reuse\*(R" behaviour of \fBd2i_\f(BI\s-1TYPE\s0\fB\fR() when
+In some versions of OpenSSL the "reuse" behaviour of \fBd2i_\fR\f(BITYPE\fR() when
\&\fI*a\fR is valid is broken and some parts of the reused structure may
persist if they are not present in the new one. Additionally, in versions of
-OpenSSL prior to 1.1.0, when the \*(L"reuse\*(R" behaviour is used and an error occurs
+OpenSSL prior to 1.1.0, when the "reuse" behaviour is used and an error occurs
the behaviour is inconsistent. Some functions behaved as described here, while
-some did not free \fI*a\fR on error and did not set \fI*a\fR to \s-1NULL.\s0
+some did not free \fI*a\fR on error and did not set \fI*a\fR to NULL.
.PP
-As a result of the above issues the \*(L"reuse\*(R" behaviour is strongly discouraged.
+As a result of the above issues the "reuse" behaviour is strongly discouraged.
.PP
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB\fR() will not return an error in many versions of OpenSSL,
+\&\fBi2d_\fR\f(BITYPE\fR() will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
-fields entirely and will not be parsed by \fBd2i_\f(BI\s-1TYPE\s0\fB\fR(). This may be
-fixed in future so code should not assume that \fBi2d_\f(BI\s-1TYPE\s0\fB\fR() will
+fields entirely and will not be parsed by \fBd2i_\fR\f(BITYPE\fR\fB\fR(). This may be
+fixed in future so code should not assume that \fBi2d_\fR\f(BITYPE\fR\fB\fR() will
always succeed.
.PP
-Any function which encodes a structure (\fBi2d_\f(BI\s-1TYPE\s0\fB\fR(),
-\&\fBi2d_\f(BI\s-1TYPE\s0\fB_bio\fR() or \fBi2d_\f(BI\s-1TYPE\s0\fB_fp\fR()) may return a stale encoding if the
+Any function which encodes a structure (\fBi2d_\fR\f(BITYPE\fR(),
+\&\fBi2d_\fR\f(BITYPE\fR\fB_bio\fR() or \fBi2d_\fR\f(BITYPE\fR\fB_fp\fR()) may return a stale encoding if the
structure has been modified after deserialization or previous
serialization. This is because some objects cache the encoding for
efficiency reasons.
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+\&\fBd2i_OSSL_ATTRIBUTES_SYNTAX()\fR, \fBd2i_OSSL_BASIC_ATTR_CONSTRAINTS()\fR,
+\&\fBd2i_OSSL_CMP_ATAVS()\fR, \fBd2i_OSSL_IETF_ATTR_SYNTAX()\fR,
+\&\fBd2i_OSSL_TARGET()\fR, \fBd2i_OSSL_TARGETING_INFORMATION()\fR,
+\&\fBd2i_OSSL_TARGETS()\fR, \fBd2i_OSSL_USER_NOTICE_SYNTAX()\fR,
+\&\fBd2i_PBMAC1PARAM()\fR, \fBd2i_X509_ACERT()\fR, \fBd2i_X509_ACERT_bio()\fR,
+\&\fBd2i_X509_ACERT_fp()\fR, \fBi2d_OSSL_ATTRIBUTES_SYNTAX()\fR,
+\&\fBi2d_OSSL_BASIC_ATTR_CONSTRAINTS()\fR, \fBi2d_OSSL_CMP_ATAVS()\fR,
+\&\fBi2d_OSSL_IETF_ATTR_SYNTAX()\fR, \fBi2d_OSSL_TARGET()\fR,
+\&\fBi2d_OSSL_TARGETING_INFORMATION()\fR, \fBi2d_OSSL_TARGETS()\fR,
+\&\fBi2d_OSSL_USER_NOTICE_SYNTAX()\fR, \fBi2d_PBMAC1PARAM()\fR, \fBi2d_X509_ACERT()\fR,
+\&\fBi2d_X509_ACERT_bio()\fR, \fBi2d_X509_ACERT_fp()\fR
+were added in OpenSSL 3.4.
+.PP
+\&\fBd2i_OSSL_AA_DIST_POINT()\fR,
+\&\fBd2i_OSSL_ALLOWED_ATTRIBUTES_CHOICE()\fR, \fBd2i_OSSL_ALLOWED_ATTRIBUTES_ITEM()\fR,
+\&\fBd2i_OSSL_ALLOWED_ATTRIBUTES_SYNTAX()\fR,
+\&\fBd2i_OSSL_ATAV()\fR, \fBd2i_OSSL_ATTRIBUTE_DESCRIPTOR()\fR, \fBd2i_OSSL_ATTRIBUTE_MAPPING()\fR,
+\&\fBd2i_OSSL_ATTRIBUTE_MAPPINGS()\fR, \fBd2i_OSSL_ATTRIBUTE_TYPE_MAPPING()\fR,
+\&\fBd2i_OSSL_ATTRIBUTE_VALUE_MAPPING()\fR, \fBd2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX()\fR,
+\&\fBd2i_OSSL_HASH()\fR, \fBd2i_OSSL_INFO_SYNTAX()\fR,
+\&\fBd2i_OSSL_INFO_SYNTAX_POINTER()\fR, \fBd2i_OSSL_PRIVILEGE_POLICY_ID()\fR,
+\&\fBd2i_OSSL_ROLE_SPEC_CERT_ID()\fR, \fBd2i_OSSL_ROLE_SPEC_CERT_ID_SYNTAX()\fR,
+\&\fBi2d_OSSL_AA_DIST_POINT()\fR,
+\&\fBi2d_OSSL_ALLOWED_ATTRIBUTES_CHOICE()\fR, \fBi2d_OSSL_ALLOWED_ATTRIBUTES_ITEM()\fR,
+\&\fBi2d_OSSL_ALLOWED_ATTRIBUTES_SYNTAX()\fR,
+\&\fBi2d_OSSL_ATAV()\fR, \fBi2d_OSSL_ATTRIBUTE_DESCRIPTOR()\fR, \fBi2d_OSSL_ATTRIBUTE_MAPPING()\fR,
+\&\fBi2d_OSSL_ATTRIBUTE_MAPPINGS()\fR, \fBi2d_OSSL_ATTRIBUTE_TYPE_MAPPING()\fR,
+\&\fBi2d_OSSL_ATTRIBUTE_VALUE_MAPPING()\fR, \fBi2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX()\fR,
+\&\fBi2d_OSSL_HASH()\fR, \fBi2d_OSSL_INFO_SYNTAX()\fR,
+\&\fBi2d_OSSL_INFO_SYNTAX_POINTER()\fR, \fBi2d_OSSL_PRIVILEGE_POLICY_ID()\fR,
+\&\fBi2d_OSSL_ROLE_SPEC_CERT_ID()\fR, \fBi2d_OSSL_ROLE_SPEC_CERT_ID_SYNTAX()\fR,
+\&\fBd2i_OSSL_CRMF_ENCRYPTEDKEY()\fR, \fBi2d_OSSL_CRMF_ENCRYPTEDKEY()\fR,
+\&\fBd2i_OSSL_DAY_TIME()\fR, \fBd2i_OSSL_DAY_TIME_BAND()\fR, \fBd2i_OSSL_NAMED_DAY()\fR,
+\&\fBd2i_OSSL_TIME_PERIOD()\fR, \fBd2i_OSSL_TIME_SPEC()\fR,
+\&\fBd2i_OSSL_TIME_SPEC_ABSOLUTE()\fR, \fBd2i_OSSL_TIME_SPEC_DAY()\fR,
+\&\fBd2i_OSSL_TIME_SPEC_MONTH()\fR, \fBd2i_OSSL_TIME_SPEC_TIME()\fR,
+\&\fBd2i_OSSL_TIME_SPEC_WEEKS()\fR, \fBd2i_OSSL_TIME_SPEC_X_DAY_OF()\fR,
+\&\fBi2d_OSSL_DAY_TIME()\fR, \fBi2d_OSSL_DAY_TIME_BAND()\fR,
+\&\fBi2d_OSSL_NAMED_DAY()\fR, \fBi2d_OSSL_TIME_PERIOD()\fR,
+\&\fBi2d_OSSL_TIME_SPEC()\fR, \fBi2d_OSSL_TIME_SPEC_ABSOLUTE()\fR,
+\&\fBi2d_OSSL_TIME_SPEC_DAY()\fR, \fBi2d_OSSL_TIME_SPEC_MONTH()\fR,
+\&\fBi2d_OSSL_TIME_SPEC_TIME()\fR, \fBi2d_OSSL_TIME_SPEC_WEEKS()\fR,
+\&\fBi2d_OSSL_TIME_SPEC_X_DAY_OF()\fR
+were added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 1998\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 1998\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3
index 1219848ea3fd..75bfff0a2085 100644
--- a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3
+++ b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,95 +52,35 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "I2D_CMS_BIO_STREAM 3ossl"
-.TH I2D_CMS_BIO_STREAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH I2D_CMS_BIO_STREAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
i2d_CMS_bio_stream \- output CMS_ContentInfo structure in BER format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBi2d_CMS_bio_stream()\fR outputs a CMS_ContentInfo structure in \s-1BER\s0 format.
+\&\fBi2d_CMS_bio_stream()\fR outputs a CMS_ContentInfo structure in BER format.
.PP
It is otherwise identical to the function \fBSMIME_write_CMS()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This function is effectively a version of the \fBi2d_CMS_bio()\fR supporting
streaming.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\s0 format.
+The prefix "i2d" is arguably wrong because the function outputs BER format.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBi2d_CMS_bio_stream()\fR returns 1 for success or 0 for failure.
@@ -167,14 +91,14 @@ The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\
\&\fBCMS_decrypt\fR\|(3),
\&\fBSMIME_write_CMS\fR\|(3),
\&\fBPEM_write_bio_CMS_stream\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBi2d_CMS_bio_stream()\fR function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3
index 07f63661c368..5ba94a47f37d 100644
--- a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3
+++ b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,95 +52,35 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "I2D_PKCS7_BIO_STREAM 3ossl"
-.TH I2D_PKCS7_BIO_STREAM 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH I2D_PKCS7_BIO_STREAM 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
i2d_PKCS7_bio_stream \- output PKCS7 structure in BER format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int i2d_PKCS7_bio_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fBi2d_PKCS7_bio_stream()\fR outputs a \s-1PKCS7\s0 structure in \s-1BER\s0 format.
+\&\fBi2d_PKCS7_bio_stream()\fR outputs a PKCS7 structure in BER format.
.PP
It is otherwise identical to the function \fBSMIME_write_PKCS7()\fR.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This function is effectively a version of the \fBd2i_PKCS7_bio()\fR supporting
streaming.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\s0 format.
+The prefix "i2d" is arguably wrong because the function outputs BER format.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBi2d_PKCS7_bio_stream()\fR returns 1 for success or 0 for failure.
@@ -167,14 +91,14 @@ The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\
\&\fBPKCS7_decrypt\fR\|(3),
\&\fBSMIME_write_PKCS7\fR\|(3),
\&\fBPEM_write_bio_PKCS7_stream\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The \fBi2d_PKCS7_bio_stream()\fR function was added in OpenSSL 1.0.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3
index d11f56af6920..f8a949ed840b 100644
--- a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3
+++ b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "I2D_RE_X509_TBS 3ossl"
-.TH I2D_RE_X509_TBS 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH I2D_RE_X509_TBS 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
d2i_X509_AUX, i2d_X509_AUX,
i2d_re_X509_tbs, i2d_re_X509_CRL_tbs, i2d_re_X509_REQ_tbs
\&\- X509 encode and decode functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
@@ -151,27 +75,27 @@ i2d_re_X509_tbs, i2d_re_X509_CRL_tbs, i2d_re_X509_REQ_tbs
\& int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp);
\& int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The X509 encode and decode routines encode and parse an
\&\fBX509\fR structure, which represents an X509 certificate.
.PP
\&\fBd2i_X509_AUX()\fR is similar to \fBd2i_X509\fR\|(3) but the input is expected to
consist of an X509 certificate followed by auxiliary trust information.
-This is used by the \s-1PEM\s0 routines to read \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects.
+This is used by the PEM routines to read "TRUSTED CERTIFICATE" objects.
This function should not be called on untrusted input.
.PP
\&\fBi2d_X509_AUX()\fR is similar to \fBi2d_X509\fR\|(3), but the encoded output
contains both the certificate and any auxiliary trust information.
-This is used by the \s-1PEM\s0 routines to write \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects.
+This is used by the PEM routines to write "TRUSTED CERTIFICATE" objects.
Note that this is a non-standard OpenSSL-specific data format.
.PP
\&\fBi2d_re_X509_tbs()\fR is similar to \fBi2d_X509\fR\|(3) except it encodes only
the TBSCertificate portion of the certificate. \fBi2d_re_X509_CRL_tbs()\fR
-and \fBi2d_re_X509_REQ_tbs()\fR are analogous for \s-1CRL\s0 and certificate request,
-respectively. The \*(L"re\*(R" in \fBi2d_re_X509_tbs\fR stands for \*(L"re-encode\*(R",
+and \fBi2d_re_X509_REQ_tbs()\fR are analogous for CRL and certificate request,
+respectively. The "re" in \fBi2d_re_X509_tbs\fR stands for "re-encode",
and ensures that a fresh encoding is generated in case the object has been
-modified after creation (see the \s-1BUGS\s0 section).
+modified after creation (see the BUGS section).
.PP
The encoding of the TBSCertificate portion of a certificate is cached
in the \fBX509\fR structure internally to improve encoding performance
@@ -184,7 +108,7 @@ TBSCertificate portion of the \fBX509\fR can be manually renewed by calling
\&\fBi2d_re_X509_tbs()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBd2i_X509_AUX()\fR returns a valid \fBX509\fR structure or \s-1NULL\s0 if an error occurred.
+\&\fBd2i_X509_AUX()\fR returns a valid \fBX509\fR structure or NULL if an error occurred.
.PP
\&\fBi2d_X509_AUX()\fR returns the length of encoded data or \-1 on error.
.PP
@@ -208,11 +132,11 @@ length of encoded data or <=0 on error.
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3
index 9014a09df279..d22ce5a71b44 100644
--- a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3
+++ b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "O2I_SCT_LIST 3ossl"
-.TH O2I_SCT_LIST 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH O2I_SCT_LIST 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
o2i_SCT_LIST, i2o_SCT_LIST, o2i_SCT, i2o_SCT \-
decode and encode Signed Certificate Timestamp lists in TLS wire format
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
@@ -150,11 +74,11 @@ decode and encode Signed Certificate Timestamp lists in TLS wire format
\& SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
\& int i2o_SCT(const SCT *sct, unsigned char **out);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1SCT_LIST\s0 and \s-1SCT\s0 functions are very similar to the i2d and d2i family of
-functions, except that they convert to and from \s-1TLS\s0 wire format, as described in
-\&\s-1RFC 6962.\s0 See \fBd2i_SCT_LIST\fR\|(3) for more information about how the parameters are
+The SCT_LIST and SCT functions are very similar to the i2d and d2i family of
+functions, except that they convert to and from TLS wire format, as described in
+RFC 6962. See \fBd2i_SCT_LIST\fR\|(3) for more information about how the parameters are
treated and the return values.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
@@ -165,14 +89,14 @@ All of the functions have return values consistent with those stated for
\&\fBct\fR\|(7),
\&\fBd2i_SCT_LIST\fR\|(3),
\&\fBi2d_SCT_LIST\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3 b/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3
index 85d9473dc81b..2d7b847050b3 100644
--- a/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3
+++ b/secure/lib/libcrypto/man/man3/s2i_ASN1_IA5STRING.3
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,75 +52,15 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "S2I_ASN1_IA5STRING 3ossl"
-.TH S2I_ASN1_IA5STRING 3ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH S2I_ASN1_IA5STRING 3ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
i2s_ASN1_IA5STRING,
s2i_ASN1_IA5STRING,
i2s_ASN1_INTEGER,
@@ -148,7 +72,7 @@ i2s_ASN1_ENUMERATED_TABLE,
i2s_ASN1_UTF8STRING,
s2i_ASN1_UTF8STRING
\&\- convert objects from/to ASN.1/string representation
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
@@ -171,14 +95,14 @@ s2i_ASN1_UTF8STRING
\& ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
\& X509V3_CTX *ctx, const char *str);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-These functions convert OpenSSL objects to and from their \s-1ASN\s0.1/string
+These functions convert OpenSSL objects to and from their ASN.1/string
representation. This function is used for \fBX509v3\fR extensions.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
The letters \fBi\fR and \fBs\fR in \fBi2s\fR and \fBs2i\fR stand for
-\&\*(L"internal\*(R" (that is, an internal C structure) and string respectively.
+"internal" (that is, an internal C structure) and string respectively.
So \fBi2s_ASN1_IA5STRING\fR() converts from internal to string.
.PP
It is the caller's responsibility to free the returned string.
@@ -186,43 +110,43 @@ In the \fBi2s_ASN1_IA5STRING\fR() function the string is copied and
the ownership of the original string remains with the caller.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBi2s_ASN1_IA5STRING\fR() returns the pointer to a \s-1IA5\s0 string
-or \s-1NULL\s0 if an error occurs.
+\&\fBi2s_ASN1_IA5STRING\fR() returns the pointer to a IA5 string
+or NULL if an error occurs.
.PP
\&\fBs2i_ASN1_IA5STRING\fR() return a valid
-\&\fB\s-1ASN1_IA5STRING\s0\fR structure or \s-1NULL\s0 if an error occurs.
+\&\fBASN1_IA5STRING\fR structure or NULL if an error occurs.
.PP
\&\fBi2s_ASN1_INTEGER\fR() return a valid
-string or \s-1NULL\s0 if an error occurs.
+string or NULL if an error occurs.
.PP
-\&\fBs2i_ASN1_INTEGER\fR() returns the pointer to a \fB\s-1ASN1_INTEGER\s0\fR
-structure or \s-1NULL\s0 if an error occurs.
+\&\fBs2i_ASN1_INTEGER\fR() returns the pointer to a \fBASN1_INTEGER\fR
+structure or NULL if an error occurs.
.PP
-\&\fBi2s_ASN1_OCTET_STRING\fR() returns the pointer to a \s-1OCTET_STRING\s0 string
-or \s-1NULL\s0 if an error occurs.
+\&\fBi2s_ASN1_OCTET_STRING\fR() returns the pointer to a OCTET_STRING string
+or NULL if an error occurs.
.PP
\&\fBs2i_ASN1_OCTET_STRING\fR() return a valid
-\&\fB\s-1ASN1_OCTET_STRING\s0\fR structure or \s-1NULL\s0 if an error occurs.
+\&\fBASN1_OCTET_STRING\fR structure or NULL if an error occurs.
.PP
\&\fBi2s_ASN1_ENUMERATED\fR() return a valid
-string or \s-1NULL\s0 if an error occurs.
+string or NULL if an error occurs.
.PP
-\&\fBs2i_ASN1_ENUMERATED\fR() returns the pointer to a \fB\s-1ASN1_ENUMERATED\s0\fR
-structure or \s-1NULL\s0 if an error occurs.
+\&\fBs2i_ASN1_ENUMERATED\fR() returns the pointer to a \fBASN1_ENUMERATED\fR
+structure or NULL if an error occurs.
.PP
\&\fBs2i_ASN1_UTF8STRING\fR() return a valid
-\&\fB\s-1ASN1_UTF8STRING\s0\fR structure or \s-1NULL\s0 if an error occurs.
+\&\fBASN1_UTF8STRING\fR structure or NULL if an error occurs.
.PP
-\&\fBi2s_ASN1_UTF8STRING\fR() returns the pointer to a \s-1UTF\-8\s0 string
-or \s-1NULL\s0 if an error occurs.
-.SH "HISTORY"
+\&\fBi2s_ASN1_UTF8STRING\fR() returns the pointer to a UTF\-8 string
+or NULL if an error occurs.
+.SH HISTORY
.IX Header "HISTORY"
\&\fBi2s_ASN1_UTF8STRING()\fR and \fBs2i_ASN1_UTF8STRING()\fR were made public in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man5/config.5 b/secure/lib/libcrypto/man/man5/config.5
index ea387fa315c5..ac12a0a948e5 100644
--- a/secure/lib/libcrypto/man/man5/config.5
+++ b/secure/lib/libcrypto/man/man5/config.5
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONFIG 5ossl"
-.TH CONFIG 5ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CONFIG 5ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
config \- OpenSSL CONF library configuration files
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This page documents the syntax of OpenSSL configuration files,
as parsed by \fBNCONF_load\fR\|(3) and related functions.
@@ -149,15 +73,15 @@ The first part describes the general syntax of the configuration
files, and subsequent sections describe the semantics of individual
modules. Other modules are described in \fBfips_config\fR\|(5) and
\&\fBx509v3_config\fR\|(5).
-The syntax for defining \s-1ASN.1\s0 values is described in
+The syntax for defining ASN.1 values is described in
\&\fBASN1_generate_nconf\fR\|(3).
-.SH "SYNTAX"
+.SH SYNTAX
.IX Header "SYNTAX"
A configuration file is a series of lines. Blank lines, and whitespace
between the elements of a line, have no significance. A comment starts
with a \fB#\fR character; the rest of the line is ignored. If the \fB#\fR
is the first non-space character in a line, the entire line is ignored.
-.SS "Directives"
+.SS Directives
.IX Subsection "Directives"
Two directives can be used to control the parsing of configuration files:
\&\fB.include\fR and \fB.pragma\fR.
@@ -176,14 +100,14 @@ If \fBpathname\fR is a simple filename, that file is included directly at
that point. Included files can have \fB.include\fR statements that specify
other files. If \fBpathname\fR is a directory, all files within that directory
that have a \f(CW\*(C`.cnf\*(C'\fR or \f(CW\*(C`.conf\*(C'\fR extension will be included. (This is only
-available on systems with \s-1POSIX IO\s0 support.) Any sub-directories found
+available on systems with POSIX IO support.) Any sub-directories found
inside the \fBpathname\fR are \fBignored\fR. Similarly, if a file is opened
while scanning a directory, and that file has an \fB.include\fR directive
that specifies a directory, that is also ignored.
.PP
As a general rule, the \fBpathname\fR should be an absolute path; this can
be enforced with the \fBabspath\fR and \fBincludedir\fR pragmas, described below.
-The environment variable \fB\s-1OPENSSL_CONF_INCLUDE\s0\fR, if it exists,
+The environment variable \fBOPENSSL_CONF_INCLUDE\fR, if it exists,
is prepended to all relative pathnames.
If the pathname is still relative, it is interpreted based on the
current working directory.
@@ -219,10 +143,10 @@ variable expansions must be specified using braces or parentheses.
.Ve
.PP
If a relative pathname is specified in the \fB.include\fR directive, and
-the \fB\s-1OPENSSL_CONF_INCLUDE\s0\fR environment variable doesn't exist, then
+the \fBOPENSSL_CONF_INCLUDE\fR environment variable doesn't exist, then
the value of the \fBincludedir\fR pragma, if it exists, is prepended to the
pathname.
-.SS "Settings"
+.SS Settings
.IX Subsection "Settings"
A configuration file is divided into a number of \fIsections\fR. A section
begins with the section name in square brackets, and ends when a new
@@ -236,7 +160,7 @@ the start of file until the first named section. When a name is being
looked up, it is first looked up in the current or named section,
and then the default section if necessary.
.PP
-The environment is mapped onto a section called \fB\s-1ENV\s0\fR.
+The environment is mapped onto a section called \fBENV\fR.
.PP
Within a section are a series of name/value assignments, described in more
detail below. As a reminder, the square brackets shown in this example
@@ -282,7 +206,7 @@ an error is flagged and the file will not load.
This can be worked around by specifying a default value in the \fBdefault\fR
section before the variable is used.
.PP
-Any name/value settings in an \fB\s-1ENV\s0\fR section are available
+Any name/value settings in an \fBENV\fR section are available
to the configuration file, but are not propagated to the environment.
.PP
It is an error if the value ends up longer than 64k.
@@ -300,7 +224,7 @@ also apply to the pathname of the \fB.include\fR directive.
.IX Header "OPENSSL LIBRARY CONFIGURATION"
The sections below use the informal term \fImodule\fR to refer to a part
of the OpenSSL functionality. This is not the same as the formal term
-\&\fI\s-1FIPS\s0 module\fR, for example.
+\&\fIFIPS module\fR, for example.
.PP
The OpenSSL configuration looks up the value of \fBopenssl_conf\fR
in the default section and takes that as the name of a section that specifies
@@ -349,18 +273,18 @@ will be allowed but the desired configuration will \fBnot\fR be used.
\& ... random properties here ...
.Ve
.PP
-The semantics of each module are described below. The phrase \*(L"in the
-initialization section\*(R" refers to the section identified by the
+The semantics of each module are described below. The phrase "in the
+initialization section" refers to the section identified by the
\&\fBopenssl_conf\fR or other name (given as \fBopenssl_init\fR in the
example above). The examples below assume the configuration above
is used to specify the individual sections.
-.SS "\s-1ASN.1\s0 Object Identifier Configuration"
+.SS "ASN.1 Object Identifier Configuration"
.IX Subsection "ASN.1 Object Identifier Configuration"
The name \fBoid_section\fR in the initialization section names the section
-containing name/value pairs of \s-1OID\s0's.
+containing name/value pairs of OID's.
The name is the short name; the value is an optional long name followed
by a comma, and the numeric value.
-While some OpenSSL commands have their own section for specifying \s-1OID\s0's,
+While some OpenSSL commands have their own section for specifying OID's,
this section makes them available to all commands and applications.
.PP
.Vb 4
@@ -383,7 +307,7 @@ will output:
\& 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
.Ve
.PP
-showing that the \s-1OID\s0 \*(L"newoid1\*(R" has been added as \*(L"1.2.3.4.1\*(R".
+showing that the OID "newoid1" has been added as "1.2.3.4.1".
.SS "Provider Configuration"
.IX Subsection "Provider Configuration"
The name \fBproviders\fR in the initialization section names the section
@@ -393,7 +317,7 @@ for that provider. The provider-specific section is used to specify how
to load the module, activate it, and set other parameters.
.PP
Within a provider section, the following names have meaning:
-.IP "\fBidentity\fR" 4
+.IP \fBidentity\fR 4
.IX Item "identity"
This is used to specify an alternate name, overriding the default name
specified in the list of providers. For example:
@@ -405,13 +329,24 @@ specified in the list of providers. For example:
\& [foo_provider]
\& identity = my_fips_module
.Ve
-.IP "\fBmodule\fR" 4
+.IP \fBmodule\fR 4
.IX Item "module"
Specifies the pathname of the module (typically a shared library) to load.
-.IP "\fBactivate\fR" 4
+.IP \fBactivate\fR 4
.IX Item "activate"
-If present, the module is activated. The value assigned to this name is not
-significant.
+If present and set to one of the values yes, on, true or 1, then the associated
+provider will be activated. Conversely, setting this value to no, off, false, or
+0 will prevent the provider from being activated. Settings can be given in lower
+or uppercase. Setting activate to any other setting, or omitting a setting
+value will result in an error.
+.Sp
+= item \fBsoft_load\fR
+.Sp
+If enabled, informs the library to clear the error stack on failure to activate
+requested provider. A value of 1, yes, true or on (in lower or uppercase) will
+activate this setting, while a value of 0, no, false, or off (again in lower or
+uppercase) will disable this setting. Any other value will produce an error.
+Note this setting defaults to off if not provided
.PP
All parameters in the section as well as sub-sections are made
available to the provider.
@@ -425,13 +360,13 @@ See \fBOSSL_PROVIDER\-default\fR\|(7) for more details.
If you add a section explicitly activating any other provider(s),
you most probably need to explicitly activate the default provider,
otherwise it becomes unavailable in openssl. It may make the system remotely unavailable.
-.SS "\s-1EVP\s0 Configuration"
+.SS "EVP Configuration"
.IX Subsection "EVP Configuration"
The name \fBalg_section\fR in the initialization section names the section
-containing algorithmic properties when using the \fB\s-1EVP\s0\fR \s-1API.\s0
+containing algorithmic properties when using the \fBEVP\fR API.
.PP
Within the algorithm properties section, the following names have meaning:
-.IP "\fBdefault_properties\fR" 4
+.IP \fBdefault_properties\fR 4
.IX Item "default_properties"
The value may be anything that is acceptable as a property query
string for \fBEVP_set_default_properties()\fR.
@@ -446,10 +381,10 @@ The value is a boolean that can be \fByes\fR or \fBno\fR. If the value is
.Sp
If the value is \fBno\fR, nothing happens. Using this name is deprecated, and
if used, it must be the only name in the section.
-.SS "\s-1SSL\s0 Configuration"
+.SS "SSL Configuration"
.IX Subsection "SSL Configuration"
The name \fBssl_conf\fR in the initialization section names the section
-containing the list of \s-1SSL/TLS\s0 configurations.
+containing the list of SSL/TLS configurations.
As with the providers, each name in this section identifies a
section with the configuration for that name. For example:
.PP
@@ -467,8 +402,8 @@ section with the configuration for that name. For example:
.Ve
.PP
The configuration name \fBsystem_default\fR has a special meaning. If it
-exists, it is applied whenever an \fB\s-1SSL_CTX\s0\fR object is created. For example,
-to impose system-wide minimum \s-1TLS\s0 and \s-1DTLS\s0 protocol versions:
+exists, it is applied whenever an \fBSSL_CTX\fR object is created. For example,
+to impose system-wide minimum TLS and DTLS protocol versions:
.PP
.Vb 3
\& [tls_system_default]
@@ -476,12 +411,12 @@ to impose system-wide minimum \s-1TLS\s0 and \s-1DTLS\s0 protocol versions:
\& MinProtocol = DTLSv1.2
.Ve
.PP
-The minimum \s-1TLS\s0 protocol is applied to \fB\s-1SSL_CTX\s0\fR objects that are TLS-based,
-and the minimum \s-1DTLS\s0 protocol to those are DTLS-based.
+The minimum TLS protocol is applied to \fBSSL_CTX\fR objects that are TLS-based,
+and the minimum DTLS protocol to those are DTLS-based.
The same applies also to maximum versions set with \fBMaxProtocol\fR.
.PP
Each configuration section consists of name/value pairs that are parsed
-by \fB\fBSSL_CONF_cmd\fB\|(3)\fR, which will be called by \fBSSL_CTX_config()\fR or
+by \fBSSL_CONF_cmd\|(3)\fR, which will be called by \fBSSL_CTX_config()\fR or
\&\fBSSL_config()\fR, appropriately. Note that any characters before an initial
dot in the configuration section are ignored, so that the same command can
be used multiple times. This probably is most useful for loading different
@@ -495,14 +430,14 @@ key types, as shown here:
.SS "Engine Configuration"
.IX Subsection "Engine Configuration"
The name \fBengines\fR in the initialization section names the section
-containing the list of \s-1ENGINE\s0 configurations.
+containing the list of ENGINE configurations.
As with the providers, each name in this section identifies an engine
with the configuration for that engine.
The engine-specific section is used to specify how to load the engine,
activate it, and set other parameters.
.PP
Within an engine section, the following names have meaning:
-.IP "\fBengine_id\fR" 4
+.IP \fBengine_id\fR 4
.IX Item "engine_id"
This is used to specify an alternate name, overriding the default name
specified in the list of engines. If present, it must be first.
@@ -515,29 +450,29 @@ For example:
\& [foo_engine]
\& engine_id = myfoo
.Ve
-.IP "\fBdynamic_path\fR" 4
+.IP \fBdynamic_path\fR 4
.IX Item "dynamic_path"
-This loads and adds an \s-1ENGINE\s0 from the given path. It is equivalent to
-sending the ctrls \fB\s-1SO_PATH\s0\fR with the path argument followed by \fB\s-1LIST_ADD\s0\fR
-with value \fB2\fR and \fB\s-1LOAD\s0\fR to the dynamic \s-1ENGINE.\s0 If this is not the
+This loads and adds an ENGINE from the given path. It is equivalent to
+sending the ctrls \fBSO_PATH\fR with the path argument followed by \fBLIST_ADD\fR
+with value \fB2\fR and \fBLOAD\fR to the dynamic ENGINE. If this is not the
required behaviour then alternative ctrls can be sent directly to the
-dynamic \s-1ENGINE\s0 using ctrl commands.
-.IP "\fBinit\fR" 4
+dynamic ENGINE using ctrl commands.
+.IP \fBinit\fR 4
.IX Item "init"
-This specifies whether to initialize the \s-1ENGINE.\s0 If the value is \fB0\fR the
-\&\s-1ENGINE\s0 will not be initialized, if the value is \fB1\fR an attempt is made
+This specifies whether to initialize the ENGINE. If the value is \fB0\fR the
+ENGINE will not be initialized, if the value is \fB1\fR an attempt is made
to initialize
-the \s-1ENGINE\s0 immediately. If the \fBinit\fR command is not present then an
-attempt will be made to initialize the \s-1ENGINE\s0 after all commands in its
+the ENGINE immediately. If the \fBinit\fR command is not present then an
+attempt will be made to initialize the ENGINE after all commands in its
section have been processed.
-.IP "\fBdefault_algorithms\fR" 4
+.IP \fBdefault_algorithms\fR 4
.IX Item "default_algorithms"
-This sets the default algorithms an \s-1ENGINE\s0 will supply using the function
+This sets the default algorithms an ENGINE will supply using the function
\&\fBENGINE_set_default_string()\fR.
.PP
All other names are taken to be the name of a ctrl command that is
-sent to the \s-1ENGINE,\s0 and the value is the argument passed with the command.
-The special value \fB\s-1EMPTY\s0\fR means no value is sent with the command.
+sent to the ENGINE, and the value is the argument passed with the command.
+The special value \fBEMPTY\fR means no value is sent with the command.
For example:
.PP
.Vb 2
@@ -556,7 +491,7 @@ The name \fBrandom\fR in the initialization section names the section
containing the random number generator settings.
.PP
Within the random section, the following names have meaning:
-.IP "\fBrandom\fR" 4
+.IP \fBrandom\fR 4
.IX Item "random"
This is used to specify the random bit generator.
For example:
@@ -568,39 +503,44 @@ For example:
.Sp
The available random bit generators are:
.RS 4
-.IP "\fBCTR-DRBG\fR" 4
+.IP \fBCTR-DRBG\fR 4
.IX Item "CTR-DRBG"
.PD 0
-.IP "\fBHASH-DRBG\fR" 4
+.IP \fBHASH-DRBG\fR 4
.IX Item "HASH-DRBG"
-.IP "\fBHMAC-DRBG\fR" 4
+.IP \fBHMAC-DRBG\fR 4
.IX Item "HMAC-DRBG"
.RE
.RS 4
.RE
-.IP "\fBcipher\fR" 4
+.IP \fBcipher\fR 4
.IX Item "cipher"
.PD
This specifies what cipher a \fBCTR-DRBG\fR random bit generator will use.
Other random bit generators ignore this name.
-The default value is \fB\s-1AES\-256\-CTR\s0\fR.
-.IP "\fBdigest\fR" 4
+The default value is \fBAES\-256\-CTR\fR.
+.IP \fBdigest\fR 4
.IX Item "digest"
This specifies what digest the \fBHASH-DRBG\fR or \fBHMAC-DRBG\fR random bit
generators will use. Other random bit generators ignore this name.
-.IP "\fBproperties\fR" 4
+.IP \fBproperties\fR 4
.IX Item "properties"
This sets the property query used when fetching the random bit generator and
any underlying algorithms.
-.IP "\fBseed\fR" 4
+.IP \fBseed\fR 4
.IX Item "seed"
This sets the randomness source that should be used. By default \fBSEED-SRC\fR
-will be used outside of the \s-1FIPS\s0 provider. The \s-1FIPS\s0 provider uses call backs
+will be used outside of the FIPS provider. The FIPS provider uses call backs
to access the same randomness sources from outside the validated boundary.
-.IP "\fBseed_properties\fR" 4
+.IP \fBseed_properties\fR 4
.IX Item "seed_properties"
This sets the property query used when fetching the randomness source.
-.SH "EXAMPLES"
+.IP \fBrandom_provider\fR 4
+.IX Item "random_provider"
+This sets the provider to use for the \fBRAND_bytes\fR\|(3) calls instead of the built-in
+entropy sources. It defaults to "fips". If the named provider is not loaded, the
+built-in entropy sources will be used.
+.SH EXAMPLES
.IX Header "EXAMPLES"
This example shows how to use quoting and escaping.
.PP
@@ -623,12 +563,12 @@ This example shows how to use quoting and escaping.
.PP
This example shows how to expand environment variables safely.
In this example, the variable \fBtempfile\fR is intended to refer
-to a temporary file, and the environment variable \fB\s-1TEMP\s0\fR or
-\&\fB\s-1TMP\s0\fR, if present, specify the directory where the file
+to a temporary file, and the environment variable \fBTEMP\fR or
+\&\fBTMP\fR, if present, specify the directory where the file
should be put.
Since the default section is checked if a variable does not
-exist, it is possible to set \fB\s-1TMP\s0\fR to default to \fI/tmp\fR, and
-\&\fB\s-1TEMP\s0\fR to default to \fB\s-1TMP\s0\fR.
+exist, it is possible to set \fBTMP\fR to default to \fI/tmp\fR, and
+\&\fBTEMP\fR to default to \fBTMP\fR.
.PP
.Vb 3
\& # These two lines must be in the default section.
@@ -639,7 +579,7 @@ exist, it is possible to set \fB\s-1TMP\s0\fR to default to \fI/tmp\fR, and
\& tmpfile = ${ENV::TEMP}/tmp.filename
.Ve
.PP
-This example shows how to enforce \s-1FIPS\s0 mode for the application
+This example shows how to enforce FIPS mode for the application
\&\fIsample\fR.
.PP
.Vb 1
@@ -651,24 +591,24 @@ This example shows how to enforce \s-1FIPS\s0 mode for the application
\& [evp_properties]
\& default_properties = "fips=yes"
.Ve
-.SH "ENVIRONMENT"
+.SH ENVIRONMENT
.IX Header "ENVIRONMENT"
-.IP "\fB\s-1OPENSSL_CONF\s0\fR" 4
+.IP \fBOPENSSL_CONF\fR 4
.IX Item "OPENSSL_CONF"
The path to the config file, or the empty string for none.
Ignored in set-user-ID and set-group-ID programs.
-.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
+.IP \fBOPENSSL_ENGINES\fR 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory.
Ignored in set-user-ID and set-group-ID programs.
-.IP "\fB\s-1OPENSSL_MODULES\s0\fR" 4
+.IP \fBOPENSSL_MODULES\fR 4
.IX Item "OPENSSL_MODULES"
The path to the directory with OpenSSL modules, such as providers.
Ignored in set-user-ID and set-group-ID programs.
-.IP "\fB\s-1OPENSSL_CONF_INCLUDE\s0\fR" 4
+.IP \fBOPENSSL_CONF_INCLUDE\fR 4
.IX Item "OPENSSL_CONF_INCLUDE"
The optional path to prepend to all \fB.include\fR paths.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
There is no way to include characters using the octal \fB\ennn\fR form. Strings
are all null terminated so nulls cannot form part of the value.
@@ -678,9 +618,9 @@ you can't use any quote escaping on the same line.
.PP
The limit that only one directory can be opened and read at a time
can be considered a bug and should be fixed.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-An undocumented \s-1API, \fBNCONF_WIN32\s0()\fR, used a slightly different set
+An undocumented API, \fBNCONF_WIN32()\fR, used a slightly different set
of parsing rules there were intended to be tailored to
the Microsoft Windows platform.
Specifically, the backslash character was not an escape character and
@@ -696,13 +636,14 @@ configuration files using that syntax will have to be modified.
\&\fBEVP_set_default_properties\fR\|(3),
\&\fBCONF_modules_load\fR\|(3),
\&\fBCONF_modules_load_file\fR\|(3),
+\&\fBRAND_bytes\fR\|(3),
\&\fBfips_config\fR\|(5), and
\&\fBx509v3_config\fR\|(5).
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man5/fips_config.5 b/secure/lib/libcrypto/man/man5/fips_config.5
index 71c6014ae588..25b3b1f24c59 100644
--- a/secure/lib/libcrypto/man/man5/fips_config.5
+++ b/secure/lib/libcrypto/man/man5/fips_config.5
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "FIPS_CONFIG 5ossl"
-.TH FIPS_CONFIG 5ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH FIPS_CONFIG 5ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
fips_config \- OpenSSL FIPS configuration
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
A separate configuration file, using the OpenSSL \fBconfig\fR\|(5) syntax,
-is used to hold information about the \s-1FIPS\s0 module. This includes a digest
+is used to hold information about the FIPS module. This includes a digest
of the shared library file, and status about the self-testing.
This data is used automatically by the module itself for two
purposes:
-.IP "\- Run the startup \s-1FIPS\s0 self-test known answer tests (\s-1KATS\s0)." 4
+.IP "\- Run the startup FIPS self-test known answer tests (KATS)." 4
.IX Item "- Run the startup FIPS self-test known answer tests (KATS)."
This is normally done once, at installation time, but may also be set up to
run each time the module is used.
@@ -154,52 +78,140 @@ run each time the module is used.
This is done each time the module is used.
.PP
This file is generated by the \fBopenssl\-fipsinstall\fR\|(1) program, and
-used internally by the \s-1FIPS\s0 module during its initialization.
+used internally by the FIPS module during its initialization.
.PP
The following options are supported. They should all appear in a section
whose name is identified by the \fBfips\fR option in the \fBproviders\fR
-section, as described in \*(L"Provider Configuration Module\*(R" in \fBconfig\fR\|(5).
-.IP "\fBactivate\fR" 4
+section, as described in "Provider Configuration Module" in \fBconfig\fR\|(5).
+.IP \fBactivate\fR 4
.IX Item "activate"
If present, the module is activated. The value assigned to this name is not
significant.
-.IP "\fBinstall-version\fR" 4
-.IX Item "install-version"
-A version number for the fips install process. Should be 1.
-.IP "\fBconditional-errors\fR" 4
+.IP \fBconditional-errors\fR 4
.IX Item "conditional-errors"
-The \s-1FIPS\s0 module normally enters an internal error mode if any self test fails.
+The FIPS module normally enters an internal error mode if any self test fails.
Once this error mode is active, no services or cryptographic algorithms are
accessible from this point on.
Continuous tests are a subset of the self tests (e.g., a key pair test during key
-generation, or the \s-1CRNG\s0 output test).
+generation, or the CRNG output test).
Setting this value to \f(CW0\fR allows the error mode to not be triggered if any
continuous test fails. The default value of \f(CW1\fR will trigger the error mode.
Regardless of the value, the operation (e.g., key generation) that called the
continuous test will return an error code if its continuous test fails. The
operation may then be retried if the error mode has not been triggered.
-.IP "\fBsecurity-checks\fR" 4
-.IX Item "security-checks"
-This indicates if run-time checks related to enforcement of security parameters
-such as minimum security strength of keys and approved curve names are used.
-A value of '1' will perform the checks, otherwise if the value is '0' the checks
-are not performed and \s-1FIPS\s0 compliance must be done by procedures documented in
-the relevant Security Policy.
-.IP "\fBmodule-mac\fR" 4
+.IP \fBmodule-mac\fR 4
.IX Item "module-mac"
-The calculated \s-1MAC\s0 of the \s-1FIPS\s0 provider file.
-.IP "\fBinstall-status\fR" 4
+The calculated MAC of the FIPS provider file.
+.IP \fBinstall-version\fR 4
+.IX Item "install-version"
+A version number for the fips install process. Should be 1.
+.IP \fBinstall-status\fR 4
.IX Item "install-status"
An indicator that the self-tests were successfully run.
This should only be written after the module has
successfully passed its self tests during installation.
If this field is not present, then the self tests will run when the module
loads.
-.IP "\fBinstall-mac\fR" 4
+.IP \fBinstall-mac\fR 4
.IX Item "install-mac"
-A \s-1MAC\s0 of the value of the \fBinstall-status\fR option, to prevent accidental
+A MAC of the value of the \fBinstall-status\fR option, to prevent accidental
changes to that value.
It is written-to at the same time as \fBinstall-status\fR is updated.
+.SS "FIPS indicator options"
+.IX Subsection "FIPS indicator options"
+The following FIPS configuration options indicate if run-time checks related to
+enforcement of FIPS security parameters such as minimum security strength of
+keys and approved curve names are used.
+A value of '1' will perform the checks, otherwise if the value is '0' the checks
+are not performed and FIPS compliance must be done by procedures documented in
+the relevant Security Policy.
+.PP
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) for further information related to these
+options.
+.IP \fBsecurity-checks\fR 4
+.IX Item "security-checks"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_security_checks\fR
+.IP \fBtls1\-prf\-ems\-check\fR 4
+.IX Item "tls1-prf-ems-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ems_check\fR
+.IP \fBno-short-mac\fR 4
+.IX Item "no-short-mac"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_short_mac\fR
+.IP \fBdrbg-no-trunc-md\fR 4
+.IX Item "drbg-no-trunc-md"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_drbg_truncated_digests\fR
+.IP \fBsignature-digest-check\fR 4
+.IX Item "signature-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-signature_digest_check\fR
+.IP \fBhkdf-digest-check\fR 4
+.IX Item "hkdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hkdf_digest_check\fR
+.IP \fBtls13\-kdf\-digest\-check\fR 4
+.IX Item "tls13-kdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_digest_check\fR
+.IP \fBtls1\-prf\-digest\-check\fR 4
+.IX Item "tls1-prf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_digest_check\fR
+.IP \fBsshkdf-digest-check\fR 4
+.IX Item "sshkdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_digest_check\fR
+.IP \fBsskdf-digest-check\fR 4
+.IX Item "sskdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sskdf_digest_check\fR
+.IP \fBx963kdf\-digest\-check\fR 4
+.IX Item "x963kdf-digest-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x963kdf_digest_check\fR
+.IP \fBdsa-sign-disabled\fR 4
+.IX Item "dsa-sign-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-dsa_sign_disabled\fR
+.IP \fBtdes-encrypt-disabled\fR 4
+.IX Item "tdes-encrypt-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tdes_encrypt_disabled\fR
+.IP \fBrsa\-pkcs15\-pad\-disabled\fR 4
+.IX Item "rsa-pkcs15-pad-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pkcs15_pad_disabled\fR
+.IP \fBrsa-pss-saltlen-check\fR 4
+.IX Item "rsa-pss-saltlen-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_pss_saltlen_check\fR
+.IP \fBrsa\-sign\-x931\-pad\-disabled\fR 4
+.IX Item "rsa-sign-x931-pad-disabled"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-rsa_sign_x931_disabled\fR
+.IP \fBhkdf-key-check\fR 4
+.IX Item "hkdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hkdf_key_check\fR
+.IP \fBkbkdf-key-check\fR 4
+.IX Item "kbkdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kbkdf_key_check\fR
+.IP \fBtls13\-kdf\-key\-check\fR 4
+.IX Item "tls13-kdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls13_kdf_key_check\fR
+.IP \fBtls1\-prf\-key\-check\fR 4
+.IX Item "tls1-prf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-tls1_prf_key_check\fR
+.IP \fBsshkdf-key-check\fR 4
+.IX Item "sshkdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sshkdf_key_check\fR
+.IP \fBsskdf-key-check\fR 4
+.IX Item "sskdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-sskdf_key_check\fR
+.IP \fBx963kdf\-key\-check\fR 4
+.IX Item "x963kdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x963kdf_key_check\fR
+.IP \fBx942kdf\-key\-check\fR 4
+.IX Item "x942kdf-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-x942kdf_key_check\fR
+.IP \fBpbkdf2\-lower\-bound\-check\fR 4
+.IX Item "pbkdf2-lower-bound-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-no_pbkdf2_lower_bound_check\fR
+.IP \fBecdh-cofactor-check\fR 4
+.IX Item "ecdh-cofactor-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-ecdh_cofactor_check\fR
+.IP \fBhmac-key-check\fR 4
+.IX Item "hmac-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-hmac_key_check\fR
+.IP \fBkmac-key-check\fR 4
+.IX Item "kmac-key-check"
+See "OPTIONS" in \fBopenssl\-fipsinstall\fR\|(1) \fB\-kmac_key_check\fR
.PP
For example:
.PP
@@ -213,9 +225,9 @@ For example:
\& install\-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
\& install\-status = INSTALL_SELF_TEST_KATS_RUN
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-When using the \s-1FIPS\s0 provider, it is recommended that the
+When using the FIPS provider, it is recommended that the
\&\fBconfig_diagnostics\fR option is enabled to prevent accidental use of
non-FIPS validated algorithms via broken or mistaken configuration.
See \fBconfig\fR\|(5).
@@ -223,14 +235,14 @@ See \fBconfig\fR\|(5).
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5)
\&\fBopenssl\-fipsinstall\fR\|(1)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man5/x509v3_config.5 b/secure/lib/libcrypto/man/man5/x509v3_config.5
index 374dd11e34ff..f0ae1fbb3564 100644
--- a/secure/lib/libcrypto/man/man5/x509v3_config.5
+++ b/secure/lib/libcrypto/man/man5/x509v3_config.5
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,81 +52,21 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_CONFIG 5ossl"
-.TH X509V3_CONFIG 5ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509V3_CONFIG 5ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
x509v3_config \- X509 V3 certificate extension configuration format
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Several OpenSSL commands can add extensions to a certificate or
certificate request based on the contents of a configuration file
-and \s-1CLI\s0 options such as \fB\-addext\fR.
+and CLI options such as \fB\-addext\fR.
The syntax of configuration files is described in \fBconfig\fR\|(5).
The commands typically have an option to specify the name of the configuration
file, and a section within that file; see the documentation of the
@@ -244,10 +168,10 @@ numeric identifier, as shown here:
.PP
The syntax of raw extensions is defined by the source code that parses
the extension but should be documented.
-See \*(L"Certificate Policies\*(R" for an example of a raw extension.
+See "Certificate Policies" for an example of a raw extension.
.PP
If an extension type is unsupported, then the \fIarbitrary\fR extension syntax
-must be used, see the \*(L"\s-1ARBITRARY EXTENSIONS\*(R"\s0 section for more details.
+must be used, see the "ARBITRARY EXTENSIONS" section for more details.
.SH "STANDARD EXTENSIONS"
.IX Header "STANDARD EXTENSIONS"
The following sections describe the syntax of each supported extension.
@@ -255,8 +179,8 @@ They do not define the semantics of the extension.
.SS "Basic Constraints"
.IX Subsection "Basic Constraints"
This is a multi-valued extension which indicates whether a certificate is
-a \s-1CA\s0 certificate. The first value is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or
-\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by a
+a CA certificate. The first value is \fBCA\fR followed by \fBTRUE\fR or
+\&\fBFALSE\fR. If \fBCA\fR is \fBTRUE\fR then an optional \fBpathlen\fR name followed by a
nonnegative value can be included.
.PP
For example:
@@ -269,11 +193,11 @@ For example:
\& basicConstraints = critical, CA:TRUE, pathlen:1
.Ve
.PP
-A \s-1CA\s0 certificate \fImust\fR include the \fBbasicConstraints\fR name with the \fB\s-1CA\s0\fR
-parameter set to \fB\s-1TRUE\s0\fR. An end-user certificate must either have \fB\s-1CA:FALSE\s0\fR
+A CA certificate \fImust\fR include the \fBbasicConstraints\fR name with the \fBCA\fR
+parameter set to \fBTRUE\fR. An end-user certificate must either have \fBCA:FALSE\fR
or omit the extension entirely.
The \fBpathlen\fR parameter specifies the maximum number of CAs that can appear
-below this one in a chain. A \fBpathlen\fR of zero means the \s-1CA\s0 cannot sign
+below this one in a chain. A \fBpathlen\fR of zero means the CA cannot sign
any sub-CA's, and can only sign end-entity certificates.
.SS "Key Usage"
.IX Subsection "Key Usage"
@@ -293,7 +217,7 @@ Examples:
.IX Subsection "Extended Key Usage"
This extension consists of a list of values indicating purposes for which
the certificate public key can be used.
-Each value can be either a short text name or an \s-1OID.\s0
+Each value can be either a short text name or an OID.
The following text names, and their intended meaning, are known:
.PP
.Vb 10
@@ -312,8 +236,8 @@ The following text names, and their intended meaning, are known:
\& msEFS Microsoft Encrypted File System
.Ve
.PP
-While \s-1IETF RFC 5280\s0 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR
-are only for \s-1WWW\s0 use, in practice they are used for all kinds of \s-1TLS\s0 clients
+While IETF RFC 5280 says that \fBid-kp-serverAuth\fR and \fBid-kp-clientAuth\fR
+are only for WWW use, in practice they are used for all kinds of TLS clients
and servers, and this is what OpenSSL assumes as well.
.PP
Examples:
@@ -325,15 +249,22 @@ Examples:
.Ve
.SS "Subject Key Identifier"
.IX Subsection "Subject Key Identifier"
-The \s-1SKID\s0 extension specification has a value with three choices.
-If the value is the word \fBnone\fR then no \s-1SKID\s0 extension will be included.
-If the value is the word \fBhash\fR, or by default for the \fBx509\fR, \fBreq\fR, and
-\&\fBca\fR apps, the process specified in \s-1RFC 5280\s0 section 4.2.1.2. (1) is followed:
-The keyIdentifier is composed of the 160\-bit \s-1SHA\-1\s0 hash of the value of the \s-1BIT
-STRING\s0 subjectPublicKey (excluding the tag, length, and number of unused bits).
-.PP
-Otherwise, the value must be a hex string (possibly with \f(CW\*(C`:\*(C'\fR separating bytes)
-to output directly, however, this is strongly discouraged.
+The SKID extension specification has a value with three choices.
+.IP \fBnone\fR 4
+.IX Item "none"
+No SKID extension will be included.
+.IP \fBhash\fR 4
+.IX Item "hash"
+The process specified in RFC 5280 section 4.2.1.2. (1) is followed:
+The keyIdentifier is composed of the 160\-bit SHA\-1 hash of the value of the BIT
+STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
+.ie n .IP "A hex string (possibly with "":"" separating bytes)" 4
+.el .IP "A hex string (possibly with \f(CW:\fR separating bytes)" 4
+.IX Item "A hex string (possibly with : separating bytes)"
+The provided value is output directly.
+This choice is strongly discouraged.
+.PP
+By default the \fBx509\fR, \fBreq\fR, and \fBca\fR apps behave as if \fBhash\fR was given.
.PP
Example:
.PP
@@ -342,18 +273,19 @@ Example:
.Ve
.SS "Authority Key Identifier"
.IX Subsection "Authority Key Identifier"
-The \s-1AKID\s0 extension specification may have the value \fBnone\fR
-indicating that no \s-1AKID\s0 shall be included.
+The AKID extension specification may have the value \fBnone\fR
+indicating that no AKID shall be included.
Otherwise it may have the value \fBkeyid\fR or \fBissuer\fR
or both of them, separated by \f(CW\*(C`,\*(C'\fR.
Either or both can have the option \fBalways\fR,
indicated by putting a colon \f(CW\*(C`:\*(C'\fR between the value and this option.
-For self-signed certificates the \s-1AKID\s0 is suppressed unless \fBalways\fR is present.
-By default the \fBx509\fR, \fBreq\fR, and \fBca\fR apps behave as if
-\&\*(L"none\*(R" was given for self-signed certificates and \*(L"keyid, issuer\*(R" otherwise.
+For self-signed certificates the AKID is suppressed unless \fBalways\fR is present.
+.PP
+By default the \fBx509\fR, \fBreq\fR, and \fBca\fR apps behave as if \fBnone\fR was given
+for self-signed certificates and \fBkeyid\fR\f(CW\*(C`,\*(C'\fR \fBissuer\fR otherwise.
.PP
If \fBkeyid\fR is present, an attempt is made to
-copy the subject key identifier (\s-1SKID\s0) from the issuer certificate except if
+copy the subject key identifier (SKID) from the issuer certificate except if
the issuer certificate is the same as the current one and it is not self-signed.
The hash of the public key related to the signing key is taken as fallback
if the issuer certificate is the same as the current certificate.
@@ -361,7 +293,8 @@ If \fBalways\fR is present but no value can be obtained, an error is returned.
.PP
If \fBissuer\fR is present, and in addition it has the option \fBalways\fR specified
or \fBkeyid\fR is not present,
-then the issuer \s-1DN\s0 and serial number are copied from the issuer certificate.
+then the issuer DN and serial number are copied from the issuer certificate.
+If this fails, an error is returned.
.PP
Examples:
.PP
@@ -375,10 +308,10 @@ Examples:
This is a multi-valued extension that supports several types of name
identifier, including
\&\fBemail\fR (an email address),
-\&\fB\s-1URI\s0\fR (a uniform resource indicator),
-\&\fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name),
-\&\fB\s-1RID\s0\fR (a registered \s-1ID: OBJECT IDENTIFIER\s0),
-\&\fB\s-1IP\s0\fR (an \s-1IP\s0 address),
+\&\fBURI\fR (a uniform resource indicator),
+\&\fBDNS\fR (a DNS domain name),
+\&\fBRID\fR (a registered ID: OBJECT IDENTIFIER),
+\&\fBIP\fR (an IP address),
\&\fBdirName\fR (a distinguished name),
and \fBotherName\fR.
The syntax of each is described in the following paragraphs.
@@ -389,14 +322,14 @@ contained in the certificate subject name in the extension.
\&\f(CW\*(C`move\*(C'\fR will automatically move any email addresses
from the certificate subject name to the extension.
.PP
-The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR option can be in either IPv4 or IPv6 format.
+The IP address used in the \fBIP\fR option can be in either IPv4 or IPv6 format.
.PP
The value of \fBdirName\fR is specifies the configuration section containing
the distinguished name to use, as a set of name-value pairs.
Multi-valued AVAs can be formed by prefacing the name with a \fB+\fR character.
.PP
-The value of \fBotherName\fR can include arbitrary data associated with an \s-1OID\s0;
-the value should be the \s-1OID\s0 followed by a semicolon and the content in specified
+The value of \fBotherName\fR can include arbitrary data associated with an OID;
+the value should be the OID followed by a semicolon and the content in specified
using the syntax in \fBASN1_generate_nconf\fR\|(3).
.PP
Examples:
@@ -422,8 +355,8 @@ Examples:
\& CN = My Name
.Ve
.PP
-Non-ASCII Email Address conforming the syntax defined in Section 3.3 of \s-1RFC 6531\s0
-are provided as otherName.SmtpUTF8Mailbox. According to \s-1RFC 8398,\s0 the email
+Non-ASCII Email Address conforming the syntax defined in Section 3.3 of RFC 6531
+are provided as otherName.SmtpUTF8Mailbox. According to RFC 8398, the email
address should be provided as UTF8String. To enforce the valid representation in
the certificate, the SmtpUTF8Mailbox should be provided as follows
.PP
@@ -447,16 +380,16 @@ Example:
.SS "Authority Info Access"
.IX Subsection "Authority Info Access"
This extension gives details about how to retrieve information that
-related to the certificate that the \s-1CA\s0 makes available. The syntax is
+related to the certificate that the CA makes available. The syntax is
\&\fBaccess_id;location\fR, where \fBaccess_id\fR is an object identifier
(although only a few values are well-known) and \fBlocation\fR has the same
syntax as subject alternative name (except that \fBemail:copy\fR is not supported).
.PP
-Possible values for access_id include \fB\s-1OCSP\s0\fR (\s-1OCSP\s0 responder),
-\&\fBcaIssuers\fR (\s-1CA\s0 Issuers),
-\&\fBad_timestamping\fR (\s-1AD\s0 Time Stamping),
-\&\fB\s-1AD_DVCS\s0\fR (ad dvcs),
-\&\fBcaRepository\fR (\s-1CA\s0 Repository).
+Possible values for access_id include \fBOCSP\fR (OCSP responder),
+\&\fBcaIssuers\fR (CA Issuers),
+\&\fBad_timestamping\fR (AD Time Stamping),
+\&\fBAD_DVCS\fR (ad dvcs),
+\&\fBcaRepository\fR (CA Repository).
.PP
Examples:
.PP
@@ -465,7 +398,7 @@ Examples:
\&
\& authorityInfoAccess = OCSP;URI:http://ocsp.example.com/
.Ve
-.SS "\s-1CRL\s0 distribution points"
+.SS "CRL distribution points"
.IX Subsection "CRL distribution points"
This is a multi-valued extension whose values can be either a name-value
pair using the same form as subject alternative name or a single value
@@ -477,18 +410,18 @@ value, and the reasons and cRLIssuer fields will be omitted.
.PP
When a single option is used, the value specifies the section, and that
section can have the following items:
-.IP "fullname" 4
+.IP fullname 4
.IX Item "fullname"
The full name of the distribution point, in the same format as the subject
alternative name.
-.IP "relativename" 4
+.IP relativename 4
.IX Item "relativename"
The value is taken as a distinguished name fragment that is set as the
value of the nameRelativeToCRLIssuer field.
-.IP "CRLIssuer" 4
+.IP CRLIssuer 4
.IX Item "CRLIssuer"
The value must in the same format as the subject alternative name.
-.IP "reasons" 4
+.IP reasons 4
.IX Item "reasons"
A multi-value field that contains the reasons for revocation. The recognized
values are: \f(CW\*(C`keyCompromise\*(C'\fR, \f(CW\*(C`CACompromise\*(C'\fR, \f(CW\*(C`affiliationChanged\*(C'\fR,
@@ -524,17 +457,17 @@ Full distribution point example:
.SS "Issuing Distribution Point"
.IX Subsection "Issuing Distribution Point"
This extension should only appear in CRLs. It is a multi-valued extension
-whose syntax is similar to the \*(L"section\*(R" pointed to by the \s-1CRL\s0 distribution
+whose syntax is similar to the "section" pointed to by the CRL distribution
points extension. The following names have meaning:
-.IP "fullname" 4
+.IP fullname 4
.IX Item "fullname"
The full name of the distribution point, in the same format as the subject
alternative name.
-.IP "relativename" 4
+.IP relativename 4
.IX Item "relativename"
The value is taken as a distinguished name fragment that is set as the
value of the nameRelativeToCRLIssuer field.
-.IP "onlysomereasons" 4
+.IP onlysomereasons 4
.IX Item "onlysomereasons"
A multi-value field that contains the reasons for revocation. The recognized
values are: \f(CW\*(C`keyCompromise\*(C'\fR, \f(CW\*(C`CACompromise\*(C'\fR, \f(CW\*(C`affiliationChanged\*(C'\fR,
@@ -560,17 +493,17 @@ Example:
This is a \fIraw\fR extension that supports all of the defined fields of the
certificate extension.
.PP
-Policies without qualifiers are specified by giving the \s-1OID.\s0
+Policies without qualifiers are specified by giving the OID.
Multiple policies are comma-separated. For example:
.PP
.Vb 1
\& certificatePolicies = 1.2.4.5, 1.1.3.4
.Ve
.PP
-To include policy qualifiers, use the \*(L"@section\*(R" syntax to point to a
+To include policy qualifiers, use the "@section" syntax to point to a
section that specifies all the information.
.PP
-The section referred to must include the policy \s-1OID\s0 using the name
+The section referred to must include the policy OID using the name
\&\fBpolicyIdentifier\fR. cPSuri qualifiers can be included using the syntax:
.PP
.Vb 1
@@ -589,7 +522,7 @@ The value of the userNotice qualifier is specified in the relevant section.
This section can include \fBexplicitText\fR, \fBorganization\fR, and \fBnoticeNumbers\fR
options. explicitText and organization are text strings, noticeNumbers is a
comma separated list of numbers. The organization and noticeNumbers options
-(if included) must \s-1BOTH\s0 be present. Some software might require
+(if included) must BOTH be present. Some software might require
the \fBia5org\fR option at the top level; this changes the encoding from
Displaytext to IA5String.
.PP
@@ -612,7 +545,7 @@ Example:
.Ve
.PP
The character encoding of explicitText can be specified by prefixing the
-value with \fB\s-1UTF8\s0\fR, \fB\s-1BMP\s0\fR, or \fB\s-1VISIBLE\s0\fR followed by colon. For example:
+value with \fBUTF8\fR, \fBBMP\fR, or \fBVISIBLE\fR followed by colon. For example:
.PP
.Vb 2
\& [notice]
@@ -644,7 +577,7 @@ This is a multi-valued extension. The name should
begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of
the name and the value follows the syntax of subjectAltName except
\&\fBemail:copy\fR
-is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 addresses and
+is not supported and the \fBIP\fR form should consist of an IP addresses and
subnet mask separated by a \fB/\fR.
.PP
Examples:
@@ -656,7 +589,7 @@ Examples:
\&
\& nameConstraints = excluded;email:.com
.Ve
-.SS "\s-1OCSP\s0 No Check"
+.SS "OCSP No Check"
.IX Subsection "OCSP No Check"
This is a string extension. It is parsed, but ignored.
.PP
@@ -665,11 +598,11 @@ Example:
.Vb 1
\& noCheck = ignored
.Ve
-.SS "\s-1TLS\s0 Feature (aka Must Staple)"
+.SS "TLS Feature (aka Must Staple)"
.IX Subsection "TLS Feature (aka Must Staple)"
-This is a multi-valued extension consisting of a list of \s-1TLS\s0 extension
+This is a multi-valued extension consisting of a list of TLS extension
identifiers. Each identifier may be a number (0..65535) or a supported name.
-When a \s-1TLS\s0 client sends a listed extension, the \s-1TLS\s0 server is expected to
+When a TLS client sends a listed extension, the TLS server is expected to
include that extension in its reply.
.PP
The supported names are: \fBstatus_request\fR and \fBstatus_request_v2\fR.
@@ -708,7 +641,7 @@ the data is formatted correctly for the given extension type.
.PP
There are two ways to encode arbitrary extensions.
.PP
-The first way is to use the word \s-1ASN1\s0 followed by the extension content
+The first way is to use the word ASN1 followed by the extension content
using the same syntax as \fBASN1_generate_nconf\fR\|(3).
For example:
.PP
@@ -722,7 +655,7 @@ For example:
\& field2 = UTF8:field2
.Ve
.PP
-It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any
+It is also possible to use the word DER to include the raw encoded data in any
extension.
.PP
.Vb 2
@@ -730,31 +663,31 @@ extension.
\& 1.2.3.4.1 = DER:01020304
.Ve
.PP
-The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension
+The value following DER is a hex dump of the DER encoding of the extension
Any extension can be placed in this form to override the default behaviour.
For example:
.PP
.Vb 1
\& basicConstraints = critical, DER:00:01:02:03
.Ve
-.SH "WARNINGS"
+.SH WARNINGS
.IX Header "WARNINGS"
There is no guarantee that a specific implementation will process a given
extension. It may therefore be sometimes possible to use certificates for
purposes prohibited by their extensions because a specific application does
not recognize or honour the values of the relevant extensions.
.PP
-The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create
+The DER and ASN1 options should be used with caution. It is possible to create
invalid extensions if they are not used carefully.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-req\fR\|(1), \fBopenssl\-ca\fR\|(1), \fBopenssl\-x509\fR\|(1),
\&\fBASN1_generate_nconf\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2004\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7
index 9ea289bcedf9..95e0d492506d 100644
--- a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-RSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,117 +52,59 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ASYM_CIPHER-RSA 7ossl"
-.TH EVP_ASYM_CIPHER-RSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_ASYM_CIPHER-RSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_ASYM_CIPHER\-RSA
\&\- RSA Asymmetric Cipher algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Asymmetric Cipher support for the \fB\s-1RSA\s0\fR key type.
-.SS "\s-1RSA\s0 Asymmetric Cipher parameters"
+Asymmetric Cipher support for the \fBRSA\fR key type.
+.SS "RSA Asymmetric Cipher parameters"
.IX Subsection "RSA Asymmetric Cipher parameters"
-.ie n .IP """pad-mode"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``pad-mode'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "pad-mode (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string>"
-The default provider understands these \s-1RSA\s0 padding modes in string form:
+.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string>" 4
+.IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string>"
+The default provider understands these RSA padding modes in string form:
.RS 4
-.ie n .IP """none"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_NONE\s0\fR)" 4
-.el .IP "``none'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_NONE\s0\fR)" 4
-.IX Item "none (OSSL_PKEY_RSA_PAD_MODE_NONE)"
+.IP """none"" (\fBOSSL_PKEY_RSA_PAD_MODE_NONE\fR)" 4
+.IX Item """none"" (OSSL_PKEY_RSA_PAD_MODE_NONE)"
.PD 0
-.ie n .IP """oaep"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_OAEP\s0\fR)" 4
-.el .IP "``oaep'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_OAEP\s0\fR)" 4
-.IX Item "oaep (OSSL_PKEY_RSA_PAD_MODE_OAEP)"
-.ie n .IP """pkcs1"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_PKCSV15\s0\fR)" 4
-.el .IP "``pkcs1'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_PKCSV15\s0\fR)" 4
-.IX Item "pkcs1 (OSSL_PKEY_RSA_PAD_MODE_PKCSV15)"
-.ie n .IP """x931"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_X931\s0\fR)" 4
-.el .IP "``x931'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_X931\s0\fR)" 4
-.IX Item "x931 (OSSL_PKEY_RSA_PAD_MODE_X931)"
+.IP """oaep"" (\fBOSSL_PKEY_RSA_PAD_MODE_OAEP\fR)" 4
+.IX Item """oaep"" (OSSL_PKEY_RSA_PAD_MODE_OAEP)"
+.IP """pkcs1"" (\fBOSSL_PKEY_RSA_PAD_MODE_PKCSV15\fR)" 4
+.IX Item """pkcs1"" (OSSL_PKEY_RSA_PAD_MODE_PKCSV15)"
+.PD
+This padding mode is no longer supported by the FIPS provider for key
+agreement and key transport.
+(This is a FIPS 140\-3 requirement)
+.IP """x931"" (\fBOSSL_PKEY_RSA_PAD_MODE_X931\fR)" 4
+.IX Item """x931"" (OSSL_PKEY_RSA_PAD_MODE_X931)"
.RE
.RS 4
.RE
-.ie n .IP """pad-mode"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_PAD_MODE\s0\fR) <integer>" 4
-.el .IP "``pad-mode'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_PAD_MODE\s0\fR) <integer>" 4
-.IX Item "pad-mode (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <integer>"
+.PD 0
+.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <integer>" 4
+.IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <integer>"
.PD
-The default provider understands these \s-1RSA\s0 padding modes in integer form:
+The default provider understands these RSA padding modes in integer form:
.RS 4
-.IP "1 (\fB\s-1RSA_PKCS1_PADDING\s0\fR)" 4
+.IP "1 (\fBRSA_PKCS1_PADDING\fR)" 4
.IX Item "1 (RSA_PKCS1_PADDING)"
-.PD 0
-.IP "3 (\fB\s-1RSA_NO_PADDING\s0\fR)" 4
+This padding mode is no longer supported by the FIPS provider for key
+agreement and key transport.
+(This is a FIPS 140\-3 requirement)
+.IP "3 (\fBRSA_NO_PADDING\fR)" 4
.IX Item "3 (RSA_NO_PADDING)"
-.IP "4 (\fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR)" 4
+.PD 0
+.IP "4 (\fBRSA_PKCS1_OAEP_PADDING\fR)" 4
.IX Item "4 (RSA_PKCS1_OAEP_PADDING)"
-.IP "5 (\fB\s-1RSA_X931_PADDING\s0\fR)" 4
+.IP "5 (\fBRSA_X931_PADDING\fR)" 4
.IX Item "5 (RSA_X931_PADDING)"
.RE
.RS 4
@@ -186,46 +112,56 @@ The default provider understands these \s-1RSA\s0 padding modes in integer form:
.Sp
See \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3) for further details.
.RE
-.ie n .IP """digest"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """digest-props"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest-props'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest-props (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>"
-.ie n .IP """mgf1\-digest"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-digest'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-digest (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST) <UTF8 string>"
-.ie n .IP """mgf1\-digest\-props"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-digest\-props'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-digest-props (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>"
-.ie n .IP """oaep-label"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\s0\fR) <octet string>" 4
-.el .IP "``oaep-label'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\s0\fR) <octet string>" 4
-.IX Item "oaep-label (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>"
-.ie n .IP """tls-client-version"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-client-version'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.IX Item "tls-client-version (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
+.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>"
+.IP """mgf1\-digest"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mgf1-digest"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST) <UTF8 string>"
+.IP """mgf1\-digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """mgf1-digest-props"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>"
+.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4
+.IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>"
+.IP """tls-client-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4
+.IX Item """tls-client-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
.PD
-See \fB\s-1RSA_PKCS1_WITH_TLS_PADDING\s0\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3).
-.ie n .IP """tls-negotiated-version"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-negotiated-version'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.IX Item "tls-negotiated-version (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
-See \fB\s-1RSA_PKCS1_WITH_TLS_PADDING\s0\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3).
+See \fBRSA_PKCS1_WITH_TLS_PADDING\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3).
+.IP """tls-negotiated-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4
+.IX Item """tls-negotiated-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
+See \fBRSA_PKCS1_WITH_TLS_PADDING\fR on the page \fBEVP_PKEY_CTX_set_rsa_padding\fR\|(3).
.Sp
-See \*(L"Asymmetric Cipher Parameters\*(R" in \fBprovider\-asym_cipher\fR\|(7) for more information.
+See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more information.
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD 0
+.IP """key-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) <integer>"
+.PD
+See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7) for more information.
+.IP """pkcs15\-pad\-disabled"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED\fR) <integer>" 4
+.IX Item """pkcs15-pad-disabled"" (OSSL_ASYM_CIPHER_PARAM_FIPS_RSA_PKCS15_PAD_DISABLED) <integer>"
+The default value of 1 causes an error during encryption if the RSA padding
+mode is set to "pkcs1".
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-RSA\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-RSA\fR\|(7),
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-asym_cipher\fR\|(7),
\&\fBprovider\-keymgmt\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7)
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7 b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7
index 7f9dcdf94ade..14748090fa32 100644
--- a/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_ASYM_CIPHER-SM2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,103 +52,41 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ASYM_CIPHER-SM2 7ossl"
-.TH EVP_ASYM_CIPHER-SM2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_ASYM_CIPHER-SM2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_ASYM_CIPHER\-SM2
\&\- SM2 Asymmetric Cipher algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Asymmetric Cipher support for the \fB\s-1SM2\s0\fR key type.
-.SS "\s-1SM2\s0 Asymmetric Cipher parameters"
+Asymmetric Cipher support for the \fBSM2\fR key type.
+.SS "SM2 Asymmetric Cipher parameters"
.IX Subsection "SM2 Asymmetric Cipher parameters"
-.ie n .IP """digest"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """digest-props"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest-props'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest-props (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>"
+.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>"
.PD
-See \*(L"Asymmetric Cipher Parameters\*(R" in \fBprovider\-asym_cipher\fR\|(7).
+See "Asymmetric Cipher Parameters" in \fBprovider\-asym_cipher\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-SM2\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-SM2\fR\|(7),
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-asym_cipher\fR\|(7),
\&\fBprovider\-keymgmt\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7
index a9730056ef87..ba3ef2d2cb06 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-AES.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,141 +52,85 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-AES 7ossl"
-.TH EVP_CIPHER-AES 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-AES 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-AES \- The AES EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1AES\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for AES symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
-The following algorithms are available in the \s-1FIPS\s0 provider as well as the
+The following algorithms are available in the FIPS provider as well as the
default provider:
-.ie n .IP """\s-1AES\-128\-CBC"", ""AES\-192\-CBC""\s0 and ""\s-1AES\-256\-CBC""\s0" 4
-.el .IP "``\s-1AES\-128\-CBC'', ``AES\-192\-CBC''\s0 and ``\s-1AES\-256\-CBC''\s0" 4
-.IX Item "AES-128-CBC, AES-192-CBC and AES-256-CBC"
+.IP """AES\-128\-CBC"", ""AES\-192\-CBC"" and ""AES\-256\-CBC""" 4
+.IX Item """AES-128-CBC"", ""AES-192-CBC"" and ""AES-256-CBC"""
.PD 0
-.ie n .IP """\s-1AES\-128\-CBC\-CTS"", ""AES\-192\-CBC\-CTS""\s0 and ""\s-1AES\-256\-CBC\-CTS""\s0" 4
-.el .IP "``\s-1AES\-128\-CBC\-CTS'', ``AES\-192\-CBC\-CTS''\s0 and ``\s-1AES\-256\-CBC\-CTS''\s0" 4
-.IX Item "AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS"
-.ie n .IP """\s-1AES\-128\-CFB"", ""AES\-192\-CFB"", ""AES\-256\-CFB"", ""AES\-128\-CFB1"", ""AES\-192\-CFB1"", ""AES\-256\-CFB1"", ""AES\-128\-CFB8"", ""AES\-192\-CFB8""\s0 and ""\s-1AES\-256\-CFB8""\s0" 4
-.el .IP "``\s-1AES\-128\-CFB'', ``AES\-192\-CFB'', ``AES\-256\-CFB'', ``AES\-128\-CFB1'', ``AES\-192\-CFB1'', ``AES\-256\-CFB1'', ``AES\-128\-CFB8'', ``AES\-192\-CFB8''\s0 and ``\s-1AES\-256\-CFB8''\s0" 4
-.IX Item "AES-128-CFB, AES-192-CFB, AES-256-CFB, AES-128-CFB1, AES-192-CFB1, AES-256-CFB1, AES-128-CFB8, AES-192-CFB8 and AES-256-CFB8"
-.ie n .IP """\s-1AES\-128\-CTR"", ""AES\-192\-CTR""\s0 and ""\s-1AES\-256\-CTR""\s0" 4
-.el .IP "``\s-1AES\-128\-CTR'', ``AES\-192\-CTR''\s0 and ``\s-1AES\-256\-CTR''\s0" 4
-.IX Item "AES-128-CTR, AES-192-CTR and AES-256-CTR"
-.ie n .IP """\s-1AES\-128\-ECB"", ""AES\-192\-ECB""\s0 and ""\s-1AES\-256\-ECB""\s0" 4
-.el .IP "``\s-1AES\-128\-ECB'', ``AES\-192\-ECB''\s0 and ``\s-1AES\-256\-ECB''\s0" 4
-.IX Item "AES-128-ECB, AES-192-ECB and AES-256-ECB"
-.ie n .IP """\s-1AES\-192\-OFB"", ""AES\-128\-OFB""\s0 and ""\s-1AES\-256\-OFB""\s0" 4
-.el .IP "``\s-1AES\-192\-OFB'', ``AES\-128\-OFB''\s0 and ``\s-1AES\-256\-OFB''\s0" 4
-.IX Item "AES-192-OFB, AES-128-OFB and AES-256-OFB"
-.ie n .IP """\s-1AES\-128\-XTS""\s0 and ""\s-1AES\-256\-XTS""\s0" 4
-.el .IP "``\s-1AES\-128\-XTS''\s0 and ``\s-1AES\-256\-XTS''\s0" 4
-.IX Item "AES-128-XTS and AES-256-XTS"
-.ie n .IP """\s-1AES\-128\-CCM"", ""AES\-192\-CCM""\s0 and ""\s-1AES\-256\-CCM""\s0" 4
-.el .IP "``\s-1AES\-128\-CCM'', ``AES\-192\-CCM''\s0 and ``\s-1AES\-256\-CCM''\s0" 4
-.IX Item "AES-128-CCM, AES-192-CCM and AES-256-CCM"
-.ie n .IP """\s-1AES\-128\-GCM"", ""AES\-192\-GCM""\s0 and ""\s-1AES\-256\-GCM""\s0" 4
-.el .IP "``\s-1AES\-128\-GCM'', ``AES\-192\-GCM''\s0 and ``\s-1AES\-256\-GCM''\s0" 4
-.IX Item "AES-128-GCM, AES-192-GCM and AES-256-GCM"
-.ie n .IP """\s-1AES\-128\-WRAP"", ""AES\-192\-WRAP"", ""AES\-256\-WRAP"", ""AES\-128\-WRAP\-PAD"", ""AES\-192\-WRAP\-PAD"", ""AES\-256\-WRAP\-PAD"", ""AES\-128\-WRAP\-INV"", ""AES\-192\-WRAP\-INV"", ""AES\-256\-WRAP\-INV"", ""AES\-128\-WRAP\-PAD\-INV"", ""AES\-192\-WRAP\-PAD\-INV""\s0 and ""\s-1AES\-256\-WRAP\-PAD\-INV""\s0" 4
-.el .IP "``\s-1AES\-128\-WRAP'', ``AES\-192\-WRAP'', ``AES\-256\-WRAP'', ``AES\-128\-WRAP\-PAD'', ``AES\-192\-WRAP\-PAD'', ``AES\-256\-WRAP\-PAD'', ``AES\-128\-WRAP\-INV'', ``AES\-192\-WRAP\-INV'', ``AES\-256\-WRAP\-INV'', ``AES\-128\-WRAP\-PAD\-INV'', ``AES\-192\-WRAP\-PAD\-INV''\s0 and ``\s-1AES\-256\-WRAP\-PAD\-INV''\s0" 4
-.IX Item "AES-128-WRAP, AES-192-WRAP, AES-256-WRAP, AES-128-WRAP-PAD, AES-192-WRAP-PAD, AES-256-WRAP-PAD, AES-128-WRAP-INV, AES-192-WRAP-INV, AES-256-WRAP-INV, AES-128-WRAP-PAD-INV, AES-192-WRAP-PAD-INV and AES-256-WRAP-PAD-INV"
-.ie n .IP """\s-1AES\-128\-CBC\-HMAC\-SHA1"", ""AES\-256\-CBC\-HMAC\-SHA1"", ""AES\-128\-CBC\-HMAC\-SHA256""\s0 and ""\s-1AES\-256\-CBC\-HMAC\-SHA256""\s0" 4
-.el .IP "``\s-1AES\-128\-CBC\-HMAC\-SHA1'', ``AES\-256\-CBC\-HMAC\-SHA1'', ``AES\-128\-CBC\-HMAC\-SHA256''\s0 and ``\s-1AES\-256\-CBC\-HMAC\-SHA256''\s0" 4
-.IX Item "AES-128-CBC-HMAC-SHA1, AES-256-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256 and AES-256-CBC-HMAC-SHA256"
+.IP """AES\-128\-CBC\-CTS"", ""AES\-192\-CBC\-CTS"" and ""AES\-256\-CBC\-CTS""" 4
+.IX Item """AES-128-CBC-CTS"", ""AES-192-CBC-CTS"" and ""AES-256-CBC-CTS"""
+.IP """AES\-128\-CFB"", ""AES\-192\-CFB"", ""AES\-256\-CFB"", ""AES\-128\-CFB1"", ""AES\-192\-CFB1"", ""AES\-256\-CFB1"", ""AES\-128\-CFB8"", ""AES\-192\-CFB8"" and ""AES\-256\-CFB8""" 4
+.IX Item """AES-128-CFB"", ""AES-192-CFB"", ""AES-256-CFB"", ""AES-128-CFB1"", ""AES-192-CFB1"", ""AES-256-CFB1"", ""AES-128-CFB8"", ""AES-192-CFB8"" and ""AES-256-CFB8"""
+.IP """AES\-128\-CTR"", ""AES\-192\-CTR"" and ""AES\-256\-CTR""" 4
+.IX Item """AES-128-CTR"", ""AES-192-CTR"" and ""AES-256-CTR"""
+.IP """AES\-128\-ECB"", ""AES\-192\-ECB"" and ""AES\-256\-ECB""" 4
+.IX Item """AES-128-ECB"", ""AES-192-ECB"" and ""AES-256-ECB"""
+.IP """AES\-192\-OFB"", ""AES\-128\-OFB"" and ""AES\-256\-OFB""" 4
+.IX Item """AES-192-OFB"", ""AES-128-OFB"" and ""AES-256-OFB"""
+.IP """AES\-128\-XTS"" and ""AES\-256\-XTS""" 4
+.IX Item """AES-128-XTS"" and ""AES-256-XTS"""
+.IP """AES\-128\-CCM"", ""AES\-192\-CCM"" and ""AES\-256\-CCM""" 4
+.IX Item """AES-128-CCM"", ""AES-192-CCM"" and ""AES-256-CCM"""
+.IP """AES\-128\-GCM"", ""AES\-192\-GCM"" and ""AES\-256\-GCM""" 4
+.IX Item """AES-128-GCM"", ""AES-192-GCM"" and ""AES-256-GCM"""
+.IP """AES\-128\-WRAP"", ""AES\-192\-WRAP"", ""AES\-256\-WRAP"", ""AES\-128\-WRAP\-PAD"", ""AES\-192\-WRAP\-PAD"", ""AES\-256\-WRAP\-PAD"", ""AES\-128\-WRAP\-INV"", ""AES\-192\-WRAP\-INV"", ""AES\-256\-WRAP\-INV"", ""AES\-128\-WRAP\-PAD\-INV"", ""AES\-192\-WRAP\-PAD\-INV"" and ""AES\-256\-WRAP\-PAD\-INV""" 4
+.IX Item """AES-128-WRAP"", ""AES-192-WRAP"", ""AES-256-WRAP"", ""AES-128-WRAP-PAD"", ""AES-192-WRAP-PAD"", ""AES-256-WRAP-PAD"", ""AES-128-WRAP-INV"", ""AES-192-WRAP-INV"", ""AES-256-WRAP-INV"", ""AES-128-WRAP-PAD-INV"", ""AES-192-WRAP-PAD-INV"" and ""AES-256-WRAP-PAD-INV"""
+.IP """AES\-128\-CBC\-HMAC\-SHA1"", ""AES\-256\-CBC\-HMAC\-SHA1"", ""AES\-128\-CBC\-HMAC\-SHA256"" and ""AES\-256\-CBC\-HMAC\-SHA256""" 4
+.IX Item """AES-128-CBC-HMAC-SHA1"", ""AES-256-CBC-HMAC-SHA1"", ""AES-128-CBC-HMAC-SHA256"" and ""AES-256-CBC-HMAC-SHA256"""
.PD
.PP
The following algorithms are available in the default provider, but not the
-\&\s-1FIPS\s0 provider:
-.ie n .IP """\s-1AES\-128\-OCB"", ""AES\-192\-OCB""\s0 and ""\s-1AES\-256\-OCB""\s0" 4
-.el .IP "``\s-1AES\-128\-OCB'', ``AES\-192\-OCB''\s0 and ``\s-1AES\-256\-OCB''\s0" 4
-.IX Item "AES-128-OCB, AES-192-OCB and AES-256-OCB"
+FIPS provider:
+.IP """AES\-128\-OCB"", ""AES\-192\-OCB"" and ""AES\-256\-OCB""" 4
+.IX Item """AES-128-OCB"", ""AES-192-OCB"" and ""AES-256-OCB"""
.PD 0
-.ie n .IP """\s-1AES\-128\-SIV"", ""AES\-192\-SIV""\s0 and ""\s-1AES\-256\-SIV""\s0" 4
-.el .IP "``\s-1AES\-128\-SIV'', ``AES\-192\-SIV''\s0 and ``\s-1AES\-256\-SIV''\s0" 4
-.IX Item "AES-128-SIV, AES-192-SIV and AES-256-SIV"
+.IP """AES\-128\-SIV"", ""AES\-192\-SIV"" and ""AES\-256\-SIV""" 4
+.IX Item """AES-128-SIV"", ""AES-192-SIV"" and ""AES-256-SIV"""
+.IP """AES\-128\-GCM\-SIV"", ""AES\-192\-GCM\-SIV"" and ""AES\-256\-GCM\-SIV""" 4
+.IX Item """AES-128-GCM-SIV"", ""AES-192-GCM-SIV"" and ""AES-256-GCM-SIV"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
+.SH NOTES
+.IX Header "NOTES"
+The AES-SIV and AES-WRAP mode implementations do not support streaming. That
+means to obtain correct results there can be only one \fBEVP_EncryptUpdate\fR\|(3)
+or \fBEVP_DecryptUpdate\fR\|(3) call after the initialization of the context.
+.PP
+The AES-XTS implementations allow streaming to be performed, but each
+\&\fBEVP_EncryptUpdate\fR\|(3) or \fBEVP_DecryptUpdate\fR\|(3) call requires each input
+to be a multiple of the blocksize. Only the final \fBEVP_EncryptUpdate()\fR or
+\&\fBEVP_DecryptUpdate()\fR call can optionally have an input that is not a multiple
+of the blocksize but is larger than one block. In that case ciphertext
+stealing (CTS) is used to fill the block.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-cipher\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+The GCM-SIV mode ciphers were added in OpenSSL version 3.2.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7
index 57fd0fd1dbb2..9210862f71e2 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-ARIA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,120 +52,52 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-ARIA 7ossl"
-.TH EVP_CIPHER-ARIA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-ARIA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-ARIA \- The ARIA EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1ARIA\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for ARIA symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the default provider:
-.ie n .IP """\s-1ARIA\-128\-CBC"", ""ARIA\-192\-CBC""\s0 and ""\s-1ARIA\-256\-CBC""\s0" 4
-.el .IP "``\s-1ARIA\-128\-CBC'', ``ARIA\-192\-CBC''\s0 and ``\s-1ARIA\-256\-CBC''\s0" 4
-.IX Item "ARIA-128-CBC, ARIA-192-CBC and ARIA-256-CBC"
+.IP """ARIA\-128\-CBC"", ""ARIA\-192\-CBC"" and ""ARIA\-256\-CBC""" 4
+.IX Item """ARIA-128-CBC"", ""ARIA-192-CBC"" and ""ARIA-256-CBC"""
.PD 0
-.ie n .IP """\s-1ARIA\-128\-CFB"", ""ARIA\-192\-CFB"", ""ARIA\-256\-CFB"", ""ARIA\-128\-CFB1"", ""ARIA\-192\-CFB1"", ""ARIA\-256\-CFB1"", ""ARIA\-128\-CFB8"", ""ARIA\-192\-CFB8""\s0 and ""\s-1ARIA\-256\-CFB8""\s0" 4
-.el .IP "``\s-1ARIA\-128\-CFB'', ``ARIA\-192\-CFB'', ``ARIA\-256\-CFB'', ``ARIA\-128\-CFB1'', ``ARIA\-192\-CFB1'', ``ARIA\-256\-CFB1'', ``ARIA\-128\-CFB8'', ``ARIA\-192\-CFB8''\s0 and ``\s-1ARIA\-256\-CFB8''\s0" 4
-.IX Item "ARIA-128-CFB, ARIA-192-CFB, ARIA-256-CFB, ARIA-128-CFB1, ARIA-192-CFB1, ARIA-256-CFB1, ARIA-128-CFB8, ARIA-192-CFB8 and ARIA-256-CFB8"
-.ie n .IP """\s-1ARIA\-128\-CTR"", ""ARIA\-192\-CTR""\s0 and ""\s-1ARIA\-256\-CTR""\s0" 4
-.el .IP "``\s-1ARIA\-128\-CTR'', ``ARIA\-192\-CTR''\s0 and ``\s-1ARIA\-256\-CTR''\s0" 4
-.IX Item "ARIA-128-CTR, ARIA-192-CTR and ARIA-256-CTR"
-.ie n .IP """\s-1ARIA\-128\-ECB"", ""ARIA\-192\-ECB""\s0 and ""\s-1ARIA\-256\-ECB""\s0" 4
-.el .IP "``\s-1ARIA\-128\-ECB'', ``ARIA\-192\-ECB''\s0 and ``\s-1ARIA\-256\-ECB''\s0" 4
-.IX Item "ARIA-128-ECB, ARIA-192-ECB and ARIA-256-ECB"
-.ie n .IP """\s-1AES\-192\-OCB"", ""AES\-128\-OCB""\s0 and ""\s-1AES\-256\-OCB""\s0" 4
-.el .IP "``\s-1AES\-192\-OCB'', ``AES\-128\-OCB''\s0 and ``\s-1AES\-256\-OCB''\s0" 4
-.IX Item "AES-192-OCB, AES-128-OCB and AES-256-OCB"
-.ie n .IP """\s-1ARIA\-128\-OFB"", ""ARIA\-192\-OFB""\s0 and ""\s-1ARIA\-256\-OFB""\s0" 4
-.el .IP "``\s-1ARIA\-128\-OFB'', ``ARIA\-192\-OFB''\s0 and ``\s-1ARIA\-256\-OFB''\s0" 4
-.IX Item "ARIA-128-OFB, ARIA-192-OFB and ARIA-256-OFB"
-.ie n .IP """\s-1ARIA\-128\-CCM"", ""ARIA\-192\-CCM""\s0 and ""\s-1ARIA\-256\-CCM""\s0" 4
-.el .IP "``\s-1ARIA\-128\-CCM'', ``ARIA\-192\-CCM''\s0 and ``\s-1ARIA\-256\-CCM''\s0" 4
-.IX Item "ARIA-128-CCM, ARIA-192-CCM and ARIA-256-CCM"
-.ie n .IP """\s-1ARIA\-128\-GCM"", ""ARIA\-192\-GCM""\s0 and ""\s-1ARIA\-256\-GCM""\s0" 4
-.el .IP "``\s-1ARIA\-128\-GCM'', ``ARIA\-192\-GCM''\s0 and ``\s-1ARIA\-256\-GCM''\s0" 4
-.IX Item "ARIA-128-GCM, ARIA-192-GCM and ARIA-256-GCM"
+.IP """ARIA\-128\-CFB"", ""ARIA\-192\-CFB"", ""ARIA\-256\-CFB"", ""ARIA\-128\-CFB1"", ""ARIA\-192\-CFB1"", ""ARIA\-256\-CFB1"", ""ARIA\-128\-CFB8"", ""ARIA\-192\-CFB8"" and ""ARIA\-256\-CFB8""" 4
+.IX Item """ARIA-128-CFB"", ""ARIA-192-CFB"", ""ARIA-256-CFB"", ""ARIA-128-CFB1"", ""ARIA-192-CFB1"", ""ARIA-256-CFB1"", ""ARIA-128-CFB8"", ""ARIA-192-CFB8"" and ""ARIA-256-CFB8"""
+.IP """ARIA\-128\-CTR"", ""ARIA\-192\-CTR"" and ""ARIA\-256\-CTR""" 4
+.IX Item """ARIA-128-CTR"", ""ARIA-192-CTR"" and ""ARIA-256-CTR"""
+.IP """ARIA\-128\-ECB"", ""ARIA\-192\-ECB"" and ""ARIA\-256\-ECB""" 4
+.IX Item """ARIA-128-ECB"", ""ARIA-192-ECB"" and ""ARIA-256-ECB"""
+.IP """AES\-192\-OCB"", ""AES\-128\-OCB"" and ""AES\-256\-OCB""" 4
+.IX Item """AES-192-OCB"", ""AES-128-OCB"" and ""AES-256-OCB"""
+.IP """ARIA\-128\-OFB"", ""ARIA\-192\-OFB"" and ""ARIA\-256\-OFB""" 4
+.IX Item """ARIA-128-OFB"", ""ARIA-192-OFB"" and ""ARIA-256-OFB"""
+.IP """ARIA\-128\-CCM"", ""ARIA\-192\-CCM"" and ""ARIA\-256\-CCM""" 4
+.IX Item """ARIA-128-CCM"", ""ARIA-192-CCM"" and ""ARIA-256-CCM"""
+.IP """ARIA\-128\-GCM"", ""ARIA\-192\-GCM"" and ""ARIA\-256\-GCM""" 4
+.IX Item """ARIA-128-GCM"", ""ARIA-192-GCM"" and ""ARIA-256-GCM"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7
index 0b07c7ba2cc6..fa3b5aa101c9 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-BLOWFISH.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,44 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-BLOWFISH 7ossl"
-.TH EVP_CIPHER-BLOWFISH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-BLOWFISH 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-BLOWFISH \- The BLOBFISH EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1BLOWFISH\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for BLOWFISH symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """BF-ECB""" 4
-.el .IP "``BF-ECB''" 4
-.IX Item "BF-ECB"
+.IP """BF-ECB""" 4
+.IX Item """BF-ECB"""
.PD 0
-.ie n .IP """BF-CBC""" 4
-.el .IP "``BF-CBC''" 4
-.IX Item "BF-CBC"
-.ie n .IP """BF-OFB""" 4
-.el .IP "``BF-OFB''" 4
-.IX Item "BF-OFB"
-.ie n .IP """BF-CFB""" 4
-.el .IP "``BF-CFB''" 4
-.IX Item "BF-CFB"
+.IP """BF-CBC""" 4
+.IX Item """BF-CBC"""
+.IP """BF-OFB""" 4
+.IX Item """BF-OFB"""
+.IP """BF-CFB""" 4
+.IX Item """BF-CFB"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7
index fa128996498c..6483d1a7c94b 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAMELLIA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,114 +52,48 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-CAMELLIA 7ossl"
-.TH EVP_CIPHER-CAMELLIA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-CAMELLIA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-CAMELLIA \- The CAMELLIA EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1CAMELLIA\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for CAMELLIA symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the default provider:
-.ie n .IP """\s-1CAMELLIA\-128\-CBC"", ""CAMELLIA\-192\-CBC""\s0 and ""\s-1CAMELLIA\-256\-CBC""\s0" 4
-.el .IP "``\s-1CAMELLIA\-128\-CBC'', ``CAMELLIA\-192\-CBC''\s0 and ``\s-1CAMELLIA\-256\-CBC''\s0" 4
-.IX Item "CAMELLIA-128-CBC, CAMELLIA-192-CBC and CAMELLIA-256-CBC"
+.IP """CAMELLIA\-128\-CBC"", ""CAMELLIA\-192\-CBC"" and ""CAMELLIA\-256\-CBC""" 4
+.IX Item """CAMELLIA-128-CBC"", ""CAMELLIA-192-CBC"" and ""CAMELLIA-256-CBC"""
.PD 0
-.ie n .IP """\s-1CAMELLIA\-128\-CBC\-CTS"", ""CAMELLIA\-192\-CBC\-CTS""\s0 and ""\s-1CAMELLIA\-256\-CBC\-CTS""\s0" 4
-.el .IP "``\s-1CAMELLIA\-128\-CBC\-CTS'', ``CAMELLIA\-192\-CBC\-CTS''\s0 and ``\s-1CAMELLIA\-256\-CBC\-CTS''\s0" 4
-.IX Item "CAMELLIA-128-CBC-CTS, CAMELLIA-192-CBC-CTS and CAMELLIA-256-CBC-CTS"
-.ie n .IP """\s-1CAMELLIA\-128\-CFB"", ""CAMELLIA\-192\-CFB"", ""CAMELLIA\-256\-CFB"", ""CAMELLIA\-128\-CFB1"", ""CAMELLIA\-192\-CFB1"", ""CAMELLIA\-256\-CFB1"", ""CAMELLIA\-128\-CFB8"", ""CAMELLIA\-192\-CFB8""\s0 and ""\s-1CAMELLIA\-256\-CFB8""\s0" 4
-.el .IP "``\s-1CAMELLIA\-128\-CFB'', ``CAMELLIA\-192\-CFB'', ``CAMELLIA\-256\-CFB'', ``CAMELLIA\-128\-CFB1'', ``CAMELLIA\-192\-CFB1'', ``CAMELLIA\-256\-CFB1'', ``CAMELLIA\-128\-CFB8'', ``CAMELLIA\-192\-CFB8''\s0 and ``\s-1CAMELLIA\-256\-CFB8''\s0" 4
-.IX Item "CAMELLIA-128-CFB, CAMELLIA-192-CFB, CAMELLIA-256-CFB, CAMELLIA-128-CFB1, CAMELLIA-192-CFB1, CAMELLIA-256-CFB1, CAMELLIA-128-CFB8, CAMELLIA-192-CFB8 and CAMELLIA-256-CFB8"
-.ie n .IP """\s-1CAMELLIA\-128\-CTR"", ""CAMELLIA\-192\-CTR""\s0 and ""\s-1CAMELLIA\-256\-CTR""\s0" 4
-.el .IP "``\s-1CAMELLIA\-128\-CTR'', ``CAMELLIA\-192\-CTR''\s0 and ``\s-1CAMELLIA\-256\-CTR''\s0" 4
-.IX Item "CAMELLIA-128-CTR, CAMELLIA-192-CTR and CAMELLIA-256-CTR"
-.ie n .IP """\s-1CAMELLIA\-128\-ECB"", ""CAMELLIA\-192\-ECB""\s0 and ""\s-1CAMELLIA\-256\-ECB""\s0" 4
-.el .IP "``\s-1CAMELLIA\-128\-ECB'', ``CAMELLIA\-192\-ECB''\s0 and ``\s-1CAMELLIA\-256\-ECB''\s0" 4
-.IX Item "CAMELLIA-128-ECB, CAMELLIA-192-ECB and CAMELLIA-256-ECB"
-.ie n .IP """\s-1CAMELLIA\-192\-OFB"", ""CAMELLIA\-128\-OFB""\s0 and ""\s-1CAMELLIA\-256\-OFB""\s0" 4
-.el .IP "``\s-1CAMELLIA\-192\-OFB'', ``CAMELLIA\-128\-OFB''\s0 and ``\s-1CAMELLIA\-256\-OFB''\s0" 4
-.IX Item "CAMELLIA-192-OFB, CAMELLIA-128-OFB and CAMELLIA-256-OFB"
+.IP """CAMELLIA\-128\-CBC\-CTS"", ""CAMELLIA\-192\-CBC\-CTS"" and ""CAMELLIA\-256\-CBC\-CTS""" 4
+.IX Item """CAMELLIA-128-CBC-CTS"", ""CAMELLIA-192-CBC-CTS"" and ""CAMELLIA-256-CBC-CTS"""
+.IP """CAMELLIA\-128\-CFB"", ""CAMELLIA\-192\-CFB"", ""CAMELLIA\-256\-CFB"", ""CAMELLIA\-128\-CFB1"", ""CAMELLIA\-192\-CFB1"", ""CAMELLIA\-256\-CFB1"", ""CAMELLIA\-128\-CFB8"", ""CAMELLIA\-192\-CFB8"" and ""CAMELLIA\-256\-CFB8""" 4
+.IX Item """CAMELLIA-128-CFB"", ""CAMELLIA-192-CFB"", ""CAMELLIA-256-CFB"", ""CAMELLIA-128-CFB1"", ""CAMELLIA-192-CFB1"", ""CAMELLIA-256-CFB1"", ""CAMELLIA-128-CFB8"", ""CAMELLIA-192-CFB8"" and ""CAMELLIA-256-CFB8"""
+.IP """CAMELLIA\-128\-CTR"", ""CAMELLIA\-192\-CTR"" and ""CAMELLIA\-256\-CTR""" 4
+.IX Item """CAMELLIA-128-CTR"", ""CAMELLIA-192-CTR"" and ""CAMELLIA-256-CTR"""
+.IP """CAMELLIA\-128\-ECB"", ""CAMELLIA\-192\-ECB"" and ""CAMELLIA\-256\-ECB""" 4
+.IX Item """CAMELLIA-128-ECB"", ""CAMELLIA-192-ECB"" and ""CAMELLIA-256-ECB"""
+.IP """CAMELLIA\-192\-OFB"", ""CAMELLIA\-128\-OFB"" and ""CAMELLIA\-256\-OFB""" 4
+.IX Item """CAMELLIA-192-OFB"", ""CAMELLIA-128-OFB"" and ""CAMELLIA-256-OFB"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7
index dff008aa485d..b696d7b1912f 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CAST.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,44 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-CAST 7ossl"
-.TH EVP_CIPHER-CAST 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-CAST 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-CAST \- The CAST EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1CAST\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for CAST symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """\s-1CAST\-128\-CBC"", ""CAST\-192\-CBC""\s0 and ""\s-1CAST\-256\-CBC""\s0" 4
-.el .IP "``\s-1CAST\-128\-CBC'', ``CAST\-192\-CBC''\s0 and ``\s-1CAST\-256\-CBC''\s0" 4
-.IX Item "CAST-128-CBC, CAST-192-CBC and CAST-256-CBC"
+.IP """CAST\-128\-CBC"", ""CAST\-192\-CBC"" and ""CAST\-256\-CBC""" 4
+.IX Item """CAST-128-CBC"", ""CAST-192-CBC"" and ""CAST-256-CBC"""
.PD 0
-.ie n .IP """\s-1CAST\-128\-CFB"", ""CAST\-192\-CFB"", ""CAST\-256\-CFB""\s0" 4
-.el .IP "``\s-1CAST\-128\-CFB'', ``CAST\-192\-CFB'', ``CAST\-256\-CFB''\s0" 4
-.IX Item "CAST-128-CFB, CAST-192-CFB, CAST-256-CFB"
-.ie n .IP """\s-1CAST\-128\-ECB"", ""CAST\-192\-ECB""\s0 and ""\s-1CAST\-256\-ECB""\s0" 4
-.el .IP "``\s-1CAST\-128\-ECB'', ``CAST\-192\-ECB''\s0 and ``\s-1CAST\-256\-ECB''\s0" 4
-.IX Item "CAST-128-ECB, CAST-192-ECB and CAST-256-ECB"
-.ie n .IP """\s-1CAST\-192\-OFB"", ""CAST\-128\-OFB""\s0 and ""\s-1CAST\-256\-OFB""\s0" 4
-.el .IP "``\s-1CAST\-192\-OFB'', ``CAST\-128\-OFB''\s0 and ``\s-1CAST\-256\-OFB''\s0" 4
-.IX Item "CAST-192-OFB, CAST-128-OFB and CAST-256-OFB"
+.IP """CAST\-128\-CFB"", ""CAST\-192\-CFB"", ""CAST\-256\-CFB""" 4
+.IX Item """CAST-128-CFB"", ""CAST-192-CFB"", ""CAST-256-CFB"""
+.IP """CAST\-128\-ECB"", ""CAST\-192\-ECB"" and ""CAST\-256\-ECB""" 4
+.IX Item """CAST-128-ECB"", ""CAST-192-ECB"" and ""CAST-256-ECB"""
+.IP """CAST\-192\-OFB"", ""CAST\-128\-OFB"" and ""CAST\-256\-OFB""" 4
+.IX Item """CAST-192-OFB"", ""CAST-128-OFB"" and ""CAST-256-OFB"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7
index 1e6320dc9e7d..0d2a1136a27c 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-CHACHA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,102 +52,40 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-CHACHA 7ossl"
-.TH EVP_CIPHER-CHACHA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-CHACHA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-CHACHA \- The CHACHA EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1CHACHA\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for CHACHA symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the default provider:
-.ie n .IP """ChaCha20""" 4
-.el .IP "``ChaCha20''" 4
-.IX Item "ChaCha20"
+.IP """ChaCha20""" 4
+.IX Item """ChaCha20"""
.PD 0
-.ie n .IP """ChaCha20\-Poly1305""" 4
-.el .IP "``ChaCha20\-Poly1305''" 4
-.IX Item "ChaCha20-Poly1305"
+.IP """ChaCha20\-Poly1305""" 4
+.IX Item """ChaCha20-Poly1305"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7
index 54d91917064b..f90426cc0379 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-DES.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,146 +52,73 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-DES 7ossl"
-.TH EVP_CIPHER-DES 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-DES 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-DES \- The DES EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1DES\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for DES symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
-The following algorithms are available in the \s-1FIPS\s0 provider as well as the
+The following algorithms are available in the FIPS provider as well as the
default provider:
-.ie n .IP """\s-1DES\-EDE3\-ECB""\s0 or ""\s-1DES\-EDE3""\s0" 4
-.el .IP "``\s-1DES\-EDE3\-ECB''\s0 or ``\s-1DES\-EDE3''\s0" 4
-.IX Item "DES-EDE3-ECB or DES-EDE3"
+.IP """DES\-EDE3\-ECB"" or ""DES\-EDE3""" 4
+.IX Item """DES-EDE3-ECB"" or ""DES-EDE3"""
.PD 0
-.ie n .IP """\s-1DES\-EDE3\-CBC""\s0 or ""\s-1DES3""\s0" 4
-.el .IP "``\s-1DES\-EDE3\-CBC''\s0 or ``\s-1DES3''\s0" 4
-.IX Item "DES-EDE3-CBC or DES3"
+.IP """DES\-EDE3\-CBC"" or ""DES3""" 4
+.IX Item """DES-EDE3-CBC"" or ""DES3"""
.PD
.PP
The following algorithms are available in the default provider, but not the
-\&\s-1FIPS\s0 provider:
-.ie n .IP """\s-1DES\-EDE3\-CFB8""\s0 and ""\s-1DES\-EDE3\-CFB1""\s0" 4
-.el .IP "``\s-1DES\-EDE3\-CFB8''\s0 and ``\s-1DES\-EDE3\-CFB1''\s0" 4
-.IX Item "DES-EDE3-CFB8 and DES-EDE3-CFB1"
+FIPS provider:
+.IP """DES\-EDE3\-CFB8"" and ""DES\-EDE3\-CFB1""" 4
+.IX Item """DES-EDE3-CFB8"" and ""DES-EDE3-CFB1"""
.PD 0
-.ie n .IP """DES-EDE-ECB"" or ""DES-EDE""" 4
-.el .IP "``DES-EDE-ECB'' or ``DES-EDE''" 4
-.IX Item "DES-EDE-ECB or DES-EDE"
-.ie n .IP """DES-EDE-CBC""" 4
-.el .IP "``DES-EDE-CBC''" 4
-.IX Item "DES-EDE-CBC"
-.ie n .IP """DES-EDE-OFB""" 4
-.el .IP "``DES-EDE-OFB''" 4
-.IX Item "DES-EDE-OFB"
-.ie n .IP """DES-EDE-CFB""" 4
-.el .IP "``DES-EDE-CFB''" 4
-.IX Item "DES-EDE-CFB"
-.ie n .IP """\s-1DES3\-WRAP""\s0" 4
-.el .IP "``\s-1DES3\-WRAP''\s0" 4
-.IX Item "DES3-WRAP"
+.IP """DES-EDE-ECB"" or ""DES-EDE""" 4
+.IX Item """DES-EDE-ECB"" or ""DES-EDE"""
+.IP """DES-EDE-CBC""" 4
+.IX Item """DES-EDE-CBC"""
+.IP """DES-EDE-OFB""" 4
+.IX Item """DES-EDE-OFB"""
+.IP """DES-EDE-CFB""" 4
+.IX Item """DES-EDE-CFB"""
+.IP """DES3\-WRAP""" 4
+.IX Item """DES3-WRAP"""
.PD
.PP
The following algorithms are available in the legacy provider:
-.ie n .IP """DES-ECB""" 4
-.el .IP "``DES-ECB''" 4
-.IX Item "DES-ECB"
+.IP """DES-ECB""" 4
+.IX Item """DES-ECB"""
.PD 0
-.ie n .IP """DES-CBC""" 4
-.el .IP "``DES-CBC''" 4
-.IX Item "DES-CBC"
-.ie n .IP """DES-OFB""" 4
-.el .IP "``DES-OFB''" 4
-.IX Item "DES-OFB"
-.ie n .IP """DES-CFB"", ""\s-1DES\-CFB1""\s0 and ""\s-1DES\-CFB8""\s0" 4
-.el .IP "``DES-CFB'', ``\s-1DES\-CFB1''\s0 and ``\s-1DES\-CFB8''\s0" 4
-.IX Item "DES-CFB, DES-CFB1 and DES-CFB8"
-.ie n .IP """DESX-CBC""" 4
-.el .IP "``DESX-CBC''" 4
-.IX Item "DESX-CBC"
+.IP """DES-CBC""" 4
+.IX Item """DES-CBC"""
+.IP """DES-OFB""" 4
+.IX Item """DES-OFB"""
+.IP """DES-CFB"", ""DES\-CFB1"" and ""DES\-CFB8""" 4
+.IX Item """DES-CFB"", ""DES-CFB1"" and ""DES-CFB8"""
+.IP """DESX-CBC""" 4
+.IX Item """DESX-CBC"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) including "encrypt-check" and "fips-indicator".
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-cipher\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7),
+\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7),
\&\fBOSSL_PROVIDER\-legacy\fR\|(7),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7
index c40eb344a7e5..ff17392741e7 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-IDEA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,44 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-IDEA 7ossl"
-.TH EVP_CIPHER-IDEA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-IDEA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-IDEA \- The IDEA EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1IDEA\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for IDEA symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """IDEA-ECB""" 4
-.el .IP "``IDEA-ECB''" 4
-.IX Item "IDEA-ECB"
+.IP """IDEA-ECB""" 4
+.IX Item """IDEA-ECB"""
.PD 0
-.ie n .IP """IDEA-CBC""" 4
-.el .IP "``IDEA-CBC''" 4
-.IX Item "IDEA-CBC"
-.ie n .IP """IDEA-OFB"" or ""\s-1IDEA\-OFB64""\s0" 4
-.el .IP "``IDEA-OFB'' or ``\s-1IDEA\-OFB64''\s0" 4
-.IX Item "IDEA-OFB or IDEA-OFB64"
-.ie n .IP """IDEA-CFB"" or ""\s-1IDEA\-CFB64""\s0" 4
-.el .IP "``IDEA-CFB'' or ``\s-1IDEA\-CFB64''\s0" 4
-.IX Item "IDEA-CFB or IDEA-CFB64"
+.IP """IDEA-CBC""" 4
+.IX Item """IDEA-CBC"""
+.IP """IDEA-OFB"" or ""IDEA\-OFB64""" 4
+.IX Item """IDEA-OFB"" or ""IDEA-OFB64"""
+.IP """IDEA-CFB"" or ""IDEA\-CFB64""" 4
+.IX Item """IDEA-CFB"" or ""IDEA-CFB64"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7
index fc39ddbd0a68..4333a408a13a 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-NULL.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,130 +52,65 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-NULL 7ossl"
-.TH EVP_CIPHER-NULL 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-NULL 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-NULL \- The NULL EVP_CIPHER implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for a \s-1NULL\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
-This is used when the \s-1TLS\s0 cipher suite is \s-1TLS_NULL_WITH_NULL_NULL.\s0
+Support for a NULL symmetric encryption using the \fBEVP_CIPHER\fR API.
+This is used when the TLS cipher suite is TLS_NULL_WITH_NULL_NULL.
This does no encryption (just copies the data) and has a mac size of zero.
.SS "Algorithm Name"
.IX Subsection "Algorithm Name"
The following algorithm is available in the default provider:
-.ie n .IP """\s-1NULL""\s0" 4
-.el .IP "``\s-1NULL''\s0" 4
-.IX Item "NULL"
-.SS "Parameters"
+.IP """NULL""" 4
+.IX Item """NULL"""
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the following parameters:
.PP
-\fIGettable \s-1EVP_CIPHER\s0 parameters\fR
+\fIGettable EVP_CIPHER parameters\fR
.IX Subsection "Gettable EVP_CIPHER parameters"
.PP
-See \*(L"Gettable \s-1EVP_CIPHER\s0 parameters\*(R" in \fBEVP_EncryptInit\fR\|(3)
+See "Gettable EVP_CIPHER parameters" in \fBEVP_EncryptInit\fR\|(3)
.PP
-\fIGettable \s-1EVP_CIPHER_CTX\s0 parameters\fR
+\fIGettable EVP_CIPHER_CTX parameters\fR
.IX Subsection "Gettable EVP_CIPHER_CTX parameters"
-.ie n .IP """keylen"" (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``keylen'' (\fB\s-1OSSL_CIPHER_PARAM_KEYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "keylen (OSSL_CIPHER_PARAM_KEYLEN) <unsigned integer>"
+.IP """keylen"" (\fBOSSL_CIPHER_PARAM_KEYLEN\fR) <unsigned integer>" 4
+.IX Item """keylen"" (OSSL_CIPHER_PARAM_KEYLEN) <unsigned integer>"
.PD 0
-.ie n .IP """ivlen"" (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR and <\fB\s-1OSSL_CIPHER_PARAM_AEAD_IVLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``ivlen'' (\fB\s-1OSSL_CIPHER_PARAM_IVLEN\s0\fR and <\fB\s-1OSSL_CIPHER_PARAM_AEAD_IVLEN\s0\fR) <unsigned integer>" 4
-.IX Item "ivlen (OSSL_CIPHER_PARAM_IVLEN and <OSSL_CIPHER_PARAM_AEAD_IVLEN) <unsigned integer>"
-.ie n .IP """tls-mac"" (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC\s0\fR) <octet ptr>" 4
-.el .IP "``tls-mac'' (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC\s0\fR) <octet ptr>" 4
-.IX Item "tls-mac (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>"
+.IP """ivlen"" (\fBOSSL_CIPHER_PARAM_IVLEN\fR and <\fBOSSL_CIPHER_PARAM_AEAD_IVLEN\fR) <unsigned integer>" 4
+.IX Item """ivlen"" (OSSL_CIPHER_PARAM_IVLEN and <OSSL_CIPHER_PARAM_AEAD_IVLEN) <unsigned integer>"
+.IP """tls-mac"" (\fBOSSL_CIPHER_PARAM_TLS_MAC\fR) <octet ptr>" 4
+.IX Item """tls-mac"" (OSSL_CIPHER_PARAM_TLS_MAC) <octet ptr>"
.PD
.PP
-See \*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3) for further information.
+See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information.
.PP
-\fISettable \s-1EVP_CIPHER_CTX\s0 parameters\fR
+\fISettable EVP_CIPHER_CTX parameters\fR
.IX Subsection "Settable EVP_CIPHER_CTX parameters"
-.ie n .IP """tls-mac-size"" (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-mac-size'' (\fB\s-1OSSL_CIPHER_PARAM_TLS_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "tls-mac-size (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>"
+.IP """tls-mac-size"" (\fBOSSL_CIPHER_PARAM_TLS_MAC_SIZE\fR) <unsigned integer>" 4
+.IX Item """tls-mac-size"" (OSSL_CIPHER_PARAM_TLS_MAC_SIZE) <unsigned integer>"
.PP
-See \*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3) for further information.
+See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 5246\s0 section\-6.2.3.1
+RFC 5246 section\-6.2.3.1
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7
index aa3030def6e0..e5bdc2a1105f 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,114 +52,48 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-RC2 7ossl"
-.TH EVP_CIPHER-RC2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-RC2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-RC2 \- The RC2 EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1RC2\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for RC2 symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """\s-1RC2\-CBC"", ""RC2""\s0 or ""\s-1RC2\-128""\s0" 4
-.el .IP "``\s-1RC2\-CBC'', ``RC2''\s0 or ``\s-1RC2\-128''\s0" 4
-.IX Item "RC2-CBC, RC2 or RC2-128"
+.IP """RC2\-CBC"", ""RC2"" or ""RC2\-128""" 4
+.IX Item """RC2-CBC"", ""RC2"" or ""RC2-128"""
.PD 0
-.ie n .IP """\s-1RC2\-40\-CBC""\s0 or ""\s-1RC2\-40""\s0" 4
-.el .IP "``\s-1RC2\-40\-CBC''\s0 or ``\s-1RC2\-40''\s0" 4
-.IX Item "RC2-40-CBC or RC2-40"
-.ie n .IP """\s-1RC2\-64\-CBC""\s0 or ""\s-1RC2\-64""\s0" 4
-.el .IP "``\s-1RC2\-64\-CBC''\s0 or ``\s-1RC2\-64''\s0" 4
-.IX Item "RC2-64-CBC or RC2-64"
-.ie n .IP """\s-1RC2\-ECB""\s0" 4
-.el .IP "``\s-1RC2\-ECB''\s0" 4
-.IX Item "RC2-ECB"
-.ie n .IP """\s-1RC2\-CFB""\s0" 4
-.el .IP "``\s-1RC2\-CFB''\s0" 4
-.IX Item "RC2-CFB"
-.ie n .IP """\s-1RC2\-OFB""\s0" 4
-.el .IP "``\s-1RC2\-OFB''\s0" 4
-.IX Item "RC2-OFB"
+.IP """RC2\-40\-CBC"" or ""RC2\-40""" 4
+.IX Item """RC2-40-CBC"" or ""RC2-40"""
+.IP """RC2\-64\-CBC"" or ""RC2\-64""" 4
+.IX Item """RC2-64-CBC"" or ""RC2-64"""
+.IP """RC2\-ECB""" 4
+.IX Item """RC2-ECB"""
+.IP """RC2\-CFB""" 4
+.IX Item """RC2-CFB"""
+.IP """RC2\-OFB""" 4
+.IX Item """RC2-OFB"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7
index aadd1d3f1a51..027970a0dd31 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC4.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,105 +52,42 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-RC4 7ossl"
-.TH EVP_CIPHER-RC4 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-RC4 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-RC4 \- The RC4 EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1RC4\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for RC4 symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """\s-1RC4""\s0" 4
-.el .IP "``\s-1RC4''\s0" 4
-.IX Item "RC4"
+.IP """RC4""" 4
+.IX Item """RC4"""
.PD 0
-.ie n .IP """\s-1RC4\-40""\s0" 4
-.el .IP "``\s-1RC4\-40''\s0" 4
-.IX Item "RC4-40"
-.ie n .IP """\s-1RC4\-HMAC\-MD5""\s0" 4
-.el .IP "``\s-1RC4\-HMAC\-MD5''\s0" 4
-.IX Item "RC4-HMAC-MD5"
+.IP """RC4\-40""" 4
+.IX Item """RC4-40"""
+.IP """RC4\-HMAC\-MD5""" 4
+.IX Item """RC4-HMAC-MD5"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7
index c2e3aab7dcab..e71716c5808c 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-RC5.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,110 +52,46 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-RC5 7ossl"
-.TH EVP_CIPHER-RC5 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-RC5 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-RC5 \- The RC5 EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1RC5\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for RC5 symmetric encryption using the \fBEVP_CIPHER\fR API.
.PP
Disabled by default. Use the \fIenable\-rc5\fR configuration option to enable.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """\s-1RC5\-CBC""\s0 or ""\s-1RC5""\s0" 4
-.el .IP "``\s-1RC5\-CBC''\s0 or ``\s-1RC5''\s0" 4
-.IX Item "RC5-CBC or RC5"
+.IP """RC5\-CBC"" or ""RC5""" 4
+.IX Item """RC5-CBC"" or ""RC5"""
.PD 0
-.ie n .IP """\s-1RC5\-ECB""\s0" 4
-.el .IP "``\s-1RC5\-ECB''\s0" 4
-.IX Item "RC5-ECB"
-.ie n .IP """\s-1RC5\-OFB""\s0" 4
-.el .IP "``\s-1RC5\-OFB''\s0" 4
-.IX Item "RC5-OFB"
-.ie n .IP """\s-1RC5\-CFB""\s0" 4
-.el .IP "``\s-1RC5\-CFB''\s0" 4
-.IX Item "RC5-CFB"
+.IP """RC5\-ECB""" 4
+.IX Item """RC5-ECB"""
+.IP """RC5\-OFB""" 4
+.IX Item """RC5-OFB"""
+.IP """RC5\-CFB""" 4
+.IX Item """RC5-CFB"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7
index ee30270a9201..66f73b46db6f 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SEED.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,44 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-SEED 7ossl"
-.TH EVP_CIPHER-SEED 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-SEED 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-SEED \- The SEED EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1SEED\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for SEED symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the legacy provider:
-.ie n .IP """SEED-CBC"" or ""\s-1SEED""\s0" 4
-.el .IP "``SEED-CBC'' or ``\s-1SEED''\s0" 4
-.IX Item "SEED-CBC or SEED"
+.IP """SEED-CBC"" or ""SEED""" 4
+.IX Item """SEED-CBC"" or ""SEED"""
.PD 0
-.ie n .IP """SEED-ECB""" 4
-.el .IP "``SEED-ECB''" 4
-.IX Item "SEED-ECB"
-.ie n .IP """SEED-OFB"" or ""\s-1SEED\-OFB128""\s0" 4
-.el .IP "``SEED-OFB'' or ``\s-1SEED\-OFB128''\s0" 4
-.IX Item "SEED-OFB or SEED-OFB128"
-.ie n .IP """SEED-CFB"" or ""\s-1SEED\-CFB128""\s0" 4
-.el .IP "``SEED-CFB'' or ``\s-1SEED\-CFB128''\s0" 4
-.IX Item "SEED-CFB or SEED-CFB128"
+.IP """SEED-ECB""" 4
+.IX Item """SEED-ECB"""
+.IP """SEED-OFB"" or ""SEED\-OFB128""" 4
+.IX Item """SEED-OFB"" or ""SEED-OFB128"""
+.IP """SEED-CFB"" or ""SEED\-CFB128""" 4
+.IX Item """SEED-CFB"" or ""SEED-CFB128"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7 b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7
index 329189ba789e..d87dc44694cc 100644
--- a/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7
+++ b/secure/lib/libcrypto/man/man7/EVP_CIPHER-SM4.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,111 +52,60 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER-SM4 7ossl"
-.TH EVP_CIPHER-SM4 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_CIPHER-SM4 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_CIPHER\-SM4 \- The SM4 EVP_CIPHER implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for \s-1SM4\s0 symmetric encryption using the \fB\s-1EVP_CIPHER\s0\fR \s-1API.\s0
+Support for SM4 symmetric encryption using the \fBEVP_CIPHER\fR API.
.SS "Algorithm Names"
.IX Subsection "Algorithm Names"
The following algorithms are available in the default provider:
-.ie n .IP """\s-1SM4\-CBC:SM4""\s0" 4
-.el .IP "``\s-1SM4\-CBC:SM4''\s0" 4
-.IX Item "SM4-CBC:SM4"
+.IP """SM4\-CBC:SM4""" 4
+.IX Item """SM4-CBC:SM4"""
.PD 0
-.ie n .IP """\s-1SM4\-ECB""\s0" 4
-.el .IP "``\s-1SM4\-ECB''\s0" 4
-.IX Item "SM4-ECB"
-.ie n .IP """\s-1SM4\-CTR""\s0" 4
-.el .IP "``\s-1SM4\-CTR''\s0" 4
-.IX Item "SM4-CTR"
-.ie n .IP """\s-1SM4\-OFB""\s0 or ""\s-1SM4\-OFB128""\s0" 4
-.el .IP "``\s-1SM4\-OFB''\s0 or ``\s-1SM4\-OFB128''\s0" 4
-.IX Item "SM4-OFB or SM4-OFB128"
-.ie n .IP """\s-1SM4\-CFB""\s0 or ""\s-1SM4\-CFB128""\s0" 4
-.el .IP "``\s-1SM4\-CFB''\s0 or ``\s-1SM4\-CFB128''\s0" 4
-.IX Item "SM4-CFB or SM4-CFB128"
+.IP """SM4\-ECB""" 4
+.IX Item """SM4-ECB"""
+.IP """SM4\-CTR""" 4
+.IX Item """SM4-CTR"""
+.IP """SM4\-OFB"" or ""SM4\-OFB128""" 4
+.IX Item """SM4-OFB"" or ""SM4-OFB128"""
+.IP """SM4\-CFB"" or ""SM4\-CFB128""" 4
+.IX Item """SM4-CFB"" or ""SM4-CFB128"""
+.IP """SM4\-GCM""" 4
+.IX Item """SM4-GCM"""
+.IP """SM4\-CCM""" 4
+.IX Item """SM4-CCM"""
+.IP """SM4\-XTS""" 4
+.IX Item """SM4-XTS"""
.PD
-.SS "Parameters"
+.SS Parameters
.IX Subsection "Parameters"
This implementation supports the parameters described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
+.SH NOTES
+.IX Header "NOTES"
+The SM4\-XTS implementation allows streaming to be performed, but each
+\&\fBEVP_EncryptUpdate\fR\|(3) or \fBEVP_DecryptUpdate\fR\|(3) call requires each input
+to be a multiple of the blocksize. Only the final \fBEVP_EncryptUpdate()\fR or
+\&\fBEVP_DecryptUpdate()\fR call can optionally have an input that is not a multiple
+of the blocksize but is larger than one block. In that case ciphertext
+stealing (CTS) is used to fill the block.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7
new file mode 100644
index 000000000000..ab16ceb90375
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-ARGON2.7
@@ -0,0 +1,236 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_KDF-ARGON2 7ossl"
+.TH EVP_KDF-ARGON2 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_KDF\-ARGON2 \- The Argon2 EVP KDF implementation
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+Support for computing the \fBargon2\fR password-based KDF through the \fBEVP_KDF\fR
+API.
+.PP
+The EVP_KDF\-ARGON2 algorithm implements the Argon2 password-based key
+derivation function, as described in IETF RFC 9106. It is memory-hard in
+the sense that it deliberately requires a significant amount of RAM for efficient
+computation. The intention of this is to render brute forcing of passwords on
+systems that lack large amounts of main memory (such as GPUs or ASICs)
+computationally infeasible.
+.PP
+Argon2d (Argon2i) uses data-dependent (data-independent) memory access and
+primary seek to address trade-off (side-channel) attacks.
+.PP
+Argon2id is a hybrid construction which, in the first two slices of the first
+pass, generates reference addresses data-independently as in Argon2i, whereas
+in later slices and next passes it generates them data-dependently as in
+Argon2d.
+.PP
+Sbox-hardened version Argon2ds is not supported.
+.PP
+For more information, please refer to RFC 9106.
+.SS "Supported parameters"
+.IX Subsection "Supported parameters"
+The supported parameters are:
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+.PD 0
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """secret"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4
+.IX Item """secret"" (OSSL_KDF_PARAM_SECRET) <octet string>"
+.IP """iter"" (\fBOSSL_KDF_PARAM_ITER\fR) <unsigned integer>" 4
+.IX Item """iter"" (OSSL_KDF_PARAM_ITER) <unsigned integer>"
+.IP """size"" (\fBOSSL_KDF_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_KDF_PARAM_SIZE) <unsigned integer>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.Sp
+Note that RFC 9106 recommends 128 bits salt for most applications, or 64 bits
+salt in the case of space constraints. At least 128 bits output length is
+recommended.
+.Sp
+Note that secret (or pepper) is an optional secret data used along the
+password.
+.IP """threads"" (\fBOSSL_KDF_PARAM_THREADS\fR) <unsigned integer>" 4
+.IX Item """threads"" (OSSL_KDF_PARAM_THREADS) <unsigned integer>"
+The number of threads, bounded above by the number of lanes.
+.Sp
+This can only be used with built-in thread support. Threading must be
+explicitly enabled. See EXAMPLES section for more information.
+.IP """ad"" (\fBOSSL_KDF_PARAM_ARGON2_AD\fR) <octet string>" 4
+.IX Item """ad"" (OSSL_KDF_PARAM_ARGON2_AD) <octet string>"
+Optional associated data, may be used to "tag" a group of keys, or tie them
+to a particular public key, without having to modify salt.
+.IP """lanes"" (\fBOSSL_KDF_PARAM_ARGON2_LANES\fR) <unsigned integer>" 4
+.IX Item """lanes"" (OSSL_KDF_PARAM_ARGON2_LANES) <unsigned integer>"
+Argon2 splits the requested memory size into lanes, each of which is designed
+to be processed in parallel. For example, on a system with p cores, it's
+recommended to use p lanes.
+.Sp
+The number of lanes is used to derive the key. It is possible to specify
+more lanes than the number of available computational threads. This is
+especially encouraged if multi-threading is disabled.
+.IP """memcost"" (\fBOSSL_KDF_PARAM_ARGON2_MEMCOST\fR) <unsigned integer>" 4
+.IX Item """memcost"" (OSSL_KDF_PARAM_ARGON2_MEMCOST) <unsigned integer>"
+Memory cost parameter (the number of 1k memory blocks used).
+.IP """version"" (\fBOSSL_KDF_PARAM_ARGON2_VERSION\fR) <unsigned integer>" 4
+.IX Item """version"" (OSSL_KDF_PARAM_ARGON2_VERSION) <unsigned integer>"
+Argon2 version. Supported values: 0x10, 0x13 (default).
+.IP """early_clean"" (\fBOSSL_KDF_PARAM_EARLY_CLEAN\fR) <unsigned integer>" 4
+.IX Item """early_clean"" (OSSL_KDF_PARAM_EARLY_CLEAN) <unsigned integer>"
+If set (nonzero), password and secret stored in Argon2 context are zeroed
+early during initial hash computation, as soon as they are not needed.
+Otherwise, they are zeroed along the rest of Argon2 context data on clear,
+free, reset.
+.Sp
+This can be useful if, for example, multiple keys with different ad value
+are to be generated from a single password and secret.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+This example uses Argon2d with password "1234567890", salt "saltsalt",
+using 2 lanes, 2 threads, and memory cost of 65536:
+.PP
+.Vb 5
+\& #include <string.h> /* strlen */
+\& #include <openssl/core_names.h> /* OSSL_KDF_* */
+\& #include <openssl/params.h> /* OSSL_PARAM_* */
+\& #include <openssl/thread.h> /* OSSL_set_max_threads */
+\& #include <openssl/kdf.h> /* EVP_KDF_* */
+\&
+\& int main(void)
+\& {
+\& int retval = 1;
+\&
+\& EVP_KDF *kdf = NULL;
+\& EVP_KDF_CTX *kctx = NULL;
+\& OSSL_PARAM params[6], *p = params;
+\&
+\& /* argon2 params, please refer to RFC9106 for recommended defaults */
+\& uint32_t lanes = 2, threads = 2, memcost = 65536;
+\& char pwd[] = "1234567890", salt[] = "saltsalt";
+\&
+\& /* derive result */
+\& size_t outlen = 128;
+\& unsigned char result[outlen];
+\&
+\& /* required if threads > 1 */
+\& if (OSSL_set_max_threads(NULL, threads) != 1)
+\& goto fail;
+\&
+\& p = params;
+\& *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_THREADS, &threads);
+\& *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_ARGON2_LANES,
+\& &lanes);
+\& *p++ = OSSL_PARAM_construct_uint32(OSSL_KDF_PARAM_ARGON2_MEMCOST,
+\& &memcost);
+\& *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
+\& salt,
+\& strlen((const char *)salt));
+\& *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PASSWORD,
+\& pwd,
+\& strlen((const char *)pwd));
+\& *p++ = OSSL_PARAM_construct_end();
+\&
+\& if ((kdf = EVP_KDF_fetch(NULL, "ARGON2D", NULL)) == NULL)
+\& goto fail;
+\& if ((kctx = EVP_KDF_CTX_new(kdf)) == NULL)
+\& goto fail;
+\& if (EVP_KDF_derive(kctx, &result[0], outlen, params) != 1)
+\& goto fail;
+\&
+\& printf("Output = %s\en", OPENSSL_buf2hexstr(result, outlen));
+\& retval = 0;
+\&
+\& fail:
+\& EVP_KDF_free(kdf);
+\& EVP_KDF_CTX_free(kctx);
+\& OSSL_set_max_threads(NULL, 0);
+\&
+\& return retval;
+\& }
+.Ve
+.SH NOTES
+.IX Header "NOTES"
+"ARGON2I", "ARGON2D", and "ARGON2ID" are the names for this implementation; it
+can be used with the \fBEVP_KDF_fetch()\fR function.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+RFC 9106 Argon2, see <https://www.rfc\-editor.org/rfc/rfc9106.txt>.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_KDF\fR\|(3),
+\&\fBEVP_KDF_CTX_new\fR\|(3),
+\&\fBEVP_KDF_CTX_free\fR\|(3),
+\&\fBEVP_KDF_CTX_set_params\fR\|(3),
+\&\fBEVP_KDF_derive\fR\|(3),
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added to OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7
index da992a187d1a..15df2fd89166 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-HKDF.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,133 +52,67 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-HKDF 7ossl"
-.TH EVP_KDF-HKDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-HKDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-HKDF \- The HKDF EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fB\s-1HKDF\s0\fR \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR \s-1API.\s0
+Support for computing the \fBHKDF\fR KDF through the \fBEVP_KDF\fR API.
.PP
-The \s-1EVP_KDF\-HKDF\s0 algorithm implements the \s-1HKDF\s0 key derivation function.
-\&\s-1HKDF\s0 follows the \*(L"extract-then-expand\*(R" paradigm, where the \s-1KDF\s0 logically
+The EVP_KDF\-HKDF algorithm implements the HKDF key derivation function.
+HKDF follows the "extract-then-expand" paradigm, where the KDF logically
consists of two modules. The first stage takes the input keying material
-and \*(L"extracts\*(R" from it a fixed-length pseudorandom key K. The second stage
-\&\*(L"expands\*(R" the key K into several additional pseudorandom keys (the output
-of the \s-1KDF\s0).
-.SS "Identity"
+and "extracts" from it a fixed-length pseudorandom key K. The second stage
+"expands" the key K into several additional pseudorandom keys (the output
+of the KDF).
+.PP
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1HKDF\*(R"\s0 is the name for this implementation; it
+"HKDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """info"" (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.IX Item "info (OSSL_KDF_PARAM_INFO) <octet string>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4
+.IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>"
This parameter sets the info value.
The length of the context info buffer cannot exceed 1024 bytes;
-this should be more than enough for any normal use of \s-1HKDF.\s0
-.ie n .IP """mode"" (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string> or <integer>" 4
-.el .IP "``mode'' (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string> or <integer>" 4
-.IX Item "mode (OSSL_KDF_PARAM_MODE) <UTF8 string> or <integer>"
-This parameter sets the mode for the \s-1HKDF\s0 operation.
+this should be more than enough for any normal use of HKDF.
+.IP """mode"" (\fBOSSL_KDF_PARAM_MODE\fR) <UTF8 string> or <integer>" 4
+.IX Item """mode"" (OSSL_KDF_PARAM_MODE) <UTF8 string> or <integer>"
+This parameter sets the mode for the HKDF operation.
There are three modes that are currently defined:
.RS 4
-.ie n .IP """\s-1EXTRACT_AND_EXPAND""\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND\s0\fR" 4
-.el .IP "``\s-1EXTRACT_AND_EXPAND''\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND\s0\fR" 4
-.IX Item "EXTRACT_AND_EXPAND or EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND"
-This is the default mode. Calling \fBEVP_KDF_derive\fR\|(3) on an \s-1EVP_KDF_CTX\s0 set
-up for \s-1HKDF\s0 will perform an extract followed by an expand operation in one go.
+.IP """EXTRACT_AND_EXPAND"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND\fR" 4
+.IX Item """EXTRACT_AND_EXPAND"" or EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND"
+This is the default mode. Calling \fBEVP_KDF_derive\fR\|(3) on an EVP_KDF_CTX set
+up for HKDF will perform an extract followed by an expand operation in one go.
The derived key returned will be the result after the expand operation. The
intermediate fixed-length pseudorandom key K is not returned.
.Sp
In this mode the digest, key, salt and info values must be set before a key is
derived otherwise an error will occur.
-.ie n .IP """\s-1EXTRACT_ONLY""\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXTRACT_ONLY\s0\fR" 4
-.el .IP "``\s-1EXTRACT_ONLY''\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXTRACT_ONLY\s0\fR" 4
-.IX Item "EXTRACT_ONLY or EVP_KDF_HKDF_MODE_EXTRACT_ONLY"
+.IP """EXTRACT_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_ONLY\fR" 4
+.IX Item """EXTRACT_ONLY"" or EVP_KDF_HKDF_MODE_EXTRACT_ONLY"
In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the extract
operation. The value returned will be the intermediate fixed-length pseudorandom
key K. The \fIkeylen\fR parameter must match the size of K, which can be looked
@@ -202,9 +120,8 @@ up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest
.Sp
The digest, key and salt values must be set before a key is derived otherwise
an error will occur.
-.ie n .IP """\s-1EXPAND_ONLY""\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXPAND_ONLY\s0\fR" 4
-.el .IP "``\s-1EXPAND_ONLY''\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXPAND_ONLY\s0\fR" 4
-.IX Item "EXPAND_ONLY or EVP_KDF_HKDF_MODE_EXPAND_ONLY"
+.IP """EXPAND_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXPAND_ONLY\fR" 4
+.IX Item """EXPAND_ONLY"" or EVP_KDF_HKDF_MODE_EXPAND_ONLY"
In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the expand
operation. The input key should be set to the intermediate fixed-length
pseudorandom key K returned from a previous extract operation.
@@ -214,25 +131,41 @@ an error will occur.
.RE
.RS 4
.RE
-.SH "NOTES"
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if "key-check"
+is set to 0 and the check fails.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1HKDF\s0 can be obtained by calling:
+A context for HKDF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HKDF", NULL);
\& EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
.Ve
.PP
-The output length of an \s-1HKDF\s0 expand operation is specified via the \fIkeylen\fR
+The output length of an HKDF expand operation is specified via the \fIkeylen\fR
parameter to the \fBEVP_KDF_derive\fR\|(3) function. When using
-\&\s-1EVP_KDF_HKDF_MODE_EXTRACT_ONLY\s0 the \fIkeylen\fR parameter must equal the size of
+EVP_KDF_HKDF_MODE_EXTRACT_ONLY the \fIkeylen\fR parameter must equal the size of
the intermediate fixed-length pseudorandom key otherwise an error will occur.
For that mode, the fixed output size can be looked up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR
-after setting the mode and digest on the \fB\s-1EVP_KDF_CTX\s0\fR.
-.SH "EXAMPLES"
+after setting the mode and digest on the \fBEVP_KDF_CTX\fR.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R",
-salt value \*(L"salt\*(R" and info value \*(L"label\*(R":
+This example derives 10 bytes using SHA\-256 with the secret key "secret",
+salt value "salt" and info value "label":
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -261,25 +194,25 @@ salt value \*(L"salt\*(R" and info value \*(L"label\*(R":
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 5869\s0
+RFC 5869
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3),
-\&\s-1\fBEVP_KDF\-TLS13_KDF\s0\fR\|(7)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3),
+\&\fBEVP_KDF\-TLS13_KDF\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7
new file mode 100644
index 000000000000..41a1c70f2c12
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-HMAC-DRBG.7
@@ -0,0 +1,117 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_KDF-HMAC-DRBG 7ossl"
+.TH EVP_KDF-HMAC-DRBG 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_KDF\-HMAC\-DRBG
+\&\- The HMAC DRBG DETERMINISTIC EVP_KDF implementation
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+Support for a deterministic HMAC DRBG using the \fBEVP_KDF\fR API. This is similar
+to \fBEVP_RAND\-HMAC\-DRBG\fR\|(7), but uses fixed values for its entropy and nonce
+values. This is used to generate deterministic nonce value required by ECDSA
+and DSA (as defined in RFC 6979).
+.SS Identity
+.IX Subsection "Identity"
+"HMAC-DRBG-KDF" is the name for this implementation; it can be used
+with the \fBEVP_KDF_fetch()\fR function.
+.SS "Supported parameters"
+.IX Subsection "Supported parameters"
+The supported parameters are:
+.IP """digest"" (\fBOSSL_DRBG_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
+.PD 0
+.IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """entropy"" (\fBOSSL_KDF_PARAM_HMACDRBG_ENTROPY\fR) <octet string>" 4
+.IX Item """entropy"" (OSSL_KDF_PARAM_HMACDRBG_ENTROPY) <octet string>"
+Sets the entropy bytes supplied to the HMAC-DRBG.
+.IP """nonce"" (\fBOSSL_KDF_PARAM_HMACDRBG_NONCE\fR) <octet string>" 4
+.IX Item """nonce"" (OSSL_KDF_PARAM_HMACDRBG_NONCE) <octet string>"
+Sets the nonce bytes supplied to the HMAC-DRBG.
+.SH NOTES
+.IX Header "NOTES"
+A context for KDF HMAC DRBG can be obtained by calling:
+.PP
+.Vb 2
+\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "HMAC\-DRBG\-KDF", NULL);
+\& EVP_KDF_CTX *kdf_ctx = EVP_KDF_CTX_new(kdf, NULL);
+.Ve
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+RFC 6979
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_KDF\fR\|(3),
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The EVP_KDF\-HMAC\-DRBG functionality was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7
index 9a05e4556576..86da837bef2d 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-KB.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,160 +52,114 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-KB 7ossl"
-.TH EVP_KDF-KB 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-KB 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-KB \- The Key\-Based EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP_KDF\-KB\s0 algorithm implements the Key-Based key derivation function
-(\s-1KBKDF\s0). \s-1KBKDF\s0 derives a key from repeated application of a keyed \s-1MAC\s0 to an
+The EVP_KDF\-KB algorithm implements the Key-Based key derivation function
+(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an
input secret (and other optional values).
-.SS "Identity"
+.PP
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1KBKDF\*(R"\s0 is the name for this implementation; it can be used with the
+"KBKDF" is the name for this implementation; it can be used with the
\&\fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """mode"" (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mode'' (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mode (OSSL_KDF_PARAM_MODE) <UTF8 string>"
-The mode parameter determines which flavor of \s-1KBKDF\s0 to use \- currently the
-choices are \*(L"counter\*(R" and \*(L"feedback\*(R". \*(L"counter\*(R" is the default, and will be
+.IP """mode"" (\fBOSSL_KDF_PARAM_MODE\fR) <UTF8 string>" 4
+.IX Item """mode"" (OSSL_KDF_PARAM_MODE) <UTF8 string>"
+The mode parameter determines which flavor of KBKDF to use \- currently the
+choices are "counter" and "feedback". "counter" is the default, and will be
used if unspecified.
-.ie n .IP """mac"" (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_KDF_PARAM_MAC) <UTF8 string>"
-The value is either \s-1CMAC\s0 or \s-1HMAC.\s0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """mac"" (\fBOSSL_KDF_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_KDF_PARAM_MAC) <UTF8 string>"
+The value is either CMAC, HMAC, KMAC128 or KMAC256.
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """cipher"" (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
-.IP """info (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
+.IP """cipher"" (\fBOSSL_KDF_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """info (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4
.IX Item """info (OSSL_KDF_PARAM_INFO) <octet string>"
-.ie n .IP """seed"" (\fB\s-1OSSL_KDF_PARAM_SEED\s0\fR) <octet string>" 4
-.el .IP "``seed'' (\fB\s-1OSSL_KDF_PARAM_SEED\s0\fR) <octet string>" 4
-.IX Item "seed (OSSL_KDF_PARAM_SEED) <octet string>"
+.IP """seed"" (\fBOSSL_KDF_PARAM_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_KDF_PARAM_SEED) <octet string>"
.PD
The seed parameter is unused in counter mode.
-.ie n .IP """use-l"" (\fB\s-1OSSL_KDF_PARAM_KBKDF_USE_L\s0\fR) <integer>" 4
-.el .IP "``use-l'' (\fB\s-1OSSL_KDF_PARAM_KBKDF_USE_L\s0\fR) <integer>" 4
-.IX Item "use-l (OSSL_KDF_PARAM_KBKDF_USE_L) <integer>"
-Set to \fB0\fR to disable use of the optional Fixed Input data 'L' (see \s-1SP800\-108\s0).
+.IP """use-l"" (\fBOSSL_KDF_PARAM_KBKDF_USE_L\fR) <integer>" 4
+.IX Item """use-l"" (OSSL_KDF_PARAM_KBKDF_USE_L) <integer>"
+Set to \fB0\fR to disable use of the optional Fixed Input data 'L' (see SP800\-108).
The default value of \fB1\fR will be used if unspecified.
-.ie n .IP """use-separator"" (\fB\s-1OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\s0\fR) <integer>" 4
-.el .IP "``use-separator'' (\fB\s-1OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\s0\fR) <integer>" 4
-.IX Item "use-separator (OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR) <integer>"
+.IP """use-separator"" (\fBOSSL_KDF_PARAM_KBKDF_USE_SEPARATOR\fR) <integer>" 4
+.IX Item """use-separator"" (OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR) <integer>"
Set to \fB0\fR to disable use of the optional Fixed Input data 'zero separator'
-(see \s-1SP800\-108\s0) that is placed between the Label and Context.
+(see SP800\-108) that is placed between the Label and Context.
The default value of \fB1\fR will be used if unspecified.
+.IP """r"" (\fBOSSL_KDF_PARAM_KBKDF_R\fR) <integer>" 4
+.IX Item """r"" (OSSL_KDF_PARAM_KBKDF_R) <integer>"
+Set the fixed value 'r', indicating the length of the counter in bits.
+.Sp
+Supported values are \fB8\fR, \fB16\fR, \fB24\fR, and \fB32\fR.
+The default value of \fB32\fR will be used if unspecified.
.PP
-Depending on whether mac is \s-1CMAC\s0 or \s-1HMAC,\s0 either digest or cipher is required
-(respectively) and the other is unused.
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if "key-check"
+is set to 0 and the check fails.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.PP
-The parameters key, salt, info, and seed correspond to \s-1KI,\s0 Label, Context, and
-\&\s-1IV\s0 (respectively) in \s-1SP800\-108.\s0 As in that document, salt, info, and seed are
+Depending on whether mac is CMAC or HMAC, either digest or cipher is required
+(respectively) and the other is unused. They are unused for KMAC128 and KMAC256.
+.PP
+The parameters key, salt, info, and seed correspond to KI, Label, Context, and
+IV (respectively) in SP800\-108. As in that document, salt, info, and seed are
optional and may be omitted.
.PP
-\&\*(L"mac\*(R", \*(L"digest\*(R", cipher\*(L" and \*(R"properties" are described in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.SH "NOTES"
+"mac", "digest", cipher" and "properties" are described in
+"PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1KBKDF\s0 can be obtained by calling:
+A context for KBKDF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "KBKDF", NULL);
\& EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
.Ve
.PP
-The output length of an \s-1KBKDF\s0 is specified via the \f(CW\*(C`keylen\*(C'\fR
+The output length of an KBKDF is specified via the \f(CW\*(C`keylen\*(C'\fR
parameter to the \fBEVP_KDF_derive\fR\|(3) function.
.PP
Note that currently OpenSSL only implements counter and feedback modes. Other
variants may be supported in the future.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes using \s-1COUNTER\-HMAC\-SHA256,\s0 with \s-1KI\s0 \*(L"secret\*(R",
-Label \*(L"label\*(R", and Context \*(L"context\*(R".
+This example derives 10 bytes using COUNTER\-HMAC\-SHA256, with KI "secret",
+Label "label", and Context "context".
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -250,8 +188,8 @@ Label \*(L"label\*(R", and Context \*(L"context\*(R".
\& EVP_KDF_CTX_free(kctx);
.Ve
.PP
-This example derives 10 bytes using \s-1FEEDBACK\-CMAC\-AES256,\s0 with \s-1KI\s0 \*(L"secret\*(R",
-Label \*(L"label\*(R", and \s-1IV\s0 \*(L"sixteen bytes iv\*(R".
+This example derives 10 bytes using FEEDBACK\-CMAC\-AES256, with KI "secret",
+Label "label", and IV "sixteen bytes iv".
.PP
.Vb 5
\& EVP_KDF *kdf;
@@ -283,23 +221,25 @@ Label \*(L"label\*(R", and \s-1IV\s0 \*(L"sixteen bytes iv\*(R".
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST SP800\-108, IETF RFC 6803, IETF RFC 8009.\s0
+NIST SP800\-108, IETF RFC 6803, IETF RFC 8009.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Support for KMAC was added in OpenSSL 3.1.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019 Red Hat, Inc.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7
index 374a45d2931f..2575e0571fb7 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-KRB5KDF.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,130 +52,66 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-KRB5KDF 7ossl"
-.TH EVP_KDF-KRB5KDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-KRB5KDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-KRB5KDF \- The RFC3961 Krb5 KDF EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fB\s-1KRB5KDF\s0\fR \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR \s-1API.\s0
+Support for computing the \fBKRB5KDF\fR KDF through the \fBEVP_KDF\fR API.
.PP
-The \s-1EVP_KDF\-KRB5KDF\s0 algorithm implements the key derivation function defined
-in \s-1RFC 3961,\s0 section 5.1 and is used by Krb5 to derive session keys.
+The EVP_KDF\-KRB5KDF algorithm implements the key derivation function defined
+in RFC 3961, section 5.1 and is used by Krb5 to derive session keys.
Three inputs are required to perform key derivation: a cipher, (for example
-\&\s-1AES\-128\-CBC\s0), the initial key, and a constant.
-.SS "Identity"
+AES\-128\-CBC), the initial key, and a constant.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1KRB5KDF\*(R"\s0 is the name for this implementation;
+"KRB5KDF" is the name for this implementation;
it can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """cipher"" (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
+.IP """cipher"" (\fBOSSL_KDF_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """constant"" (\fB\s-1OSSL_KDF_PARAM_CONSTANT\s0\fR) <octet string>" 4
-.el .IP "``constant'' (\fB\s-1OSSL_KDF_PARAM_CONSTANT\s0\fR) <octet string>" 4
-.IX Item "constant (OSSL_KDF_PARAM_CONSTANT) <octet string>"
-This parameter sets the constant value for the \s-1KDF.\s0
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """constant"" (\fBOSSL_KDF_PARAM_CONSTANT\fR) <octet string>" 4
+.IX Item """constant"" (OSSL_KDF_PARAM_CONSTANT) <octet string>"
+This parameter sets the constant value for the KDF.
If a value is already set, the contents are replaced.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1KRB5KDF\s0 can be obtained by calling:
+A context for KRB5KDF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "KRB5KDF", NULL);
\& EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
.Ve
.PP
-The output length of the \s-1KRB5KDF\s0 derivation is specified via the \fIkeylen\fR
-parameter to the \fBEVP_KDF_derive\fR\|(3) function, and \s-1MUST\s0 match the key
+The output length of the KRB5KDF derivation is specified via the \fIkeylen\fR
+parameter to the \fBEVP_KDF_derive\fR\|(3) function, and MUST match the key
length for the chosen cipher or an error is returned. Moreover, the
constant's length must not exceed the block size of the cipher.
-Since the \s-1KRB5KDF\s0 output length depends on the chosen cipher, calling
+Since the KRB5KDF output length depends on the chosen cipher, calling
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3) to obtain the requisite length returns the correct length
-only after the cipher is set. Prior to that \fB\s-1EVP_MAX_KEY_LENGTH\s0\fR is returned.
+only after the cipher is set. Prior to that \fBEVP_MAX_KEY_LENGTH\fR is returned.
The caller must allocate a buffer of the correct length for the chosen
cipher, and pass that buffer to the \fBEVP_KDF_derive\fR\|(3) function along
with that length.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives a key using the \s-1AES\-128\-CBC\s0 cipher:
+This example derives a key using the AES\-128\-CBC cipher:
.PP
.Vb 7
\& EVP_KDF *kdf;
@@ -221,22 +141,22 @@ This example derives a key using the \s-1AES\-128\-CBC\s0 cipher:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 3961\s0
+RFC 3961
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7
index 71875fe44e42..8e4cc66e4162 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF1.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,143 +52,81 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-PBKDF1 7ossl"
-.TH EVP_KDF-PBKDF1 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-PBKDF1 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-PBKDF1 \- The PBKDF1 EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fB\s-1PBKDF1\s0\fR password-based \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR
-\&\s-1API.\s0
+Support for computing the \fBPBKDF1\fR password-based KDF through the \fBEVP_KDF\fR
+API.
.PP
-The \s-1EVP_KDF\-PBKDF1\s0 algorithm implements the \s-1PBKDF1\s0 password-based key
-derivation function, as described in \s-1RFC 8018\s0; it derives a key from a password
+The EVP_KDF\-PBKDF1 algorithm implements the PBKDF1 password-based key
+derivation function, as described in RFC 8018; it derives a key from a password
using a salt and iteration count.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1PBKDF1\*(R"\s0 is the name for this implementation; it
+"PBKDF1" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """pass"" (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.el .IP "``pass'' (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.IX Item "pass (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
.PD 0
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
-.ie n .IP """iter"" (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.el .IP "``iter'' (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.IX Item "iter (OSSL_KDF_PARAM_ITER) <unsigned integer>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """iter"" (\fBOSSL_KDF_PARAM_ITER\fR) <unsigned integer>" 4
+.IX Item """iter"" (OSSL_KDF_PARAM_ITER) <unsigned integer>"
.PD
This parameter has a default value of 0 and should be set.
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.SH "NOTES"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.SH NOTES
.IX Header "NOTES"
A typical application of this algorithm is to derive keying material for an
-encryption algorithm from a password in the \*(L"pass\*(R", a salt in \*(L"salt\*(R",
+encryption algorithm from a password in the "pass", a salt in "salt",
and an iteration count.
.PP
-Increasing the \*(L"iter\*(R" parameter slows down the algorithm which makes it
+Increasing the "iter" parameter slows down the algorithm which makes it
harder for an attacker to perform a brute force attack using a large number
of candidate passwords.
.PP
No assumption is made regarding the given password; it is simply treated as a
byte sequence.
+.PP
+The legacy provider needs to be available in order to access this algorithm.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 8018\s0
+RFC 8018
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3),
+\&\fBOSSL_PROVIDER\-legacy\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7
index b68738ab2964..798b268a3cec 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PBKDF2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,116 +52,52 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-PBKDF2 7ossl"
-.TH EVP_KDF-PBKDF2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-PBKDF2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-PBKDF2 \- The PBKDF2 EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fB\s-1PBKDF2\s0\fR password-based \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR
-\&\s-1API.\s0
+Support for computing the \fBPBKDF2\fR password-based KDF through the \fBEVP_KDF\fR
+API.
.PP
-The \s-1EVP_KDF\-PBKDF2\s0 algorithm implements the \s-1PBKDF2\s0 password-based key
-derivation function, as described in \s-1SP800\-132\s0; it derives a key from a password
+The EVP_KDF\-PBKDF2 algorithm implements the PBKDF2 password-based key
+derivation function, as described in SP800\-132; it derives a key from a password
using a salt and iteration count.
-.SS "Identity"
+.PP
+The output is considered to be a cryptographic key.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1PBKDF2\*(R"\s0 is the name for this implementation; it
+"PBKDF2" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """pass"" (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.el .IP "``pass'' (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.IX Item "pass (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
.PD 0
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
-.ie n .IP """iter"" (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.el .IP "``iter'' (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.IX Item "iter (OSSL_KDF_PARAM_ITER) <unsigned integer>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """iter"" (\fBOSSL_KDF_PARAM_ITER\fR) <unsigned integer>" 4
+.IX Item """iter"" (OSSL_KDF_PARAM_ITER) <unsigned integer>"
.PD
This parameter has a default value of 2048.
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """pkcs5"" (\fB\s-1OSSL_KDF_PARAM_PKCS5\s0\fR) <integer>" 4
-.el .IP "``pkcs5'' (\fB\s-1OSSL_KDF_PARAM_PKCS5\s0\fR) <integer>" 4
-.IX Item "pkcs5 (OSSL_KDF_PARAM_PKCS5) <integer>"
-This parameter can be used to enable or disable \s-1SP800\-132\s0 compliance checks.
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """pkcs5"" (\fBOSSL_KDF_PARAM_PKCS5\fR) <integer>" 4
+.IX Item """pkcs5"" (OSSL_KDF_PARAM_PKCS5) <integer>"
+This parameter can be used to enable or disable SP800\-132 compliance checks.
Setting the mode to 0 enables the compliance checks.
.Sp
The checks performed are:
@@ -194,17 +114,25 @@ The checks performed are:
.PD
.Sp
The default provider uses a default mode of 1 for backwards compatibility,
-and the \s-1FIPS\s0 provider uses a default mode of 0.
-.Sp
-The value string is expected to be a decimal number 0 or 1.
+and the FIPS provider uses a default mode of 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.RE
-.SH "NOTES"
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+This option is used by the OpenSSL FIPS provider.
+.Sp
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if "pkcs5"
+is set to 1 and the derived key length, salt length or iteration count test
+fails.
+.SH NOTES
.IX Header "NOTES"
A typical application of this algorithm is to derive keying material for an
-encryption algorithm from a password in the \*(L"pass\*(R", a salt in \*(L"salt\*(R",
+encryption algorithm from a password in the "pass", a salt in "salt",
and an iteration count.
.PP
-Increasing the \*(L"iter\*(R" parameter slows down the algorithm which makes it
+Increasing the "iter" parameter slows down the algorithm which makes it
harder for an attacker to perform a brute force attack using a large number
of candidate passwords.
.PP
@@ -212,23 +140,23 @@ No assumption is made regarding the given password; it is simply treated as a
byte sequence.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1SP800\-132\s0
+SP800\-132
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7
index 48e726a12187..47c79769cb3c 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PKCS12KDF.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,125 +52,59 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-PKCS12KDF 7ossl"
-.TH EVP_KDF-PKCS12KDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-PKCS12KDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-PKCS12KDF \- The PKCS#12 EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fBPKCS#12\fR password-based \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR
-\&\s-1API.\s0
+Support for computing the \fBPKCS#12\fR password-based KDF through the \fBEVP_KDF\fR
+API.
.PP
-The \s-1EVP_KDF\-PKCS12KDF\s0 algorithm implements the PKCS#12 password-based key
-derivation function, as described in appendix B of \s-1RFC 7292\s0 (\s-1PKCS\s0 #12:
+The EVP_KDF\-PKCS12KDF algorithm implements the PKCS#12 password-based key
+derivation function, as described in appendix B of RFC 7292 (PKCS #12:
Personal Information Exchange Syntax); it derives a key from a password
using a salt, iteration count and the intended usage.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1PKCS12KDF\*(R"\s0 is the name for this implementation; it
+"PKCS12KDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """pass"" (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.el .IP "``pass'' (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.IX Item "pass (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
.PD 0
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
-.ie n .IP """iter"" (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.el .IP "``iter'' (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.IX Item "iter (OSSL_KDF_PARAM_ITER) <unsigned integer>"
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """iter"" (\fBOSSL_KDF_PARAM_ITER\fR) <unsigned integer>" 4
+.IX Item """iter"" (OSSL_KDF_PARAM_ITER) <unsigned integer>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """id"" (\fB\s-1OSSL_KDF_PARAM_PKCS12_ID\s0\fR) <integer>" 4
-.el .IP "``id'' (\fB\s-1OSSL_KDF_PARAM_PKCS12_ID\s0\fR) <integer>" 4
-.IX Item "id (OSSL_KDF_PARAM_PKCS12_ID) <integer>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """id"" (\fBOSSL_KDF_PARAM_PKCS12_ID\fR) <integer>" 4
+.IX Item """id"" (OSSL_KDF_PARAM_PKCS12_ID) <integer>"
This parameter is used to specify the intended usage of the output bits, as per
-\&\s-1RFC 7292\s0 section B.3.
-.SH "NOTES"
+RFC 7292 section B.3.
+.SH NOTES
.IX Header "NOTES"
-This algorithm is not available in the \s-1FIPS\s0 provider as it is not \s-1FIPS\s0
+This algorithm is not available in the FIPS provider as it is not FIPS
approvable.
.PP
A typical application of this algorithm is to derive keying material for an
-encryption algorithm from a password in the \*(L"pass\*(R", a salt in \*(L"salt\*(R",
+encryption algorithm from a password in the "pass", a salt in "salt",
and an iteration count.
.PP
-Increasing the \*(L"iter\*(R" parameter slows down the algorithm which makes it
+Increasing the "iter" parameter slows down the algorithm which makes it
harder for an attacker to perform a brute force attack using a large number
of candidate passwords.
.PP
@@ -194,24 +112,24 @@ No assumption is made regarding the given password; it is simply treated as a
byte sequence.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC7292\s0
+RFC7292
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3),
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7
new file mode 100644
index 000000000000..09083109fe03
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-PVKKDF.7
@@ -0,0 +1,118 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_KDF-PVKKDF 7ossl"
+.TH EVP_KDF-PVKKDF 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_KDF\-PVKKDF \- The PVK EVP_KDF implementation
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+Support for computing the \fBPVK KDF\fR PIN-based KDF through the \fBEVP_KDF\fR
+API.
+.PP
+The EVP_KDF\-PVKKDF algorithm implements a PVK PIN-based key
+derivation function; it derives a key from a password using a salt.
+.SS Identity
+.IX Subsection "Identity"
+"PVKKDF" is the name for this implementation; it
+can be used with the \fBEVP_KDF_fetch()\fR function.
+.SS "Supported parameters"
+.IX Subsection "Supported parameters"
+The supported parameters are:
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+.PD 0
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.SH NOTES
+.IX Header "NOTES"
+A typical application of this algorithm is to derive keying material for an
+encryption algorithm from a password in the "pass" and a salt in "salt".
+.PP
+No assumption is made regarding the given password; it is simply treated as a
+byte sequence.
+.PP
+The legacy provider needs to be available in order to access this algorithm.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_KDF\fR\|(3),
+\&\fBEVP_KDF_CTX_new\fR\|(3),
+\&\fBEVP_KDF_CTX_free\fR\|(3),
+\&\fBEVP_KDF_CTX_set_params\fR\|(3),
+\&\fBEVP_KDF_derive\fR\|(3),
+"PARAMETERS" in \fBEVP_KDF\fR\|(3),
+\&\fBOSSL_PROVIDER\-legacy\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.2.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7
index 5b84dbfe0d24..780026a993e3 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SCRYPT.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,142 +52,75 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-SCRYPT 7ossl"
-.TH EVP_KDF-SCRYPT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-SCRYPT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-SCRYPT \- The scrypt EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fBscrypt\fR password-based \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR
-\&\s-1API.\s0
+Support for computing the \fBscrypt\fR password-based KDF through the \fBEVP_KDF\fR
+API.
.PP
-The \s-1EVP_KDF\-SCRYPT\s0 algorithm implements the scrypt password-based key
-derivation function, as described in \s-1RFC 7914.\s0 It is memory-hard in the sense
-that it deliberately requires a significant amount of \s-1RAM\s0 for efficient
+The EVP_KDF\-SCRYPT algorithm implements the scrypt password-based key
+derivation function, as described in RFC 7914. It is memory-hard in the sense
+that it deliberately requires a significant amount of RAM for efficient
computation. The intention of this is to render brute forcing of passwords on
systems that lack large amounts of main memory (such as GPUs or ASICs)
computationally infeasible.
.PP
scrypt provides three work factors that can be customized: N, r and p. N, which
-has to be a positive power of two, is the general work factor and scales \s-1CPU\s0
+has to be a positive power of two, is the general work factor and scales CPU
time in an approximately linear fashion. r is the block size of the internally
used hash function and p is the parallelization factor. Both r and p need to be
-greater than zero. The amount of \s-1RAM\s0 that scrypt requires for its computation
+greater than zero. The amount of RAM that scrypt requires for its computation
is roughly (128 * N * r * p) bytes.
.PP
-In the original paper of Colin Percival (\*(L"Stronger Key Derivation via
-Sequential Memory-Hard Functions\*(R", 2009), the suggested values that give a
+In the original paper of Colin Percival ("Stronger Key Derivation via
+Sequential Memory-Hard Functions", 2009), the suggested values that give a
computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
-this computation is roughly 1 GiB. On a more recent \s-1CPU\s0 (Intel i7\-5930K at 3.5
+this computation is roughly 1 GiB. On a more recent CPU (Intel i7\-5930K at 3.5
GHz), this computation takes about 3 seconds. When N, r or p are not specified,
-they default to 1048576, 8, and 1, respectively. The maximum amount of \s-1RAM\s0 that
+they default to 1048576, 8, and 1, respectively. The maximum amount of RAM that
may be used by scrypt defaults to 1025 MiB.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1SCRYPT\*(R"\s0 is the name for this implementation; it
+"SCRYPT" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """pass"" (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.el .IP "``pass'' (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.IX Item "pass (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
.PD 0
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """n"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_N\s0\fR) <unsigned integer>" 4
-.el .IP "``n'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_N\s0\fR) <unsigned integer>" 4
-.IX Item "n (OSSL_KDF_PARAM_SCRYPT_N) <unsigned integer>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """n"" (\fBOSSL_KDF_PARAM_SCRYPT_N\fR) <unsigned integer>" 4
+.IX Item """n"" (OSSL_KDF_PARAM_SCRYPT_N) <unsigned integer>"
.PD 0
-.ie n .IP """r"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_R\s0\fR) <unsigned integer>" 4
-.el .IP "``r'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_R\s0\fR) <unsigned integer>" 4
-.IX Item "r (OSSL_KDF_PARAM_SCRYPT_R) <unsigned integer>"
-.ie n .IP """p"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_P\s0\fR) <unsigned integer>" 4
-.el .IP "``p'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_P\s0\fR) <unsigned integer>" 4
-.IX Item "p (OSSL_KDF_PARAM_SCRYPT_P) <unsigned integer>"
-.ie n .IP """maxmem_bytes"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_MAXMEM\s0\fR) <unsigned integer>" 4
-.el .IP "``maxmem_bytes'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_MAXMEM\s0\fR) <unsigned integer>" 4
-.IX Item "maxmem_bytes (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>"
+.IP """r"" (\fBOSSL_KDF_PARAM_SCRYPT_R\fR) <unsigned integer>" 4
+.IX Item """r"" (OSSL_KDF_PARAM_SCRYPT_R) <unsigned integer>"
+.IP """p"" (\fBOSSL_KDF_PARAM_SCRYPT_P\fR) <unsigned integer>" 4
+.IX Item """p"" (OSSL_KDF_PARAM_SCRYPT_P) <unsigned integer>"
+.IP """maxmem_bytes"" (\fBOSSL_KDF_PARAM_SCRYPT_MAXMEM\fR) <unsigned integer>" 4
+.IX Item """maxmem_bytes"" (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>"
.PD
These parameters configure the scrypt work factors N, r, maxmem and p.
Both N and maxmem_bytes are parameters of type \fBuint64_t\fR.
Both r and p are parameters of type \fBuint32_t\fR.
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
This can be used to set the property query string when fetching the
-fixed digest internally. \s-1NULL\s0 is used if this value is not set.
-.SH "NOTES"
+fixed digest internally. NULL is used if this value is not set.
+.SH NOTES
.IX Header "NOTES"
A context for scrypt can be obtained by calling:
.PP
@@ -213,11 +130,11 @@ A context for scrypt can be obtained by calling:
.Ve
.PP
The output length of an scrypt key derivation is specified via the
-\&\*(L"keylen\*(R" parameter to the \fBEVP_KDF_derive\fR\|(3) function.
-.SH "EXAMPLES"
+"keylen" parameter to the \fBEVP_KDF_derive\fR\|(3) function.
+.SH EXAMPLES
.IX Header "EXAMPLES"
This example derives a 64\-byte long test vector using scrypt with the password
-\&\*(L"password\*(R", salt \*(L"NaCl\*(R" and N = 1024, r = 8, p = 16.
+"password", salt "NaCl" and N = 1024, r = 8, p = 16.
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -260,23 +177,23 @@ This example derives a 64\-byte long test vector using scrypt with the password
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 7914\s0
+RFC 7914
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7
index f76307b3716b..e33453d3b5cc 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SS.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-SS 7ossl"
-.TH EVP_KDF-SS 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-SS 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-SS \- The Single Step / One Step EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP_KDF\-SS\s0 algorithm implements the Single Step key derivation function (\s-1SSKDF\s0).
-\&\s-1SSKDF\s0 derives a key using input such as a shared secret key (that was generated
+The EVP_KDF\-SS algorithm implements the Single Step key derivation function (SSKDF).
+SSKDF derives a key using input such as a shared secret key (that was generated
during the execution of a key establishment scheme) and fixedinfo.
-\&\s-1SSKDF\s0 is also informally referred to as 'Concat \s-1KDF\s0'.
+SSKDF is also informally referred to as 'Concat KDF'.
+.PP
+The output is considered to be keying material.
.SS "Auxiliary function"
.IX Subsection "Auxiliary function"
The implementation uses a selectable auxiliary function H, which can be one of:
@@ -152,64 +78,72 @@ The implementation uses a selectable auxiliary function H, which can be one of:
.PD 0
.IP "\fBH(x) = HMAC_hash(x, key=salt, digest=md)\fR" 4
.IX Item "H(x) = HMAC_hash(x, key=salt, digest=md)"
-.ie n .IP "\fBH(x) = KMACxxx(x, key=salt, custom=""\s-1KDF"",\s0 outlen=mac_size)\fR" 4
-.el .IP "\fBH(x) = KMACxxx(x, key=salt, custom=``\s-1KDF'',\s0 outlen=mac_size)\fR" 4
-.IX Item "H(x) = KMACxxx(x, key=salt, custom=KDF, outlen=mac_size)"
+.IP "\fBH(x) = KMACxxx(x, key=salt, custom=""KDF"", outlen=mac_size)\fR" 4
+.IX Item "H(x) = KMACxxx(x, key=salt, custom=""KDF"", outlen=mac_size)"
.PD
.PP
-Both the \s-1HMAC\s0 and \s-1KMAC\s0 implementations set the key using the 'salt' value.
-The hash and \s-1HMAC\s0 also require the digest to be set.
-.SS "Identity"
+Both the HMAC and KMAC implementations set the key using the 'salt' value.
+The hash and HMAC also require the digest to be set.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1SSKDF\*(R"\s0 is the name for this implementation; it
+"SSKDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-This parameter is ignored for \s-1KMAC.\s0
-.ie n .IP """mac"" (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_KDF_PARAM_MAC) <UTF8 string>"
+This parameter is ignored for KMAC.
+.IP """mac"" (\fBOSSL_KDF_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_KDF_PARAM_MAC) <UTF8 string>"
.PD 0
-.ie n .IP """maclen"" (\fB\s-1OSSL_KDF_PARAM_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``maclen'' (\fB\s-1OSSL_KDF_PARAM_MAC_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "maclen (OSSL_KDF_PARAM_MAC_SIZE) <unsigned integer>"
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """maclen"" (\fBOSSL_KDF_PARAM_MAC_SIZE\fR) <unsigned integer>" 4
+.IX Item """maclen"" (OSSL_KDF_PARAM_MAC_SIZE) <unsigned integer>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """key"" (\fB\s-1EVP_KDF_CTRL_SET_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1EVP_KDF_CTRL_SET_KEY\s0\fR) <octet string>" 4
-.IX Item "key (EVP_KDF_CTRL_SET_KEY) <octet string>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """key"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_SECRET) <octet string>"
This parameter set the shared secret that is used for key derivation.
-.ie n .IP """info"" (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.IX Item "info (OSSL_KDF_PARAM_INFO) <octet string>"
+.IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4
+.IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>"
This parameter sets an optional value for fixedinfo, also known as otherinfo.
-.SH "NOTES"
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if "key-check"
+is set to 0 and the check fails.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1SSKDF\s0 can be obtained by calling:
+A context for SSKDF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSKDF", NULL);
\& EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
.Ve
.PP
-The output length of an \s-1SSKDF\s0 is specified via the \fIkeylen\fR
+The output length of an SSKDF is specified via the \fIkeylen\fR
parameter to the \fBEVP_KDF_derive\fR\|(3) function.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes using H(x) = \s-1SHA\-256,\s0 with the secret key \*(L"secret\*(R"
-and fixedinfo value \*(L"label\*(R":
+This example derives 10 bytes using H(x) = SHA\-256, with the secret key "secret"
+and fixedinfo value "label":
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -235,8 +169,8 @@ and fixedinfo value \*(L"label\*(R":
\& EVP_KDF_CTX_free(kctx);
.Ve
.PP
-This example derives 10 bytes using H(x) = \s-1HMAC\s0(\s-1SHA\-256\s0), with the secret key \*(L"secret\*(R",
-fixedinfo value \*(L"label\*(R" and salt \*(L"salt\*(R":
+This example derives 10 bytes using H(x) = HMAC(SHA\-256), with the secret key "secret",
+fixedinfo value "label" and salt "salt":
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -252,7 +186,7 @@ fixedinfo value \*(L"label\*(R" and salt \*(L"salt\*(R":
\& SN_hmac, strlen(SN_hmac));
\& *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
\& SN_sha256, strlen(SN_sha256));
-\& *p++ = OSSL_PARAM_construct_octet_string(EVP_KDF_CTRL_SET_KEY,
+\& *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
\& "secret", (size_t)6);
\& *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
\& "label", (size_t)5);
@@ -266,8 +200,8 @@ fixedinfo value \*(L"label\*(R" and salt \*(L"salt\*(R":
\& EVP_KDF_CTX_free(kctx);
.Ve
.PP
-This example derives 10 bytes using H(x) = \s-1KMAC128\s0(x,salt,outlen), with the secret key \*(L"secret\*(R"
-fixedinfo value \*(L"label\*(R", salt of \*(L"salt\*(R" and \s-1KMAC\s0 outlen of 20:
+This example derives 10 bytes using H(x) = KMAC128(x,salt,outlen), with the secret key "secret"
+fixedinfo value "label", salt of "salt" and KMAC outlen of 20:
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -281,7 +215,7 @@ fixedinfo value \*(L"label\*(R", salt of \*(L"salt\*(R" and \s-1KMAC\s0 outlen o
\&
\& *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_MAC,
\& SN_kmac128, strlen(SN_kmac128));
-\& *p++ = OSSL_PARAM_construct_octet_string(EVP_KDF_CTRL_SET_KEY,
+\& *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
\& "secret", (size_t)6);
\& *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_INFO,
\& "label", (size_t)5);
@@ -297,25 +231,25 @@ fixedinfo value \*(L"label\*(R", salt of \*(L"salt\*(R" and \s-1KMAC\s0 outlen o
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST\s0 SP800\-56Cr1.
+NIST SP800\-56Cr1.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved. Copyright
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved. Copyright
(c) 2019, Oracle and/or its affiliates. All rights reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7
index feccc434bbc5..74561b004524 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-SSHKDF.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,167 +52,130 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-SSHKDF 7ossl"
-.TH EVP_KDF-SSHKDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-SSHKDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-SSHKDF \- The SSHKDF EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fB\s-1SSHKDF\s0\fR \s-1KDF\s0 through the \fB\s-1EVP_KDF\s0\fR \s-1API.\s0
+Support for computing the \fBSSHKDF\fR KDF through the \fBEVP_KDF\fR API.
.PP
-The \s-1EVP_KDF\-SSHKDF\s0 algorithm implements the \s-1SSHKDF\s0 key derivation function.
-It is defined in \s-1RFC 4253,\s0 section 7.2 and is used by \s-1SSH\s0 to derive IVs,
+The EVP_KDF\-SSHKDF algorithm implements the SSHKDF key derivation function.
+It is defined in RFC 4253, section 7.2 and is used by SSH to derive IVs,
encryption keys and integrity keys.
Five inputs are required to perform key derivation: The hashing function
-(for example \s-1SHA256\s0), the Initial Key, the Exchange Hash, the Session \s-1ID,\s0
+(for example SHA256), the Initial Key, the Exchange Hash, the Session ID,
and the derivation key type.
-.SS "Identity"
+.PP
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1SSHKDF\*(R"\s0 is the name for this implementation; it
+"SSHKDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """xcghash"" (\fB\s-1OSSL_KDF_PARAM_SSHKDF_XCGHASH\s0\fR) <octet string>" 4
-.el .IP "``xcghash'' (\fB\s-1OSSL_KDF_PARAM_SSHKDF_XCGHASH\s0\fR) <octet string>" 4
-.IX Item "xcghash (OSSL_KDF_PARAM_SSHKDF_XCGHASH) <octet string>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """xcghash"" (\fBOSSL_KDF_PARAM_SSHKDF_XCGHASH\fR) <octet string>" 4
+.IX Item """xcghash"" (OSSL_KDF_PARAM_SSHKDF_XCGHASH) <octet string>"
.PD 0
-.ie n .IP """session_id"" (\fB\s-1OSSL_KDF_PARAM_SSHKDF_SESSION_ID\s0\fR) <octet string>" 4
-.el .IP "``session_id'' (\fB\s-1OSSL_KDF_PARAM_SSHKDF_SESSION_ID\s0\fR) <octet string>" 4
-.IX Item "session_id (OSSL_KDF_PARAM_SSHKDF_SESSION_ID) <octet string>"
+.IP """session_id"" (\fBOSSL_KDF_PARAM_SSHKDF_SESSION_ID\fR) <octet string>" 4
+.IX Item """session_id"" (OSSL_KDF_PARAM_SSHKDF_SESSION_ID) <octet string>"
.PD
-These parameters set the respective values for the \s-1KDF.\s0
+These parameters set the respective values for the KDF.
If a value is already set, the contents are replaced.
-.ie n .IP """type"" (\fB\s-1OSSL_KDF_PARAM_SSHKDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``type'' (\fB\s-1OSSL_KDF_PARAM_SSHKDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "type (OSSL_KDF_PARAM_SSHKDF_TYPE) <UTF8 string>"
-This parameter sets the type for the \s-1SSHKDF\s0 operation.
+.IP """type"" (\fBOSSL_KDF_PARAM_SSHKDF_TYPE\fR) <UTF8 string>" 4
+.IX Item """type"" (OSSL_KDF_PARAM_SSHKDF_TYPE) <UTF8 string>"
+This parameter sets the type for the SSHKDF operation.
There are six supported types:
.RS 4
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV\s0" 4
+.IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV"
-The Initial \s-1IV\s0 from client to server.
-A single char of value 65 (\s-1ASCII\s0 char 'A').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI\s0" 4
+The Initial IV from client to server.
+A single char of value 65 (ASCII char 'A').
+.IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI"
-The Initial \s-1IV\s0 from server to client
-A single char of value 66 (\s-1ASCII\s0 char 'B').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV\s0" 4
+The Initial IV from server to client
+A single char of value 66 (ASCII char 'B').
+.IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 4
.IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV"
The Encryption Key from client to server
-A single char of value 67 (\s-1ASCII\s0 char 'C').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI\s0" 4
+A single char of value 67 (ASCII char 'C').
+.IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 4
.IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI"
The Encryption Key from server to client
-A single char of value 68 (\s-1ASCII\s0 char 'D').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV\s0" 4
+A single char of value 68 (ASCII char 'D').
+.IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV"
The Integrity Key from client to server
-A single char of value 69 (\s-1ASCII\s0 char 'E').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI\s0" 4
+A single char of value 69 (ASCII char 'E').
+.IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI"
The Integrity Key from client to server
-A single char of value 70 (\s-1ASCII\s0 char 'F').
+A single char of value 70 (ASCII char 'F').
.RE
.RS 4
.RE
-.SH "NOTES"
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check"
+related parameter is set to 0 and the check fails.
+.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if
+used digest is not approved.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.Sp
+According to SP 800\-135r1, the following are approved digest algorithms: SHA\-1,
+SHA2\-224, SHA2\-256, SHA2\-384, SHA2\-512.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1SSHKDF\s0 can be obtained by calling:
+A context for SSHKDF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
\& EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
.Ve
.PP
-The output length of the \s-1SSHKDF\s0 derivation is specified via the \fIkeylen\fR
+The output length of the SSHKDF derivation is specified via the \fIkeylen\fR
parameter to the \fBEVP_KDF_derive\fR\|(3) function.
-Since the \s-1SSHKDF\s0 output length is variable, calling \fBEVP_KDF_CTX_get_kdf_size\fR\|(3)
+Since the SSHKDF output length is variable, calling \fBEVP_KDF_CTX_get_kdf_size\fR\|(3)
to obtain the requisite length is not meaningful. The caller must
allocate a buffer of the desired length, and pass that buffer to the
\&\fBEVP_KDF_derive\fR\|(3) function along with the desired length.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives an 8 byte \s-1IV\s0 using \s-1SHA\-256\s0 with a 1K \*(L"key\*(R" and appropriate
-\&\*(L"xcghash\*(R" and \*(L"session_id\*(R" values:
+This example derives an 8 byte IV using SHA\-256 with a 1K "key" and appropriate
+"xcghash" and "session_id" values:
.PP
.Vb 9
\& EVP_KDF *kdf;
@@ -261,24 +208,24 @@ This example derives an 8 byte \s-1IV\s0 using \s-1SHA\-256\s0 with a 1K \*(L"ke
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 4253\s0
+RFC 4253
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7
index 0cf37210f47b..a1449138cab2 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS13_KDF.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,130 +52,63 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-TLS13_KDF 7ossl"
-.TH EVP_KDF-TLS13_KDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-TLS13_KDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-TLS13_KDF \- The TLS 1.3 EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \s-1TLS 1.3\s0 version of the \fB\s-1HKDF\s0\fR \s-1KDF\s0 through
-the \fB\s-1EVP_KDF\s0\fR \s-1API.\s0
+Support for computing the TLS 1.3 version of the \fBHKDF\fR KDF through
+the \fBEVP_KDF\fR API.
+.PP
+The EVP_KDF\-TLS13_KDF algorithm implements the HKDF key derivation function
+as used by TLS 1.3.
.PP
-The \s-1EVP_KDF\-TLS13_KDF\s0 algorithm implements the \s-1HKDF\s0 key derivation function
-as used by \s-1TLS 1.3.\s0
-.SS "Identity"
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1TLS13\-KDF\*(R"\s0 is the name for this implementation; it
+"TLS13\-KDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
-.ie n .IP """salt"" (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_KDF_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_KDF_PARAM_SALT) <octet string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
+.IP """salt"" (\fBOSSL_KDF_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_KDF_PARAM_SALT) <octet string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """prefix"" (\fB\s-1OSSL_KDF_PARAM_PREFIX\s0\fR) <octet string>" 4
-.el .IP "``prefix'' (\fB\s-1OSSL_KDF_PARAM_PREFIX\s0\fR) <octet string>" 4
-.IX Item "prefix (OSSL_KDF_PARAM_PREFIX) <octet string>"
-This parameter sets the label prefix on the specified \s-1TLS 1.3 KDF\s0 context.
-For \s-1TLS 1.3\s0 this should be set to the \s-1ASCII\s0 string \*(L"tls13 \*(R" without a
-trailing zero byte. Refer to \s-1RFC 8446\s0 section 7.1 \*(L"Key Schedule\*(R" for details.
-.ie n .IP """label"" (\fB\s-1OSSL_KDF_PARAM_LABEL\s0\fR) <octet string>" 4
-.el .IP "``label'' (\fB\s-1OSSL_KDF_PARAM_LABEL\s0\fR) <octet string>" 4
-.IX Item "label (OSSL_KDF_PARAM_LABEL) <octet string>"
-This parameter sets the label on the specified \s-1TLS 1.3 KDF\s0 context.
-Refer to \s-1RFC 8446\s0 section 7.1 \*(L"Key Schedule\*(R" for details.
-.ie n .IP """data"" (\fB\s-1OSSL_KDF_PARAM_DATA\s0\fR) <octet string>" 4
-.el .IP "``data'' (\fB\s-1OSSL_KDF_PARAM_DATA\s0\fR) <octet string>" 4
-.IX Item "data (OSSL_KDF_PARAM_DATA) <octet string>"
-This parameter sets the context data on the specified \s-1TLS 1.3 KDF\s0 context.
-Refer to \s-1RFC 8446\s0 section 7.1 \*(L"Key Schedule\*(R" for details.
-.ie n .IP """mode"" (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string> or <integer>" 4
-.el .IP "``mode'' (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string> or <integer>" 4
-.IX Item "mode (OSSL_KDF_PARAM_MODE) <UTF8 string> or <integer>"
-This parameter sets the mode for the \s-1TLS 1.3 KDF\s0 operation.
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """prefix"" (\fBOSSL_KDF_PARAM_PREFIX\fR) <octet string>" 4
+.IX Item """prefix"" (OSSL_KDF_PARAM_PREFIX) <octet string>"
+This parameter sets the label prefix on the specified TLS 1.3 KDF context.
+For TLS 1.3 this should be set to the ASCII string "tls13 " without a
+trailing zero byte. Refer to RFC 8446 section 7.1 "Key Schedule" for details.
+.IP """label"" (\fBOSSL_KDF_PARAM_LABEL\fR) <octet string>" 4
+.IX Item """label"" (OSSL_KDF_PARAM_LABEL) <octet string>"
+This parameter sets the label on the specified TLS 1.3 KDF context.
+Refer to RFC 8446 section 7.1 "Key Schedule" for details.
+.IP """data"" (\fBOSSL_KDF_PARAM_DATA\fR) <octet string>" 4
+.IX Item """data"" (OSSL_KDF_PARAM_DATA) <octet string>"
+This parameter sets the context data on the specified TLS 1.3 KDF context.
+Refer to RFC 8446 section 7.1 "Key Schedule" for details.
+.IP """mode"" (\fBOSSL_KDF_PARAM_MODE\fR) <UTF8 string> or <integer>" 4
+.IX Item """mode"" (OSSL_KDF_PARAM_MODE) <UTF8 string> or <integer>"
+This parameter sets the mode for the TLS 1.3 KDF operation.
There are two modes that are currently defined:
.RS 4
-.ie n .IP """\s-1EXTRACT_ONLY""\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXTRACT_ONLY\s0\fR" 4
-.el .IP "``\s-1EXTRACT_ONLY''\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXTRACT_ONLY\s0\fR" 4
-.IX Item "EXTRACT_ONLY or EVP_KDF_HKDF_MODE_EXTRACT_ONLY"
+.IP """EXTRACT_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXTRACT_ONLY\fR" 4
+.IX Item """EXTRACT_ONLY"" or EVP_KDF_HKDF_MODE_EXTRACT_ONLY"
In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the extract
operation. The value returned will be the intermediate fixed-length pseudorandom
key K. The \fIkeylen\fR parameter must match the size of K, which can be looked
@@ -199,9 +116,8 @@ up by calling \fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest
.Sp
The digest, key and salt values must be set before a key is derived otherwise
an error will occur.
-.ie n .IP """\s-1EXPAND_ONLY""\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXPAND_ONLY\s0\fR" 4
-.el .IP "``\s-1EXPAND_ONLY''\s0 or \fB\s-1EVP_KDF_HKDF_MODE_EXPAND_ONLY\s0\fR" 4
-.IX Item "EXPAND_ONLY or EVP_KDF_HKDF_MODE_EXPAND_ONLY"
+.IP """EXPAND_ONLY"" or \fBEVP_KDF_HKDF_MODE_EXPAND_ONLY\fR" 4
+.IX Item """EXPAND_ONLY"" or EVP_KDF_HKDF_MODE_EXPAND_ONLY"
In this mode calling \fBEVP_KDF_derive\fR\|(3) will just perform the expand
operation. The input key should be set to the intermediate fixed-length
pseudorandom key K returned from a previous extract operation.
@@ -211,50 +127,77 @@ an error will occur.
.RE
.RS 4
.RE
-.SH "NOTES"
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check"
+related parameter is set to 0 and the check fails.
+.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if
+used digest is not approved.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.Sp
+According to RFC 8446, the following are approved digest algorithms: SHA2\-256,
+SHA2\-384.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-This \s-1KDF\s0 is intended for use by the \s-1TLS 1.3\s0 implementation in libssl.
-It does not support all the options and capabilities that \s-1HKDF\s0 does.
+This KDF is intended for use by the TLS 1.3 implementation in libssl.
+It does not support all the options and capabilities that HKDF does.
.PP
-The \fI\s-1OSSL_PARAM\s0\fR array passed to \fBEVP_KDF_derive\fR\|(3) or
+The \fIOSSL_PARAM\fR array passed to \fBEVP_KDF_derive\fR\|(3) or
\&\fBEVP_KDF_CTX_set_params\fR\|(3) must specify all of the parameters required.
-This \s-1KDF\s0 does not support a piecemeal approach to providing these.
+This KDF does not support a piecemeal approach to providing these.
.PP
-A context for a \s-1TLS 1.3 KDF\s0 can be obtained by calling:
+A context for a TLS 1.3 KDF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS13\-KDF", NULL);
\& EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
.Ve
.PP
-The output length of a \s-1TLS 1.3 KDF\s0 expand operation is specified via the
+The output length of a TLS 1.3 KDF expand operation is specified via the
\&\fIkeylen\fR parameter to the \fBEVP_KDF_derive\fR\|(3) function. When using
-\&\s-1EVP_KDF_HKDF_MODE_EXTRACT_ONLY\s0 the \fIkeylen\fR parameter must equal the size of
+EVP_KDF_HKDF_MODE_EXTRACT_ONLY the \fIkeylen\fR parameter must equal the size of
the intermediate fixed-length pseudorandom key otherwise an error will occur.
For that mode, the fixed output size can be looked up by calling
\&\fBEVP_KDF_CTX_get_kdf_size()\fR after setting the mode and digest on the
-\&\fB\s-1EVP_KDF_CTX\s0\fR.
+\&\fBEVP_KDF_CTX\fR.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 8446\s0
+RFC 8446
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3),
-\&\s-1\fBEVP_KDF\-HKDF\s0\fR\|(7)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3),
+\&\fBEVP_KDF\-HKDF\fR\|(7)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7
index efbaee1ffc8d..a8b7961570aa 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-TLS1_PRF.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,117 +52,89 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-TLS1_PRF 7ossl"
-.TH EVP_KDF-TLS1_PRF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-TLS1_PRF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-TLS1_PRF \- The TLS1 PRF EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing the \fB\s-1TLS1\s0\fR \s-1PRF\s0 through the \fB\s-1EVP_KDF\s0\fR \s-1API.\s0
+Support for computing the \fBTLS1\fR PRF through the \fBEVP_KDF\fR API.
+.PP
+The EVP_KDF\-TLS1_PRF algorithm implements the PRF used by TLS versions up to
+and including TLS 1.2.
.PP
-The \s-1EVP_KDF\-TLS1_PRF\s0 algorithm implements the \s-1PRF\s0 used by \s-1TLS\s0 versions up to
-and including \s-1TLS 1.2.\s0
-.SS "Identity"
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"\s-1TLS1\-PRF\*(R"\s0 is the name for this implementation; it
+"TLS1\-PRF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
.Sp
-The \fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR parameter is used to set the message digest
-associated with the \s-1TLS PRF.\s0
+The \fBOSSL_KDF_PARAM_DIGEST\fR parameter is used to set the message digest
+associated with the TLS PRF.
\&\fBEVP_md5_sha1()\fR is treated as a special case which uses the
-\&\s-1PRF\s0 algorithm using both \fB\s-1MD5\s0\fR and \fB\s-1SHA1\s0\fR as used in \s-1TLS 1.0\s0 and 1.1.
-.ie n .IP """secret"" (\fB\s-1OSSL_KDF_PARAM_SECRET\s0\fR) <octet string>" 4
-.el .IP "``secret'' (\fB\s-1OSSL_KDF_PARAM_SECRET\s0\fR) <octet string>" 4
-.IX Item "secret (OSSL_KDF_PARAM_SECRET) <octet string>"
-This parameter sets the secret value of the \s-1TLS PRF.\s0
+PRF algorithm using both \fBMD5\fR and \fBSHA1\fR as used in TLS 1.0 and 1.1.
+.IP """secret"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4
+.IX Item """secret"" (OSSL_KDF_PARAM_SECRET) <octet string>"
+This parameter sets the secret value of the TLS PRF.
Any existing secret value is replaced.
-.ie n .IP """seed"" (\fB\s-1OSSL_KDF_PARAM_SEED\s0\fR) <octet string>" 4
-.el .IP "``seed'' (\fB\s-1OSSL_KDF_PARAM_SEED\s0\fR) <octet string>" 4
-.IX Item "seed (OSSL_KDF_PARAM_SEED) <octet string>"
+.IP """seed"" (\fBOSSL_KDF_PARAM_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_KDF_PARAM_SEED) <octet string>"
This parameter sets the context seed.
The length of the context seed cannot exceed 1024 bytes;
-this should be more than enough for any normal use of the \s-1TLS PRF.\s0
-.SH "NOTES"
+this should be more than enough for any normal use of the TLS PRF.
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check"
+related parameter is set to 0 and the check fails.
+.IP """ems_check"" (\fBOSSL_KDF_PARAM_FIPS_EMS_CHECK\fR) <integer>" 4
+.IX Item """ems_check"" (OSSL_KDF_PARAM_FIPS_EMS_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_derive()\fR if
+"master secret" is used instead of "extended master secret" Setting this to zero
+will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if
+used digest is not approved.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.Sp
+According to SP 800\-135r1, the following are approved digest algorithms:
+SHA2\-256, SHA2\-384, SHA2\-512.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_SECRET\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-A context for the \s-1TLS PRF\s0 can be obtained by calling:
+A context for the TLS PRF can be obtained by calling:
.PP
.Vb 2
\& EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1\-PRF", NULL);
@@ -188,12 +144,12 @@ A context for the \s-1TLS PRF\s0 can be obtained by calling:
The digest, secret value and seed must be set before a key is derived otherwise
an error will occur.
.PP
-The output length of the \s-1PRF\s0 is specified by the \fIkeylen\fR parameter to the
+The output length of the PRF is specified by the \fIkeylen\fR parameter to the
\&\fBEVP_KDF_derive()\fR function.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R"
-and seed value \*(L"seed\*(R":
+This example derives 10 bytes using SHA\-256 with the secret key "secret"
+and seed value "seed":
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -219,23 +175,23 @@ and seed value \*(L"seed\*(R":
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 2246, RFC 5246\s0 and \s-1NIST SP 800\-135\s0 r1
+RFC 2246, RFC 5246 and NIST SP 800\-135 r1
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7
index 3455ae9798f1..2b428378c744 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-ASN1.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,146 +52,93 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-X942-ASN1 7ossl"
-.TH EVP_KDF-X942-ASN1 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-X942-ASN1 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-X942\-ASN1 \- The X9.42\-2003 asn1 EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP_KDF\-X942\-ASN1\s0 algorithm implements the key derivation function
-X942KDF\-ASN1. It is used by \s-1DH\s0 KeyAgreement, to derive a key using input such as
-a shared secret key and other info. The other info is \s-1DER\s0 encoded data that
-contains a 32 bit counter as well as optional fields for \*(L"partyu-info\*(R",
-\&\*(L"partyv-info\*(R", \*(L"supp-pubinfo\*(R" and \*(L"supp-privinfo\*(R".
-This kdf is used by Cryptographic Message Syntax (\s-1CMS\s0).
-.SS "Identity"
+The EVP_KDF\-X942\-ASN1 algorithm implements the key derivation function
+X942KDF\-ASN1. It is used by DH KeyAgreement, to derive a key using input such as
+a shared secret key and other info. The other info is DER encoded data that
+contains a 32 bit counter as well as optional fields for "partyu-info",
+"partyv-info", "supp-pubinfo" and "supp-privinfo".
+This kdf is used by Cryptographic Message Syntax (CMS).
+.PP
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"X942KDF\-ASN1\*(R" or \*(L"X942KDF\*(R" is the name for this implementation; it
+"X942KDF\-ASN1" or "X942KDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """secret"" (\fB\s-1OSSL_KDF_PARAM_SECRET\s0\fR) <octet string>" 4
-.el .IP "``secret'' (\fB\s-1OSSL_KDF_PARAM_SECRET\s0\fR) <octet string>" 4
-.IX Item "secret (OSSL_KDF_PARAM_SECRET) <octet string>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """secret"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4
+.IX Item """secret"" (OSSL_KDF_PARAM_SECRET) <octet string>"
The shared secret used for key derivation. This parameter sets the secret.
-.ie n .IP """acvp-info"" (\fB\s-1OSSL_KDF_PARAM_X942_ACVPINFO\s0\fR) <octet string>" 4
-.el .IP "``acvp-info'' (\fB\s-1OSSL_KDF_PARAM_X942_ACVPINFO\s0\fR) <octet string>" 4
-.IX Item "acvp-info (OSSL_KDF_PARAM_X942_ACVPINFO) <octet string>"
-This value should not be used in production and should only be used for \s-1ACVP\s0
-testing. It is an optional octet string containing a combined \s-1DER\s0 encoded blob
-of any of the optional fields related to \*(L"partyu-info\*(R", \*(L"partyv-info\*(R",
-\&\*(L"supp-pubinfo\*(R" and \*(L"supp-privinfo\*(R". If it is specified then none of these other
+.IP """acvp-info"" (\fBOSSL_KDF_PARAM_X942_ACVPINFO\fR) <octet string>" 4
+.IX Item """acvp-info"" (OSSL_KDF_PARAM_X942_ACVPINFO) <octet string>"
+This value should not be used in production and should only be used for ACVP
+testing. It is an optional octet string containing a combined DER encoded blob
+of any of the optional fields related to "partyu-info", "partyv-info",
+"supp-pubinfo" and "supp-privinfo". If it is specified then none of these other
fields should be used.
-.ie n .IP """partyu-info"" (\fB\s-1OSSL_KDF_PARAM_X942_PARTYUINFO\s0\fR) <octet string>" 4
-.el .IP "``partyu-info'' (\fB\s-1OSSL_KDF_PARAM_X942_PARTYUINFO\s0\fR) <octet string>" 4
-.IX Item "partyu-info (OSSL_KDF_PARAM_X942_PARTYUINFO) <octet string>"
+.IP """partyu-info"" (\fBOSSL_KDF_PARAM_X942_PARTYUINFO\fR) <octet string>" 4
+.IX Item """partyu-info"" (OSSL_KDF_PARAM_X942_PARTYUINFO) <octet string>"
An optional octet string containing public info contributed by the initiator.
-.ie n .IP """ukm"" (\fB\s-1OSSL_KDF_PARAM_UKM\s0\fR) <octet string>" 4
-.el .IP "``ukm'' (\fB\s-1OSSL_KDF_PARAM_UKM\s0\fR) <octet string>" 4
-.IX Item "ukm (OSSL_KDF_PARAM_UKM) <octet string>"
-An alias for \*(L"partyu-info\*(R".
-In \s-1CMS\s0 this is the user keying material.
-.ie n .IP """partyv-info"" (\fB\s-1OSSL_KDF_PARAM_X942_PARTYVINFO\s0\fR) <octet string>" 4
-.el .IP "``partyv-info'' (\fB\s-1OSSL_KDF_PARAM_X942_PARTYVINFO\s0\fR) <octet string>" 4
-.IX Item "partyv-info (OSSL_KDF_PARAM_X942_PARTYVINFO) <octet string>"
+.IP """ukm"" (\fBOSSL_KDF_PARAM_UKM\fR) <octet string>" 4
+.IX Item """ukm"" (OSSL_KDF_PARAM_UKM) <octet string>"
+An alias for "partyu-info".
+In CMS this is the user keying material.
+.IP """partyv-info"" (\fBOSSL_KDF_PARAM_X942_PARTYVINFO\fR) <octet string>" 4
+.IX Item """partyv-info"" (OSSL_KDF_PARAM_X942_PARTYVINFO) <octet string>"
An optional octet string containing public info contributed by the responder.
-.ie n .IP """supp-pubinfo"" (\fB\s-1OSSL_KDF_PARAM_X942_SUPP_PUBINFO\s0\fR) <octet string>" 4
-.el .IP "``supp-pubinfo'' (\fB\s-1OSSL_KDF_PARAM_X942_SUPP_PUBINFO\s0\fR) <octet string>" 4
-.IX Item "supp-pubinfo (OSSL_KDF_PARAM_X942_SUPP_PUBINFO) <octet string>"
+.IP """supp-pubinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PUBINFO\fR) <octet string>" 4
+.IX Item """supp-pubinfo"" (OSSL_KDF_PARAM_X942_SUPP_PUBINFO) <octet string>"
An optional octet string containing some additional, mutually-known public
-information. Setting this value also sets \*(L"use-keybits\*(R" to 0.
-.ie n .IP """use-keybits"" (\fB\s-1OSSL_KDF_PARAM_X942_USE_KEYBITS\s0\fR) <integer>" 4
-.el .IP "``use-keybits'' (\fB\s-1OSSL_KDF_PARAM_X942_USE_KEYBITS\s0\fR) <integer>" 4
-.IX Item "use-keybits (OSSL_KDF_PARAM_X942_USE_KEYBITS) <integer>"
-The default value of 1 will use the \s-1KEK\s0 key length (in bits) as the
-\&\*(L"supp-pubinfo\*(R". A value of 0 disables setting the \*(L"supp-pubinfo\*(R".
-.ie n .IP """supp-privinfo"" (\fB\s-1OSSL_KDF_PARAM_X942_SUPP_PRIVINFO\s0\fR) <octet string>" 4
-.el .IP "``supp-privinfo'' (\fB\s-1OSSL_KDF_PARAM_X942_SUPP_PRIVINFO\s0\fR) <octet string>" 4
-.IX Item "supp-privinfo (OSSL_KDF_PARAM_X942_SUPP_PRIVINFO) <octet string>"
+information. Setting this value also sets "use-keybits" to 0.
+.IP """use-keybits"" (\fBOSSL_KDF_PARAM_X942_USE_KEYBITS\fR) <integer>" 4
+.IX Item """use-keybits"" (OSSL_KDF_PARAM_X942_USE_KEYBITS) <integer>"
+The default value of 1 will use the KEK key length (in bits) as the
+"supp-pubinfo". A value of 0 disables setting the "supp-pubinfo".
+.IP """supp-privinfo"" (\fBOSSL_KDF_PARAM_X942_SUPP_PRIVINFO\fR) <octet string>" 4
+.IX Item """supp-privinfo"" (OSSL_KDF_PARAM_X942_SUPP_PRIVINFO) <octet string>"
An optional octet string containing some additional, mutually-known private
information.
-.ie n .IP """cekalg"" (\fB\s-1OSSL_KDF_PARAM_CEK_ALG\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cekalg'' (\fB\s-1OSSL_KDF_PARAM_CEK_ALG\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cekalg (OSSL_KDF_PARAM_CEK_ALG) <UTF8 string>"
-This parameter sets the \s-1CEK\s0 wrapping algorithm name.
-Valid values are \*(L"\s-1AES\-128\-WRAP\*(R", \*(L"AES\-192\-WRAP\*(R", \*(L"AES\-256\-WRAP\*(R"\s0 and \*(L"\s-1DES3\-WRAP\*(R".\s0
-.SH "NOTES"
+.IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <UTF8 string>" 4
+.IX Item """cekalg"" (OSSL_KDF_PARAM_CEK_ALG) <UTF8 string>"
+This parameter sets the CEK wrapping algorithm name.
+Valid values are "AES\-128\-WRAP", "AES\-192\-WRAP", "AES\-256\-WRAP" and "DES3\-WRAP".
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if "key-check"
+parameter is set to 0 and the check fails.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
A context for X942KDF can be obtained by calling:
.PP
@@ -218,9 +149,9 @@ A context for X942KDF can be obtained by calling:
.PP
The output length of an X942KDF is specified via the \fIkeylen\fR
parameter to the \fBEVP_KDF_derive\fR\|(3) function.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 24 bytes, with the secret key \*(L"secret\*(R" and random user
+This example derives 24 bytes, with the secret key "secret" and random user
keying material:
.PP
.Vb 5
@@ -254,25 +185,25 @@ keying material:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1ANS1 X9.42\-2003
-RFC 2631\s0
+ANS1 X9.42\-2003
+RFC 2631
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7
index 83f6acc90138..29e0e25a85e5 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X942-CONCAT.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,97 +52,37 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-X942-CONCAT 7ossl"
-.TH EVP_KDF-X942-CONCAT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-X942-CONCAT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-X942\-CONCAT \- The X942 Concat EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP_KDF\-X942\-CONCAT\s0 algorithm is identical to \s-1EVP_KDF\-X963.\s0 It is
+The EVP_KDF\-X942\-CONCAT algorithm is identical to EVP_KDF\-X963. It is
used for key agreement to derive a key using input such as a shared secret key
and shared info.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"X942KDF_CONCAT\*(R" is the name for this implementation; it
+"X942KDF_CONCAT" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.PP
-This is an alias for \*(L"X963KDF\*(R".
+This is an alias for "X963KDF".
.PP
-See \s-1\fBEVP_KDF\-X963\s0\fR\|(7) for a list of supported parameters and examples.
-.SH "HISTORY"
+See \fBEVP_KDF\-X963\fR\|(7) for a list of supported parameters and examples.
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7 b/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7
index 20c7a48de9ad..13268cdc6437 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KDF-X963.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,110 +52,76 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KDF-X963 7ossl"
-.TH EVP_KDF-X963 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KDF-X963 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KDF\-X963 \- The X9.63\-2001 EVP_KDF implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP_KDF\-X963\s0 algorithm implements the key derivation function (X963KDF).
-X963KDF is used by Cryptographic Message Syntax (\s-1CMS\s0) for \s-1EC\s0 KeyAgreement, to
+The EVP_KDF\-X963 algorithm implements the key derivation function (X963KDF).
+X963KDF is used by Cryptographic Message Syntax (CMS) for EC KeyAgreement, to
derive a key using input such as a shared secret key and shared info.
-.SS "Identity"
+.PP
+The output is considered to be keying material.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"X963KDF\*(R" is the name for this implementation; it
+"X963KDF" is the name for this implementation; it
can be used with the \fBEVP_KDF_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3).
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
+These parameters work as described in "PARAMETERS" in \fBEVP_KDF\fR\|(3).
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
The shared secret used for key derivation.
This parameter sets the secret.
-.ie n .IP """info"" (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.IX Item "info (OSSL_KDF_PARAM_INFO) <octet string>"
+.IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4
+.IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>"
This parameter specifies an optional value for shared info.
-.SH "NOTES"
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling EVP_KDF_derive. It returns 0 if any "***\-check"
+related parameter is set to 0 and the check fails.
+.IP """digest-check"" (\fBOSSL_KDF_PARAM_FIPS_DIGEST_CHECK\fR) <int>" 4
+.IX Item """digest-check"" (OSSL_KDF_PARAM_FIPS_DIGEST_CHECK) <int>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if
+used digest is not approved.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.Sp
+According to ANSI X9.63\-2001, the following are approved digest algorithms:
+SHA2\-224, SHA2\-256, SHA2\-384, SHA2\-512, SHA2\-512/224, SHA2\-512/256, SHA3\-224,
+SHA3\-256, SHA3\-384, SHA3\-512.
+.IP """key-check"" (\fBOSSL_KDF_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KDF_PARAM_FIPS_KEY_CHECK) <integer>"
+The default value of 1 causes an error during \fBEVP_KDF_CTX_set_params()\fR if the
+length of used key-derivation key (\fBOSSL_KDF_PARAM_KEY\fR) is shorter than 112
+bits.
+Setting this to zero will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-X963KDF is very similar to the \s-1SSKDF\s0 that uses a digest as the auxiliary function,
-X963KDF appends the counter to the secret, whereas \s-1SSKDF\s0 prepends the counter.
+X963KDF is very similar to the SSKDF that uses a digest as the auxiliary function,
+X963KDF appends the counter to the secret, whereas SSKDF prepends the counter.
.PP
A context for X963KDF can be obtained by calling:
.PP
@@ -182,10 +132,10 @@ A context for X963KDF can be obtained by calling:
.PP
The output length of an X963KDF is specified via the \fIkeylen\fR
parameter to the \fBEVP_KDF_derive\fR\|(3) function.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example derives 10 bytes, with the secret key \*(L"secret\*(R" and sharedinfo
-value \*(L"label\*(R":
+This example derives 10 bytes, with the secret key "secret" and sharedinfo
+value "label":
.PP
.Vb 4
\& EVP_KDF *kdf;
@@ -212,24 +162,24 @@ value \*(L"label\*(R":
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\*(L"\s-1SEC 1:\s0 Elliptic Curve Cryptography\*(R"
+"SEC 1: Elliptic Curve Cryptography"
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KDF\s0\fR\|(3),
+\&\fBEVP_KDF\fR\|(3),
\&\fBEVP_KDF_CTX_new\fR\|(3),
\&\fBEVP_KDF_CTX_free\fR\|(3),
\&\fBEVP_KDF_CTX_set_params\fR\|(3),
\&\fBEVP_KDF_CTX_get_kdf_size\fR\|(3),
\&\fBEVP_KDF_derive\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_KDF\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_KDF\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7
new file mode 100644
index 000000000000..1845863ab8a0
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_KEM-EC.7
@@ -0,0 +1,128 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_KEM-EC 7ossl"
+.TH EVP_KEM-EC 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_KEM\-EC
+\&\- EVP_KEM EC keytype and algorithm support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBEC\fR keytype and its parameters are described in \fBEVP_PKEY\-EC\fR\|(7).
+See \fBEVP_PKEY_encapsulate\fR\|(3) and \fBEVP_PKEY_decapsulate\fR\|(3) for more info.
+.SS "EC KEM parameters"
+.IX Subsection "EC KEM parameters"
+.IP """operation"" (\fBOSSL_KEM_PARAM_OPERATION\fR)<UTF8 string>" 4
+.IX Item """operation"" (OSSL_KEM_PARAM_OPERATION)<UTF8 string>"
+The OpenSSL EC Key Encapsulation Mechanisms only supports the
+following default operation (operating mode):
+.RS 4
+.IP """DHKEM"" (\fBOSSL_KEM_PARAM_OPERATION_DHKEM\fR)" 4
+.IX Item """DHKEM"" (OSSL_KEM_PARAM_OPERATION_DHKEM)"
+The encapsulate function generates an ephemeral keypair. It produces keymaterial
+by doing an ECDH key exchange using the ephemeral private key and a supplied
+recipient public key. A HKDF operation using the keymaterial and a kem context
+then produces a shared secret. The shared secret and the ephemeral public key
+are returned.
+The decapsulate function uses the recipient private key and the
+ephemeral public key to produce the same keymaterial, which can then be used to
+produce the same shared secret.
+See <https://www.rfc\-editor.org/rfc/rfc9180.html#name\-dh\-based\-kem\-dhkem>
+.RE
+.RS 4
+.Sp
+This can be set using either \fBEVP_PKEY_CTX_set_kem_op()\fR or
+\&\fBEVP_PKEY_CTX_set_params()\fR.
+.RE
+.IP """ikme"" (\fBOSSL_KEM_PARAM_IKME\fR) <octet string>" 4
+.IX Item """ikme"" (OSSL_KEM_PARAM_IKME) <octet string>"
+Used to specify the key material used for generation of the ephemeral key.
+This value should not be reused for other purposes.
+It can only be used for the curves "P\-256", "P\-384" and "P\-521" and should
+have a length of at least the size of the encoded private key
+(i.e. 32, 48 and 66 for the listed curves).
+If this value is not set, then a random ikm is used.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+.IP RFC9180 4
+.IX Item "RFC9180"
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_PKEY_CTX_set_kem_op\fR\|(3),
+\&\fBEVP_PKEY_encapsulate\fR\|(3),
+\&\fBEVP_PKEY_decapsulate\fR\|(3)
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
+\&\fBprovider\-keymgmt\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.2.
+.PP
+The \f(CW\*(C`operation\*(C'\fR (operating mode) was a required parameter prior to OpenSSL 3.5.
+As of OpenSSL 3.5, \f(CW\*(C`DHKEM\*(C'\fR is the default operating mode, and no explicit value
+need be specified.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7
new file mode 100644
index 000000000000..b5c7ce4c44cf
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_KEM-ML-KEM.7
@@ -0,0 +1,108 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_KEM-ML-KEM 7ossl"
+.TH EVP_KEM-ML-KEM 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_KEM\-ML\-KEM\-512, EVP_KEM\-ML\-KEM\-768, EVP_KEM\-ML\-KEM\-1024, EVP_KEM\-ML\-KEM
+\&\- EVP_KEM ML\-KEM keytype and algorithm support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBML-KEM\fR keytypes and parameters are described in \fBEVP_PKEY\-ML\-KEM\fR\|(7).
+See \fBEVP_PKEY_encapsulate\fR\|(3) and \fBEVP_PKEY_decapsulate\fR\|(3) for more details
+about basic KEM operations.
+.SS "ML-KEM KEM parameters"
+.IX Subsection "ML-KEM KEM parameters"
+.IP """ikme"" (\fBOSSL_KEM_PARAM_IKME\fR) <octet string>" 4
+.IX Item """ikme"" (OSSL_KEM_PARAM_IKME) <octet string>"
+The OpenSSL ML-KEM encapsulation mechanism can only be modified by
+setting randomness during encapsulation, this enables testing, as per
+FIPS 203, section 6.2, algorithm 17.
+.Sp
+This parameter should not be used for purposes other than testing.
+.Sp
+When this parameter is not set, encapsulation proceeds as per FIPS 203,
+section 7.2
+.Sp
+This parameter is only settable.
+.PP
+This can be set when using \fBEVP_PKEY_encapsulate_init()\fR.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+.IP FIPS203 4
+.IX Item "FIPS203"
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_PKEY_encapsulate\fR\|(3),
+\&\fBEVP_PKEY_decapsulate\fR\|(3),
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
+\&\fBprovider\-keymgmt\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7
index 992a588f488c..43d2720af9a5 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KEM-RSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,122 +52,71 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEM-RSA 7ossl"
-.TH EVP_KEM-RSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEM-RSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEM\-RSA
\&\- EVP_KEM RSA keytype and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1RSA\s0\fR keytype and its parameters are described in \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7).
+The \fBRSA\fR keytype and its parameters are described in \fBEVP_PKEY\-RSA\fR\|(7).
See \fBEVP_PKEY_encapsulate\fR\|(3) and \fBEVP_PKEY_decapsulate\fR\|(3) for more info.
-.SS "\s-1RSA KEM\s0 parameters"
+.SS "RSA KEM parameters"
.IX Subsection "RSA KEM parameters"
-.ie n .IP """operation"" (\fB\s-1OSSL_KEM_PARAM_OPERATION\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``operation'' (\fB\s-1OSSL_KEM_PARAM_OPERATION\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "operation (OSSL_KEM_PARAM_OPERATION) <UTF8 string>"
-The OpenSSL \s-1RSA\s0 Key Encapsulation Mechanism only currently supports the
-following operation
+.IP """operation"" (\fBOSSL_KEM_PARAM_OPERATION\fR) <UTF8 string>" 4
+.IX Item """operation"" (OSSL_KEM_PARAM_OPERATION) <UTF8 string>"
+The OpenSSL RSA Key Encapsulation Mechanism only currently supports the
+following default operation (operating mode):
.RS 4
-.ie n .IP """\s-1RSASVE""\s0" 4
-.el .IP "``\s-1RSASVE''\s0" 4
-.IX Item "RSASVE"
+.IP """RSASVE""" 4
+.IX Item """RSASVE"""
The encapsulate function simply generates a secret using random bytes and then
-encrypts the secret using the \s-1RSA\s0 public key (with no padding).
-The decapsulate function recovers the secret using the \s-1RSA\s0 private key.
+encrypts the secret using the RSA public key (with no padding).
+The decapsulate function recovers the secret using the RSA private key.
.RE
.RS 4
.Sp
This can be set using \fBEVP_PKEY_CTX_set_kem_op()\fR.
.RE
+.IP """fips-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD 0
+.IP """key-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KEM_PARAM_FIPS_KEY_CHECK) <integer>"
+.PD
+These parameters are described in \fBprovider\-kem\fR\|(7).
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-.IP "SP800\-56Br2" 4
+.IP SP800\-56Br2 4
.IX Item "SP800-56Br2"
-Section 7.2.1.2 \s-1RSASVE\s0 Generate Operation (\s-1RSASVE.GENERATE\s0).
-Section 7.2.1.3 \s-1RSASVE\s0 Recovery Operation (\s-1RSASVE.RECOVER\s0).
+Section 7.2.1.2 RSASVE Generate Operation (RSASVE.GENERATE).
+Section 7.2.1.3 RSASVE Recovery Operation (RSASVE.RECOVER).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_set_kem_op\fR\|(3),
\&\fBEVP_PKEY_encapsulate\fR\|(3),
\&\fBEVP_PKEY_decapsulate\fR\|(3)
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3),
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keymgmt\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+The \f(CW\*(C`operation\*(C'\fR (operating mode) was a required parameter prior to OpenSSL 3.5.
+As of OpenSSL 3.5, \f(CW\*(C`RSASVE\*(C'\fR is the default operating mode, and no explicit
+value need be specified.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7
new file mode 100644
index 000000000000..b6433f607a57
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_KEM-X25519.7
@@ -0,0 +1,127 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_KEM-X25519 7ossl"
+.TH EVP_KEM-X25519 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_KEM\-X25519, EVP_KEM\-X448
+\&\- EVP_KEM X25519 and EVP_KEM X448 keytype and algorithm support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBX25519\fR and <X448> keytype and its parameters are described in
+\&\fBEVP_PKEY\-X25519\fR\|(7).
+See \fBEVP_PKEY_encapsulate\fR\|(3) and \fBEVP_PKEY_decapsulate\fR\|(3) for more info.
+.SS "X25519 and X448 KEM parameters"
+.IX Subsection "X25519 and X448 KEM parameters"
+.IP """operation"" (\fBOSSL_KEM_PARAM_OPERATION\fR)<UTF8 string>" 4
+.IX Item """operation"" (OSSL_KEM_PARAM_OPERATION)<UTF8 string>"
+The OpenSSL X25519 and X448 Key Encapsulation Mechanisms only support the
+following default operation (operating mode):
+.RS 4
+.IP """DHKEM"" (\fBOSSL_KEM_PARAM_OPERATION_DHKEM\fR)" 4
+.IX Item """DHKEM"" (OSSL_KEM_PARAM_OPERATION_DHKEM)"
+The encapsulate function generates an ephemeral keypair. It produces keymaterial
+by doing an X25519 or X448 key exchange using the ephemeral private key and a
+supplied recipient public key. A HKDF operation using the keymaterial and a kem
+context then produces a shared secret. The shared secret and the ephemeral
+public key are returned.
+The decapsulate function uses the recipient private key and the
+ephemeral public key to produce the same keymaterial, which can then be used to
+produce the same shared secret.
+See <https://www.rfc\-editor.org/rfc/rfc9180.html#name\-dh\-based\-kem\-dhkem>
+.RE
+.RS 4
+.Sp
+This can be set using either \fBEVP_PKEY_CTX_set_kem_op()\fR or
+\&\fBEVP_PKEY_CTX_set_params()\fR.
+.RE
+.IP """ikme"" (\fBOSSL_KEM_PARAM_IKME\fR) <octet string>" 4
+.IX Item """ikme"" (OSSL_KEM_PARAM_IKME) <octet string>"
+Used to specify the key material used for generation of the ephemeral key.
+This value should not be reused for other purposes.
+It should have a length of at least 32 for X25519, and 56 for X448.
+If this value is not set, then a random ikm is used.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+.IP RFC9180 4
+.IX Item "RFC9180"
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_PKEY_CTX_set_kem_op\fR\|(3),
+\&\fBEVP_PKEY_encapsulate\fR\|(3),
+\&\fBEVP_PKEY_decapsulate\fR\|(3)
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
+\&\fBprovider\-keymgmt\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.2.
+.PP
+The \f(CW\*(C`operation\*(C'\fR (operating mode) was a required parameter prior to OpenSSL 3.5.
+As of OpenSSL 3.5, \f(CW\*(C`DHKEM\*(C'\fR is the default operating mode, and no explicit value
+need be specified.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7
index 5bd029857a40..790a7f6ec666 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-DH.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEYEXCH-DH 7ossl"
-.TH EVP_KEYEXCH-DH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEYEXCH-DH 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEYEXCH\-DH
\&\- DH Key Exchange algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Key exchange support for the \fB\s-1DH\s0\fR key type.
-.SS "\s-1DH\s0 key exchange parameters"
-.IX Subsection "DH key exchange parameters"
-.ie n .IP """pad"" (\fB\s-1OSSL_EXCHANGE_PARAM_PAD\s0\fR) <unsigned integer>" 4
-.el .IP "``pad'' (\fB\s-1OSSL_EXCHANGE_PARAM_PAD\s0\fR) <unsigned integer>" 4
-.IX Item "pad (OSSL_EXCHANGE_PARAM_PAD) <unsigned integer>"
+Key exchange support for the \fBDH\fR and \fBDHX\fR key types.
+.PP
+Please note that although both key types support the same key exchange
+operations, they cannot be used together in a single key exchange. It
+is not possible to use a private key of the \fBDH\fR type in key exchange
+with the public key of \fBDHX\fR type and vice versa.
+.SS "DH and DHX key exchange parameters"
+.IX Subsection "DH and DHX key exchange parameters"
+.IP """pad"" (\fBOSSL_EXCHANGE_PARAM_PAD\fR) <unsigned integer>" 4
+.IX Item """pad"" (OSSL_EXCHANGE_PARAM_PAD) <unsigned integer>"
Sets the padding mode for the associated key exchange ctx.
Setting a value of 1 will turn padding on.
Setting a value of 0 will turn padding off.
@@ -156,38 +84,36 @@ If padding is on then the derived shared secret will have its first bytes
filled with zeros where necessary to make the shared secret the same size as
the largest possible secret size.
The padding mode parameter is ignored (and padding implicitly enabled) when
-the \s-1KDF\s0 type is set to \*(L"X942KDF\-ASN1\*(R" (\fB\s-1OSSL_KDF_NAME_X942KDF_ASN1\s0\fR).
-.ie n .IP """kdf-type"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-type'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-type (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-digest"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-digest'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-digest (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-digest-props"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-digest-props'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-digest-props (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-outlen"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_OUTLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``kdf-outlen'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_OUTLEN\s0\fR) <unsigned integer>" 4
-.IX Item "kdf-outlen (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-ukm"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string>" 4
-.el .IP "``kdf-ukm'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string>" 4
-.IX Item "kdf-ukm (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """cekalg"" (\fB\s-1OSSL_KDF_PARAM_CEK_ALG\s0\fR) <octet string ptr>" 4
-.el .IP "``cekalg'' (\fB\s-1OSSL_KDF_PARAM_CEK_ALG\s0\fR) <octet string ptr>" 4
-.IX Item "cekalg (OSSL_KDF_PARAM_CEK_ALG) <octet string ptr>"
-See \*(L"\s-1KDF\s0 Parameters\*(R" in \fBprovider\-kdf\fR\|(7).
-.SH "EXAMPLES"
+the KDF type is set to "X942KDF\-ASN1" (\fBOSSL_KDF_NAME_X942KDF_ASN1\fR).
+.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4
+.IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>"
+.PD 0
+.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4
+.IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>"
+.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>"
+.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4
+.IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>"
+.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4
+.IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>"
+.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>"
+.IP """digest-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>"
+.PD
+See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7).
+.IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <octet string ptr>" 4
+.IX Item """cekalg"" (OSSL_KDF_PARAM_CEK_ALG) <octet string ptr>"
+See "KDF Parameters" in \fBprovider\-kdf\fR\|(7).
+.SH EXAMPLES
.IX Header "EXAMPLES"
The examples assume a host and peer both generate keys using the same
-named group (or domain parameters). See \*(L"Examples\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7).
+named group (or domain parameters). See "Examples" in \fBEVP_PKEY\-DH\fR\|(7).
Both the host and peer transfer their public key to each other.
.PP
-To convert the peer's generated key pair to a public key in \s-1DER\s0 format in order
+To convert the peer's generated key pair to a public key in DER format in order
to transfer to the host:
.PP
.Vb 3
@@ -200,7 +126,7 @@ to transfer to the host:
\& OPENSSL_free(peer_pub_der);
.Ve
.PP
-To convert the received peer's public key from \s-1DER\s0 format on the host:
+To convert the received peer's public key from DER format on the host:
.PP
.Vb 4
\& const unsigned char *pd = peer_pub_der;
@@ -246,18 +172,18 @@ Very similar code can be used by the peer to derive the same shared secret
using the host's public key and the peer's generated key pair.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-DH\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-FFC\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-FFC\fR\|(7),
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keyexch\fR\|(7),
\&\fBprovider\-keymgmt\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7),
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7
index 7d3198f97944..15065f315ac7 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-ECDH.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEYEXCH-ECDH 7ossl"
-.TH EVP_KEYEXCH-ECDH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEYEXCH-ECDH 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEYEXCH\-ECDH \- ECDH Key Exchange algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Key exchange support for the \fB\s-1ECDH\s0\fR key type.
-.SS "\s-1ECDH\s0 Key Exchange parameters"
+Key exchange support for the \fBECDH\fR key type.
+.SS "ECDH Key Exchange parameters"
.IX Subsection "ECDH Key Exchange parameters"
-.ie n .IP """ecdh-cofactor-mode"" (\fB\s-1OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\s0\fR) <integer>" 4
-.el .IP "``ecdh-cofactor-mode'' (\fB\s-1OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\s0\fR) <integer>" 4
-.IX Item "ecdh-cofactor-mode (OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE) <integer>"
-Sets or gets the \s-1ECDH\s0 mode of operation for the associated key exchange ctx.
+.IP """ecdh-cofactor-mode"" (\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR) <integer>" 4
+.IX Item """ecdh-cofactor-mode"" (OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE) <integer>"
+Sets or gets the ECDH mode of operation for the associated key exchange ctx.
.Sp
In the context of an Elliptic Curve Diffie-Hellman key exchange, this parameter
-can be used to select between the plain Diffie-Hellman (\s-1DH\s0) or Cofactor
-Diffie-Hellman (\s-1CDH\s0) variants of the key exchange algorithm.
+can be used to select between the plain Diffie-Hellman (DH) or Cofactor
+Diffie-Hellman (CDH) variants of the key exchange algorithm.
.Sp
When setting, the value should be 1, 0 or \-1, respectively forcing cofactor mode
on, off, or resetting it to the default for the private key associated with the
@@ -160,35 +83,49 @@ When getting, the value should be either 1 or 0, respectively signaling if the
cofactor mode is on or off.
.Sp
See also \fBprovider\-keymgmt\fR\|(7) for the related
-\&\fB\s-1OSSL_PKEY_PARAM_USE_COFACTOR_ECDH\s0\fR parameter that can be set on a
+\&\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR parameter that can be set on a
per-key basis.
-.ie n .IP """kdf-type"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-type'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-type (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-digest"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-digest'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-digest (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-digest-props"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-digest-props'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-digest-props (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-outlen"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_OUTLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``kdf-outlen'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_OUTLEN\s0\fR) <unsigned integer>" 4
-.IX Item "kdf-outlen (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.ie n .IP """kdf-ukm"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string>" 4
-.el .IP "``kdf-ukm'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string>" 4
-.IX Item "kdf-ukm (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.SH "EXAMPLES"
+.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4
+.IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>"
+.PD 0
+.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4
+.IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>"
+.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>"
+.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4
+.IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>"
+.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4
+.IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>"
+.PD
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD 0
+.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>"
+.IP """digest-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>"
+.PD
+See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7).
+.IP """ecdh-cofactor-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK\fR) <integer>" 4
+.IX Item """ecdh-cofactor-check"" (OSSL_EXCHANGE_PARAM_FIPS_ECDH_COFACTOR_CHECK) <integer>"
+If required this parameter should before \fBOSSL_FUNC_keyexch_derive()\fR.
+The default value of 1 causes an error during the OSSL_FUNC_keyexch_derive if
+the EC curve has a cofactor that is not 1, and the cofactor is not used.
+Setting this to 0 will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH EXAMPLES
.IX Header "EXAMPLES"
+Examples of key agreement can be found in demos/keyexch.
+.PP
Keys for the host and peer must be generated as shown in
-\&\*(L"Examples\*(R" in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7) using the same curve name.
+"Examples" in \fBEVP_PKEY\-EC\fR\|(7) using the same curve name.
.PP
The code to generate a shared secret for the normal case is identical to
-\&\*(L"Examples\*(R" in \s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7).
+"Examples" in \fBEVP_KEYEXCH\-DH\fR\|(7).
.PP
To derive a shared secret on the host using the host's key and the peer's public
key but also using X963KDF with a user key material:
@@ -228,17 +165,17 @@ key but also using X963KDF with a user key material:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-EC\s0\fR\|(7)
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-EC\fR\|(7)
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keyexch\fR\|(7),
\&\fBprovider\-keymgmt\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7),
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7
index f46f0f08402b..fea366da1d37 100644
--- a/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7
+++ b/secure/lib/libcrypto/man/man7/EVP_KEYEXCH-X25519.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,54 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_KEYEXCH-X25519 7ossl"
-.TH EVP_KEYEXCH-X25519 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_KEYEXCH-X25519 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_KEYEXCH\-X25519,
EVP_KEYEXCH\-X448
\&\- X25519 and X448 Key Exchange algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Key exchange support for the \fBX25519\fR and \fBX448\fR key types.
.SS "Key exchange parameters"
.IX Subsection "Key exchange parameters"
-.ie n .IP """pad"" (\fB\s-1OSSL_EXCHANGE_PARAM_PAD\s0\fR) <unsigned integer>" 4
-.el .IP "``pad'' (\fB\s-1OSSL_EXCHANGE_PARAM_PAD\s0\fR) <unsigned integer>" 4
-.IX Item "pad (OSSL_EXCHANGE_PARAM_PAD) <unsigned integer>"
-See \*(L"Common Key Exchange parameters\*(R" in \fBprovider\-keyexch\fR\|(7).
-.SH "EXAMPLES"
+.IP """pad"" (\fBOSSL_EXCHANGE_PARAM_PAD\fR) <unsigned integer>" 4
+.IX Item """pad"" (OSSL_EXCHANGE_PARAM_PAD) <unsigned integer>"
+.PD 0
+.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD
+\&\fBX25519\fR and \fBX448\fR are not FIPS approved in FIPS 140\-3.
+So this getter will return 0.
+.Sp
+See "Common Key Exchange parameters" in \fBprovider\-keyexch\fR\|(7).
+.SH EXAMPLES
.IX Header "EXAMPLES"
Keys for the host and peer can be generated as shown in
-\&\*(L"Examples\*(R" in \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7).
+"Examples" in \fBEVP_PKEY\-X25519\fR\|(7).
.PP
The code to generate a shared secret is identical to
-\&\*(L"Examples\*(R" in \s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7).
+"Examples" in \fBEVP_KEYEXCH\-DH\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-FFC\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-DH\s0\fR\|(7)
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-FFC\fR\|(7),
+\&\fBEVP_PKEY\-DH\fR\|(7)
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keyexch\fR\|(7),
\&\fBprovider\-keymgmt\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7),
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7
index 7fb0643f8f81..c264b84a85d6 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-BLAKE2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,146 +52,80 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-BLAKE2 7ossl"
-.TH EVP_MAC-BLAKE2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-BLAKE2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-BLAKE2, EVP_MAC\-BLAKE2BMAC, EVP_MAC\-BLAKE2SMAC
\&\- The BLAKE2 EVP_MAC implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1BLAKE2\s0 MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing BLAKE2 MACs through the \fBEVP_MAC\fR API.
+.SS Identity
.IX Subsection "Identity"
These implementations are identified with one of these names and
properties, to be used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1BLAKE2BMAC"",\s0 ""provider=default""" 4
-.el .IP "``\s-1BLAKE2BMAC'',\s0 ``provider=default''" 4
-.IX Item "BLAKE2BMAC, provider=default"
+.IP """BLAKE2BMAC"", ""provider=default""" 4
+.IX Item """BLAKE2BMAC"", ""provider=default"""
.PD 0
-.ie n .IP """\s-1BLAKE2SMAC"",\s0 ""provider=default""" 4
-.el .IP "``\s-1BLAKE2SMAC'',\s0 ``provider=default''" 4
-.IX Item "BLAKE2SMAC, provider=default"
+.IP """BLAKE2SMAC"", ""provider=default""" 4
+.IX Item """BLAKE2SMAC"", ""provider=default"""
.PD
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
-All these parameters can be set with \fBEVP_MAC_CTX_set_params()\fR.
-Furthermore, the \*(L"size\*(R" parameter can be retrieved with
+All these parameters (except for "block-size") can be set with
+\&\fBEVP_MAC_CTX_set_params()\fR.
+Furthermore, the "size" parameter can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter should not exceed that of a \fBsize_t\fR.
-Likewise, the \*(L"block-size\*(R" parameter can be retrieved with
+The length of the "size" parameter should not exceed that of a \fBsize_t\fR.
+Likewise, the "block-size" parameter can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_block_size()\fR.
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
-It may be at most 64 bytes for \s-1BLAKE2BMAC\s0 or 32 for \s-1BLAKE2SMAC\s0 and at
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
+It may be at most 64 bytes for BLAKE2BMAC or 32 for BLAKE2SMAC and at
least 1 byte in both cases.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
-.ie n .IP """custom"" (\fB\s-1OSSL_MAC_PARAM_CUSTOM\s0\fR) <octet string>" 4
-.el .IP "``custom'' (\fB\s-1OSSL_MAC_PARAM_CUSTOM\s0\fR) <octet string>" 4
-.IX Item "custom (OSSL_MAC_PARAM_CUSTOM) <octet string>"
-Sets the custom value.
-It is an optional value of at most 16 bytes for \s-1BLAKE2BMAC\s0 or 8 for
-\&\s-1BLAKE2SMAC,\s0 and is empty by default.
-.ie n .IP """salt"" (\fB\s-1OSSL_MAC_PARAM_SALT\s0\fR) <octet string>" 4
-.el .IP "``salt'' (\fB\s-1OSSL_MAC_PARAM_SALT\s0\fR) <octet string>" 4
-.IX Item "salt (OSSL_MAC_PARAM_SALT) <octet string>"
+.IP """custom"" (\fBOSSL_MAC_PARAM_CUSTOM\fR) <octet string>" 4
+.IX Item """custom"" (OSSL_MAC_PARAM_CUSTOM) <octet string>"
+Sets the customization/personalization string.
+It is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for
+BLAKE2SMAC, and is empty by default.
+.IP """salt"" (\fBOSSL_MAC_PARAM_SALT\fR) <octet string>" 4
+.IX Item """salt"" (OSSL_MAC_PARAM_SALT) <octet string>"
Sets the salt.
-It is an optional value of at most 16 bytes for \s-1BLAKE2BMAC\s0 or 8 for
-\&\s-1BLAKE2SMAC,\s0 and is empty by default.
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Sets the \s-1MAC\s0 size.
-It can be any number between 1 and 32 for \s-1EVP_MAC_BLAKE2S\s0 or between 1
-and 64 for \s-1EVP_MAC_BLAKE2B.\s0
+It is an optional value of at most 16 bytes for BLAKE2BMAC or 8 for
+BLAKE2SMAC, and is empty by default.
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+Sets the MAC size.
+It can be any number between 1 and 32 for EVP_MAC_BLAKE2S or between 1
+and 64 for EVP_MAC_BLAKE2B.
It is 32 and 64 respectively by default.
-.ie n .IP """block-size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``block-size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "block-size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Gets the \s-1MAC\s0 block size.
-By default, it is 64 for \s-1EVP_MAC_BLAKE2S\s0 and 128 for \s-1EVP_MAC_BLAKE2B.\s0
+.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>"
+Gets the MAC block size.
+It is 64 for EVP_MAC_BLAKE2S and 128 for EVP_MAC_BLAKE2B.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "HISTORY"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The macros and functions described here were added to OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7
index 1deecd76353f..e864a8f407a3 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-CMAC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,132 +52,85 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-CMAC 7ossl"
-.TH EVP_MAC-CMAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-CMAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-CMAC \- The CMAC EVP_MAC implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1CMAC\s0 MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
+Support for computing CMAC MACs through the \fBEVP_MAC\fR API.
.PP
-This implementation uses \s-1EVP_CIPHER\s0 functions to get access to the underlying
+This implementation uses EVP_CIPHER functions to get access to the underlying
cipher.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
This implementation is identified with this name and properties, to be
used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1CMAC"",\s0 ""provider=default"" or ""provider=fips""" 4
-.el .IP "``\s-1CMAC'',\s0 ``provider=default'' or ``provider=fips''" 4
-.IX Item "CMAC, provider=default or provider=fips"
+.IP """CMAC"", ""provider=default"" or ""provider=fips""" 4
+.IX Item """CMAC"", ""provider=default"" or ""provider=fips"""
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
The following parameter can be set with \fBEVP_MAC_CTX_set_params()\fR:
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
-.ie n .IP """cipher"" (\fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_MAC_PARAM_CIPHER) <UTF8 string>"
-Sets the name of the underlying cipher to be used.
-.ie n .IP """properties"" (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_MAC_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_MAC_PARAM_CIPHER) <UTF8 string>"
+Sets the name of the underlying cipher to be used. The mode of the cipher
+must be CBC.
+.IP """properties"" (\fBOSSL_MAC_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
Sets the properties to be queried when trying to fetch the underlying cipher.
This must be given together with the cipher naming parameter to be considered
valid.
+.IP """encrypt-check"" (\fBOSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK\fR) <integer>" 4
+.IX Item """encrypt-check"" (OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK) <integer>"
+This option is used by the OpenSSL FIPS provider.
+If required this parameter should be set before \fBEVP_MAC_init()\fR
+.Sp
+The default value of 1 causes an error when a unapproved Triple-DES encryption
+operation is triggered.
+Setting this to 0 will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.PP
The following parameters can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR:
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-The \*(L"size\*(R" parameter can also be retrieved with with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter is equal to that of an \fBunsigned int\fR.
-.ie n .IP """block-size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``block-size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "block-size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Gets the \s-1MAC\s0 block size. The \*(L"block-size\*(R" parameter can also be retrieved with
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+The "size" parameter can also be retrieved with with \fBEVP_MAC_CTX_get_mac_size()\fR.
+The length of the "size" parameter is equal to that of an \fBunsigned int\fR.
+.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>"
+Gets the MAC block size. The "block-size" parameter can also be retrieved with
\&\fBEVP_MAC_CTX_get_block_size()\fR.
+.IP """fips-indicator"" (\fBOSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+This option is used by the OpenSSL FIPS provider.
+.Sp
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling \fBEVP_MAC_final()\fR.
+It may return 0 if the "encrypt-check" option is set to 0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7
index a3b6ffef7cf0..d686950c32d4 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-GMAC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,133 +52,67 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-GMAC 7ossl"
-.TH EVP_MAC-GMAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-GMAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-GMAC \- The GMAC EVP_MAC implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1GMAC\s0 MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
+Support for computing GMAC MACs through the \fBEVP_MAC\fR API.
.PP
-This implementation uses \s-1EVP_CIPHER\s0 functions to get access to the underlying
+This implementation uses EVP_CIPHER functions to get access to the underlying
cipher.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
This implementation is identified with this name and properties, to be
used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1GMAC"",\s0 ""provider=default"" or ""provider=fips""" 4
-.el .IP "``\s-1GMAC'',\s0 ``provider=default'' or ``provider=fips''" 4
-.IX Item "GMAC, provider=default or provider=fips"
+.IP """GMAC"", ""provider=default"" or ""provider=fips""" 4
+.IX Item """GMAC"", ""provider=default"" or ""provider=fips"""
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
The following parameter can be set with \fBEVP_MAC_CTX_set_params()\fR:
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
-.ie n .IP """iv"" (\fB\s-1OSSL_MAC_PARAM_IV\s0\fR) <octet string>" 4
-.el .IP "``iv'' (\fB\s-1OSSL_MAC_PARAM_IV\s0\fR) <octet string>" 4
-.IX Item "iv (OSSL_MAC_PARAM_IV) <octet string>"
-Sets the \s-1IV\s0 of the underlying cipher, when applicable.
-.ie n .IP """cipher"" (\fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_MAC_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_MAC_PARAM_CIPHER) <UTF8 string>"
+.IP """iv"" (\fBOSSL_MAC_PARAM_IV\fR) <octet string>" 4
+.IX Item """iv"" (OSSL_MAC_PARAM_IV) <octet string>"
+Sets the IV of the underlying cipher, when applicable.
+.IP """cipher"" (\fBOSSL_MAC_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_MAC_PARAM_CIPHER) <UTF8 string>"
Sets the name of the underlying cipher to be used.
-.ie n .IP """properties"" (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_MAC_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
Sets the properties to be queried when trying to fetch the underlying cipher.
This must be given together with the cipher naming parameter to be considered
valid.
.PP
The following parameters can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR:
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Gets the \s-1MAC\s0 size.
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+Gets the MAC size.
.PP
-The \*(L"size\*(R" parameter can also be retrieved with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter is equal to that of an \fBunsigned int\fR.
+The "size" parameter can also be retrieved with \fBEVP_MAC_CTX_get_mac_size()\fR.
+The length of the "size" parameter is equal to that of an \fBunsigned int\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7
index 8ab1d90ec2e8..bb580008054b 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-HMAC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,145 +52,88 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-HMAC 7ossl"
-.TH EVP_MAC-HMAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-HMAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-HMAC \- The HMAC EVP_MAC implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1HMAC\s0 MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
+Support for computing HMAC MACs through the \fBEVP_MAC\fR API.
.PP
-This implementation uses \s-1EVP_MD\s0 functions to get access to the underlying
+This implementation uses EVP_MD functions to get access to the underlying
digest.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
This implementation is identified with this name and properties, to be
used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1HMAC"",\s0 ""provider=default"" or ""provider=fips""" 4
-.el .IP "``\s-1HMAC'',\s0 ``provider=default'' or ``provider=fips''" 4
-.IX Item "HMAC, provider=default or provider=fips"
+.IP """HMAC"", ""provider=default"" or ""provider=fips""" 4
+.IX Item """HMAC"", ""provider=default"" or ""provider=fips"""
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
-The following parameter can be set with \fBEVP_MAC_CTX_set_params()\fR:
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
+The following parameters can be set with \fBEVP_MAC_CTX_set_params()\fR:
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
-.ie n .IP """digest"" (\fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_MAC_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_MAC_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_MAC_PARAM_DIGEST) <UTF8 string>"
Sets the name of the underlying digest to be used.
-.ie n .IP """properties"" (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_MAC_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_MAC_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_MAC_PARAM_PROPERTIES) <UTF8 string>"
Sets the properties to be queried when trying to fetch the underlying digest.
-This must be given together with the digest naming parameter (\*(L"digest\*(R", or
-\&\fB\s-1OSSL_MAC_PARAM_DIGEST\s0\fR) to be considered valid.
-.ie n .IP """digest-noinit"" (\fB\s-1OSSL_MAC_PARAM_DIGEST_NOINIT\s0\fR) <integer>" 4
-.el .IP "``digest-noinit'' (\fB\s-1OSSL_MAC_PARAM_DIGEST_NOINIT\s0\fR) <integer>" 4
-.IX Item "digest-noinit (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>"
-A flag to set the \s-1MAC\s0 digest to not initialise the implementation
+This must be given together with the digest naming parameter ("digest", or
+\&\fBOSSL_MAC_PARAM_DIGEST\fR) to be considered valid.
+.IP """digest-noinit"" (\fBOSSL_MAC_PARAM_DIGEST_NOINIT\fR) <integer>" 4
+.IX Item """digest-noinit"" (OSSL_MAC_PARAM_DIGEST_NOINIT) <integer>"
+A flag to set the MAC digest to not initialise the implementation
specific data.
The value 0 or 1 is expected.
-.ie n .IP """digest-oneshot"" (\fB\s-1OSSL_MAC_PARAM_DIGEST_ONESHOT\s0\fR) <integer>" 4
-.el .IP "``digest-oneshot'' (\fB\s-1OSSL_MAC_PARAM_DIGEST_ONESHOT\s0\fR) <integer>" 4
-.IX Item "digest-oneshot (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>"
-A flag to set the \s-1MAC\s0 digest to be a one-shot operation.
+This option is deprecated and will be removed in a future release.
+It may be set but is currently ignored
+.IP """digest-oneshot"" (\fBOSSL_MAC_PARAM_DIGEST_ONESHOT\fR) <integer>" 4
+.IX Item """digest-oneshot"" (OSSL_MAC_PARAM_DIGEST_ONESHOT) <integer>"
+A flag to set the MAC digest to be a one-shot operation.
The value 0 or 1 is expected.
-.ie n .IP """tls-data-size"" (\fB\s-1OSSL_MAC_PARAM_TLS_DATA_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-data-size'' (\fB\s-1OSSL_MAC_PARAM_TLS_DATA_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "tls-data-size (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>"
+This option is deprecated and will be removed in a future release.
+It may be set but is currently ignored.
+.IP """tls-data-size"" (\fBOSSL_MAC_PARAM_TLS_DATA_SIZE\fR) <unsigned integer>" 4
+.IX Item """tls-data-size"" (OSSL_MAC_PARAM_TLS_DATA_SIZE) <unsigned integer>"
+.PD 0
+.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>"
+.PD
+See "Mac Parameters" in \fBprovider\-mac\fR\|(7).
.PP
-The following parameter can be retrieved with \fBEVP_MAC_CTX_get_params()\fR:
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-The \*(L"size\*(R" parameter can also be retrieved with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter is equal to that of an \fBunsigned int\fR.
-.ie n .IP """block-size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``block-size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "block-size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Gets the \s-1MAC\s0 block size. The \*(L"block-size\*(R" parameter can also be retrieved with
+The following parameters can be retrieved with \fBEVP_MAC_CTX_get_params()\fR:
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+The "size" parameter can also be retrieved with \fBEVP_MAC_CTX_get_mac_size()\fR.
+The length of the "size" parameter is equal to that of an \fBunsigned int\fR.
+.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>"
+Gets the MAC block size. The "block-size" parameter can also be retrieved with
\&\fBEVP_MAC_CTX_get_block_size()\fR.
+.IP """fips-indicator"" (\fBOSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KDF_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+See "Mac Parameters" in \fBprovider\-mac\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3), \s-1\fBHMAC\s0\fR\|(3)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3), \fBHMAC\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7
index 116c9a57577b..3e3228e7d8f5 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-KMAC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,135 +52,82 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-KMAC 7ossl"
-.TH EVP_MAC-KMAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-KMAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-KMAC, EVP_MAC\-KMAC128, EVP_MAC\-KMAC256
\&\- The KMAC EVP_MAC implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1KMAC\s0 MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing KMAC MACs through the \fBEVP_MAC\fR API.
+.SS Identity
.IX Subsection "Identity"
These implementations are identified with one of these names and
properties, to be used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1KMAC\-128"",\s0 ""provider=default"" or ""provider=fips""" 4
-.el .IP "``\s-1KMAC\-128'',\s0 ``provider=default'' or ``provider=fips''" 4
-.IX Item "KMAC-128, provider=default or provider=fips"
+.IP """KMAC\-128"", ""provider=default"" or ""provider=fips""" 4
+.IX Item """KMAC-128"", ""provider=default"" or ""provider=fips"""
.PD 0
-.ie n .IP """\s-1KMAC\-256"",\s0 ""provider=default"" or ""provider=fips""" 4
-.el .IP "``\s-1KMAC\-256'',\s0 ``provider=default'' or ``provider=fips''" 4
-.IX Item "KMAC-256, provider=default or provider=fips"
+.IP """KMAC\-256"", ""provider=default"" or ""provider=fips""" 4
+.IX Item """KMAC-256"", ""provider=default"" or ""provider=fips"""
.PD
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
-All these parameters can be set with \fBEVP_MAC_CTX_set_params()\fR.
-Furthermore, the \*(L"size\*(R" parameter can be retrieved with
+All these parameters (except for "block-size") can be set with
+\&\fBEVP_MAC_CTX_set_params()\fR.
+Furthermore, the "size" parameter can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter should not exceed that of a \fBsize_t\fR.
-Likewise, the \*(L"block-size\*(R" parameter can be retrieved with
+The length of the "size" parameter should not exceed that of a \fBsize_t\fR.
+Likewise, the "block-size" parameter can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_block_size()\fR.
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
The length of the key (in bytes) must be in the range 4...512.
-.ie n .IP """custom"" (\fB\s-1OSSL_MAC_PARAM_CUSTOM\s0\fR) <octet string>" 4
-.el .IP "``custom'' (\fB\s-1OSSL_MAC_PARAM_CUSTOM\s0\fR) <octet string>" 4
-.IX Item "custom (OSSL_MAC_PARAM_CUSTOM) <octet string>"
-Sets the custom value.
-It is an optional value with a length of at most 512 bytes, and is empty by default.
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Sets the \s-1MAC\s0 size.
-By default, it is 16 for \f(CW\*(C`KMAC\-128\*(C'\fR and 32 for \f(CW\*(C`KMAC\-256\*(C'\fR.
-.ie n .IP """block-size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``block-size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "block-size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Gets the \s-1MAC\s0 block size.
-By default, it is 168 for \f(CW\*(C`KMAC\-128\*(C'\fR and 136 for \f(CW\*(C`KMAC\-256\*(C'\fR.
-.ie n .IP """xof"" (\fB\s-1OSSL_MAC_PARAM_XOF\s0\fR) <integer>" 4
-.el .IP "``xof'' (\fB\s-1OSSL_MAC_PARAM_XOF\s0\fR) <integer>" 4
-.IX Item "xof (OSSL_MAC_PARAM_XOF) <integer>"
-The \*(L"xof\*(R" parameter value is expected to be 1 or 0. Use 1 to enable \s-1XOF\s0 mode.
+.IP """custom"" (\fBOSSL_MAC_PARAM_CUSTOM\fR) <octet string>" 4
+.IX Item """custom"" (OSSL_MAC_PARAM_CUSTOM) <octet string>"
+Sets the customization string.
+It is an optional value with a length of at most 512 bytes, and is
+empty by default.
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+Sets the MAC size.
+By default, it is 32 for \f(CW\*(C`KMAC\-128\*(C'\fR and 64 for \f(CW\*(C`KMAC\-256\*(C'\fR.
+.IP """block-size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """block-size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <unsigned integer>"
+Gets the MAC block size.
+It is 168 for \f(CW\*(C`KMAC\-128\*(C'\fR and 136 for \f(CW\*(C`KMAC\-256\*(C'\fR.
+.IP """xof"" (\fBOSSL_MAC_PARAM_XOF\fR) <integer>" 4
+.IX Item """xof"" (OSSL_MAC_PARAM_XOF) <integer>"
+The "xof" parameter value is expected to be 1 or 0. Use 1 to enable XOF mode.
The default value is 0.
+.IP """fips-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4
+.IX Item """fips-indicator"" (OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR) <int>"
+This settable parameter is described in \fBprovider\-mac\fR\|(7).
+.IP """no-short-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4
+.IX Item """no-short-mac"" (OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) <integer>"
+This settable parameter is described in \fBprovider\-mac\fR\|(7). It is used by
+the OpenSSL FIPS provider and the minimum length output for KMAC
+is defined by NIST's SP 800\-185 8.4.2.
+.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>"
+This settable parameter is described in \fBprovider\-mac\fR\|(7).
.PP
-The \*(L"custom\*(R" parameter must be set as part of or before the \fBEVP_MAC_init()\fR call.
-The \*(L"xof\*(R" and \*(L"size\*(R" parameters can be set at any time before \fBEVP_MAC_final()\fR.
-The \*(L"key\*(R" parameter is set as part of the \fBEVP_MAC_init()\fR call, but can be
+The "custom" and "no-short-mac" parameters must be set as part of or before
+the \fBEVP_MAC_init()\fR call.
+The "xof" and "size" parameters can be set at any time before \fBEVP_MAC_final()\fR.
+The "key" parameter is set as part of the \fBEVP_MAC_init()\fR call, but can be
set before it instead.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 2
\& #include <openssl/evp.h>
@@ -265,12 +196,13 @@ set before it instead.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3),
+SP 800\-185 8.4.2 <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-185.pdf>
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7
index 443a55de81b3..3b96e30fb0b7 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-Poly1305.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,122 +52,59 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-POLY1305 7ossl"
-.TH EVP_MAC-POLY1305 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-POLY1305 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-Poly1305 \- The Poly1305 EVP_MAC implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing Poly1305 MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing Poly1305 MACs through the \fBEVP_MAC\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is identified with this name and properties, to be
used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1POLY1305"",\s0 ""provider=default""" 4
-.el .IP "``\s-1POLY1305'',\s0 ``provider=default''" 4
-.IX Item "POLY1305, provider=default"
+.IP """POLY1305"", ""provider=default""" 4
+.IX Item """POLY1305"", ""provider=default"""
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
The following parameter can be set with \fBEVP_MAC_CTX_set_params()\fR:
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
.PP
The following parameters can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR:
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Gets the \s-1MAC\s0 size.
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+Gets the MAC size.
.PP
-The \*(L"size\*(R" parameter can also be retrieved with with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter should not exceed that of an \fBunsigned int\fR.
-.SH "NOTES"
+The "size" parameter can also be retrieved with with \fBEVP_MAC_CTX_get_mac_size()\fR.
+The length of the "size" parameter should not exceed that of an \fBunsigned int\fR.
+.SH NOTES
.IX Header "NOTES"
-The OpenSSL implementation of the Poly 1305 \s-1MAC\s0 corresponds to \s-1RFC 7539.\s0
+The OpenSSL implementation of the Poly 1305 MAC corresponds to RFC 7539.
.PP
It is critical to never reuse the key. The security implication noted in
-\&\s-1RFC 8439\s0 applies equally to the OpenSSL implementation.
+RFC 8439 applies equally to the OpenSSL implementation.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7 b/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7
index 7d00c3d78bd2..935eae562dcb 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MAC-Siphash.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,121 +52,56 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MAC-SIPHASH 7ossl"
-.TH EVP_MAC-SIPHASH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MAC-SIPHASH 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MAC\-Siphash \- The Siphash EVP_MAC implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing Siphash MACs through the \fB\s-1EVP_MAC\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing Siphash MACs through the \fBEVP_MAC\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is identified with this name and properties, to be
used with \fBEVP_MAC_fetch()\fR:
-.ie n .IP """\s-1SIPHASH"",\s0 ""provider=default""" 4
-.el .IP "``\s-1SIPHASH'',\s0 ``provider=default''" 4
-.IX Item "SIPHASH, provider=default"
+.IP """SIPHASH"", ""provider=default""" 4
+.IX Item """SIPHASH"", ""provider=default"""
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The general description of these parameters can be found in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3).
+"PARAMETERS" in \fBEVP_MAC\fR\|(3).
.PP
All these parameters can be set with \fBEVP_MAC_CTX_set_params()\fR.
-Furthermore, the \*(L"size\*(R" parameter can be retrieved with
+Furthermore, the "size" parameter can be retrieved with
\&\fBEVP_MAC_CTX_get_params()\fR, or with \fBEVP_MAC_CTX_get_mac_size()\fR.
-The length of the \*(L"size\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
-Sets the \s-1MAC\s0 key.
+The length of the "size" parameter should not exceed that of a \fBsize_t\fR.
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
+Sets the MAC key.
Setting this parameter is identical to passing a \fIkey\fR to \fBEVP_MAC_init\fR\|(3).
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
-Sets the \s-1MAC\s0 size.
-.ie n .IP """c\-rounds"" (\fB\s-1OSSL_MAC_PARAM_C_ROUNDS\s0\fR) <unsigned integer>" 4
-.el .IP "``c\-rounds'' (\fB\s-1OSSL_MAC_PARAM_C_ROUNDS\s0\fR) <unsigned integer>" 4
-.IX Item "c-rounds (OSSL_MAC_PARAM_C_ROUNDS) <unsigned integer>"
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <unsigned integer>"
+Sets the MAC size.
+.IP """c\-rounds"" (\fBOSSL_MAC_PARAM_C_ROUNDS\fR) <unsigned integer>" 4
+.IX Item """c-rounds"" (OSSL_MAC_PARAM_C_ROUNDS) <unsigned integer>"
Specifies the number of rounds per message block. By default this is \fI2\fR.
-.ie n .IP """d\-rounds"" (\fB\s-1OSSL_MAC_PARAM_D_ROUNDS\s0\fR) <unsigned integer>" 4
-.el .IP "``d\-rounds'' (\fB\s-1OSSL_MAC_PARAM_D_ROUNDS\s0\fR) <unsigned integer>" 4
-.IX Item "d-rounds (OSSL_MAC_PARAM_D_ROUNDS) <unsigned integer>"
+.IP """d\-rounds"" (\fBOSSL_MAC_PARAM_D_ROUNDS\fR) <unsigned integer>" 4
+.IX Item """d-rounds"" (OSSL_MAC_PARAM_D_ROUNDS) <unsigned integer>"
Specifies the number of finalisation rounds. By default this is \fI4\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MAC_CTX_get_params\fR\|(3), \fBEVP_MAC_CTX_set_params\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBOSSL_PARAM\s0\fR\|(3)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_MAC\fR\|(3), \fBOSSL_PARAM\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7
index b00535364c7a..3afc751cbb22 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-BLAKE2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,101 +52,67 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-BLAKE2 7ossl"
-.TH EVP_MD-BLAKE2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-BLAKE2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-BLAKE2 \- The BLAKE2 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1BLAKE2\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identities"
+Support for computing BLAKE2 digests through the \fBEVP_MD\fR API.
+.SS Identities
.IX Subsection "Identities"
This implementation is only available with the default provider, and
includes the following varieties:
-.IP "\s-1BLAKE2S\-256\s0" 4
+.IP BLAKE2S\-256 4
.IX Item "BLAKE2S-256"
-Known names are \*(L"\s-1BLAKE2S\-256\*(R"\s0 and \*(L"BLAKE2s256\*(R".
-.IP "\s-1BLAKE2B\-512\s0" 4
+Known names are "BLAKE2S\-256" and "BLAKE2s256".
+.IP BLAKE2B\-512 4
.IX Item "BLAKE2B-512"
-Known names are \*(L"\s-1BLAKE2B\-512\*(R"\s0 and \*(L"BLAKE2b512\*(R".
+Known names are "BLAKE2B\-512" and "BLAKE2b512".
+.SS "Settable Parameters"
+.IX Subsection "Settable Parameters"
+"BLAKE2B\-512" supports the following \fBEVP_MD_CTX_set_params()\fR key
+described in "PARAMETERS" in \fBEVP_DigestInit\fR\|(3).
+.IP """size"" (\fBOSSL_DIGEST_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
in \fBEVP_MD\-common\fR\|(7).
+.SS "Settable Context Parameters"
+.IX Subsection "Settable Context Parameters"
+The implementation supports the following \fBOSSL_PARAM\fR\|(3) entries which
+are settable for an \fBEVP_MD_CTX\fR with \fBEVP_DigestInit_ex2\fR\|(3) or
+\&\fBEVP_MD_CTX_set_params\fR\|(3):
+.IP """size"" (\fBOSSL_DIGEST_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
+Sets a different digest length for the \fBEVP_DigestFinal\fR\|(3) output.
+The value of the "size" parameter must not exceed the default digest length
+of the respective BLAKE2 algorithm variants, 64 for BLAKE2B\-512 and
+32 for BLAKE2S\-256. The parameter must be set with the
+\&\fBEVP_DigestInit_ex2\fR\|(3) call to have an immediate effect. When set with
+\&\fBEVP_MD_CTX_set_params\fR\|(3) it will have an effect only if the \fBEVP_MD_CTX\fR
+context is reinitialized.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.0.
+.PP
+The variable size support was added in OpenSSL 3.2 for BLAKE2B\-512 and
+in OpenSSL 3.3 for BLAKE2S\-256.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7 b/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7
new file mode 100644
index 000000000000..36f08999cb57
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-KECCAK.7
@@ -0,0 +1,96 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_MD-KECCAK 7ossl"
+.TH EVP_MD-KECCAK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_MD\-KECCAK \- The KECCAK EVP_MD implementations
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+Support for computing KECCAK digests through the \fBEVP_MD\fR API.
+.SS Identities
+.IX Subsection "Identities"
+This implementation is available in the default provider and
+includes the following varieties:
+.IP """KECCAK\-224""" 4
+.IX Item """KECCAK-224"""
+.PD 0
+.IP """KECCAK\-256""" 4
+.IX Item """KECCAK-256"""
+.IP """KECCAK\-384""" 4
+.IX Item """KECCAK-384"""
+.IP """KECCAK\-512""" 4
+.IX Item """KECCAK-512"""
+.PD
+.SS "Gettable Parameters"
+.IX Subsection "Gettable Parameters"
+This implementation supports the common gettable parameters described
+in \fBEVP_MD\-common\fR\|(7).
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7
index c3bbd22b5117..0745f7664270 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-MD2 7ossl"
-.TH EVP_MD-MD2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-MD2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-MD2 \- The MD2 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1MD2\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing MD2 digests through the \fBEVP_MD\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the legacy provider, and is
-identified with the name \*(L"\s-1MD2\*(R".\s0
+identified with the name "MD2".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -152,11 +76,11 @@ in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7
index c171280822fd..17b8745d20e5 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD4.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-MD4 7ossl"
-.TH EVP_MD-MD4 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-MD4 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-MD4 \- The MD4 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1MD4\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing MD4 digests through the \fBEVP_MD\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the legacy provider, and is
-identified with the name \*(L"\s-1MD4\*(R".\s0
+identified with the name "MD4".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -152,11 +76,11 @@ in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7
index e64d91a41161..efc2719375b8 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD5-SHA1.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,112 +52,51 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-MD5-SHA1 7ossl"
-.TH EVP_MD-MD5-SHA1 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-MD5-SHA1 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-MD5\-SHA1 \- The MD5\-SHA1 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1MD5\-SHA1\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
+Support for computing MD5\-SHA1 digests through the \fBEVP_MD\fR API.
.PP
-\&\s-1MD5\-SHA1\s0 is a rather special digest that's used with SSLv3.
-.SS "Identity"
+MD5\-SHA1 is a rather special digest that's used with SSLv3.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the default provider, and is
-identified with the name \*(L"\s-1MD5\-SHA1\*(R".\s0
+identified with the name "MD5\-SHA1".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
in \fBEVP_MD\-common\fR\|(7).
.SS "Settable Context Parameters"
.IX Subsection "Settable Context Parameters"
-This implementation supports the following \s-1\fBOSSL_PARAM\s0\fR\|(3) entries,
-settable for an \fB\s-1EVP_MD_CTX\s0\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
-.ie n .IP """ssl3\-ms"" (\fB\s-1OSSL_DIGEST_PARAM_SSL3_MS\s0\fR) <octet string>" 4
-.el .IP "``ssl3\-ms'' (\fB\s-1OSSL_DIGEST_PARAM_SSL3_MS\s0\fR) <octet string>" 4
-.IX Item "ssl3-ms (OSSL_DIGEST_PARAM_SSL3_MS) <octet string>"
+This implementation supports the following \fBOSSL_PARAM\fR\|(3) entries,
+settable for an \fBEVP_MD_CTX\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
+.IP """ssl3\-ms"" (\fBOSSL_DIGEST_PARAM_SSL3_MS\fR) <octet string>" 4
+.IX Item """ssl3-ms"" (OSSL_DIGEST_PARAM_SSL3_MS) <octet string>"
This parameter is set by libssl in order to calculate a signature hash for an
-SSLv3 CertificateVerify message as per \s-1RFC6101.\s0
+SSLv3 CertificateVerify message as per RFC6101.
It is only set after all handshake messages have already been digested via
\&\fBOP_digest_update()\fR calls.
The parameter provides the master secret value to be added to the digest.
-The digest implementation should calculate the complete digest as per \s-1RFC6101\s0
+The digest implementation should calculate the complete digest as per RFC6101
section 5.6.8.
The next call after setting this parameter should be \fBOP_digest_final()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MD_CTX_set_params\fR\|(3), \fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7
index 817b9529efb4..95aeb1df528c 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-MD5.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-MD5 7ossl"
-.TH EVP_MD-MD5 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-MD5 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-MD5 \- The MD5 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1MD5\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing MD5 digests through the \fBEVP_MD\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the default provider, and is
-identified with the name \*(L"\s-1MD5\*(R".\s0
+identified with the name "MD5".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -152,11 +76,11 @@ in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7
index d637c89a2424..fce6fb9683b8 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-MDC2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,106 +52,45 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-MDC2 7ossl"
-.TH EVP_MD-MDC2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-MDC2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-MDC2 \- The MDC2 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1MDC2\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing MDC2 digests through the \fBEVP_MD\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the legacy provider, and is
-identified with the name \*(L"\s-1MDC2\*(R".\s0
+identified with the name "MDC2".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
in \fBEVP_MD\-common\fR\|(7).
.SS "Settable Context Parameters"
.IX Subsection "Settable Context Parameters"
-This implementation supports the following \s-1\fBOSSL_PARAM\s0\fR\|(3) entries,
-settable for an \fB\s-1EVP_MD_CTX\s0\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
-.ie n .IP """pad-type"" (\fB\s-1OSSL_DIGEST_PARAM_PAD_TYPE\s0\fR) <unsigned integer>" 4
-.el .IP "``pad-type'' (\fB\s-1OSSL_DIGEST_PARAM_PAD_TYPE\s0\fR) <unsigned integer>" 4
-.IX Item "pad-type (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>"
+This implementation supports the following \fBOSSL_PARAM\fR\|(3) entries,
+settable for an \fBEVP_MD_CTX\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
+.IP """pad-type"" (\fBOSSL_DIGEST_PARAM_PAD_TYPE\fR) <unsigned integer>" 4
+.IX Item """pad-type"" (OSSL_DIGEST_PARAM_PAD_TYPE) <unsigned integer>"
Sets the padding type to be used.
-Normally the final \s-1MDC2\s0 block is padded with zeros.
+Normally the final MDC2 block is padded with zeros.
If the pad type is set to 2 then the final block is padded with 0x80 followed by
zeros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MD_CTX_set_params\fR\|(3), \fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7 b/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7
index 699a8b29355e..e5feac468f9d 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-NULL.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,87 +52,26 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-NULL 7ossl"
-.TH EVP_MD-NULL 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-NULL 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-NULL \- The NULL EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for a \s-1NULL\s0 digest through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
+Support for a NULL digest through the \fBEVP_MD\fR API.
This algorithm does nothing and returns 1 for its init,
update and final methods.
.SS "Algorithm Name"
.IX Subsection "Algorithm Name"
The following algorithm is available in the default provider:
-.ie n .IP """\s-1NULL""\s0" 4
-.el .IP "``\s-1NULL''\s0" 4
-.IX Item "NULL"
+.IP """NULL""" 4
+.IX Item """NULL"""
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -157,11 +80,11 @@ in \fBEVP_MD\-common\fR\|(7).
.IX Header "SEE ALSO"
\&\fBEVP_MD_CTX_set_params\fR\|(3), \fBprovider\-digest\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7 b/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7
index eb080649e373..2cea8732840d 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-RIPEMD160.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,84 +52,24 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-RIPEMD160 7ossl"
-.TH EVP_MD-RIPEMD160 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-RIPEMD160 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-RIPEMD160 \- The RIPEMD160 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1RIPEMD160\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identities"
+Support for computing RIPEMD160 digests through the \fBEVP_MD\fR API.
+.SS Identities
.IX Subsection "Identities"
This implementation is available in both the default and legacy providers, and is
-identified with any of the names \*(L"\s-1RIPEMD\-160\*(R", \*(L"RIPEMD160\*(R", \*(L"RIPEMD\*(R"\s0 and
-\&\*(L"\s-1RMD160\*(R".\s0
+identified with any of the names "RIPEMD\-160", "RIPEMD160", "RIPEMD" and
+"RMD160".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -153,14 +77,14 @@ in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This digest was added to the default provider in OpenSSL 3.0.7.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7
index 6d93e505502f..ef0d4befda79 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA1.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,111 +52,50 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-SHA1 7ossl"
-.TH EVP_MD-SHA1 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-SHA1 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-SHA1 \- The SHA1 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1SHA1\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identities"
+Support for computing SHA1 digests through the \fBEVP_MD\fR API.
+.SS Identities
.IX Subsection "Identities"
-This implementation is available with the \s-1FIPS\s0 provider as well as the
-default provider, and is identified with the names \*(L"\s-1SHA1\*(R"\s0 and \*(L"\s-1SHA\-1\*(R".\s0
+This implementation is available with the FIPS provider as well as the
+default provider, and is identified with the names "SHA1" and "SHA\-1".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
in \fBEVP_MD\-common\fR\|(7).
.SS "Settable Context Parameters"
.IX Subsection "Settable Context Parameters"
-This implementation supports the following \s-1\fBOSSL_PARAM\s0\fR\|(3) entries,
-settable for an \fB\s-1EVP_MD_CTX\s0\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
-.ie n .IP """ssl3\-ms"" (\fB\s-1OSSL_DIGEST_PARAM_SSL3_MS\s0\fR) <octet string>" 4
-.el .IP "``ssl3\-ms'' (\fB\s-1OSSL_DIGEST_PARAM_SSL3_MS\s0\fR) <octet string>" 4
-.IX Item "ssl3-ms (OSSL_DIGEST_PARAM_SSL3_MS) <octet string>"
+This implementation supports the following \fBOSSL_PARAM\fR\|(3) entries,
+settable for an \fBEVP_MD_CTX\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
+.IP """ssl3\-ms"" (\fBOSSL_DIGEST_PARAM_SSL3_MS\fR) <octet string>" 4
+.IX Item """ssl3-ms"" (OSSL_DIGEST_PARAM_SSL3_MS) <octet string>"
This parameter is set by libssl in order to calculate a signature hash for an
-SSLv3 CertificateVerify message as per \s-1RFC6101.\s0
+SSLv3 CertificateVerify message as per RFC6101.
It is only set after all handshake messages have already been digested via
\&\fBOP_digest_update()\fR calls.
The parameter provides the master secret value to be added to the digest.
-The digest implementation should calculate the complete digest as per \s-1RFC6101\s0
+The digest implementation should calculate the complete digest as per RFC6101
section 5.6.8.
The next call after setting this parameter should be \fBOP_digest_final()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MD_CTX_set_params\fR\|(3), \fBprovider\-digest\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7
index bf33c33221f1..9bf4855062ea 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,109 +52,52 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-SHA2 7ossl"
-.TH EVP_MD-SHA2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-SHA2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-SHA2 \- The SHA2 EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1SHA2\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identities"
+Support for computing SHA2 digests through the \fBEVP_MD\fR API.
+.SS Identities
.IX Subsection "Identities"
This implementation includes the following varieties:
-.IP "\(bu" 4
-Available with the \s-1FIPS\s0 provider as well as the default provider:
+.IP \(bu 4
+Available with the FIPS provider as well as the default provider:
.RS 4
-.IP "\s-1SHA2\-224\s0" 4
+.IP SHA2\-224 4
.IX Item "SHA2-224"
-Known names are \*(L"\s-1SHA2\-224\*(R", \*(L"SHA\-224\*(R"\s0 and \*(L"\s-1SHA224\*(R".\s0
-.IP "\s-1SHA2\-256\s0" 4
+Known names are "SHA2\-224", "SHA\-224" and "SHA224".
+.IP SHA2\-256 4
.IX Item "SHA2-256"
-Known names are \*(L"\s-1SHA2\-256\*(R", \*(L"SHA\-256\*(R"\s0 and \*(L"\s-1SHA256\*(R".\s0
-.IP "\s-1SHA2\-384\s0" 4
+Known names are "SHA2\-256", "SHA\-256" and "SHA256".
+.IP SHA2\-384 4
.IX Item "SHA2-384"
-Known names are \*(L"\s-1SHA2\-384\*(R", \*(L"SHA\-384\*(R"\s0 and \*(L"\s-1SHA384\*(R".\s0
-.IP "\s-1SHA2\-512\s0" 4
+Known names are "SHA2\-384", "SHA\-384" and "SHA384".
+.IP SHA2\-512 4
.IX Item "SHA2-512"
-Known names are \*(L"\s-1SHA2\-512\*(R", \*(L"SHA\-512\*(R"\s0 and \*(L"\s-1SHA512\*(R".\s0
+Known names are "SHA2\-512", "SHA\-512" and "SHA512".
.RE
.RS 4
.RE
-.IP "\(bu" 4
+.IP \(bu 4
Available with the default provider:
.RS 4
-.IP "\s-1SHA2\-512/224\s0" 4
+.IP SHA2\-256/192 4
+.IX Item "SHA2-256/192"
+Known names are "SHA2\-256/192", "SHA\-256/192" and "SHA256\-192".
+.IP SHA2\-512/224 4
.IX Item "SHA2-512/224"
-Known names are \*(L"\s-1SHA2\-512/224\*(R", \*(L"SHA\-512/224\*(R"\s0 and \*(L"\s-1SHA512\-224\*(R".\s0
-.IP "\s-1SHA2\-512/256\s0" 4
+Known names are "SHA2\-512/224", "SHA\-512/224" and "SHA512\-224".
+.IP SHA2\-512/256 4
.IX Item "SHA2-512/256"
-Known names are \*(L"\s-1SHA2\-512/256\*(R", \*(L"SHA\-512/256\*(R"\s0 and \*(L"\s-1SHA512\-256\*(R".\s0
+Known names are "SHA2\-512/256", "SHA\-512/256" and "SHA512\-256".
.RE
.RS 4
.RE
@@ -180,12 +107,12 @@ This implementation supports the common gettable parameters described
in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-digest\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7
index 62cf05474936..82268d3adeb3 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHA3.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,96 +52,32 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-SHA3 7ossl"
-.TH EVP_MD-SHA3 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-SHA3 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-SHA3 \- The SHA3 EVP_MD implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1SHA3\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identities"
+Support for computing SHA3 digests through the \fBEVP_MD\fR API.
+.SS Identities
.IX Subsection "Identities"
-This implementation is available with the \s-1FIPS\s0 provider as well as the
+This implementation is available with the FIPS provider as well as the
default provider, and includes the following varieties:
-.ie n .IP """\s-1SHA3\-224""\s0" 4
-.el .IP "``\s-1SHA3\-224''\s0" 4
-.IX Item "SHA3-224"
+.IP """SHA3\-224""" 4
+.IX Item """SHA3-224"""
.PD 0
-.ie n .IP """\s-1SHA3\-256""\s0" 4
-.el .IP "``\s-1SHA3\-256''\s0" 4
-.IX Item "SHA3-256"
-.ie n .IP """\s-1SHA3\-384""\s0" 4
-.el .IP "``\s-1SHA3\-384''\s0" 4
-.IX Item "SHA3-384"
-.ie n .IP """\s-1SHA3\-512""\s0" 4
-.el .IP "``\s-1SHA3\-512''\s0" 4
-.IX Item "SHA3-512"
+.IP """SHA3\-256""" 4
+.IX Item """SHA3-256"""
+.IP """SHA3\-384""" 4
+.IX Item """SHA3-384"""
+.IP """SHA3\-512""" 4
+.IX Item """SHA3-512"""
.PD
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
@@ -165,12 +85,12 @@ This implementation supports the common gettable parameters described
in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-digest\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7
index 4d3be8040de0..10b47cba22bf 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SHAKE.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,131 +52,86 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-SHAKE 7ossl"
-.TH EVP_MD-SHAKE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-SHAKE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-SHAKE, EVP_MD\-KECCAK\-KMAC
\&\- The SHAKE / KECCAK family EVP_MD implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1SHAKE\s0 or KECCAK-KMAC digests through the
-\&\fB\s-1EVP_MD\s0\fR \s-1API.\s0
+Support for computing SHAKE or KECCAK-KMAC digests through the
+\&\fBEVP_MD\fR API.
.PP
-KECCAK-KMAC is a special digest that's used by the \s-1KMAC EVP_MAC\s0
-implementation (see \s-1\fBEVP_MAC\-KMAC\s0\fR\|(7)).
-.SS "Identities"
+KECCAK-KMAC is an Extendable Output Function (XOF), with a definition
+similar to SHAKE, used by the KMAC EVP_MAC implementation (see
+\&\fBEVP_MAC\-KMAC\fR\|(7)).
+.SS Identities
.IX Subsection "Identities"
-This implementation is available in the \s-1FIPS\s0 provider as well as the default
+This implementation is available in the FIPS provider as well as the default
provider, and includes the following varieties:
-.IP "\s-1KECCAK\-KMAC\-128\s0" 4
+.IP KECCAK\-KMAC\-128 4
.IX Item "KECCAK-KMAC-128"
-Known names are \*(L"\s-1KECCAK\-KMAC\-128\*(R"\s0 and \*(L"\s-1KECCAK\-KMAC128\*(R"\s0
-This is used by \s-1\fBEVP_MAC\-KMAC128\s0\fR\|(7)
-.IP "\s-1KECCAK\-KMAC\-256\s0" 4
+Known names are "KECCAK\-KMAC\-128" and "KECCAK\-KMAC128". This is used
+by \fBEVP_MAC\-KMAC128\fR\|(7). Using the notation from NIST FIPS 202
+(Section 6.2), we have KECCAK\-KMAC\-128(M,\ d) = KECCAK[256](M\ ||\ 00,\ d)
+(see the description of KMAC128 in Appendix A of NIST SP 800\-185).
+.IP KECCAK\-KMAC\-256 4
.IX Item "KECCAK-KMAC-256"
-Known names are \*(L"\s-1KECCAK\-KMAC\-256\*(R"\s0 and \*(L"\s-1KECCAK\-KMAC256\*(R"\s0
-This is used by \s-1\fBEVP_MAC\-KMAC256\s0\fR\|(7)
-.IP "\s-1SHAKE\-128\s0" 4
+Known names are "KECCAK\-KMAC\-256" and "KECCAK\-KMAC256". This is used
+by \fBEVP_MAC\-KMAC256\fR\|(7). Using the notation from NIST FIPS 202
+(Section 6.2), we have KECCAK\-KMAC\-256(M,\ d) = KECCAK[512](M\ ||\ 00,\ d)
+(see the description of KMAC256 in Appendix A of NIST SP 800\-185).
+.IP SHAKE\-128 4
.IX Item "SHAKE-128"
-Known names are \*(L"\s-1SHAKE\-128\*(R"\s0 and \*(L"\s-1SHAKE128\*(R"\s0
-.IP "\s-1SHAKE\-256\s0" 4
+Known names are "SHAKE\-128" and "SHAKE128".
+.IP SHAKE\-256 4
.IX Item "SHAKE-256"
-Known names are \*(L"\s-1SHAKE\-256\*(R"\s0 and \*(L"\s-1SHAKE256\*(R"\s0
-.SS "Gettable Parameters"
-.IX Subsection "Gettable Parameters"
-This implementation supports the common gettable parameters described
-in \fBEVP_MD\-common\fR\|(7).
-.SS "Settable Context Parameters"
-.IX Subsection "Settable Context Parameters"
-These implementations support the following \s-1\fBOSSL_PARAM\s0\fR\|(3) entries,
-settable for an \fB\s-1EVP_MD_CTX\s0\fR with \fBEVP_MD_CTX_set_params\fR\|(3):
-.ie n .IP """xoflen"" (\fB\s-1OSSL_DIGEST_PARAM_XOFLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``xoflen'' (\fB\s-1OSSL_DIGEST_PARAM_XOFLEN\s0\fR) <unsigned integer>" 4
-.IX Item "xoflen (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>"
-Sets the digest length for extendable output functions.
-The length of the \*(L"xoflen\*(R" parameter should not exceed that of a \fBsize_t\fR.
+Known names are "SHAKE\-256" and "SHAKE256".
+.SS Parameters
+.IX Subsection "Parameters"
+This implementation supports the following \fBOSSL_PARAM\fR\|(3) entries:
+.IP """xoflen"" (\fBOSSL_DIGEST_PARAM_XOFLEN\fR) <unsigned integer>" 4
+.IX Item """xoflen"" (OSSL_DIGEST_PARAM_XOFLEN) <unsigned integer>"
+Sets or Gets the digest length for extendable output functions.
+The length of the "xoflen" parameter should not exceed that of a \fBsize_t\fR.
.Sp
-For backwards compatibility reasons the default xoflen length for \s-1SHAKE\-128\s0 is
-16 (bytes) which results in a security strength of only 64 bits. To ensure the
-maximum security strength of 128 bits, the xoflen should be set to at least 32.
+The SHAKE\-128 and SHAKE\-256 implementations do not have any default digest
+length.
.Sp
-For backwards compatibility reasons the default xoflen length for \s-1SHAKE\-256\s0 is
-32 (bytes) which results in a security strength of only 128 bits. To ensure the
-maximum security strength of 256 bits, the xoflen should be set to at least 64.
+This parameter must be set before calling either \fBEVP_DigestFinal_ex()\fR or
+\&\fBEVP_DigestFinal()\fR, since these functions were not designed to handle variable
+length output. It is recommended to either use \fBEVP_DigestSqueeze()\fR or
+\&\fBEVP_DigestFinalXOF()\fR instead.
+.IP """size"" (\fBOSSL_DIGEST_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
+An alias of "xoflen".
+.PP
+See "PARAMETERS" in \fBEVP_DigestInit\fR\|(3) for further information related to parameters
+.SH NOTES
+.IX Header "NOTES"
+For SHAKE\-128, to ensure the maximum security strength of 128 bits, the output
+length passed to \fBEVP_DigestFinalXOF()\fR should be at least 32.
+.PP
+For SHAKE\-256, to ensure the maximum security strength of 256 bits, the output
+length passed to \fBEVP_DigestFinalXOF()\fR should be at least 64.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MD_CTX_set_params\fR\|(3), \fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+Since OpenSSL 3.4 the SHAKE\-128 and SHAKE\-256 implementations have no default
+digest length.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7 b/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7
index 2e0fb458e534..a5628a1adbde 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-SM3.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-SM3 7ossl"
-.TH EVP_MD-SM3 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-SM3 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-SM3 \- The SM3 EVP_MD implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1SM3\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing SM3 digests through the \fBEVP_MD\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the default provider, and is
-identified with the name \*(L"\s-1SM3\*(R".\s0
+identified with the name "SM3".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -152,11 +76,11 @@ in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7 b/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7
index 2a241ef83862..6df4a69f187d 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-WHIRLPOOL.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-WHIRLPOOL 7ossl"
-.TH EVP_MD-WHIRLPOOL 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-WHIRLPOOL 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-WHIRLPOOL \- The WHIRLPOOL EVP_MD implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1WHIRLPOOL\s0 digests through the \fB\s-1EVP_MD\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for computing WHIRLPOOL digests through the \fBEVP_MD\fR API.
+.SS Identity
.IX Subsection "Identity"
This implementation is only available with the legacy provider, and is
-identified with the name \*(L"\s-1WHIRLPOOL\*(R".\s0
+identified with the name "WHIRLPOOL".
.SS "Gettable Parameters"
.IX Subsection "Gettable Parameters"
This implementation supports the common gettable parameters described
@@ -152,11 +76,11 @@ in \fBEVP_MD\-common\fR\|(7).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_MD-common.7 b/secure/lib/libcrypto/man/man7/EVP_MD-common.7
index b5648944f9c4..9035cb9613e4 100644
--- a/secure/lib/libcrypto/man/man7/EVP_MD-common.7
+++ b/secure/lib/libcrypto/man/man7/EVP_MD-common.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,114 +52,51 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD-COMMON 7ossl"
-.TH EVP_MD-COMMON 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_MD-COMMON 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_MD\-common \- The OpenSSL EVP_MD implementations, common things
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-All the OpenSSL \s-1EVP_MD\s0 implementations understand the following
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) entries that are
+All the OpenSSL EVP_MD implementations understand the following
+\&\fBOSSL_PARAM\fR\|(3) entries that are
gettable with \fBEVP_MD_get_params\fR\|(3), as well as these:
-.ie n .IP """blocksize"" (\fB\s-1OSSL_DIGEST_PARAM_BLOCK_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``blocksize'' (\fB\s-1OSSL_DIGEST_PARAM_BLOCK_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "blocksize (OSSL_DIGEST_PARAM_BLOCK_SIZE) <unsigned integer>"
+.IP """blocksize"" (\fBOSSL_DIGEST_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """blocksize"" (OSSL_DIGEST_PARAM_BLOCK_SIZE) <unsigned integer>"
The digest block size.
-The length of the \*(L"blocksize\*(R" parameter should not exceed that of a
+The length of the "blocksize" parameter should not exceed that of a
\&\fBsize_t\fR.
.Sp
This value can also be retrieved with \fBEVP_MD_get_block_size\fR\|(3).
-.ie n .IP """size"" (\fB\s-1OSSL_DIGEST_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_DIGEST_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
+.IP """size"" (\fBOSSL_DIGEST_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
The digest output size.
-The length of the \*(L"size\*(R" parameter should not exceed that of a \fBsize_t\fR.
+The length of the "size" parameter should not exceed that of a \fBsize_t\fR.
.Sp
This value can also be retrieved with \fBEVP_MD_get_size\fR\|(3).
-.ie n .IP """flags"" (\fB\s-1OSSL_DIGEST_PARAM_FLAGS\s0\fR) <unsigned integer>" 4
-.el .IP "``flags'' (\fB\s-1OSSL_DIGEST_PARAM_FLAGS\s0\fR) <unsigned integer>" 4
-.IX Item "flags (OSSL_DIGEST_PARAM_FLAGS) <unsigned integer>"
+.IP """flags"" (\fBOSSL_DIGEST_PARAM_FLAGS\fR) <unsigned integer>" 4
+.IX Item """flags"" (OSSL_DIGEST_PARAM_FLAGS) <unsigned integer>"
Diverse flags that describe exceptional behaviour for the digest.
-These flags are described in \*(L"\s-1DESCRIPTION\*(R"\s0 in \fBEVP_MD_meth_set_flags\fR\|(3).
+These flags are described in "DESCRIPTION" in \fBEVP_MD_meth_set_flags\fR\|(3).
.Sp
-The length of the \*(L"flags\*(R" parameter should equal that of an
+The length of the "flags" parameter should equal that of an
\&\fBunsigned long int\fR.
.Sp
This value can also be retrieved with \fBEVP_MD_get_flags\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_MD_get_params\fR\|(3), \fBprovider\-digest\fR\|(7)
-.SH "COPYRIGHT"
+"PARAMETERS" in \fBEVP_DigestInit\fR\|(3), \fBEVP_MD_get_params\fR\|(3), \fBprovider\-digest\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7
index 69d92750e3eb..b25b29931a12 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-DH.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,232 +52,163 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-DH 7ossl"
-.TH EVP_PKEY-DH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-DH 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-DH, EVP_PKEY\-DHX, EVP_KEYMGMT\-DH, EVP_KEYMGMT\-DHX
\&\- EVP_PKEY DH and DHX keytype and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-For \fB\s-1DH\s0\fR \s-1FFC\s0 key agreement, two classes of domain parameters can be used:
-\&\*(L"safe\*(R" domain parameters that are associated with approved named safe-prime
-groups, and a class of \*(L"FIPS186\-type\*(R" domain parameters. FIPS186\-type domain
-parameters should only be used for backward compatibility with existing
-applications that cannot be upgraded to use the approved safe-prime groups.
+For finite field Diffie-Hellman key agreement, two classes of domain
+parameters can be used: "safe" domain parameters that are associated with
+approved named safe-prime groups, and a class of "FIPS186\-type" domain
+parameters. FIPS186\-type domain parameters should only be used for backward
+compatibility with existing applications that cannot be upgraded to use the
+approved safe-prime groups.
.PP
-See \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7) for more information about \s-1FFC\s0 keys.
+See \fBEVP_PKEY\-FFC\fR\|(7) for more information about FFC keys.
.PP
-The \fB\s-1DH\s0\fR key type uses PKCS#3 format which saves \fIp\fR and \fIg\fR, but not the
+The \fBDH\fR key type uses PKCS#3 format which saves \fIp\fR and \fIg\fR, but not the
\&\fIq\fR value.
-The \fB\s-1DHX\s0\fR key type uses X9.42 format which saves the value of \fIq\fR and this
-must be used for \s-1FIPS186\-4.\s0 If key validation is required, users should be aware
-of the nuances associated with \s-1FIPS186\-4\s0 style parameters as discussed in
-\&\*(L"\s-1DH\s0 key validation\*(R".
-.SS "\s-1DH\s0 and \s-1DHX\s0 domain parameters"
+The \fBDHX\fR key type uses X9.42 format which saves the value of \fIq\fR and this
+must be used for FIPS186\-4. If key validation is required, users should be aware
+of the nuances associated with FIPS186\-4 style parameters as discussed in
+"DH and DHX key validation".
+.SS "DH and DHX domain parameters"
.IX Subsection "DH and DHX domain parameters"
-In addition to the common \s-1FCC\s0 parameters that all \s-1FFC\s0 keytypes should support
-(see \*(L"\s-1FFC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)) the \fB\s-1DHX\s0\fR and \fB\s-1DH\s0\fR keytype
+In addition to the common FFC parameters that all FFC keytypes should support
+(see "FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7)) the \fBDHX\fR and \fBDH\fR keytype
implementations support the following:
-.ie n .IP """group"" (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``group'' (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "group (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
-Sets or gets a string that associates a \fB\s-1DH\s0\fR or \fB\s-1DHX\s0\fR named safe prime group
+.IP """group"" (\fBOSSL_PKEY_PARAM_GROUP_NAME\fR) <UTF8 string>" 4
+.IX Item """group"" (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
+Sets or gets a string that associates a \fBDH\fR or \fBDHX\fR named safe prime group
with known values for \fIp\fR, \fIq\fR and \fIg\fR.
.Sp
-The following values can be used by the OpenSSL's default and \s-1FIPS\s0 providers:
-\&\*(L"ffdhe2048\*(R", \*(L"ffdhe3072\*(R", \*(L"ffdhe4096\*(R", \*(L"ffdhe6144\*(R", \*(L"ffdhe8192\*(R",
-\&\*(L"modp_2048\*(R", \*(L"modp_3072\*(R", \*(L"modp_4096\*(R", \*(L"modp_6144\*(R", \*(L"modp_8192\*(R".
+The following values can be used by the OpenSSL's default and FIPS providers:
+"ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192",
+"modp_2048", "modp_3072", "modp_4096", "modp_6144", "modp_8192".
.Sp
The following additional values can also be used by OpenSSL's default provider:
-\&\*(L"modp_1536\*(R", \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R", \*(L"dh_2048_256\*(R".
+"modp_1536", "dh_1024_160", "dh_2048_224", "dh_2048_256".
.Sp
-\&\s-1DH/DHX\s0 named groups can be easily validated since the parameters are well known.
+DH/DHX named groups can be easily validated since the parameters are well known.
For protocols that only transfer \fIp\fR and \fIg\fR the value of \fIq\fR can also be
retrieved.
-.SS "\s-1DH\s0 and \s-1DHX\s0 additional parameters"
+.SS "DH and DHX additional parameters"
.IX Subsection "DH and DHX additional parameters"
-.ie n .IP """encoded-pub-key"" (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
-.el .IP "``encoded-pub-key'' (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
-.IX Item "encoded-pub-key (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
-Used for getting and setting the encoding of the \s-1DH\s0 public key used in a key
-exchange message for the \s-1TLS\s0 protocol.
+.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4
+.IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
+Used for getting and setting the encoding of the DH public key used in a key
+exchange message for the TLS protocol.
See \fBEVP_PKEY_set1_encoded_public_key()\fR and \fBEVP_PKEY_get1_encoded_public_key()\fR.
-.SS "\s-1DH\s0 additional domain parameters"
+.SS "DH additional domain parameters"
.IX Subsection "DH additional domain parameters"
-.ie n .IP """safeprime-generator"" (\fB\s-1OSSL_PKEY_PARAM_DH_GENERATOR\s0\fR) <integer>" 4
-.el .IP "``safeprime-generator'' (\fB\s-1OSSL_PKEY_PARAM_DH_GENERATOR\s0\fR) <integer>" 4
-.IX Item "safeprime-generator (OSSL_PKEY_PARAM_DH_GENERATOR) <integer>"
-Used for \s-1DH\s0 generation of safe primes using the old safe prime generator code.
+.IP """safeprime-generator"" (\fBOSSL_PKEY_PARAM_DH_GENERATOR\fR) <integer>" 4
+.IX Item """safeprime-generator"" (OSSL_PKEY_PARAM_DH_GENERATOR) <integer>"
+Used for DH generation of safe primes using the old safe prime generator code.
The default value is 2.
It is recommended to use a named safe prime group instead, if domain parameter
validation is required.
.Sp
-Randomly generated safe primes are not allowed by \s-1FIPS,\s0 so setting this value
-for the OpenSSL \s-1FIPS\s0 provider will instead choose a named safe prime group
+Randomly generated safe primes are not allowed by FIPS, so setting this value
+for the OpenSSL FIPS provider will instead choose a named safe prime group
based on the size of \fIp\fR.
-.SS "\s-1DH\s0 and \s-1DHX\s0 domain parameter / key generation parameters"
+.SS "DH and DHX domain parameter / key generation parameters"
.IX Subsection "DH and DHX domain parameter / key generation parameters"
-In addition to the common \s-1FFC\s0 key generation parameters that all \s-1FFC\s0 key types
-should support (see \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)) the
-\&\fB\s-1DH\s0\fR and \fB\s-1DHX\s0\fR keytype implementation supports the following:
-.ie n .IP """type"" (\fB\s-1OSSL_PKEY_PARAM_FFC_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``type'' (\fB\s-1OSSL_PKEY_PARAM_FFC_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "type (OSSL_PKEY_PARAM_FFC_TYPE) <UTF8 string>"
-Sets the type of parameter generation. For \fB\s-1DH\s0\fR valid values are:
+In addition to the common FFC key generation parameters that all FFC key types
+should support (see "FFC key generation parameters" in \fBEVP_PKEY\-FFC\fR\|(7)) the
+\&\fBDH\fR and \fBDHX\fR keytype implementation supports the following:
+.IP """type"" (\fBOSSL_PKEY_PARAM_FFC_TYPE\fR) <UTF8 string>" 4
+.IX Item """type"" (OSSL_PKEY_PARAM_FFC_TYPE) <UTF8 string>"
+Sets the type of parameter generation. For \fBDH\fR valid values are:
.RS 4
-.ie n .IP """fips186_4""" 4
-.el .IP "``fips186_4''" 4
-.IX Item "fips186_4"
+.IP """fips186_4""" 4
+.IX Item """fips186_4"""
.PD 0
-.ie n .IP """default""" 4
-.el .IP "``default''" 4
-.IX Item "default"
-.ie n .IP """fips186_2""" 4
-.el .IP "``fips186_2''" 4
-.IX Item "fips186_2"
+.IP """default""" 4
+.IX Item """default"""
+.IP """fips186_2""" 4
+.IX Item """fips186_2"""
.PD
-These are described in \*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)
-.ie n .IP """group""" 4
-.el .IP "``group''" 4
-.IX Item "group"
-This specifies that a named safe prime name will be chosen using the \*(L"pbits\*(R"
+These are described in "FFC key generation parameters" in \fBEVP_PKEY\-FFC\fR\|(7)
+.IP """group""" 4
+.IX Item """group"""
+This specifies that a named safe prime name will be chosen using the "pbits"
type.
-.ie n .IP """generator""" 4
-.el .IP "``generator''" 4
-.IX Item "generator"
-A safe prime generator. See the \*(L"safeprime-generator\*(R" type above.
-This is only valid for \fB\s-1DH\s0\fR keys.
+.IP """generator""" 4
+.IX Item """generator"""
+A safe prime generator. See the "safeprime-generator" type above.
+This is only valid for \fBDH\fR keys.
.RE
.RS 4
.RE
-.ie n .IP """pbits"" (\fB\s-1OSSL_PKEY_PARAM_FFC_PBITS\s0\fR) <unsigned integer>" 4
-.el .IP "``pbits'' (\fB\s-1OSSL_PKEY_PARAM_FFC_PBITS\s0\fR) <unsigned integer>" 4
-.IX Item "pbits (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>"
+.IP """pbits"" (\fBOSSL_PKEY_PARAM_FFC_PBITS\fR) <unsigned integer>" 4
+.IX Item """pbits"" (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>"
Sets the size (in bits) of the prime 'p'.
.Sp
-For \*(L"fips186_4\*(R" this must be 2048.
-For \*(L"fips186_2\*(R" this must be 1024.
-For \*(L"group\*(R" this can be any one of 2048, 3072, 4096, 6144 or 8192.
-.ie n .IP """priv_len"" (\fB\s-1OSSL_PKEY_PARAM_DH_PRIV_LEN\s0\fR) <integer>" 4
-.el .IP "``priv_len'' (\fB\s-1OSSL_PKEY_PARAM_DH_PRIV_LEN\s0\fR) <integer>" 4
-.IX Item "priv_len (OSSL_PKEY_PARAM_DH_PRIV_LEN) <integer>"
+For "fips186_4" this must be 2048.
+For "fips186_2" this must be 1024.
+For "group" this can be any one of 2048, 3072, 4096, 6144 or 8192.
+.IP """priv_len"" (\fBOSSL_PKEY_PARAM_DH_PRIV_LEN\fR) <integer>" 4
+.IX Item """priv_len"" (OSSL_PKEY_PARAM_DH_PRIV_LEN) <integer>"
An optional value to set the maximum length of the generated private key.
The default value used if this is not set is the maximum value of
BN_num_bits(\fIq\fR)). The minimum value that this can be set to is 2 * s.
Where s is the security strength of the key which has values of
112, 128, 152, 176 and 200 for key sizes of 2048, 3072, 4096, 6144 and 8192.
-.SS "\s-1DH\s0 key validation"
-.IX Subsection "DH key validation"
-For \fB\s-1DHX\s0\fR that is not a named group the \s-1FIPS186\-4\s0 standard specifies that the
-values used for \s-1FFC\s0 parameter generation are also required for parameter
-validation. This means that optional \s-1FFC\s0 domain parameter values for
+.SS "DH and DHX key validation"
+.IX Subsection "DH and DHX key validation"
+For keys that are not a named group the FIPS186\-4 standard specifies that the
+values used for FFC parameter generation are also required for parameter
+validation. This means that optional FFC domain parameter values for
\&\fIseed\fR, \fIpcounter\fR and \fIgindex\fR or \fIhindex\fR may need to be stored for
validation purposes.
-For \fB\s-1DHX\s0\fR the \fIseed\fR and \fIpcounter\fR can be stored in \s-1ASN1\s0 data
+For \fBDHX\fR the \fIseed\fR and \fIpcounter\fR can be stored in ASN1 data
(but the \fIgindex\fR or \fIhindex\fR cannot be stored). It is recommended to use a
-named safe prime group instead.
+\&\fBDH\fR parameters with named safe prime group instead.
.PP
-For \s-1DH\s0 keys, \fBEVP_PKEY_param_check\fR\|(3) behaves in the following way:
-The OpenSSL \s-1FIPS\s0 provider tests if the parameters are either an approved safe
-prime group \s-1OR\s0 that the \s-1FFC\s0 parameters conform to \s-1FIPS186\-4\s0 as defined in
-SP800\-56Ar3 \fIAssurances of Domain-Parameter Validity\fR.
-The OpenSSL default provider uses simpler checks that allows there to be no \fIq\fR
-value for backwards compatibility.
+With the OpenSSL FIPS provider, \fBEVP_PKEY_param_check\fR\|(3) and
+\&\fBEVP_PKEY_param_check_quick\fR\|(3) behave in the following way: the parameters
+are tested if they are either an approved safe prime group OR that the FFC
+parameters conform to FIPS186\-4 as defined in SP800\-56Ar3 \fIAssurances of
+Domain-Parameter Validity\fR.
.PP
-For \s-1DH\s0 keys, \fBEVP_PKEY_param_check_quick\fR\|(3) is equivalent to
-\&\fBEVP_PKEY_param_check\fR\|(3).
+The OpenSSL default provider uses simpler checks that allows there to be no \fIq\fR
+value for backwards compatibility, however the \fBEVP_PKEY_param_check\fR\|(3) will
+test the \fIp\fR value for being a prime (and a safe prime if \fIq\fR is missing)
+which can take significant time. The \fBEVP_PKEY_param_check_quick\fR\|(3) avoids
+the prime tests.
.PP
-For \s-1DH\s0 keys, \fBEVP_PKEY_public_check\fR\|(3) conforms to
-SP800\-56Ar3 \fI\s-1FFC\s0 Full Public-Key Validation\fR.
+\&\fBEVP_PKEY_public_check\fR\|(3) conforms to SP800\-56Ar3
+\&\fIFFC Full Public-Key Validation\fR.
.PP
-For \s-1DH\s0 keys, \fBEVP_PKEY_public_check_quick\fR\|(3) conforms to
-SP800\-56Ar3 \fI\s-1FFC\s0 Partial Public-Key Validation\fR when the
-\&\s-1DH\s0 key is an approved named safe prime group, otherwise it is the same as
-\&\fBEVP_PKEY_public_check\fR\|(3).
+\&\fBEVP_PKEY_public_check_quick\fR\|(3) conforms to SP800\-56Ar3
+\&\fIFFC Partial Public-Key Validation\fR when the key is an approved named safe
+prime group, otherwise it is the same as \fBEVP_PKEY_public_check\fR\|(3).
.PP
-For \s-1DH\s0 Keys, \fBEVP_PKEY_private_check\fR\|(3) tests that the private key is in the
-correct range according to SP800\-56Ar3. The OpenSSL \s-1FIPS\s0 provider requires the
-value of \fIq\fR to be set (note that this is set for named safe prime groups).
+\&\fBEVP_PKEY_private_check\fR\|(3) tests that the private key is in the correct range
+according to SP800\-56Ar3. The OpenSSL FIPS provider requires the value of \fIq\fR
+to be set (note that this is implicitly set for named safe prime groups).
For backwards compatibility the OpenSSL default provider only requires \fIp\fR to
be set.
.PP
-For \s-1DH\s0 keys, \fBEVP_PKEY_pairwise_check\fR\|(3) conforms to
-SP800\-56Ar3 \fIOwner Assurance of Pair-wise Consistency\fR.
-.SH "EXAMPLES"
+\&\fBEVP_PKEY_pairwise_check\fR\|(3) conforms to SP800\-56Ar3
+\&\fIOwner Assurance of Pair-wise Consistency\fR.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-An \fB\s-1EVP_PKEY\s0\fR context can be obtained by calling:
+An \fBEVP_PKEY\fR context can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL);
.Ve
.PP
-A \fB\s-1DH\s0\fR key can be generated with a named safe prime group by calling:
+A \fBDH\fR key can be generated with a named safe prime group by calling:
.PP
.Vb 4
\& int priv_len = 2 * 112;
@@ -314,7 +229,7 @@ A \fB\s-1DH\s0\fR key can be generated with a named safe prime group by calling:
\& EVP_PKEY_CTX_free(pctx);
.Ve
.PP
-\&\fB\s-1DHX\s0\fR domain parameters can be generated according to \fB\s-1FIPS186\-4\s0\fR by calling:
+\&\fBDHX\fR domain parameters can be generated according to \fBFIPS186\-4\fR by calling:
.PP
.Vb 6
\& int gindex = 2;
@@ -343,7 +258,7 @@ A \fB\s-1DH\s0\fR key can be generated with a named safe prime group by calling:
\& EVP_PKEY_CTX_free(pctx);
.Ve
.PP
-A \fB\s-1DH\s0\fR key can be generated using domain parameters by calling:
+A \fBDH\fR key can be generated using domain parameters by calling:
.PP
.Vb 2
\& EVP_PKEY *key = NULL;
@@ -357,8 +272,8 @@ A \fB\s-1DH\s0\fR key can be generated using domain parameters by calling:
\& EVP_PKEY_CTX_free(gctx);
.Ve
.PP
-To validate \fB\s-1FIPS186\-4\s0\fR \fB\s-1DHX\s0\fR domain parameters decoded from \fB\s-1PEM\s0\fR or
-\&\fB\s-1DER\s0\fR data, additional values used during generation may be required to
+To validate \fBFIPS186\-4\fR \fBDHX\fR domain parameters decoded from \fBPEM\fR or
+\&\fBDER\fR data, additional values used during generation may be required to
be set into the key.
.PP
\&\fBEVP_PKEY_todata()\fR, \fBOSSL_PARAM_merge()\fR, and \fBEVP_PKEY_fromdata()\fR are useful
@@ -409,25 +324,24 @@ the actual validation. In production code the return values should be checked.
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-.IP "\s-1RFC 7919\s0 (\s-1TLS\s0 ffdhe named safe prime groups)" 4
+.IP "RFC 7919 (TLS ffdhe named safe prime groups)" 4
.IX Item "RFC 7919 (TLS ffdhe named safe prime groups)"
.PD 0
-.IP "\s-1RFC 3526\s0 (\s-1IKE\s0 modp named safe prime groups)" 4
+.IP "RFC 3526 (IKE modp named safe prime groups)" 4
.IX Item "RFC 3526 (IKE modp named safe prime groups)"
-.ie n .IP "\s-1RFC 5114\s0 (Additional \s-1DH\s0 named groups for dh_1024_160"", ""dh_2048_224"" and ""dh_2048_256"")." 4
-.el .IP "\s-1RFC 5114\s0 (Additional \s-1DH\s0 named groups for dh_1024_160``, ''dh_2048_224`` and ''dh_2048_256"")." 4
-.IX Item "RFC 5114 (Additional DH named groups for dh_1024_160, dh_2048_224 and dh_2048_256"")."
+.IP "RFC 5114 (Additional DH named groups for dh_1024_160"", ""dh_2048_224"" and ""dh_2048_256"")." 4
+.IX Item "RFC 5114 (Additional DH named groups for dh_1024_160"", ""dh_2048_224"" and ""dh_2048_256"")."
.PD
.PP
The following sections of SP800\-56Ar3:
-.IP "5.5.1.1 \s-1FFC\s0 Domain Parameter Selection/Generation" 4
+.IP "5.5.1.1 FFC Domain Parameter Selection/Generation" 4
.IX Item "5.5.1.1 FFC Domain Parameter Selection/Generation"
.PD 0
-.IP "Appendix D: \s-1FFC\s0 Safe-prime Groups" 4
+.IP "Appendix D: FFC Safe-prime Groups" 4
.IX Item "Appendix D: FFC Safe-prime Groups"
.PD
.PP
-The following sections of \s-1FIPS186\-4:\s0
+The following sections of FIPS186\-4:
.IP "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function." 4
.IX Item "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function."
.PD 0
@@ -438,18 +352,18 @@ The following sections of \s-1FIPS186\-4:\s0
.PD
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-FFC\s0\fR\|(7),
-\&\s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7)
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-FFC\fR\|(7),
+\&\fBEVP_KEYEXCH\-DH\fR\|(7)
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keymgmt\fR\|(7),
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3),
+\&\fBEVP_KEYMGMT\fR\|(3),
\&\fBOSSL_PROVIDER\-default\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7
index 646834ae94dd..fb87017add56 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-DSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,122 +52,74 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-DSA 7ossl"
-.TH EVP_PKEY-DSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-DSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-DSA, EVP_KEYMGMT\-DSA \- EVP_PKEY DSA keytype and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-For \fB\s-1DSA\s0\fR the \s-1FIPS186\-4\s0 standard specifies that the values used for \s-1FFC\s0
+For \fBDSA\fR the FIPS 186\-4 standard specifies that the values used for FFC
parameter generation are also required for parameter validation.
-This means that optional \s-1FFC\s0 domain parameter values for \fIseed\fR, \fIpcounter\fR
-and \fIgindex\fR may need to be stored for validation purposes. For \fB\s-1DSA\s0\fR these
-fields are not stored in the \s-1ASN1\s0 data so they need to be stored externally if
+This means that optional FFC domain parameter values for \fIseed\fR, \fIpcounter\fR
+and \fIgindex\fR may need to be stored for validation purposes. For \fBDSA\fR these
+fields are not stored in the ASN1 data so they need to be stored externally if
validation is required.
-.SS "\s-1DSA\s0 parameters"
+.PP
+As part of FIPS 140\-3 DSA is not longer FIPS approved for key generation and
+signature validation, but is still allowed for signature verification.
+.SS "DSA parameters"
.IX Subsection "DSA parameters"
-The \fB\s-1DSA\s0\fR key type supports the \s-1FFC\s0 parameters (see
-\&\*(L"\s-1FFC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)).
-.SS "\s-1DSA\s0 key generation parameters"
+The \fBDSA\fR key type supports the FFC parameters (see
+"FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7)).
+.PP
+It also supports the following parameters:
+.IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer" 4
+.IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer"
+.PD 0
+.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD
+See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for more information.
+.SS "DSA key generation parameters"
.IX Subsection "DSA key generation parameters"
-The \fB\s-1DSA\s0\fR key type supports the \s-1FFC\s0 key generation parameters (see
-\&\*(L"\s-1FFC\s0 key generation parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7)
+The \fBDSA\fR key type supports the FFC key generation parameters (see
+"FFC key generation parameters" in \fBEVP_PKEY\-FFC\fR\|(7)
.PP
-The following restrictions apply to the \*(L"pbits\*(R" field:
+The following restrictions apply to the "pbits" field:
.PP
-For \*(L"fips186_4\*(R" this must be either 2048 or 3072.
-For \*(L"fips186_2\*(R" this must be 1024.
-For \*(L"group\*(R" this can be any one of 2048, 3072, 4096, 6144 or 8192.
-.SS "\s-1DSA\s0 key validation"
+For "fips186_4" this must be either 2048 or 3072.
+For "fips186_2" this must be 1024.
+For "group" this can be any one of 2048, 3072, 4096, 6144 or 8192.
+.SS "DSA key validation"
.IX Subsection "DSA key validation"
-For \s-1DSA\s0 keys, \fBEVP_PKEY_param_check\fR\|(3) behaves in the following way:
-The OpenSSL \s-1FIPS\s0 provider conforms to the rules within the \s-1FIPS186\-4\s0
-standard for \s-1FFC\s0 parameter validation. For backwards compatibility the OpenSSL
+For DSA keys, \fBEVP_PKEY_param_check\fR\|(3) behaves in the following way:
+The OpenSSL FIPS provider conforms to the rules within the FIPS186\-4
+standard for FFC parameter validation. For backwards compatibility the OpenSSL
default provider uses a much simpler check (see below) for parameter validation,
unless the seed parameter is set.
.PP
-For \s-1DSA\s0 keys, \fBEVP_PKEY_param_check_quick\fR\|(3) behaves in the following way:
+For DSA keys, \fBEVP_PKEY_param_check_quick\fR\|(3) behaves in the following way:
A simple check of L and N and partial g is performed. The default provider
-also supports validation of legacy \*(L"fips186_2\*(R" keys.
+also supports validation of legacy "fips186_2" keys.
.PP
-For \s-1DSA\s0 keys, \fBEVP_PKEY_public_check\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3) and
-\&\fBEVP_PKEY_pairwise_check\fR\|(3) the OpenSSL default and \s-1FIPS\s0 providers conform to
+For DSA keys, \fBEVP_PKEY_public_check\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3) and
+\&\fBEVP_PKEY_pairwise_check\fR\|(3) the OpenSSL default and FIPS providers conform to
the rules within SP800\-56Ar3 for public, private and pairwise tests respectively.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-An \fB\s-1EVP_PKEY\s0\fR context can be obtained by calling:
+An \fBEVP_PKEY\fR context can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL);
.Ve
.PP
-The \fB\s-1DSA\s0\fR domain parameters can be generated by calling:
+The \fBDSA\fR domain parameters can be generated by calling:
.PP
.Vb 6
\& unsigned int pbits = 2048;
@@ -209,7 +145,7 @@ The \fB\s-1DSA\s0\fR domain parameters can be generated by calling:
\& EVP_PKEY_print_params(bio_out, param_key, 0, NULL);
.Ve
.PP
-A \fB\s-1DSA\s0\fR key can be generated using domain parameters by calling:
+A \fBDSA\fR key can be generated using domain parameters by calling:
.PP
.Vb 2
\& EVP_PKEY *key = NULL;
@@ -223,7 +159,7 @@ A \fB\s-1DSA\s0\fR key can be generated using domain parameters by calling:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-The following sections of \s-1FIPS186\-4:\s0
+The following sections of FIPS186\-4:
.IP "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function." 4
.IX Item "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function."
.PD 0
@@ -234,18 +170,22 @@ The following sections of \s-1FIPS186\-4:\s0
.PD
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-FFC\s0\fR\|(7),
-\&\s-1\fBEVP_SIGNATURE\-DSA\s0\fR\|(7)
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-FFC\fR\|(7),
+\&\fBEVP_SIGNATURE\-DSA\fR\|(7)
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keymgmt\fR\|(7),
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3),
+\&\fBEVP_KEYMGMT\fR\|(3),
\&\fBOSSL_PROVIDER\-default\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+DSA Key generation and signature generation are no longer FIPS approved in
+OpenSSL 3.4. See "FIPS indicators" in \fBfips_module\fR\|(7) for more information.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7
index a59429889b2a..244f4a7d64ae 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-EC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,189 +52,113 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-EC 7ossl"
-.TH EVP_PKEY-EC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-EC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-EC,
EVP_KEYMGMT\-EC
\&\- EVP_PKEY EC keytype and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1EC\s0\fR keytype is implemented in OpenSSL's default provider.
-.SS "Common \s-1EC\s0 parameters"
+The \fBEC\fR keytype is implemented in OpenSSL's default provider.
+.SS "Common EC parameters"
.IX Subsection "Common EC parameters"
-The normal way of specifying domain parameters for an \s-1EC\s0 curve is via the
-curve name \*(L"group\*(R". For curves with no curve name, explicit parameters can be
-used that specify \*(L"field-type\*(R", \*(L"p\*(R", \*(L"a\*(R", \*(L"b\*(R", \*(L"generator\*(R" and \*(L"order\*(R".
+The normal way of specifying domain parameters for an EC curve is via the
+curve name "group". For curves with no curve name, explicit parameters can be
+used that specify "field-type", "p", "a", "b", "generator" and "order".
Explicit parameters are supported for backwards compatibility reasons, but they
-are not compliant with multiple standards (including \s-1RFC5915\s0) which only allow
+are not compliant with multiple standards (including RFC5915) which only allow
named curves.
.PP
-The following KeyGen/Gettable/Import/Export types are available for the
-built-in \s-1EC\s0 algorithm:
-.ie n .IP """group"" (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``group'' (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "group (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
+The following Key generation/Gettable/Import/Export types are available for the
+built-in EC algorithm:
+.IP """group"" (\fBOSSL_PKEY_PARAM_GROUP_NAME\fR) <UTF8 string>" 4
+.IX Item """group"" (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
The curve name.
-.ie n .IP """field-type"" (\fB\s-1OSSL_PKEY_PARAM_EC_FIELD_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``field-type'' (\fB\s-1OSSL_PKEY_PARAM_EC_FIELD_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "field-type (OSSL_PKEY_PARAM_EC_FIELD_TYPE) <UTF8 string>"
-The value should be either \*(L"prime-field\*(R" or \*(L"characteristic-two-field\*(R",
+.IP """field-type"" (\fBOSSL_PKEY_PARAM_EC_FIELD_TYPE\fR) <UTF8 string>" 4
+.IX Item """field-type"" (OSSL_PKEY_PARAM_EC_FIELD_TYPE) <UTF8 string>"
+The value should be either "prime-field" or "characteristic-two-field",
which correspond to prime field Fp and binary field F2^m.
-.ie n .IP """p"" (\fB\s-1OSSL_PKEY_PARAM_EC_P\s0\fR) <unsigned integer>" 4
-.el .IP "``p'' (\fB\s-1OSSL_PKEY_PARAM_EC_P\s0\fR) <unsigned integer>" 4
-.IX Item "p (OSSL_PKEY_PARAM_EC_P) <unsigned integer>"
+.IP """p"" (\fBOSSL_PKEY_PARAM_EC_P\fR) <unsigned integer>" 4
+.IX Item """p"" (OSSL_PKEY_PARAM_EC_P) <unsigned integer>"
For a curve over Fp \fIp\fR is the prime for the field. For a curve over F2^m \fIp\fR
represents the irreducible polynomial \- each bit represents a term in the
polynomial. Therefore, there will either be three or five bits set dependent on
whether the polynomial is a trinomial or a pentanomial.
-.ie n .IP """a"" (\fB\s-1OSSL_PKEY_PARAM_EC_A\s0\fR) <unsigned integer>" 4
-.el .IP "``a'' (\fB\s-1OSSL_PKEY_PARAM_EC_A\s0\fR) <unsigned integer>" 4
-.IX Item "a (OSSL_PKEY_PARAM_EC_A) <unsigned integer>"
+.IP """a"" (\fBOSSL_PKEY_PARAM_EC_A\fR) <unsigned integer>" 4
+.IX Item """a"" (OSSL_PKEY_PARAM_EC_A) <unsigned integer>"
.PD 0
-.ie n .IP """b"" (\fB\s-1OSSL_PKEY_PARAM_EC_B\s0\fR) <unsigned integer>" 4
-.el .IP "``b'' (\fB\s-1OSSL_PKEY_PARAM_EC_B\s0\fR) <unsigned integer>" 4
-.IX Item "b (OSSL_PKEY_PARAM_EC_B) <unsigned integer>"
-.ie n .IP """seed"" (\fB\s-1OSSL_PKEY_PARAM_EC_SEED\s0\fR) <octet string>" 4
-.el .IP "``seed'' (\fB\s-1OSSL_PKEY_PARAM_EC_SEED\s0\fR) <octet string>" 4
-.IX Item "seed (OSSL_PKEY_PARAM_EC_SEED) <octet string>"
+.IP """b"" (\fBOSSL_PKEY_PARAM_EC_B\fR) <unsigned integer>" 4
+.IX Item """b"" (OSSL_PKEY_PARAM_EC_B) <unsigned integer>"
+.IP """seed"" (\fBOSSL_PKEY_PARAM_EC_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_PKEY_PARAM_EC_SEED) <octet string>"
.PD
\&\fIa\fR and \fIb\fR represents the coefficients of the curve
-For Fp: y^2 mod p = x^3 +ax + b mod p \s-1OR\s0
+For Fp: y^2 mod p = x^3 +ax + b mod p OR
For F2^m: y^2 + xy = x^3 + ax^2 + b
.Sp
\&\fIseed\fR is an optional value that is for information purposes only.
It represents the random number seed used to generate the coefficient \fIb\fR from a
random number.
-.ie n .IP """generator"" (\fB\s-1OSSL_PKEY_PARAM_EC_GENERATOR\s0\fR) <octet string>" 4
-.el .IP "``generator'' (\fB\s-1OSSL_PKEY_PARAM_EC_GENERATOR\s0\fR) <octet string>" 4
-.IX Item "generator (OSSL_PKEY_PARAM_EC_GENERATOR) <octet string>"
+.IP """generator"" (\fBOSSL_PKEY_PARAM_EC_GENERATOR\fR) <octet string>" 4
+.IX Item """generator"" (OSSL_PKEY_PARAM_EC_GENERATOR) <octet string>"
.PD 0
-.ie n .IP """order"" (\fB\s-1OSSL_PKEY_PARAM_EC_ORDER\s0\fR) <unsigned integer>" 4
-.el .IP "``order'' (\fB\s-1OSSL_PKEY_PARAM_EC_ORDER\s0\fR) <unsigned integer>" 4
-.IX Item "order (OSSL_PKEY_PARAM_EC_ORDER) <unsigned integer>"
-.ie n .IP """cofactor"" (\fB\s-1OSSL_PKEY_PARAM_EC_COFACTOR\s0\fR) <unsigned integer>" 4
-.el .IP "``cofactor'' (\fB\s-1OSSL_PKEY_PARAM_EC_COFACTOR\s0\fR) <unsigned integer>" 4
-.IX Item "cofactor (OSSL_PKEY_PARAM_EC_COFACTOR) <unsigned integer>"
+.IP """order"" (\fBOSSL_PKEY_PARAM_EC_ORDER\fR) <unsigned integer>" 4
+.IX Item """order"" (OSSL_PKEY_PARAM_EC_ORDER) <unsigned integer>"
+.IP """cofactor"" (\fBOSSL_PKEY_PARAM_EC_COFACTOR\fR) <unsigned integer>" 4
+.IX Item """cofactor"" (OSSL_PKEY_PARAM_EC_COFACTOR) <unsigned integer>"
.PD
The \fIgenerator\fR is a well defined point on the curve chosen for cryptographic
-operations. The encoding conforms with Sec. 2.3.3 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic Curve
-Cryptography\*(R") standard. See \fBEC_POINT_oct2point()\fR.
+operations. The encoding conforms with Sec. 2.3.3 of the SECG SEC 1 ("Elliptic Curve
+Cryptography") standard. See \fBEC_POINT_oct2point()\fR.
Integers used for point multiplications will be between 0 and
\&\fIorder\fR \- 1.
\&\fIcofactor\fR is an optional value.
\&\fIorder\fR multiplied by the \fIcofactor\fR gives the number of points on the curve.
-.ie n .IP """decoded-from-explicit"" (\fB\s-1OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\s0\fR) <integer>" 4
-.el .IP "``decoded-from-explicit'' (\fB\s-1OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\s0\fR) <integer>" 4
-.IX Item "decoded-from-explicit (OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS) <integer>"
+.IP """decoded-from-explicit"" (\fBOSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS\fR) <integer>" 4
+.IX Item """decoded-from-explicit"" (OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS) <integer>"
Gets a flag indicating whether the key or parameters were decoded from explicit
curve parameters. Set to 1 if so or 0 if a named curve was used.
-.ie n .IP """use-cofactor-flag"" (\fB\s-1OSSL_PKEY_PARAM_USE_COFACTOR_ECDH\s0\fR) <integer>" 4
-.el .IP "``use-cofactor-flag'' (\fB\s-1OSSL_PKEY_PARAM_USE_COFACTOR_ECDH\s0\fR) <integer>" 4
-.IX Item "use-cofactor-flag (OSSL_PKEY_PARAM_USE_COFACTOR_ECDH) <integer>"
-Enable Cofactor \s-1DH\s0 (\s-1ECC CDH\s0) if this value is 1, otherwise it uses normal \s-1EC DH\s0
+.IP """use-cofactor-flag"" (\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR) <integer>" 4
+.IX Item """use-cofactor-flag"" (OSSL_PKEY_PARAM_USE_COFACTOR_ECDH) <integer>"
+Enable Cofactor DH (ECC CDH) if this value is 1, otherwise it uses normal EC DH
if the value is zero. The cofactor variant multiplies the shared secret by the
-\&\s-1EC\s0 curve's cofactor (note for some curves the cofactor is 1).
+EC curve's cofactor (note for some curves the cofactor is 1).
.Sp
-See also \s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7) for the related
-\&\fB\s-1OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\s0\fR parameter that can be set on a
+See also \fBEVP_KEYEXCH\-ECDH\fR\|(7) for the related
+\&\fBOSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE\fR parameter that can be set on a
per-operation basis.
-.ie n .IP """encoding"" (\fB\s-1OSSL_PKEY_PARAM_EC_ENCODING\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``encoding'' (\fB\s-1OSSL_PKEY_PARAM_EC_ENCODING\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "encoding (OSSL_PKEY_PARAM_EC_ENCODING) <UTF8 string>"
-Set the format used for serializing the \s-1EC\s0 group parameters.
-Valid values are \*(L"explicit\*(R" or \*(L"named_curve\*(R". The default value is \*(L"named_curve\*(R".
-.ie n .IP """point-format"" (\fB\s-1OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``point-format'' (\fB\s-1OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "point-format (OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT) <UTF8 string>"
+.IP """encoding"" (\fBOSSL_PKEY_PARAM_EC_ENCODING\fR) <UTF8 string>" 4
+.IX Item """encoding"" (OSSL_PKEY_PARAM_EC_ENCODING) <UTF8 string>"
+Set the format used for serializing the EC group parameters.
+Valid values are "explicit" or "named_curve". The default value is "named_curve".
+.IP """point-format"" (\fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR) <UTF8 string>" 4
+.IX Item """point-format"" (OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT) <UTF8 string>"
Sets or gets the point_conversion_form for the \fIkey\fR. For a description of
point_conversion_forms please see \fBEC_POINT_new\fR\|(3). Valid values are
-\&\*(L"uncompressed\*(R" or \*(L"compressed\*(R". The default value is \*(L"uncompressed\*(R".
-.ie n .IP """group-check"" (\fB\s-1OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``group-check'' (\fB\s-1OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "group-check (OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE) <UTF8 string>"
+"uncompressed" or "compressed". The default value is "uncompressed".
+.IP """group-check"" (\fBOSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\fR) <UTF8 string>" 4
+.IX Item """group-check"" (OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE) <UTF8 string>"
Sets or Gets the type of group check done when \fBEVP_PKEY_param_check()\fR is called.
-Valid values are \*(L"default\*(R", \*(L"named\*(R" and \*(L"named-nist\*(R".
-The \*(L"named\*(R" type checks that the domain parameters match the inbuilt curve parameters,
-\&\*(L"named-nist\*(R" is similar but also checks that the named curve is a nist curve.
-The \*(L"default\*(R" type does domain parameter validation for the OpenSSL default provider,
-but is equivalent to \*(L"named-nist\*(R" for the OpenSSL \s-1FIPS\s0 provider.
-.ie n .IP """include-public"" (\fB\s-1OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\s0\fR) <integer>" 4
-.el .IP "``include-public'' (\fB\s-1OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\s0\fR) <integer>" 4
-.IX Item "include-public (OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC) <integer>"
+Valid values are "default", "named" and "named-nist".
+The "named" type checks that the domain parameters match the inbuilt curve parameters,
+"named-nist" is similar but also checks that the named curve is a nist curve.
+The "default" type does domain parameter validation for the OpenSSL default provider,
+but is equivalent to "named-nist" for the OpenSSL FIPS provider.
+.IP """include-public"" (\fBOSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\fR) <integer>" 4
+.IX Item """include-public"" (OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC) <integer>"
Setting this value to 0 indicates that the public key should not be included when
encoding the private key. The default value of 1 will include the public key.
-.ie n .IP """pub"" (\fB\s-1OSSL_PKEY_PARAM_PUB_KEY\s0\fR) <octet string>" 4
-.el .IP "``pub'' (\fB\s-1OSSL_PKEY_PARAM_PUB_KEY\s0\fR) <octet string>" 4
-.IX Item "pub (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
-The public key value in encoded \s-1EC\s0 point format conforming to Sec. 2.3.3 and
-2.3.4 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic Curve Cryptography\*(R") standard.
+.IP """pub"" (\fBOSSL_PKEY_PARAM_PUB_KEY\fR) <octet string>" 4
+.IX Item """pub"" (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
+The public key value in encoded EC point format conforming to Sec. 2.3.3 and
+2.3.4 of the SECG SEC 1 ("Elliptic Curve Cryptography") standard.
This parameter is used when importing or exporting the public key value with the
\&\fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions.
.Sp
@@ -260,54 +168,50 @@ provider implementation.
Before OpenSSL 3.0.8, the implementation of providers included with OpenSSL always
opted for an encoding in compressed format, unconditionally.
Since OpenSSL 3.0.8, the implementation has been changed to honor the
-\&\fB\s-1OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\s0\fR parameter, if set, or to default
+\&\fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR parameter, if set, or to default
to uncompressed format.
-.ie n .IP """priv"" (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <unsigned integer>" 4
-.el .IP "``priv'' (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <unsigned integer>" 4
-.IX Item "priv (OSSL_PKEY_PARAM_PRIV_KEY) <unsigned integer>"
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <unsigned integer>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <unsigned integer>"
The private key value.
-.ie n .IP """encoded-pub-key"" (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
-.el .IP "``encoded-pub-key'' (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
-.IX Item "encoded-pub-key (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
-Used for getting and setting the encoding of an \s-1EC\s0 public key. The public key
-is expected to be a point conforming to Sec. 2.3.4 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic
-Curve Cryptography\*(R") standard.
-.ie n .IP """qx"" (\fB\s-1OSSL_PKEY_PARAM_EC_PUB_X\s0\fR) <unsigned integer>" 4
-.el .IP "``qx'' (\fB\s-1OSSL_PKEY_PARAM_EC_PUB_X\s0\fR) <unsigned integer>" 4
-.IX Item "qx (OSSL_PKEY_PARAM_EC_PUB_X) <unsigned integer>"
-Used for getting the \s-1EC\s0 public key X component.
-.ie n .IP """qy"" (\fB\s-1OSSL_PKEY_PARAM_EC_PUB_Y\s0\fR) <unsigned integer>" 4
-.el .IP "``qy'' (\fB\s-1OSSL_PKEY_PARAM_EC_PUB_Y\s0\fR) <unsigned integer>" 4
-.IX Item "qy (OSSL_PKEY_PARAM_EC_PUB_Y) <unsigned integer>"
-Used for getting the \s-1EC\s0 public key Y component.
-.ie n .IP """default-digest"" (\fB\s-1OSSL_PKEY_PARAM_DEFAULT_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``default-digest'' (\fB\s-1OSSL_PKEY_PARAM_DEFAULT_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "default-digest (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>"
+.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4
+.IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
+Used for getting and setting the encoding of an EC public key. The public key
+is expected to be a point conforming to Sec. 2.3.4 of the SECG SEC 1 ("Elliptic
+Curve Cryptography") standard.
+.IP """qx"" (\fBOSSL_PKEY_PARAM_EC_PUB_X\fR) <unsigned integer>" 4
+.IX Item """qx"" (OSSL_PKEY_PARAM_EC_PUB_X) <unsigned integer>"
+Used for getting the EC public key X component.
+.IP """qy"" (\fBOSSL_PKEY_PARAM_EC_PUB_Y\fR) <unsigned integer>" 4
+.IX Item """qy"" (OSSL_PKEY_PARAM_EC_PUB_Y) <unsigned integer>"
+Used for getting the EC public key Y component.
+.IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4
+.IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>"
Getter that returns the default digest name.
-(Currently returns \*(L"\s-1SHA256\*(R"\s0 as of OpenSSL 3.0).
+(Currently returns "SHA256" as of OpenSSL 3.0).
+.IP """dhkem-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4
+.IX Item """dhkem-ikm"" (OSSL_PKEY_PARAM_DHKEM_IKM) <octet string>"
+DHKEM requires the generation of a keypair using an input key material (seed).
+Use this to specify the key material used for generation of the private key.
+This value should not be reused for other purposes. It can only be used
+for the curves "P\-256", "P\-384" and "P\-521" and should have a length of at least
+the size of the encoded private key (i.e. 32, 48 and 66 for the listed curves).
.PP
-The following Gettable types are also available for the built-in \s-1EC\s0 algorithm:
-.ie n .IP """basis-type"" (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``basis-type'' (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "basis-type (OSSL_PKEY_PARAM_EC_CHAR2_TYPE) <UTF8 string>"
-Supports the values \*(L"tpBasis\*(R" for a trinomial or \*(L"ppBasis\*(R" for a pentanomial.
+The following Gettable types are also available for the built-in EC algorithm:
+.IP """basis-type"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_TYPE\fR) <UTF8 string>" 4
+.IX Item """basis-type"" (OSSL_PKEY_PARAM_EC_CHAR2_TYPE) <UTF8 string>"
+Supports the values "tpBasis" for a trinomial or "ppBasis" for a pentanomial.
This field is only used for a binary field F2^m.
-.ie n .IP """m"" (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_M\s0\fR) <integer>" 4
-.el .IP "``m'' (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_M\s0\fR) <integer>" 4
-.IX Item "m (OSSL_PKEY_PARAM_EC_CHAR2_M) <integer>"
+.IP """m"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_M\fR) <integer>" 4
+.IX Item """m"" (OSSL_PKEY_PARAM_EC_CHAR2_M) <integer>"
.PD 0
-.ie n .IP """tp"" (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS\s0\fR) <integer>" 4
-.el .IP "``tp'' (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS\s0\fR) <integer>" 4
-.IX Item "tp (OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS) <integer>"
-.ie n .IP """k1"" (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_PP_K1\s0\fR) <integer>" 4
-.el .IP "``k1'' (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_PP_K1\s0\fR) <integer>" 4
-.IX Item "k1 (OSSL_PKEY_PARAM_EC_CHAR2_PP_K1) <integer>"
-.ie n .IP """k2"" (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_PP_K2\s0\fR) <integer>" 4
-.el .IP "``k2'' (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_PP_K2\s0\fR) <integer>" 4
-.IX Item "k2 (OSSL_PKEY_PARAM_EC_CHAR2_PP_K2) <integer>"
-.ie n .IP """k3"" (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_PP_K3\s0\fR) <integer>" 4
-.el .IP "``k3'' (\fB\s-1OSSL_PKEY_PARAM_EC_CHAR2_PP_K3\s0\fR) <integer>" 4
-.IX Item "k3 (OSSL_PKEY_PARAM_EC_CHAR2_PP_K3) <integer>"
+.IP """tp"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS\fR) <integer>" 4
+.IX Item """tp"" (OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS) <integer>"
+.IP """k1"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_PP_K1\fR) <integer>" 4
+.IX Item """k1"" (OSSL_PKEY_PARAM_EC_CHAR2_PP_K1) <integer>"
+.IP """k2"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_PP_K2\fR) <integer>" 4
+.IX Item """k2"" (OSSL_PKEY_PARAM_EC_CHAR2_PP_K2) <integer>"
+.IP """k3"" (\fBOSSL_PKEY_PARAM_EC_CHAR2_PP_K3\fR) <integer>" 4
+.IX Item """k3"" (OSSL_PKEY_PARAM_EC_CHAR2_PP_K3) <integer>"
.PD
These fields are only used for a binary field F2^m.
\&\fIm\fR is the degree of the binary field.
@@ -317,35 +221,47 @@ range m > tp > 0.
.Sp
\&\fIk1\fR, \fIk2\fR and \fIk3\fR are used to get the middle bits of a pentanomial such
that m > k3 > k2 > k1 > 0
-.SS "\s-1EC\s0 key validation"
+.PP
+The following key generation settable parameter is also available for the
+OpenSSL FIPS provider's EC algorithm:
+.IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>"
+See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information.
+.PP
+The following key generation Gettable parameter is available for the OpenSSL
+FIPS provider's EC algorithm:
+.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information.
+.SS "EC key validation"
.IX Subsection "EC key validation"
-For \s-1EC\s0 keys, \fBEVP_PKEY_param_check\fR\|(3) behaves in the following way:
+For EC keys, \fBEVP_PKEY_param_check\fR\|(3) behaves in the following way:
For the OpenSSL default provider it uses either
\&\fBEC_GROUP_check\fR\|(3) or \fBEC_GROUP_check_named_curve\fR\|(3) depending on the flag
-\&\s-1EC_FLAG_CHECK_NAMED_GROUP.\s0
-The OpenSSL \s-1FIPS\s0 provider uses \fBEC_GROUP_check_named_curve\fR\|(3) in order to
+EC_FLAG_CHECK_NAMED_GROUP.
+The OpenSSL FIPS provider uses \fBEC_GROUP_check_named_curve\fR\|(3) in order to
conform to SP800\-56Ar3 \fIAssurances of Domain-Parameter Validity\fR.
.PP
-For \s-1EC\s0 keys, \fBEVP_PKEY_param_check_quick\fR\|(3) is equivalent to
+For EC keys, \fBEVP_PKEY_param_check_quick\fR\|(3) is equivalent to
\&\fBEVP_PKEY_param_check\fR\|(3).
.PP
-For \s-1EC\s0 keys, \fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_public_check_quick\fR\|(3)
-conform to SP800\-56Ar3 \fI\s-1ECC\s0 Full Public-Key Validation\fR and
-\&\fI\s-1ECC\s0 Partial Public-Key Validation\fR respectively.
+For EC keys, \fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_public_check_quick\fR\|(3)
+conform to SP800\-56Ar3 \fIECC Full Public-Key Validation\fR and
+\&\fIECC Partial Public-Key Validation\fR respectively.
.PP
-For \s-1EC\s0 Keys, \fBEVP_PKEY_private_check\fR\|(3) and \fBEVP_PKEY_pairwise_check\fR\|(3)
+For EC Keys, \fBEVP_PKEY_private_check\fR\|(3) and \fBEVP_PKEY_pairwise_check\fR\|(3)
conform to SP800\-56Ar3 \fIPrivate key validity\fR and
\&\fIOwner Assurance of Pair-wise Consistency\fR respectively.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-An \fB\s-1EVP_PKEY\s0\fR context can be obtained by calling:
+An \fBEVP_PKEY\fR context can be obtained by calling:
.PP
.Vb 2
\& EVP_PKEY_CTX *pctx =
\& EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
.Ve
.PP
-An \fB\s-1EVP_PKEY\s0\fR \s-1ECDSA\s0 or \s-1ECDH\s0 key can be generated with a \*(L"P\-256\*(R" named group by
+An \fBEVP_PKEY\fR ECDSA or ECDH key can be generated with a "P\-256" named group by
calling:
.PP
.Vb 1
@@ -375,8 +291,8 @@ or like this:
\& EVP_PKEY_CTX_free(gctx);
.Ve
.PP
-An \fB\s-1EVP_PKEY\s0\fR \s-1EC CDH\s0 (Cofactor Diffie-Hellman) key can be generated with a
-\&\*(L"K\-571\*(R" named group by calling:
+An \fBEVP_PKEY\fR EC CDH (Cofactor Diffie-Hellman) key can be generated with a
+"K\-571" named group by calling:
.PP
.Vb 5
\& int use_cdh = 1;
@@ -408,16 +324,16 @@ An \fB\s-1EVP_PKEY\s0\fR \s-1EC CDH\s0 (Cofactor Diffie-Hellman) key can be gene
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_EC_gen\fR\|(3),
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3),
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keymgmt\fR\|(7),
-\&\s-1\fBEVP_SIGNATURE\-ECDSA\s0\fR\|(7),
-\&\s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBEVP_SIGNATURE\-ECDSA\fR\|(7),
+\&\fBEVP_KEYEXCH\-ECDH\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7
index aa77863f4184..80c3cd5e1520 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-FFC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,253 +52,168 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-FFC 7ossl"
-.TH EVP_PKEY-FFC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-FFC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-FFC \- EVP_PKEY DSA and DH/DHX shared FFC parameters.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Finite field cryptography (\s-1FFC\s0) is a method of implementing discrete logarithm
-cryptography using finite field mathematics. \s-1DSA\s0 is an example of \s-1FFC\s0 and
-Diffie-Hellman key establishment algorithms specified in \s-1SP800\-56A\s0 can also be
-implemented as \s-1FFC.\s0
+Finite field cryptography (FFC) is a method of implementing discrete logarithm
+cryptography using finite field mathematics. DSA is an example of FFC and
+Diffie-Hellman key establishment algorithms specified in SP800\-56A can also be
+implemented as FFC.
.PP
-The \fB\s-1DSA\s0\fR, \fB\s-1DH\s0\fR and \fB\s-1DHX\s0\fR keytypes are implemented in OpenSSL's default and
-\&\s-1FIPS\s0 providers.
-The implementations support the basic \s-1DSA, DH\s0 and \s-1DHX\s0 keys, containing the public
+The \fBDSA\fR, \fBDH\fR and \fBDHX\fR keytypes are implemented in OpenSSL's default and
+FIPS providers.
+The implementations support the basic DSA, DH and DHX keys, containing the public
and private keys \fIpub\fR and \fIpriv\fR as well as the three main domain parameters
\&\fIp\fR, \fIq\fR and \fIg\fR.
.PP
-For \fB\s-1DSA\s0\fR (and \fB\s-1DH\s0\fR that is not a named group) the \s-1FIPS186\-4\s0 standard
-specifies that the values used for \s-1FFC\s0 parameter generation are also required
+For \fBDSA\fR (and \fBDH\fR that is not a named group) the FIPS186\-4 standard
+specifies that the values used for FFC parameter generation are also required
for parameter validation.
-This means that optional \s-1FFC\s0 domain parameter values for \fIseed\fR, \fIpcounter\fR
+This means that optional FFC domain parameter values for \fIseed\fR, \fIpcounter\fR
and \fIgindex\fR may need to be stored for validation purposes.
-For \fB\s-1DH\s0\fR the \fIseed\fR and \fIpcounter\fR can be stored in \s-1ASN1\s0 data
-(but the \fIgindex\fR is not). For \fB\s-1DSA\s0\fR however, these fields are not stored in
-the \s-1ASN1\s0 data so they need to be stored externally if validation is required.
+For \fBDH\fR the \fIseed\fR and \fIpcounter\fR can be stored in ASN1 data
+(but the \fIgindex\fR is not). For \fBDSA\fR however, these fields are not stored in
+the ASN1 data so they need to be stored externally if validation is required.
.PP
-The \fB\s-1DH\s0\fR key type uses PKCS#3 format which saves p and g, but not the 'q' value.
-The \fB\s-1DHX\s0\fR key type uses X9.42 format which saves the value of 'q' and this
-must be used for \s-1FIPS186\-4.\s0
-.SS "\s-1FFC\s0 parameters"
+The \fBDH\fR key type uses PKCS#3 format which saves p and g, but not the 'q' value.
+The \fBDHX\fR key type uses X9.42 format which saves the value of 'q' and this
+must be used for FIPS186\-4.
+.SS "FFC parameters"
.IX Subsection "FFC parameters"
In addition to the common parameters that all keytypes should support (see
-\&\*(L"Common parameters\*(R" in \fBprovider\-keymgmt\fR\|(7)), the \fB\s-1DSA\s0\fR, \fB\s-1DH\s0\fR and \fB\s-1DHX\s0\fR keytype
+"Common parameters" in \fBprovider\-keymgmt\fR\|(7)), the \fBDSA\fR, \fBDH\fR and \fBDHX\fR keytype
implementations support the following.
-.ie n .IP """pub"" (\fB\s-1OSSL_PKEY_PARAM_PUB_KEY\s0\fR) <unsigned integer>" 4
-.el .IP "``pub'' (\fB\s-1OSSL_PKEY_PARAM_PUB_KEY\s0\fR) <unsigned integer>" 4
-.IX Item "pub (OSSL_PKEY_PARAM_PUB_KEY) <unsigned integer>"
+.IP """pub"" (\fBOSSL_PKEY_PARAM_PUB_KEY\fR) <unsigned integer>" 4
+.IX Item """pub"" (OSSL_PKEY_PARAM_PUB_KEY) <unsigned integer>"
The public key value.
-.ie n .IP """priv"" (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <unsigned integer>" 4
-.el .IP "``priv'' (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <unsigned integer>" 4
-.IX Item "priv (OSSL_PKEY_PARAM_PRIV_KEY) <unsigned integer>"
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <unsigned integer>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <unsigned integer>"
The private key value.
-.SS "\s-1FFC DSA, DH\s0 and \s-1DHX\s0 domain parameters"
+.SS "FFC DSA, DH and DHX domain parameters"
.IX Subsection "FFC DSA, DH and DHX domain parameters"
-.ie n .IP """p"" (\fB\s-1OSSL_PKEY_PARAM_FFC_P\s0\fR) <unsigned integer>" 4
-.el .IP "``p'' (\fB\s-1OSSL_PKEY_PARAM_FFC_P\s0\fR) <unsigned integer>" 4
-.IX Item "p (OSSL_PKEY_PARAM_FFC_P) <unsigned integer>"
-A \s-1DSA\s0 or Diffie-Hellman prime \*(L"p\*(R" value.
-.ie n .IP """g"" (\fB\s-1OSSL_PKEY_PARAM_FFC_G\s0\fR) <unsigned integer>" 4
-.el .IP "``g'' (\fB\s-1OSSL_PKEY_PARAM_FFC_G\s0\fR) <unsigned integer>" 4
-.IX Item "g (OSSL_PKEY_PARAM_FFC_G) <unsigned integer>"
-A \s-1DSA\s0 or Diffie-Hellman generator \*(L"g\*(R" value.
-.SS "\s-1FFC DSA\s0 and \s-1DHX\s0 domain parameters"
+.IP """p"" (\fBOSSL_PKEY_PARAM_FFC_P\fR) <unsigned integer>" 4
+.IX Item """p"" (OSSL_PKEY_PARAM_FFC_P) <unsigned integer>"
+A DSA or Diffie-Hellman prime "p" value.
+.IP """g"" (\fBOSSL_PKEY_PARAM_FFC_G\fR) <unsigned integer>" 4
+.IX Item """g"" (OSSL_PKEY_PARAM_FFC_G) <unsigned integer>"
+A DSA or Diffie-Hellman generator "g" value.
+.SS "FFC DSA and DHX domain parameters"
.IX Subsection "FFC DSA and DHX domain parameters"
-.ie n .IP """q"" (\fB\s-1OSSL_PKEY_PARAM_FFC_Q\s0\fR) <unsigned integer>" 4
-.el .IP "``q'' (\fB\s-1OSSL_PKEY_PARAM_FFC_Q\s0\fR) <unsigned integer>" 4
-.IX Item "q (OSSL_PKEY_PARAM_FFC_Q) <unsigned integer>"
-A \s-1DSA\s0 or Diffie-Hellman prime \*(L"q\*(R" value.
-.ie n .IP """seed"" (\fB\s-1OSSL_PKEY_PARAM_FFC_SEED\s0\fR) <octet string>" 4
-.el .IP "``seed'' (\fB\s-1OSSL_PKEY_PARAM_FFC_SEED\s0\fR) <octet string>" 4
-.IX Item "seed (OSSL_PKEY_PARAM_FFC_SEED) <octet string>"
+.IP """q"" (\fBOSSL_PKEY_PARAM_FFC_Q\fR) <unsigned integer>" 4
+.IX Item """q"" (OSSL_PKEY_PARAM_FFC_Q) <unsigned integer>"
+A DSA or Diffie-Hellman prime "q" value.
+.IP """seed"" (\fBOSSL_PKEY_PARAM_FFC_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_PKEY_PARAM_FFC_SEED) <octet string>"
An optional domain parameter \fIseed\fR value used during generation and validation
of \fIp\fR, \fIq\fR and canonical \fIg\fR.
For validation this needs to set the \fIseed\fR that was produced during generation.
-.ie n .IP """gindex"" (\fB\s-1OSSL_PKEY_PARAM_FFC_GINDEX\s0\fR) <integer>" 4
-.el .IP "``gindex'' (\fB\s-1OSSL_PKEY_PARAM_FFC_GINDEX\s0\fR) <integer>" 4
-.IX Item "gindex (OSSL_PKEY_PARAM_FFC_GINDEX) <integer>"
+.IP """gindex"" (\fBOSSL_PKEY_PARAM_FFC_GINDEX\fR) <integer>" 4
+.IX Item """gindex"" (OSSL_PKEY_PARAM_FFC_GINDEX) <integer>"
Sets the index to use for canonical generation and verification of the generator
\&\fIg\fR.
Set this to a positive value from 0..FF to use this mode. This \fIgindex\fR can
then be reused during key validation to verify the value of \fIg\fR. If this value
is not set or is \-1 then unverifiable generation of the generator \fIg\fR will be
used.
-.ie n .IP """pcounter"" (\fB\s-1OSSL_PKEY_PARAM_FFC_PCOUNTER\s0\fR) <integer>" 4
-.el .IP "``pcounter'' (\fB\s-1OSSL_PKEY_PARAM_FFC_PCOUNTER\s0\fR) <integer>" 4
-.IX Item "pcounter (OSSL_PKEY_PARAM_FFC_PCOUNTER) <integer>"
+.IP """pcounter"" (\fBOSSL_PKEY_PARAM_FFC_PCOUNTER\fR) <integer>" 4
+.IX Item """pcounter"" (OSSL_PKEY_PARAM_FFC_PCOUNTER) <integer>"
An optional domain parameter \fIcounter\fR value that is output during generation
of \fIp\fR. This value must be saved if domain parameter validation is required.
-.ie n .IP """hindex"" (\fB\s-1OSSL_PKEY_PARAM_FFC_H\s0\fR) <integer>" 4
-.el .IP "``hindex'' (\fB\s-1OSSL_PKEY_PARAM_FFC_H\s0\fR) <integer>" 4
-.IX Item "hindex (OSSL_PKEY_PARAM_FFC_H) <integer>"
+.IP """hindex"" (\fBOSSL_PKEY_PARAM_FFC_H\fR) <integer>" 4
+.IX Item """hindex"" (OSSL_PKEY_PARAM_FFC_H) <integer>"
For unverifiable generation of the generator \fIg\fR this value is output during
generation of \fIg\fR. Its value is the first integer larger than one that
-satisfies g = h^j mod p (where g != 1 and \*(L"j\*(R" is the cofactor).
-.ie n .IP """j"" (\fB\s-1OSSL_PKEY_PARAM_FFC_COFACTOR\s0\fR) <unsigned integer>" 4
-.el .IP "``j'' (\fB\s-1OSSL_PKEY_PARAM_FFC_COFACTOR\s0\fR) <unsigned integer>" 4
-.IX Item "j (OSSL_PKEY_PARAM_FFC_COFACTOR) <unsigned integer>"
+satisfies g = h^j mod p (where g != 1 and "j" is the cofactor).
+.IP """j"" (\fBOSSL_PKEY_PARAM_FFC_COFACTOR\fR) <unsigned integer>" 4
+.IX Item """j"" (OSSL_PKEY_PARAM_FFC_COFACTOR) <unsigned integer>"
An optional informational cofactor parameter that should equal to (p \- 1) / q.
-.ie n .IP """validate-pq"" (\fB\s-1OSSL_PKEY_PARAM_FFC_VALIDATE_PQ\s0\fR) <unsigned integer>" 4
-.el .IP "``validate-pq'' (\fB\s-1OSSL_PKEY_PARAM_FFC_VALIDATE_PQ\s0\fR) <unsigned integer>" 4
-.IX Item "validate-pq (OSSL_PKEY_PARAM_FFC_VALIDATE_PQ) <unsigned integer>"
+.IP """validate-pq"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_PQ\fR) <unsigned integer>" 4
+.IX Item """validate-pq"" (OSSL_PKEY_PARAM_FFC_VALIDATE_PQ) <unsigned integer>"
.PD 0
-.ie n .IP """validate-g"" (\fB\s-1OSSL_PKEY_PARAM_FFC_VALIDATE_G\s0\fR) <unsigned integer>" 4
-.el .IP "``validate-g'' (\fB\s-1OSSL_PKEY_PARAM_FFC_VALIDATE_G\s0\fR) <unsigned integer>" 4
-.IX Item "validate-g (OSSL_PKEY_PARAM_FFC_VALIDATE_G) <unsigned integer>"
+.IP """validate-g"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_G\fR) <unsigned integer>" 4
+.IX Item """validate-g"" (OSSL_PKEY_PARAM_FFC_VALIDATE_G) <unsigned integer>"
.PD
-These boolean values are used during \s-1FIPS186\-4\s0 or \s-1FIPS186\-2\s0 key validation checks
+These boolean values are used during FIPS186\-4 or FIPS186\-2 key validation checks
(See \fBEVP_PKEY_param_check\fR\|(3)) to select validation options. By default
\&\fIvalidate-pq\fR and \fIvalidate-g\fR are both set to 1 to check that p,q and g are
valid. Either of these may be set to 0 to skip a test, which is mainly useful
for testing purposes.
-.ie n .IP """validate-legacy"" (\fB\s-1OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\s0\fR) <unsigned integer>" 4
-.el .IP "``validate-legacy'' (\fB\s-1OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\s0\fR) <unsigned integer>" 4
-.IX Item "validate-legacy (OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY) <unsigned integer>"
+.IP """validate-legacy"" (\fBOSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY\fR) <unsigned integer>" 4
+.IX Item """validate-legacy"" (OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY) <unsigned integer>"
This boolean value is used during key validation checks
(See \fBEVP_PKEY_param_check\fR\|(3)) to select the validation type. The default
-value of 0 selects \s-1FIPS186\-4\s0 validation. Setting this value to 1 selects
-\&\s-1FIPS186\-2\s0 validation.
-.SS "\s-1FFC\s0 key generation parameters"
+value of 0 selects FIPS186\-4 validation. Setting this value to 1 selects
+FIPS186\-2 validation.
+.SS "FFC key generation parameters"
.IX Subsection "FFC key generation parameters"
-The following key generation types are available for \s-1DSA\s0 and \s-1DHX\s0 algorithms:
-.ie n .IP """type"" (\fB\s-1OSSL_PKEY_PARAM_FFC_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``type'' (\fB\s-1OSSL_PKEY_PARAM_FFC_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "type (OSSL_PKEY_PARAM_FFC_TYPE) <UTF8 string>"
+The following key generation types are available for DSA and DHX algorithms:
+.IP """type"" (\fBOSSL_PKEY_PARAM_FFC_TYPE\fR) <UTF8 string>" 4
+.IX Item """type"" (OSSL_PKEY_PARAM_FFC_TYPE) <UTF8 string>"
Sets the type of parameter generation. The shared valid values are:
.RS 4
-.ie n .IP """fips186_4""" 4
-.el .IP "``fips186_4''" 4
-.IX Item "fips186_4"
+.IP """fips186_4""" 4
+.IX Item """fips186_4"""
The current standard.
-.ie n .IP """fips186_2""" 4
-.el .IP "``fips186_2''" 4
-.IX Item "fips186_2"
+.IP """fips186_2""" 4
+.IX Item """fips186_2"""
The old standard that should only be used for legacy purposes.
-.ie n .IP """default""" 4
-.el .IP "``default''" 4
-.IX Item "default"
-This can choose one of \*(L"fips186_4\*(R" or \*(L"fips186_2\*(R" depending on other
+.IP """default""" 4
+.IX Item """default"""
+This can choose one of "fips186_4" or "fips186_2" depending on other
parameters set for parameter generation.
.RE
.RS 4
.RE
-.ie n .IP """pbits"" (\fB\s-1OSSL_PKEY_PARAM_FFC_PBITS\s0\fR) <unsigned integer>" 4
-.el .IP "``pbits'' (\fB\s-1OSSL_PKEY_PARAM_FFC_PBITS\s0\fR) <unsigned integer>" 4
-.IX Item "pbits (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>"
+.IP """pbits"" (\fBOSSL_PKEY_PARAM_FFC_PBITS\fR) <unsigned integer>" 4
+.IX Item """pbits"" (OSSL_PKEY_PARAM_FFC_PBITS) <unsigned integer>"
Sets the size (in bits) of the prime 'p'.
-.ie n .IP """qbits"" (\fB\s-1OSSL_PKEY_PARAM_FFC_QBITS\s0\fR) <unsigned integer>" 4
-.el .IP "``qbits'' (\fB\s-1OSSL_PKEY_PARAM_FFC_QBITS\s0\fR) <unsigned integer>" 4
-.IX Item "qbits (OSSL_PKEY_PARAM_FFC_QBITS) <unsigned integer>"
+.IP """qbits"" (\fBOSSL_PKEY_PARAM_FFC_QBITS\fR) <unsigned integer>" 4
+.IX Item """qbits"" (OSSL_PKEY_PARAM_FFC_QBITS) <unsigned integer>"
Sets the size (in bits) of the prime 'q'.
.Sp
-For \*(L"fips186_4\*(R" this can be either 224 or 256.
-For \*(L"fips186_2\*(R" this has a size of 160.
-.ie n .IP """digest"" (\fB\s-1OSSL_PKEY_PARAM_FFC_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_PKEY_PARAM_FFC_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_PKEY_PARAM_FFC_DIGEST) <UTF8 string>"
+For "fips186_4" this can be either 224 or 256.
+For "fips186_2" this has a size of 160.
+.IP """digest"" (\fBOSSL_PKEY_PARAM_FFC_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_PKEY_PARAM_FFC_DIGEST) <UTF8 string>"
Sets the Digest algorithm to be used as part of the Key Generation Function
associated with the given Key Generation \fIctx\fR.
This must also be set for key validation.
-.ie n .IP """properties"" (\fB\s-1OSSL_PKEY_PARAM_FFC_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_PKEY_PARAM_FFC_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_PKEY_PARAM_FFC_DIGEST_PROPS) <UTF8 string>"
+.IP """properties"" (\fBOSSL_PKEY_PARAM_FFC_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_PKEY_PARAM_FFC_DIGEST_PROPS) <UTF8 string>"
Sets properties to be used upon look up of the implementation for the selected
Digest algorithm for the Key Generation Function associated with the given key
generation \fIctx\fR. This may also be set for key validation.
-.ie n .IP """seed"" (\fB\s-1OSSL_PKEY_PARAM_FFC_SEED\s0\fR) <octet string>" 4
-.el .IP "``seed'' (\fB\s-1OSSL_PKEY_PARAM_FFC_SEED\s0\fR) <octet string>" 4
-.IX Item "seed (OSSL_PKEY_PARAM_FFC_SEED) <octet string>"
-For \*(L"fips186_4\*(R" or \*(L"fips186_2\*(R" generation this sets the \fIseed\fR data to use
+.IP """seed"" (\fBOSSL_PKEY_PARAM_FFC_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_PKEY_PARAM_FFC_SEED) <octet string>"
+For "fips186_4" or "fips186_2" generation this sets the \fIseed\fR data to use
instead of generating a random seed internally. This should be used for
testing purposes only. This will either produce fixed values for the generated
-parameters \s-1OR\s0 it will fail if the seed did not generate valid primes.
-.ie n .IP """gindex"" (\fB\s-1OSSL_PKEY_PARAM_FFC_GINDEX\s0\fR) <integer>" 4
-.el .IP "``gindex'' (\fB\s-1OSSL_PKEY_PARAM_FFC_GINDEX\s0\fR) <integer>" 4
-.IX Item "gindex (OSSL_PKEY_PARAM_FFC_GINDEX) <integer>"
+parameters OR it will fail if the seed did not generate valid primes.
+.IP """gindex"" (\fBOSSL_PKEY_PARAM_FFC_GINDEX\fR) <integer>" 4
+.IX Item """gindex"" (OSSL_PKEY_PARAM_FFC_GINDEX) <integer>"
.PD 0
-.ie n .IP """pcounter"" (\fB\s-1OSSL_PKEY_PARAM_FFC_PCOUNTER\s0\fR) <integer>" 4
-.el .IP "``pcounter'' (\fB\s-1OSSL_PKEY_PARAM_FFC_PCOUNTER\s0\fR) <integer>" 4
-.IX Item "pcounter (OSSL_PKEY_PARAM_FFC_PCOUNTER) <integer>"
-.ie n .IP """hindex"" (\fB\s-1OSSL_PKEY_PARAM_FFC_H\s0\fR) <integer>" 4
-.el .IP "``hindex'' (\fB\s-1OSSL_PKEY_PARAM_FFC_H\s0\fR) <integer>" 4
-.IX Item "hindex (OSSL_PKEY_PARAM_FFC_H) <integer>"
+.IP """pcounter"" (\fBOSSL_PKEY_PARAM_FFC_PCOUNTER\fR) <integer>" 4
+.IX Item """pcounter"" (OSSL_PKEY_PARAM_FFC_PCOUNTER) <integer>"
+.IP """hindex"" (\fBOSSL_PKEY_PARAM_FFC_H\fR) <integer>" 4
+.IX Item """hindex"" (OSSL_PKEY_PARAM_FFC_H) <integer>"
.PD
These types are described above.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
The following sections of SP800\-56Ar3:
-.IP "5.5.1.1 \s-1FFC\s0 Domain Parameter Selection/Generation" 4
+.IP "5.5.1.1 FFC Domain Parameter Selection/Generation" 4
.IX Item "5.5.1.1 FFC Domain Parameter Selection/Generation"
.PP
-The following sections of \s-1FIPS186\-4:\s0
+The following sections of FIPS186\-4:
.IP "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function." 4
.IX Item "A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function."
.PD 0
@@ -325,20 +224,20 @@ The following sections of \s-1FIPS186\-4:\s0
.PD
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-DSA\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-DH\s0\fR\|(7),
-\&\s-1\fBEVP_SIGNATURE\-DSA\s0\fR\|(7),
-\&\s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7)
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3),
-\&\s-1\fBEVP_PKEY\s0\fR\|(3),
+\&\fBEVP_PKEY\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_SIGNATURE\-DSA\fR\|(7),
+\&\fBEVP_KEYEXCH\-DH\fR\|(7)
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
\&\fBprovider\-keymgmt\fR\|(7),
\&\fBOSSL_PROVIDER\-default\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
-.SH "COPYRIGHT"
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7),
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7
index 9f93ee1566e0..52a765b83a66 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-HMAC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,138 +52,72 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-HMAC 7ossl"
-.TH EVP_PKEY-HMAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-HMAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-HMAC, EVP_KEYMGMT\-HMAC, EVP_PKEY\-Siphash, EVP_KEYMGMT\-Siphash,
EVP_PKEY\-Poly1305, EVP_KEYMGMT\-Poly1305, EVP_PKEY\-CMAC, EVP_KEYMGMT\-CMAC
\&\- EVP_PKEY legacy MAC keytypes and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1HMAC\s0\fR and \fB\s-1CMAC\s0\fR key types are implemented in OpenSSL's default and \s-1FIPS\s0
+The \fBHMAC\fR and \fBCMAC\fR key types are implemented in OpenSSL's default and FIPS
providers. Additionally the \fBSiphash\fR and \fBPoly1305\fR key types are implemented
-in the default provider. Performing \s-1MAC\s0 operations via an \s-1EVP_PKEY\s0
+in the default provider. Performing MAC operations via an EVP_PKEY
is considered legacy and are only available for backwards compatibility purposes
-and for a restricted set of algorithms. The preferred way of performing \s-1MAC\s0
-operations is via the \s-1EVP_MAC\s0 APIs. See \fBEVP_MAC_init\fR\|(3).
+and for a restricted set of algorithms. The preferred way of performing MAC
+operations is via the EVP_MAC APIs. See \fBEVP_MAC_init\fR\|(3).
.PP
-For further details on using \s-1EVP_PKEY\s0 based \s-1MAC\s0 keys see
-\&\s-1\fBEVP_SIGNATURE\-HMAC\s0\fR\|(7), \fBEVP_SIGNATURE\-Siphash\fR\|(7),
-\&\fBEVP_SIGNATURE\-Poly1305\fR\|(7) or \s-1\fBEVP_SIGNATURE\-CMAC\s0\fR\|(7).
-.SS "Common \s-1MAC\s0 parameters"
+For further details on using EVP_PKEY based MAC keys see
+\&\fBEVP_SIGNATURE\-HMAC\fR\|(7), \fBEVP_SIGNATURE\-Siphash\fR\|(7),
+\&\fBEVP_SIGNATURE\-Poly1305\fR\|(7) or \fBEVP_SIGNATURE\-CMAC\fR\|(7).
+.SS "Common MAC parameters"
.IX Subsection "Common MAC parameters"
-All the \fB\s-1MAC\s0\fR keytypes support the following parameters.
-.ie n .IP """priv"" (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <octet string>" 4
-.el .IP "``priv'' (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <octet string>" 4
-.IX Item "priv (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
-The \s-1MAC\s0 key value.
-.ie n .IP """properties"" (\fB\s-1OSSL_PKEY_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_PKEY_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>"
+All the \fBMAC\fR keytypes support the following parameters.
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
+The MAC key value.
+.IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>"
A property query string to be used when any algorithms are fetched.
-.SS "\s-1CMAC\s0 parameters"
+.SS "CMAC parameters"
.IX Subsection "CMAC parameters"
-As well as the parameters described above, the \fB\s-1CMAC\s0\fR keytype additionally
+As well as the parameters described above, the \fBCMAC\fR keytype additionally
supports the following parameters.
-.ie n .IP """cipher"" (\fB\s-1OSSL_PKEY_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_PKEY_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_PKEY_PARAM_CIPHER) <UTF8 string>"
-The name of a cipher to be used when generating the \s-1MAC.\s0
-.ie n .IP """engine"" (\fB\s-1OSSL_PKEY_PARAM_ENGINE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``engine'' (\fB\s-1OSSL_PKEY_PARAM_ENGINE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "engine (OSSL_PKEY_PARAM_ENGINE) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_PKEY_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_PKEY_PARAM_CIPHER) <UTF8 string>"
+The name of a cipher to be used when generating the MAC.
+.IP """engine"" (\fBOSSL_PKEY_PARAM_ENGINE\fR) <UTF8 string>" 4
+.IX Item """engine"" (OSSL_PKEY_PARAM_ENGINE) <UTF8 string>"
The name of an engine to be used for the specified cipher (if any).
-.SS "Common \s-1MAC\s0 key generation parameters"
+.SS "Common MAC key generation parameters"
.IX Subsection "Common MAC key generation parameters"
-\&\s-1MAC\s0 key generation is unusual in that no new key is actually generated. Instead
+MAC key generation is unusual in that no new key is actually generated. Instead
a new provider side key object is created with the supplied raw key value. This
is done for backwards compatibility with previous versions of OpenSSL.
-.ie n .IP """priv"" (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <octet string>" 4
-.el .IP "``priv'' (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <octet string>" 4
-.IX Item "priv (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
-The \s-1MAC\s0 key value.
-.SS "\s-1CMAC\s0 key generation parameters"
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
+The MAC key value.
+.SS "CMAC key generation parameters"
.IX Subsection "CMAC key generation parameters"
-In addition to the common \s-1MAC\s0 key generation parameters, the \s-1CMAC\s0 key generation
+In addition to the common MAC key generation parameters, the CMAC key generation
additionally recognises the following.
-.ie n .IP """cipher"" (\fB\s-1OSSL_PKEY_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_PKEY_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_PKEY_PARAM_CIPHER) <UTF8 string>"
-The name of a cipher to be used when generating the \s-1MAC.\s0
+.IP """cipher"" (\fBOSSL_PKEY_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_PKEY_PARAM_CIPHER) <UTF8 string>"
+The name of a cipher to be used when generating the MAC.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3), \s-1\fBEVP_PKEY\s0\fR\|(3), \fBprovider\-keymgmt\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBEVP_KEYMGMT\fR\|(3), \fBEVP_PKEY\fR\|(3), \fBprovider\-keymgmt\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7
new file mode 100644
index 000000000000..35a26a89582d
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-DSA.7
@@ -0,0 +1,349 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_PKEY-ML-DSA 7ossl"
+.TH EVP_PKEY-ML-DSA 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_PKEY\-ML\-DSA, EVP_KEYMGMT\-ML\-DSA,
+EVP_PKEY\-ML\-DSA\-44, EVP_PKEY\-ML\-DSA\-65, EVP_PKEY\-ML\-DSA\-87
+\&\- EVP_PKEY ML\-DSA keytype and algorithm support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+ML-DSA implements the algorithms \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR.
+The key types \fBEVP_PKEY_ML_DSA_44\fR, \fBEVP_PKEY_ML_DSA_65\fR and
+\&\fBEVP_PKEY_ML_DSA_87\fR are implemented in OpenSSL's default and FIPS providers.
+These implementations support the associated key, containing the public key \fIpub\fR
+and the private key \fIpriv\fR.
+.PP
+Each of the different key types has an associated security category.
+This value is one of 2, 3 or 5 for key types \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR
+and \fBML\-DSA\-87\fR respectively, which correspond to security strengths of
+128, 192 and 256 repsectively.
+.SS "Keygen Parameters"
+.IX Subsection "Keygen Parameters"
+.IP """seed"" (\fBOSSL_PKEY_PARAM_ML_DSA_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_PKEY_PARAM_ML_DSA_SEED) <octet string>"
+The seed can be used to generate the private and public key components in a
+deterministic manner.
+The length of the value supplied must be 32 bytes.
+When this value is not supplied the seed is generated randomly using a DRBG.
+.Sp
+Generated keys default to retaining the seed used.
+The seed is also by default retained when keys are loaded from \fBPKCS#8\fR files
+in the seed format.
+When available, the seed parameter is also used during key export and import,
+with keys (by default) regenerated from the seed even when also provided on import.
+See "Provider configuration parameters" below for related controls.
+.Sp
+When the seed is retained, it is also available as a \fBgettable\fR parameter,
+and private key output to \fBPKCS#8\fR files will by default include the seed.
+When the seed was not initially known, or was not retained, \fBPKCS#8\fR private
+key files will contain only the private key in FIPS 204 \f(CW\*(C`sk\*(C'\fR format.
+.IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>"
+Sets properties to be used when fetching algorithm implementations used for
+ML-DSA hashing operations.
+.PP
+Use \fBEVP_PKEY_CTX_set_params\fR\|(3) after calling \fBEVP_PKEY_keygen_init\fR\|(3).
+.SS "Common ML-DSA parameters"
+.IX Subsection "Common ML-DSA parameters"
+In addition to the common parameters that all keytypes should support (see
+"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7), the implementation of
+these key types support the parameters listed below.
+These are gettable using
+\&\fBEVP_PKEY_get_octet_string_param\fR\|(3) or \fBEVP_PKEY_get_params\fR\|(3).
+They can be initialised via \fBEVP_PKEY_fromdata\fR\|(3), and are returned by
+\&\fBEVP_PKEY_todata\fR\|(3) given a suitable \fIselection\fR.
+Once a public or private key is configured, it can no longer be modified,
+nor can another key component be added.
+.IP """pub"" (\fBOSSL_PKEY_PARAM_PUB_KEY\fR) <octet string>" 4
+.IX Item """pub"" (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
+The encoded public key value of size 1312, 1952 or 2592 bytes depending on the
+respective key type of \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR or \fBML\-DSA\-87\fR.
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
+The encoded private key value of size 2560, 4032 or 4896 bytes depending on the
+respective key type of \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR or \fBML\-DSA\-87\fR.
+.SS "Provider configuration parameters"
+.IX Subsection "Provider configuration parameters"
+See the description of the \fB\-provparam\fR option in \fBopenssl\fR\|(1) to learn
+how to set provider configuration parameters in the command line tools.
+See \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3) to learn how to set provider
+configuration options programmatically.
+.ie n .IP """ml\-dsa.retain_seed"" (\fBOSSL_PKEY_PARAM_ML_DSA_RETAIN_SEED\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-dsa.retain_seed\fR (\fBOSSL_PKEY_PARAM_ML_DSA_RETAIN_SEED\fR) <UTF8 string>" 4
+.IX Item "ml-dsa.retain_seed (OSSL_PKEY_PARAM_ML_DSA_RETAIN_SEED) <UTF8 string>"
+When set to a string representing a false boolean value (see
+\&\fBOSSL_PROVIDER_conf_get_bool\fR\|(3)), the seed will not be retained after key
+generation or key import from a seed value.
+If the resulting key is then written to a PKCS#8 object, it will contain
+only the FIPS 204 \f(CW\*(C`sk\*(C'\fR key.
+.ie n .IP """ml\-dsa.prefer_seed"" (\fBOSSL_PKEY_PARAM_ML_DSA_PREFER_SEED\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-dsa.prefer_seed\fR (\fBOSSL_PKEY_PARAM_ML_DSA_PREFER_SEED\fR) <UTF8 string>" 4
+.IX Item "ml-dsa.prefer_seed (OSSL_PKEY_PARAM_ML_DSA_PREFER_SEED) <UTF8 string>"
+When decoding PKCS#8 objects that contain both a seed and the FIPS 204 \f(CW\*(C`sk\*(C'\fR
+private key, the seed is by default used to regenerate the key, and the
+companion private key is ignored.
+When this configuration parameter is set to a string representing a false
+boolean value (see \fBOSSL_PROVIDER_conf_get_bool\fR\|(3)), the seed is ignored
+(neither used to regenerate the key, nor retained), and the companion key is
+used instead.
+.ie n .IP """ml\-dsa.input_formats"" (\fBOSSL_PKEY_PARAM_ML_DSA_INPUT_FORMATS\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-dsa.input_formats\fR (\fBOSSL_PKEY_PARAM_ML_DSA_INPUT_FORMATS\fR) <UTF8 string>" 4
+.IX Item "ml-dsa.input_formats (OSSL_PKEY_PARAM_ML_DSA_INPUT_FORMATS) <UTF8 string>"
+List of enabled private key input formats when parsing PKCS#8 objects.
+List elements are separated by commas, spaces or tabs.
+The list of enabled formats can be specified in the configuration file, as seen
+in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line
+option (see also \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3)).
+.Sp
+Values specified on the command-line override any configuration file settings.
+By default all the supported formats are enabled.
+The supported formats are:
+.RS 4
+.ie n .IP """seed\-priv"":" 4
+.el .IP \f(CWseed\-priv\fR: 4
+.IX Item "seed-priv:"
+This format represents \fBPKCS#8\fR objects in which both the FIPS 204 32\-byte
+\&\fBξ\fR seed and the secret key \fBsk\fR are present in the private key as part of
+the DER encoding of the ASN.1 sequence:
+.Sp
+.Vb 6
+\& ML\-DSA\-PrivateKey ::= CHOICE {
+\& seed [0] IMPLICIT OCTET STRING (SIZE (32)),
+\& expandedKey OCTET STRING (SIZE (2560 | 4032 | 4896)),
+\& both SEQUENCE {
+\& seed OCTET STRING (SIZE (32)),
+\& expandedKey OCTET STRING (SIZE (2560 | 4032 | 4896)) } }
+.Ve
+.Sp
+If the \f(CW\*(C`seed\-priv\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """seed\-only"":" 4
+.el .IP \f(CWseed\-only\fR: 4
+.IX Item "seed-only:"
+This format represents \fBPKCS#8\fR objects in which only the 32\-byte FIPS 204
+\&\fBξ\fR seed is present in the above sequence.
+If the \f(CW\*(C`seed\-only\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """priv\-only"":" 4
+.el .IP \f(CWpriv\-only\fR: 4
+.IX Item "priv-only:"
+This format represents \fBPKCS#8\fR objects in which only the FIPS 204
+private key \fBsk\fR is present in the above sequence.
+If the \f(CW\*(C`priv\-only\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """oqskeypair"":" 4
+.el .IP \f(CWoqskeypair\fR: 4
+.IX Item "oqskeypair:"
+This format represents \fBPKCS#8\fR objects in which the private key is a DER
+encoding of an octet string containing the concatenaton of the FIPS 204 private
+key \fBsk\fR and the public key \fBpk\fR.
+This encoding is used in some builds of the \f(CW\*(C`oqsprovider\*(C'\fR.
+If the \f(CW\*(C`oqskeypair\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """bare\-seed"":" 4
+.el .IP \f(CWbare\-seed\fR: 4
+.IX Item "bare-seed:"
+This format represents \fBPKCS#8\fR objects in which the private key contains
+the 32\-byte FIPS 204 seed \fBξ\fR without any ASN.1 encapsulation.
+If the \f(CW\*(C`bare\-seed\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """bare\-priv"":" 4
+.el .IP \f(CWbare\-priv\fR: 4
+.IX Item "bare-priv:"
+This format represents \fBPKCS#8\fR objects in which the private key contains
+the FIPS 204 secret key \fBsk\fR without any ASN.1 encapsulation.
+If the \f(CW\*(C`bare\-priv\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.RE
+.RS 4
+.RE
+.ie n .IP """ml\-dsa.output_formats"" (\fBOSSL_PKEY_PARAM_ML_DSA_OUTPUT_FORMATS\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-dsa.output_formats\fR (\fBOSSL_PKEY_PARAM_ML_DSA_OUTPUT_FORMATS\fR) <UTF8 string>" 4
+.IX Item "ml-dsa.output_formats (OSSL_PKEY_PARAM_ML_DSA_OUTPUT_FORMATS) <UTF8 string>"
+Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files.
+List elements are separated by commas, spaces or tabs.
+The list of enabled formats can be specified in the configuration file, as seen
+in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line
+option.
+.Sp
+This supports the same set of formats as described under \f(CW\*(C`ml\-dsa.input_formats\*(C'\fR
+above.
+The order in which elements are listed is important, the selected format will be
+the first one that is possible to output.
+If the key seed is known, the first listed format will be selected.
+If the key seed is not known, the first format that omits the seed will be selected.
+The default order is equivalent to \f(CW\*(C`seed\-priv\*(C'\fR first and \f(CW\*(C`priv\-only\*(C'\fR second, with
+both seed and key output when the seed is available, and just the
+key otherwise.
+If \f(CW\*(C`seed\-only\*(C'\fR is listed first, then the seed will be output without the key
+when available, otherwise the output will have just the key.
+If \f(CW\*(C`priv\-only\*(C'\fR is listed first, then just the key is output regardless of
+whether the seed is present.
+The legacy \f(CW\*(C`oqskeypair\*(C'\fR, \f(CW\*(C`bare\-seed\*(C'\fR and \f(CW\*(C`bare\-priv\*(C'\fR formats can also be
+output, by listing those first.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+.IP "FIPS 204" 4
+.IX Item "FIPS 204"
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+An \fBEVP_PKEY\fR context can be obtained by calling:
+.PP
+.Vb 2
+\& EVP_PKEY_CTX *pctx =
+\& EVP_PKEY_CTX_new_from_name(NULL, "ML\-DSA\-44", NULL);
+.Ve
+.PP
+An \fBML\-DSA\-44\fR key can be generated like this:
+.PP
+.Vb 1
+\& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "ML\-DSA\-44");
+.Ve
+.PP
+The key pair components can be extracted from a key by calling:
+.PP
+.Vb 3
+\& /* Sizes large enough for ML\-DSA\-87 */
+\& uint8_t pub[2592], priv[4896], seed[32]:
+\& size_t priv_len, pub_len, seed_len;
+\&
+\& EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_ML_DSA_SEED,
+\& seed, sizeof(seed), &seed_len);
+\& EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
+\& priv, sizeof(priv), &priv_len);
+\& EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
+\& pub, sizeof(pub), &pub_len));
+.Ve
+.PP
+An \fBML-DSA\fR private key in seed format can be converted to a key in the FIPS
+204 \fBsk\fR format by running:
+.PP
+.Vb 2
+\& $ openssl pkey \-provparam ml\-dsa.retain_seed=no \e
+\& \-in seed\-only.pem \-out priv\-only.pem
+.Ve
+.PP
+To generate an, e.g., \fBML\-DSA\-65\fR key, in FIPS 204 \fBsk\fR format, you can run:
+.PP
+.Vb 2
+\& $ openssl genpkey \-provparam ml\-dsa.retain_seed=no \e
+\& \-algorithm ml\-dsa\-65 \-out priv\-only.pem
+.Ve
+.PP
+If you have a \fBPKCS#8\fR file with both a seed and a key, and prefer to import the
+companion key rather than the seed, you can run:
+.PP
+.Vb 2
+\& $ openssl pkey \-provparam ml\-dsa.prefer_seed=no \e
+\& \-in seed\-priv.pem \-out priv\-only.pem
+.Ve
+.PP
+In the \fBopenssl.cnf\fR file, this looks like:
+.PP
+.Vb 1
+\& openssl_conf = openssl_init
+\&
+\& [openssl_init]
+\& providers = providers_sect
+\&
+\& # Can be referenced in one or more provider sections
+\& [ml_dsa_sect]
+\& prefer_seed = yes
+\& retain_seed = yes
+\& # OQS legacy formats disabled
+\& input_formats = seed\-priv, seed\-only, priv\-only
+\& # Output either the seed alone, or else the key alone
+\& output_formats = seed\-only, priv\-only
+\&
+\& [providers_sect]
+\& default = default_sect
+\& # Or perhaps just: base = default_sect
+\& base = base_sect
+\&
+\& [default_sect]
+\& ml\-dsa = ml_dsa_sect
+\&
+\& [base_sect]
+\& ml\-dsa = ml_dsa_sect
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
+\&\fBprovider\-keymgmt\fR\|(7),
+\&\fBEVP_PKEY_get_raw_private_key\fR\|(3),
+\&\fBEVP_PKEY_get_raw_public_key\fR\|(3),
+\&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3),
+\&\fBOSSL_PROVIDER_add_conf_parameter\fR\|(3),
+\&\fBprovider\-keymgmt\fR\|(7),
+\&\fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7
new file mode 100644
index 000000000000..b7f03db24ab4
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-ML-KEM.7
@@ -0,0 +1,367 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_PKEY-ML-KEM 7ossl"
+.TH EVP_PKEY-ML-KEM 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_PKEY\-ML\-KEM,
+EVP_KEYMGMT\-ML\-KEM,
+EVP_PKEY\-ML\-KEM\-512,
+EVP_PKEY\-ML\-KEM\-768,
+EVP_PKEY\-ML\-KEM\-1024,
+EVP_KEYMGMT\-ML\-KEM\-512,
+EVP_KEYMGMT\-ML\-KEM\-768,
+EVP_KEYMGMT\-ML\-KEM\-1024
+\&\- ML\-KEM keytype and algorithm support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR, and \fBML\-KEM\-1024\fR keytypes are implemented
+in OpenSSL's default and FIPS providers.
+.SS "Keygen Parameters"
+.IX Subsection "Keygen Parameters"
+No mandatory parameters are required for generating a key pair.
+To set explicit parameters, use \fBEVP_PKEY_CTX_set_params()\fR after calling
+\&\fBEVP_PKEY_keygen_init()\fR.
+.IP """seed"" (\fBOSSL_PKEY_PARAM_ML_KEM_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_PKEY_PARAM_ML_KEM_SEED) <octet string>"
+Internally, ML-KEM generates keys using a 64\-byte random value (seed), which is
+the concatenation of the 32\-byte \fId\fR and \fIz\fR parameters described in FIPS 203.
+This optional parameter can be used to set a pre-determined seed prior to
+keypair generation.
+.Sp
+Generated keys default to retaining the seed used.
+The seed is also by default retained when keys are loaded from \fBPKCS#8\fR files
+in the seed format.
+When available, the seed parameter is also used during key export and import,
+with keys (by default) regenerated from the seed even when also provided on import.
+See "Provider configuration parameters" below for related controls.
+.Sp
+When the seed is retained, it is also available as a \fBgettable\fR parameter,
+and private key output to \fBPKCS#8\fR files will by default include the seed.
+When the seed was not initially known, or was not retained, \fBPKCS#8\fR private
+key files will contain only the private key in FIPS 203 \f(CW\*(C`dk\*(C'\fR format.
+.IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <UTF8 string>"
+Sets properties to be used when fetching algorithm implementations used for
+ML-KEM hashing operations.
+.Sp
+Use \fBEVP_PKEY_CTX_set_params\fR\|(3) after calling \fBEVP_PKEY_keygen_init\fR\|(3).
+.SS "Common parameters"
+.IX Subsection "Common parameters"
+In addition to the common parameters that all keytypes should support (see
+"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), \fBML-KEM\fR keys
+keys support the parameters listed below.
+These are gettable using
+\&\fBEVP_PKEY_get_octet_string_param\fR\|(3) or \fBEVP_PKEY_get_params\fR\|(3).
+They can be initialised via \fBEVP_PKEY_fromdata\fR\|(3), and are returned by
+\&\fBEVP_PKEY_todata\fR\|(3) given a suitable \fIselection\fR.
+Once a public or private key is configured, it can no longer be modified,
+nor can another key component be added.
+.IP """pub"" (\fBOSSL_PKEY_PARAM_PUB_KEY\fR) <octet string>" 4
+.IX Item """pub"" (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
+The public key value.
+.Sp
+This parameter is used when importing or exporting the public key value with
+the \fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions.
+The key length and content is that of the FIPS 203 (Algorithm 16:
+\&\fBML\-KEM.KeyGen_internal\fR) \fBek\fR public key for the given ML-KEM variant.
+Initial import aside, this parameter is otherwise only gettable.
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
+The private key value.
+.Sp
+This parameter is used when importing or exporting the private key value with
+the \fBEVP_PKEY_fromdata()\fR and \fBEVP_PKEY_todata()\fR functions.
+The key length and content is that of the FIPS 203 (Algorithm 16:
+\&\fBML\-KEM.KeyGen_internal\fR) \fBdk\fR private key for the given ML-KEM variant.
+Initial import aside, this parameter is otherwise only gettable.
+.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4
+.IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
+Used for getting and setting the encoding of a public key.
+The key format is that of \fBek\fR in FIPS 203, Algorithm 16:
+\&\fBML\-KEM.KeyGen_internal\fR.
+Updates of the public and private key components are only allowed on keys that
+are empty.
+Once a public or private key component is set, no further changes are allowed.
+This parameter is gettable and settable (once only).
+.SS "Provider configuration parameters"
+.IX Subsection "Provider configuration parameters"
+See the description of the \fB\-provparam\fR option in \fBopenssl\fR\|(1) to learn
+how to set provider configuration parameters in the command line tools.
+See \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3) to learn how to set provider
+configuration options programmatically.
+.ie n .IP """ml\-kem.import_pct_type"" (\fBOSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-kem.import_pct_type\fR (\fBOSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE\fR) <UTF8 string>" 4
+.IX Item "ml-kem.import_pct_type (OSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE) <UTF8 string>"
+When an \fBML-KEM\fR key is imported as an explict FIPS 203 \fBdk\fR decapsulation
+key, rather than a seed, a pairwise consistency test (PCT) is optionally
+performed.
+By default, or when this parameter is set explicitly to \f(CW\*(C`random\*(C'\fR, the PCT
+is performed with a random entropy value for the encapsulation step.
+Setting the parameter to \f(CW\*(C`fixed\*(C'\fR, still runs the test, but the encapsulation
+entropy is a fixed 32 byte value.
+Specifying any other value of the parameter, e.g. \f(CW\*(C`none\*(C'\fR, skips the test.
+.ie n .IP """ml\-kem.retain_seed"" (\fBOSSL_PKEY_PARAM_ML_KEM_RETAIN_SEED\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-kem.retain_seed\fR (\fBOSSL_PKEY_PARAM_ML_KEM_RETAIN_SEED\fR) <UTF8 string>" 4
+.IX Item "ml-kem.retain_seed (OSSL_PKEY_PARAM_ML_KEM_RETAIN_SEED) <UTF8 string>"
+When set to a string representing a false boolean value (see
+\&\fBOSSL_PROVIDER_conf_get_bool\fR\|(3)), the seed will not be retained after key
+generation or key import from a seed value.
+If the resulting key is then written to a PKCS#8 object, it will contain
+only the FIPS 203 \f(CW\*(C`dk\*(C'\fR key.
+.ie n .IP """ml\-kem.prefer_seed"" (\fBOSSL_PKEY_PARAM_ML_KEM_PREFER_SEED\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-kem.prefer_seed\fR (\fBOSSL_PKEY_PARAM_ML_KEM_PREFER_SEED\fR) <UTF8 string>" 4
+.IX Item "ml-kem.prefer_seed (OSSL_PKEY_PARAM_ML_KEM_PREFER_SEED) <UTF8 string>"
+When decoding PKCS#8 objects that contain both a seed and the FIPS 203 \f(CW\*(C`dk\*(C'\fR
+private key, the seed is by default used to regenerate the key, and the
+companion key is ignored.
+When this configuration parameter is set to a string representing a false
+boolean value (see \fBOSSL_PROVIDER_conf_get_bool\fR\|(3)), the seed is ignored
+(neither used to regenerate the key, nor retained), and the companion key is
+used instead.
+.ie n .IP """ml\-kem.input_formats"" (\fBOSSL_PKEY_PARAM_ML_KEM_INPUT_FORMATS\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-kem.input_formats\fR (\fBOSSL_PKEY_PARAM_ML_KEM_INPUT_FORMATS\fR) <UTF8 string>" 4
+.IX Item "ml-kem.input_formats (OSSL_PKEY_PARAM_ML_KEM_INPUT_FORMATS) <UTF8 string>"
+List of enabled private key input formats when parsing PKCS#8 objects.
+List elements are separated by commas and/or spaces or tabs.
+The list of enabled formats can be specified in the configuration file, as seen
+in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line
+option (see also \fBOSSL_PROVIDER_add_conf_parameter\fR\|(3)).
+.Sp
+Values specified on the command-line override any configuration file settings.
+By default all the supported formats are enabled.
+The supported formats are:
+.RS 4
+.ie n .IP """seed\-priv"":" 4
+.el .IP \f(CWseed\-priv\fR: 4
+.IX Item "seed-priv:"
+This format represents \fBPKCS#8\fR objects in which both the FIPS 203 64\-byte
+\&\fB(d, z)\fR seed and the decapsulation key \fBdk\fR are present in the private key
+as part of the DER encoding of the ASN.1 sequence:
+.Sp
+.Vb 6
+\& ML\-KEM\-PrivateKey ::= CHOICE {
+\& seed [0] IMPLICIT OCTET STRING (SIZE (64)),
+\& expandedKey OCTET STRING (SIZE (1632 | 2400 | 3168)),
+\& both SEQUENCE {
+\& seed OCTET STRING (SIZE (64)),
+\& expandedKey OCTET STRING (SIZE (1632 | 2400 | 3168)) } }
+.Ve
+.Sp
+If the \f(CW\*(C`seed\-priv\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """seed\-only"":" 4
+.el .IP \f(CWseed\-only\fR: 4
+.IX Item "seed-only:"
+This format represents \fBPKCS#8\fR objects in which only the 64\-byte \fB(d, z)\fR
+seed is present in the above sequence.
+If the \f(CW\*(C`seed\-only\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """priv\-only"":" 4
+.el .IP \f(CWpriv\-only\fR: 4
+.IX Item "priv-only:"
+This format represents \fBPKCS#8\fR objects in which only the FIPS 203
+decapsulation key \fBdk\fR is present in the above sequence.
+If the \f(CW\*(C`priv\-only\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """oqskeypair"":" 4
+.el .IP \f(CWoqskeypair\fR: 4
+.IX Item "oqskeypair:"
+This format represents \fBPKCS#8\fR objects in which the private key is a DER
+encoding of an octet string containing the concatenaton of the FIPS 203
+decapsulation key \fBdk\fR and the encapsulation key \fBek\fR.
+This encoding is used in some builds of the \f(CW\*(C`oqsprovider\*(C'\fR.
+If the \f(CW\*(C`oqskeypair\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """bare\-seed"":" 4
+.el .IP \f(CWbare\-seed\fR: 4
+.IX Item "bare-seed:"
+This format represents \fBPKCS#8\fR objects in which the private key contains
+the 64\-byte FIPS 204 seed \fB(d, z)\fR without any ASN.1 encapsulation.
+If the \f(CW\*(C`bare\-seed\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.ie n .IP """bare\-priv"":" 4
+.el .IP \f(CWbare\-priv\fR: 4
+.IX Item "bare-priv:"
+This format represents \fBPKCS#8\fR objects in which the private key contains
+the FIPS 204 decapsulation key \fBdk\fR without any ASN.1 encapsulation.
+If the \f(CW\*(C`bare\-priv\*(C'\fR format is not included in the list, this format will not be
+recognised on input.
+.RE
+.RS 4
+.RE
+.ie n .IP """ml\-kem.output_formats"" (\fBOSSL_PKEY_PARAM_ML_KEM_OUTPUT_FORMATS\fR) <UTF8 string>" 4
+.el .IP "\f(CWml\-kem.output_formats\fR (\fBOSSL_PKEY_PARAM_ML_KEM_OUTPUT_FORMATS\fR) <UTF8 string>" 4
+.IX Item "ml-kem.output_formats (OSSL_PKEY_PARAM_ML_KEM_OUTPUT_FORMATS) <UTF8 string>"
+Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files.
+List elements are separated by commas, spaces or tabs.
+The list of enabled formats can be specified in the configuration file, as seen
+in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line
+option.
+.Sp
+This supports the same set of formats as described under \f(CW\*(C`ml\-kem.input_formats\*(C'\fR
+above.
+The order in which elements are listed is important, the selected format will be
+the first one that is possible to output.
+If the key seed is known, the first listed format will be selected.
+If the key seed is not known, the first format that omits the seed will be selected.
+The default order is equivalent to \f(CW\*(C`seed\-priv\*(C'\fR first and \f(CW\*(C`priv\-only\*(C'\fR second, with
+both seed and key output when the seed is available, and just the
+key otherwise.
+If \f(CW\*(C`seed\-only\*(C'\fR is listed first, then the seed will be output without the key
+when available, otherwise the output will have just the key.
+If \f(CW\*(C`priv\-only\*(C'\fR is listed first, then just the key is output regardless of
+whether the seed is present.
+The legacy \f(CW\*(C`oqskeypair\*(C'\fR, \f(CW\*(C`bare\-seed\*(C'\fR and \f(CW\*(C`bare\-priv\*(C'\fR formats can also be
+output, by listing those first.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+.IP "FIPS 203" 4
+.IX Item "FIPS 203"
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+An \fBEVP_PKEY\fR context can be obtained by calling:
+.PP
+.Vb 2
+\& EVP_PKEY_CTX *pctx =
+\& EVP_PKEY_CTX_new_from_name(NULL, "ML\-KEM\-768", NULL);
+.Ve
+.PP
+An \fBML\-KEM\-768\fR key can be generated like this:
+.PP
+.Vb 1
+\& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "ML\-KEM\-768");
+.Ve
+.PP
+An \fBML-KEM\fR private key in seed format can be converted to a key in the FIPS
+203 \fBdk\fR format by running:
+.PP
+.Vb 2
+\& $ openssl pkey \-provparam ml\-kem.retain_seed=no \e
+\& \-in seed\-only.pem \-out priv\-only.pem
+.Ve
+.PP
+To generate an, e.g., \fBML\-KEM\-768\fR key, in FIPS 203 \fBdk\fR format, you can run:
+.PP
+.Vb 2
+\& $ openssl genpkey \-provparam ml\-kem.retain_seed=no \e
+\& \-algorithm ml\-kem\-768 \-out priv\-only.pem
+.Ve
+.PP
+If you have a \fBPKCS#8\fR file with both a seed and a key, and prefer to import the
+companion key rather than the seed, you can run:
+.PP
+.Vb 2
+\& $ openssl pkey \-provparam ml\-kem.prefer_seed=no \e
+\& \-in seed\-priv.pem \-out priv\-only.pem
+.Ve
+.PP
+In the \fBopenssl.cnf\fR file, this looks like:
+.PP
+.Vb 1
+\& openssl_conf = openssl_init
+\&
+\& [openssl_init]
+\& providers = providers_sect
+\&
+\& # Can be referenced in one or more provider sections
+\& [ml_kem_sect]
+\& prefer_seed = yes
+\& retain_seed = yes
+\& # OQS legacy formats disabled
+\& input_formats = seed\-priv, seed\-only, priv\-only
+\& # Output either the seed alone, or else the key alone
+\& output_formats = seed\-only, priv\-only
+\&
+\& [providers_sect]
+\& default = default_sect
+\& # Or perhaps just: base = default_sect
+\& base = base_sect
+\&
+\& [default_sect]
+\& ml\-kem = ml_kem_sect
+\&
+\& [base_sect]
+\& ml\-kem = ml_kem_sect
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1),
+\&\fBopenssl\-pkey\fR\|(1),
+\&\fBopenssl\-genpkey\fR\|(1),
+\&\fBEVP_KEYMGMT\fR\|(3),
+\&\fBEVP_PKEY\fR\|(3),
+\&\fBEVP_PKEY_get_raw_private_key\fR\|(3),
+\&\fBEVP_PKEY_get_raw_public_key\fR\|(3),
+\&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3),
+\&\fBOSSL_PROVIDER_add_conf_parameter\fR\|(3),
+\&\fBprovider\-keymgmt\fR\|(7),
+\&\fBEVP_KEM\-ML\-KEM\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7
index 6923fbfcc06f..08efa19c3d45 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-RSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,315 +52,218 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-RSA 7ossl"
-.TH EVP_PKEY-RSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-RSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-RSA, EVP_KEYMGMT\-RSA, RSA
\&\- EVP_PKEY RSA keytype and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1RSA\s0\fR keytype is implemented in OpenSSL's default and \s-1FIPS\s0 providers.
-That implementation supports the basic \s-1RSA\s0 keys, containing the modulus \fIn\fR,
+The \fBRSA\fR keytype is implemented in OpenSSL's default and FIPS providers.
+That implementation supports the basic RSA keys, containing the modulus \fIn\fR,
the public exponent \fIe\fR, the private exponent \fId\fR, and a collection of prime
-factors, exponents and coefficient for \s-1CRT\s0 calculations, of which the first
+factors, exponents and coefficient for CRT calculations, of which the first
few are known as \fIp\fR and \fIq\fR, \fIdP\fR and \fIdQ\fR, and \fIqInv\fR.
-.SS "Common \s-1RSA\s0 parameters"
+.SS "Common RSA parameters"
.IX Subsection "Common RSA parameters"
In addition to the common parameters that all keytypes should support (see
-\&\*(L"Common parameters\*(R" in \fBprovider\-keymgmt\fR\|(7)), the \fB\s-1RSA\s0\fR keytype implementation
+"Common parameters" in \fBprovider\-keymgmt\fR\|(7)), the \fBRSA\fR keytype implementation
supports the following.
-.ie n .IP """n"" (\fB\s-1OSSL_PKEY_PARAM_RSA_N\s0\fR) <unsigned integer>" 4
-.el .IP "``n'' (\fB\s-1OSSL_PKEY_PARAM_RSA_N\s0\fR) <unsigned integer>" 4
-.IX Item "n (OSSL_PKEY_PARAM_RSA_N) <unsigned integer>"
-The \s-1RSA\s0 modulus \*(L"n\*(R" value.
-.ie n .IP """e"" (\fB\s-1OSSL_PKEY_PARAM_RSA_E\s0\fR) <unsigned integer>" 4
-.el .IP "``e'' (\fB\s-1OSSL_PKEY_PARAM_RSA_E\s0\fR) <unsigned integer>" 4
-.IX Item "e (OSSL_PKEY_PARAM_RSA_E) <unsigned integer>"
-The \s-1RSA\s0 public exponent \*(L"e\*(R" value.
+.IP """n"" (\fBOSSL_PKEY_PARAM_RSA_N\fR) <unsigned integer>" 4
+.IX Item """n"" (OSSL_PKEY_PARAM_RSA_N) <unsigned integer>"
+The RSA modulus "n" value.
+.IP """e"" (\fBOSSL_PKEY_PARAM_RSA_E\fR) <unsigned integer>" 4
+.IX Item """e"" (OSSL_PKEY_PARAM_RSA_E) <unsigned integer>"
+The RSA public exponent "e" value.
This value must always be set when creating a raw key using \fBEVP_PKEY_fromdata\fR\|(3).
Note that when a decryption operation is performed, that this value is used for
blinding purposes to prevent timing attacks.
-.ie n .IP """d"" (\fB\s-1OSSL_PKEY_PARAM_RSA_D\s0\fR) <unsigned integer>" 4
-.el .IP "``d'' (\fB\s-1OSSL_PKEY_PARAM_RSA_D\s0\fR) <unsigned integer>" 4
-.IX Item "d (OSSL_PKEY_PARAM_RSA_D) <unsigned integer>"
-The \s-1RSA\s0 private exponent \*(L"d\*(R" value.
-.ie n .IP """rsa\-factor1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR1\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR1\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor1 (OSSL_PKEY_PARAM_RSA_FACTOR1) <unsigned integer>"
+.IP """d"" (\fBOSSL_PKEY_PARAM_RSA_D\fR) <unsigned integer>" 4
+.IX Item """d"" (OSSL_PKEY_PARAM_RSA_D) <unsigned integer>"
+The RSA private exponent "d" value.
+.IP """rsa\-factor1"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR1\fR) <unsigned integer>" 4
+.IX Item """rsa-factor1"" (OSSL_PKEY_PARAM_RSA_FACTOR1) <unsigned integer>"
.PD 0
-.ie n .IP """rsa\-factor2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR2\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR2\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor2 (OSSL_PKEY_PARAM_RSA_FACTOR2) <unsigned integer>"
-.ie n .IP """rsa\-factor3"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR3\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor3'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR3\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor3 (OSSL_PKEY_PARAM_RSA_FACTOR3) <unsigned integer>"
-.ie n .IP """rsa\-factor4"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR4\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor4'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR4\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor4 (OSSL_PKEY_PARAM_RSA_FACTOR4) <unsigned integer>"
-.ie n .IP """rsa\-factor5"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR5\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor5'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR5\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor5 (OSSL_PKEY_PARAM_RSA_FACTOR5) <unsigned integer>"
-.ie n .IP """rsa\-factor6"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR6\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor6'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR6\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor6 (OSSL_PKEY_PARAM_RSA_FACTOR6) <unsigned integer>"
-.ie n .IP """rsa\-factor7"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR7\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor7'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR7\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor7 (OSSL_PKEY_PARAM_RSA_FACTOR7) <unsigned integer>"
-.ie n .IP """rsa\-factor8"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR8\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor8'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR8\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor8 (OSSL_PKEY_PARAM_RSA_FACTOR8) <unsigned integer>"
-.ie n .IP """rsa\-factor9"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR9\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor9'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR9\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor9 (OSSL_PKEY_PARAM_RSA_FACTOR9) <unsigned integer>"
-.ie n .IP """rsa\-factor10"" (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR10\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-factor10'' (\fB\s-1OSSL_PKEY_PARAM_RSA_FACTOR10\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-factor10 (OSSL_PKEY_PARAM_RSA_FACTOR10) <unsigned integer>"
+.IP """rsa\-factor2"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR2\fR) <unsigned integer>" 4
+.IX Item """rsa-factor2"" (OSSL_PKEY_PARAM_RSA_FACTOR2) <unsigned integer>"
+.IP """rsa\-factor3"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR3\fR) <unsigned integer>" 4
+.IX Item """rsa-factor3"" (OSSL_PKEY_PARAM_RSA_FACTOR3) <unsigned integer>"
+.IP """rsa\-factor4"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR4\fR) <unsigned integer>" 4
+.IX Item """rsa-factor4"" (OSSL_PKEY_PARAM_RSA_FACTOR4) <unsigned integer>"
+.IP """rsa\-factor5"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR5\fR) <unsigned integer>" 4
+.IX Item """rsa-factor5"" (OSSL_PKEY_PARAM_RSA_FACTOR5) <unsigned integer>"
+.IP """rsa\-factor6"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR6\fR) <unsigned integer>" 4
+.IX Item """rsa-factor6"" (OSSL_PKEY_PARAM_RSA_FACTOR6) <unsigned integer>"
+.IP """rsa\-factor7"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR7\fR) <unsigned integer>" 4
+.IX Item """rsa-factor7"" (OSSL_PKEY_PARAM_RSA_FACTOR7) <unsigned integer>"
+.IP """rsa\-factor8"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR8\fR) <unsigned integer>" 4
+.IX Item """rsa-factor8"" (OSSL_PKEY_PARAM_RSA_FACTOR8) <unsigned integer>"
+.IP """rsa\-factor9"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR9\fR) <unsigned integer>" 4
+.IX Item """rsa-factor9"" (OSSL_PKEY_PARAM_RSA_FACTOR9) <unsigned integer>"
+.IP """rsa\-factor10"" (\fBOSSL_PKEY_PARAM_RSA_FACTOR10\fR) <unsigned integer>" 4
+.IX Item """rsa-factor10"" (OSSL_PKEY_PARAM_RSA_FACTOR10) <unsigned integer>"
.PD
-\&\s-1RSA\s0 prime factors. The factors are known as \*(L"p\*(R", \*(L"q\*(R" and \*(L"r_i\*(R" in \s-1RFC8017.\s0
-Up to eight additional \*(L"r_i\*(R" prime factors are supported.
-.ie n .IP """rsa\-exponent1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT1\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT1\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent1 (OSSL_PKEY_PARAM_RSA_EXPONENT1) <unsigned integer>"
+RSA prime factors. The factors are known as "p", "q" and "r_i" in RFC8017.
+Up to eight additional "r_i" prime factors are supported.
+.IP """rsa\-exponent1"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT1\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent1"" (OSSL_PKEY_PARAM_RSA_EXPONENT1) <unsigned integer>"
.PD 0
-.ie n .IP """rsa\-exponent2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT2\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT2\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent2 (OSSL_PKEY_PARAM_RSA_EXPONENT2) <unsigned integer>"
-.ie n .IP """rsa\-exponent3"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT3\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent3'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT3\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent3 (OSSL_PKEY_PARAM_RSA_EXPONENT3) <unsigned integer>"
-.ie n .IP """rsa\-exponent4"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT4\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent4'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT4\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent4 (OSSL_PKEY_PARAM_RSA_EXPONENT4) <unsigned integer>"
-.ie n .IP """rsa\-exponent5"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT5\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent5'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT5\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent5 (OSSL_PKEY_PARAM_RSA_EXPONENT5) <unsigned integer>"
-.ie n .IP """rsa\-exponent6"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT6\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent6'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT6\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent6 (OSSL_PKEY_PARAM_RSA_EXPONENT6) <unsigned integer>"
-.ie n .IP """rsa\-exponent7"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT7\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent7'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT7\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent7 (OSSL_PKEY_PARAM_RSA_EXPONENT7) <unsigned integer>"
-.ie n .IP """rsa\-exponent8"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT8\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent8'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT8\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent8 (OSSL_PKEY_PARAM_RSA_EXPONENT8) <unsigned integer>"
-.ie n .IP """rsa\-exponent9"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT9\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent9'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT9\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent9 (OSSL_PKEY_PARAM_RSA_EXPONENT9) <unsigned integer>"
-.ie n .IP """rsa\-exponent10"" (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT10\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-exponent10'' (\fB\s-1OSSL_PKEY_PARAM_RSA_EXPONENT10\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-exponent10 (OSSL_PKEY_PARAM_RSA_EXPONENT10) <unsigned integer>"
+.IP """rsa\-exponent2"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT2\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent2"" (OSSL_PKEY_PARAM_RSA_EXPONENT2) <unsigned integer>"
+.IP """rsa\-exponent3"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT3\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent3"" (OSSL_PKEY_PARAM_RSA_EXPONENT3) <unsigned integer>"
+.IP """rsa\-exponent4"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT4\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent4"" (OSSL_PKEY_PARAM_RSA_EXPONENT4) <unsigned integer>"
+.IP """rsa\-exponent5"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT5\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent5"" (OSSL_PKEY_PARAM_RSA_EXPONENT5) <unsigned integer>"
+.IP """rsa\-exponent6"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT6\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent6"" (OSSL_PKEY_PARAM_RSA_EXPONENT6) <unsigned integer>"
+.IP """rsa\-exponent7"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT7\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent7"" (OSSL_PKEY_PARAM_RSA_EXPONENT7) <unsigned integer>"
+.IP """rsa\-exponent8"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT8\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent8"" (OSSL_PKEY_PARAM_RSA_EXPONENT8) <unsigned integer>"
+.IP """rsa\-exponent9"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT9\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent9"" (OSSL_PKEY_PARAM_RSA_EXPONENT9) <unsigned integer>"
+.IP """rsa\-exponent10"" (\fBOSSL_PKEY_PARAM_RSA_EXPONENT10\fR) <unsigned integer>" 4
+.IX Item """rsa-exponent10"" (OSSL_PKEY_PARAM_RSA_EXPONENT10) <unsigned integer>"
.PD
-\&\s-1RSA CRT\s0 (Chinese Remainder Theorem) exponents. The exponents are known
-as \*(L"dP\*(R", \*(L"dQ\*(R" and \*(L"d_i in \s-1RFC8017\*(R".\s0
-Up to eight additional \*(L"d_i\*(R" exponents are supported.
-.ie n .IP """rsa\-coefficient1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT1\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT1\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient1 (OSSL_PKEY_PARAM_RSA_COEFFICIENT1) <unsigned integer>"
+RSA CRT (Chinese Remainder Theorem) exponents. The exponents are known
+as "dP", "dQ" and "d_i" in RFC8017.
+Up to eight additional "d_i" exponents are supported.
+.IP """rsa\-coefficient1"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT1\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient1"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT1) <unsigned integer>"
.PD 0
-.ie n .IP """rsa\-coefficient2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT2\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT2\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient2 (OSSL_PKEY_PARAM_RSA_COEFFICIENT2) <unsigned integer>"
-.ie n .IP """rsa\-coefficient3"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT3\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient3'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT3\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient3 (OSSL_PKEY_PARAM_RSA_COEFFICIENT3) <unsigned integer>"
-.ie n .IP """rsa\-coefficient4"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT4\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient4'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT4\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient4 (OSSL_PKEY_PARAM_RSA_COEFFICIENT4) <unsigned integer>"
-.ie n .IP """rsa\-coefficient5"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT5\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient5'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT5\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient5 (OSSL_PKEY_PARAM_RSA_COEFFICIENT5) <unsigned integer>"
-.ie n .IP """rsa\-coefficient6"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT6\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient6'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT6\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient6 (OSSL_PKEY_PARAM_RSA_COEFFICIENT6) <unsigned integer>"
-.ie n .IP """rsa\-coefficient7"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT7\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient7'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT7\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient7 (OSSL_PKEY_PARAM_RSA_COEFFICIENT7) <unsigned integer>"
-.ie n .IP """rsa\-coefficient8"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT8\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient8'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT8\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient8 (OSSL_PKEY_PARAM_RSA_COEFFICIENT8) <unsigned integer>"
-.ie n .IP """rsa\-coefficient9"" (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT9\s0\fR) <unsigned integer>" 4
-.el .IP "``rsa\-coefficient9'' (\fB\s-1OSSL_PKEY_PARAM_RSA_COEFFICIENT9\s0\fR) <unsigned integer>" 4
-.IX Item "rsa-coefficient9 (OSSL_PKEY_PARAM_RSA_COEFFICIENT9) <unsigned integer>"
+.IP """rsa\-coefficient2"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT2\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient2"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT2) <unsigned integer>"
+.IP """rsa\-coefficient3"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT3\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient3"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT3) <unsigned integer>"
+.IP """rsa\-coefficient4"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT4\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient4"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT4) <unsigned integer>"
+.IP """rsa\-coefficient5"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT5\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient5"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT5) <unsigned integer>"
+.IP """rsa\-coefficient6"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT6\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient6"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT6) <unsigned integer>"
+.IP """rsa\-coefficient7"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT7\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient7"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT7) <unsigned integer>"
+.IP """rsa\-coefficient8"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT8\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient8"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT8) <unsigned integer>"
+.IP """rsa\-coefficient9"" (\fBOSSL_PKEY_PARAM_RSA_COEFFICIENT9\fR) <unsigned integer>" 4
+.IX Item """rsa-coefficient9"" (OSSL_PKEY_PARAM_RSA_COEFFICIENT9) <unsigned integer>"
.PD
-\&\s-1RSA CRT\s0 (Chinese Remainder Theorem) coefficients. The coefficients are known as
-\&\*(L"qInv\*(R" and \*(L"t_i\*(R".
-Up to eight additional \*(L"t_i\*(R" exponents are supported.
-.SS "\s-1RSA\s0 key generation parameters"
+RSA CRT (Chinese Remainder Theorem) coefficients. The coefficients are known as
+"qInv" and "t_i".
+Up to eight additional "t_i" exponents are supported.
+.SS "RSA key generation parameters"
.IX Subsection "RSA key generation parameters"
-When generating \s-1RSA\s0 keys, the following key generation parameters may be used.
-.ie n .IP """bits"" (\fB\s-1OSSL_PKEY_PARAM_RSA_BITS\s0\fR) <unsigned integer>" 4
-.el .IP "``bits'' (\fB\s-1OSSL_PKEY_PARAM_RSA_BITS\s0\fR) <unsigned integer>" 4
-.IX Item "bits (OSSL_PKEY_PARAM_RSA_BITS) <unsigned integer>"
-The value should be the cryptographic length for the \fB\s-1RSA\s0\fR cryptosystem, in
+When generating RSA keys, the following key generation parameters may be used.
+.IP """bits"" (\fBOSSL_PKEY_PARAM_RSA_BITS\fR) <unsigned integer>" 4
+.IX Item """bits"" (OSSL_PKEY_PARAM_RSA_BITS) <unsigned integer>"
+The value should be the cryptographic length for the \fBRSA\fR cryptosystem, in
bits.
-.ie n .IP """primes"" (\fB\s-1OSSL_PKEY_PARAM_RSA_PRIMES\s0\fR) <unsigned integer>" 4
-.el .IP "``primes'' (\fB\s-1OSSL_PKEY_PARAM_RSA_PRIMES\s0\fR) <unsigned integer>" 4
-.IX Item "primes (OSSL_PKEY_PARAM_RSA_PRIMES) <unsigned integer>"
-The value should be the number of primes for the generated \fB\s-1RSA\s0\fR key. The
+.IP """primes"" (\fBOSSL_PKEY_PARAM_RSA_PRIMES\fR) <unsigned integer>" 4
+.IX Item """primes"" (OSSL_PKEY_PARAM_RSA_PRIMES) <unsigned integer>"
+The value should be the number of primes for the generated \fBRSA\fR key. The
default is 2. It isn't permitted to specify a larger number of primes than
10. Additionally, the number of primes is limited by the length of the key
being generated so the maximum number could be less.
Some providers may only support a value of 2.
-.ie n .IP """e"" (\fB\s-1OSSL_PKEY_PARAM_RSA_E\s0\fR) <unsigned integer>" 4
-.el .IP "``e'' (\fB\s-1OSSL_PKEY_PARAM_RSA_E\s0\fR) <unsigned integer>" 4
-.IX Item "e (OSSL_PKEY_PARAM_RSA_E) <unsigned integer>"
-The \s-1RSA\s0 \*(L"e\*(R" value. The value may be any odd number greater than or equal to
+.IP """e"" (\fBOSSL_PKEY_PARAM_RSA_E\fR) <unsigned integer>" 4
+.IX Item """e"" (OSSL_PKEY_PARAM_RSA_E) <unsigned integer>"
+The RSA "e" value. The value may be any odd number greater than or equal to
65537. The default value is 65537.
For legacy reasons a value of 3 is currently accepted but is deprecated.
-.SS "\s-1RSA\s0 key generation parameters for \s-1FIPS\s0 module testing"
+.IP """rsa-derive-from-pq"" (\fBOSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ\fR) <unsigned integer>" 4
+.IX Item """rsa-derive-from-pq"" (OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ) <unsigned integer>"
+Indicate that missing parameters not passed in the parameter list should be
+derived if not provided. Setting a nonzero value will cause all
+needed exponents and coefficients to be derived if not available. Setting this
+option requires at least OSSL_PARAM_RSA_FACTOR1, OSSL_PARAM_RSA_FACTOR2,
+and OSSL_PARAM_RSA_N to be provided. This option is ignored if
+OSSL_KEYMGMT_SELECT_PRIVATE_KEY is not set in the selection parameter.
+.SS "RSA key generation parameters for FIPS module testing"
.IX Subsection "RSA key generation parameters for FIPS module testing"
-When generating \s-1RSA\s0 keys, the following additional key generation parameters may
+When generating RSA keys, the following additional key generation parameters may
be used for algorithm testing purposes only. Do not use these to generate
-\&\s-1RSA\s0 keys for a production environment.
-.ie n .IP """xp"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XP\s0\fR) <unsigned integer>" 4
-.el .IP "``xp'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XP\s0\fR) <unsigned integer>" 4
-.IX Item "xp (OSSL_PKEY_PARAM_RSA_TEST_XP) <unsigned integer>"
+RSA keys for a production environment.
+.IP """xp"" (\fBOSSL_PKEY_PARAM_RSA_TEST_XP\fR) <unsigned integer>" 4
+.IX Item """xp"" (OSSL_PKEY_PARAM_RSA_TEST_XP) <unsigned integer>"
.PD 0
-.ie n .IP """xq"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XQ\s0\fR) <unsigned integer>" 4
-.el .IP "``xq'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XQ\s0\fR) <unsigned integer>" 4
-.IX Item "xq (OSSL_PKEY_PARAM_RSA_TEST_XQ) <unsigned integer>"
+.IP """xq"" (\fBOSSL_PKEY_PARAM_RSA_TEST_XQ\fR) <unsigned integer>" 4
+.IX Item """xq"" (OSSL_PKEY_PARAM_RSA_TEST_XQ) <unsigned integer>"
.PD
-These 2 fields are normally randomly generated and are used to generate \*(L"p\*(R" and
-\&\*(L"q\*(R".
-.ie n .IP """xp1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XP1\s0\fR) <unsigned integer>" 4
-.el .IP "``xp1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XP1\s0\fR) <unsigned integer>" 4
-.IX Item "xp1 (OSSL_PKEY_PARAM_RSA_TEST_XP1) <unsigned integer>"
+These 2 fields are normally randomly generated and are used to generate "p" and
+"q".
+.IP """xp1"" (\fBOSSL_PKEY_PARAM_RSA_TEST_XP1\fR) <unsigned integer>" 4
+.IX Item """xp1"" (OSSL_PKEY_PARAM_RSA_TEST_XP1) <unsigned integer>"
.PD 0
-.ie n .IP """xp2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XP2\s0\fR) <unsigned integer>" 4
-.el .IP "``xp2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XP2\s0\fR) <unsigned integer>" 4
-.IX Item "xp2 (OSSL_PKEY_PARAM_RSA_TEST_XP2) <unsigned integer>"
-.ie n .IP """xq1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XQ1\s0\fR) <unsigned integer>" 4
-.el .IP "``xq1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XQ1\s0\fR) <unsigned integer>" 4
-.IX Item "xq1 (OSSL_PKEY_PARAM_RSA_TEST_XQ1) <unsigned integer>"
-.ie n .IP """xq2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XQ2\s0\fR) <unsigned integer>" 4
-.el .IP "``xq2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_XQ2\s0\fR) <unsigned integer>" 4
-.IX Item "xq2 (OSSL_PKEY_PARAM_RSA_TEST_XQ2) <unsigned integer>"
+.IP """xp2"" (\fBOSSL_PKEY_PARAM_RSA_TEST_XP2\fR) <unsigned integer>" 4
+.IX Item """xp2"" (OSSL_PKEY_PARAM_RSA_TEST_XP2) <unsigned integer>"
+.IP """xq1"" (\fBOSSL_PKEY_PARAM_RSA_TEST_XQ1\fR) <unsigned integer>" 4
+.IX Item """xq1"" (OSSL_PKEY_PARAM_RSA_TEST_XQ1) <unsigned integer>"
+.IP """xq2"" (\fBOSSL_PKEY_PARAM_RSA_TEST_XQ2\fR) <unsigned integer>" 4
+.IX Item """xq2"" (OSSL_PKEY_PARAM_RSA_TEST_XQ2) <unsigned integer>"
.PD
-These 4 fields are normally randomly generated. The prime factors \*(L"p1\*(R", \*(L"p2\*(R",
-\&\*(L"q1\*(R" and \*(L"q2\*(R" are determined from these values.
-.SS "\s-1RSA\s0 key parameters for \s-1FIPS\s0 module testing"
+These 4 fields are normally randomly generated. The prime factors "p1", "p2",
+"q1" and "q2" are determined from these values.
+.SS "RSA key parameters for FIPS module testing"
.IX Subsection "RSA key parameters for FIPS module testing"
The following intermediate values can be retrieved only if the values
-specified in \*(L"\s-1RSA\s0 key generation parameters for \s-1FIPS\s0 module testing\*(R" are set.
+specified in "RSA key generation parameters for FIPS module testing" are set.
These should not be accessed in a production environment.
-.ie n .IP """p1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_P1\s0\fR) <unsigned integer>" 4
-.el .IP "``p1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_P1\s0\fR) <unsigned integer>" 4
-.IX Item "p1 (OSSL_PKEY_PARAM_RSA_TEST_P1) <unsigned integer>"
+.IP """p1"" (\fBOSSL_PKEY_PARAM_RSA_TEST_P1\fR) <unsigned integer>" 4
+.IX Item """p1"" (OSSL_PKEY_PARAM_RSA_TEST_P1) <unsigned integer>"
.PD 0
-.ie n .IP """p2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_P2\s0\fR) <unsigned integer>" 4
-.el .IP "``p2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_P2\s0\fR) <unsigned integer>" 4
-.IX Item "p2 (OSSL_PKEY_PARAM_RSA_TEST_P2) <unsigned integer>"
-.ie n .IP """q1"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_Q1\s0\fR) <unsigned integer>" 4
-.el .IP "``q1'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_Q1\s0\fR) <unsigned integer>" 4
-.IX Item "q1 (OSSL_PKEY_PARAM_RSA_TEST_Q1) <unsigned integer>"
-.ie n .IP """q2"" (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_Q2\s0\fR) <unsigned integer>" 4
-.el .IP "``q2'' (\fB\s-1OSSL_PKEY_PARAM_RSA_TEST_Q2\s0\fR) <unsigned integer>" 4
-.IX Item "q2 (OSSL_PKEY_PARAM_RSA_TEST_Q2) <unsigned integer>"
+.IP """p2"" (\fBOSSL_PKEY_PARAM_RSA_TEST_P2\fR) <unsigned integer>" 4
+.IX Item """p2"" (OSSL_PKEY_PARAM_RSA_TEST_P2) <unsigned integer>"
+.IP """q1"" (\fBOSSL_PKEY_PARAM_RSA_TEST_Q1\fR) <unsigned integer>" 4
+.IX Item """q1"" (OSSL_PKEY_PARAM_RSA_TEST_Q1) <unsigned integer>"
+.IP """q2"" (\fBOSSL_PKEY_PARAM_RSA_TEST_Q2\fR) <unsigned integer>" 4
+.IX Item """q2"" (OSSL_PKEY_PARAM_RSA_TEST_Q2) <unsigned integer>"
.PD
The auxiliary probable primes.
-.SS "\s-1RSA\s0 key validation"
+.SS "RSA key validation"
.IX Subsection "RSA key validation"
-For \s-1RSA\s0 keys, \fBEVP_PKEY_param_check\fR\|(3) and \fBEVP_PKEY_param_check_quick\fR\|(3)
+For RSA keys, \fBEVP_PKEY_param_check\fR\|(3) and \fBEVP_PKEY_param_check_quick\fR\|(3)
both return 1 unconditionally.
.PP
-For \s-1RSA\s0 keys, \fBEVP_PKEY_public_check\fR\|(3) conforms to the SP800\-56Br1 \fIpublic key
-check\fR when the OpenSSL \s-1FIPS\s0 provider is used. The OpenSSL default provider
+For RSA keys, \fBEVP_PKEY_public_check\fR\|(3) conforms to the SP800\-56Br1 \fIpublic key
+check\fR when the OpenSSL FIPS provider is used. The OpenSSL default provider
performs similar tests but relaxes the keysize restrictions for backwards
compatibility.
.PP
-For \s-1RSA\s0 keys, \fBEVP_PKEY_public_check_quick\fR\|(3) is the same as
+For RSA keys, \fBEVP_PKEY_public_check_quick\fR\|(3) is the same as
\&\fBEVP_PKEY_public_check\fR\|(3).
.PP
-For \s-1RSA\s0 keys, \fBEVP_PKEY_private_check\fR\|(3) conforms to the SP800\-56Br1
+For RSA keys, \fBEVP_PKEY_private_check\fR\|(3) conforms to the SP800\-56Br1
\&\fIprivate key test\fR.
.PP
-For \s-1RSA\s0 keys, \fBEVP_PKEY_pairwise_check\fR\|(3) conforms to the
-SP800\-56Br1 \fIKeyPair Validation check\fR for the OpenSSL \s-1FIPS\s0 provider. The
+For RSA keys, \fBEVP_PKEY_pairwise_check\fR\|(3) conforms to the
+SP800\-56Br1 \fIKeyPair Validation check\fR for the OpenSSL FIPS provider. The
OpenSSL default provider allows testing of the validity of multi-primes.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-.IP "\s-1FIPS186\-4\s0" 4
+.IP FIPS186\-4 4
.IX Item "FIPS186-4"
Section B.3.6 Generation of Probable Primes with Conditions Based on
Auxiliary Probable Primes
-.IP "\s-1RFC 8017,\s0 excluding RSA-PSS and RSA-OAEP" 4
+.IP "RFC 8017, excluding RSA-PSS and RSA-OAEP" 4
.IX Item "RFC 8017, excluding RSA-PSS and RSA-OAEP"
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-An \fB\s-1EVP_PKEY\s0\fR context can be obtained by calling:
+An \fBEVP_PKEY\fR context can be obtained by calling:
.PP
.Vb 2
\& EVP_PKEY_CTX *pctx =
\& EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
.Ve
.PP
-An \fB\s-1RSA\s0\fR key can be generated simply like this:
+An \fBRSA\fR key can be generated simply like this:
.PP
.Vb 1
\& pkey = EVP_RSA_gen(4096);
@@ -394,7 +281,7 @@ or like this:
\& EVP_PKEY_CTX_free(pctx);
.Ve
.PP
-An \fB\s-1RSA\s0\fR key can be generated with key generation parameters:
+An \fBRSA\fR key can be generated with key generation parameters:
.PP
.Vb 5
\& unsigned int primes = 3;
@@ -416,12 +303,12 @@ An \fB\s-1RSA\s0\fR key can be generated with key generation parameters:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBEVP_RSA_gen\fR\|(3), \s-1\fBEVP_KEYMGMT\s0\fR\|(3), \s-1\fBEVP_PKEY\s0\fR\|(3), \fBprovider\-keymgmt\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBEVP_RSA_gen\fR\|(3), \fBEVP_KEYMGMT\fR\|(3), \fBEVP_PKEY\fR\|(3), \fBprovider\-keymgmt\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7
new file mode 100644
index 000000000000..c9ff281d113a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-SLH-DSA.7
@@ -0,0 +1,196 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_PKEY-SLH-DSA 7ossl"
+.TH EVP_PKEY-SLH-DSA 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_PKEY\-SLH\-DSA, EVP_KEYMGMT\-SLH\-DSA,
+EVP_PKEY\-SLH\-DSA\-SHA2\-128s, EVP_PKEY\-SLH\-DSA\-SHA2\-128f,
+EVP_PKEY\-SLH\-DSA\-SHA2\-192s, EVP_PKEY\-SLH\-DSA\-SHA2\-192f,
+EVP_PKEY\-SLH\-DSA\-SHA2\-256s, EVP_PKEY\-SLH\-DSA\-SHA2\-256f,
+EVP_PKEY\-SLH\-DSA\-SHAKE\-128s, EVP_PKEY\-SLH\-DSA\-SHAKE\-128f,
+EVP_PKEY\-SLH\-DSA\-SHAKE\-192s, EVP_PKEY\-SLH\-DSA\-SHAKE\-192f,
+EVP_PKEY\-SLH\-DSA\-SHAKE\-256s, EVP_PKEY\-SLH\-DSA\-SHAKE\-256f
+\&\- EVP_PKEY SLH\-DSA keytype and algorithm support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR,
+\&\fBSLH\-DSA\-SHA2\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-192f\fR,
+\&\fBSLH\-DSA\-SHA2\-256s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-256f\fR,
+\&\fBSLH\-DSA\-SHAKE\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-128f\fR,
+\&\fBSLH\-DSA\-SHAKE\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-192f\fR,
+\&\fBSLH\-DSA\-SHAKE\-256s\fR and \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-256f\fR key types are
+implemented in OpenSSL's default and FIPS providers. These implementations
+support the associated key, containing the public key \fIpub\fR and the
+private key \fIpriv\fR.
+.PP
+SLH-DSA (Stateless Hash-based Digital Signature Standard) uses small keys,
+but has relatively large signatures and is relatively slow performing all
+operations compared to \fBML-DSA\fR. It does however have proven security proofs,
+since it relies only on hash functions.
+.PP
+Each of the different key types has an associated security parameter \fBn\fR.
+This value is one of 16, 24 or 32 for key types \fBSLH\-DSA*128*\fR, \fBSLH\-DSA*192*\fR
+and \fBSLH\-DSA*256*\fR, respectively.
+.PP
+Both the public and private key components contain 2 elements of size \fBn\fR.
+Key generation generates the private key elements and one of the public key
+elements randomly, and the final public key element is computed from these values.
+.PP
+The public key has relatively small sizes of 32, 48 or 64 bytes,
+corresponding to the algorithm names of 128, 192 and 256 respectively.
+.PP
+The algorithms ending with \fBs\fR produce smaller signatures, but are much slower
+than the faster \fBf\fR variants.
+.PP
+The signature sizes for the \fBs\fR algorithm variants are 7856, 16224 and 29792
+which correspond to the algorithm names of 128s, 192s and 256s respectively.
+The signature sizes for the \fBf\fR algorithm variants are 17088, 35664 and 49856
+which correspond to the algorithm names containing 128f, 192f and 256f respectively.
+.PP
+Internally there are 7 hash related functions that are used for each algorithm.
+For algorithms containing \fBSHAKE\fR in their name \fBSHAKE\-256\fR is used for all
+functions.
+For the <SHA2\-128> algorithms the functions use <MGF1\-SHA\-256>, <HMAC\-SHA\-256>
+and <SHA\-256>.
+The remaining <SHA2> algorithms use <MGF1\-SHA\-512>, <HMAC\-SHA\-512>, <SHA\-256> and
+<SHA\-512>.
+See FIPS 205 Section 11.1 and 11.2 for more information.
+.SS "Keygen Parameters"
+.IX Subsection "Keygen Parameters"
+.IP """seed"" (\fBOSSL_PKEY_PARAM_SLH_DSA_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_PKEY_PARAM_SLH_DSA_SEED) <octet string>"
+Supplies values to use for the private seed, private prf and
+public seed instead of generating random values. This is used for testing
+purposes only. The length of the value supplied must be 3 * \fBn\fR.
+.IP """properties"" (\fBOSSL_PKEY_PARAM_PROPERTIES\fR) <utf8_string>" 4
+.IX Item """properties"" (OSSL_PKEY_PARAM_PROPERTIES) <utf8_string>"
+Sets properties to be used when fetching algorithm implementations used for
+SLH-DSA hashing operations.
+.PP
+Use \fBEVP_PKEY_CTX_set_params()\fR after calling \fBEVP_PKEY_keygen_init()\fR.
+.SS "Common SLH-DSA parameters"
+.IX Subsection "Common SLH-DSA parameters"
+In addition to the common parameters that all keytypes should support (see
+"Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), the implementation of
+these key types support the following.
+.PP
+The following parameters are gettable using \fBEVP_PKEY_get_octet_string_param()\fR,
+and settable when using \fBEVP_PKEY_fromdata()\fR.
+.IP """pub"" (\fBOSSL_PKEY_PARAM_PUB_KEY\fR) <octet string>" 4
+.IX Item """pub"" (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
+The public key has a size of 2 * \fBn\fR bytes.
+i.e. It consists of the concatenation of PK.seed and PK.root
+as defined by FIPS 205 Figure 16.
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
+The private key has a size of 4 * \fBn\fR bytes, which includes the public key components.
+i.e. It consists of the concatenation of SK.seed, SK.prf, PK.seed and PF.root
+as defined by FIPS 205 Figure 15.
+.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>"
+The empty string, signifying that no digest may be specified.
+.SH "CONFORMING TO"
+.IX Header "CONFORMING TO"
+.IP "FIPS 205" 4
+.IX Item "FIPS 205"
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+An \fBEVP_PKEY\fR context can be obtained by calling:
+.PP
+.Vb 2
+\& EVP_PKEY_CTX *pctx =
+\& EVP_PKEY_CTX_new_from_name(NULL, "SLH\-DSA\-SHA2\-128f", NULL);
+.Ve
+.PP
+An \fBSLH-DSA\fR key can be generated like this:
+.PP
+.Vb 1
+\& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "SLH\-DSA\-SHA2\-128f");
+.Ve
+.PP
+The key pair components can be extracted from a key by calling:
+.PP
+.Vb 2
+\& uint8_t priv[64], pub[32];
+\& size_t priv_len, pub_len;
+\&
+\& EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
+\& priv, sizeof(priv), &priv_len);
+\& EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
+\& pub, sizeof(pub), &pub_len));
+.Ve
+.PP
+Similar code can be used for the other key types such as "SLH\-DSA\-SHAKE\-256f".
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_KEYMGMT\fR\|(3), \fBEVP_PKEY\fR\|(3), \fBprovider\-keymgmt\fR\|(7),
+\&\fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7
index 285528e9e525..ff784fc07dd3 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-SM2.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,113 +52,55 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-SM2 7ossl"
-.TH EVP_PKEY-SM2 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-SM2 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-SM2, EVP_KEYMGMT\-SM2, SM2
\&\- EVP_PKEY keytype support for the Chinese SM2 signature and encryption algorithms
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fB\s-1SM2\s0\fR algorithm was first defined by the Chinese national standard \s-1GM/T
-0003\-2012\s0 and was later standardized by \s-1ISO\s0 as \s-1ISO/IEC 14888.\s0 \fB\s-1SM2\s0\fR is actually
+The \fBSM2\fR algorithm was first defined by the Chinese national standard GM/T
+0003\-2012 and was later standardized by ISO as ISO/IEC 14888. \fBSM2\fR is actually
an elliptic curve based algorithm. The current implementation in OpenSSL supports
-both signature and encryption schemes via the \s-1EVP\s0 interface.
+both signature and encryption schemes via the EVP interface.
.PP
-When doing the \fB\s-1SM2\s0\fR signature algorithm, it requires a distinguishing identifier
+When doing the \fBSM2\fR signature algorithm, it requires a distinguishing identifier
to form the message prefix which is hashed before the real message is hashed.
-.SS "Common \s-1SM2\s0 parameters"
+.SS "Common SM2 parameters"
.IX Subsection "Common SM2 parameters"
-\&\s-1SM2\s0 uses the parameters defined in \*(L"Common \s-1EC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7).
+SM2 uses the parameters defined in "Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7).
The following parameters are different:
-.ie n .IP """cofactor"" (\fB\s-1OSSL_PKEY_PARAM_EC_COFACTOR\s0\fR) <unsigned integer>" 4
-.el .IP "``cofactor'' (\fB\s-1OSSL_PKEY_PARAM_EC_COFACTOR\s0\fR) <unsigned integer>" 4
-.IX Item "cofactor (OSSL_PKEY_PARAM_EC_COFACTOR) <unsigned integer>"
-This parameter is ignored for \fB\s-1SM2\s0\fR.
-.IP "(\fB\s-1OSSL_PKEY_PARAM_DEFAULT_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
+.IP """cofactor"" (\fBOSSL_PKEY_PARAM_EC_COFACTOR\fR) <unsigned integer>" 4
+.IX Item """cofactor"" (OSSL_PKEY_PARAM_EC_COFACTOR) <unsigned integer>"
+This parameter is ignored for \fBSM2\fR.
+.IP "(\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4
.IX Item "(OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>"
Getter that returns the default digest name.
-(Currently returns \*(L"\s-1SM3\*(R"\s0 as of OpenSSL 3.0).
-.SH "NOTES"
+(Currently returns "SM3" as of OpenSSL 3.0).
+.SH NOTES
.IX Header "NOTES"
-\&\fB\s-1SM2\s0\fR signatures can be generated by using the 'DigestSign' series of APIs, for
+\&\fBSM2\fR signatures can be generated by using the 'DigestSign' series of APIs, for
instance, \fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR.
Ditto for the verification process by calling the 'DigestVerify' series of APIs.
+Note that the SM2 algorithm requires the presence of the public key for signatures,
+as such the \fBOSSL_PKEY_PARAM_PUB_KEY\fR option must be set on any key used in signature
+generation.
.PP
-Before computing an \fB\s-1SM2\s0\fR signature, an \fB\s-1EVP_PKEY_CTX\s0\fR needs to be created,
-and an \fB\s-1SM2\s0\fR \s-1ID\s0 must be set for it, like this:
+Before computing an \fBSM2\fR signature, an \fBEVP_PKEY_CTX\fR needs to be created,
+and an \fBSM2\fR ID must be set for it, like this:
.PP
.Vb 1
\& EVP_PKEY_CTX_set1_id(pctx, id, id_len);
.Ve
.PP
Before calling the \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR functions,
-that \fB\s-1EVP_PKEY_CTX\s0\fR should be assigned to the \fB\s-1EVP_MD_CTX\s0\fR, like this:
+that \fBEVP_PKEY_CTX\fR should be assigned to the \fBEVP_MD_CTX\fR, like this:
.PP
.Vb 1
\& EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
@@ -183,15 +109,15 @@ that \fB\s-1EVP_PKEY_CTX\s0\fR should be assigned to the \fB\s-1EVP_MD_CTX\s0\fR
There is normally no need to pass a \fBpctx\fR parameter to \fBEVP_DigestSignInit()\fR
or \fBEVP_DigestVerifyInit()\fR in such a scenario.
.PP
-\&\s-1SM2\s0 can be tested with the \fBopenssl\-speed\fR\|(1) application since version 3.0.
+SM2 can be tested with the \fBopenssl\-speed\fR\|(1) application since version 3.0.
Currently, the only valid algorithm name is \fBsm2\fR.
.PP
-Since version 3.0, \s-1SM2\s0 keys can be generated and loaded only when the domain
-parameters specify the \s-1SM2\s0 elliptic curve.
-.SH "EXAMPLES"
+Since version 3.0, SM2 keys can be generated and loaded only when the domain
+parameters specify the SM2 elliptic curve.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-This example demonstrates the calling sequence for using an \fB\s-1EVP_PKEY\s0\fR to verify
-a message with the \s-1SM2\s0 signature algorithm and the \s-1SM3\s0 hash algorithm:
+This example demonstrates the calling sequence for using an \fBEVP_PKEY\fR to verify
+a message with the SM2 signature algorithm and the SM3 hash algorithm:
.PP
.Vb 1
\& #include <openssl/evp.h>
@@ -212,11 +138,11 @@ a message with the \s-1SM2\s0 signature algorithm and the \s-1SM3\s0 hash algori
\&\fBEVP_DigestVerifyInit\fR\|(3),
\&\fBEVP_PKEY_CTX_set1_id\fR\|(3),
\&\fBEVP_MD_CTX_set_pkey_ctx\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7 b/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7
index 6bbacd1a8cc5..fd21081a79b1 100644
--- a/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7
+++ b/secure/lib/libcrypto/man/man7/EVP_PKEY-X25519.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,128 +52,78 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY-X25519 7ossl"
-.TH EVP_PKEY-X25519 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_PKEY-X25519 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_PKEY\-X25519, EVP_PKEY\-X448, EVP_PKEY\-ED25519, EVP_PKEY\-ED448,
EVP_KEYMGMT\-X25519, EVP_KEYMGMT\-X448, EVP_KEYMGMT\-ED25519, EVP_KEYMGMT\-ED448
\&\- EVP_PKEY X25519, X448, ED25519 and ED448 keytype and algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBX25519\fR, \fBX448\fR, \fB\s-1ED25519\s0\fR and \fB\s-1ED448\s0\fR keytypes are
-implemented in OpenSSL's default and \s-1FIPS\s0 providers. These implementations
+The \fBX25519\fR, \fBX448\fR, \fBED25519\fR and \fBED448\fR keytypes are
+implemented in OpenSSL's default and FIPS providers. These implementations
support the associated key, containing the public key \fIpub\fR and the
private key \fIpriv\fR.
+.SS "Keygen Parameters"
+.IX Subsection "Keygen Parameters"
+.IP """dhkem-ikm"" (\fBOSSL_PKEY_PARAM_DHKEM_IKM\fR) <octet string>" 4
+.IX Item """dhkem-ikm"" (OSSL_PKEY_PARAM_DHKEM_IKM) <octet string>"
+DHKEM requires the generation of a keypair using an input key material (seed).
+Use this to specify the key material used for generation of the private key.
+This value should not be reused for other purposes.
+It should have a length of at least 32 for X25519, and 56 for X448.
+This is only supported by X25519 and X448.
+.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+This getter is only supported by X25519 and X448 for the FIPS provider.
+Since X25519 and X448 are unapproved in FIPS 140\-3 this getter return 0.
+.Sp
+See "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7) for further information.
.PP
-No additional parameters can be set during key generation.
-.SS "Common X25519, X448, \s-1ED25519\s0 and \s-1ED448\s0 parameters"
+Use \fBEVP_PKEY_CTX_set_params()\fR after calling \fBEVP_PKEY_keygen_init()\fR.
+.SS "Common X25519, X448, ED25519 and ED448 parameters"
.IX Subsection "Common X25519, X448, ED25519 and ED448 parameters"
In addition to the common parameters that all keytypes should support (see
-\&\*(L"Common parameters\*(R" in \fBprovider\-keymgmt\fR\|(7)), the implementation of these keytypes
+"Common parameters" in \fBprovider\-keymgmt\fR\|(7)), the implementation of these keytypes
support the following.
-.ie n .IP """group"" (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``group'' (\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "group (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
-This is only supported by X25519 and X448. The group name must be \*(L"x25519\*(R" or
-\&\*(L"x448\*(R" respectively for those algorithms. This is only present for consistency
+.IP """group"" (\fBOSSL_PKEY_PARAM_GROUP_NAME\fR) <UTF8 string>" 4
+.IX Item """group"" (OSSL_PKEY_PARAM_GROUP_NAME) <UTF8 string>"
+This is only supported by X25519 and X448. The group name must be "x25519" or
+"x448" respectively for those algorithms. This is only present for consistency
with other key exchange algorithms and is typically not needed.
-.ie n .IP """pub"" (\fB\s-1OSSL_PKEY_PARAM_PUB_KEY\s0\fR) <octet string>" 4
-.el .IP "``pub'' (\fB\s-1OSSL_PKEY_PARAM_PUB_KEY\s0\fR) <octet string>" 4
-.IX Item "pub (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
+.IP """pub"" (\fBOSSL_PKEY_PARAM_PUB_KEY\fR) <octet string>" 4
+.IX Item """pub"" (OSSL_PKEY_PARAM_PUB_KEY) <octet string>"
The public key value.
-.ie n .IP """priv"" (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <octet string>" 4
-.el .IP "``priv'' (\fB\s-1OSSL_PKEY_PARAM_PRIV_KEY\s0\fR) <octet string>" 4
-.IX Item "priv (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
+.IP """priv"" (\fBOSSL_PKEY_PARAM_PRIV_KEY\fR) <octet string>" 4
+.IX Item """priv"" (OSSL_PKEY_PARAM_PRIV_KEY) <octet string>"
The private key value.
-.ie n .IP """encoded-pub-key"" (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
-.el .IP "``encoded-pub-key'' (\fB\s-1OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\s0\fR) <octet string>" 4
-.IX Item "encoded-pub-key (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
+.IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4
+.IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
Used for getting and setting the encoding of a public key for the \fBX25519\fR and
\&\fBX448\fR key types. Public keys are expected be encoded in a format as defined by
-\&\s-1RFC7748.\s0
-.SS "\s-1ED25519\s0 and \s-1ED448\s0 parameters"
+RFC7748.
+.SS "ED25519 and ED448 parameters"
.IX Subsection "ED25519 and ED448 parameters"
-.ie n .IP """mandatory-digest"" (\fB\s-1OSSL_PKEY_PARAM_MANDATORY_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mandatory-digest'' (\fB\s-1OSSL_PKEY_PARAM_MANDATORY_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mandatory-digest (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>"
+.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>"
The empty string, signifying that no digest may be specified.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-.IP "\s-1RFC 8032\s0" 4
+.IP "RFC 8032" 4
.IX Item "RFC 8032"
.PD 0
-.IP "\s-1RFC 8410\s0" 4
+.IP "RFC 8410" 4
.IX Item "RFC 8410"
.PD
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-An \fB\s-1EVP_PKEY\s0\fR context can be obtained by calling:
+An \fBEVP_PKEY\fR context can be obtained by calling:
.PP
.Vb 2
\& EVP_PKEY_CTX *pctx =
@@ -211,17 +145,17 @@ An \fBX25519\fR key can be generated like this:
\& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "X25519");
.Ve
.PP
-An \fBX448\fR, \fB\s-1ED25519\s0\fR, or \fB\s-1ED448\s0\fR key can be generated likewise.
+An \fBX448\fR, \fBED25519\fR, or \fBED448\fR key can be generated likewise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_KEYMGMT\s0\fR\|(3), \s-1\fBEVP_PKEY\s0\fR\|(3), \fBprovider\-keymgmt\fR\|(7),
-\&\s-1\fBEVP_KEYEXCH\-X25519\s0\fR\|(7), \s-1\fBEVP_KEYEXCH\-X448\s0\fR\|(7),
-\&\s-1\fBEVP_SIGNATURE\-ED25519\s0\fR\|(7), \s-1\fBEVP_SIGNATURE\-ED448\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBEVP_KEYMGMT\fR\|(3), \fBEVP_PKEY\fR\|(3), \fBprovider\-keymgmt\fR\|(7),
+\&\fBEVP_KEYEXCH\-X25519\fR\|(7), \fBEVP_KEYEXCH\-X448\fR\|(7),
+\&\fBEVP_SIGNATURE\-ED25519\fR\|(7), \fBEVP_SIGNATURE\-ED448\fR\|(7)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7
new file mode 100644
index 000000000000..bbfd4ec4dfb0
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-CRNG-TEST.7
@@ -0,0 +1,120 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_RAND-CRNG-TEST 7ossl"
+.TH EVP_RAND-CRNG-TEST 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_RAND\-CRNG\-TEST \- The FIPS health testing EVP_RAND filter
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+This \fBEVP_RAND\fR object acts as a filter between the entropy source
+and its users. It performs CRNG health tests as defined in
+SP 800\-90B <https://csrc.nist.gov/pubs/sp/800/90/b/final> Section 4 "Health
+Tests". Most requests are forwarded to the entropy source, either via
+its parent reference or via the provider entropy upcalls.
+.SS Identity
+.IX Subsection "Identity"
+"CRNG-TEST" is the name for this implementation; it can be used with the
+\&\fBEVP_RAND_fetch()\fR function.
+.SS "Supported parameters"
+.IX Subsection "Supported parameters"
+If a parent EVP_RAND is specified on context creation, the parent's
+parameters are supported because the request is forwarded to the parent
+seed source for processing.
+.PP
+If no parent EVP_RAND is specified on context creation, the following parameters
+are supported:
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
+.PD 0
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+This parameter works as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7).
+.SH NOTES
+.IX Header "NOTES"
+This EVP_RAND is only implemented by the OpenSSL FIPS provider.
+.PP
+A context for a health test filter can be obtained by calling:
+.PP
+.Vb 3
+\& EVP_RAND *parent = ...;
+\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "CRNG\-TEST", NULL);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, parent);
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_RAND\fR\|(3), \fBOSSL_PROVIDER\-FIPS\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.4.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7
index ec01146899b7..f3c385c1c7ef 100644
--- a/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-CTR-DRBG.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,147 +52,78 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND-CTR-DRBG 7ossl"
-.TH EVP_RAND-CTR-DRBG 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND-CTR-DRBG 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND\-CTR\-DRBG \- The CTR DRBG EVP_RAND implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Support for the counter deterministic random bit generator through the
-\&\fB\s-1EVP_RAND\s0\fR \s-1API.\s0
-.SS "Identity"
+\&\fBEVP_RAND\fR API.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"CTR-DRBG\*(R" is the name for this implementation; it can be used with the
+"CTR-DRBG" is the name for this implementation; it can be used with the
\&\fBEVP_RAND_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
.PD 0
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
-.ie n .IP """max_request"" (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
-.ie n .IP """reseed_requests"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_requests'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_requests (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
-.ie n .IP """reseed_time_interval"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.el .IP "``reseed_time_interval'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.IX Item "reseed_time_interval (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
-.ie n .IP """min_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_entropylen (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """max_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_entropylen (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """min_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_noncelen (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
-.ie n .IP """max_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_noncelen (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
-.ie n .IP """max_perslen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_perslen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_perslen (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
-.ie n .IP """max_adinlen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_adinlen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_adinlen (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
-.ie n .IP """reseed_counter"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_counter'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_counter (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
-.ie n .IP """properties"" (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
-.ie n .IP """cipher"" (\fB\s-1OSSL_DRBG_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_DRBG_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_DRBG_PARAM_CIPHER) <UTF8 string>"
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
+.IP """reseed_requests"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """reseed_requests"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+.IP """reseed_time_interval"" (\fBOSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\fR) <integer>" 4
+.IX Item """reseed_time_interval"" (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
+.IP """min_entropylen"" (\fBOSSL_DRBG_PARAM_MIN_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """min_entropylen"" (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
+.IP """max_entropylen"" (\fBOSSL_DRBG_PARAM_MAX_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """max_entropylen"" (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
+.IP """min_noncelen"" (\fBOSSL_DRBG_PARAM_MIN_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """min_noncelen"" (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
+.IP """max_noncelen"" (\fBOSSL_DRBG_PARAM_MAX_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """max_noncelen"" (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
+.IP """max_perslen"" (\fBOSSL_DRBG_PARAM_MAX_PERSLEN\fR) <unsigned integer>" 4
+.IX Item """max_perslen"" (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
+.IP """max_adinlen"" (\fBOSSL_DRBG_PARAM_MAX_ADINLEN\fR) <unsigned integer>" 4
+.IX Item """max_adinlen"" (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
+.IP """reseed_counter"" (\fBOSSL_DRBG_PARAM_RESEED_COUNTER\fR) <unsigned integer>" 4
+.IX Item """reseed_counter"" (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
+.IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_DRBG_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_DRBG_PARAM_CIPHER) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3).
-.ie n .IP """use_derivation_function"" (\fB\s-1OSSL_DRBG_PARAM_USE_DF\s0\fR) <integer>" 4
-.el .IP "``use_derivation_function'' (\fB\s-1OSSL_DRBG_PARAM_USE_DF\s0\fR) <integer>" 4
-.IX Item "use_derivation_function (OSSL_DRBG_PARAM_USE_DF) <integer>"
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.IP """use_derivation_function"" (\fBOSSL_DRBG_PARAM_USE_DF\fR) <integer>" 4
+.IX Item """use_derivation_function"" (OSSL_DRBG_PARAM_USE_DF) <integer>"
This Boolean indicates if a derivation function should be used or not.
A nonzero value (the default) uses the derivation function. A zero value
does not.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1CTR DRBG\s0 can be obtained by calling:
+A context for CTR DRBG can be obtained by calling:
.PP
.Vb 2
\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "CTR\-DRBG", NULL);
-\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
.Ve
-.SH "EXAMPLES"
+.PP
+The default CTR-DRBG implementation attempts to fetch the required internal
+algorithms from the provider they are built into (eg the default provider)
+regardless of the properties provided. Should the provider not implement
+the required algorithms then properties will be used to find a different
+implementation.
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 5
\& EVP_RAND *rand;
@@ -232,16 +147,16 @@ A context for \s-1CTR DRBG\s0 can be obtained by calling:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90B\s0
+NIST SP 800\-90A and SP 800\-90B
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBEVP_RAND\fR\|(3),
+"PARAMETERS" in \fBEVP_RAND\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7
index f9d8f02d0a48..5ca3cb766d03 100644
--- a/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-HASH-DRBG.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,141 +52,96 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND-HASH-DRBG 7ossl"
-.TH EVP_RAND-HASH-DRBG 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND-HASH-DRBG 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND\-HASH\-DRBG \- The HASH DRBG EVP_RAND implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Support for the hash deterministic random bit generator through the
-\&\fB\s-1EVP_RAND\s0\fR \s-1API.\s0
-.SS "Identity"
+\&\fBEVP_RAND\fR API.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"HASH-DRBG\*(R" is the name for this implementation; it can be used with the
+"HASH-DRBG" is the name for this implementation; it can be used with the
\&\fBEVP_RAND_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
.PD 0
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
-.ie n .IP """max_request"" (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
-.ie n .IP """reseed_requests"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_requests'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_requests (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
-.ie n .IP """reseed_time_interval"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.el .IP "``reseed_time_interval'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.IX Item "reseed_time_interval (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
-.ie n .IP """min_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_entropylen (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """max_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_entropylen (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """min_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_noncelen (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
-.ie n .IP """max_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_noncelen (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
-.ie n .IP """max_perslen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_perslen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_perslen (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
-.ie n .IP """max_adinlen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_adinlen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_adinlen (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
-.ie n .IP """reseed_counter"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_counter'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_counter (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
-.ie n .IP """properties"" (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
-.ie n .IP """digest"" (\fB\s-1OSSL_DRBG_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_DRBG_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
+.IP """reseed_requests"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """reseed_requests"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+.IP """reseed_time_interval"" (\fBOSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\fR) <integer>" 4
+.IX Item """reseed_time_interval"" (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
+.IP """min_entropylen"" (\fBOSSL_DRBG_PARAM_MIN_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """min_entropylen"" (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
+.IP """max_entropylen"" (\fBOSSL_DRBG_PARAM_MAX_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """max_entropylen"" (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
+.IP """min_noncelen"" (\fBOSSL_DRBG_PARAM_MIN_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """min_noncelen"" (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
+.IP """max_noncelen"" (\fBOSSL_DRBG_PARAM_MAX_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """max_noncelen"" (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
+.IP """max_perslen"" (\fBOSSL_DRBG_PARAM_MAX_PERSLEN\fR) <unsigned integer>" 4
+.IX Item """max_perslen"" (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
+.IP """max_adinlen"" (\fBOSSL_DRBG_PARAM_MAX_ADINLEN\fR) <unsigned integer>" 4
+.IX Item """max_adinlen"" (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
+.IP """reseed_counter"" (\fBOSSL_DRBG_PARAM_RESEED_COUNTER\fR) <unsigned integer>" 4
+.IX Item """reseed_counter"" (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
+.IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
+.IP """digest"" (\fBOSSL_DRBG_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3).
-.SH "NOTES"
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD 0
+.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7).
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1HASH DRBG\s0 can be obtained by calling:
+When the FIPS provider is installed using the \fB\-no_drbg_truncated_digests\fR
+option to fipsinstall, only these digests are permitted (as per
+FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>):
+.PP
+The default HASH-DRBG implementation attempts to fetch the required internal
+algorithms from the provider they are built into (eg the default provider)
+regardless of the properties provided. Should the provider not implement
+the required algorithms then properties will be used to find a different
+implementation.
+.IP SHA\-1 4
+.IX Item "SHA-1"
+.PD 0
+.IP SHA2\-256 4
+.IX Item "SHA2-256"
+.IP SHA2\-512 4
+.IX Item "SHA2-512"
+.IP SHA3\-256 4
+.IX Item "SHA3-256"
+.IP SHA3\-512 4
+.IX Item "SHA3-512"
+.PD
+.PP
+A context for HASH DRBG can be obtained by calling:
.PP
.Vb 2
\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "HASH\-DRBG", NULL);
-\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
.Ve
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 5
\& EVP_RAND *rand;
@@ -225,16 +164,23 @@ A context for \s-1HASH DRBG\s0 can be obtained by calling:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90B\s0
+NIST SP 800\-90A and SP 800\-90B
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBEVP_RAND\fR\|(3),
+"PARAMETERS" in \fBEVP_RAND\fR\|(3),
+\&\fBopenssl\-fipsinstall\fR\|(1)
+.SH HISTORY
+.IX Header "HISTORY"
+OpenSSL 3.1.1 introduced the \fB\-no_drbg_truncated_digests\fR option to
+fipsinstall which restricts the permitted digests when using the FIPS
+provider in a complaint manner. For details refer to
+FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7
index 7e86d096e1b3..2862bd121c54 100644
--- a/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-HMAC-DRBG.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,144 +52,97 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND-HMAC-DRBG 7ossl"
-.TH EVP_RAND-HMAC-DRBG 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND-HMAC-DRBG 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND\-HMAC\-DRBG \- The HMAC DRBG EVP_RAND implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for the \s-1HMAC\s0 deterministic random bit generator through the
-\&\fB\s-1EVP_RAND\s0\fR \s-1API.\s0
-.SS "Identity"
+Support for the HMAC deterministic random bit generator through the
+\&\fBEVP_RAND\fR API.
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"HMAC-DRBG\*(R" is the name for this implementation; it can be used with the
+"HMAC-DRBG" is the name for this implementation; it can be used with the
\&\fBEVP_RAND_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
.PD 0
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
-.ie n .IP """max_request"" (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
-.ie n .IP """reseed_requests"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_requests'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_requests (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
-.ie n .IP """reseed_time_interval"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.el .IP "``reseed_time_interval'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.IX Item "reseed_time_interval (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
-.ie n .IP """min_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_entropylen (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """max_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_entropylen (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """min_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_noncelen (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
-.ie n .IP """max_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_noncelen (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
-.ie n .IP """max_perslen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_perslen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_perslen (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
-.ie n .IP """max_adinlen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_adinlen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_adinlen (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
-.ie n .IP """reseed_counter"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_counter'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_counter (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
-.ie n .IP """properties"" (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
-.ie n .IP """mac"" (\fB\s-1OSSL_DRBG_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_DRBG_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_DRBG_PARAM_MAC) <UTF8 string>"
-.ie n .IP """digest"" (\fB\s-1OSSL_DRBG_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_DRBG_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
+.IP """reseed_requests"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """reseed_requests"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+.IP """reseed_time_interval"" (\fBOSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\fR) <integer>" 4
+.IX Item """reseed_time_interval"" (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
+.IP """min_entropylen"" (\fBOSSL_DRBG_PARAM_MIN_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """min_entropylen"" (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
+.IP """max_entropylen"" (\fBOSSL_DRBG_PARAM_MAX_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """max_entropylen"" (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
+.IP """min_noncelen"" (\fBOSSL_DRBG_PARAM_MIN_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """min_noncelen"" (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
+.IP """max_noncelen"" (\fBOSSL_DRBG_PARAM_MAX_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """max_noncelen"" (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
+.IP """max_perslen"" (\fBOSSL_DRBG_PARAM_MAX_PERSLEN\fR) <unsigned integer>" 4
+.IX Item """max_perslen"" (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
+.IP """max_adinlen"" (\fBOSSL_DRBG_PARAM_MAX_ADINLEN\fR) <unsigned integer>" 4
+.IX Item """max_adinlen"" (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
+.IP """reseed_counter"" (\fBOSSL_DRBG_PARAM_RESEED_COUNTER\fR) <unsigned integer>" 4
+.IX Item """reseed_counter"" (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
+.IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
+.IP """mac"" (\fBOSSL_DRBG_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_DRBG_PARAM_MAC) <UTF8 string>"
+.IP """digest"" (\fBOSSL_DRBG_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3).
-.SH "NOTES"
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD 0
+.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBprovider\-rand\fR\|(7).
+.SH NOTES
.IX Header "NOTES"
-A context for \s-1HMAC DRBG\s0 can be obtained by calling:
+When using the FIPS provider, only these digests are permitted (as per
+FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>):
+.PP
+The default HMAC-DRBG implementation attempts to fetch the required internal
+algorithms from the provider they are built into (eg the default provider)
+regardless of the properties provided. Should the provider not implement
+the required algorithms then properties will be used to find a different
+implementation.
+.IP SHA\-1 4
+.IX Item "SHA-1"
+.PD 0
+.IP SHA2\-256 4
+.IX Item "SHA2-256"
+.IP SHA2\-512 4
+.IX Item "SHA2-512"
+.IP SHA3\-256 4
+.IX Item "SHA3-256"
+.IP SHA3\-512 4
+.IX Item "SHA3-512"
+.PD
+.PP
+A context for HMAC DRBG can be obtained by calling:
.PP
.Vb 2
\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "HMAC\-DRBG", NULL);
-\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
.Ve
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 5
\& EVP_RAND *rand;
@@ -229,16 +166,23 @@ A context for \s-1HMAC DRBG\s0 can be obtained by calling:
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90B\s0
+NIST SP 800\-90A and SP 800\-90B
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBEVP_RAND\fR\|(3),
+"PARAMETERS" in \fBEVP_RAND\fR\|(3),
+\&\fBopenssl\-fipsinstall\fR\|(1)
+.SH HISTORY
+.IX Header "HISTORY"
+OpenSSL 3.1.1 introduced the \fB\-no_drbg_truncated_digests\fR option to
+fipsinstall which restricts the permitted digests when using the FIPS
+provider in a complaint manner. For details refer to
+FIPS 140\-3 IG D.R <https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf>).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7
new file mode 100644
index 000000000000..5d77f0d877bd
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-JITTER.7
@@ -0,0 +1,153 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_RAND-JITTER 7ossl"
+.TH EVP_RAND-JITTER 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_RAND\-JITTER \- The randomness seed source EVP_RAND implementation
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+Support for deterministic random number generator seeding through the
+\&\fBEVP_RAND\fR API.
+.PP
+This software seed source produces randomness based on tiny CPU
+"jitter" fluctuations.
+.PP
+It is available when OpenSSL is compiled with \fBenable-jitter\fR
+option. When available it is listed in \fBopenssl list
+\&\-random\-generators\fR and \fBopenssl info \-seeds\fR.
+.SS Identity
+.IX Subsection "Identity"
+"JITTER" is the name for this implementation; it can be used with the
+\&\fBEVP_RAND_fetch()\fR function.
+.SS "Supported parameters"
+.IX Subsection "Supported parameters"
+The supported parameters are:
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
+.PD 0
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
+.PD
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.SH NOTES
+.IX Header "NOTES"
+A context for the seed source can be obtained by calling:
+.PP
+.Vb 2
+\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "JITTER", NULL);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
+.Ve
+.PP
+The \fBenable-jitter\fR option was added in OpenSSL 3.4.
+.PP
+By specifying the \fBenable-fips-jitter\fR configuration option, the FIPS
+provider will use an internal jitter source for its entropy. Enabling
+this option will cause the FIPS provider to operate in a non-compliant
+mode unless an entropy assessment
+ESV <https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations>
+and validation through the
+CMVP <https://csrc.nist.gov/projects/cryptographic-module-validation-program>
+are additionally conducted. This option was added in OpenSSL 3.5.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+.Vb 5
+\& EVP_RAND *rand;
+\& EVP_RAND_CTX *seed, *rctx;
+\& unsigned char bytes[100];
+\& OSSL_PARAM params[2], *p = params;
+\& unsigned int strength = 128;
+\&
+\& /* Create and instantiate a seed source */
+\& rand = EVP_RAND_fetch(NULL, "JITTER", NULL);
+\& seed = EVP_RAND_CTX_new(rand, NULL);
+\& EVP_RAND_instantiate(seed, strength, 0, NULL, 0, NULL);
+\& EVP_RAND_free(rand);
+\&
+\& /* Feed this into a DRBG */
+\& rand = EVP_RAND_fetch(NULL, "CTR\-DRBG", NULL);
+\& rctx = EVP_RAND_CTX_new(rand, seed);
+\& EVP_RAND_free(rand);
+\&
+\& /* Configure the DRBG */
+\& *p++ = OSSL_PARAM_construct_utf8_string(OSSL_DRBG_PARAM_CIPHER,
+\& SN_aes_256_ctr, 0);
+\& *p = OSSL_PARAM_construct_end();
+\& EVP_RAND_instantiate(rctx, strength, 0, NULL, 0, params);
+\&
+\& EVP_RAND_generate(rctx, bytes, sizeof(bytes), strength, 0, NULL, 0);
+\&
+\& EVP_RAND_CTX_free(rctx);
+\& EVP_RAND_CTX_free(seed);
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_RAND\fR\|(3),
+"PARAMETERS" in \fBEVP_RAND\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7
index d5172b6432ff..c1724a7c8043 100644
--- a/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-SEED-SRC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,112 +52,49 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND-SEED-SRC 7ossl"
-.TH EVP_RAND-SEED-SRC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND-SEED-SRC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND\-SEED\-SRC \- The randomness seed source EVP_RAND implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Support for deterministic random number generator seeding through the
-\&\fB\s-1EVP_RAND\s0\fR \s-1API.\s0
+\&\fBEVP_RAND\fR API.
.PP
The seed sources used are specified at the time OpenSSL is configured for
building using the \fB\-\-with\-rand\-seed=\fR option. By default, operating system
randomness sources are used.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"SEED-SRC\*(R" is the name for this implementation; it can be used with the
+"SEED-SRC" is the name for this implementation; it can be used with the
\&\fBEVP_RAND_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
.PD 0
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
-.ie n .IP """max_request"" (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_RAND_PARAM_MAX_REQUEST\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """max_request"" (\fBOSSL_RAND_PARAM_MAX_REQUEST\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_RAND_PARAM_MAX_REQUEST) <unsigned integer>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3).
-.SH "NOTES"
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.SH NOTES
.IX Header "NOTES"
A context for the seed source can be obtained by calling:
.PP
.Vb 2
\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "SEED\-SRC", NULL);
-\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
.Ve
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 5
\& EVP_RAND *rand;
@@ -182,9 +103,10 @@ A context for the seed source can be obtained by calling:
\& OSSL_PARAM params[2], *p = params;
\& unsigned int strength = 128;
\&
-\& /* Create a seed source */
+\& /* Create and instantiate a seed source */
\& rand = EVP_RAND_fetch(NULL, "SEED\-SRC", NULL);
\& seed = EVP_RAND_CTX_new(rand, NULL);
+\& EVP_RAND_instantiate(seed, strength, 0, NULL, 0, NULL);
\& EVP_RAND_free(rand);
\&
\& /* Feed this into a DRBG */
@@ -205,13 +127,13 @@ A context for the seed source can be obtained by calling:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBEVP_RAND\fR\|(3),
+"PARAMETERS" in \fBEVP_RAND\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7
index 539ab5faafd9..8da6d2e2cbd2 100644
--- a/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND-TEST-RAND.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,148 +52,84 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND-TEST-RAND 7ossl"
-.TH EVP_RAND-TEST-RAND 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND-TEST-RAND 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND\-TEST\-RAND \- The test EVP_RAND implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for a test generator through the \fB\s-1EVP_RAND\s0\fR \s-1API.\s0 This generator is
+Support for a test generator through the \fBEVP_RAND\fR API. This generator is
for test purposes only, it does not generate random numbers.
-.SS "Identity"
+.SS Identity
.IX Subsection "Identity"
-\&\*(L"TEST-RAND\*(R" is the name for this implementation; it can be used with the
+"TEST-RAND" is the name for this implementation; it can be used with the
\&\fBEVP_RAND_fetch()\fR function.
.SS "Supported parameters"
.IX Subsection "Supported parameters"
The supported parameters are:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
-These parameter works as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3).
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
+.PD 0
+.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.PD
+These parameter works as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3).
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
.PD 0
-.ie n .IP """reseed_requests"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_requests'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_requests (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
-.ie n .IP """reseed_time_interval"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.el .IP "``reseed_time_interval'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.IX Item "reseed_time_interval (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
-.ie n .IP """max_request"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
-.ie n .IP """min_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_entropylen (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """max_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_entropylen (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
-.ie n .IP """min_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_noncelen (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
-.ie n .IP """max_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_noncelen (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
-.ie n .IP """max_perslen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_perslen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_perslen (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
-.ie n .IP """max_adinlen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_adinlen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_adinlen (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
-.ie n .IP """reseed_counter"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_counter'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_counter (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
+.IP """reseed_requests"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """reseed_requests"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+.IP """reseed_time_interval"" (\fBOSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\fR) <integer>" 4
+.IX Item """reseed_time_interval"" (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
+.IP """max_request"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+.IP """min_entropylen"" (\fBOSSL_DRBG_PARAM_MIN_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """min_entropylen"" (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
+.IP """max_entropylen"" (\fBOSSL_DRBG_PARAM_MAX_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """max_entropylen"" (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
+.IP """min_noncelen"" (\fBOSSL_DRBG_PARAM_MIN_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """min_noncelen"" (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
+.IP """max_noncelen"" (\fBOSSL_DRBG_PARAM_MAX_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """max_noncelen"" (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
+.IP """max_perslen"" (\fBOSSL_DRBG_PARAM_MAX_PERSLEN\fR) <unsigned integer>" 4
+.IX Item """max_perslen"" (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
+.IP """max_adinlen"" (\fBOSSL_DRBG_PARAM_MAX_ADINLEN\fR) <unsigned integer>" 4
+.IX Item """max_adinlen"" (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
+.IP """reseed_counter"" (\fBOSSL_DRBG_PARAM_RESEED_COUNTER\fR) <unsigned integer>" 4
+.IX Item """reseed_counter"" (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
.PD
-These parameters work as described in \*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3), except that
+These parameters work as described in "PARAMETERS" in \fBEVP_RAND\fR\|(3), except that
they can all be set as well as read.
-.ie n .IP """test_entropy"" (\fB\s-1OSSL_RAND_PARAM_TEST_ENTROPY\s0\fR) <octet string>" 4
-.el .IP "``test_entropy'' (\fB\s-1OSSL_RAND_PARAM_TEST_ENTROPY\s0\fR) <octet string>" 4
-.IX Item "test_entropy (OSSL_RAND_PARAM_TEST_ENTROPY) <octet string>"
+.IP """test_entropy"" (\fBOSSL_RAND_PARAM_TEST_ENTROPY\fR) <octet string>" 4
+.IX Item """test_entropy"" (OSSL_RAND_PARAM_TEST_ENTROPY) <octet string>"
Sets the bytes returned when the test generator is sent an entropy request.
The current position is remembered across generate calls.
If there are insufficient data present to satisfy a call, an error is returned.
-.ie n .IP """test_nonce"" (\fB\s-1OSSL_RAND_PARAM_TEST_NONCE\s0\fR) <octet string>" 4
-.el .IP "``test_nonce'' (\fB\s-1OSSL_RAND_PARAM_TEST_NONCE\s0\fR) <octet string>" 4
-.IX Item "test_nonce (OSSL_RAND_PARAM_TEST_NONCE) <octet string>"
+.IP """test_nonce"" (\fBOSSL_RAND_PARAM_TEST_NONCE\fR) <octet string>" 4
+.IX Item """test_nonce"" (OSSL_RAND_PARAM_TEST_NONCE) <octet string>"
Sets the bytes returned when the test generator is sent a nonce request.
Each nonce request will return all of the bytes.
-.SH "NOTES"
+.IP """generate"" (\fBOSSL_RAND_PARAM_GENERATE\fR) <integer>" 4
+.IX Item """generate"" (OSSL_RAND_PARAM_GENERATE) <integer>"
+If this parameter is zero, it will only emit the nonce and entropy data
+supplied via the aforementioned parameters. Otherwise, low quality
+non-cryptographic pseudorandom output is produced. This parameter defaults
+to zero.
+.SH NOTES
.IX Header "NOTES"
A context for a test generator can be obtained by calling:
.PP
.Vb 2
\& EVP_RAND *rand = EVP_RAND_fetch(NULL, "TEST\-RAND", NULL);
-\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand);
+\& EVP_RAND_CTX *rctx = EVP_RAND_CTX_new(rand, NULL);
.Ve
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.Vb 7
\& EVP_RAND *rand;
@@ -238,16 +158,16 @@ A context for a test generator can be obtained by calling:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBEVP_RAND\fR\|(3),
+"PARAMETERS" in \fBEVP_RAND\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_RAND.7 b/secure/lib/libcrypto/man/man7/EVP_RAND.7
index 698f4008d804..2d79242db883 100644
--- a/secure/lib/libcrypto/man/man7/EVP_RAND.7
+++ b/secure/lib/libcrypto/man/man7/EVP_RAND.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,177 +52,117 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RAND 7ossl"
-.TH EVP_RAND 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_RAND 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_RAND \- the random bit generator
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/evp.h>
\& #include <rand.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The default OpenSSL \s-1RAND\s0 method is based on the \s-1EVP_RAND\s0 classes to provide
+The default OpenSSL RAND method is based on the EVP_RAND classes to provide
non-deterministic inputs to other cryptographic algorithms.
.PP
-While the \s-1RAND API\s0 is the 'frontend' which is intended to be used by
-application developers for obtaining random bytes, the \s-1EVP_RAND API\s0
+While the RAND API is the 'frontend' which is intended to be used by
+application developers for obtaining random bytes, the EVP_RAND API
serves as the 'backend', connecting the former with the operating
systems's entropy sources and providing access to deterministic random
-bit generators (\s-1DRBG\s0) and their configuration parameters.
-A \s-1DRBG\s0 is a certain type of cryptographically-secure pseudo-random
-number generator (\s-1CSPRNG\s0), which is described in
-[\s-1NIST SP 800\-90A\s0 Rev. 1].
-.SS "Disclaimer"
+bit generators (DRBG) and their configuration parameters.
+A DRBG is a certain type of cryptographically-secure pseudo-random
+number generator (CSPRNG), which is described in
+[NIST SP 800\-90A Rev. 1].
+.SS Disclaimer
.IX Subsection "Disclaimer"
Unless you have very specific requirements for your random generator,
-it is in general not necessary to utilize the \s-1EVP_RAND API\s0 directly.
+it is in general not necessary to utilize the EVP_RAND API directly.
The usual way to obtain random bytes is to use \fBRAND_bytes\fR\|(3) or
-\&\fBRAND_priv_bytes\fR\|(3), see also \s-1\fBRAND\s0\fR\|(7).
+\&\fBRAND_priv_bytes\fR\|(3), see also \fBRAND\fR\|(7).
.SS "Typical Use Cases"
.IX Subsection "Typical Use Cases"
Typical examples for such special use cases are the following:
-.IP "\(bu" 2
-You want to use your own private \s-1DRBG\s0 instances.
-Multiple \s-1DRBG\s0 instances which are accessed only by a single thread provide
+.IP \(bu 2
+You want to use your own private DRBG instances.
+Multiple DRBG instances which are accessed only by a single thread provide
additional security (because their internal states are independent) and
better scalability in multithreaded applications (because they don't need
to be locked).
-.IP "\(bu" 2
+.IP \(bu 2
You need to integrate a previously unsupported entropy source.
Refer to \fBprovider\-rand\fR\|(7) for the implementation details to support adding
-randomness sources to \s-1EVP_RAND.\s0
-.IP "\(bu" 2
-You need to change the default settings of the standard OpenSSL \s-1RAND\s0
+randomness sources to EVP_RAND.
+.IP \(bu 2
+You need to change the default settings of the standard OpenSSL RAND
implementation to meet specific requirements.
.SH "EVP_RAND CHAINING"
.IX Header "EVP_RAND CHAINING"
-An \s-1EVP_RAND\s0 instance can be used as the entropy source of another
-\&\s-1EVP_RAND\s0 instance, provided it has itself access to a valid entropy source.
-The \s-1EVP_RAND\s0 instance which acts as entropy source is called the \fIparent\fR,
-the other instance the \fIchild\fR. Typically, the child will be a \s-1DRBG\s0 because
+An EVP_RAND instance can be used as the entropy source of another
+EVP_RAND instance, provided it has itself access to a valid entropy source.
+The EVP_RAND instance which acts as entropy source is called the \fIparent\fR,
+the other instance the \fIchild\fR. Typically, the child will be a DRBG because
it does not make sense for the child to be an entropy source.
.PP
-This is called chaining. A chained \s-1EVP_RAND\s0 instance is created by passing
-a pointer to the parent \s-1EVP_RAND_CTX\s0 as argument to the \fBEVP_RAND_CTX_new()\fR call.
-It is possible to create chains of more than two \s-1DRBG\s0 in a row.
-It is also possible to use any \s-1EVP_RAND_CTX\s0 class as the parent, however, only
+This is called chaining. A chained EVP_RAND instance is created by passing
+a pointer to the parent EVP_RAND_CTX as argument to the \fBEVP_RAND_CTX_new()\fR call.
+It is possible to create chains of more than two DRBG in a row.
+It is also possible to use any EVP_RAND_CTX class as the parent, however, only
a live entropy source may ignore and not use its parent.
.SH "THE THREE SHARED DRBG INSTANCES"
.IX Header "THE THREE SHARED DRBG INSTANCES"
-Currently, there are three shared \s-1DRBG\s0 instances,
-the <primary>, <public>, and <private> \s-1DRBG.\s0
-While the <primary> \s-1DRBG\s0 is a single global instance, the <public> and <private>
-\&\s-1DRBG\s0 are created per thread and accessed through thread-local storage.
+Currently, there are three shared DRBG instances,
+the <primary>, <public>, and <private> DRBG.
+While the <primary> DRBG is a single global instance, the <public> and <private>
+DRBG are created per thread and accessed through thread-local storage.
.PP
By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use
-the thread-local <public> and <private> \s-1DRBG\s0 instance, respectively.
-.SS "The <primary> \s-1DRBG\s0 instance"
+the thread-local <public> and <private> DRBG instance, respectively.
+.SS "The <primary> DRBG instance"
.IX Subsection "The <primary> DRBG instance"
-The <primary> \s-1DRBG\s0 is not used directly by the application, only for reseeding
-the two other two \s-1DRBG\s0 instances. It reseeds itself by obtaining randomness
+The <primary> DRBG is not used directly by the application, only for reseeding
+the two other two DRBG instances. It reseeds itself by obtaining randomness
either from os entropy sources or by consuming randomness which was added
previously by \fBRAND_add\fR\|(3).
-.SS "The <public> \s-1DRBG\s0 instance"
+.SS "The <public> DRBG instance"
.IX Subsection "The <public> DRBG instance"
This instance is used per default by \fBRAND_bytes\fR\|(3).
-.SS "The <private> \s-1DRBG\s0 instance"
+.SS "The <private> DRBG instance"
.IX Subsection "The <private> DRBG instance"
This instance is used per default by \fBRAND_priv_bytes\fR\|(3)
-.SH "LOCKING"
+.SH LOCKING
.IX Header "LOCKING"
-The <primary> \s-1DRBG\s0 is intended to be accessed concurrently for reseeding
-by its child \s-1DRBG\s0 instances. The necessary locking is done internally.
-It is \fInot\fR thread-safe to access the <primary> \s-1DRBG\s0 directly via the
-\&\s-1EVP_RAND\s0 interface.
-The <public> and <private> \s-1DRBG\s0 are thread-local, i.e. there is an
+The <primary> DRBG is intended to be accessed concurrently for reseeding
+by its child DRBG instances. The necessary locking is done internally.
+It is \fInot\fR thread-safe to access the <primary> DRBG directly via the
+EVP_RAND interface.
+The <public> and <private> DRBG are thread-local, i.e. there is an
instance of each per thread. So they can safely be accessed without
-locking via the \s-1EVP_RAND\s0 interface.
+locking via the EVP_RAND interface.
.PP
-Pointers to these \s-1DRBG\s0 instances can be obtained using
+Pointers to these DRBG instances can be obtained using
\&\fBRAND_get0_primary()\fR, \fBRAND_get0_public()\fR and \fBRAND_get0_private()\fR, respectively.
Note that it is not allowed to store a pointer to one of the thread-local
-\&\s-1DRBG\s0 instances in a variable or other memory location where it will be
+DRBG instances in a variable or other memory location where it will be
accessed and used by multiple threads.
.PP
-All other \s-1DRBG\s0 instances created by an application don't support locking,
+All other DRBG instances created by an application don't support locking,
because they are intended to be used by a single thread.
-Instead of accessing a single \s-1DRBG\s0 instance concurrently from different
-threads, it is recommended to instantiate a separate \s-1DRBG\s0 instance per
-thread. Using the <primary> \s-1DRBG\s0 as entropy source for multiple \s-1DRBG\s0
-instances on different threads is thread-safe, because the \s-1DRBG\s0 instance
-will lock the <primary> \s-1DRBG\s0 automatically for obtaining random input.
+Instead of accessing a single DRBG instance concurrently from different
+threads, it is recommended to instantiate a separate DRBG instance per
+thread. Using the <primary> DRBG as entropy source for multiple DRBG
+instances on different threads is thread-safe, because the DRBG instance
+will lock the <primary> DRBG automatically for obtaining random input.
.SH "THE OVERALL PICTURE"
.IX Header "THE OVERALL PICTURE"
-The following picture gives an overview over how the \s-1DRBG\s0 instances work
+The following picture gives an overview over how the DRBG instances work
together and are being used.
.PP
.Vb 10
@@ -267,11 +191,11 @@ RAND_priv_bytes(...). These calls are roughly equivalent to calling
EVP_RAND_generate(<public>, ...) and
EVP_RAND_generate(<private>, ...),
respectively.
-.SH "RESEEDING"
+.SH RESEEDING
.IX Header "RESEEDING"
-A \s-1DRBG\s0 instance seeds itself automatically, pulling random input from
+A DRBG instance seeds itself automatically, pulling random input from
its entropy source. The entropy source can be either a trusted operating
-system entropy source, or another \s-1DRBG\s0 with access to such a source.
+system entropy source, or another DRBG with access to such a source.
.PP
Automatic reseeding occurs after a predefined number of generate requests.
The selection of the trusted entropy sources is configured at build
@@ -279,10 +203,10 @@ time using the \-\-with\-rand\-seed option. The following sections explain
the reseeding process in more detail.
.SS "Automatic Reseeding"
.IX Subsection "Automatic Reseeding"
-Before satisfying a generate request (\fBEVP_RAND_generate\fR\|(3)), the \s-1DRBG\s0
+Before satisfying a generate request (\fBEVP_RAND_generate\fR\|(3)), the DRBG
reseeds itself automatically, if one of the following conditions holds:
.PP
-\&\- the \s-1DRBG\s0 was not instantiated (=seeded) yet or has been uninstantiated.
+\&\- the DRBG was not instantiated (=seeded) yet or has been uninstantiated.
.PP
\&\- the number of generate requests since the last reseeding exceeds a
certain threshold, the so called \fIreseed_interval\fR.
@@ -292,39 +216,39 @@ This behaviour can be disabled by setting the \fIreseed_interval\fR to 0.
interval, the so called \fIreseed_time_interval\fR.
This can be disabled by setting the \fIreseed_time_interval\fR to 0.
.PP
-\&\- the \s-1DRBG\s0 is in an error state.
+\&\- the DRBG is in an error state.
.PP
\&\fBNote\fR: An error state is entered if the entropy source fails while
-the \s-1DRBG\s0 is seeding or reseeding.
-The last case ensures that the \s-1DRBG\s0 automatically recovers
+the DRBG is seeding or reseeding.
+The last case ensures that the DRBG automatically recovers
from the error as soon as the entropy source is available again.
.SS "Manual Reseeding"
.IX Subsection "Manual Reseeding"
In addition to automatic reseeding, the caller can request an immediate
-reseeding of the \s-1DRBG\s0 with fresh entropy by setting the
+reseeding of the DRBG with fresh entropy by setting the
\&\fIprediction resistance\fR parameter to 1 when calling
\&\fBEVP_RAND_generate\fR\|(3).
.PP
-The document [\s-1NIST SP 800\-90C\s0] describes prediction resistance requests
+The document [NIST SP 800\-90C] describes prediction resistance requests
in detail and imposes strict conditions on the entropy sources that are
approved for providing prediction resistance.
A request for prediction resistance can only be satisfied by pulling fresh
-entropy from a live entropy source (section 5.5.2 of [\s-1NIST SP 800\-90C\s0]).
+entropy from a live entropy source (section 5.5.2 of [NIST SP 800\-90C]).
It is up to the user to ensure that a live entropy source is configured
and is being used.
.PP
For the three shared DRBGs (and only for these) there is another way to
reseed them manually:
If \fBRAND_add\fR\|(3) is called with a positive \fIrandomness\fR argument
-(or \fBRAND_seed\fR\|(3)), then this will immediately reseed the <primary> \s-1DRBG.\s0
-The <public> and <private> \s-1DRBG\s0 will detect this on their next generate
+(or \fBRAND_seed\fR\|(3)), then this will immediately reseed the <primary> DRBG.
+The <public> and <private> DRBG will detect this on their next generate
call and reseed, pulling randomness from <primary>.
.PP
The last feature has been added to support the common practice used with
previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes()\fR.
.SS "Entropy Input and Additional Data"
.IX Subsection "Entropy Input and Additional Data"
-The \s-1DRBG\s0 distinguishes two different types of random input: \fIentropy\fR,
+The DRBG distinguishes two different types of random input: \fIentropy\fR,
which comes from a trusted source, and \fIadditional input\fR',
which can optionally be added by the user and is considered untrusted.
It is possible to add \fIadditional input\fR not only during reseeding,
@@ -332,68 +256,74 @@ but also for every generate request.
.SS "Configuring the Random Seed Source"
.IX Subsection "Configuring the Random Seed Source"
In most cases OpenSSL will automatically choose a suitable seed source
-for automatically seeding and reseeding its <primary> \s-1DRBG.\s0 In some cases
-however, it will be necessary to explicitly specify a seed source during
-configuration, using the \-\-with\-rand\-seed option. For more information,
-see the \s-1INSTALL\s0 instructions. There are also operating systems where no
-seed source is available and automatic reseeding is disabled by default.
+for automatically seeding and reseeding its <primary> DRBG. The
+default seed source can be configured when OpenSSL is compiled by
+setting \fB\-DOPENSSL_DEFAULT_SEED_SRC=SEED\-SRC\fR. If not set then
+"SEED-SRC" is used. One can specify a third-party provider seed-source,
+or \fB\-DOPENSSL_DEFAULT_SEED_SRC=JITTER\fR if available.
+.PP
+In some cases however, it will be necessary to explicitly specify a
+seed source used by "SEED-SRC" during configuration, using the
+\&\-\-with\-rand\-seed option. For more information, see the INSTALL
+instructions. There are also operating systems where no seed source is
+available and automatic reseeding is disabled by default.
.PP
The following two sections describe the reseeding process of the primary
-\&\s-1DRBG,\s0 depending on whether automatic reseeding is available or not.
-.SS "Reseeding the primary \s-1DRBG\s0 with automatic seeding enabled"
+DRBG, depending on whether automatic reseeding is available or not.
+.SS "Reseeding the primary DRBG with automatic seeding enabled"
.IX Subsection "Reseeding the primary DRBG with automatic seeding enabled"
-Calling \fBRAND_poll()\fR or \fBRAND_add()\fR is not necessary, because the \s-1DRBG\s0
+Calling \fBRAND_poll()\fR or \fBRAND_add()\fR is not necessary, because the DRBG
pulls the necessary entropy from its source automatically.
-However, both calls are permitted, and do reseed the \s-1RNG.\s0
+However, both calls are permitted, and do reseed the RNG.
.PP
\&\fBRAND_add()\fR can be used to add both kinds of random input, depending on the
value of the \fIrandomness\fR argument:
.IP "randomness == 0:" 4
.IX Item "randomness == 0:"
The random bytes are mixed as additional input into the current state of
-the \s-1DRBG.\s0
+the DRBG.
Mixing in additional input is not considered a full reseeding, hence the
reseed counter is not reset.
.IP "randomness > 0:" 4
.IX Item "randomness > 0:"
The random bytes are used as entropy input for a full reseeding
-(resp. reinstantiation) if the \s-1DRBG\s0 is instantiated
+(resp. reinstantiation) if the DRBG is instantiated
(resp. uninstantiated or in an error state).
The number of random bits required for reseeding is determined by the
-security strength of the \s-1DRBG.\s0 Currently it defaults to 256 bits (32 bytes).
+security strength of the DRBG. Currently it defaults to 256 bits (32 bytes).
It is possible to provide less randomness than required.
In this case the missing randomness will be obtained by pulling random input
from the trusted entropy sources.
.PP
-\&\s-1NOTE:\s0 Manual reseeding is *not allowed* in \s-1FIPS\s0 mode, because
-[\s-1NIST\s0 SP\-800\-90Ar1] mandates that entropy *shall not* be provided by
+NOTE: Manual reseeding is *not allowed* in FIPS mode, because
+[NIST SP\-800\-90Ar1] mandates that entropy *shall not* be provided by
the consuming application for instantiation (Section 9.1) or
reseeding (Section 9.2). For that reason, the \fIrandomness\fR
argument is ignored and the random bytes provided by the \fBRAND_add\fR\|(3) and
\&\fBRAND_seed\fR\|(3) calls are treated as additional data.
-.SS "Reseeding the primary \s-1DRBG\s0 with automatic seeding disabled"
+.SS "Reseeding the primary DRBG with automatic seeding disabled"
.IX Subsection "Reseeding the primary DRBG with automatic seeding disabled"
Calling \fBRAND_poll()\fR will always fail.
.PP
\&\fBRAND_add()\fR needs to be called for initial seeding and periodic reseeding.
At least 48 bytes (384 bits) of randomness have to be provided, otherwise
-the (re\-)seeding of the \s-1DRBG\s0 will fail. This corresponds to one and a half
-times the security strength of the \s-1DRBG.\s0 The extra half is used for the
+the (re\-)seeding of the DRBG will fail. This corresponds to one and a half
+times the security strength of the DRBG. The extra half is used for the
nonce during instantiation.
.PP
More precisely, the number of bytes needed for seeding depend on the
-\&\fIsecurity strength\fR of the \s-1DRBG,\s0 which is set to 256 by default.
+\&\fIsecurity strength\fR of the DRBG, which is set to 256 by default.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBRAND\s0\fR\|(7), \s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBRAND\fR\|(7), \fBEVP_RAND\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7
index 7d5b4b3ec782..f441957b8f09 100644
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-DSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,105 +52,100 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNATURE-DSA 7ossl"
-.TH EVP_SIGNATURE-DSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNATURE-DSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SIGNATURE\-DSA
\&\- The EVP_PKEY DSA signature implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1DSA\s0 signatures.
-See \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7) for information related to \s-1DSA\s0 keys.
+Support for computing DSA signatures. The signature produced with
+\&\fBEVP_PKEY_sign\fR\|(3) is DER encoded ASN.1 in the form described in
+RFC 3279, section 2.2.2.
+See \fBEVP_PKEY\-DSA\fR\|(7) for information related to DSA keys.
+.PP
+As part of FIPS 140\-3 DSA is not longer FIPS approved for key generation and
+signature validation, but is still allowed for signature verification.
+.SS "Algorithm Names"
+.IX Subsection "Algorithm Names"
+In this list, names are grouped together to signify that they are the same
+algorithm having multiple names. This also includes the OID in canonical
+decimal form (which means that they are possible to fetch if the caller has a
+mere OID which came out in this form after a call to \fBOBJ_obj2txt\fR\|(3)).
+.IP """DSA"", ""dsaEncryption"", ""1.2.840.10040.4.1""" 4
+.IX Item """DSA"", ""dsaEncryption"", ""1.2.840.10040.4.1"""
+The base signature algorithm, supported explicitly fetched with
+\&\fBEVP_PKEY_sign_init_ex2\fR\|(3), and implicitly fetched (through
+EC keys) with \fBEVP_DigestSignInit\fR\|(3) and
+\&\fBEVP_DigestVerifyInit\fR\|(3).
+.Sp
+It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3)
+.IP """DSA\-SHA1"", ""DSA\-SHA\-1"", ""dsaWithSHA1"", ""1.2.840.10040.4.3""" 4
+.IX Item """DSA-SHA1"", ""DSA-SHA-1"", ""dsaWithSHA1"", ""1.2.840.10040.4.3"""
+.PD 0
+.IP """DSA\-SHA2\-224"", ""DSA\-SHA224"", ""dsa_with_SHA224"", ""2.16.840.1.101.3.4.3.1""" 4
+.IX Item """DSA-SHA2-224"", ""DSA-SHA224"", ""dsa_with_SHA224"", ""2.16.840.1.101.3.4.3.1"""
+.IP """DSA\-SHA2\-256"", ""DSA\-SHA256"", ""dsa_with_SHA256"", ""2.16.840.1.101.3.4.3.2""" 4
+.IX Item """DSA-SHA2-256"", ""DSA-SHA256"", ""dsa_with_SHA256"", ""2.16.840.1.101.3.4.3.2"""
+.IP """DSA\-SHA2\-384"", ""DSA\-SHA384"", ""dsa_with_SHA384"", ""id\-dsa\-with\-sha384"", ""1.2.840.1.101.3.4.3.3""" 4
+.IX Item """DSA-SHA2-384"", ""DSA-SHA384"", ""dsa_with_SHA384"", ""id-dsa-with-sha384"", ""1.2.840.1.101.3.4.3.3"""
+.IP """DSA\-SHA2\-512"", ""DSA\-SHA512"", ""dsa_with_SHA512"", ""id\-dsa\-with\-sha512"", ""1.2.840.1.101.3.4.3.4""" 4
+.IX Item """DSA-SHA2-512"", ""DSA-SHA512"", ""dsa_with_SHA512"", ""id-dsa-with-sha512"", ""1.2.840.1.101.3.4.3.4"""
+.IP """DSA\-SHA3\-224"", ""dsa_with_SHA3\-224"", ""id\-dsa\-with\-sha3\-224"", ""2.16.840.1.101.3.4.3.5""" 4
+.IX Item """DSA-SHA3-224"", ""dsa_with_SHA3-224"", ""id-dsa-with-sha3-224"", ""2.16.840.1.101.3.4.3.5"""
+.IP """DSA\-SHA3\-256"", ""dsa_with_SHA3\-256"", ""id\-dsa\-with\-sha3\-256"", ""2.16.840.1.101.3.4.3.6""" 4
+.IX Item """DSA-SHA3-256"", ""dsa_with_SHA3-256"", ""id-dsa-with-sha3-256"", ""2.16.840.1.101.3.4.3.6"""
+.IP """DSA\-SHA3\-384"", ""dsa_with_SHA3\-384"", ""id\-dsa\-with\-sha3\-384"", ""2.16.840.1.101.3.4.3.7""" 4
+.IX Item """DSA-SHA3-384"", ""dsa_with_SHA3-384"", ""id-dsa-with-sha3-384"", ""2.16.840.1.101.3.4.3.7"""
+.IP """DSA\-SHA3\-512"", ""dsa_with_SHA3\-512"", ""id\-dsa\-with\-sha3\-512"", ""2.16.840.1.101.3.4.3.8""" 4
+.IX Item """DSA-SHA3-512"", ""dsa_with_SHA3-512"", ""id-dsa-with-sha3-512"", ""2.16.840.1.101.3.4.3.8"""
+.PD
+DSA signature schemes with diverse message digest algorithms. They are all
+supported explicitly fetched with \fBEVP_PKEY_sign_init_ex2\fR\|(3) and
+\&\fBEVP_PKEY_sign_message_init\fR\|(3).
.SS "Signature Parameters"
.IX Subsection "Signature Parameters"
The following signature parameters can be set using \fBEVP_PKEY_CTX_set_params()\fR.
This may be called after \fBEVP_PKEY_sign_init()\fR or \fBEVP_PKEY_verify_init()\fR,
-and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR.
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR. They may also be set
+using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_verify_init_ex()\fR.
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.PD 0
+.IP """properties"" (\fBOSSL_SIGNATURE_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
+.PD
+These two are not supported with the DSA signature schemes that already
+include a message digest algorithm, See "Algorithm Names" above.
+.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4
+.IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>"
.PD 0
-.ie n .IP """properties"" (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
+.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>"
+.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>"
+.IP """sign-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <int>" 4
+.IX Item """sign-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK) <int>"
.PD
The settable parameters are described in \fBprovider\-signature\fR\|(7).
.PP
The following signature parameters can be retrieved using
\&\fBEVP_PKEY_CTX_get_params()\fR.
-.ie n .IP """algorithm-id"" (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.el .IP "``algorithm-id'' (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.IX Item "algorithm-id (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
+.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4
+.IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4
+.IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>"
+.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
.PD
The gettable parameters are described in \fBprovider\-signature\fR\|(7).
.SH "SEE ALSO"
@@ -175,11 +154,15 @@ The gettable parameters are described in \fBprovider\-signature\fR\|(7).
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBprovider\-signature\fR\|(7),
-.SH "COPYRIGHT"
+.SH HISTORY
+.IX Header "HISTORY"
+DSA Key generation and signature generation are no longer FIPS approved in
+OpenSSL 3.4. See "FIPS indicators" in \fBfips_module\fR\|(7) for more information.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7
index b7e8c1a7a1fc..eca42f1bd020 100644
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ECDSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,104 +52,93 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNATURE-ECDSA 7ossl"
-.TH EVP_SIGNATURE-ECDSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNATURE-ECDSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SIGNATURE\-ECDSA \- The EVP_PKEY ECDSA signature implementation.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1ECDSA\s0 signatures.
-See \s-1\fBEVP_PKEY\-EC\s0\fR\|(7) for information related to \s-1EC\s0 keys.
-.SS "\s-1ECDSA\s0 Signature Parameters"
+Support for computing ECDSA signatures.
+See \fBEVP_PKEY\-EC\fR\|(7) for information related to EC keys.
+.SS "Algorithm Names"
+.IX Subsection "Algorithm Names"
+In this list, names are grouped together to signify that they are the same
+algorithm having multiple names. This also includes the OID in canonical
+decimal form (which means that they are possible to fetch if the caller has a
+mere OID which came out in this form after a call to \fBOBJ_obj2txt\fR\|(3)).
+.IP """ECDSA""" 4
+.IX Item """ECDSA"""
+The base signature algorithm, supported explicitly fetched with
+\&\fBEVP_PKEY_sign_init_ex2\fR\|(3), and implicitly fetched (through
+EC keys) with \fBEVP_DigestSignInit\fR\|(3) and
+\&\fBEVP_DigestVerifyInit\fR\|(3).
+.Sp
+It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3)
+.IP """ECDSA\-SHA1"", ""ECDSA\-SHA\-1"", ""ecdsa\-with\-SHA1"", ""1.2.840.10045.4.1""" 4
+.IX Item """ECDSA-SHA1"", ""ECDSA-SHA-1"", ""ecdsa-with-SHA1"", ""1.2.840.10045.4.1"""
+.PD 0
+.IP """ECDSA\-SHA2\-224"", ""ECDSA\-SHA224"", ""ecdsa\-with\-SHA224"", ""1.2.840.10045.4.3.1""" 4
+.IX Item """ECDSA-SHA2-224"", ""ECDSA-SHA224"", ""ecdsa-with-SHA224"", ""1.2.840.10045.4.3.1"""
+.IP """ECDSA\-SHA2\-256"", ""ECDSA\-SHA256"", ""ecdsa\-with\-SHA256"", ""1.2.840.10045.4.3.2""" 4
+.IX Item """ECDSA-SHA2-256"", ""ECDSA-SHA256"", ""ecdsa-with-SHA256"", ""1.2.840.10045.4.3.2"""
+.IP """ECDSA\-SHA2\-384"", ""ECDSA\-SHA384"", ""ecdsa\-with\-SHA384"", ""1.2.840.10045.4.3.3""" 4
+.IX Item """ECDSA-SHA2-384"", ""ECDSA-SHA384"", ""ecdsa-with-SHA384"", ""1.2.840.10045.4.3.3"""
+.IP """ECDSA\-SHA2\-512"", ""ECDSA\-SHA512"", ""ecdsa\-with\-SHA512"", ""1.2.840.10045.4.3.4""" 4
+.IX Item """ECDSA-SHA2-512"", ""ECDSA-SHA512"", ""ecdsa-with-SHA512"", ""1.2.840.10045.4.3.4"""
+.IP """ECDSA\-SHA3\-224"", ""ecdsa_with_SHA3\-224"", ""id\-ecdsa\-with\-sha3\-224"", ""2.16.840.1.101.3.4.3.9""" 4
+.IX Item """ECDSA-SHA3-224"", ""ecdsa_with_SHA3-224"", ""id-ecdsa-with-sha3-224"", ""2.16.840.1.101.3.4.3.9"""
+.IP """ECDSA\-SHA3\-256"", ""ecdsa_with_SHA3\-256"", ""id\-ecdsa\-with\-sha3\-256"", ""2.16.840.1.101.3.4.3.10""" 4
+.IX Item """ECDSA-SHA3-256"", ""ecdsa_with_SHA3-256"", ""id-ecdsa-with-sha3-256"", ""2.16.840.1.101.3.4.3.10"""
+.IP """ECDSA\-SHA3\-384"", ""ecdsa_with_SHA3\-384"", ""id\-ecdsa\-with\-sha3\-384"", ""2.16.840.1.101.3.4.3.11""" 4
+.IX Item """ECDSA-SHA3-384"", ""ecdsa_with_SHA3-384"", ""id-ecdsa-with-sha3-384"", ""2.16.840.1.101.3.4.3.11"""
+.IP """ECDSA\-SHA3\-512"", ""ecdsa_with_SHA3\-512"", ""id\-ecdsa\-with\-sha3\-512"", ""2.16.840.1.101.3.4.3.12""" 4
+.IX Item """ECDSA-SHA3-512"", ""ecdsa_with_SHA3-512"", ""id-ecdsa-with-sha3-512"", ""2.16.840.1.101.3.4.3.12"""
+.PD
+ECDSA signature schemes with diverse message digest algorithms. They are all
+supported explicitly fetched with \fBEVP_PKEY_sign_init_ex2\fR\|(3) and
+\&\fBEVP_PKEY_sign_message_init\fR\|(3).
+.SS "ECDSA Signature Parameters"
.IX Subsection "ECDSA Signature Parameters"
The following signature parameters can be set using \fBEVP_PKEY_CTX_set_params()\fR.
This may be called after \fBEVP_PKEY_sign_init()\fR or \fBEVP_PKEY_verify_init()\fR,
and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR.
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.PD 0
+.IP """properties"" (\fBOSSL_SIGNATURE_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
+.PD
+These two are not supported with the ECDSA signature schemes that already
+include a message digest algorithm, See "Algorithm Names" above.
+.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4
+.IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>"
.PD 0
-.ie n .IP """properties"" (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
+.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>"
+.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>"
.PD
These parameters are described in \fBprovider\-signature\fR\|(7).
.PP
The following signature parameters can be retrieved using
\&\fBEVP_PKEY_CTX_get_params()\fR.
-.ie n .IP """algorithm-id"" (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.el .IP "``algorithm-id'' (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.IX Item "algorithm-id (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
+.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4
+.IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4
+.IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>"
+.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4
+.IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>"
.PD
The parameters are described in \fBprovider\-signature\fR\|(7).
.SH "SEE ALSO"
@@ -174,11 +147,11 @@ The parameters are described in \fBprovider\-signature\fR\|(7).
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBprovider\-signature\fR\|(7),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7
index 237d5162589a..4008ec633b95 100644
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ED25519.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,115 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNATURE-ED25519 7ossl"
-.TH EVP_SIGNATURE-ED25519 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNATURE-ED25519 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SIGNATURE\-ED25519,
EVP_SIGNATURE\-ED448,
Ed25519,
Ed448
\&\- EVP_PKEY Ed25519 and Ed448 support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBEd25519\fR and \fBEd448\fR \s-1EVP_PKEY\s0 implementation supports key generation,
-one-shot digest sign and digest verify using PureEdDSA and \fBEd25519\fR or \fBEd448\fR
-(see \s-1RFC8032\s0). It has associated private and public key formats compatible with
-\&\s-1RFC 8410.\s0
-.SS "\s-1ED25519\s0 and \s-1ED448\s0 Signature Parameters"
+The \fBEd25519\fR and \fBEd448\fR EVP_PKEY implementation supports key
+generation, one-shot digest-sign and digest-verify using the EdDSA
+signature schemes described in RFC 8032. It has associated private and
+public key formats compatible with RFC 8410.
+.SS "EdDSA Instances"
+.IX Subsection "EdDSA Instances"
+RFC 8032 describes five EdDSA instances: Ed25519, Ed25519ctx,
+Ed25519ph, Ed448, Ed448ph.
+.PP
+The instances Ed25519, Ed25519ctx, Ed448 are referred to as \fBPureEdDSA\fR
+schemes. For these three instances, the sign and verify procedures
+require access to the complete message (not a digest of the message).
+.PP
+The instances Ed25519ph, Ed448ph are referred to as \fBHashEdDSA\fR
+schemes. For these two instances, the sign and verify procedures do
+not require access to the complete message; they operate on a hash of
+the message. For Ed25519ph, the hash function is SHA512. For
+Ed448ph, the hash function is SHAKE256 with an output length of 512
+bits.
+.PP
+The instances Ed25519ctx, Ed25519ph, Ed448, Ed448ph accept an optional
+\&\fBcontext-string\fR as input to sign and verify operations (and for
+Ed25519ctx, the context-string must be nonempty). For the Ed25519
+instance, a nonempty context-string is not permitted.
+.PP
+These instances can be specified as signature parameters when using
+\&\fBEVP_DigestSignInit\fR\|(3) and \fBEVP_DigestVerifyInit\fR\|(3), see
+"ED25519 and ED448 Signature Parameters" below.
+.PP
+These instances are also explicitly fetchable as algorithms using
+\&\fBEVP_SIGNATURE_fetch\fR\|(3), which can be used with
+\&\fBEVP_PKEY_sign_init_ex2\fR\|(3), \fBEVP_PKEY_verify_init_ex2\fR\|(3),
+\&\fBEVP_PKEY_sign_message_init\fR\|(3) and \fBEVP_PKEY_verify_message_init\fR\|(3).
+.SS "ED25519 and ED448 Signature Parameters"
.IX Subsection "ED25519 and ED448 Signature Parameters"
-No additional parameters can be set during one-shot signing or verification.
-In particular, because PureEdDSA is used, a digest must \fB\s-1NOT\s0\fR be specified when
-signing or verifying.
-See \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7) for information related to \fBX25519\fR and \fBX448\fR keys.
+Two parameters can be set during signing or verification: the EdDSA
+\&\fBinstance name\fR and the \fBcontext-string value\fR. They can be set by
+passing an OSSL_PARAM array to \fBEVP_DigestSignInit_ex()\fR.
+.IP \(bu 4
+"instance" (\fBOSSL_SIGNATURE_PARAM_INSTANCE\fR) <utf8 string>
+.Sp
+One of the five strings "Ed25519", "Ed25519ctx", "Ed25519ph", "Ed448", "Ed448ph".
+.Sp
+"Ed25519", "Ed25519ctx", "Ed25519ph" are valid only for an Ed25519 EVP_PKEY.
+.Sp
+"Ed448", "Ed448ph" are valid only for an Ed448 EVP_PKEY.
+.IP \(bu 4
+"context-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>
+.Sp
+A string of octets with length at most 255.
+.PP
+Both of these parameters are optional.
+.PP
+When using \fBEVP_DigestSignInit\fR\|(3) or \fBEVP_DigestVerifyInit\fR\|(3), the
+signature algorithm is derived from the key type name. The key type name
+("Ed25519" or "Ed448") is also the default for the instance, but this can be
+changed with the "instance" parameter.
+.PP
+Note that a message digest name must \fBNOT\fR be specified when signing
+or verifying.
+.PP
+When using \fBEVP_PKEY_sign_init_ex2\fR\|(3), \fBEVP_PKEY_verify_init_ex2\fR\|(3),
+\&\fBEVP_PKEY_sign_message_init\fR\|(3) or \fBEVP_PKEY_verify_message_init\fR\|(3), the
+instance is the explicit signature algorithm name, and may not be changed
+(trying to give one with the "instance" parameter is therefore an error).
+.PP
+If a context-string is not specified, then an empty context-string is
+used.
+.PP
+See \fBEVP_PKEY\-X25519\fR\|(7) for information related to \fBX25519\fR and \fBX448\fR keys.
.PP
The following signature parameters can be retrieved using
\&\fBEVP_PKEY_CTX_get_params()\fR.
-.ie n .IP """algorithm-id"" (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.el .IP "``algorithm-id'' (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.IX Item "algorithm-id (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
+.IP \(bu 4
+"algorithm-id" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>
+.IP \(bu 4
+"instance" (\fBOSSL_SIGNATURE_PARAM_INSTANCE\fR) <utf8 string>
+.IP \(bu 4
+"context-string" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>
+.PP
The parameters are described in \fBprovider\-signature\fR\|(7).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The PureEdDSA algorithm does not support the streaming mechanism
-of other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR.
+The PureEdDSA instances do not support the streaming mechanism of
+other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR.
The message to sign or verify must be passed using the one-shot
\&\fBEVP_DigestSign()\fR and \fBEVP_DigestVerify()\fR functions.
.PP
+The HashEdDSA instances do not yet support the streaming mechanisms
+(so the one-shot functions must be used with HashEdDSA as well).
+.PP
When calling \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR, the
-digest \fItype\fR parameter \fB\s-1MUST\s0\fR be set to \s-1NULL.\s0
+digest \fItype\fR parameter \fBMUST\fR be set to NULL.
.PP
Applications wishing to sign certificates (or other structures such as
CRLs or certificate requests) using Ed25519 or Ed448 can either use \fBX509_sign()\fR
@@ -183,15 +174,15 @@ the associated public key.
.PP
Ed25519 or Ed448 public keys can be set directly using
\&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo
-structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function).
+structure in a PEM file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function).
.PP
Ed25519 and Ed448 can be tested with the \fBopenssl\-speed\fR\|(1) application
since version 1.1.1.
Valid algorithm names are \fBed25519\fR, \fBed448\fR and \fBeddsa\fR. If \fBeddsa\fR is
specified, then both Ed25519 and Ed448 are benchmarked.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
-To sign a message using a \s-1ED25519\s0 or \s-1ED448\s0 key:
+To sign a message using an ED25519 EVP_PKEY structure:
.PP
.Vb 5
\& void do_sign(EVP_PKEY *ed_key, unsigned char *msg, size_t msg_len)
@@ -200,8 +191,16 @@ To sign a message using a \s-1ED25519\s0 or \s-1ED448\s0 key:
\& unsigned char *sig = NULL;
\& EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
\&
-\& EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, ed_key);
-\& /* Calculate the requires size for the signature by passing a NULL buffer */
+\& const OSSL_PARAM params[] = {
+\& OSSL_PARAM_utf8_string ("instance", "Ed25519ctx", 10),
+\& OSSL_PARAM_octet_string("context\-string", (unsigned char *)"A protocol defined context string", 33),
+\& OSSL_PARAM_END
+\& };
+\&
+\& /* The input "params" is not needed if default options are acceptable.
+\& Use NULL in place of "params" in that case. */
+\& EVP_DigestSignInit_ex(md_ctx, NULL, NULL, NULL, NULL, ed_key, params);
+\& /* Calculate the required size for the signature by passing a NULL buffer. */
\& EVP_DigestSign(md_ctx, NULL, &sig_len, msg, msg_len);
\& sig = OPENSSL_zalloc(sig_len);
\&
@@ -213,15 +212,15 @@ To sign a message using a \s-1ED25519\s0 or \s-1ED448\s0 key:
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBEVP_PKEY\-X25519\s0\fR\|(7)
+\&\fBEVP_PKEY\-X25519\fR\|(7)
\&\fBprovider\-signature\fR\|(7),
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_DigestVerifyInit\fR\|(3),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7
index 8c8119943dff..8450ff0beeac 100644
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-HMAC.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,79 +52,19 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNATURE-HMAC 7ossl"
-.TH EVP_SIGNATURE-HMAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNATURE-HMAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SIGNATURE\-HMAC, EVP_SIGNATURE\-Siphash, EVP_SIGNATURE\-Poly1305,
EVP_SIGNATURE\-CMAC
\&\- The legacy EVP_PKEY MAC signature implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The algorithms described here have legacy support for creating MACs using
\&\fBEVP_DigestSignInit\fR\|(3) and related functions. This is not the preferred way of
@@ -149,9 +73,9 @@ This mechanism is provided for backwards compatibility with older versions of
OpenSSL.
.PP
The same signature parameters can be set using \fBEVP_PKEY_CTX_set_params()\fR as can
-be set via \fBEVP_MAC_CTX_set_params()\fR for the underlying \s-1EVP_MAC.\s0 See
-\&\s-1\fBEVP_MAC\-HMAC\s0\fR\|(7), \fBEVP_MAC\-Siphash\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and
-\&\s-1\fBEVP_MAC\-CMAC\s0\fR\|(7) for details.
+be set via \fBEVP_MAC_CTX_set_params()\fR for the underlying EVP_MAC. See
+\&\fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-Siphash\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and
+\&\fBEVP_MAC\-CMAC\fR\|(7) for details.
.PP
.Vb 3
\& See L<EVP_PKEY\-HMAC(7)>, L<EVP_PKEY\-Siphash(7)>, L<EVP_PKEY\-Poly1305(7)> or
@@ -162,20 +86,20 @@ be set via \fBEVP_MAC_CTX_set_params()\fR for the underlying \s-1EVP_MAC.\s0 See
.IX Header "SEE ALSO"
\&\fBEVP_MAC_init\fR\|(3),
\&\fBEVP_DigestSignInit\fR\|(3),
-\&\s-1\fBEVP_PKEY\-HMAC\s0\fR\|(7),
+\&\fBEVP_PKEY\-HMAC\fR\|(7),
\&\fBEVP_PKEY\-Siphash\fR\|(7),
\&\fBEVP_PKEY\-Poly1305\fR\|(7),
-\&\s-1\fBEVP_PKEY\-CMAC\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-HMAC\s0\fR\|(7),
+\&\fBEVP_PKEY\-CMAC\fR\|(7),
+\&\fBEVP_MAC\-HMAC\fR\|(7),
\&\fBEVP_MAC\-Siphash\fR\|(7),
\&\fBEVP_MAC\-Poly1305\fR\|(7),
-\&\s-1\fBEVP_MAC\-CMAC\s0\fR\|(7),
+\&\fBEVP_MAC\-CMAC\fR\|(7),
\&\fBprovider\-signature\fR\|(7),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7
new file mode 100644
index 000000000000..e453e42e7a88
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-ML-DSA.7
@@ -0,0 +1,180 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_SIGNATURE-ML-DSA 7ossl"
+.TH EVP_SIGNATURE-ML-DSA 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_SIGNATURE\-ML\-DSA,
+EVP_SIGNATURE\-ML\-DSA\-44, EVP_SIGNATURE\-ML\-DSA\-65, EVP_SIGNATURE\-ML\-DSA\-87,
+\&\- EVP_SIGNATURE ML\-DSA support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBML\-DSA\-44\fR, \fBML\-DSA\-65\fR and \fBML\-DSA\-87\fR EVP_PKEY implementations
+support key generation, and one-shot sign and verify using the ML-DSA
+signature schemes described in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final>.
+.PP
+The different algorithms names correspond to the parameter sets defined in
+FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Section 4 Table 1.
+(The signatures range in size from ~2.5K to ~4.5K depending on the type chosen).
+There are 3 different security categories also depending on the type.
+.PP
+\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitely fetch one of the 3
+algorithms which can then be used with \fBEVP_PKEY_sign_message_init\fR\|(3),
+\&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_message_init\fR\|(3), and
+\&\fBEVP_PKEY_verify\fR\|(3) to perform one-shot message signing or signature verification.
+.PP
+The normal signing process (called Pure ML-DSA Signature Generation)
+encodes the message internally as 0x00 || len(ctx) || ctx || message.
+where \fBctx\fR is some optional value of size 0x00..0xFF. This process is
+defined in FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2
+step 10 and Algorithm 3 step 5.
+OpenSSL also allows the message to not be encoded which is required for
+testing. OpenSSL does not support Pre Hash ML-DSA Signature Generation, but this
+may be done by the user by doing Pre hash encoding externally and then choosing
+the option to not encode the message.
+.SS "ML-DSA Signature Parameters"
+.IX Subsection "ML-DSA Signature Parameters"
+The following parameter can be used for both signing and verification.
+it may be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_message_init\fR\|(3)
+or \fBEVP_PKEY_verify_message_init\fR\|(3)
+.IP """context-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4
+.IX Item """context-string"" (OSSL_SIGNATURE_PARAM_CONTEXT_STRING) <octet string>"
+A string of octets with length at most 255. By default it is the empty string.
+.PP
+The following parameters can be used when signing:
+They can be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3).
+.IP """message-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4
+.IX Item """message-encoding"" (OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING) <integer>"
+The default value of 1 uses 'Pure ML-DSA Signature Generation' as described
+above. Setting it to 0 does not encode the message, which is used for testing.
+The message encoding steps are defined in
+FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and
+Algorithm 3 step 5.
+.IP """test-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY\fR) <octet string>" 4
+.IX Item """test-entropy"" (OSSL_SIGNATURE_PARAM_TEST_ENTROPY) <octet string>"
+Used for testing to pass an optional deterministic per message random value.
+If set the size must be 32 bytes.
+.IP """deterministic"" (\fBOSSL_SIGNATURE_PARAM_DETERMINISTIC\fR) <integer>" 4
+.IX Item """deterministic"" (OSSL_SIGNATURE_PARAM_DETERMINISTIC) <integer>"
+The default value of 0 causes the per message randomness to be randomly
+generated using a DRBG. Setting this to 1 causes the per message randomness
+to be set to 32 bytes of zeros. This value is ignored if "test-entropy" is set.
+.IP """mu"" (\fBOSSL_SIGNATURE_PARAM_MU\fR) <integer>" 4
+.IX Item """mu"" (OSSL_SIGNATURE_PARAM_MU) <integer>"
+The default value of 0 causes sign and verify operations to process a raw message.
+Setting this to 1 causes those operations to assume the input is the \f(CW\*(C`mu\*(C'\fR value
+from FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 7 step 6 and
+Algorithm 8 step 7.
+.Sp
+Note that the message encoding steps from
+FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final> Algorithm 2 step 10 and
+Algorithm 3 step 5 are omitted when this setting is 1.
+.PP
+See \fBEVP_PKEY\-ML\-DSA\fR\|(7) for information related to \fBML-DSA\fR keys.
+.SH NOTES
+.IX Header "NOTES"
+For backwards compatability reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR,
+\&\fBEVP_DigestVerifyInit_ex()\fR and \fBEVP_DigestVerify()\fR may also be used, but the digest
+passed in \fImdname\fR must be NULL.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+To sign a message using an ML-DSA EVP_PKEY structure:
+.PP
+.Vb 10
+\& void do_sign(EVP_PKEY *key, unsigned char *msg, size_t msg_len)
+\& {
+\& size_t sig_len;
+\& unsigned char *sig = NULL;
+\& const OSSL_PARAM params[] = {
+\& OSSL_PARAM_octet_string("context\-string", (unsigned char *)"A context string", 16),
+\& OSSL_PARAM_END
+\& };
+\& EVP_PKEY_CTX *sctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL);
+\& EVP_SIGNATURE *sig_alg = EVP_SIGNATURE_fetch(NULL, "ML\-DSA\-65", NULL);
+\&
+\& EVP_PKEY_sign_message_init(sctx, sig_alg, params);
+\& /* Calculate the required size for the signature by passing a NULL buffer. */
+\& EVP_PKEY_sign(sctx, NULL, &sig_len, msg, msg_len);
+\& sig = OPENSSL_zalloc(sig_len);
+\& EVP_PKEY_sign(sctx, sig, &sig_len, msg, msg_len);
+\& ...
+\& OPENSSL_free(sig);
+\& EVP_SIGNATURE(sig_alg);
+\& EVP_PKEY_CTX_free(sctx);
+\& }
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_PKEY\-ML\-DSA\fR\|(7)
+\&\fBprovider\-signature\fR\|(7),
+\&\fBEVP_PKEY_sign\fR\|(3),
+\&\fBEVP_PKEY_verify\fR\|(3),
+FIPS 204 <https://csrc.nist.gov/pubs/fips/204/final>
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
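Review bot: The EXAMPLES block of the new EVP_SIGNATURE-ML-DSA.7 page will not compile as written. `do_sign` takes a parameter named `key` but the context is created from an undeclared `pkey`, and the cleanup line `EVP_SIGNATURE(sig_alg);` is not a call to any function. The two lines should read `EVP_PKEY_CTX *sctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);` and `EVP_SIGNATURE_free(sig_alg);`. The example also ignores the results of `EVP_SIGNATURE_fetch`, `EVP_PKEY_sign_message_init`, both `EVP_PKEY_sign` calls and `OPENSSL_zalloc`; since readers copy such examples, a short comment saying that each result must be checked before the signature buffer is used would help. The header says the page is generated by Pod::Man, so the correction presumably belongs in the upstream POD source rather than in this file.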
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7
index 25401e4167e9..5c5cccb27711 100644
--- a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-RSA.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,167 +52,172 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNATURE-RSA 7ossl"
-.TH EVP_SIGNATURE-RSA 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP_SIGNATURE-RSA 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
EVP_SIGNATURE\-RSA
\&\- The EVP_PKEY RSA signature implementation
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Support for computing \s-1RSA\s0 signatures.
-See \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7) for information related to \s-1RSA\s0 keys.
+Support for computing RSA signatures.
+See \fBEVP_PKEY\-RSA\fR\|(7) for information related to RSA keys.
+.SS "Algorithm Names"
+.IX Subsection "Algorithm Names"
+In this list, names are grouped together to signify that they are the same
+algorithm having multiple names. This also includes the OID in canonical
+decimal form (which means that they are possible to fetch if the caller has a
+mere OID which came out in this form after a call to \fBOBJ_obj2txt\fR\|(3)).
+.IP """RSA"", ""rsaEncryption"", ""1.2.840.113549.1.1.1""" 4
+.IX Item """RSA"", ""rsaEncryption"", ""1.2.840.113549.1.1.1"""
+The base signature algorithm, supported explicitly fetched with
+\&\fBEVP_PKEY_sign_init_ex2\fR\|(3), and implicitly fetched (through
+RSA keys) with \fBEVP_DigestSignInit\fR\|(3) and
+\&\fBEVP_DigestVerifyInit\fR\|(3).
+.Sp
+It can't be used with \fBEVP_PKEY_sign_message_init\fR\|(3)
+.IP """RSA\-RIPEMD160"", ""ripemd160WithRSA"", ""1.3.36.3.3.1.2""" 4
+.IX Item """RSA-RIPEMD160"", ""ripemd160WithRSA"", ""1.3.36.3.3.1.2"""
+.PD 0
+.IP """RSA\-SHA2\-256"", ""RSA\-SHA256"", ""sha256WithRSAEncryption"", ""1.2.840.113549.1.1.11""" 4
+.IX Item """RSA-SHA2-256"", ""RSA-SHA256"", ""sha256WithRSAEncryption"", ""1.2.840.113549.1.1.11"""
+.IP """RSA\-SHA2\-384"", ""RSA\-SHA384"", ""sha384WithRSAEncryption"", ""1.2.840.113549.1.1.12""" 4
+.IX Item """RSA-SHA2-384"", ""RSA-SHA384"", ""sha384WithRSAEncryption"", ""1.2.840.113549.1.1.12"""
+.IP """RSA\-SHA2\-512"", ""RSA\-SHA512"", ""sha512WithRSAEncryption"", ""1.2.840.113549.1.1.13""" 4
+.IX Item """RSA-SHA2-512"", ""RSA-SHA512"", ""sha512WithRSAEncryption"", ""1.2.840.113549.1.1.13"""
+.IP """RSA\-SHA2\-224"", ""RSA\-SHA224"", ""sha224WithRSAEncryption"", ""1.2.840.113549.1.1.14""" 4
+.IX Item """RSA-SHA2-224"", ""RSA-SHA224"", ""sha224WithRSAEncryption"", ""1.2.840.113549.1.1.14"""
+.IP """RSA\-SHA2\-512/224"", ""RSA\-SHA512\-224"", ""sha512\-224WithRSAEncryption"", ""1.2.840.113549.1.1.15""" 4
+.IX Item """RSA-SHA2-512/224"", ""RSA-SHA512-224"", ""sha512-224WithRSAEncryption"", ""1.2.840.113549.1.1.15"""
+.IP """RSA\-SHA2\-512/256"", ""RSA\-SHA512\-256"", ""sha512\-256WithRSAEncryption"", ""1.2.840.113549.1.1.16""" 4
+.IX Item """RSA-SHA2-512/256"", ""RSA-SHA512-256"", ""sha512-256WithRSAEncryption"", ""1.2.840.113549.1.1.16"""
+.IP """RSA\-SHA3\-224"", ""id\-rsassa\-pkcs1\-v1_5\-with\-sha3\-224"", ""2.16.840.1.101.3.4.3.13""" 4
+.IX Item """RSA-SHA3-224"", ""id-rsassa-pkcs1-v1_5-with-sha3-224"", ""2.16.840.1.101.3.4.3.13"""
+.IP """RSA\-SHA3\-256"", ""id\-rsassa\-pkcs1\-v1_5\-with\-sha3\-256"", ""2.16.840.1.101.3.4.3.14""" 4
+.IX Item """RSA-SHA3-256"", ""id-rsassa-pkcs1-v1_5-with-sha3-256"", ""2.16.840.1.101.3.4.3.14"""
+.IP """RSA\-SHA3\-384"", ""id\-rsassa\-pkcs1\-v1_5\-with\-sha3\-384"", ""2.16.840.1.101.3.4.3.15""" 4
+.IX Item """RSA-SHA3-384"", ""id-rsassa-pkcs1-v1_5-with-sha3-384"", ""2.16.840.1.101.3.4.3.15"""
+.IP """RSA\-SHA3\-512"", ""id\-rsassa\-pkcs1\-v1_5\-with\-sha3\-512"", ""2.16.840.1.101.3.4.3.16""" 4
+.IX Item """RSA-SHA3-512"", ""id-rsassa-pkcs1-v1_5-with-sha3-512"", ""2.16.840.1.101.3.4.3.16"""
+.IP """RSA\-SM3"", ""sm3WithRSAEncryption"", ""1.2.156.10197.1.504""" 4
+.IX Item """RSA-SM3"", ""sm3WithRSAEncryption"", ""1.2.156.10197.1.504"""
+.PD
+PKCS#1 v1.5 RSA signature schemes with diverse message digest algorithms. They
+are all supported explicitly fetched with \fBEVP_PKEY_sign_init_ex2\fR\|(3) and
+\&\fBEVP_PKEY_sign_message_init\fR\|(3).
+They are all pre-set to use the pad mode "pkcs1". This cannot be changed.
.SS "Signature Parameters"
.IX Subsection "Signature Parameters"
The following signature parameters can be set using \fBEVP_PKEY_CTX_set_params()\fR.
This may be called after \fBEVP_PKEY_sign_init()\fR or \fBEVP_PKEY_verify_init()\fR,
-and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR.
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+and before calling \fBEVP_PKEY_sign()\fR or \fBEVP_PKEY_verify()\fR. They may also be set
+using \fBEVP_PKEY_sign_init_ex()\fR or \fBEVP_PKEY_verify_init_ex()\fR.
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """properties"" (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_SIGNATURE_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
.PD
+These are not supported with the RSA signature schemes that already include a
+message digest algorithm, See "Algorithm Names" above.
+.Sp
These common parameters are described in \fBprovider\-signature\fR\|(7).
-.ie n .IP """pad-mode"" (\fB\s-1OSSL_SIGNATURE_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``pad-mode'' (\fB\s-1OSSL_SIGNATURE_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "pad-mode (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>"
+.IP """pad-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4
+.IX Item """pad-mode"" (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>"
The type of padding to be used. Its value can be one of the following:
.RS 4
-.ie n .IP """none"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_NONE\s0\fR)" 4
-.el .IP "``none'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_NONE\s0\fR)" 4
-.IX Item "none (OSSL_PKEY_RSA_PAD_MODE_NONE)"
+.IP """none"" (\fBOSSL_PKEY_RSA_PAD_MODE_NONE\fR)" 4
+.IX Item """none"" (OSSL_PKEY_RSA_PAD_MODE_NONE)"
.PD 0
-.ie n .IP """pkcs1"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_PKCSV15\s0\fR)" 4
-.el .IP "``pkcs1'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_PKCSV15\s0\fR)" 4
-.IX Item "pkcs1 (OSSL_PKEY_RSA_PAD_MODE_PKCSV15)"
-.ie n .IP """x931"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_X931\s0\fR)" 4
-.el .IP "``x931'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_X931\s0\fR)" 4
-.IX Item "x931 (OSSL_PKEY_RSA_PAD_MODE_X931)"
-.ie n .IP """pss"" (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_PSS\s0\fR)" 4
-.el .IP "``pss'' (\fB\s-1OSSL_PKEY_RSA_PAD_MODE_PSS\s0\fR)" 4
-.IX Item "pss (OSSL_PKEY_RSA_PAD_MODE_PSS)"
+.IP """pkcs1"" (\fBOSSL_PKEY_RSA_PAD_MODE_PKCSV15\fR)" 4
+.IX Item """pkcs1"" (OSSL_PKEY_RSA_PAD_MODE_PKCSV15)"
+.IP """x931"" (\fBOSSL_PKEY_RSA_PAD_MODE_X931\fR)" 4
+.IX Item """x931"" (OSSL_PKEY_RSA_PAD_MODE_X931)"
+.PD
+This padding mode is no longer supported by the FIPS provider for signature
+generation, but may be used for signature verification for legacy use cases.
+(This is a FIPS 140\-3 requirement)
+.IP """pss"" (\fBOSSL_PKEY_RSA_PAD_MODE_PSS\fR)" 4
+.IX Item """pss"" (OSSL_PKEY_RSA_PAD_MODE_PSS)"
.RE
.RS 4
.RE
-.ie n .IP """mgf1\-digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-digest (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>"
+.PD 0
+.IP """mgf1\-digest"" (\fBOSSL_SIGNATURE_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mgf1-digest"" (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>"
.PD
-The digest algorithm name to use for the maskGenAlgorithm used by \*(L"pss\*(R" mode.
-.ie n .IP """mgf1\-properties"" (\fB\s-1OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-properties'' (\fB\s-1OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-properties (OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES) <UTF8 string>"
-Sets the name of the property query associated with the \*(L"mgf1\-digest\*(R" algorithm.
-\&\s-1NULL\s0 is used if this optional value is not set.
-.ie n .IP """saltlen"" (\fB\s-1OSSL_SIGNATURE_PARAM_PSS_SALTLEN\s0\fR) <integer> or <\s-1UTF8\s0 string>" 4
-.el .IP "``saltlen'' (\fB\s-1OSSL_SIGNATURE_PARAM_PSS_SALTLEN\s0\fR) <integer> or <\s-1UTF8\s0 string>" 4
-.IX Item "saltlen (OSSL_SIGNATURE_PARAM_PSS_SALTLEN) <integer> or <UTF8 string>"
-The \*(L"pss\*(R" mode minimum salt length. The value can either be an integer,
+The digest algorithm name to use for the maskGenAlgorithm used by "pss" mode.
+.IP """mgf1\-properties"" (\fBOSSL_SIGNATURE_PARAM_MGF1_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """mgf1-properties"" (OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES) <UTF8 string>"
+Sets the name of the property query associated with the "mgf1\-digest" algorithm.
+NULL is used if this optional value is not set.
+.IP """saltlen"" (\fBOSSL_SIGNATURE_PARAM_PSS_SALTLEN\fR) <integer> or <UTF8 string>" 4
+.IX Item """saltlen"" (OSSL_SIGNATURE_PARAM_PSS_SALTLEN) <integer> or <UTF8 string>"
+The "pss" mode minimum salt length. The value can either be an integer,
a string value representing a number or one of the following string values:
.RS 4
-.ie n .IP """digest"" (\fB\s-1OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST\s0\fR)" 4
-.el .IP "``digest'' (\fB\s-1OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST\s0\fR)" 4
-.IX Item "digest (OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST)"
+.IP """digest"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST\fR)" 4
+.IX Item """digest"" (OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST)"
Use the same length as the digest size.
-.ie n .IP """max"" (\fB\s-1OSSL_PKEY_RSA_PSS_SALT_LEN_MAX\s0\fR)" 4
-.el .IP "``max'' (\fB\s-1OSSL_PKEY_RSA_PSS_SALT_LEN_MAX\s0\fR)" 4
-.IX Item "max (OSSL_PKEY_RSA_PSS_SALT_LEN_MAX)"
+.IP """max"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_MAX\fR)" 4
+.IX Item """max"" (OSSL_PKEY_RSA_PSS_SALT_LEN_MAX)"
Use the maximum salt length.
-.ie n .IP """auto"" (\fB\s-1OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO\s0\fR)" 4
-.el .IP "``auto'' (\fB\s-1OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO\s0\fR)" 4
-.IX Item "auto (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO)"
+.IP """auto"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO\fR)" 4
+.IX Item """auto"" (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO)"
Auto detect the salt length.
+.IP """auto-digestmax"" (\fBOSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX\fR)" 4
+.IX Item """auto-digestmax"" (OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX)"
+Auto detect the salt length when verifying. Maximize the salt length up to the
+digest size when signing to comply with FIPS 186\-4 section 5.5.
.RE
.RS 4
.RE
.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>"
+.PD 0
+.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>"
+.IP """sign\-x931\-pad\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK\fR) <integer>" 4
+.IX Item """sign-x931-pad-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) <integer>"
+.PD
+These parameters are described in \fBprovider\-signature\fR\|(7).
+.IP """rsa-pss-saltlen-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK\fR) <integer>" 4
+.IX Item """rsa-pss-saltlen-check"" (OSSL_SIGNATURE_PARAM_FIPS_RSA_PSS_SALTLEN_CHECK) <integer>"
+The default value of 1 causes an error during signature generation or
+verification if salt length (\fBOSSL_SIGNATURE_PARAM_PSS_SALTLEN\fR) is not between
+zero and the output block size of the digest function (inclusive).
+Setting this to zero will ignore the error and set the approved "fips-indicator"
+to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.PP
The following signature parameters can be retrieved using
\&\fBEVP_PKEY_CTX_get_params()\fR.
-.ie n .IP """algorithm-id"" (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.el .IP "``algorithm-id'' (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.IX Item "algorithm-id (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
-This common parameter is described in \fBprovider\-signature\fR\|(7).
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4
+.IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
+.PD 0
+.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4
+.IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>"
+.PD
+These common parameter are described in \fBprovider\-signature\fR\|(7).
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """pad-mode"" (\fB\s-1OSSL_SIGNATURE_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``pad-mode'' (\fB\s-1OSSL_SIGNATURE_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "pad-mode (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>"
-.ie n .IP """mgf1\-digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-digest (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>"
-.ie n .IP """saltlen"" (\fB\s-1OSSL_SIGNATURE_PARAM_PSS_SALTLEN\s0\fR) <integer> or <\s-1UTF8\s0 string>" 4
-.el .IP "``saltlen'' (\fB\s-1OSSL_SIGNATURE_PARAM_PSS_SALTLEN\s0\fR) <integer> or <\s-1UTF8\s0 string>" 4
-.IX Item "saltlen (OSSL_SIGNATURE_PARAM_PSS_SALTLEN) <integer> or <UTF8 string>"
+.IP """pad-mode"" (\fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR) <UTF8 string>" 4
+.IX Item """pad-mode"" (OSSL_SIGNATURE_PARAM_PAD_MODE) <UTF8 string>"
+.IP """mgf1\-digest"" (\fBOSSL_SIGNATURE_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mgf1-digest"" (OSSL_SIGNATURE_PARAM_MGF1_DIGEST) <UTF8 string>"
+.IP """saltlen"" (\fBOSSL_SIGNATURE_PARAM_PSS_SALTLEN\fR) <integer> or <UTF8 string>" 4
+.IX Item """saltlen"" (OSSL_SIGNATURE_PARAM_PSS_SALTLEN) <integer> or <UTF8 string>"
.PD
These parameters are as described above.
.SH "SEE ALSO"
@@ -237,11 +226,11 @@ These parameters are as described above.
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBprovider\-signature\fR\|(7),
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7 b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7
new file mode 100644
index 000000000000..6a90fa66242c
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/EVP_SIGNATURE-SLH-DSA.7
@@ -0,0 +1,176 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "EVP_SIGNATURE-SLH-DSA 7ossl"
+.TH EVP_SIGNATURE-SLH-DSA 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+EVP_SIGNATURE\-SLH\-DSA,
+EVP_SIGNATURE\-SLH\-DSA\-SHA2\-128s, EVP_SIGNATURE\-SLH\-DSA\-SHA2\-128f,
+EVP_SIGNATURE\-SLH\-DSA\-SHA2\-192s, EVP_SIGNATURE\-SLH\-DSA\-SHA2\-192f,
+EVP_SIGNATURE\-SLH\-DSA\-SHA2\-256s, EVP_SIGNATURE\-SLH\-DSA\-SHA2\-256f,
+EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-128s, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-128f,
+EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-192s, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-192f,
+EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-256s, EVP_SIGNATURE\-SLH\-DSA\-SHAKE\-256f
+\&\- EVP_PKEY SLH\-DSA support
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The \fBSLH\-DSA\-SHA2\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-128f\fR,
+\&\fBSLH\-DSA\-SHA2\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-192f\fR,
+\&\fBSLH\-DSA\-SHA2\-256s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHA2\-256f\fR,
+\&\fBSLH\-DSA\-SHAKE\-128s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-128f\fR,
+\&\fBSLH\-DSA\-SHAKE\-192s\fR, \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-192f\fR,
+\&\fBSLH\-DSA\-SHAKE\-256s\fR and \fBEVP_PKEY\-SLH\-DSA\-SHAKE\-256f\fR EVP_PKEY implementations
+supports key generation, one-shot sign and verify using the SLH-DSA
+signature schemes described in FIPS 205.
+.PP
+The different algorithms names correspond to the parameter sets defined in
+FIPS 205 Section 11 Table 2.
+\&\f(CW\*(C`s\*(C'\fR types have smaller signature sizes, and the \f(CW\*(C`f\*(C'\fR variants are faster,
+(The signatures range from ~8K to ~50K depending on the type chosen). There are
+3 different security categories also depending on the type.
+.PP
+\&\fBEVP_SIGNATURE_fetch\fR\|(3) can be used to explicitely fetch one of the 12
+algorithms which can then be used with \fBEVP_PKEY_sign_message_init\fR\|(3),
+\&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify_message_init\fR\|(3), and
+\&\fBEVP_PKEY_verify\fR\|(3) to perform one-shot message signing or verification.
+.PP
+The normal signing process (called Pure SLH-DSA Signature Generation)
+encodes the message internally as 0x00 || len(ctx) || ctx || message.
+where \fBctx\fR is some optional value of size 0x00..0xFF.
+OpenSSL also allows the message to not be encoded which is required for
+testing. OpenSSL does not support Pre Hash SLH-DSA Signature Generation, but this
+may be done by the user by doing Pre hash encoding externally and then chosing
+the option to not encode the message.
+.SS "SLH-DSA Signature Parameters"
+.IX Subsection "SLH-DSA Signature Parameters"
+The \f(CW\*(C`context\-string\*(C'\fR parameter, described below, can be used for both signing
+and verification.
+It may be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3) or
+\&\fBEVP_PKEY_verify_init_ex2\fR\|(3)
+.IP """context-string"" (\fBOSSL_SIGNATURE_PARAM_CONTEXT_STRING\fR) <octet string>" 4
+.IX Item """context-string"" (OSSL_SIGNATURE_PARAM_CONTEXT_STRING) <octet string>"
+A string of octets with length at most 255. By default it is the empty string.
+.PP
+The following parameters can be used when signing:
+They can be set by passing an OSSL_PARAM array to \fBEVP_PKEY_sign_init_ex2\fR\|(3).
+.IP """message-encoding"" (\fBOSSL_SIGNATURE_PARAM_MESSAGE_ENCODING\fR) <integer>" 4
+.IX Item """message-encoding"" (OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING) <integer>"
+The default value of 1 uses 'Pure SLH-DSA Signature Generation' as described
+above. Setting it to 0 does not encode the message, which is used for testing,
+but can also be used for 'Pre Hash SLH-DSA Signature Generation'.
+.IP """test-entropy"" (\fBOSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string\fR" 4
+.IX Item """test-entropy"" (OSSL_SIGNATURE_PARAM_TEST_ENTROPY <octet string"
+Used for testing to pass a optional random value.
+.IP """deterministic"" (\fBOSSL_SIGNATURE_PARAM_DETERMINISTIC\fR) <integer>" 4
+.IX Item """deterministic"" (OSSL_SIGNATURE_PARAM_DETERMINISTIC) <integer>"
+The default value of 0 generates a random value (using a DRBG) this is used when
+processing the message. Setting this to 1 causes the private key seed to be used
+instead. This value is ignored if "test-entropy" is set.
+.PP
+See \fBEVP_PKEY\-SLH\-DSA\fR\|(7) for information related to \fBSLH-DSA\fR keys.
+.SH NOTES
+.IX Header "NOTES"
+For backwards compatibility reasons \fBEVP_DigestSignInit_ex()\fR, \fBEVP_DigestSign()\fR,
+\&\fBEVP_DigestVerifyInit_ex()\fR and \fBEVP_DigestVerify()\fR may also be used, but the digest
+passed in \fImdname\fR must be NULL.
+.SH EXAMPLES
+.IX Header "EXAMPLES"
+To sign a message using an SLH-DSA EVP_PKEY structure:
+.PP
+.Vb 10
+\& void do_sign(EVP_PKEY *key, unsigned char *msg, size_t msg_len)
+\& {
+\& size_t sig_len;
+\& unsigned char *sig = NULL;
+\& const OSSL_PARAM params[] = {
+\& OSSL_PARAM_octet_string("context\-string", (unsigned char *)"A context string", 33),
+\& OSSL_PARAM_END
+\& };
+\& EVP_PKEY_CTX *sctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL);
+\& EVP_SIGNATURE *sig_alg = EVP_SIGNATURE_fetch(NULL, "SLH\-DSA\-SHA2\-128s", NULL);
+\&
+\& EVP_PKEY_sign_message_init(sctx, sig_alg, params);
+\& /* Calculate the required size for the signature by passing a NULL buffer. */
+\& EVP_PKEY_sign(sctx, NULL, &sig_len, msg, msg_len);
+\& sig = OPENSSL_zalloc(sig_len);
+\& EVP_PKEY_sign(sctx, sig, &sig_len, msg, msg_len);
+\& ...
+\& OPENSSL_free(sig);
+\& EVP_SIGNATURE(sig_alg);
+\& EVP_PKEY_CTX_free(sctx);
+\& }
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBEVP_PKEY\-SLH\-DSA\fR\|(7)
+\&\fBprovider\-signature\fR\|(7),
+\&\fBEVP_PKEY_sign\fR\|(3),
+\&\fBEVP_PKEY_verify\fR\|(3),
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/Makefile b/secure/lib/libcrypto/man/man7/Makefile
index 06def852520b..1518c54bb49f 100644
--- a/secure/lib/libcrypto/man/man7/Makefile
+++ b/secure/lib/libcrypto/man/man7/Makefile
@@ -14,12 +14,15 @@ MAN+= EVP_CIPHER-RC4.7
MAN+= EVP_CIPHER-RC5.7
MAN+= EVP_CIPHER-SEED.7
MAN+= EVP_CIPHER-SM4.7
+MAN+= EVP_KDF-ARGON2.7
MAN+= EVP_KDF-HKDF.7
+MAN+= EVP_KDF-HMAC-DRBG.7
MAN+= EVP_KDF-KB.7
MAN+= EVP_KDF-KRB5KDF.7
MAN+= EVP_KDF-PBKDF1.7
MAN+= EVP_KDF-PBKDF2.7
MAN+= EVP_KDF-PKCS12KDF.7
+MAN+= EVP_KDF-PVKKDF.7
MAN+= EVP_KDF-SCRYPT.7
MAN+= EVP_KDF-SS.7
MAN+= EVP_KDF-SSHKDF.7
@@ -28,7 +31,10 @@ MAN+= EVP_KDF-TLS1_PRF.7
MAN+= EVP_KDF-X942-ASN1.7
MAN+= EVP_KDF-X942-CONCAT.7
MAN+= EVP_KDF-X963.7
+MAN+= EVP_KEM-EC.7
+MAN+= EVP_KEM-ML-KEM.7
MAN+= EVP_KEM-RSA.7
+MAN+= EVP_KEM-X25519.7
MAN+= EVP_KEYEXCH-DH.7
MAN+= EVP_KEYEXCH-ECDH.7
MAN+= EVP_KEYEXCH-X25519.7
@@ -40,6 +46,7 @@ MAN+= EVP_MAC-KMAC.7
MAN+= EVP_MAC-Poly1305.7
MAN+= EVP_MAC-Siphash.7
MAN+= EVP_MD-BLAKE2.7
+MAN+= EVP_MD-KECCAK.7
MAN+= EVP_MD-MD2.7
MAN+= EVP_MD-MD4.7
MAN+= EVP_MD-MD5-SHA1.7
@@ -59,12 +66,17 @@ MAN+= EVP_PKEY-DSA.7
MAN+= EVP_PKEY-EC.7
MAN+= EVP_PKEY-FFC.7
MAN+= EVP_PKEY-HMAC.7
+MAN+= EVP_PKEY-ML-DSA.7
+MAN+= EVP_PKEY-ML-KEM.7
MAN+= EVP_PKEY-RSA.7
+MAN+= EVP_PKEY-SLH-DSA.7
MAN+= EVP_PKEY-SM2.7
MAN+= EVP_PKEY-X25519.7
+MAN+= EVP_RAND-CRNG-TEST.7
MAN+= EVP_RAND-CTR-DRBG.7
MAN+= EVP_RAND-HASH-DRBG.7
MAN+= EVP_RAND-HMAC-DRBG.7
+MAN+= EVP_RAND-JITTER.7
MAN+= EVP_RAND-SEED-SRC.7
MAN+= EVP_RAND-TEST-RAND.7
MAN+= EVP_RAND.7
@@ -72,17 +84,19 @@ MAN+= EVP_SIGNATURE-DSA.7
MAN+= EVP_SIGNATURE-ECDSA.7
MAN+= EVP_SIGNATURE-ED25519.7
MAN+= EVP_SIGNATURE-HMAC.7
+MAN+= EVP_SIGNATURE-ML-DSA.7
MAN+= EVP_SIGNATURE-RSA.7
+MAN+= EVP_SIGNATURE-SLH-DSA.7
MAN+= OSSL_PROVIDER-FIPS.7
MAN+= OSSL_PROVIDER-base.7
MAN+= OSSL_PROVIDER-default.7
MAN+= OSSL_PROVIDER-legacy.7
MAN+= OSSL_PROVIDER-null.7
+MAN+= OSSL_STORE-winstore.7
MAN+= RAND.7
MAN+= RSA-PSS.7
MAN+= X25519.7
MAN+= bio.7
-MAN+= crypto.7
MAN+= ct.7
MAN+= des_modes.7
MAN+= evp.7
@@ -93,14 +107,30 @@ MAN+= life_cycle-kdf.7
MAN+= life_cycle-mac.7
MAN+= life_cycle-pkey.7
MAN+= life_cycle-rand.7
-MAN+= migration_guide.7
MAN+= openssl-core.h.7
MAN+= openssl-core_dispatch.h.7
MAN+= openssl-core_names.h.7
MAN+= openssl-env.7
MAN+= openssl-glossary.7
+MAN+= openssl-qlog.7
+MAN+= openssl-quic-concurrency.7
+MAN+= openssl-quic.7
MAN+= openssl-threads.7
MAN+= openssl_user_macros.7
+MAN+= ossl-guide-introduction.7
+MAN+= ossl-guide-libcrypto-introduction.7
+MAN+= ossl-guide-libraries-introduction.7
+MAN+= ossl-guide-libssl-introduction.7
+MAN+= ossl-guide-quic-client-block.7
+MAN+= ossl-guide-quic-client-non-block.7
+MAN+= ossl-guide-quic-introduction.7
+MAN+= ossl-guide-quic-multi-stream.7
+MAN+= ossl-guide-quic-server-block.7
+MAN+= ossl-guide-quic-server-non-block.7
+MAN+= ossl-guide-tls-client-block.7
+MAN+= ossl-guide-tls-client-non-block.7
+MAN+= ossl-guide-tls-introduction.7
+MAN+= ossl-guide-tls-server-block.7
MAN+= ossl_store-file.7
MAN+= ossl_store.7
MAN+= passphrase-encoding.7
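Review bot: `migration_guide.7` is dropped from the MAN list in this hunk, and none of the added `ossl-guide-*` entries takes its place. Upstream OpenSSL appears to have renamed that page to `ossl-guide-migration.7` (worth confirming against the imported doc/man7 tree), so the migration guide may no longer be installed after this change. If the page was imported, add `MAN+= ossl-guide-migration.7` after `MAN+= ossl-guide-libssl-introduction.7`. The `crypto.7` and `ssl.7` removals in the neighbouring hunks do have counterparts in the added libcrypto and libssl introduction pages, so only this entry looks unmatched.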
@@ -119,10 +149,10 @@ MAN+= provider-mac.7
MAN+= provider-object.7
MAN+= provider-rand.7
MAN+= provider-signature.7
+MAN+= provider-skeymgmt.7
MAN+= provider-storemgmt.7
MAN+= provider.7
MAN+= proxy-certificates.7
-MAN+= ssl.7
MAN+= x509.7
MLINKS+= EVP_KEYEXCH-X25519.7 EVP_KEYEXCH-X448.7
MLINKS+= EVP_PKEY-HMAC.7 EVP_KEYMGMT-CMAC.7
diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7
index ba53edf486f7..b6f6a30026ca 100644
--- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7
+++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-FIPS.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,93 +52,31 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PROVIDER-FIPS 7ossl"
-.TH OSSL_PROVIDER-FIPS 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PROVIDER-FIPS 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PROVIDER\-FIPS \- OpenSSL FIPS provider
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The OpenSSL \s-1FIPS\s0 provider is a special provider that conforms to the Federal
-Information Processing Standards (\s-1FIPS\s0) specified in \s-1FIPS 140\-2.\s0 This 'module'
+The OpenSSL FIPS provider is a special provider that conforms to the Federal
+Information Processing Standards (FIPS) specified in FIPS 140\-3. This 'module'
contains an approved set of cryptographic algorithms that is validated by an
accredited testing laboratory.
-.SS "Properties"
+.SS Properties
.IX Subsection "Properties"
The implementations in this provider specifically have these properties
defined:
-.ie n .IP """provider=fips""" 4
-.el .IP "``provider=fips''" 4
-.IX Item "provider=fips"
+.IP """provider=fips""" 4
+.IX Item """provider=fips"""
.PD 0
-.ie n .IP """fips=yes""" 4
-.el .IP "``fips=yes''" 4
-.IX Item "fips=yes"
+.IP """fips=yes""" 4
+.IX Item """fips=yes"""
.PD
.PP
It may be used in a property query string with fetching functions such as
@@ -162,341 +84,426 @@ It may be used in a property query string with fetching functions such as
functions that take a property query string, such as
\&\fBEVP_PKEY_CTX_new_from_name\fR\|(3).
.PP
-It isn't mandatory to query for any of these properties, except to
-make sure to get implementations of this provider and none other.
+To be FIPS compliant, it is mandatory to include \f(CW\*(C`fips=yes\*(C'\fR as
+part of all property queries. This ensures that only FIPS approved
+implementations are used for cryptographic operations. The \f(CW\*(C`fips=yes\*(C'\fR
+query may also include other non-crypto support operations that
+are not in the FIPS provider, such as asymmetric key encoders, see
+"Asymmetric Key Management" in \fBOSSL_PROVIDER\-default\fR\|(7).
.PP
-The \*(L"fips=yes\*(R" property can be use to make sure only \s-1FIPS\s0 approved
-implementations are used for crypto operations. This may also include
-other non-crypto support operations that are not in the \s-1FIPS\s0 provider,
-such as asymmetric key encoders,
-see \*(L"Asymmetric Key Management\*(R" in \fBOSSL_PROVIDER\-default\fR\|(7).
+It is not mandatory to include \f(CW\*(C`provider=fips\*(C'\fR as part of your property
+query. Including \f(CW\*(C`provider=fips\*(C'\fR in your property query guarantees
+that the OpenSSL FIPS provider is used for cryptographic operations
+rather than other FIPS capable providers.
+.SS "Provider parameters"
+.IX Subsection "Provider parameters"
+See "Provider parameters" in \fBprovider\-base\fR\|(7) for a list of base parameters.
+Additionally the OpenSSL FIPS provider also supports the following gettable
+parameters:
+.IP """security-checks"" (\fBOSSL_OSSL_PROV_PARAM_SECURITY_CHECKS\fR) <unsigned integer>" 4
+.IX Item """security-checks"" (OSSL_OSSL_PROV_PARAM_SECURITY_CHECKS) <unsigned integer>"
+For further information refer to the \fBopenssl\-fipsinstall\fR\|(1) option
+\&\fB\-no_security_checks\fR.
.SH "OPERATIONS AND ALGORITHMS"
.IX Header "OPERATIONS AND ALGORITHMS"
-The OpenSSL \s-1FIPS\s0 provider supports these operations and algorithms:
+The OpenSSL FIPS provider supports these operations and algorithms:
.SS "Hashing Algorithms / Message Digests"
.IX Subsection "Hashing Algorithms / Message Digests"
-.IP "\s-1SHA1,\s0 see \s-1\fBEVP_MD\-SHA1\s0\fR\|(7)" 4
+.IP "SHA1, see \fBEVP_MD\-SHA1\fR\|(7)" 4
.IX Item "SHA1, see EVP_MD-SHA1"
.PD 0
-.IP "\s-1SHA2,\s0 see \s-1\fBEVP_MD\-SHA2\s0\fR\|(7)" 4
+.IP "SHA2, see \fBEVP_MD\-SHA2\fR\|(7)" 4
.IX Item "SHA2, see EVP_MD-SHA2"
-.IP "\s-1SHA3,\s0 see \s-1\fBEVP_MD\-SHA3\s0\fR\|(7)" 4
+.IP "SHA3, see \fBEVP_MD\-SHA3\fR\|(7)" 4
.IX Item "SHA3, see EVP_MD-SHA3"
-.IP "KECCAK-KMAC, see \s-1\fBEVP_MD\-KECCAK\-KMAC\s0\fR\|(7)" 4
+.IP "KECCAK-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4
.IX Item "KECCAK-KMAC, see EVP_MD-KECCAK-KMAC"
+.IP "SHAKE, see \fBEVP_MD\-SHAKE\fR\|(7)" 4
+.IX Item "SHAKE, see EVP_MD-SHAKE"
.PD
.SS "Symmetric Ciphers"
.IX Subsection "Symmetric Ciphers"
-.IP "\s-1AES,\s0 see \s-1\fBEVP_CIPHER\-AES\s0\fR\|(7)" 4
+.IP "AES, see \fBEVP_CIPHER\-AES\fR\|(7)" 4
.IX Item "AES, see EVP_CIPHER-AES"
.PD 0
-.IP "\s-1DES\-EDE3\s0 (TripleDES), see \s-1\fBEVP_CIPHER\-DES\s0\fR\|(7)" 4
-.IX Item "DES-EDE3 (TripleDES), see EVP_CIPHER-DES"
+.IP "3DES, see \fBEVP_CIPHER\-DES\fR\|(7)" 4
+.IX Item "3DES, see EVP_CIPHER-DES"
.PD
-.SS "Message Authentication Code (\s-1MAC\s0)"
+This is an unapproved algorithm.
+.SS "Message Authentication Code (MAC)"
.IX Subsection "Message Authentication Code (MAC)"
-.IP "\s-1CMAC,\s0 see \s-1\fBEVP_MAC\-CMAC\s0\fR\|(7)" 4
+.IP "CMAC, see \fBEVP_MAC\-CMAC\fR\|(7)" 4
.IX Item "CMAC, see EVP_MAC-CMAC"
.PD 0
-.IP "\s-1GMAC,\s0 see \s-1\fBEVP_MAC\-GMAC\s0\fR\|(7)" 4
+.IP "GMAC, see \fBEVP_MAC\-GMAC\fR\|(7)" 4
.IX Item "GMAC, see EVP_MAC-GMAC"
-.IP "\s-1HMAC,\s0 see \s-1\fBEVP_MAC\-HMAC\s0\fR\|(7)" 4
+.IP "HMAC, see \fBEVP_MAC\-HMAC\fR\|(7)" 4
.IX Item "HMAC, see EVP_MAC-HMAC"
-.IP "\s-1KMAC,\s0 see \s-1\fBEVP_MAC\-KMAC\s0\fR\|(7)" 4
+.IP "KMAC, see \fBEVP_MAC\-KMAC\fR\|(7)" 4
.IX Item "KMAC, see EVP_MAC-KMAC"
.PD
-.SS "Key Derivation Function (\s-1KDF\s0)"
+.SS "Key Derivation Function (KDF)"
.IX Subsection "Key Derivation Function (KDF)"
-.IP "\s-1HKDF,\s0 see \s-1\fBEVP_KDF\-HKDF\s0\fR\|(7)" 4
+.IP "HKDF, see \fBEVP_KDF\-HKDF\fR\|(7)" 4
.IX Item "HKDF, see EVP_KDF-HKDF"
.PD 0
-.IP "\s-1TLS13\-KDF,\s0 see \s-1\fBEVP_KDF\-TLS13_KDF\s0\fR\|(7)" 4
+.IP "TLS13\-KDF, see \fBEVP_KDF\-TLS13_KDF\fR\|(7)" 4
.IX Item "TLS13-KDF, see EVP_KDF-TLS13_KDF"
-.IP "\s-1SSKDF,\s0 see \s-1\fBEVP_KDF\-SS\s0\fR\|(7)" 4
+.IP "SSKDF, see \fBEVP_KDF\-SS\fR\|(7)" 4
.IX Item "SSKDF, see EVP_KDF-SS"
-.IP "\s-1PBKDF2,\s0 see \s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7)" 4
+.IP "PBKDF2, see \fBEVP_KDF\-PBKDF2\fR\|(7)" 4
.IX Item "PBKDF2, see EVP_KDF-PBKDF2"
-.IP "\s-1SSHKDF,\s0 see \s-1\fBEVP_KDF\-SSHKDF\s0\fR\|(7)" 4
+.IP "SSHKDF, see \fBEVP_KDF\-SSHKDF\fR\|(7)" 4
.IX Item "SSHKDF, see EVP_KDF-SSHKDF"
-.IP "\s-1TLS1\-PRF,\s0 see \s-1\fBEVP_KDF\-TLS1_PRF\s0\fR\|(7)" 4
+.IP "TLS1\-PRF, see \fBEVP_KDF\-TLS1_PRF\fR\|(7)" 4
.IX Item "TLS1-PRF, see EVP_KDF-TLS1_PRF"
-.IP "\s-1KBKDF,\s0 see \s-1\fBEVP_KDF\-KB\s0\fR\|(7)" 4
+.IP "KBKDF, see \fBEVP_KDF\-KB\fR\|(7)" 4
.IX Item "KBKDF, see EVP_KDF-KB"
-.IP "X942KDF\-ASN1, see \s-1\fBEVP_KDF\-X942\-ASN1\s0\fR\|(7)" 4
+.IP "X942KDF\-ASN1, see \fBEVP_KDF\-X942\-ASN1\fR\|(7)" 4
.IX Item "X942KDF-ASN1, see EVP_KDF-X942-ASN1"
-.IP "X942KDF\-CONCAT, see \s-1\fBEVP_KDF\-X942\-CONCAT\s0\fR\|(7)" 4
+.IP "X942KDF\-CONCAT, see \fBEVP_KDF\-X942\-CONCAT\fR\|(7)" 4
.IX Item "X942KDF-CONCAT, see EVP_KDF-X942-CONCAT"
-.IP "X963KDF, see \s-1\fBEVP_KDF\-X963\s0\fR\|(7)" 4
+.IP "X963KDF, see \fBEVP_KDF\-X963\fR\|(7)" 4
.IX Item "X963KDF, see EVP_KDF-X963"
.PD
.SS "Key Exchange"
.IX Subsection "Key Exchange"
-.IP "\s-1DH,\s0 see \s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7)" 4
+.IP "DH, see \fBEVP_KEYEXCH\-DH\fR\|(7)" 4
.IX Item "DH, see EVP_KEYEXCH-DH"
.PD 0
-.IP "\s-1ECDH,\s0 see \s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7)" 4
+.IP "ECDH, see \fBEVP_KEYEXCH\-ECDH\fR\|(7)" 4
.IX Item "ECDH, see EVP_KEYEXCH-ECDH"
-.IP "X25519, see \s-1\fBEVP_KEYEXCH\-X25519\s0\fR\|(7)" 4
+.IP "X25519, see \fBEVP_KEYEXCH\-X25519\fR\|(7)" 4
.IX Item "X25519, see EVP_KEYEXCH-X25519"
-.IP "X448, see \s-1\fBEVP_KEYEXCH\-X448\s0\fR\|(7)" 4
+.IP "X448, see \fBEVP_KEYEXCH\-X448\fR\|(7)" 4
.IX Item "X448, see EVP_KEYEXCH-X448"
+.IP "ML-KEM, see \fBEVP_KEM\-ML\-KEM\fR\|(7)" 4
+.IX Item "ML-KEM, see EVP_KEM-ML-KEM"
+.IP TLS1\-PRF 4
+.IX Item "TLS1-PRF"
+.IP HKDF 4
+.IX Item "HKDF"
.PD
.SS "Asymmetric Signature"
.IX Subsection "Asymmetric Signature"
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_SIGNATURE\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_SIGNATURE\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_SIGNATURE-RSA"
+The \fBX931\fR padding mode "OSSL_PKEY_RSA_PAD_MODE_X931" is no longer supported
+for signature generation, but may be used for verification for legacy use cases.
+(This is a FIPS 140\-3 requirement)
+.IP "DSA, see \fBEVP_SIGNATURE\-DSA\fR\|(7)" 4
+.IX Item "DSA, see EVP_SIGNATURE-DSA"
.PD 0
-.IP "X25519, see \s-1\fBEVP_SIGNATURE\-ED25519\s0\fR\|(7)" 4
-.IX Item "X25519, see EVP_SIGNATURE-ED25519"
-.IP "X448, see \s-1\fBEVP_SIGNATURE\-ED448\s0\fR\|(7)" 4
-.IX Item "X448, see EVP_SIGNATURE-ED448"
-.IP "\s-1HMAC,\s0 see \s-1\fBEVP_SIGNATURE\-HMAC\s0\fR\|(7)" 4
+.IP "ED25519, see \fBEVP_SIGNATURE\-ED25519\fR\|(7)" 4
+.IX Item "ED25519, see EVP_SIGNATURE-ED25519"
+.IP "ED448, see \fBEVP_SIGNATURE\-ED448\fR\|(7)" 4
+.IX Item "ED448, see EVP_SIGNATURE-ED448"
+.IP "ECDSA, see \fBEVP_SIGNATURE\-ECDSA\fR\|(7)" 4
+.IX Item "ECDSA, see EVP_SIGNATURE-ECDSA"
+.IP "ML\-DSA\-44, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-44, see EVP_SIGNATURE-ML-DSA"
+.IP "ML\-DSA\-65, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-65, see EVP_SIGNATURE-ML-DSA"
+.IP "ML\-DSA\-87, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-87, see EVP_SIGNATURE-ML-DSA"
+.IP "SLH-DSA, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA, see EVP_SIGNATURE-SLH-DSA"
+.IP "HMAC, see \fBEVP_SIGNATURE\-HMAC\fR\|(7)" 4
.IX Item "HMAC, see EVP_SIGNATURE-HMAC"
-.IP "\s-1CMAC,\s0 see \s-1\fBEVP_SIGNATURE\-CMAC\s0\fR\|(7)" 4
+.IP "CMAC, see \fBEVP_SIGNATURE\-CMAC\fR\|(7)" 4
.IX Item "CMAC, see EVP_SIGNATURE-CMAC"
.PD
.SS "Asymmetric Cipher"
.IX Subsection "Asymmetric Cipher"
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_ASYM_CIPHER\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_ASYM_CIPHER\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_ASYM_CIPHER-RSA"
.SS "Asymmetric Key Encapsulation"
.IX Subsection "Asymmetric Key Encapsulation"
.PD 0
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_KEM\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_KEM\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_KEM-RSA"
.PD
.SS "Asymmetric Key Management"
.IX Subsection "Asymmetric Key Management"
-.IP "\s-1DH,\s0 see \s-1\fBEVP_KEYMGMT\-DH\s0\fR\|(7)" 4
+.IP "DH, see \fBEVP_KEYMGMT\-DH\fR\|(7)" 4
.IX Item "DH, see EVP_KEYMGMT-DH"
.PD 0
-.IP "\s-1DHX,\s0 see \s-1\fBEVP_KEYMGMT\-DHX\s0\fR\|(7)" 4
+.IP "DHX, see \fBEVP_KEYMGMT\-DHX\fR\|(7)" 4
.IX Item "DHX, see EVP_KEYMGMT-DHX"
-.IP "\s-1DSA,\s0 see \s-1\fBEVP_KEYMGMT\-DSA\s0\fR\|(7)" 4
+.IP "DSA, see \fBEVP_KEYMGMT\-DSA\fR\|(7)" 4
.IX Item "DSA, see EVP_KEYMGMT-DSA"
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_KEYMGMT\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_KEYMGMT\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_KEYMGMT-RSA"
-.IP "\s-1EC,\s0 see \s-1\fBEVP_KEYMGMT\-EC\s0\fR\|(7)" 4
+.IP RSA-PSS 4
+.IX Item "RSA-PSS"
+.IP "EC, see \fBEVP_KEYMGMT\-EC\fR\|(7)" 4
.IX Item "EC, see EVP_KEYMGMT-EC"
-.IP "X25519, see \s-1\fBEVP_KEYMGMT\-X25519\s0\fR\|(7)" 4
+.IP "X25519, see \fBEVP_KEYMGMT\-X25519\fR\|(7)" 4
.IX Item "X25519, see EVP_KEYMGMT-X25519"
-.IP "X448, see \s-1\fBEVP_KEYMGMT\-X448\s0\fR\|(7)" 4
+.PD
+This is an unapproved algorithm.
+.IP "X448, see \fBEVP_KEYMGMT\-X448\fR\|(7)" 4
.IX Item "X448, see EVP_KEYMGMT-X448"
+This is an unapproved algorithm.
+.IP "ED25519, see \fBEVP_KEYMGMT\-ED25519\fR\|(7)" 4
+.IX Item "ED25519, see EVP_KEYMGMT-ED25519"
+This is an unapproved algorithm.
+.IP "ED448, see \fBEVP_KEYMGMT\-ED448\fR\|(7)" 4
+.IX Item "ED448, see EVP_KEYMGMT-ED448"
+This is an unapproved algorithm.
+.IP TLS1\-PRF 4
+.IX Item "TLS1-PRF"
+.PD 0
+.IP HKDF 4
+.IX Item "HKDF"
+.IP "HMAC, see \fBEVP_KEYMGMT\-HMAC\fR\|(7)" 4
+.IX Item "HMAC, see EVP_KEYMGMT-HMAC"
+.IP "CMAC, see \fBEVP_KEYMGMT\-CMAC\fR\|(7)" 4
+.IX Item "CMAC, see EVP_KEYMGMT-CMAC"
+.IP "ML\-DSA\-44, see \fBEVP_KEYMGMT\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-44, see EVP_KEYMGMT-ML-DSA"
+.IP "ML\-DSA\-65, see \fBEVP_KEYMGMT\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-65, see EVP_KEYMGMT-ML-DSA"
+.IP "ML\-DSA\-87, see \fBEVP_KEYMGMT\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-87, see EVP_KEYMGMT-ML-DSA"
+.IP "SLH\-DSA\-SHA2\-128s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-128s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-128f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-128f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-192s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-192s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-192f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-192f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-256s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-256s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-256f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-256f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-128s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-128s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-128f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-128f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-192s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-192s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-192f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-192f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-256s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-256s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-256f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-256f, see EVP_KEYMGMT-SLH-DSA"
.PD
.SS "Random Number Generation"
.IX Subsection "Random Number Generation"
-.IP "CTR-DRBG, see \s-1\fBEVP_RAND\-CTR\-DRBG\s0\fR\|(7)" 4
-.IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG"
+.IP "CRNG-TEST, see \fBEVP_RAND\-CRNG\-TEST\fR\|(7)" 4
+.IX Item "CRNG-TEST, see EVP_RAND-CRNG-TEST"
.PD 0
-.IP "HASH-DRBG, see \s-1\fBEVP_RAND\-HASH\-DRBG\s0\fR\|(7)" 4
+.IP "CTR-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4
+.IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG"
+.IP "HASH-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4
.IX Item "HASH-DRBG, see EVP_RAND-HASH-DRBG"
-.IP "HMAC-DRBG, see \s-1\fBEVP_RAND\-HMAC\-DRBG\s0\fR\|(7)" 4
+.IP "HMAC-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4
.IX Item "HMAC-DRBG, see EVP_RAND-HMAC-DRBG"
-.IP "TEST-RAND, see \s-1\fBEVP_RAND\-TEST\-RAND\s0\fR\|(7)" 4
+.IP "TEST-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4
.IX Item "TEST-RAND, see EVP_RAND-TEST-RAND"
.PD
TEST-RAND is an unapproved algorithm.
.SH "SELF TESTING"
.IX Header "SELF TESTING"
-One of the requirements for the \s-1FIPS\s0 module is self testing. An optional callback
+One of the requirements for the FIPS module is self testing. An optional callback
mechanism is available to return information to the user using
\&\fBOSSL_SELF_TEST_set_callback\fR\|(3).
.PP
The parameters passed to the callback are described in \fBOSSL_SELF_TEST_new\fR\|(3)
.PP
-The OpenSSL \s-1FIPS\s0 module uses the following mechanism to provide information
+The OpenSSL FIPS module uses the following mechanism to provide information
about the self tests as they run.
This is useful for debugging if a self test is failing.
The callback also allows forcing any self test to fail, in order to check that
it operates correctly on failure.
Note that all self tests run even if a self test failure occurs.
.PP
-The \s-1FIPS\s0 module passes the following type(s) to \fBOSSL_SELF_TEST_onbegin()\fR.
-.ie n .IP """Module_Integrity"" (\fB\s-1OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY\s0\fR)" 4
-.el .IP "``Module_Integrity'' (\fB\s-1OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY\s0\fR)" 4
-.IX Item "Module_Integrity (OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)"
-Uses \s-1HMAC SHA256\s0 on the module file to validate that the module has not been
+The FIPS module passes the following type(s) to \fBOSSL_SELF_TEST_onbegin()\fR.
+.IP """Module_Integrity"" (\fBOSSL_SELF_TEST_TYPE_MODULE_INTEGRITY\fR)" 4
+.IX Item """Module_Integrity"" (OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)"
+Uses HMAC SHA256 on the module file to validate that the module has not been
modified. The integrity value is compared to a value written to a configuration
file during installation.
-.ie n .IP """Install_Integrity"" (\fB\s-1OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY\s0\fR)" 4
-.el .IP "``Install_Integrity'' (\fB\s-1OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY\s0\fR)" 4
-.IX Item "Install_Integrity (OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)"
-Uses \s-1HMAC SHA256\s0 on a fixed string to validate that the installation process
-has already been performed and the self test \s-1KATS\s0 have already been tested,
+.IP """Install_Integrity"" (\fBOSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY\fR)" 4
+.IX Item """Install_Integrity"" (OSSL_SELF_TEST_TYPE_INSTALL_INTEGRITY)"
+Uses HMAC SHA256 on a fixed string to validate that the installation process
+has already been performed and the self test KATS have already been tested,
The integrity value is compared to a value written to a configuration
file after successfully running the self tests during installation.
-.ie n .IP """KAT_Cipher"" (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_CIPHER\s0\fR)" 4
-.el .IP "``KAT_Cipher'' (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_CIPHER\s0\fR)" 4
-.IX Item "KAT_Cipher (OSSL_SELF_TEST_TYPE_KAT_CIPHER)"
+.IP """KAT_Cipher"" (\fBOSSL_SELF_TEST_TYPE_KAT_CIPHER\fR)" 4
+.IX Item """KAT_Cipher"" (OSSL_SELF_TEST_TYPE_KAT_CIPHER)"
Known answer test for a symmetric cipher.
-.ie n .IP """KAT_AsymmetricCipher"" (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER\s0\fR)" 4
-.el .IP "``KAT_AsymmetricCipher'' (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER\s0\fR)" 4
-.IX Item "KAT_AsymmetricCipher (OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER)"
+.IP """KAT_AsymmetricCipher"" (\fBOSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER\fR)" 4
+.IX Item """KAT_AsymmetricCipher"" (OSSL_SELF_TEST_TYPE_KAT_ASYM_CIPHER)"
Known answer test for a asymmetric cipher.
-.ie n .IP """KAT_Digest"" (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_DIGEST\s0\fR)" 4
-.el .IP "``KAT_Digest'' (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_DIGEST\s0\fR)" 4
-.IX Item "KAT_Digest (OSSL_SELF_TEST_TYPE_KAT_DIGEST)"
+.IP """KAT_Digest"" (\fBOSSL_SELF_TEST_TYPE_KAT_DIGEST\fR)" 4
+.IX Item """KAT_Digest"" (OSSL_SELF_TEST_TYPE_KAT_DIGEST)"
Known answer test for a digest.
-.ie n .IP """KAT_Signature"" (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_SIGNATURE\s0\fR)" 4
-.el .IP "``KAT_Signature'' (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_SIGNATURE\s0\fR)" 4
-.IX Item "KAT_Signature (OSSL_SELF_TEST_TYPE_KAT_SIGNATURE)"
+.IP """KAT_AsymmetricKeyGeneration"" (\fBOSSL_SELF_TEST_TYPE_KAT_ASYM_KEYGEN\fR)" 4
+.IX Item """KAT_AsymmetricKeyGeneration"" (OSSL_SELF_TEST_TYPE_KAT_ASYM_KEYGEN)"
+Known answer test for asymmetric key generation.
+.IP """KAT_Signature"" (\fBOSSL_SELF_TEST_TYPE_KAT_SIGNATURE\fR)" 4
+.IX Item """KAT_Signature"" (OSSL_SELF_TEST_TYPE_KAT_SIGNATURE)"
Known answer test for a signature.
-.ie n .IP """PCT_Signature"" (\fB\s-1OSSL_SELF_TEST_TYPE_PCT_SIGNATURE\s0\fR)" 4
-.el .IP "``PCT_Signature'' (\fB\s-1OSSL_SELF_TEST_TYPE_PCT_SIGNATURE\s0\fR)" 4
-.IX Item "PCT_Signature (OSSL_SELF_TEST_TYPE_PCT_SIGNATURE)"
+.IP """PCT_Signature"" (\fBOSSL_SELF_TEST_TYPE_PCT_SIGNATURE\fR)" 4
+.IX Item """PCT_Signature"" (OSSL_SELF_TEST_TYPE_PCT_SIGNATURE)"
Pairwise Consistency check for a signature.
-.ie n .IP """\s-1KAT_KDF""\s0 (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_KDF\s0\fR)" 4
-.el .IP "``\s-1KAT_KDF''\s0 (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_KDF\s0\fR)" 4
-.IX Item "KAT_KDF (OSSL_SELF_TEST_TYPE_KAT_KDF)"
+.IP """KAT_KDF"" (\fBOSSL_SELF_TEST_TYPE_KAT_KDF\fR)" 4
+.IX Item """KAT_KDF"" (OSSL_SELF_TEST_TYPE_KAT_KDF)"
Known answer test for a key derivation function.
-.ie n .IP """\s-1KAT_KA""\s0 (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_KA\s0\fR)" 4
-.el .IP "``\s-1KAT_KA''\s0 (\fB\s-1OSSL_SELF_TEST_TYPE_KAT_KA\s0\fR)" 4
-.IX Item "KAT_KA (OSSL_SELF_TEST_TYPE_KAT_KA)"
+.IP """KAT_KA"" (\fBOSSL_SELF_TEST_TYPE_KAT_KA\fR)" 4
+.IX Item """KAT_KA"" (OSSL_SELF_TEST_TYPE_KAT_KA)"
Known answer test for key agreement.
-.ie n .IP """\s-1DRBG""\s0 (\fB\s-1OSSL_SELF_TEST_TYPE_DRBG\s0\fR)" 4
-.el .IP "``\s-1DRBG''\s0 (\fB\s-1OSSL_SELF_TEST_TYPE_DRBG\s0\fR)" 4
-.IX Item "DRBG (OSSL_SELF_TEST_TYPE_DRBG)"
+.IP """KAT_KEM"" (\fBOSSL_SELF_TEST_TYPE_KAT_KEM\fR)" 4
+.IX Item """KAT_KEM"" (OSSL_SELF_TEST_TYPE_KAT_KEM)"
+Known answer test for key encapsulation.
+.IP """DRBG"" (\fBOSSL_SELF_TEST_TYPE_DRBG\fR)" 4
+.IX Item """DRBG"" (OSSL_SELF_TEST_TYPE_DRBG)"
Known answer test for a Deterministic Random Bit Generator.
-.ie n .IP """Conditional_PCT"" (\fB\s-1OSSL_SELF_TEST_TYPE_PCT\s0\fR)" 4
-.el .IP "``Conditional_PCT'' (\fB\s-1OSSL_SELF_TEST_TYPE_PCT\s0\fR)" 4
-.IX Item "Conditional_PCT (OSSL_SELF_TEST_TYPE_PCT)"
-Conditional test that is run during the generation of key pairs.
-.ie n .IP """Continuous_RNG_Test"" (\fB\s-1OSSL_SELF_TEST_TYPE_CRNG\s0\fR)" 4
-.el .IP "``Continuous_RNG_Test'' (\fB\s-1OSSL_SELF_TEST_TYPE_CRNG\s0\fR)" 4
-.IX Item "Continuous_RNG_Test (OSSL_SELF_TEST_TYPE_CRNG)"
+.IP """Conditional_PCT"" (\fBOSSL_SELF_TEST_TYPE_PCT\fR)" 4
+.IX Item """Conditional_PCT"" (OSSL_SELF_TEST_TYPE_PCT)"
+Conditional test that is run during the generation or importing of key pairs.
+.IP """Continuous_RNG_Test"" (\fBOSSL_SELF_TEST_TYPE_CRNG\fR)" 4
+.IX Item """Continuous_RNG_Test"" (OSSL_SELF_TEST_TYPE_CRNG)"
Continuous random number generator test.
.PP
-The \*(L"Module_Integrity\*(R" self test is always run at startup.
-The \*(L"Install_Integrity\*(R" self test is used to check if the self tests have
+The "Module_Integrity" self test is always run at startup.
+The "Install_Integrity" self test is used to check if the self tests have
already been run at installation time. If they have already run then the
self tests are not run on subsequent startups.
All other self test categories are run once at installation time, except for the
-\&\*(L"Pairwise_Consistency_Test\*(R".
+"Pairwise_Consistency_Test".
.PP
-There is only one instance of the \*(L"Module_Integrity\*(R" and \*(L"Install_Integrity\*(R"
+There is only one instance of the "Module_Integrity" and "Install_Integrity"
self tests. All other self tests may have multiple instances.
.PP
-The \s-1FIPS\s0 module passes the following descriptions(s) to \fBOSSL_SELF_TEST_onbegin()\fR.
-.ie n .IP """\s-1HMAC""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_INTEGRITY_HMAC\s0\fR)" 4
-.el .IP "``\s-1HMAC''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_INTEGRITY_HMAC\s0\fR)" 4
-.IX Item "HMAC (OSSL_SELF_TEST_DESC_INTEGRITY_HMAC)"
-\&\*(L"Module_Integrity\*(R" and \*(L"Install_Integrity\*(R" use this.
-.ie n .IP """\s-1RSA""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1\s0\fR)" 4
-.el .IP "``\s-1RSA''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1\s0\fR)" 4
-.IX Item "RSA (OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1)"
+The FIPS module passes the following descriptions(s) to \fBOSSL_SELF_TEST_onbegin()\fR.
+.IP """HMAC"" (\fBOSSL_SELF_TEST_DESC_INTEGRITY_HMAC\fR)" 4
+.IX Item """HMAC"" (OSSL_SELF_TEST_DESC_INTEGRITY_HMAC)"
+"Module_Integrity" and "Install_Integrity" use this.
+.IP """RSA"" (\fBOSSL_SELF_TEST_DESC_PCT_RSA_PKCS1\fR)" 4
+.IX Item """RSA"" (OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1)"
.PD 0
-.ie n .IP """\s-1ECDSA""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_PCT_ECDSA\s0\fR)" 4
-.el .IP "``\s-1ECDSA''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_PCT_ECDSA\s0\fR)" 4
-.IX Item "ECDSA (OSSL_SELF_TEST_DESC_PCT_ECDSA)"
-.ie n .IP """\s-1DSA""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_PCT_DSA\s0\fR)" 4
-.el .IP "``\s-1DSA''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_PCT_DSA\s0\fR)" 4
-.IX Item "DSA (OSSL_SELF_TEST_DESC_PCT_DSA)"
+.IP """RSA"" (\fBOSSL_SELF_TEST_DESC_PCT_RSA\fR)" 4
+.IX Item """RSA"" (OSSL_SELF_TEST_DESC_PCT_RSA)"
+.IP """ECDSA"" (\fBOSSL_SELF_TEST_DESC_PCT_ECDSA\fR)" 4
+.IX Item """ECDSA"" (OSSL_SELF_TEST_DESC_PCT_ECDSA)"
+.IP """EDDSA"" (\fBOSSL_SELF_TEST_DESC_PCT_EDDSA\fR)" 4
+.IX Item """EDDSA"" (OSSL_SELF_TEST_DESC_PCT_EDDSA)"
+.IP """DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_DSA\fR)" 4
+.IX Item """DSA"" (OSSL_SELF_TEST_DESC_PCT_DSA)"
+.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_DSA\fR)" 4
+.IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_PCT_ML_DSA)"
+.IP """ML-KEM"" (\fBOSSL_SELF_TEST_DESC_PCT_ML_KEM\fR)" 4
+.IX Item """ML-KEM"" (OSSL_SELF_TEST_DESC_PCT_ML_KEM)"
+.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_PCT_SLH_DSA\fR)" 4
+.IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_PCT_SLH_DSA)"
.PD
-Key generation tests used with the \*(L"Pairwise_Consistency_Test\*(R" type.
-.ie n .IP """RSA_Encrypt"" (\fB\s-1OSSL_SELF_TEST_DESC_ASYM_RSA_ENC\s0\fR)" 4
-.el .IP "``RSA_Encrypt'' (\fB\s-1OSSL_SELF_TEST_DESC_ASYM_RSA_ENC\s0\fR)" 4
-.IX Item "RSA_Encrypt (OSSL_SELF_TEST_DESC_ASYM_RSA_ENC)"
+Key generation tests used with the "Pairwise_Consistency_Test" type.
+.IP """RSA_Encrypt"" (\fBOSSL_SELF_TEST_DESC_ASYM_RSA_ENC\fR)" 4
+.IX Item """RSA_Encrypt"" (OSSL_SELF_TEST_DESC_ASYM_RSA_ENC)"
.PD 0
-.ie n .IP """RSA_Decrypt"" (\fB\s-1OSSL_SELF_TEST_DESC_ASYM_RSA_DEC\s0\fR)" 4
-.el .IP "``RSA_Decrypt'' (\fB\s-1OSSL_SELF_TEST_DESC_ASYM_RSA_DEC\s0\fR)" 4
-.IX Item "RSA_Decrypt (OSSL_SELF_TEST_DESC_ASYM_RSA_DEC)"
+.IP """RSA_Decrypt"" (\fBOSSL_SELF_TEST_DESC_ASYM_RSA_DEC\fR)" 4
+.IX Item """RSA_Decrypt"" (OSSL_SELF_TEST_DESC_ASYM_RSA_DEC)"
.PD
-\&\*(L"KAT_AsymmetricCipher\*(R" uses this to indicate an encrypt or decrypt \s-1KAT.\s0
-.ie n .IP """\s-1AES_GCM""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_CIPHER_AES_GCM\s0\fR)" 4
-.el .IP "``\s-1AES_GCM''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_CIPHER_AES_GCM\s0\fR)" 4
-.IX Item "AES_GCM (OSSL_SELF_TEST_DESC_CIPHER_AES_GCM)"
+"KAT_AsymmetricCipher" uses this to indicate an encrypt or decrypt KAT.
+.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_DSA\fR)" 4
+.IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_KEYGEN_ML_DSA)"
.PD 0
-.ie n .IP """AES_ECB_Decrypt"" (\fB\s-1OSSL_SELF_TEST_DESC_CIPHER_AES_ECB\s0\fR)" 4
-.el .IP "``AES_ECB_Decrypt'' (\fB\s-1OSSL_SELF_TEST_DESC_CIPHER_AES_ECB\s0\fR)" 4
-.IX Item "AES_ECB_Decrypt (OSSL_SELF_TEST_DESC_CIPHER_AES_ECB)"
-.ie n .IP """\s-1TDES""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_CIPHER_TDES\s0\fR)" 4
-.el .IP "``\s-1TDES''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_CIPHER_TDES\s0\fR)" 4
-.IX Item "TDES (OSSL_SELF_TEST_DESC_CIPHER_TDES)"
+.IP """ML-KEM"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_ML_KEM\fR)" 4
+.IX Item """ML-KEM"" (OSSL_SELF_TEST_DESC_KEYGEN_ML_KEM)"
+.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA\fR)" 4
+.IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_KEYGEN_SLH_DSA)"
.PD
-Symmetric cipher tests used with the \*(L"KAT_Cipher\*(R" type.
-.ie n .IP """\s-1SHA1""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_MD_SHA1\s0\fR)" 4
-.el .IP "``\s-1SHA1''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_MD_SHA1\s0\fR)" 4
-.IX Item "SHA1 (OSSL_SELF_TEST_DESC_MD_SHA1)"
+"KAT_AsymmetricKeyGeneration" uses this to indicate a key generation KAT.
+.IP """AES_GCM"" (\fBOSSL_SELF_TEST_DESC_CIPHER_AES_GCM\fR)" 4
+.IX Item """AES_GCM"" (OSSL_SELF_TEST_DESC_CIPHER_AES_GCM)"
.PD 0
-.ie n .IP """\s-1SHA2""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_MD_SHA2\s0\fR)" 4
-.el .IP "``\s-1SHA2''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_MD_SHA2\s0\fR)" 4
-.IX Item "SHA2 (OSSL_SELF_TEST_DESC_MD_SHA2)"
-.ie n .IP """\s-1SHA3""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_MD_SHA3\s0\fR)" 4
-.el .IP "``\s-1SHA3''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_MD_SHA3\s0\fR)" 4
-.IX Item "SHA3 (OSSL_SELF_TEST_DESC_MD_SHA3)"
+.IP """AES_ECB_Decrypt"" (\fBOSSL_SELF_TEST_DESC_CIPHER_AES_ECB\fR)" 4
+.IX Item """AES_ECB_Decrypt"" (OSSL_SELF_TEST_DESC_CIPHER_AES_ECB)"
+.IP """TDES"" (\fBOSSL_SELF_TEST_DESC_CIPHER_TDES\fR)" 4
+.IX Item """TDES"" (OSSL_SELF_TEST_DESC_CIPHER_TDES)"
.PD
-Digest tests used with the \*(L"KAT_Digest\*(R" type.
-.ie n .IP """\s-1DSA""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_SIGN_DSA\s0\fR)" 4
-.el .IP "``\s-1DSA''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_SIGN_DSA\s0\fR)" 4
-.IX Item "DSA (OSSL_SELF_TEST_DESC_SIGN_DSA)"
+Symmetric cipher tests used with the "KAT_Cipher" type.
+.IP """SHA1"" (\fBOSSL_SELF_TEST_DESC_MD_SHA1\fR)" 4
+.IX Item """SHA1"" (OSSL_SELF_TEST_DESC_MD_SHA1)"
.PD 0
-.ie n .IP """\s-1RSA""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_SIGN_RSA\s0\fR)" 4
-.el .IP "``\s-1RSA''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_SIGN_RSA\s0\fR)" 4
-.IX Item "RSA (OSSL_SELF_TEST_DESC_SIGN_RSA)"
-.ie n .IP """\s-1ECDSA""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_SIGN_ECDSA\s0\fR)" 4
-.el .IP "``\s-1ECDSA''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_SIGN_ECDSA\s0\fR)" 4
-.IX Item "ECDSA (OSSL_SELF_TEST_DESC_SIGN_ECDSA)"
+.IP """SHA2"" (\fBOSSL_SELF_TEST_DESC_MD_SHA2\fR)" 4
+.IX Item """SHA2"" (OSSL_SELF_TEST_DESC_MD_SHA2)"
+.IP """SHA3"" (\fBOSSL_SELF_TEST_DESC_MD_SHA3\fR)" 4
+.IX Item """SHA3"" (OSSL_SELF_TEST_DESC_MD_SHA3)"
.PD
-Signature tests used with the \*(L"KAT_Signature\*(R" type.
-.ie n .IP """\s-1ECDH""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KA_ECDH\s0\fR)" 4
-.el .IP "``\s-1ECDH''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KA_ECDH\s0\fR)" 4
-.IX Item "ECDH (OSSL_SELF_TEST_DESC_KA_ECDH)"
+Digest tests used with the "KAT_Digest" type.
+.IP """DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_DSA\fR)" 4
+.IX Item """DSA"" (OSSL_SELF_TEST_DESC_SIGN_DSA)"
.PD 0
-.ie n .IP """\s-1DH""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KA_DH\s0\fR)" 4
-.el .IP "``\s-1DH''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KA_DH\s0\fR)" 4
-.IX Item "DH (OSSL_SELF_TEST_DESC_KA_DH)"
+.IP """RSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_RSA\fR)" 4
+.IX Item """RSA"" (OSSL_SELF_TEST_DESC_SIGN_RSA)"
+.IP """ECDSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_ECDSA\fR)" 4
+.IX Item """ECDSA"" (OSSL_SELF_TEST_DESC_SIGN_ECDSA)"
+.IP """EDDSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_EDDSA\fR)" 4
+.IX Item """EDDSA"" (OSSL_SELF_TEST_DESC_SIGN_EDDSA)"
+.IP """ML-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_ML_DSA\fR)" 4
+.IX Item """ML-DSA"" (OSSL_SELF_TEST_DESC_SIGN_ML_DSA)"
+.IP """SLH-DSA"" (\fBOSSL_SELF_TEST_DESC_SIGN_SLH_DSA\fR)" 4
+.IX Item """SLH-DSA"" (OSSL_SELF_TEST_DESC_SIGN_SLH_DSA)"
.PD
-Key agreement tests used with the \*(L"\s-1KAT_KA\*(R"\s0 type.
-.ie n .IP """\s-1HKDF""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_HKDF\s0\fR)" 4
-.el .IP "``\s-1HKDF''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_HKDF\s0\fR)" 4
-.IX Item "HKDF (OSSL_SELF_TEST_DESC_KDF_HKDF)"
+Signature tests used with the "KAT_Signature" type.
+.IP """ECDH"" (\fBOSSL_SELF_TEST_DESC_KA_ECDH\fR)" 4
+.IX Item """ECDH"" (OSSL_SELF_TEST_DESC_KA_ECDH)"
.PD 0
-.ie n .IP """\s-1TLS13_KDF_EXTRACT""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT\s0\fR)" 4
-.el .IP "``\s-1TLS13_KDF_EXTRACT''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT\s0\fR)" 4
-.IX Item "TLS13_KDF_EXTRACT (OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT)"
-.ie n .IP """\s-1TLS13_KDF_EXPAND""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND\s0\fR)" 4
-.el .IP "``\s-1TLS13_KDF_EXPAND''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND\s0\fR)" 4
-.IX Item "TLS13_KDF_EXPAND (OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND)"
-.ie n .IP """\s-1SSKDF""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_SSKDF\s0\fR)" 4
-.el .IP "``\s-1SSKDF''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_SSKDF\s0\fR)" 4
-.IX Item "SSKDF (OSSL_SELF_TEST_DESC_KDF_SSKDF)"
-.ie n .IP """X963KDF"" (\fB\s-1OSSL_SELF_TEST_DESC_KDF_X963KDF\s0\fR)" 4
-.el .IP "``X963KDF'' (\fB\s-1OSSL_SELF_TEST_DESC_KDF_X963KDF\s0\fR)" 4
-.IX Item "X963KDF (OSSL_SELF_TEST_DESC_KDF_X963KDF)"
-.ie n .IP """X942KDF"" (\fB\s-1OSSL_SELF_TEST_DESC_KDF_X942KDF\s0\fR)" 4
-.el .IP "``X942KDF'' (\fB\s-1OSSL_SELF_TEST_DESC_KDF_X942KDF\s0\fR)" 4
-.IX Item "X942KDF (OSSL_SELF_TEST_DESC_KDF_X942KDF)"
-.ie n .IP """\s-1PBKDF2""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_PBKDF2\s0\fR)" 4
-.el .IP "``\s-1PBKDF2''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_PBKDF2\s0\fR)" 4
-.IX Item "PBKDF2 (OSSL_SELF_TEST_DESC_KDF_PBKDF2)"
-.ie n .IP """\s-1SSHKDF""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_SSHKDF\s0\fR)" 4
-.el .IP "``\s-1SSHKDF''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_SSHKDF\s0\fR)" 4
-.IX Item "SSHKDF (OSSL_SELF_TEST_DESC_KDF_SSHKDF)"
-.ie n .IP """\s-1TLS12_PRF""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_TLS12_PRF\s0\fR)" 4
-.el .IP "``\s-1TLS12_PRF''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_TLS12_PRF\s0\fR)" 4
-.IX Item "TLS12_PRF (OSSL_SELF_TEST_DESC_KDF_TLS12_PRF)"
-.ie n .IP """\s-1KBKDF""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_KBKDF\s0\fR)" 4
-.el .IP "``\s-1KBKDF''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_KDF_KBKDF\s0\fR)" 4
-.IX Item "KBKDF (OSSL_SELF_TEST_DESC_KDF_KBKDF)"
+.IP """DH"" (\fBOSSL_SELF_TEST_DESC_KA_DH\fR)" 4
+.IX Item """DH"" (OSSL_SELF_TEST_DESC_KA_DH)"
.PD
-Key Derivation Function tests used with the \*(L"\s-1KAT_KDF\*(R"\s0 type.
-.ie n .IP """\s-1CTR""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_DRBG_CTR\s0\fR)" 4
-.el .IP "``\s-1CTR''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_DRBG_CTR\s0\fR)" 4
-.IX Item "CTR (OSSL_SELF_TEST_DESC_DRBG_CTR)"
+Key agreement tests used with the "KAT_KA" type.
+.IP """HKDF"" (\fBOSSL_SELF_TEST_DESC_KDF_HKDF\fR)" 4
+.IX Item """HKDF"" (OSSL_SELF_TEST_DESC_KDF_HKDF)"
.PD 0
-.ie n .IP """\s-1HASH""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_DRBG_HASH\s0\fR)" 4
-.el .IP "``\s-1HASH''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_DRBG_HASH\s0\fR)" 4
-.IX Item "HASH (OSSL_SELF_TEST_DESC_DRBG_HASH)"
-.ie n .IP """\s-1HMAC""\s0 (\fB\s-1OSSL_SELF_TEST_DESC_DRBG_HMAC\s0\fR)" 4
-.el .IP "``\s-1HMAC''\s0 (\fB\s-1OSSL_SELF_TEST_DESC_DRBG_HMAC\s0\fR)" 4
-.IX Item "HMAC (OSSL_SELF_TEST_DESC_DRBG_HMAC)"
+.IP """TLS13_KDF_EXTRACT"" (\fBOSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT\fR)" 4
+.IX Item """TLS13_KDF_EXTRACT"" (OSSL_SELF_TEST_DESC_KDF_TLS13_EXTRACT)"
+.IP """TLS13_KDF_EXPAND"" (\fBOSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND\fR)" 4
+.IX Item """TLS13_KDF_EXPAND"" (OSSL_SELF_TEST_DESC_KDF_TLS13_EXPAND)"
+.IP """SSKDF"" (\fBOSSL_SELF_TEST_DESC_KDF_SSKDF\fR)" 4
+.IX Item """SSKDF"" (OSSL_SELF_TEST_DESC_KDF_SSKDF)"
+.IP """X963KDF"" (\fBOSSL_SELF_TEST_DESC_KDF_X963KDF\fR)" 4
+.IX Item """X963KDF"" (OSSL_SELF_TEST_DESC_KDF_X963KDF)"
+.IP """X942KDF"" (\fBOSSL_SELF_TEST_DESC_KDF_X942KDF\fR)" 4
+.IX Item """X942KDF"" (OSSL_SELF_TEST_DESC_KDF_X942KDF)"
+.IP """PBKDF2"" (\fBOSSL_SELF_TEST_DESC_KDF_PBKDF2\fR)" 4
+.IX Item """PBKDF2"" (OSSL_SELF_TEST_DESC_KDF_PBKDF2)"
+.IP """SSHKDF"" (\fBOSSL_SELF_TEST_DESC_KDF_SSHKDF\fR)" 4
+.IX Item """SSHKDF"" (OSSL_SELF_TEST_DESC_KDF_SSHKDF)"
+.IP """TLS12_PRF"" (\fBOSSL_SELF_TEST_DESC_KDF_TLS12_PRF\fR)" 4
+.IX Item """TLS12_PRF"" (OSSL_SELF_TEST_DESC_KDF_TLS12_PRF)"
+.IP """KBKDF"" (\fBOSSL_SELF_TEST_DESC_KDF_KBKDF\fR)" 4
+.IX Item """KBKDF"" (OSSL_SELF_TEST_DESC_KDF_KBKDF)"
.PD
-\&\s-1DRBG\s0 tests used with the \*(L"\s-1DRBG\*(R"\s0 type.
-.Sp
-= item \*(L"\s-1RNG\*(R"\s0 (\fB\s-1OSSL_SELF_TEST_DESC_RNG\s0\fR)
-.Sp
-\&\*(L"Continuous_RNG_Test\*(R" uses this.
-.SH "EXAMPLES"
+Key Encapsulation Function tests used with the "KAT_KEM" type.
+.IP """KEM_Encap"" (\fBOSSL_SELF_TEST_DESC_ENCAP_KEM\fR)" 4
+.IX Item """KEM_Encap"" (OSSL_SELF_TEST_DESC_ENCAP_KEM)"
+.PD 0
+.IP """KEM_Decap"" (\fBOSSL_SELF_TEST_DESC_DECAP_KEM\fR)" 4
+.IX Item """KEM_Decap"" (OSSL_SELF_TEST_DESC_DECAP_KEM)"
+.IP """KEM_Decap_Reject"" (\fBOSSL_SELF_TEST_DESC_DECAP_REJ_KEM\fR)" 4
+.IX Item """KEM_Decap_Reject"" (OSSL_SELF_TEST_DESC_DECAP_REJ_KEM)"
+.PD
+Key Derivation Function tests used with the "KAT_KDF" type.
+.IP """CTR"" (\fBOSSL_SELF_TEST_DESC_DRBG_CTR\fR)" 4
+.IX Item """CTR"" (OSSL_SELF_TEST_DESC_DRBG_CTR)"
+.PD 0
+.IP """HASH"" (\fBOSSL_SELF_TEST_DESC_DRBG_HASH\fR)" 4
+.IX Item """HASH"" (OSSL_SELF_TEST_DESC_DRBG_HASH)"
+.IP """HMAC"" (\fBOSSL_SELF_TEST_DESC_DRBG_HMAC\fR)" 4
+.IX Item """HMAC"" (OSSL_SELF_TEST_DESC_DRBG_HMAC)"
+.PD
+DRBG tests used with the "DRBG" type.
+.IP """RNG"" (\fBOSSL_SELF_TEST_DESC_RNG\fR)" 4
+.IX Item """RNG"" (OSSL_SELF_TEST_DESC_RNG)"
+"Continuous_RNG_Test" uses this.
+.SH EXAMPLES
.IX Header "EXAMPLES"
A simple self test callback is shown below for illustrative purposes.
.PP
@@ -544,37 +551,62 @@ A simple self test callback is shown below for illustrative purposes.
\& return ret;
\& }
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
Some released versions of OpenSSL do not include a validated
-\&\s-1FIPS\s0 provider. To determine which versions have undergone
+FIPS provider. To determine which versions have undergone
the validation process, please refer to the
OpenSSL Downloads page <https://www.openssl.org/source/>. If you
-require FIPS-approved functionality, it is essential to build your \s-1FIPS\s0
+require FIPS-approved functionality, it is essential to build your FIPS
provider using one of the validated versions listed there. Normally,
-it is possible to utilize a \s-1FIPS\s0 provider constructed from one of the
+it is possible to utilize a FIPS provider constructed from one of the
validated versions alongside \fIlibcrypto\fR and \fIlibssl\fR compiled from any
release within the same major release series. This flexibility enables
-you to address bug fixes and CVEs that fall outside the \s-1FIPS\s0 boundary.
+you to address bug fixes and CVEs that fall outside the FIPS boundary.
+.PP
+The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms,
+consequently the property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that
+want to operate in a FIPS approved manner. The algorithms are:
+.IP "Triple DES ECB" 4
+.IX Item "Triple DES ECB"
+.PD 0
+.IP "Triple DES CBC" 4
+.IX Item "Triple DES CBC"
+.IP EdDSA 4
+.IX Item "EdDSA"
+.PD
+.PP
+You can load the FIPS provider into multiple library contexts as any other
+provider. However the following restriction applies. The FIPS provider cannot
+be used by multiple copies of OpenSSL libcrypto in a single process.
+.PP
+As the provider saves core callbacks to the libcrypto obtained in the
+\&\fBOSSL_provider_init()\fR call to global data it will fail if subsequent
+invocations of its \fBOSSL_provider_init()\fR function yield different addresses
+of these callbacks than in the initial call. This happens when different
+copies of libcrypto are present in the memory of the process and both try
+to load the same FIPS provider. A workaround is to have a different copy
+of the FIPS provider loaded for each of the libcrypto instances in the
+process.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-fipsinstall\fR\|(1),
\&\fBfips_config\fR\|(5),
\&\fBOSSL_SELF_TEST_set_callback\fR\|(3),
\&\fBOSSL_SELF_TEST_new\fR\|(3),
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3),
+\&\fBOSSL_PARAM\fR\|(3),
\&\fBopenssl\-core.h\fR\|(7),
\&\fBopenssl\-core_dispatch.h\fR\|(7),
\&\fBprovider\fR\|(7),
<https://www.openssl.org/source/>
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7
index 6127b4d31f6c..c57b88535278 100644
--- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7
+++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-base.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,156 +52,228 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PROVIDER-BASE 7ossl"
-.TH OSSL_PROVIDER-BASE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PROVIDER-BASE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PROVIDER\-base \- OpenSSL base provider
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The OpenSSL base provider supplies the encoding for OpenSSL's
asymmetric cryptography.
-.SS "Properties"
+.SS Properties
.IX Subsection "Properties"
The implementations in this provider specifically have this property
defined:
-.ie n .IP """provider=base""" 4
-.el .IP "``provider=base''" 4
-.IX Item "provider=base"
+.IP """provider=base""" 4
+.IX Item """provider=base"""
.PP
It may be used in a property query string with fetching functions.
.PP
It isn't mandatory to query for this property, except to make sure to get
implementations of this provider and none other.
-.ie n .IP """type=parameters""" 4
-.el .IP "``type=parameters''" 4
-.IX Item "type=parameters"
+.IP """type=parameters""" 4
+.IX Item """type=parameters"""
.PD 0
-.ie n .IP """type=private""" 4
-.el .IP "``type=private''" 4
-.IX Item "type=private"
-.ie n .IP """type=public""" 4
-.el .IP "``type=public''" 4
-.IX Item "type=public"
+.IP """type=private""" 4
+.IX Item """type=private"""
+.IP """type=public""" 4
+.IX Item """type=public"""
.PD
.PP
These may be used in a property query string with fetching functions to select
which data are to be encoded. Either the private key material, the public
key material or the domain parameters can be selected.
-.ie n .IP """format=der""" 4
-.el .IP "``format=der''" 4
-.IX Item "format=der"
+.IP """format=der""" 4
+.IX Item """format=der"""
.PD 0
-.ie n .IP """format=pem""" 4
-.el .IP "``format=pem''" 4
-.IX Item "format=pem"
-.ie n .IP """format=text""" 4
-.el .IP "``format=text''" 4
-.IX Item "format=text"
+.IP """format=pem""" 4
+.IX Item """format=pem"""
+.IP """format=text""" 4
+.IX Item """format=text"""
.PD
.PP
These may be used in a property query string with fetching functions to select
-the encoding output format. Either the \s-1DER, PEM\s0 and plaintext are
+the encoding output format. Either the DER, PEM and plaintext are
currently permitted.
.SH "OPERATIONS AND ALGORITHMS"
.IX Header "OPERATIONS AND ALGORITHMS"
The OpenSSL base provider supports these operations and algorithms:
+.SS "Random Number Generation"
+.IX Subsection "Random Number Generation"
+.IP "SEED-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4
+.IX Item "SEED-SRC, see EVP_RAND-SEED-SRC"
+.PD 0
+.IP "JITTER, see \fBEVP_RAND\-JITTER\fR\|(7)" 4
+.IX Item "JITTER, see EVP_RAND-JITTER"
+.PD
+.PP
+In addition to this provider, the "SEED-SRC" and "JITTER" algorithms
+are also available in the default provider.
.SS "Asymmetric Key Encoder"
.IX Subsection "Asymmetric Key Encoder"
-In addition to \*(L"provider=base\*(R", some of these encoders define the
-property \*(L"fips=yes\*(R", to allow them to be used together with the \s-1FIPS\s0
-provider.
-.IP "\s-1RSA,\s0 see \s-1\fBOSSL_ENCODER\-RSA\s0\fR\|(7)" 4
-.IX Item "RSA, see OSSL_ENCODER-RSA"
+.IP RSA 4
+.IX Item "RSA"
.PD 0
-.IP "\s-1DH,\s0 see \s-1\fBOSSL_ENCODER\-DH\s0\fR\|(7)" 4
-.IX Item "DH, see OSSL_ENCODER-DH"
-.IP "\s-1DSA,\s0 see \s-1\fBOSSL_ENCODER\-DSA\s0\fR\|(7)" 4
-.IX Item "DSA, see OSSL_ENCODER-DSA"
-.IP "\s-1EC,\s0 see \s-1\fBOSSL_ENCODER\-EC\s0\fR\|(7)" 4
-.IX Item "EC, see OSSL_ENCODER-EC"
-.IP "X25519, see \s-1\fBOSSL_ENCODER\-X25519\s0\fR\|(7)" 4
-.IX Item "X25519, see OSSL_ENCODER-X25519"
-.IP "X448, see \s-1\fBOSSL_ENCODER\-X448\s0\fR\|(7)" 4
-.IX Item "X448, see OSSL_ENCODER-X448"
+.IP RSA-PSS 4
+.IX Item "RSA-PSS"
+.IP DH 4
+.IX Item "DH"
+.IP DHX 4
+.IX Item "DHX"
+.IP DSA 4
+.IX Item "DSA"
+.IP EC 4
+.IX Item "EC"
+.IP ED25519 4
+.IX Item "ED25519"
+.IP ED448 4
+.IX Item "ED448"
+.IP X25519 4
+.IX Item "X25519"
+.IP X448 4
+.IX Item "X448"
+.IP SM2 4
+.IX Item "SM2"
+.IP ML\-DSA\-44 4
+.IX Item "ML-DSA-44"
+.IP ML\-DSA\-65 4
+.IX Item "ML-DSA-65"
+.IP ML\-DSA\-87 4
+.IX Item "ML-DSA-87"
+.IP ML\-KEM\-512 4
+.IX Item "ML-KEM-512"
+.IP ML\-KEM\-768 4
+.IX Item "ML-KEM-768"
+.IP ML\-KEM\-1024 4
+.IX Item "ML-KEM-1024"
+.IP SLH\-DSA\-SHA2\-128s 4
+.IX Item "SLH-DSA-SHA2-128s"
+.IP SLH\-DSA\-SHA2\-128f 4
+.IX Item "SLH-DSA-SHA2-128f"
+.IP SLH\-DSA\-SHA2\-192s 4
+.IX Item "SLH-DSA-SHA2-192s"
+.IP SLH\-DSA\-SHA2\-192f 4
+.IX Item "SLH-DSA-SHA2-192f"
+.IP SLH\-DSA\-SHA2\-256s 4
+.IX Item "SLH-DSA-SHA2-256s"
+.IP SLH\-DSA\-SHA2\-256f 4
+.IX Item "SLH-DSA-SHA2-256f"
+.IP SLH\-DSA\-SHAKE\-128s 4
+.IX Item "SLH-DSA-SHAKE-128s"
+.IP SLH\-DSA\-SHAKE\-128f 4
+.IX Item "SLH-DSA-SHAKE-128f"
+.IP SLH\-DSA\-SHAKE\-192s 4
+.IX Item "SLH-DSA-SHAKE-192s"
+.IP SLH\-DSA\-SHAKE\-192f 4
+.IX Item "SLH-DSA-SHAKE-192f"
+.IP SLH\-DSA\-SHAKE\-256s 4
+.IX Item "SLH-DSA-SHAKE-256s"
+.IP SLH\-DSA\-SHAKE\-256f 4
+.IX Item "SLH-DSA-SHAKE-256f"
.PD
+.PP
+In addition to this provider, all of these encoding algorithms are also
+available in the default provider. Some of these algorithms may be used in
+combination with the FIPS provider.
+.SS "Asymmetric Key Decoder"
+.IX Subsection "Asymmetric Key Decoder"
+.IP RSA 4
+.IX Item "RSA"
+.PD 0
+.IP RSA-PSS 4
+.IX Item "RSA-PSS"
+.IP DH 4
+.IX Item "DH"
+.IP DHX 4
+.IX Item "DHX"
+.IP DSA 4
+.IX Item "DSA"
+.IP EC 4
+.IX Item "EC"
+.IP ED25519 4
+.IX Item "ED25519"
+.IP ED448 4
+.IX Item "ED448"
+.IP X25519 4
+.IX Item "X25519"
+.IP X448 4
+.IX Item "X448"
+.IP SM2 4
+.IX Item "SM2"
+.IP DER 4
+.IX Item "DER"
+.IP ML\-DSA\-44 4
+.IX Item "ML-DSA-44"
+.IP ML\-DSA\-65 4
+.IX Item "ML-DSA-65"
+.IP ML\-DSA\-87 4
+.IX Item "ML-DSA-87"
+.IP ML\-KEM\-512 4
+.IX Item "ML-KEM-512"
+.IP ML\-KEM\-768 4
+.IX Item "ML-KEM-768"
+.IP ML\-KEM\-1024 4
+.IX Item "ML-KEM-1024"
+.IP SLH\-DSA\-SHA2\-128s 4
+.IX Item "SLH-DSA-SHA2-128s"
+.IP SLH\-DSA\-SHA2\-128f 4
+.IX Item "SLH-DSA-SHA2-128f"
+.IP SLH\-DSA\-SHA2\-192s 4
+.IX Item "SLH-DSA-SHA2-192s"
+.IP SLH\-DSA\-SHA2\-192f 4
+.IX Item "SLH-DSA-SHA2-192f"
+.IP SLH\-DSA\-SHA2\-256s 4
+.IX Item "SLH-DSA-SHA2-256s"
+.IP SLH\-DSA\-SHA2\-256f 4
+.IX Item "SLH-DSA-SHA2-256f"
+.IP SLH\-DSA\-SHAKE\-128s 4
+.IX Item "SLH-DSA-SHAKE-128s"
+.IP SLH\-DSA\-SHAKE\-128f 4
+.IX Item "SLH-DSA-SHAKE-128f"
+.IP SLH\-DSA\-SHAKE\-192s 4
+.IX Item "SLH-DSA-SHAKE-192s"
+.IP SLH\-DSA\-SHAKE\-192f 4
+.IX Item "SLH-DSA-SHAKE-192f"
+.IP SLH\-DSA\-SHAKE\-256s 4
+.IX Item "SLH-DSA-SHAKE-256s"
+.IP SLH\-DSA\-SHAKE\-256f 4
+.IX Item "SLH-DSA-SHAKE-256f"
+.PD
+.PP
+In addition to this provider, all of these decoding algorithms are also
+available in the default provider. Some of these algorithms may be used in
+combination with the FIPS provider.
+.SS Stores
+.IX Subsection "Stores"
+.IP file 4
+.IX Item "file"
+.PD 0
+.IP "org.openssl.winstore, see \fBOSSL_STORE\-winstore\fR\|(7)" 4
+.IX Item "org.openssl.winstore, see OSSL_STORE-winstore"
+.PD
+.PP
+In addition to this provider, all of these store algorithms are also
+available in the default provider.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOSSL_PROVIDER\-default\fR\|(7), \fBopenssl\-core.h\fR\|(7),
\&\fBopenssl\-core_dispatch.h\fR\|(7), \fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Support for \fBML-DSA\fR and <ML\-KEM> was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7
index 58331313e4cd..d255fd1d8160 100644
--- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7
+++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-default.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PROVIDER-DEFAULT 7ossl"
-.TH OSSL_PROVIDER-DEFAULT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PROVIDER-DEFAULT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PROVIDER\-default \- OpenSSL default provider
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The OpenSSL default provider supplies the majority of OpenSSL's diverse
algorithm implementations. If an application doesn't specify anything else
@@ -154,13 +78,12 @@ then it must be loaded explicitly. Automatic loading of the default
provider only occurs a maximum of once; if the default provider is
explicitly unloaded then the default provider will not be automatically
loaded again.
-.SS "Properties"
+.SS Properties
.IX Subsection "Properties"
The implementations in this provider specifically have this property
defined:
-.ie n .IP """provider=default""" 4
-.el .IP "``provider=default''" 4
-.IX Item "provider=default"
+.IP """provider=default""" 4
+.IX Item """provider=default"""
.PP
It may be used in a property query string with fetching functions such as
\&\fBEVP_MD_fetch\fR\|(3) or \fBEVP_CIPHER_fetch\fR\|(3), as well as with other
@@ -177,203 +100,460 @@ listed below
The OpenSSL default provider supports these operations and algorithms:
.SS "Hashing Algorithms / Message Digests"
.IX Subsection "Hashing Algorithms / Message Digests"
-.IP "\s-1SHA1,\s0 see \s-1\fBEVP_MD\-SHA1\s0\fR\|(7)" 4
+.IP "SHA1, see \fBEVP_MD\-SHA1\fR\|(7)" 4
.IX Item "SHA1, see EVP_MD-SHA1"
.PD 0
-.IP "\s-1SHA2,\s0 see \s-1\fBEVP_MD\-SHA2\s0\fR\|(7)" 4
+.IP "SHA2, see \fBEVP_MD\-SHA2\fR\|(7)" 4
.IX Item "SHA2, see EVP_MD-SHA2"
-.IP "\s-1SHA3,\s0 see \s-1\fBEVP_MD\-SHA3\s0\fR\|(7)" 4
+.IP "SHA3, see \fBEVP_MD\-SHA3\fR\|(7)" 4
.IX Item "SHA3, see EVP_MD-SHA3"
-.IP "KECCAK-KMAC, see \s-1\fBEVP_MD\-KECCAK\-KMAC\s0\fR\|(7)" 4
+.IP "KECCAK, see \fBEVP_MD\-KECCAK\fR\|(7)" 4
+.IX Item "KECCAK, see EVP_MD-KECCAK"
+.IP "KECCAK-KMAC, see \fBEVP_MD\-KECCAK\-KMAC\fR\|(7)" 4
.IX Item "KECCAK-KMAC, see EVP_MD-KECCAK-KMAC"
-.IP "\s-1SHAKE,\s0 see \s-1\fBEVP_MD\-SHAKE\s0\fR\|(7)" 4
+.IP "SHAKE, see \fBEVP_MD\-SHAKE\fR\|(7)" 4
.IX Item "SHAKE, see EVP_MD-SHAKE"
-.IP "\s-1BLAKE2,\s0 see \s-1\fBEVP_MD\-BLAKE2\s0\fR\|(7)" 4
+.IP "BLAKE2, see \fBEVP_MD\-BLAKE2\fR\|(7)" 4
.IX Item "BLAKE2, see EVP_MD-BLAKE2"
-.IP "\s-1SM3,\s0 see \s-1\fBEVP_MD\-SM3\s0\fR\|(7)" 4
+.IP "SM3, see \fBEVP_MD\-SM3\fR\|(7)" 4
.IX Item "SM3, see EVP_MD-SM3"
-.IP "\s-1MD5,\s0 see \s-1\fBEVP_MD\-MD5\s0\fR\|(7)" 4
+.IP "MD5, see \fBEVP_MD\-MD5\fR\|(7)" 4
.IX Item "MD5, see EVP_MD-MD5"
-.IP "\s-1MD5\-SHA1,\s0 see \s-1\fBEVP_MD\-MD5\-SHA1\s0\fR\|(7)" 4
+.IP "MD5\-SHA1, see \fBEVP_MD\-MD5\-SHA1\fR\|(7)" 4
.IX Item "MD5-SHA1, see EVP_MD-MD5-SHA1"
-.IP "\s-1RIPEMD160,\s0 see \s-1\fBEVP_MD\-RIPEMD160\s0\fR\|(7)" 4
+.IP "RIPEMD160, see \fBEVP_MD\-RIPEMD160\fR\|(7)" 4
.IX Item "RIPEMD160, see EVP_MD-RIPEMD160"
-.IP "\s-1NULL,\s0 see \s-1\fBEVP_MD\-NULL\s0\fR\|(7)" 4
+.IP "NULL, see \fBEVP_MD\-NULL\fR\|(7)" 4
.IX Item "NULL, see EVP_MD-NULL"
.PD
.SS "Symmetric Ciphers"
.IX Subsection "Symmetric Ciphers"
-.IP "\s-1AES,\s0 see \s-1\fBEVP_CIPHER\-AES\s0\fR\|(7)" 4
+.IP "AES, see \fBEVP_CIPHER\-AES\fR\|(7)" 4
.IX Item "AES, see EVP_CIPHER-AES"
.PD 0
-.IP "\s-1ARIA,\s0 see \s-1\fBEVP_CIPHER\-ARIA\s0\fR\|(7)" 4
+.IP "ARIA, see \fBEVP_CIPHER\-ARIA\fR\|(7)" 4
.IX Item "ARIA, see EVP_CIPHER-ARIA"
-.IP "\s-1CAMELLIA,\s0 see \s-1\fBEVP_CIPHER\-CAMELLIA\s0\fR\|(7)" 4
+.IP "CAMELLIA, see \fBEVP_CIPHER\-CAMELLIA\fR\|(7)" 4
.IX Item "CAMELLIA, see EVP_CIPHER-CAMELLIA"
-.IP "3DES, see \s-1\fBEVP_CIPHER\-DES\s0\fR\|(7)" 4
+.IP "3DES, see \fBEVP_CIPHER\-DES\fR\|(7)" 4
.IX Item "3DES, see EVP_CIPHER-DES"
-.IP "\s-1SEED,\s0 see \s-1\fBEVP_CIPHER\-SEED\s0\fR\|(7)" 4
-.IX Item "SEED, see EVP_CIPHER-SEED"
-.IP "\s-1SM4,\s0 see \s-1\fBEVP_CIPHER\-SM4\s0\fR\|(7)" 4
+.IP "SM4, see \fBEVP_CIPHER\-SM4\fR\|(7)" 4
.IX Item "SM4, see EVP_CIPHER-SM4"
-.IP "ChaCha20, see \s-1\fBEVP_CIPHER\-CHACHA\s0\fR\|(7)" 4
+.IP "ChaCha20, see \fBEVP_CIPHER\-CHACHA\fR\|(7)" 4
.IX Item "ChaCha20, see EVP_CIPHER-CHACHA"
-.IP "ChaCha20\-Poly1305, see \s-1\fBEVP_CIPHER\-CHACHA\s0\fR\|(7)" 4
+.IP "ChaCha20\-Poly1305, see \fBEVP_CIPHER\-CHACHA\fR\|(7)" 4
.IX Item "ChaCha20-Poly1305, see EVP_CIPHER-CHACHA"
-.IP "\s-1NULL,\s0 see \s-1\fBEVP_CIPHER\-NULL\s0\fR\|(7)" 4
+.IP "NULL, see \fBEVP_CIPHER\-NULL\fR\|(7)" 4
.IX Item "NULL, see EVP_CIPHER-NULL"
.PD
-.SS "Message Authentication Code (\s-1MAC\s0)"
+.SS "Message Authentication Code (MAC)"
.IX Subsection "Message Authentication Code (MAC)"
-.IP "\s-1BLAKE2,\s0 see \s-1\fBEVP_MAC\-BLAKE2\s0\fR\|(7)" 4
+.IP "BLAKE2, see \fBEVP_MAC\-BLAKE2\fR\|(7)" 4
.IX Item "BLAKE2, see EVP_MAC-BLAKE2"
.PD 0
-.IP "\s-1CMAC,\s0 see \s-1\fBEVP_MAC\-CMAC\s0\fR\|(7)" 4
+.IP "CMAC, see \fBEVP_MAC\-CMAC\fR\|(7)" 4
.IX Item "CMAC, see EVP_MAC-CMAC"
-.IP "\s-1GMAC,\s0 see \s-1\fBEVP_MAC\-GMAC\s0\fR\|(7)" 4
+.IP "GMAC, see \fBEVP_MAC\-GMAC\fR\|(7)" 4
.IX Item "GMAC, see EVP_MAC-GMAC"
-.IP "\s-1HMAC,\s0 see \s-1\fBEVP_MAC\-HMAC\s0\fR\|(7)" 4
+.IP "HMAC, see \fBEVP_MAC\-HMAC\fR\|(7)" 4
.IX Item "HMAC, see EVP_MAC-HMAC"
-.IP "\s-1KMAC,\s0 see \s-1\fBEVP_MAC\-KMAC\s0\fR\|(7)" 4
+.IP "KMAC, see \fBEVP_MAC\-KMAC\fR\|(7)" 4
.IX Item "KMAC, see EVP_MAC-KMAC"
-.IP "\s-1SIPHASH,\s0 see \fBEVP_MAC\-Siphash\fR\|(7)" 4
+.IP "SIPHASH, see \fBEVP_MAC\-Siphash\fR\|(7)" 4
.IX Item "SIPHASH, see EVP_MAC-Siphash"
-.IP "\s-1POLY1305,\s0 see \fBEVP_MAC\-Poly1305\fR\|(7)" 4
+.IP "POLY1305, see \fBEVP_MAC\-Poly1305\fR\|(7)" 4
.IX Item "POLY1305, see EVP_MAC-Poly1305"
.PD
-.SS "Key Derivation Function (\s-1KDF\s0)"
+.SS "Key Derivation Function (KDF)"
.IX Subsection "Key Derivation Function (KDF)"
-.IP "\s-1HKDF,\s0 see \s-1\fBEVP_KDF\-HKDF\s0\fR\|(7)" 4
+.IP "HKDF, see \fBEVP_KDF\-HKDF\fR\|(7)" 4
.IX Item "HKDF, see EVP_KDF-HKDF"
.PD 0
-.IP "\s-1SSKDF,\s0 see \s-1\fBEVP_KDF\-SS\s0\fR\|(7)" 4
+.IP "TLS13\-KDF, see \fBEVP_KDF\-TLS13_KDF\fR\|(7)" 4
+.IX Item "TLS13-KDF, see EVP_KDF-TLS13_KDF"
+.IP "SSKDF, see \fBEVP_KDF\-SS\fR\|(7)" 4
.IX Item "SSKDF, see EVP_KDF-SS"
-.IP "\s-1PBKDF2,\s0 see \s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7)" 4
+.IP "PBKDF2, see \fBEVP_KDF\-PBKDF2\fR\|(7)" 4
.IX Item "PBKDF2, see EVP_KDF-PBKDF2"
-.IP "\s-1PKCS12KDF,\s0 see \s-1\fBEVP_KDF\-PKCS12KDF\s0\fR\|(7)" 4
+.IP "PKCS12KDF, see \fBEVP_KDF\-PKCS12KDF\fR\|(7)" 4
.IX Item "PKCS12KDF, see EVP_KDF-PKCS12KDF"
-.IP "\s-1SSHKDF,\s0 see \s-1\fBEVP_KDF\-SSHKDF\s0\fR\|(7)" 4
+.IP "SSHKDF, see \fBEVP_KDF\-SSHKDF\fR\|(7)" 4
.IX Item "SSHKDF, see EVP_KDF-SSHKDF"
-.IP "\s-1TLS1\-PRF,\s0 see \s-1\fBEVP_KDF\-TLS1_PRF\s0\fR\|(7)" 4
+.IP "TLS1\-PRF, see \fBEVP_KDF\-TLS1_PRF\fR\|(7)" 4
.IX Item "TLS1-PRF, see EVP_KDF-TLS1_PRF"
-.IP "\s-1KBKDF,\s0 see \s-1\fBEVP_KDF\-KB\s0\fR\|(7)" 4
+.IP "KBKDF, see \fBEVP_KDF\-KB\fR\|(7)" 4
.IX Item "KBKDF, see EVP_KDF-KB"
-.IP "X942KDF\-ASN1, see \s-1\fBEVP_KDF\-X942\-ASN1\s0\fR\|(7)" 4
+.IP "X942KDF\-ASN1, see \fBEVP_KDF\-X942\-ASN1\fR\|(7)" 4
.IX Item "X942KDF-ASN1, see EVP_KDF-X942-ASN1"
-.IP "X942KDF\-CONCAT, see \s-1\fBEVP_KDF\-X942\-CONCAT\s0\fR\|(7)" 4
+.IP "X942KDF\-CONCAT, see \fBEVP_KDF\-X942\-CONCAT\fR\|(7)" 4
.IX Item "X942KDF-CONCAT, see EVP_KDF-X942-CONCAT"
-.IP "X963KDF, see \s-1\fBEVP_KDF\-X963\s0\fR\|(7)" 4
+.IP "X963KDF, see \fBEVP_KDF\-X963\fR\|(7)" 4
.IX Item "X963KDF, see EVP_KDF-X963"
-.IP "\s-1SCRYPT,\s0 see \s-1\fBEVP_KDF\-SCRYPT\s0\fR\|(7)" 4
+.IP "SCRYPT, see \fBEVP_KDF\-SCRYPT\fR\|(7)" 4
.IX Item "SCRYPT, see EVP_KDF-SCRYPT"
-.IP "\s-1KRB5KDF,\s0 see \s-1\fBEVP_KDF\-KRB5KDF\s0\fR\|(7)" 4
+.IP "KRB5KDF, see \fBEVP_KDF\-KRB5KDF\fR\|(7)" 4
.IX Item "KRB5KDF, see EVP_KDF-KRB5KDF"
+.IP "HMAC-DRBG, see \fBEVP_KDF\-HMAC\-DRBG\fR\|(7)" 4
+.IX Item "HMAC-DRBG, see EVP_KDF-HMAC-DRBG"
+.IP "ARGON2, see \fBEVP_KDF\-ARGON2\fR\|(7)" 4
+.IX Item "ARGON2, see EVP_KDF-ARGON2"
.PD
.SS "Key Exchange"
.IX Subsection "Key Exchange"
-.IP "\s-1DH,\s0 see \s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7)" 4
+.IP "DH, see \fBEVP_KEYEXCH\-DH\fR\|(7)" 4
.IX Item "DH, see EVP_KEYEXCH-DH"
.PD 0
-.IP "\s-1ECDH,\s0 see \s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7)" 4
+.IP "ECDH, see \fBEVP_KEYEXCH\-ECDH\fR\|(7)" 4
.IX Item "ECDH, see EVP_KEYEXCH-ECDH"
-.IP "X25519, see \s-1\fBEVP_KEYEXCH\-X25519\s0\fR\|(7)" 4
+.IP "X25519, see \fBEVP_KEYEXCH\-X25519\fR\|(7)" 4
.IX Item "X25519, see EVP_KEYEXCH-X25519"
-.IP "X448, see \s-1\fBEVP_KEYEXCH\-X448\s0\fR\|(7)" 4
+.IP "X448, see \fBEVP_KEYEXCH\-X448\fR\|(7)" 4
.IX Item "X448, see EVP_KEYEXCH-X448"
+.IP "ML\-KEM\-512, see \fBEVP_KEM\-ML\-KEM\-512\fR\|(7)" 4
+.IX Item "ML-KEM-512, see EVP_KEM-ML-KEM-512"
+.IP "ML\-KEM\-768, see \fBEVP_KEM\-ML\-KEM\-768\fR\|(7)" 4
+.IX Item "ML-KEM-768, see EVP_KEM-ML-KEM-768"
+.IP "ML\-KEM\-1024, see \fBEVP_KEM\-ML\-KEM\-1024\fR\|(7)" 4
+.IX Item "ML-KEM-1024, see EVP_KEM-ML-KEM-1024"
+.IP TLS1\-PRF 4
+.IX Item "TLS1-PRF"
+.IP HKDF 4
+.IX Item "HKDF"
+.IP SCRYPT 4
+.IX Item "SCRYPT"
.PD
.SS "Asymmetric Signature"
.IX Subsection "Asymmetric Signature"
-.IP "\s-1DSA,\s0 see \s-1\fBEVP_SIGNATURE\-DSA\s0\fR\|(7)" 4
+.IP "DSA, see \fBEVP_SIGNATURE\-DSA\fR\|(7)" 4
.IX Item "DSA, see EVP_SIGNATURE-DSA"
.PD 0
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_SIGNATURE\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_SIGNATURE\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_SIGNATURE-RSA"
-.IP "\s-1HMAC,\s0 see \s-1\fBEVP_SIGNATURE\-HMAC\s0\fR\|(7)" 4
+.IP "ED25519, see \fBEVP_SIGNATURE\-ED25519\fR\|(7)" 4
+.IX Item "ED25519, see EVP_SIGNATURE-ED25519"
+.IP "ED448, see \fBEVP_SIGNATURE\-ED448\fR\|(7)" 4
+.IX Item "ED448, see EVP_SIGNATURE-ED448"
+.IP "ECDSA, see \fBEVP_SIGNATURE\-ECDSA\fR\|(7)" 4
+.IX Item "ECDSA, see EVP_SIGNATURE-ECDSA"
+.IP SM2 4
+.IX Item "SM2"
+.IP "ML\-DSA\-44, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-44, see EVP_SIGNATURE-ML-DSA"
+.IP "ML\-DSA\-65, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-65, see EVP_SIGNATURE-ML-DSA"
+.IP "ML\-DSA\-87, see \fBEVP_SIGNATURE\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-87, see EVP_SIGNATURE-ML-DSA"
+.IP "HMAC, see \fBEVP_SIGNATURE\-HMAC\fR\|(7)" 4
.IX Item "HMAC, see EVP_SIGNATURE-HMAC"
-.IP "\s-1SIPHASH,\s0 see \fBEVP_SIGNATURE\-Siphash\fR\|(7)" 4
+.IP "SIPHASH, see \fBEVP_SIGNATURE\-Siphash\fR\|(7)" 4
.IX Item "SIPHASH, see EVP_SIGNATURE-Siphash"
-.IP "\s-1POLY1305,\s0 see \fBEVP_SIGNATURE\-Poly1305\fR\|(7)" 4
+.IP "POLY1305, see \fBEVP_SIGNATURE\-Poly1305\fR\|(7)" 4
.IX Item "POLY1305, see EVP_SIGNATURE-Poly1305"
-.IP "\s-1CMAC,\s0 see \s-1\fBEVP_SIGNATURE\-CMAC\s0\fR\|(7)" 4
+.IP "CMAC, see \fBEVP_SIGNATURE\-CMAC\fR\|(7)" 4
.IX Item "CMAC, see EVP_SIGNATURE-CMAC"
+.IP "SLH\-DSA\-SHA2\-128s, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-128s, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-128f, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-128f, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-192s, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-192s, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-192f, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-192f, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-256s, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-256s, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-256f, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-256f, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-128s, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-128s, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-128f, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-128f, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-192s, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-192s, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-192f, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-192f, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-256s, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-256s, see EVP_SIGNATURE-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-256f, see \fBEVP_SIGNATURE\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-256f, see EVP_SIGNATURE-SLH-DSA"
.PD
.SS "Asymmetric Cipher"
.IX Subsection "Asymmetric Cipher"
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_ASYM_CIPHER\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_ASYM_CIPHER\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_ASYM_CIPHER-RSA"
.PD 0
-.IP "\s-1SM2,\s0 see \s-1\fBEVP_ASYM_CIPHER\-SM2\s0\fR\|(7)" 4
+.IP "SM2, see \fBEVP_ASYM_CIPHER\-SM2\fR\|(7)" 4
.IX Item "SM2, see EVP_ASYM_CIPHER-SM2"
.PD
.SS "Asymmetric Key Encapsulation"
.IX Subsection "Asymmetric Key Encapsulation"
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_KEM\-RSA\s0\fR\|(7)" 4
+.IP "RSA, see \fBEVP_KEM\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_KEM-RSA"
+.PD 0
+.IP "X25519, see \fBEVP_KEM\-X25519\fR\|(7)" 4
+.IX Item "X25519, see EVP_KEM-X25519"
+.IP "X448, see \fBEVP_KEM\-X448\fR\|(7)" 4
+.IX Item "X448, see EVP_KEM-X448"
+.IP "EC, see \fBEVP_KEM\-EC\fR\|(7)" 4
+.IX Item "EC, see EVP_KEM-EC"
+.IP "ML\-KEM\-512, see \fBEVP_KEM\-ML\-KEM\-512\fR\|(7)" 4
+.IX Item "ML-KEM-512, see EVP_KEM-ML-KEM-512"
+.IP "ML\-KEM\-768, see \fBEVP_KEM\-ML\-KEM\-768\fR\|(7)" 4
+.IX Item "ML-KEM-768, see EVP_KEM-ML-KEM-768"
+.IP "ML\-KEM\-1024, see \fBEVP_KEM\-ML\-KEM\-1024\fR\|(7)" 4
+.IX Item "ML-KEM-1024, see EVP_KEM-ML-KEM-1024"
+.PD
.SS "Asymmetric Key Management"
.IX Subsection "Asymmetric Key Management"
-.PD 0
-.IP "\s-1DH,\s0 see \s-1\fBEVP_KEYMGMT\-DH\s0\fR\|(7)" 4
-.IX Item "DH, see EVP_KEYMGMT-DH"
-.IP "\s-1DHX,\s0 see \s-1\fBEVP_KEYMGMT\-DHX\s0\fR\|(7)" 4
-.IX Item "DHX, see EVP_KEYMGMT-DHX"
-.IP "\s-1DSA,\s0 see \s-1\fBEVP_KEYMGMT\-DSA\s0\fR\|(7)" 4
+.IP "DSA, see \fBEVP_KEYMGMT\-DSA\fR\|(7)" 4
.IX Item "DSA, see EVP_KEYMGMT-DSA"
-.IP "\s-1RSA,\s0 see \s-1\fBEVP_KEYMGMT\-RSA\s0\fR\|(7)" 4
+.PD 0
+.IP "RSA, see \fBEVP_KEYMGMT\-RSA\fR\|(7)" 4
.IX Item "RSA, see EVP_KEYMGMT-RSA"
-.IP "\s-1EC,\s0 see \s-1\fBEVP_KEYMGMT\-EC\s0\fR\|(7)" 4
+.IP RSA-PSS 4
+.IX Item "RSA-PSS"
+.IP "EC, see \fBEVP_KEYMGMT\-EC\fR\|(7)" 4
.IX Item "EC, see EVP_KEYMGMT-EC"
-.IP "X25519, see \s-1\fBEVP_KEYMGMT\-X25519\s0\fR\|(7)" 4
+.IP "ED25519, see \fBEVP_KEYMGMT\-ED25519\fR\|(7)" 4
+.IX Item "ED25519, see EVP_KEYMGMT-ED25519"
+.IP "ED448, see \fBEVP_KEYMGMT\-ED448\fR\|(7)" 4
+.IX Item "ED448, see EVP_KEYMGMT-ED448"
+.IP "SM2, see \fBEVP_KEYMGMT\-SM2\fR\|(7)" 4
+.IX Item "SM2, see EVP_KEYMGMT-SM2"
+.IP "DH, see \fBEVP_KEYMGMT\-DH\fR\|(7)" 4
+.IX Item "DH, see EVP_KEYMGMT-DH"
+.IP "DHX, see \fBEVP_KEYMGMT\-DHX\fR\|(7)" 4
+.IX Item "DHX, see EVP_KEYMGMT-DHX"
+.IP "X25519, see \fBEVP_KEYMGMT\-X25519\fR\|(7)" 4
.IX Item "X25519, see EVP_KEYMGMT-X25519"
-.IP "X448, see \s-1\fBEVP_KEYMGMT\-X448\s0\fR\|(7)" 4
+.IP "X448, see \fBEVP_KEYMGMT\-X448\fR\|(7)" 4
.IX Item "X448, see EVP_KEYMGMT-X448"
+.IP "ML\-DSA\-44, see \fBEVP_KEYMGMT\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-44, see EVP_KEYMGMT-ML-DSA"
+.IP "ML\-DSA\-65, see \fBEVP_KEYMGMT\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-65, see EVP_KEYMGMT-ML-DSA"
+.IP "ML\-DSA\-87, see \fBEVP_KEYMGMT\-ML\-DSA\fR\|(7)" 4
+.IX Item "ML-DSA-87, see EVP_KEYMGMT-ML-DSA"
+.IP "MK\-KEM\-512, see \fBEVP_KEYMGMT\-ML\-KEM\-512\fR\|(7)" 4
+.IX Item "MK-KEM-512, see EVP_KEYMGMT-ML-KEM-512"
+.IP "MK\-KEM\-768, see \fBEVP_KEYMGMT\-ML\-KEM\-768\fR\|(7)" 4
+.IX Item "MK-KEM-768, see EVP_KEYMGMT-ML-KEM-768"
+.IP "MK\-KEM\-1024, see \fBEVP_KEYMGMT\-ML\-KEM\-1024\fR\|(7)" 4
+.IX Item "MK-KEM-1024, see EVP_KEYMGMT-ML-KEM-1024"
+.IP "SLH\-DSA\-SHA2\-128s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-128s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-128f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-128f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-192s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-192s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-192f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-192f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-256s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-256s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHA2\-256f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHA2-256f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-128s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-128s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-128f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-128f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-192s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-192s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-192f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-192f, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-256s, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-256s, see EVP_KEYMGMT-SLH-DSA"
+.IP "SLH\-DSA\-SHAKE\-256f, see \fBEVP_KEYMGMT\-SLH\-DSA\fR\|(7)" 4
+.IX Item "SLH-DSA-SHAKE-256f, see EVP_KEYMGMT-SLH-DSA"
+.IP TLS1\-PRF 4
+.IX Item "TLS1-PRF"
+.IP HKDF 4
+.IX Item "HKDF"
+.IP SCRYPT 4
+.IX Item "SCRYPT"
+.IP "HMAC, see \fBEVP_KEYMGMT\-HMAC\fR\|(7)" 4
+.IX Item "HMAC, see EVP_KEYMGMT-HMAC"
+.IP "SIPHASH, see \fBEVP_KEYMGMT\-Siphash\fR\|(7)" 4
+.IX Item "SIPHASH, see EVP_KEYMGMT-Siphash"
+.IP "POLY1305, see \fBEVP_KEYMGMT\-Poly1305\fR\|(7)" 4
+.IX Item "POLY1305, see EVP_KEYMGMT-Poly1305"
+.IP "CMAC, see \fBEVP_KEYMGMT\-CMAC\fR\|(7)" 4
+.IX Item "CMAC, see EVP_KEYMGMT-CMAC"
.PD
.SS "Random Number Generation"
.IX Subsection "Random Number Generation"
-.IP "CTR-DRBG, see \s-1\fBEVP_RAND\-CTR\-DRBG\s0\fR\|(7)" 4
+.IP "CTR-DRBG, see \fBEVP_RAND\-CTR\-DRBG\fR\|(7)" 4
.IX Item "CTR-DRBG, see EVP_RAND-CTR-DRBG"
.PD 0
-.IP "HASH-DRBG, see \s-1\fBEVP_RAND\-HASH\-DRBG\s0\fR\|(7)" 4
+.IP "HASH-DRBG, see \fBEVP_RAND\-HASH\-DRBG\fR\|(7)" 4
.IX Item "HASH-DRBG, see EVP_RAND-HASH-DRBG"
-.IP "HMAC-DRBG, see \s-1\fBEVP_RAND\-HMAC\-DRBG\s0\fR\|(7)" 4
+.IP "HMAC-DRBG, see \fBEVP_RAND\-HMAC\-DRBG\fR\|(7)" 4
.IX Item "HMAC-DRBG, see EVP_RAND-HMAC-DRBG"
-.IP "SEED-SRC, see \s-1\fBEVP_RAND\-SEED\-SRC\s0\fR\|(7)" 4
+.IP "SEED-SRC, see \fBEVP_RAND\-SEED\-SRC\fR\|(7)" 4
.IX Item "SEED-SRC, see EVP_RAND-SEED-SRC"
-.IP "TEST-RAND, see \s-1\fBEVP_RAND\-TEST\-RAND\s0\fR\|(7)" 4
+.IP "JITTER, see \fBEVP_RAND\-JITTER\fR\|(7)" 4
+.IX Item "JITTER, see EVP_RAND-JITTER"
+.IP "TEST-RAND, see \fBEVP_RAND\-TEST\-RAND\fR\|(7)" 4
.IX Item "TEST-RAND, see EVP_RAND-TEST-RAND"
.PD
+.PP
+In addition to this provider, the "SEED-SRC" and "JITTER" algorithms
+are also available in the base provider.
.SS "Asymmetric Key Encoder"
.IX Subsection "Asymmetric Key Encoder"
-The default provider also includes all of the encoding algorithms
-present in the base provider. Some of these have the property \*(L"fips=yes\*(R",
-to allow them to be used together with the \s-1FIPS\s0 provider.
-.IP "\s-1RSA,\s0 see \s-1\fBOSSL_ENCODER\-RSA\s0\fR\|(7)" 4
-.IX Item "RSA, see OSSL_ENCODER-RSA"
+.IP RSA 4
+.IX Item "RSA"
+.PD 0
+.IP RSA-PSS 4
+.IX Item "RSA-PSS"
+.IP DH 4
+.IX Item "DH"
+.IP DHX 4
+.IX Item "DHX"
+.IP DSA 4
+.IX Item "DSA"
+.IP EC 4
+.IX Item "EC"
+.IP ED25519 4
+.IX Item "ED25519"
+.IP ED448 4
+.IX Item "ED448"
+.IP X25519 4
+.IX Item "X25519"
+.IP X448 4
+.IX Item "X448"
+.IP SM2 4
+.IX Item "SM2"
+.IP ML\-DSA\-44 4
+.IX Item "ML-DSA-44"
+.IP ML\-DSA\-65 4
+.IX Item "ML-DSA-65"
+.IP ML\-DSA\-87 4
+.IX Item "ML-DSA-87"
+.IP ML\-KEM\-512 4
+.IX Item "ML-KEM-512"
+.IP ML\-KEM\-768 4
+.IX Item "ML-KEM-768"
+.IP ML\-KEM\-1024 4
+.IX Item "ML-KEM-1024"
+.IP SLH\-DSA\-SHA2\-128s 4
+.IX Item "SLH-DSA-SHA2-128s"
+.IP SLH\-DSA\-SHA2\-128f 4
+.IX Item "SLH-DSA-SHA2-128f"
+.IP SLH\-DSA\-SHA2\-192s 4
+.IX Item "SLH-DSA-SHA2-192s"
+.IP SLH\-DSA\-SHA2\-192f 4
+.IX Item "SLH-DSA-SHA2-192f"
+.IP SLH\-DSA\-SHA2\-256s 4
+.IX Item "SLH-DSA-SHA2-256s"
+.IP SLH\-DSA\-SHA2\-256f 4
+.IX Item "SLH-DSA-SHA2-256f"
+.IP SLH\-DSA\-SHAKE\-128s 4
+.IX Item "SLH-DSA-SHAKE-128s"
+.IP SLH\-DSA\-SHAKE\-128f 4
+.IX Item "SLH-DSA-SHAKE-128f"
+.IP SLH\-DSA\-SHAKE\-192s 4
+.IX Item "SLH-DSA-SHAKE-192s"
+.IP SLH\-DSA\-SHAKE\-192f 4
+.IX Item "SLH-DSA-SHAKE-192f"
+.IP SLH\-DSA\-SHAKE\-256s 4
+.IX Item "SLH-DSA-SHAKE-256s"
+.IP SLH\-DSA\-SHAKE\-256f 4
+.IX Item "SLH-DSA-SHAKE-256f"
+.PD
+.PP
+In addition to this provider, all of these encoding algorithms are also
+available in the base provider. Some of these algorithms may be used in
+combination with the FIPS provider.
+.SS "Asymmetric Key Decoder"
+.IX Subsection "Asymmetric Key Decoder"
+.IP RSA 4
+.IX Item "RSA"
.PD 0
-.IP "\s-1DH,\s0 see \s-1\fBOSSL_ENCODER\-DH\s0\fR\|(7)" 4
-.IX Item "DH, see OSSL_ENCODER-DH"
-.IP "\s-1DSA,\s0 see \s-1\fBOSSL_ENCODER\-DSA\s0\fR\|(7)" 4
-.IX Item "DSA, see OSSL_ENCODER-DSA"
-.IP "\s-1EC,\s0 see \s-1\fBOSSL_ENCODER\-EC\s0\fR\|(7)" 4
-.IX Item "EC, see OSSL_ENCODER-EC"
-.IP "X25519, see \s-1\fBOSSL_ENCODER\-X25519\s0\fR\|(7)" 4
-.IX Item "X25519, see OSSL_ENCODER-X25519"
-.IP "X448, see \s-1\fBOSSL_ENCODER\-X448\s0\fR\|(7)" 4
-.IX Item "X448, see OSSL_ENCODER-X448"
+.IP RSA-PSS 4
+.IX Item "RSA-PSS"
+.IP DH 4
+.IX Item "DH"
+.IP DHX 4
+.IX Item "DHX"
+.IP DSA 4
+.IX Item "DSA"
+.IP EC 4
+.IX Item "EC"
+.IP ED25519 4
+.IX Item "ED25519"
+.IP ED448 4
+.IX Item "ED448"
+.IP X25519 4
+.IX Item "X25519"
+.IP X448 4
+.IX Item "X448"
+.IP SM2 4
+.IX Item "SM2"
+.IP ML\-DSA\-44 4
+.IX Item "ML-DSA-44"
+.IP ML\-DSA\-65 4
+.IX Item "ML-DSA-65"
+.IP ML\-DSA\-87 4
+.IX Item "ML-DSA-87"
+.IP ML\-KEM\-512 4
+.IX Item "ML-KEM-512"
+.IP ML\-KEM\-768 4
+.IX Item "ML-KEM-768"
+.IP ML\-KEM\-1024 4
+.IX Item "ML-KEM-1024"
+.IP SLH\-DSA\-SHA2\-128s 4
+.IX Item "SLH-DSA-SHA2-128s"
+.IP SLH\-DSA\-SHA2\-128f 4
+.IX Item "SLH-DSA-SHA2-128f"
+.IP SLH\-DSA\-SHA2\-192s 4
+.IX Item "SLH-DSA-SHA2-192s"
+.IP SLH\-DSA\-SHA2\-192f 4
+.IX Item "SLH-DSA-SHA2-192f"
+.IP SLH\-DSA\-SHA2\-256s 4
+.IX Item "SLH-DSA-SHA2-256s"
+.IP SLH\-DSA\-SHA2\-256f 4
+.IX Item "SLH-DSA-SHA2-256f"
+.IP SLH\-DSA\-SHAKE\-128s 4
+.IX Item "SLH-DSA-SHAKE-128s"
+.IP SLH\-DSA\-SHAKE\-128f 4
+.IX Item "SLH-DSA-SHAKE-128f"
+.IP SLH\-DSA\-SHAKE\-192s 4
+.IX Item "SLH-DSA-SHAKE-192s"
+.IP SLH\-DSA\-SHAKE\-192f 4
+.IX Item "SLH-DSA-SHAKE-192f"
+.IP SLH\-DSA\-SHAKE\-256s 4
+.IX Item "SLH-DSA-SHAKE-256s"
+.IP SLH\-DSA\-SHAKE\-256f 4
+.IX Item "SLH-DSA-SHAKE-256f"
.PD
+.PP
+In addition to this provider, all of these decoding algorithms are also
+available in the base provider. Some of these algorithms may be used in
+combination with the FIPS provider.
+.SS Stores
+.IX Subsection "Stores"
+.IP file 4
+.IX Item "file"
+.PD 0
+.IP "org.openssl.winstore, see \fBOSSL_STORE\-winstore\fR\|(7)" 4
+.IX Item "org.openssl.winstore, see OSSL_STORE-winstore"
+.PD
+.PP
+In addition to this provider, all of these store algorithms are also
+available in the base provider.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-core.h\fR\|(7), \fBopenssl\-core_dispatch.h\fR\|(7), \fBprovider\fR\|(7),
\&\fBOSSL_PROVIDER\-base\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1RIPEMD160\s0 digest was added to the default provider in OpenSSL 3.0.7.
+The RIPEMD160 digest was added to the default provider in OpenSSL 3.0.7.
.PP
All other functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7
index 61c168883137..a05c6c221ed2 100644
--- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7
+++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-legacy.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PROVIDER-LEGACY 7ossl"
-.TH OSSL_PROVIDER-LEGACY 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PROVIDER-LEGACY 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PROVIDER\-legacy \- OpenSSL legacy provider
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The OpenSSL legacy provider supplies OpenSSL implementations of algorithms
that have been deemed legacy. Such algorithms have commonly fallen out of
@@ -146,13 +70,12 @@ use, have been deemed insecure by the cryptography community, or something
similar.
.PP
We can consider this the retirement home of cryptographic algorithms.
-.SS "Properties"
+.SS Properties
.IX Subsection "Properties"
The implementations in this provider specifically has this property
defined:
-.ie n .IP """provider=legacy""" 4
-.el .IP "``provider=legacy''" 4
-.IX Item "provider=legacy"
+.IP """provider=legacy""" 4
+.IX Item """provider=legacy"""
.PP
It may be used in a property query string with fetching functions such as
\&\fBEVP_MD_fetch\fR\|(3) or \fBEVP_CIPHER_fetch\fR\|(3), as well as with other
@@ -166,64 +89,67 @@ make sure to get implementations of this provider and none other.
The OpenSSL legacy provider supports these operations and algorithms:
.SS "Hashing Algorithms / Message Digests"
.IX Subsection "Hashing Algorithms / Message Digests"
-.IP "\s-1MD2,\s0 see \s-1\fBEVP_MD\-MD2\s0\fR\|(7)" 4
+.IP "MD2, see \fBEVP_MD\-MD2\fR\|(7)" 4
.IX Item "MD2, see EVP_MD-MD2"
-.PD 0
-.IP "\s-1MD4,\s0 see \s-1\fBEVP_MD\-MD4\s0\fR\|(7)" 4
+Disabled by default. Use \fIenable\-md2\fR config option to enable.
+.IP "MD4, see \fBEVP_MD\-MD4\fR\|(7)" 4
.IX Item "MD4, see EVP_MD-MD4"
-.IP "\s-1MDC2,\s0 see \s-1\fBEVP_MD\-MDC2\s0\fR\|(7)" 4
+.PD 0
+.IP "MDC2, see \fBEVP_MD\-MDC2\fR\|(7)" 4
.IX Item "MDC2, see EVP_MD-MDC2"
-.IP "\s-1WHIRLPOOL,\s0 see \s-1\fBEVP_MD\-WHIRLPOOL\s0\fR\|(7)" 4
+.IP "WHIRLPOOL, see \fBEVP_MD\-WHIRLPOOL\fR\|(7)" 4
.IX Item "WHIRLPOOL, see EVP_MD-WHIRLPOOL"
-.IP "\s-1RIPEMD160,\s0 see \s-1\fBEVP_MD\-RIPEMD160\s0\fR\|(7)" 4
+.IP "RIPEMD160, see \fBEVP_MD\-RIPEMD160\fR\|(7)" 4
.IX Item "RIPEMD160, see EVP_MD-RIPEMD160"
.PD
.SS "Symmetric Ciphers"
.IX Subsection "Symmetric Ciphers"
Not all of these symmetric cipher algorithms are enabled by default.
-.IP "Blowfish, see \s-1\fBEVP_CIPHER\-BLOWFISH\s0\fR\|(7)" 4
+.IP "Blowfish, see \fBEVP_CIPHER\-BLOWFISH\fR\|(7)" 4
.IX Item "Blowfish, see EVP_CIPHER-BLOWFISH"
.PD 0
-.IP "\s-1CAST,\s0 see \s-1\fBEVP_CIPHER\-CAST\s0\fR\|(7)" 4
+.IP "CAST, see \fBEVP_CIPHER\-CAST\fR\|(7)" 4
.IX Item "CAST, see EVP_CIPHER-CAST"
-.IP "\s-1DES,\s0 see \s-1\fBEVP_CIPHER\-DES\s0\fR\|(7)" 4
+.IP "DES, see \fBEVP_CIPHER\-DES\fR\|(7)" 4
.IX Item "DES, see EVP_CIPHER-DES"
.PD
-The algorithm names are: \s-1DES_ECB, DES_CBC, DES_OFB, DES_CFB, DES_CFB1, DES_CFB8\s0
-and \s-1DESX_CBC.\s0
-.IP "\s-1IDEA,\s0 see \s-1\fBEVP_CIPHER\-IDEA\s0\fR\|(7)" 4
+The algorithm names are: DES_ECB, DES_CBC, DES_OFB, DES_CFB, DES_CFB1, DES_CFB8
+and DESX_CBC.
+.IP "IDEA, see \fBEVP_CIPHER\-IDEA\fR\|(7)" 4
.IX Item "IDEA, see EVP_CIPHER-IDEA"
.PD 0
-.IP "\s-1RC2,\s0 see \s-1\fBEVP_CIPHER\-RC2\s0\fR\|(7)" 4
+.IP "RC2, see \fBEVP_CIPHER\-RC2\fR\|(7)" 4
.IX Item "RC2, see EVP_CIPHER-RC2"
-.IP "\s-1RC4,\s0 see \s-1\fBEVP_CIPHER\-RC4\s0\fR\|(7)" 4
+.IP "RC4, see \fBEVP_CIPHER\-RC4\fR\|(7)" 4
.IX Item "RC4, see EVP_CIPHER-RC4"
-.IP "\s-1RC5,\s0 see \s-1\fBEVP_CIPHER\-RC5\s0\fR\|(7)" 4
+.IP "RC5, see \fBEVP_CIPHER\-RC5\fR\|(7)" 4
.IX Item "RC5, see EVP_CIPHER-RC5"
.PD
Disabled by default. Use \fIenable\-rc5\fR config option to enable.
-.IP "\s-1SEED,\s0 see \s-1\fBEVP_CIPHER\-SEED\s0\fR\|(7)" 4
+.IP "SEED, see \fBEVP_CIPHER\-SEED\fR\|(7)" 4
.IX Item "SEED, see EVP_CIPHER-SEED"
-.SS "Key Derivation Function (\s-1KDF\s0)"
+.SS "Key Derivation Function (KDF)"
.IX Subsection "Key Derivation Function (KDF)"
.PD 0
-.IP "\s-1PBKDF1\s0" 4
+.IP PBKDF1 4
.IX Item "PBKDF1"
+.IP PVKKDF 4
+.IX Item "PVKKDF"
.PD
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3),
+\&\fBOSSL_PARAM\fR\|(3),
\&\fBopenssl\-core.h\fR\|(7),
\&\fBopenssl\-core_dispatch.h\fR\|(7),
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7 b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7
index 16be0731b3ad..eb9a0f45b4c0 100644
--- a/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7
+++ b/secure/lib/libcrypto/man/man7/OSSL_PROVIDER-null.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_PROVIDER-NULL 7ossl"
-.TH OSSL_PROVIDER-NULL 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_PROVIDER-NULL 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
OSSL_PROVIDER\-null \- OpenSSL null provider
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The OpenSSL null provider supplies no algorithms.
.PP
It can used to guarantee that the default library context and a fallback
provider will not be accidentally accessed.
-.SS "Properties"
+.SS Properties
.IX Subsection "Properties"
The null provider defines no properties.
.SH "OPERATIONS AND ALGORITHMS"
@@ -153,14 +77,14 @@ The OpenSSL null provider supports no operations and algorithms.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This functionality was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7 b/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7
new file mode 100644
index 000000000000..fea2fcfc9468
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/OSSL_STORE-winstore.7
@@ -0,0 +1,123 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL_STORE-WINSTORE 7ossl"
+.TH OSSL_STORE-WINSTORE 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+OSSL_STORE\-winstore \- OpenSSL built in OSSL_STORE for Windows
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The OSSL_STORE implementation for Windows provides access to Windows' system
+\&\f(CW\*(C`ROOT\*(C'\fR certificate store through URIs, using the URI scheme
+\&\f(CW\*(C`org.openssl.winstore\*(C'\fR.
+.SS "Supported URIs"
+.IX Subsection "Supported URIs"
+There is only one supported URI:
+.PP
+.Vb 1
+\& org.openssl.winstore:
+.Ve
+.PP
+No authority (host, etc), no path, no query, no fragment.
+.SS "Supported OSSL_STORE_SEARCH operations"
+.IX Subsection "Supported OSSL_STORE_SEARCH operations"
+.IP \fBOSSL_STORE_SEARCH_by_name\fR\|(3) 4
+.IX Item "OSSL_STORE_SEARCH_by_name"
+As a matter of fact, this must be used. It is not possible to enumerate all
+available certificates in the store.
+.SS "Windows certificate store features"
+.IX Subsection "Windows certificate store features"
+Apart from diverse constraints present in the certificates themselves, the
+Windows certificate store also has the ability to associate additional
+constraining properties alongside a certificate in the store. This includes
+both documented and undocumented capabilities:
+.IP \(bu 4
+The documented capability to override EKU
+.IP \(bu 4
+The undocumented capability to add name constraints
+.IP \(bu 4
+The undocumented capability to override the certificate expiry date
+.PP
+\&\fISuch constraints are not checked by this OSSL_STORE implementation, and
+thereby not honoured\fR.
+.PP
+However, once extracted with \fBOSSL_STORE_load\fR\|(3), certificates that have
+constraints in their X.509 extensions will go through the usual constraint
+checks when used by OpenSSL, and are thereby honoured.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open_ex\fR\|(3), \fBOSSL_STORE_SEARCH\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The winstore (\f(CW\*(C`org.openssl.winstore\*(C'\fR) implementation was added in OpenSSL
+3.2.0.
+.SH NOTES
+.IX Header "NOTES"
+OpenSSL uses \fBOSSL_DECODER\fR\|(3) implementations under the hood.
+To influence what \fBOSSL_DECODER\fR\|(3) implementations are used, it's advisable
+to use \fBOSSL_STORE_open_ex\fR\|(3) and set the \fIpropq\fR argument.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/RAND.7 b/secure/lib/libcrypto/man/man7/RAND.7
index f2b8e4545944..f4e08aa1b066 100644
--- a/secure/lib/libcrypto/man/man7/RAND.7
+++ b/secure/lib/libcrypto/man/man7/RAND.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,91 +52,31 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND 7ossl"
-.TH RAND 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RAND 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RAND
\&\- the OpenSSL random generator
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Random numbers are a vital part of cryptography, they are needed to provide
unpredictability for tasks like key generation, creating salts, and many more.
Software-based generators must be seeded with external randomness before they
can be used as a cryptographically-secure pseudo-random number generator
-(\s-1CSPRNG\s0).
+(CSPRNG).
The availability of common hardware with special instructions and
modern operating systems, which may use items such as interrupt jitter
and network packet timings, can be reasonable sources of seeding material.
.PP
-OpenSSL comes with a default implementation of the \s-1RAND API\s0 which is based on
-the deterministic random bit generator (\s-1DRBG\s0) model as described in
-[\s-1NIST SP 800\-90A\s0 Rev. 1]. The default random generator will initialize
+OpenSSL comes with a default implementation of the RAND API which is based on
+the deterministic random bit generator (DRBG) model as described in
+[NIST SP 800\-90A Rev. 1]. The default random generator will initialize
automatically on first use and will be fully functional without having
to be initialized ('seeded') explicitly.
It seeds and reseeds itself automatically using trusted random sources
@@ -165,46 +89,55 @@ return value of \fBRAND_bytes\fR\|(3) and do not take randomness for granted.
Although (re\-)seeding is automatic, it can fail because no trusted random source
is available or the trusted source(s) temporarily fail to provide sufficient
random seed material.
-In this case the \s-1CSPRNG\s0 enters an error state and ceases to provide output,
+In this case the CSPRNG enters an error state and ceases to provide output,
until it is able to recover from the error by reseeding itself.
-For more details on reseeding and error recovery, see \s-1\fBEVP_RAND\s0\fR\|(7).
+For more details on reseeding and error recovery, see \fBEVP_RAND\fR\|(7).
.PP
For values that should remain secret, you can use \fBRAND_priv_bytes\fR\|(3)
instead.
This method does not provide 'better' randomness, it uses the same type of
-\&\s-1CSPRNG.\s0
-The intention behind using a dedicated \s-1CSPRNG\s0 exclusively for private
+CSPRNG.
+The intention behind using a dedicated CSPRNG exclusively for private
values is that none of its output should be visible to an attacker (e.g.,
used as salt value), in order to reveal as little information as
-possible about its internal state, and that a compromise of the \*(L"public\*(R"
-\&\s-1CSPRNG\s0 instance will not affect the secrecy of these private values.
+possible about its internal state, and that a compromise of the "public"
+CSPRNG instance will not affect the secrecy of these private values.
.PP
In the rare case where the default implementation does not satisfy your special
-requirements, the default \s-1RAND\s0 internals can be replaced by your own
-\&\s-1\fBEVP_RAND\s0\fR\|(3) objects.
+requirements, the default RAND internals can be replaced by your own
+\&\fBEVP_RAND\fR\|(3) objects.
.PP
Changing the default random generator should be necessary
only in exceptional cases and is not recommended, unless you have a profound
knowledge of cryptographic principles and understand the implications of your
changes.
+.PP
+Finally, it is possible for a provider to bypass the default RAND setup for
+\&\fBRAND_bytes\fR\|(3) and associated functions. A provider can be specified as the
+single randomness source via the \fBRAND_set1_random_provider\fR\|(3) function or via
+configuration using the \fBrandom_provider\fR option in \fBconfig\fR\|(5). Once specified,
+the nominated provider will be used directly when calling the \fBRAND_bytes\fR\|(3)
+family of functions.
.SH "DEFAULT SETUP"
.IX Header "DEFAULT SETUP"
-The default OpenSSL \s-1RAND\s0 method is based on the \s-1EVP_RAND\s0 deterministic random
-bit generator (\s-1DRBG\s0) classes.
-A \s-1DRBG\s0 is a certain type of cryptographically-secure pseudo-random
-number generator (\s-1CSPRNG\s0), which is described in [\s-1NIST SP 800\-90A\s0 Rev. 1].
+The default OpenSSL RAND method is based on the EVP_RAND deterministic random
+bit generator (DRBG) classes.
+A DRBG is a certain type of cryptographically-secure pseudo-random
+number generator (CSPRNG), which is described in [NIST SP 800\-90A Rev. 1].
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_priv_bytes\fR\|(3),
-\&\s-1\fBEVP_RAND\s0\fR\|(3),
+\&\fBEVP_RAND\fR\|(3),
\&\fBRAND_get0_primary\fR\|(3),
-\&\s-1\fBEVP_RAND\s0\fR\|(7)
-.SH "COPYRIGHT"
+\&\fBconfig\fR\|(5),
+\&\fBEVP_RAND\fR\|(7),
+\&\fBRAND_set1_random_provider\fR\|(3).
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/RSA-PSS.7 b/secure/lib/libcrypto/man/man7/RSA-PSS.7
index c00f3087f404..80ded36b648e 100644
--- a/secure/lib/libcrypto/man/man7/RSA-PSS.7
+++ b/secure/lib/libcrypto/man/man7/RSA-PSS.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,107 +52,47 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA-PSS 7ossl"
-.TH RSA-PSS 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH RSA-PSS 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
RSA\-PSS \- EVP_PKEY RSA\-PSS algorithm support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBRSA-PSS\fR \s-1EVP_PKEY\s0 implementation is a restricted version of the \s-1RSA\s0
+The \fBRSA-PSS\fR EVP_PKEY implementation is a restricted version of the RSA
algorithm which only supports signing, verification and key generation
-using \s-1PSS\s0 padding modes with optional parameter restrictions.
+using PSS padding modes with optional parameter restrictions.
.PP
It has associated private key and public key formats.
.PP
-This algorithm shares several control operations with the \fB\s-1RSA\s0\fR algorithm
+This algorithm shares several control operations with the \fBRSA\fR algorithm
but with some restrictions described below.
.SS "Signing and Verification"
.IX Subsection "Signing and Verification"
-Signing and verification is similar to the \fB\s-1RSA\s0\fR algorithm except the
-padding mode is always \s-1PSS.\s0 If the key in use has parameter restrictions then
+Signing and verification is similar to the \fBRSA\fR algorithm except the
+padding mode is always PSS. If the key in use has parameter restrictions then
the corresponding signature parameters are set to the restrictions:
-for example, if the key can only be used with digest \s-1SHA256, MGF1 SHA256\s0
-and minimum salt length 32 then the digest, \s-1MGF1\s0 digest and salt length
-will be set to \s-1SHA256, SHA256\s0 and 32 respectively.
+for example, if the key can only be used with digest SHA256, MGF1 SHA256
+and minimum salt length 32 then the digest, MGF1 digest and salt length
+will be set to SHA256, SHA256 and 32 respectively.
.SS "Key Generation"
.IX Subsection "Key Generation"
By default no parameter restrictions are placed on the generated key.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The public key format is documented in \s-1RFC4055.\s0
+The public key format is documented in RFC4055.
.PP
-The PKCS#8 private key format used for RSA-PSS keys is similar to the \s-1RSA\s0
-format except it uses the \fBid-RSASSA-PSS\fR \s-1OID\s0 and the parameters field, if
+The PKCS#8 private key format used for RSA-PSS keys is similar to the RSA
+format except it uses the \fBid-RSASSA-PSS\fR OID and the parameters field, if
present, restricts the key parameters in the same way as the public key.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
-\&\s-1RFC 4055\s0
+RFC 4055
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md\fR\|(3),
@@ -177,11 +101,11 @@ present, restricts the key parameters in the same way as the public key.
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/X25519.7 b/secure/lib/libcrypto/man/man7/X25519.7
index bf23c061e476..658f575865b8 100644
--- a/secure/lib/libcrypto/man/man7/X25519.7
+++ b/secure/lib/libcrypto/man/man7/X25519.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,89 +52,29 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X25519 7ossl"
-.TH X25519 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X25519 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
X25519,
X448
\&\- EVP_PKEY X25519 and X448 support
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \fBX25519\fR and \fBX448\fR \s-1EVP_PKEY\s0 implementation supports key generation and
+The \fBX25519\fR and \fBX448\fR EVP_PKEY implementation supports key generation and
key derivation using \fBX25519\fR and \fBX448\fR. It has associated private and public
-key formats compatible with \s-1RFC 8410.\s0
+key formats compatible with RFC 8410.
.PP
No additional parameters can be set during key generation.
.PP
The peer public key must be set using \fBEVP_PKEY_derive_set_peer()\fR when
performing key derivation.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
A context for the \fBX25519\fR algorithm can be obtained by calling:
.PP
@@ -172,11 +96,11 @@ the associated public key.
.PP
X25519 or X448 public keys can be set directly using
\&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo
-structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function).
-.SH "EXAMPLES"
+structure in a PEM file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function).
+.SH EXAMPLES
.IX Header "EXAMPLES"
This example generates an \fBX25519\fR private key and writes it to standard
-output in \s-1PEM\s0 format:
+output in PEM format:
.PP
.Vb 9
\& #include <openssl/evp.h>
@@ -198,11 +122,11 @@ The key derivation example in \fBEVP_PKEY_derive\fR\|(3) can be used with
\&\fBEVP_PKEY_keygen\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBEVP_PKEY_derive_set_peer\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/bio.7 b/secure/lib/libcrypto/man/man7/bio.7
index 7db46aad4e68..c371acf5d7ed 100644
--- a/secure/lib/libcrypto/man/man7/bio.7
+++ b/secure/lib/libcrypto/man/man7/bio.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,124 +52,82 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO 7ossl"
-.TH BIO 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH BIO 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
bio \- Basic I/O abstraction
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-A \s-1BIO\s0 is an I/O abstraction, it hides many of the underlying I/O
-details from an application. If an application uses a \s-1BIO\s0 for its
-I/O it can transparently handle \s-1SSL\s0 connections, unencrypted network
+A BIO is an I/O abstraction, it hides many of the underlying I/O
+details from an application. If an application uses a BIO for its
+I/O it can transparently handle SSL connections, unencrypted network
connections and file I/O.
.PP
-There are two types of \s-1BIO,\s0 a source/sink \s-1BIO\s0 and a filter \s-1BIO.\s0
+There are two types of BIO, a source/sink BIO and a filter BIO.
.PP
-As its name implies a source/sink \s-1BIO\s0 is a source and/or sink of data,
-examples include a socket \s-1BIO\s0 and a file \s-1BIO.\s0
+As its name implies a source/sink BIO is a source and/or sink of data,
+examples include a socket BIO and a file BIO.
.PP
-A filter \s-1BIO\s0 takes data from one \s-1BIO\s0 and passes it through to
+A filter BIO takes data from one BIO and passes it through to
another, or the application. The data may be left unmodified (for
-example a message digest \s-1BIO\s0) or translated (for example an
-encryption \s-1BIO\s0). The effect of a filter \s-1BIO\s0 may change according
+example a message digest BIO) or translated (for example an
+encryption BIO). The effect of a filter BIO may change according
to the I/O operation it is performing: for example an encryption
-\&\s-1BIO\s0 will encrypt data if it is being written to and decrypt data
+BIO will encrypt data if it is being written to and decrypt data
if it is being read from.
.PP
-BIOs can be joined together to form a chain (a single \s-1BIO\s0 is a chain
+BIOs can be joined together to form a chain (a single BIO is a chain
with one component). A chain normally consists of one source/sink
-\&\s-1BIO\s0 and one or more filter BIOs. Data read from or written to the
-first \s-1BIO\s0 then traverses the chain to the end (normally a source/sink
-\&\s-1BIO\s0).
+BIO and one or more filter BIOs. Data read from or written to the
+first BIO then traverses the chain to the end (normally a source/sink
+BIO).
.PP
Some BIOs (such as memory BIOs) can be used immediately after calling
\&\fBBIO_new()\fR. Others (such as file BIOs) need some additional initialization,
and frequently a utility function exists to create and initialize such BIOs.
.PP
-If \fBBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0 resulting
+If \fBBIO_free()\fR is called on a BIO chain it will only free one BIO resulting
in a memory leak.
.PP
-Calling \fBBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling
+Calling \fBBIO_free_all()\fR on a single BIO has the same effect as calling
\&\fBBIO_free()\fR on it other than the discarded return value.
.PP
Normally the \fItype\fR argument is supplied by a function which returns a
-pointer to a \s-1BIO_METHOD.\s0 There is a naming convention for such functions:
-a source/sink \s-1BIO\s0 typically starts with \fIBIO_s_\fR and
-a filter \s-1BIO\s0 with \fIBIO_f_\fR.
-.SH "EXAMPLES"
+pointer to a BIO_METHOD. There is a naming convention for such functions:
+a source/sink BIO typically starts with \fIBIO_s_\fR and
+a filter BIO with \fIBIO_f_\fR.
+.SS "TCP Fast Open"
+.IX Subsection "TCP Fast Open"
+TCP Fast Open (RFC7413), abbreviated "TFO", is supported by the BIO
+interface since OpenSSL 3.2. TFO is supported in the following operating systems:
+.IP \(bu 4
+Linux kernel 3.13 and later, where TFO is enabled by default.
+.IP \(bu 4
+Linux kernel 4.11 and later, using TCP_FASTOPEN_CONNECT.
+.IP \(bu 4
+FreeBSD 10.3 to 11.4, supports server TFO only.
+.IP \(bu 4
+FreeBSD 12.0 and later, supports both client and server TFO.
+.IP \(bu 4
+macOS 10.14 and later.
+.PP
+Each operating system has a slightly different API for TFO. Please
+refer to the operating systems' API documentation when using
+sockets directly.
+.SH EXAMPLES
.IX Header "EXAMPLES"
-Create a memory \s-1BIO:\s0
+Create a memory BIO:
.PP
.Vb 1
\& BIO *mem = BIO_new(BIO_s_mem());
@@ -197,7 +139,9 @@ Create a memory \s-1BIO:\s0
\&\fBBIO_f_cipher\fR\|(3), \fBBIO_f_md\fR\|(3),
\&\fBBIO_f_null\fR\|(3), \fBBIO_f_ssl\fR\|(3),
\&\fBBIO_f_readbuffer\fR\|(3),
-\&\fBBIO_find_type\fR\|(3), \fBBIO_new\fR\|(3),
+\&\fBBIO_find_type\fR\|(3),
+\&\fBBIO_get_conn_mode\fR\|(3),
+\&\fBBIO_new\fR\|(3),
\&\fBBIO_new_bio_pair\fR\|(3),
\&\fBBIO_push\fR\|(3), \fBBIO_read_ex\fR\|(3),
\&\fBBIO_s_accept\fR\|(3), \fBBIO_s_bio\fR\|(3),
@@ -205,12 +149,15 @@ Create a memory \s-1BIO:\s0
\&\fBBIO_s_file\fR\|(3), \fBBIO_s_mem\fR\|(3),
\&\fBBIO_s_null\fR\|(3), \fBBIO_s_socket\fR\|(3),
\&\fBBIO_set_callback\fR\|(3),
+\&\fBBIO_set_conn_mode\fR\|(3),
+\&\fBBIO_set_tfo\fR\|(3),
+\&\fBBIO_set_tfo_accept\fR\|(3),
\&\fBBIO_should_retry\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/crypto.7 b/secure/lib/libcrypto/man/man7/crypto.7
deleted file mode 100644
index 041c046d4b24..000000000000
--- a/secure/lib/libcrypto/man/man7/crypto.7
+++ /dev/null
@@ -1,687 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "CRYPTO 7ossl"
-.TH CRYPTO 7ossl "2023-09-19" "3.0.11" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-crypto \- OpenSSL cryptographic library
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-See the individual manual pages for details.
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The OpenSSL crypto library (\f(CW\*(C`libcrypto\*(C'\fR) implements a wide range of
-cryptographic algorithms used in various Internet standards. The services
-provided by this library are used by the OpenSSL implementations of \s-1TLS\s0 and
-\&\s-1CMS,\s0 and they have also been used to implement many other third party products
-and protocols.
-.PP
-The functionality includes symmetric encryption, public key cryptography, key
-agreement, certificate handling, cryptographic hash functions, cryptographic
-pseudo-random number generators, message authentication codes (MACs), key
-derivation functions (KDFs), and various utilities.
-.SS "Algorithms"
-.IX Subsection "Algorithms"
-Cryptographic primitives such as the \s-1SHA256\s0 digest, or \s-1AES\s0 encryption are
-referred to in OpenSSL as \*(L"algorithms\*(R". Each algorithm may have multiple
-implementations available for use. For example the \s-1RSA\s0 algorithm is available as
-a \*(L"default\*(R" implementation suitable for general use, and a \*(L"fips\*(R" implementation
-which has been validated to \s-1FIPS\s0 standards for situations where that is
-important. It is also possible that a third party could add additional
-implementations such as in a hardware security module (\s-1HSM\s0).
-.SS "Operations"
-.IX Subsection "Operations"
-Different algorithms can be grouped together by their purpose. For example there
-are algorithms for encryption, and different algorithms for digesting data.
-These different groups are known as \*(L"operations\*(R" in OpenSSL. Each operation
-has a different set of functions associated with it. For example to perform an
-encryption operation using \s-1AES\s0 (or any other encryption algorithm) you would use
-the encryption functions detailed on the \fBEVP_EncryptInit\fR\|(3) page. Or to
-perform a digest operation using \s-1SHA256\s0 then you would use the digesting
-functions on the \fBEVP_DigestInit\fR\|(3) page.
-.SS "Providers"
-.IX Subsection "Providers"
-A provider in OpenSSL is a component that collects together algorithm
-implementations. In order to use an algorithm you must have at least one
-provider loaded that contains an implementation of it. OpenSSL comes with a
-number of providers and they may also be obtained from third parties. If you
-don't load a provider explicitly (either in program code or via config) then the
-OpenSSL built-in \*(L"default\*(R" provider will be automatically loaded.
-.SS "Library contexts"
-.IX Subsection "Library contexts"
-A library context can be thought of as a \*(L"scope\*(R" within which configuration
-options take effect. When a provider is loaded, it is only loaded within the
-scope of a given library context. In this way it is possible for different
-components of a complex application to each use a different library context and
-have different providers loaded with different configuration settings.
-.PP
-If an application does not explicitly create a library context then the
-\&\*(L"default\*(R" library context will be used.
-.PP
-Library contexts are represented by the \fB\s-1OSSL_LIB_CTX\s0\fR type. Many OpenSSL \s-1API\s0
-functions take a library context as a parameter. Applications can always pass
-\&\fB\s-1NULL\s0\fR for this parameter to just use the default library context.
-.PP
-The default library context is automatically created the first time it is
-needed. This will automatically load any available configuration file and will
-initialise OpenSSL for use. Unlike in earlier versions of OpenSSL (prior to
-1.1.0) no explicit initialisation steps need to be taken.
-.PP
-Similarly when the application exits the default library context is
-automatically destroyed. No explicit de-initialisation steps need to be taken.
-.PP
-See \s-1\fBOSSL_LIB_CTX\s0\fR\|(3) for more information about library contexts.
-See also \*(L"\s-1ALGORITHM FETCHING\*(R"\s0.
-.SS "Multi-threaded applications"
-.IX Subsection "Multi-threaded applications"
-As long as OpenSSL has been built with support for threads (the default case
-on most platforms) then most OpenSSL \fIfunctions\fR are thread-safe in the sense
-that it is safe to call the same function from multiple threads at the same
-time. However most OpenSSL \fIdata structures\fR are not thread-safe. For example
-the \fBBIO_write\fR\|(3) and \fBBIO_read\fR\|(3) functions are thread safe. However it
-would not be thread safe to call \fBBIO_write()\fR from one thread while calling
-\&\fBBIO_read()\fR in another where both functions are passed the same \fB\s-1BIO\s0\fR object
-since both of them may attempt to make changes to the same \fB\s-1BIO\s0\fR object.
-.PP
-There are exceptions to these rules. A small number of functions are not thread
-safe at all. Where this is the case this restriction should be noted in the
-documentation for the function. Similarly some data structures may be partially
-or fully thread safe. For example it is safe to use an \fB\s-1OSSL_LIB_CTX\s0\fR in
-multiple threads.
-.PP
-See \fBopenssl\-threads\fR\|(7) for a more detailed discussion on OpenSSL threading
-support.
-.SH "ALGORITHM FETCHING"
-.IX Header "ALGORITHM FETCHING"
-In order to use an algorithm an implementation for it must first be \*(L"fetched\*(R".
-Fetching is the process of looking through the available implementations,
-applying selection criteria (via a property query string), and finally choosing
-the implementation that will be used.
-.PP
-Two types of fetching are supported by OpenSSL \- explicit fetching and implicit
-fetching.
-.SS "Property query strings"
-.IX Subsection "Property query strings"
-When fetching an algorithm it is possible to specify a property query string to
-guide the selection process. For example a property query string of
-\&\*(L"provider=default\*(R" could be used to force the selection to only consider
-algorithm implementations in the default provider.
-.PP
-Property query strings can be specified explicitly as an argument to a function.
-It is also possible to specify a default property query string for the whole
-library context using the \fBEVP_set_default_properties\fR\|(3) or
-\&\fBEVP_default_properties_enable_fips\fR\|(3) functions. Where both
-default properties and function specific properties are specified then they are
-combined. Function specific properties will override default properties where
-there is a conflict.
-.PP
-See \fBproperty\fR\|(7) for more information about properties.
-.SS "Explicit fetching"
-.IX Subsection "Explicit fetching"
-Users of the OpenSSL libraries never query a provider directly for an algorithm
-implementation. Instead, the diverse OpenSSL APIs often have explicit fetching
-functions that do the work, and they return an appropriate algorithm object back
-to the user. These functions usually have the name \f(CW\*(C`APINAME_fetch\*(C'\fR, where
-\&\f(CW\*(C`APINAME\*(C'\fR is the name of the operation. For example \fBEVP_MD_fetch\fR\|(3) can
-be used to explicitly fetch a digest algorithm implementation. The user is
-responsible for freeing the object returned from the \f(CW\*(C`APINAME_fetch\*(C'\fR function
-using \f(CW\*(C`APINAME_free\*(C'\fR when it is no longer needed.
-.PP
-These fetching functions follow a fairly common pattern, where three
-arguments are passed:
-.IP "The library context" 4
-.IX Item "The library context"
-See \s-1\fBOSSL_LIB_CTX\s0\fR\|(3) for a more detailed description.
-This may be \s-1NULL\s0 to signify the default (global) library context, or a
-context created by the user. Only providers loaded in this library context (see
-\&\fBOSSL_PROVIDER_load\fR\|(3)) will be considered by the fetching function. In case
-no provider has been loaded in this library context then the default provider
-will be loaded as a fallback (see \fBOSSL_PROVIDER\-default\fR\|(7)).
-.IP "An identifier" 4
-.IX Item "An identifier"
-For all currently implemented fetching functions this is the algorithm name.
-.IP "A property query string" 4
-.IX Item "A property query string"
-The property query string used to guide selection of the algorithm
-implementation.
-.PP
-The algorithm implementation that is fetched can then be used with other diverse
-functions that use them. For example the \fBEVP_DigestInit_ex\fR\|(3) function takes
-as a parameter an \fB\s-1EVP_MD\s0\fR object which may have been returned from an earlier
-call to \fBEVP_MD_fetch\fR\|(3).
-.SS "Implicit fetching"
-.IX Subsection "Implicit fetching"
-OpenSSL has a number of functions that return an algorithm object with no
-associated implementation, such as \fBEVP_sha256\fR\|(3), \fBEVP_aes_128_cbc\fR\|(3),
-\&\fBEVP_get_cipherbyname\fR\|(3) or \fBEVP_get_digestbyname\fR\|(3). These are present for
-compatibility with OpenSSL before version 3.0 where explicit fetching was not
-available.
-.PP
-When they are used with functions like \fBEVP_DigestInit_ex\fR\|(3) or
-\&\fBEVP_CipherInit_ex\fR\|(3), the actual implementation to be used is
-fetched implicitly using default search criteria.
-.PP
-In some cases implicit fetching can also occur when a \s-1NULL\s0 algorithm parameter
-is supplied. In this case an algorithm implementation is implicitly fetched
-using default search criteria and an algorithm name that is consistent with
-the context in which it is being used.
-.PP
-Functions that revolve around \fB\s-1EVP_PKEY_CTX\s0\fR and \s-1\fBEVP_PKEY\s0\fR\|(3), such as
-\&\fBEVP_DigestSignInit\fR\|(3) and friends, all fetch the implementations
-implicitly. Because these functions involve both an operation type (such as
-\&\s-1\fBEVP_SIGNATURE\s0\fR\|(3)) and an \s-1\fBEVP_KEYMGMT\s0\fR\|(3) for the \s-1\fBEVP_PKEY\s0\fR\|(3), they try
-the following:
-.IP "1." 4
-Fetch the operation type implementation from any provider given a library
-context and property string stored in the \fB\s-1EVP_PKEY_CTX\s0\fR.
-.Sp
-If the provider of the operation type implementation is different from the
-provider of the \s-1\fBEVP_PKEY\s0\fR\|(3)'s \s-1\fBEVP_KEYMGMT\s0\fR\|(3) implementation, try to
-fetch a \s-1\fBEVP_KEYMGMT\s0\fR\|(3) implementation in the same provider as the operation
-type implementation and export the \s-1\fBEVP_PKEY\s0\fR\|(3) to it (effectively making a
-temporary copy of the original key).
-.Sp
-If anything in this step fails, the next step is used as a fallback.
-.IP "2." 4
-As a fallback, try to fetch the operation type implementation from the same
-provider as the original \s-1\fBEVP_PKEY\s0\fR\|(3)'s \s-1\fBEVP_KEYMGMT\s0\fR\|(3), still using the
-property string from the \fB\s-1EVP_PKEY_CTX\s0\fR.
-.SS "Performance"
-.IX Subsection "Performance"
-If you perform the same operation many times then it is recommended to use
-\&\*(L"Explicit fetching\*(R" to prefetch an algorithm once initially,
-and then pass this created object to any operations that are currently
-using \*(L"Implicit fetching\*(R".
-See an example of Explicit fetching in \*(L"\s-1USING ALGORITHMS IN APPLICATIONS\*(R"\s0.
-.PP
-Prior to OpenSSL 3.0, constant method tables (such as \fBEVP_sha256()\fR) were used
-directly to access methods. If you pass one of these convenience functions
-to an operation the fixed methods are ignored, and only the name is used to
-internally fetch methods from a provider.
-.PP
-If the prefetched object is not passed to operations, then any implicit
-fetch will use the internally cached prefetched object, but it will
-still be slower than passing the prefetched object directly.
-.PP
-Fetching via a provider offers more flexibility, but it is slower than the
-old method, since it must search for the algorithm in all loaded providers,
-and then populate the method table using provider supplied methods.
-Internally OpenSSL caches similar algorithms on the first fetch
-(so loading a digest caches all digests).
-.PP
-The following methods can be used for prefetching:
-.IP "\fBEVP_MD_fetch\fR\|(3)" 4
-.IX Item "EVP_MD_fetch"
-.PD 0
-.IP "\fBEVP_CIPHER_fetch\fR\|(3)" 4
-.IX Item "EVP_CIPHER_fetch"
-.IP "\fBEVP_KDF_fetch\fR\|(3)" 4
-.IX Item "EVP_KDF_fetch"
-.IP "\fBEVP_MAC_fetch\fR\|(3)" 4
-.IX Item "EVP_MAC_fetch"
-.IP "\fBEVP_KEM_fetch\fR\|(3)" 4
-.IX Item "EVP_KEM_fetch"
-.IP "\fBOSSL_ENCODER_fetch\fR\|(3)" 4
-.IX Item "OSSL_ENCODER_fetch"
-.IP "\fBOSSL_DECODER_fetch\fR\|(3)" 4
-.IX Item "OSSL_DECODER_fetch"
-.IP "\fBEVP_RAND_fetch\fR\|(3)" 4
-.IX Item "EVP_RAND_fetch"
-.PD
-.PP
-The following methods are used internally when performing operations:
-.IP "\fBEVP_KEYMGMT_fetch\fR\|(3)" 4
-.IX Item "EVP_KEYMGMT_fetch"
-.PD 0
-.IP "\fBEVP_KEYEXCH_fetch\fR\|(3)" 4
-.IX Item "EVP_KEYEXCH_fetch"
-.IP "\fBEVP_SIGNATURE_fetch\fR\|(3)" 4
-.IX Item "EVP_SIGNATURE_fetch"
-.IP "\fBOSSL_STORE_LOADER_fetch\fR\|(3)" 4
-.IX Item "OSSL_STORE_LOADER_fetch"
-.PD
-.PP
-See \fBOSSL_PROVIDER\-default\fR\|(7), <\fBOSSL_PROVIDER\-fips\fR\|(7)> and
-<\fBOSSL_PROVIDER\-legacy\fR\|(7)>for a list of algorithm names that
-can be fetched.
-.SH "FETCHING EXAMPLES"
-.IX Header "FETCHING EXAMPLES"
-The following section provides a series of examples of fetching algorithm
-implementations.
-.PP
-Fetch any available implementation of \s-1SHA2\-256\s0 in the default context. Note
-that some algorithms have aliases. So \*(L"\s-1SHA256\*(R"\s0 and \*(L"\s-1SHA2\-256\*(R"\s0 are synonymous:
-.PP
-.Vb 3
-\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", NULL);
-\& ...
-\& EVP_MD_free(md);
-.Ve
-.PP
-Fetch any available implementation of \s-1AES\-128\-CBC\s0 in the default context:
-.PP
-.Vb 3
-\& EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES\-128\-CBC", NULL);
-\& ...
-\& EVP_CIPHER_free(cipher);
-.Ve
-.PP
-Fetch an implementation of \s-1SHA2\-256\s0 from the default provider in the default
-context:
-.PP
-.Vb 3
-\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider=default");
-\& ...
-\& EVP_MD_free(md);
-.Ve
-.PP
-Fetch an implementation of \s-1SHA2\-256\s0 that is not from the default provider in the
-default context:
-.PP
-.Vb 3
-\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider!=default");
-\& ...
-\& EVP_MD_free(md);
-.Ve
-.PP
-Fetch an implementation of \s-1SHA2\-256\s0 from the default provider in the specified
-context:
-.PP
-.Vb 3
-\& EVP_MD *md = EVP_MD_fetch(ctx, "SHA2\-256", "provider=default");
-\& ...
-\& EVP_MD_free(md);
-.Ve
-.PP
-Load the legacy provider into the default context and then fetch an
-implementation of \s-1WHIRLPOOL\s0 from it:
-.PP
-.Vb 2
-\& /* This only needs to be done once \- usually at application start up */
-\& OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
-\&
-\& EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy");
-\& ...
-\& EVP_MD_free(md);
-.Ve
-.PP
-Note that in the above example the property string \*(L"provider=legacy\*(R" is optional
-since, assuming no other providers have been loaded, the only implementation of
-the \*(L"whirlpool\*(R" algorithm is in the \*(L"legacy\*(R" provider. Also note that the
-default provider should be explicitly loaded if it is required in addition to
-other providers:
-.PP
-.Vb 3
-\& /* This only needs to be done once \- usually at application start up */
-\& OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
-\& OSSL_PROVIDER *default = OSSL_PROVIDER_load(NULL, "default");
-\&
-\& EVP_MD *md_whirlpool = EVP_MD_fetch(NULL, "whirlpool", NULL);
-\& EVP_MD *md_sha256 = EVP_MD_fetch(NULL, "SHA2\-256", NULL);
-\& ...
-\& EVP_MD_free(md_whirlpool);
-\& EVP_MD_free(md_sha256);
-.Ve
-.SH "OPENSSL PROVIDERS"
-.IX Header "OPENSSL PROVIDERS"
-OpenSSL comes with a set of providers.
-.PP
-The algorithms available in each of these providers may vary due to build time
-configuration options. The \fBopenssl\-list\fR\|(1) command can be used to list the
-currently available algorithms.
-.PP
-The names of the algorithms shown from \fBopenssl\-list\fR\|(1) can be used as an
-algorithm identifier to the appropriate fetching function. Also see the provider
-specific manual pages linked below for further details about using the
-algorithms available in each of the providers.
-.PP
-As well as the OpenSSL providers third parties can also implement providers.
-For information on writing a provider see \fBprovider\fR\|(7).
-.SS "Default provider"
-.IX Subsection "Default provider"
-The default provider is built in as part of the \fIlibcrypto\fR library and
-contains all of the most commonly used algorithm implementations. Should it be
-needed (if other providers are loaded and offer implementations of the same
-algorithms), the property query string \*(L"provider=default\*(R" can be used as a
-search criterion for these implementations. The default provider includes all
-of the functionality in the base provider below.
-.PP
-If you don't load any providers at all then the \*(L"default\*(R" provider will be
-automatically loaded. If you explicitly load any provider then the \*(L"default\*(R"
-provider would also need to be explicitly loaded if it is required.
-.PP
-See \fBOSSL_PROVIDER\-default\fR\|(7).
-.SS "Base provider"
-.IX Subsection "Base provider"
-The base provider is built in as part of the \fIlibcrypto\fR library and contains
-algorithm implementations for encoding and decoding for OpenSSL keys.
-Should it be needed (if other providers are loaded and offer
-implementations of the same algorithms), the property query string
-\&\*(L"provider=base\*(R" can be used as a search criterion for these implementations.
-Some encoding and decoding algorithm implementations are not \s-1FIPS\s0 algorithm
-implementations in themselves but support algorithms from the \s-1FIPS\s0 provider and
-are allowed for use in \*(L"\s-1FIPS\s0 mode\*(R". The property query string \*(L"fips=yes\*(R" can be
-used to select such algorithms.
-.PP
-See \fBOSSL_PROVIDER\-base\fR\|(7).
-.SS "\s-1FIPS\s0 provider"
-.IX Subsection "FIPS provider"
-The \s-1FIPS\s0 provider is a dynamically loadable module, and must therefore
-be loaded explicitly, either in code or through OpenSSL configuration
-(see \fBconfig\fR\|(5)). It contains algorithm implementations that have been
-validated according to the \s-1FIPS 140\-2\s0 standard. Should it be needed (if other
-providers are loaded and offer implementations of the same algorithms), the
-property query string \*(L"provider=fips\*(R" can be used as a search criterion for
-these implementations. All approved algorithm implementations in the \s-1FIPS\s0
-provider can also be selected with the property \*(L"fips=yes\*(R". The \s-1FIPS\s0 provider
-may also contain non-approved algorithm implementations and these can be
-selected with the property \*(L"fips=no\*(R".
-.PP
-See \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7) and \fBfips_module\fR\|(7).
-.SS "Legacy provider"
-.IX Subsection "Legacy provider"
-The legacy provider is a dynamically loadable module, and must therefore
-be loaded explicitly, either in code or through OpenSSL configuration
-(see \fBconfig\fR\|(5)). It contains algorithm implementations that are considered
-insecure, or are no longer in common use such as \s-1MD2\s0 or \s-1RC4.\s0 Should it be needed
-(if other providers are loaded and offer implementations of the same algorithms),
-the property \*(L"provider=legacy\*(R" can be used as a search criterion for these
-implementations.
-.PP
-See \fBOSSL_PROVIDER\-legacy\fR\|(7).
-.SS "Null provider"
-.IX Subsection "Null provider"
-The null provider is built in as part of the \fIlibcrypto\fR library. It contains
-no algorithms in it at all. When fetching algorithms the default provider will
-be automatically loaded if no other provider has been explicitly loaded. To
-prevent that from happening you can explicitly load the null provider.
-.PP
-See \fBOSSL_PROVIDER\-null\fR\|(7).
-.SH "USING ALGORITHMS IN APPLICATIONS"
-.IX Header "USING ALGORITHMS IN APPLICATIONS"
-Cryptographic algorithms are made available to applications through use of the
-\&\*(L"\s-1EVP\*(R"\s0 APIs. Each of the various operations such as encryption, digesting,
-message authentication codes, etc., have a set of \s-1EVP\s0 function calls that can
-be invoked to use them. See the \fBevp\fR\|(7) page for further details.
-.PP
-Most of these follow a common pattern. A \*(L"context\*(R" object is first created. For
-example for a digest operation you would use an \fB\s-1EVP_MD_CTX\s0\fR, and for an
-encryption/decryption operation you would use an \fB\s-1EVP_CIPHER_CTX\s0\fR. The
-operation is then initialised ready for use via an \*(L"init\*(R" function \- optionally
-passing in a set of parameters (using the \s-1\fBOSSL_PARAM\s0\fR\|(3) type) to configure how
-the operation should behave. Next data is fed into the operation in a series of
-\&\*(L"update\*(R" calls. The operation is finalised using a \*(L"final\*(R" call which will
-typically provide some kind of output. Finally the context is cleaned up and
-freed.
-.PP
-The following shows a complete example for doing this process for digesting
-data using \s-1SHA256.\s0 The process is similar for other operations such as
-encryption/decryption, signatures, message authentication codes, etc.
-.PP
-.Vb 4
-\& #include <stdio.h>
-\& #include <openssl/evp.h>
-\& #include <openssl/bio.h>
-\& #include <openssl/err.h>
-\&
-\& int main(void)
-\& {
-\& EVP_MD_CTX *ctx = NULL;
-\& EVP_MD *sha256 = NULL;
-\& const unsigned char msg[] = {
-\& 0x00, 0x01, 0x02, 0x03
-\& };
-\& unsigned int len = 0;
-\& unsigned char *outdigest = NULL;
-\& int ret = 1;
-\&
-\& /* Create a context for the digest operation */
-\& ctx = EVP_MD_CTX_new();
-\& if (ctx == NULL)
-\& goto err;
-\&
-\& /*
-\& * Fetch the SHA256 algorithm implementation for doing the digest. We\*(Aqre
-\& * using the "default" library context here (first NULL parameter), and
-\& * we\*(Aqre not supplying any particular search criteria for our SHA256
-\& * implementation (second NULL parameter). Any SHA256 implementation will
-\& * do.
-\& * In a larger application this fetch would just be done once, and could
-\& * be used for multiple calls to other operations such as EVP_DigestInit_ex().
-\& */
-\& sha256 = EVP_MD_fetch(NULL, "SHA256", NULL);
-\& if (sha256 == NULL)
-\& goto err;
-\&
-\& /* Initialise the digest operation */
-\& if (!EVP_DigestInit_ex(ctx, sha256, NULL))
-\& goto err;
-\&
-\& /*
-\& * Pass the message to be digested. This can be passed in over multiple
-\& * EVP_DigestUpdate calls if necessary
-\& */
-\& if (!EVP_DigestUpdate(ctx, msg, sizeof(msg)))
-\& goto err;
-\&
-\& /* Allocate the output buffer */
-\& outdigest = OPENSSL_malloc(EVP_MD_get_size(sha256));
-\& if (outdigest == NULL)
-\& goto err;
-\&
-\& /* Now calculate the digest itself */
-\& if (!EVP_DigestFinal_ex(ctx, outdigest, &len))
-\& goto err;
-\&
-\& /* Print out the digest result */
-\& BIO_dump_fp(stdout, outdigest, len);
-\&
-\& ret = 0;
-\&
-\& err:
-\& /* Clean up all the resources we allocated */
-\& OPENSSL_free(outdigest);
-\& EVP_MD_free(sha256);
-\& EVP_MD_CTX_free(ctx);
-\& if (ret != 0)
-\& ERR_print_errors_fp(stderr);
-\& return ret;
-\& }
-.Ve
-.SH "CONFIGURATION"
-.IX Header "CONFIGURATION"
-By default OpenSSL will load a configuration file when it is first used. This
-will set up various configuration settings within the default library context.
-Applications that create their own library contexts may optionally configure
-them with a config file using the \fBOSSL_LIB_CTX_load_config\fR\|(3) function.
-.PP
-The configuration file can be used to automatically load providers and set up
-default property query strings.
-.PP
-For information on the OpenSSL configuration file format see \fBconfig\fR\|(5).
-.SH "ENCODING AND DECODING KEYS"
-.IX Header "ENCODING AND DECODING KEYS"
-Many algorithms require the use of a key. Keys can be generated dynamically
-using the \s-1EVP\s0 APIs (for example see \fBEVP_PKEY_Q_keygen\fR\|(3)). However it is often
-necessary to save or load keys (or their associated parameters) to or from some
-external format such as \s-1PEM\s0 or \s-1DER\s0 (see \fBopenssl\-glossary\fR\|(7)). OpenSSL uses
-encoders and decoders to perform this task.
-.PP
-Encoders and decoders are just algorithm implementations in the same way as
-any other algorithm implementation in OpenSSL. They are implemented by
-providers. The OpenSSL encoders and decoders are available in the default
-provider. They are also duplicated in the base provider.
-.PP
-For information about encoders see \fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3). For
-information about decoders see \fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3).
-.SH "LIBRARY CONVENTIONS"
-.IX Header "LIBRARY CONVENTIONS"
-Many OpenSSL functions that \*(L"get\*(R" or \*(L"set\*(R" a value follow a naming convention
-using the numbers \fB0\fR and \fB1\fR, i.e. \*(L"get0\*(R", \*(L"get1\*(R", \*(L"set0\*(R" and \*(L"set1\*(R". This
-can also apply to some functions that \*(L"add\*(R" a value to an existing set, i.e.
-\&\*(L"add0\*(R" and \*(L"add1\*(R".
-.PP
-For example the functions:
-.PP
-.Vb 2
-\& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
-\& int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj);
-.Ve
-.PP
-In the \fB0\fR version the ownership of the object is passed to (for an add or set)
-or retained by (for a get) the parent object. For example after calling the
-\&\fBX509_CRL_add0_revoked()\fR function above, ownership of the \fIrev\fR object is passed
-to the \fIcrl\fR object. Therefore, after calling this function \fIrev\fR should not
-be freed directly. It will be freed implicitly when \fIcrl\fR is freed.
-.PP
-In the \fB1\fR version the ownership of the object is not passed to or retained by
-the parent object. Instead a copy or \*(L"up ref\*(R" of the object is performed. So
-after calling the \fBX509_add1_trust_object()\fR function above the application will
-still be responsible for freeing the \fIobj\fR value where appropriate.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fBopenssl\fR\|(1), \fBssl\fR\|(7), \fBevp\fR\|(7), \s-1\fBOSSL_LIB_CTX\s0\fR\|(3), \fBopenssl\-threads\fR\|(7),
-\&\fBproperty\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7), \fBOSSL_PROVIDER\-base\fR\|(7),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7), \fBOSSL_PROVIDER\-null\fR\|(7),
-\&\fBopenssl\-glossary\fR\|(7), \fBprovider\fR\|(7)
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ct.7 b/secure/lib/libcrypto/man/man7/ct.7
index 6b73b9cd7cb5..71326af6b0a6 100644
--- a/secure/lib/libcrypto/man/man7/ct.7
+++ b/secure/lib/libcrypto/man/man7/ct.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,97 +52,37 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CT 7ossl"
-.TH CT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH CT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ct \- Certificate Transparency
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-This library implements Certificate Transparency (\s-1CT\s0) verification for \s-1TLS\s0
-clients, as defined in \s-1RFC 6962.\s0 This verification can provide some confidence
-that a certificate has been publicly logged in a set of \s-1CT\s0 logs.
+This library implements Certificate Transparency (CT) verification for TLS
+clients, as defined in RFC 6962. This verification can provide some confidence
+that a certificate has been publicly logged in a set of CT logs.
.PP
By default, these checks are disabled. They can be enabled using
\&\fBSSL_CTX_enable_ct\fR\|(3) or \fBSSL_enable_ct\fR\|(3).
.PP
-This library can also be used to parse and examine \s-1CT\s0 data structures, such as
-Signed Certificate Timestamps (SCTs), or to read a list of \s-1CT\s0 logs. There are
+This library can also be used to parse and examine CT data structures, such as
+Signed Certificate Timestamps (SCTs), or to read a list of CT logs. There are
functions for:
-\&\- decoding and encoding SCTs in \s-1DER\s0 and \s-1TLS\s0 wire format.
+\&\- decoding and encoding SCTs in DER and TLS wire format.
\&\- printing SCTs.
\&\- verifying the authenticity of SCTs.
-\&\- loading a \s-1CT\s0 log list from a \s-1CONF\s0 file.
+\&\- loading a CT log list from a CONF file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_SCT_LIST\fR\|(3),
@@ -170,14 +94,14 @@ functions for:
\&\fBSCT_validate\fR\|(3),
\&\fBCT_POLICY_EVAL_CTX_new\fR\|(3),
\&\fBSSL_CTX_set_ct_validation_callback\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The ct library was added in OpenSSL 1.1.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/des_modes.7 b/secure/lib/libcrypto/man/man7/des_modes.7
index 2caeffd12c9c..081810f71b96 100644
--- a/secure/lib/libcrypto/man/man7/des_modes.7
+++ b/secure/lib/libcrypto/man/man7/des_modes.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,206 +52,146 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DES_MODES 7ossl"
-.TH DES_MODES 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH DES_MODES 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
des_modes \- the variants of DES and other crypto algorithms of OpenSSL
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Several crypto algorithms for OpenSSL can be used in a number of modes. Those
are used for using block ciphers in a way similar to stream ciphers, among
other things.
-.SH "OVERVIEW"
+.SH OVERVIEW
.IX Header "OVERVIEW"
-.SS "Electronic Codebook Mode (\s-1ECB\s0)"
+.SS "Electronic Codebook Mode (ECB)"
.IX Subsection "Electronic Codebook Mode (ECB)"
Normally, this is found as the function \fIalgorithm\fR\fB_ecb_encrypt()\fR.
-.IP "\(bu" 2
+.IP \(bu 2
64 bits are enciphered at a time.
-.IP "\(bu" 2
+.IP \(bu 2
The order of the blocks can be rearranged without detection.
-.IP "\(bu" 2
+.IP \(bu 2
The same plaintext block always produces the same ciphertext block
(for the same key) making it vulnerable to a 'dictionary attack'.
-.IP "\(bu" 2
+.IP \(bu 2
An error will only affect one ciphertext block.
-.SS "Cipher Block Chaining Mode (\s-1CBC\s0)"
+.SS "Cipher Block Chaining Mode (CBC)"
.IX Subsection "Cipher Block Chaining Mode (CBC)"
Normally, this is found as the function \fIalgorithm\fR\fB_cbc_encrypt()\fR.
-Be aware that \fBdes_cbc_encrypt()\fR is not really \s-1DES CBC\s0 (it does
-not update the \s-1IV\s0); use \fBdes_ncbc_encrypt()\fR instead.
-.IP "\(bu" 2
+Be aware that \fBdes_cbc_encrypt()\fR is not really DES CBC (it does
+not update the IV); use \fBdes_ncbc_encrypt()\fR instead.
+.IP \(bu 2
a multiple of 64 bits are enciphered at a time.
-.IP "\(bu" 2
-The \s-1CBC\s0 mode produces the same ciphertext whenever the same
+.IP \(bu 2
+The CBC mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.
-.IP "\(bu" 2
+.IP \(bu 2
The chaining operation makes the ciphertext blocks dependent on the
current and all preceding plaintext blocks and therefore blocks can not
be rearranged.
-.IP "\(bu" 2
+.IP \(bu 2
The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.
-.IP "\(bu" 2
+.IP \(bu 2
An error will affect the current and the following ciphertext blocks.
-.SS "Cipher Feedback Mode (\s-1CFB\s0)"
+.SS "Cipher Feedback Mode (CFB)"
.IX Subsection "Cipher Feedback Mode (CFB)"
Normally, this is found as the function \fIalgorithm\fR\fB_cfb_encrypt()\fR.
-.IP "\(bu" 2
+.IP \(bu 2
a number of bits (j) <= 64 are enciphered at a time.
-.IP "\(bu" 2
-The \s-1CFB\s0 mode produces the same ciphertext whenever the same
+.IP \(bu 2
+The CFB mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.
-.IP "\(bu" 2
+.IP \(bu 2
The chaining operation makes the ciphertext variables dependent on the
current and all preceding variables and therefore j\-bit variables are
chained together and can not be rearranged.
-.IP "\(bu" 2
+.IP \(bu 2
The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.
-.IP "\(bu" 2
-The strength of the \s-1CFB\s0 mode depends on the size of k (maximal if
+.IP \(bu 2
+The strength of the CFB mode depends on the size of k (maximal if
j == k). In my implementation this is always the case.
-.IP "\(bu" 2
+.IP \(bu 2
Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.
-.IP "\(bu" 2
+.IP \(bu 2
Only multiples of j bits can be enciphered.
-.IP "\(bu" 2
+.IP \(bu 2
An error will affect the current and the following ciphertext variables.
-.SS "Output Feedback Mode (\s-1OFB\s0)"
+.SS "Output Feedback Mode (OFB)"
.IX Subsection "Output Feedback Mode (OFB)"
Normally, this is found as the function \fIalgorithm\fR\fB_ofb_encrypt()\fR.
-.IP "\(bu" 2
+.IP \(bu 2
a number of bits (j) <= 64 are enciphered at a time.
-.IP "\(bu" 2
-The \s-1OFB\s0 mode produces the same ciphertext whenever the same
+.IP \(bu 2
+The OFB mode produces the same ciphertext whenever the same
plaintext enciphered using the same key and starting variable. More
-over, in the \s-1OFB\s0 mode the same key stream is produced when the same
+over, in the OFB mode the same key stream is produced when the same
key and start variable are used. Consequently, for security reasons
a specific start variable should be used only once for a given key.
-.IP "\(bu" 2
-The absence of chaining makes the \s-1OFB\s0 more vulnerable to specific attacks.
-.IP "\(bu" 2
+.IP \(bu 2
+The absence of chaining makes the OFB more vulnerable to specific attacks.
+.IP \(bu 2
The use of different start variables values prevents the same
plaintext enciphering to the same ciphertext, by producing different
key streams.
-.IP "\(bu" 2
+.IP \(bu 2
Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.
-.IP "\(bu" 2
+.IP \(bu 2
Only multiples of j bits can be enciphered.
-.IP "\(bu" 2
-\&\s-1OFB\s0 mode of operation does not extend ciphertext errors in the
+.IP \(bu 2
+OFB mode of operation does not extend ciphertext errors in the
resultant plaintext output. Every bit error in the ciphertext causes
only one bit to be in error in the deciphered plaintext.
-.IP "\(bu" 2
-\&\s-1OFB\s0 mode is not self-synchronizing. If the two operation of
+.IP \(bu 2
+OFB mode is not self-synchronizing. If the two operation of
encipherment and decipherment get out of synchronism, the system needs
to be re-initialized.
-.IP "\(bu" 2
+.IP \(bu 2
Each re-initialization should use a value of the start variable
different from the start variable values used before with the same
key. The reason for this is that an identical bit stream would be
produced each time from the same parameters. This would be
susceptible to a 'known plaintext' attack.
-.SS "Triple \s-1ECB\s0 Mode"
+.SS "Triple ECB Mode"
.IX Subsection "Triple ECB Mode"
Normally, this is found as the function \fIalgorithm\fR\fB_ecb3_encrypt()\fR.
-.IP "\(bu" 2
+.IP \(bu 2
Encrypt with key1, decrypt with key2 and encrypt with key3 again.
-.IP "\(bu" 2
-As for \s-1ECB\s0 encryption but increases the key length to 168 bits.
+.IP \(bu 2
+As for ECB encryption but increases the key length to 168 bits.
There are theoretic attacks that can be used that make the effective
key length 112 bits, but this attack also requires 2^56 blocks of
-memory, not very likely, even for the \s-1NSA.\s0
-.IP "\(bu" 2
+memory, not very likely, even for the NSA.
+.IP \(bu 2
If both keys are the same it is equivalent to encrypting once with
just one key.
-.IP "\(bu" 2
+.IP \(bu 2
If the first and last key are the same, the key length is 112 bits.
There are attacks that could reduce the effective key strength
to only slightly more than 56 bits, but these require a lot of memory.
-.IP "\(bu" 2
+.IP \(bu 2
If all 3 keys are the same, this is effectively the same as normal
ecb mode.
-.SS "Triple \s-1CBC\s0 Mode"
+.SS "Triple CBC Mode"
.IX Subsection "Triple CBC Mode"
Normally, this is found as the function \fIalgorithm\fR\fB_ede3_cbc_encrypt()\fR.
-.IP "\(bu" 2
+.IP \(bu 2
Encrypt with key1, decrypt with key2 and then encrypt with key3.
-.IP "\(bu" 2
-As for \s-1CBC\s0 encryption but increases the key length to 168 bits with
+.IP \(bu 2
+As for CBC encryption but increases the key length to 168 bits with
the same restrictions as for triple ecb mode.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
This text was been written in large parts by Eric Young in his original
documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
@@ -283,11 +207,11 @@ it to:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBF_encrypt\fR\|(3), \fBDES_crypt\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/evp.7 b/secure/lib/libcrypto/man/man7/evp.7
index 68d986344cf7..39a73cdf818e 100644
--- a/secure/lib/libcrypto/man/man7/evp.7
+++ b/secure/lib/libcrypto/man/man7/evp.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,137 +52,76 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP 7ossl"
-.TH EVP 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH EVP 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
evp \- high\-level cryptographic functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1EVP\s0 library provides a high-level interface to cryptographic
+The EVP library provides a high-level interface to cryptographic
functions.
.PP
-The \fBEVP_Seal\fR\fI\s-1XXX\s0\fR and \fBEVP_Open\fR\fI\s-1XXX\s0\fR
-functions provide public key encryption and decryption to implement digital \*(L"envelopes\*(R".
+The \fBEVP_Seal\fR\fIXXX\fR and \fBEVP_Open\fR\fIXXX\fR
+functions provide public key encryption and decryption to implement digital "envelopes".
.PP
-The \fBEVP_DigestSign\fR\fI\s-1XXX\s0\fR and
-\&\fBEVP_DigestVerify\fR\fI\s-1XXX\s0\fR functions implement
+The \fBEVP_DigestSign\fR\fIXXX\fR and
+\&\fBEVP_DigestVerify\fR\fIXXX\fR functions implement
digital signatures and Message Authentication Codes (MACs). Also see the older
-\&\fBEVP_Sign\fR\fI\s-1XXX\s0\fR and \fBEVP_Verify\fR\fI\s-1XXX\s0\fR
+\&\fBEVP_Sign\fR\fIXXX\fR and \fBEVP_Verify\fR\fIXXX\fR
functions.
.PP
-Symmetric encryption is available with the \fBEVP_Encrypt\fR\fI\s-1XXX\s0\fR
-functions. The \fBEVP_Digest\fR\fI\s-1XXX\s0\fR functions provide message digests.
+Symmetric encryption is available with the \fBEVP_Encrypt\fR\fIXXX\fR
+functions. The \fBEVP_Digest\fR\fIXXX\fR functions provide message digests.
.PP
-The \fB\s-1EVP_PKEY\s0\fR\fI\s-1XXX\s0\fR functions provide a high-level interface to
-asymmetric algorithms. To create a new \s-1EVP_PKEY\s0 see
+The \fBEVP_PKEY\fR\fIXXX\fR functions provide a high-level interface to
+asymmetric algorithms. To create a new EVP_PKEY see
\&\fBEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated
with a private key of a particular algorithm by using the functions
described on the \fBEVP_PKEY_fromdata\fR\|(3) page, or
new keys can be generated using \fBEVP_PKEY_keygen\fR\|(3).
EVP_PKEYs can be compared using \fBEVP_PKEY_eq\fR\|(3), or printed using
\&\fBEVP_PKEY_print_private\fR\|(3). \fBEVP_PKEY_todata\fR\|(3) can be used to convert a
-key back into an \s-1\fBOSSL_PARAM\s0\fR\|(3) array.
+key back into an \fBOSSL_PARAM\fR\|(3) array.
.PP
-The \s-1EVP_PKEY\s0 functions support the full range of asymmetric algorithm operations:
+The EVP_PKEY functions support the full range of asymmetric algorithm operations:
.IP "For key agreement see \fBEVP_PKEY_derive\fR\|(3)" 4
.IX Item "For key agreement see EVP_PKEY_derive"
.PD 0
.IP "For signing and verifying see \fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3). However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the \fBEVP_DigestSignInit\fR\|(3) functions for this purpose." 4
.IX Item "For signing and verifying see EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover. However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the EVP_DigestSignInit functions for this purpose."
-.ie n .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4
-.el .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ``digital envelope'' using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4
-.IX Item "For encryption and decryption see EVP_PKEY_encrypt and EVP_PKEY_decrypt respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a digital envelope using the EVP_SealInit and EVP_OpenInit functions."
+.IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4
+.IX Item "For encryption and decryption see EVP_PKEY_encrypt and EVP_PKEY_decrypt respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the EVP_SealInit and EVP_OpenInit functions."
.PD
.PP
The \fBEVP_BytesToKey\fR\|(3) function provides some limited support for password
-based encryption. Careful selection of the parameters will provide a PKCS#5 \s-1PBKDF1\s0 compatible
+based encryption. Careful selection of the parameters will provide a PKCS#5 PBKDF1 compatible
implementation. However, new applications should not typically use this (preferring, for example,
-\&\s-1PBKDF2\s0 from PCKS#5).
+PBKDF2 from PCKS#5).
.PP
-The \fBEVP_Encode\fR\fI\s-1XXX\s0\fR and
-\&\fBEVP_Decode\fR\fI\s-1XXX\s0\fR functions implement base 64 encoding
+The \fBEVP_Encode\fR\fIXXX\fR and
+\&\fBEVP_Decode\fR\fIXXX\fR functions implement base64 encoding
and decoding.
.PP
All the symmetric algorithms (ciphers), digests and asymmetric algorithms
-(public key algorithms) can be replaced by \s-1ENGINE\s0 modules providing alternative
-implementations. If \s-1ENGINE\s0 implementations of ciphers or digests are registered
-as defaults, then the various \s-1EVP\s0 functions will automatically use those
+(public key algorithms) can be replaced by ENGINE modules providing alternative
+implementations. If ENGINE implementations of ciphers or digests are registered
+as defaults, then the various EVP functions will automatically use those
implementations automatically in preference to built in software
implementations. For more information, consult the \fBengine\fR\|(3) man page.
.PP
Although low-level algorithm specific functions exist for many algorithms
-their use is discouraged. They cannot be used with an \s-1ENGINE\s0 and \s-1ENGINE\s0
+their use is discouraged. They cannot be used with an ENGINE and ENGINE
versions of new algorithms cannot be accessed using the low-level functions.
Also makes code harder to adapt to new algorithms and some options are not
cleanly supported at the low-level and some operations are more efficient
@@ -226,11 +149,11 @@ using the high-level interface.
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBEVP_BytesToKey\fR\|(3),
\&\fBENGINE_by_id\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/fips_module.7 b/secure/lib/libcrypto/man/man7/fips_module.7
index 313d92e192b4..2584377e91a0 100644
--- a/secure/lib/libcrypto/man/man7/fips_module.7
+++ b/secure/lib/libcrypto/man/man7/fips_module.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,114 +52,54 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "FIPS_MODULE 7ossl"
-.TH FIPS_MODULE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH FIPS_MODULE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
fips_module \- OpenSSL fips module guide
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
See the individual manual pages for details.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This guide details different ways that OpenSSL can be used in conjunction
-with the \s-1FIPS\s0 module. Which is the correct approach to use will depend on your
+with the FIPS module. Which is the correct approach to use will depend on your
own specific circumstances and what you are attempting to achieve.
.PP
-For information related to installing the \s-1FIPS\s0 module see
+For information related to installing the FIPS module see
<https://github.com/openssl/openssl/blob/master/README\-FIPS.md>.
.PP
Note that the old functions \fBFIPS_mode()\fR and \fBFIPS_mode_set()\fR are no longer
present so you must remove them from your application if you use them.
.PP
-Applications written to use the OpenSSL 3.0 \s-1FIPS\s0 module should not use any
-legacy APIs or features that avoid the \s-1FIPS\s0 module. Specifically this includes:
-.IP "\(bu" 4
-Low level cryptographic APIs (use the high level APIs, such as \s-1EVP,\s0 instead)
-.IP "\(bu" 4
+Applications written to use the OpenSSL 3.0 FIPS module should not use any
+legacy APIs or features that avoid the FIPS module. Specifically this includes:
+.IP \(bu 4
+Low level cryptographic APIs (use the high level APIs, such as EVP, instead)
+.IP \(bu 4
Engines
-.IP "\(bu" 4
-Any functions that create or modify custom \*(L"\s-1METHODS\*(R"\s0 (for example
+.IP \(bu 4
+Any functions that create or modify custom "METHODS" (for example
\&\fBEVP_MD_meth_new()\fR, \fBEVP_CIPHER_meth_new()\fR, \fBEVP_PKEY_meth_new()\fR, \fBRSA_meth_new()\fR,
\&\fBEC_KEY_METHOD_new()\fR, etc.)
.PP
All of the above APIs are deprecated in OpenSSL 3.0 \- so a simple rule is to
-avoid using all deprecated functions. See \fBmigration_guide\fR\|(7) for a list of
+avoid using all deprecated functions. See \fBossl\-guide\-migration\fR\|(7) for a list of
deprecated functions.
-.SS "Making all applications use the \s-1FIPS\s0 module by default"
+.SS "Making all applications use the FIPS module by default"
.IX Subsection "Making all applications use the FIPS module by default"
One simple approach is to cause all applications that are using OpenSSL to only
-use the \s-1FIPS\s0 module for cryptographic algorithms by default.
+use the FIPS module for cryptographic algorithms by default.
.PP
This approach can be done purely via configuration. As long as applications are
built and linked against OpenSSL 3.0 and do not override the loading of the
default config file or its settings then they can automatically start using the
-\&\s-1FIPS\s0 module without the need for any further code changes.
+FIPS module without the need for any further code changes.
.PP
To do this the default OpenSSL config file will have to be modified. The
location of this config file will depend on the platform, and any options that
@@ -184,7 +108,7 @@ file by running this command:
.PP
.Vb 2
\& $ openssl version \-d
-\& OPENSSLDIR: "/etc/ssl"
+\& OPENSSLDIR: "/usr/local/ssl"
.Ve
.PP
Caution: Many Operating Systems install OpenSSL by default. It is a common error
@@ -196,9 +120,9 @@ running an OpenSSL 3.0 version like this:
\& OpenSSL 3.0.0\-dev xx XXX xxxx (Library: OpenSSL 3.0.0\-dev xx XXX xxxx)
.Ve
.PP
-The \fB\s-1OPENSSLDIR\s0\fR value above gives the directory name for where the default
+The \fBOPENSSLDIR\fR value above gives the directory name for where the default
config file is stored. So in this case the default config file will be called
-\&\fI/etc/ssl/openssl.cnf\fR.
+\&\fI/usr/local/ssl/openssl.cnf\fR.
.PP
Edit the config file to add the following lines near the beginning:
.PP
@@ -206,10 +130,11 @@ Edit the config file to add the following lines near the beginning:
\& config_diagnostics = 1
\& openssl_conf = openssl_init
\&
-\& .include /etc/ssl/fipsmodule.cnf
+\& .include /usr/local/ssl/fipsmodule.cnf
\&
\& [openssl_init]
\& providers = provider_sect
+\& alg_section = algorithm_sect
\&
\& [provider_sect]
\& fips = fips_sect
@@ -217,53 +142,56 @@ Edit the config file to add the following lines near the beginning:
\&
\& [base_sect]
\& activate = 1
+\&
+\& [algorithm_sect]
+\& default_properties = fips=yes
.Ve
.PP
Obviously the include file location above should match the path and name of the
-\&\s-1FIPS\s0 module config file that you installed earlier.
+FIPS module config file that you installed earlier.
See <https://github.com/openssl/openssl/blob/master/README\-FIPS.md>.
.PP
-For \s-1FIPS\s0 usage, it is recommended that the \fBconfig_diagnostics\fR option is
+For FIPS usage, it is recommended that the \fBconfig_diagnostics\fR option is
enabled to prevent accidental use of non-FIPS validated algorithms via broken
or mistaken configuration. See \fBconfig\fR\|(5).
.PP
Any applications that use OpenSSL 3.0 and are started after these changes are
-made will start using only the \s-1FIPS\s0 module unless those applications take
+made will start using only the FIPS module unless those applications take
explicit steps to avoid this default behaviour. Note that this configuration
-also activates the \*(L"base\*(R" provider. The base provider does not include any
+also activates the "base" provider. The base provider does not include any
cryptographic algorithms (and therefore does not impact the validation status of
any cryptographic operations), but does include other supporting algorithms that
-may be required. It is designed to be used in conjunction with the \s-1FIPS\s0 module.
+may be required. It is designed to be used in conjunction with the FIPS module.
.PP
This approach has the primary advantage that it is simple, and no code changes
-are required in applications in order to benefit from the \s-1FIPS\s0 module. There are
+are required in applications in order to benefit from the FIPS module. There are
some disadvantages to this approach:
-.IP "\(bu" 4
-You may not want all applications to use the \s-1FIPS\s0 module.
+.IP \(bu 4
+You may not want all applications to use the FIPS module.
.Sp
It may be the case that some applications should and some should not use the
-\&\s-1FIPS\s0 module.
-.IP "\(bu" 4
+FIPS module.
+.IP \(bu 4
If applications take explicit steps to not load the default config file or
set different settings.
.Sp
This method will not work for these cases.
-.IP "\(bu" 4
-The algorithms available in the \s-1FIPS\s0 module are a subset of the algorithms
+.IP \(bu 4
+The algorithms available in the FIPS module are a subset of the algorithms
that are available in the default OpenSSL Provider.
.Sp
If any applications attempt to use any algorithms that are not present,
then they will fail.
-.IP "\(bu" 4
-Usage of certain deprecated APIs avoids the use of the \s-1FIPS\s0 module.
+.IP \(bu 4
+Usage of certain deprecated APIs avoids the use of the FIPS module.
.Sp
-If any applications use those APIs then the \s-1FIPS\s0 module will not be used.
-.SS "Selectively making applications use the \s-1FIPS\s0 module by default"
+If any applications use those APIs then the FIPS module will not be used.
+.SS "Selectively making applications use the FIPS module by default"
.IX Subsection "Selectively making applications use the FIPS module by default"
A variation on the above approach is to do the same thing on an individual
application basis. The default OpenSSL config file depends on the compiled in
-value for \fB\s-1OPENSSLDIR\s0\fR as described in the section above. However it is also
-possible to override the config file to be used via the \fB\s-1OPENSSL_CONF\s0\fR
+value for \fBOPENSSLDIR\fR as described in the section above. However it is also
+possible to override the config file to be used via the \fBOPENSSL_CONF\fR
environment variable. For example the following, on Unix, will cause the
application to be executed with a non-standard config file location:
.PP
@@ -272,26 +200,26 @@ application to be executed with a non-standard config file location:
.Ve
.PP
Using this mechanism you can control which config file is loaded (and hence
-whether the \s-1FIPS\s0 module is loaded) on an application by application basis.
+whether the FIPS module is loaded) on an application by application basis.
.PP
This removes the disadvantage listed above that you may not want all
-applications to use the \s-1FIPS\s0 module. All the other advantages and disadvantages
+applications to use the FIPS module. All the other advantages and disadvantages
still apply.
-.SS "Programmatically loading the \s-1FIPS\s0 module (default library context)"
+.SS "Programmatically loading the FIPS module (default library context)"
.IX Subsection "Programmatically loading the FIPS module (default library context)"
-Applications may choose to load the \s-1FIPS\s0 provider explicitly rather than relying
+Applications may choose to load the FIPS provider explicitly rather than relying
on config to do this. The config file is still necessary in order to hold the
-\&\s-1FIPS\s0 module config data (such as its self test status and integrity data). But
-in this case we do not automatically activate the \s-1FIPS\s0 provider via that config
+FIPS module config data (such as its self test status and integrity data). But
+in this case we do not automatically activate the FIPS provider via that config
file.
.PP
To do things this way configure as per
-\&\*(L"Making all applications use the \s-1FIPS\s0 module by default\*(R" above, but edit the
+"Making all applications use the FIPS module by default" above, but edit the
\&\fIfipsmodule.cnf\fR file to remove or comment out the line which says
\&\f(CW\*(C`activate = 1\*(C'\fR (note that setting this value to 0 is \fInot\fR sufficient).
This means all the required config information will be available to load the
-\&\s-1FIPS\s0 module, but it is not automatically loaded when the application starts. The
-\&\s-1FIPS\s0 provider can then be loaded programmatically like this:
+FIPS module, but it is not automatically loaded when the application starts. The
+FIPS provider can then be loaded programmatically like this:
.PP
.Vb 1
\& #include <openssl/provider.h>
@@ -325,31 +253,31 @@ Note that this should be one of the first things that you do in your
application. If any OpenSSL functions get called that require the use of
cryptographic functions before this occurs then, if no provider has yet been
loaded, then the default provider will be automatically loaded. If you then
-later explicitly load the \s-1FIPS\s0 provider then you will have both the \s-1FIPS\s0 and the
-default provider loaded at the same time. It is undefined which implementation
+later explicitly load the FIPS provider then you will have both the FIPS and the
+default provider loaded at the same time. It is unspecified which implementation
of an algorithm will be used if multiple implementations are available and you
have not explicitly specified via a property query (see below) which one should
be used.
.PP
-Also note that in this example we have additionally loaded the \*(L"base\*(R" provider.
+Also note that in this example we have additionally loaded the "base" provider.
This loads a sub-set of algorithms that are also available in the default
provider \- specifically non cryptographic ones which may be used in conjunction
-with the \s-1FIPS\s0 provider. For example this contains algorithms for encoding and
+with the FIPS provider. For example this contains algorithms for encoding and
decoding keys. If you decide not to load the default provider then you
will usually want to load the base provider instead.
.PP
-In this example we are using the \*(L"default\*(R" library context. OpenSSL functions
+In this example we are using the "default" library context. OpenSSL functions
operate within the scope of a library context. If no library context is
explicitly specified then the default library context is used. For further
-details about library contexts see the \s-1\fBOSSL_LIB_CTX\s0\fR\|(3) man page.
-.SS "Loading the \s-1FIPS\s0 module at the same time as other providers"
+details about library contexts see the \fBOSSL_LIB_CTX\fR\|(3) man page.
+.SS "Loading the FIPS module at the same time as other providers"
.IX Subsection "Loading the FIPS module at the same time as other providers"
-It is possible to have the \s-1FIPS\s0 provider and other providers (such as the
+It is possible to have the FIPS provider and other providers (such as the
default provider) all loaded at the same time into the same library context. You
can use a property query string during algorithm fetches to specify which
implementation you would like to use.
.PP
-For example to fetch an implementation of \s-1SHA256\s0 which conforms to \s-1FIPS\s0
+For example to fetch an implementation of SHA256 which conforms to FIPS
standards you can specify the property query \f(CW\*(C`fips=yes\*(C'\fR like this:
.PP
.Vb 1
@@ -359,10 +287,10 @@ standards you can specify the property query \f(CW\*(C`fips=yes\*(C'\fR like thi
.Ve
.PP
If no property query is specified, or more than one implementation matches the
-property query then it is undefined which implementation of a particular
+property query then it is unspecified which implementation of a particular
algorithm will be returned.
.PP
-This example shows an explicit request for an implementation of \s-1SHA256\s0 from the
+This example shows an explicit request for an implementation of SHA256 from the
default provider:
.PP
.Vb 1
@@ -386,29 +314,29 @@ same property name is specified in both.
.PP
There are two important built-in properties that you should be aware of:
.PP
-The \*(L"provider\*(R" property enables you to specify which provider you want an
+The "provider" property enables you to specify which provider you want an
implementation to be fetched from, e.g. \f(CW\*(C`provider=default\*(C'\fR or \f(CW\*(C`provider=fips\*(C'\fR.
All algorithms implemented in a provider have this property set on them.
.PP
-There is also the \f(CW\*(C`fips\*(C'\fR property. All \s-1FIPS\s0 algorithms match against the
+There is also the \f(CW\*(C`fips\*(C'\fR property. All FIPS algorithms match against the
property query \f(CW\*(C`fips=yes\*(C'\fR. There are also some non-cryptographic algorithms
available in the default and base providers that also have the \f(CW\*(C`fips=yes\*(C'\fR
property defined for them. These are the encoder and decoder algorithms that
-can (for example) be used to write out a key generated in the \s-1FIPS\s0 provider to a
-file. The encoder and decoder algorithms are not in the \s-1FIPS\s0 module itself but
-are allowed to be used in conjunction with the \s-1FIPS\s0 algorithms.
+can (for example) be used to write out a key generated in the FIPS provider to a
+file. The encoder and decoder algorithms are not in the FIPS module itself but
+are allowed to be used in conjunction with the FIPS algorithms.
.PP
It is possible to specify default properties within a config file. For example
-the following config file automatically loads the default and \s-1FIPS\s0 providers and
+the following config file automatically loads the default and FIPS providers and
sets the default property value to be \f(CW\*(C`fips=yes\*(C'\fR. Note that this config file
-does not load the \*(L"base\*(R" provider. All supporting algorithms that are in \*(L"base\*(R"
-are also in \*(L"default\*(R", so it is unnecessary in this case:
+does not load the "base" provider. All supporting algorithms that are in "base"
+are also in "default", so it is unnecessary in this case:
.PP
.Vb 2
\& config_diagnostics = 1
\& openssl_conf = openssl_init
\&
-\& .include /etc/ssl/fipsmodule.cnf
+\& .include /usr/local/ssl/fipsmodule.cnf
\&
\& [openssl_init]
\& providers = provider_sect
@@ -424,12 +352,12 @@ are also in \*(L"default\*(R", so it is unnecessary in this case:
\& [algorithm_sect]
\& default_properties = fips=yes
.Ve
-.SS "Programmatically loading the \s-1FIPS\s0 module (nondefault library context)"
+.SS "Programmatically loading the FIPS module (nondefault library context)"
.IX Subsection "Programmatically loading the FIPS module (nondefault library context)"
-In addition to using properties to separate usage of the \s-1FIPS\s0 module from other
+In addition to using properties to separate usage of the FIPS module from other
usages this can also be achieved using library contexts. In this example we
create two library contexts. In one we assume the existence of a config file
-called \fIopenssl\-fips.cnf\fR that automatically loads and configures the \s-1FIPS\s0 and
+called \fIopenssl\-fips.cnf\fR that automatically loads and configures the FIPS and
base providers. The other library context will just use the default provider.
.PP
.Vb 4
@@ -459,6 +387,14 @@ base providers. The other library context will just use the default provider.
\& goto err;
\&
\& /*
+\& * Set the default property query on the FIPS library context to
+\& * ensure that only FIPS algorithms can be used. There are a few non\-FIPS
+\& * approved algorithms in the FIPS provider for backward compatibility reasons.
+\& */
+\& if (!EVP_set_default_properties(fips_libctx, "fips=yes"))
+\& goto err;
+\&
+\& /*
\& * We don\*(Aqt need to do anything special to load the default
\& * provider into nonfips_libctx. This happens automatically if no
\& * other providers are loaded.
@@ -493,53 +429,53 @@ base providers. The other library context will just use the default provider.
\& return ret;
.Ve
.PP
-Note that we have made use of the special \*(L"null\*(R" provider here which we load
+Note that we have made use of the special "null" provider here which we load
into the default library context. We could have chosen to use the default
-library context for \s-1FIPS\s0 usage, and just create one additional library context
+library context for FIPS usage, and just create one additional library context
for other usages \- or vice versa. However if code has not been converted to use
library contexts then the default library context will be automatically used.
This could be the case for your own existing applications as well as certain
parts of OpenSSL itself. Not all parts of OpenSSL are library context aware. If
-this happens then you could \*(L"accidentally\*(R" use the wrong library context for a
-particular operation. To be sure this doesn't happen you can load the \*(L"null\*(R"
+this happens then you could "accidentally" use the wrong library context for a
+particular operation. To be sure this doesn't happen you can load the "null"
provider into the default library context. Because a provider has been
explicitly loaded, the default provider will not automatically load. This means
code using the default context by accident will fail because no algorithms will
be available.
.PP
-See \*(L"Library Context\*(R" in \fBmigration_guide\fR\|(7) for additional information about the
+See "Library Context" in \fBossl\-guide\-migration\fR\|(7) for additional information about the
Library Context.
-.SS "Using Encoders and Decoders with the \s-1FIPS\s0 module"
+.SS "Using Encoders and Decoders with the FIPS module"
.IX Subsection "Using Encoders and Decoders with the FIPS module"
Encoders and decoders are used to read and write keys or parameters from or to
-some external format (for example a \s-1PEM\s0 file). If your application generates
-keys or parameters that then need to be written into \s-1PEM\s0 or \s-1DER\s0 format
+some external format (for example a PEM file). If your application generates
+keys or parameters that then need to be written into PEM or DER format
then it is likely that you will need to use an encoder to do this. Similarly
you need a decoder to read previously saved keys and parameters. In most cases
this will be invisible to you if you are using APIs that existed in
OpenSSL 1.1.1 or earlier such as \fBi2d_PrivateKey\fR\|(3). However the appropriate
encoder/decoder will need to be available in the library context associated with
the key or parameter object. The built-in OpenSSL encoders and decoders are
-implemented in both the default and base providers and are not in the \s-1FIPS\s0
+implemented in both the default and base providers and are not in the FIPS
module boundary. However since they are not cryptographic algorithms themselves
-it is still possible to use them in conjunction with the \s-1FIPS\s0 module, and
+it is still possible to use them in conjunction with the FIPS module, and
therefore these encoders/decoders have the \f(CW\*(C`fips=yes\*(C'\fR property against them.
You should ensure that either the default or base provider is loaded into the
library context in this case.
-.SS "Using the \s-1FIPS\s0 module in \s-1SSL/TLS\s0"
+.SS "Using the FIPS module in SSL/TLS"
.IX Subsection "Using the FIPS module in SSL/TLS"
-Writing an application that uses libssl in conjunction with the \s-1FIPS\s0 module is
+Writing an application that uses libssl in conjunction with the FIPS module is
much the same as writing a normal libssl application. If you are using global
-properties and the default library context to specify usage of \s-1FIPS\s0 validated
+properties and the default library context to specify usage of FIPS validated
algorithms then this will happen automatically for all cryptographic algorithms
-in libssl. If you are using a nondefault library context to load the \s-1FIPS\s0
+in libssl. If you are using a nondefault library context to load the FIPS
provider then you can supply this to libssl using the function
\&\fBSSL_CTX_new_ex\fR\|(3). This works as a drop in replacement for the function
\&\fBSSL_CTX_new\fR\|(3) except it provides you with the capability to specify the
library context to be used. You can also use the same function to specify
libssl specific properties to use.
.PP
-In this first example we create two \s-1SSL_CTX\s0 objects using two different library
+In this first example we create two SSL_CTX objects using two different library
contexts.
.PP
.Vb 11
@@ -547,7 +483,7 @@ contexts.
\& * We assume that a nondefault library context with the FIPS
\& * provider loaded has been created called fips_libctx.
\& */
-\& SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, NULL, TLS_method());
+\& SSL_CTX *fips_ssl_ctx = SSL_CTX_new_ex(fips_libctx, "fips=yes", TLS_method());
\& /*
\& * We assume that a nondefault library context with the default
\& * provider loaded has been created called non_fips_libctx.
@@ -556,8 +492,8 @@ contexts.
\& TLS_method());
.Ve
.PP
-In this second example we create two \s-1SSL_CTX\s0 objects using different properties
-to specify \s-1FIPS\s0 usage:
+In this second example we create two SSL_CTX objects using different properties
+to specify FIPS usage:
.PP
.Vb 10
\& /*
@@ -574,42 +510,132 @@ to specify \s-1FIPS\s0 usage:
\& SSL_CTX *non_fips_ssl_ctx = SSL_CTX_new_ex(NULL, "provider!=fips",
\& TLS_method());
.Ve
-.SS "Confirming that an algorithm is being provided by the \s-1FIPS\s0 module"
+.SS "Confirming that an algorithm is being provided by the FIPS module"
.IX Subsection "Confirming that an algorithm is being provided by the FIPS module"
A chain of links needs to be followed to go from an algorithm instance to the
provider that implements it. The process is similar for all algorithms. Here the
example of a digest is used.
.PP
-To go from an \fB\s-1EVP_MD_CTX\s0\fR to an \fB\s-1EVP_MD\s0\fR, use \fBEVP_MD_CTX_md\fR\|(3) .
-To go from the \fB\s-1EVP_MD\s0\fR to its \fB\s-1OSSL_PROVIDER\s0\fR,
+To go from an \fBEVP_MD_CTX\fR to an \fBEVP_MD\fR, use \fBEVP_MD_CTX_md\fR\|(3) .
+To go from the \fBEVP_MD\fR to its \fBOSSL_PROVIDER\fR,
use \fBEVP_MD_get0_provider\fR\|(3).
-To extract the name from the \fB\s-1OSSL_PROVIDER\s0\fR, use
+To extract the name from the \fBOSSL_PROVIDER\fR, use
\&\fBOSSL_PROVIDER_get0_name\fR\|(3).
-.SH "NOTES"
+.SS "FIPS indicators"
+.IX Subsection "FIPS indicators"
+FIPS indicators have been added to the FIPS provider in OpenSSL 3.4.
+FIPS 140\-3 requires indicators to be used if the FIPS provider allows non
+approved algorithms. An algorithm is approved if it passes all required checks
+such as minimum key size. By default an error will occur if any check fails.
+For backwards compatibility individual algorithms may override the checks by
+using either an option in the FIPS configuration (See
+"FIPS indicator options" in \fBfips_config\fR\|(5)) OR in code using an algorithm context
+setter. Overriding the check means that the algorithm is not FIPS compliant.
+\&\fBOSSL_INDICATOR_set_callback\fR\|(3) can be called to register a callback to log
+unapproved algorithms. At the end of any algorithm operation the approved status
+can be queried using an algorithm context getter to retrieve the indicator
+(e.g. "fips-indicator").
+An example of an algorithm context setter is "key-check"
+in "Supported parameters" in \fBEVP_KDF\-HKDF\fR\|(7).
+.PP
+The following algorithms use "fips-indicator" to query if the algorithm
+is approved:
+.IP "DSA Key generation" 4
+.IX Item "DSA Key generation"
+DSA Key generation is no longer approved.
+See "DSA parameters" in \fBEVP_PKEY\-DSA\fR\|(7)
+.IP "DSA Signatures" 4
+.IX Item "DSA Signatures"
+DSA Signature generation is no longer approved.
+See "Signature Parameters" in \fBEVP_SIGNATURE\-DSA\fR\|(7)
+.IP "ECDSA Signatures" 4
+.IX Item "ECDSA Signatures"
+See "ECDSA Signature Parameters" in \fBEVP_SIGNATURE\-ECDSA\fR\|(7)
+.IP "EC Key Generation" 4
+.IX Item "EC Key Generation"
+See "Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7)
+.IP "RSA Encryption" 4
+.IX Item "RSA Encryption"
+"pkcs1" padding is no longer approved.
+.Sp
+See "RSA Asymmetric Cipher parameters" in \fBEVP_ASYM_CIPHER\-RSA\fR\|(7) and
+"RSA KEM parameters" in \fBEVP_KEM\-RSA\fR\|(7)
+.IP "RSA Signatures" 4
+.IX Item "RSA Signatures"
+See "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7)
+.IP DRBGS 4
+.IX Item "DRBGS"
+See "Supported parameters" in \fBEVP_RAND\-HASH\-DRBG\fR\|(7) and
+\&\fBEVP_RAND\-HMAC\-DRBG\fR\|(7)/Supported parameters>
+.IP DES 4
+.IX Item "DES"
+Triple-DES is not longer approved for encryption.
+See "Parameters" in \fBEVP_CIPHER\-DES\fR\|(7)
+.IP DH 4
+.IX Item "DH"
+See "DH and DHX key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7)
+.IP ECDH 4
+.IX Item "ECDH"
+See "ECDH Key Exchange parameters" in \fBEVP_KEYEXCH\-ECDH\fR\|(7)
+.IP KDFS 4
+.IX Item "KDFS"
+See relevant KDF documentation e.g. "Supported parameters" in \fBEVP_KDF\-HKDF\fR\|(7)
+.IP "CMAC and KMAC" 4
+.IX Item "CMAC and KMAC"
+See "Supported parameters" in \fBEVP_MAC\-CMAC\fR\|(7) and
+"Supported parameters" in \fBEVP_MAC\-KMAC\fR\|(7)
+.PP
+The following FIPS algorithms are unapproved and use the "fips-indicator".
+.IP RAND-TEST-RAND 4
+.IX Item "RAND-TEST-RAND"
+See "Supported parameters" in \fBEVP_RAND\-TEST\-RAND\fR\|(7)
+The indicator callback is NOT triggered for this algorithm since it is used
+internally for non security purposes.
+.IP "X25519 and X448 Key Generation and Key Exchange" 4
+.IX Item "X25519 and X448 Key Generation and Key Exchange"
+.PP
+The unapproved (non FIPS validated) algorithms have a property query value of
+"fips=no".
+.PP
+The following algorithms use a unique indicator and do not trigger the
+indicator callback.
+.IP "AES-GCM ciphers support the indicator ""iv-generated""" 4
+.IX Item "AES-GCM ciphers support the indicator ""iv-generated"""
+See "PARAMETERS" in \fBEVP_EncryptInit\fR\|(3) for further information.
+.IP "ECDSA and RSA Signatures support the indicator ""verify-message""." 4
+.IX Item "ECDSA and RSA Signatures support the indicator ""verify-message""."
+See "ECDSA Signature Parameters" in \fBEVP_SIGNATURE\-ECDSA\fR\|(7) and
+"Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7) /for further information.
+.SH NOTES
.IX Header "NOTES"
Some released versions of OpenSSL do not include a validated
-\&\s-1FIPS\s0 provider. To determine which versions have undergone
+FIPS provider. To determine which versions have undergone
the validation process, please refer to the
OpenSSL Downloads page <https://www.openssl.org/source/>. If you
-require FIPS-approved functionality, it is essential to build your \s-1FIPS\s0
+require FIPS-approved functionality, it is essential to build your FIPS
provider using one of the validated versions listed there. Normally,
-it is possible to utilize a \s-1FIPS\s0 provider constructed from one of the
+it is possible to utilize a FIPS provider constructed from one of the
validated versions alongside \fIlibcrypto\fR and \fIlibssl\fR compiled from any
release within the same major release series. This flexibility enables
-you to address bug fixes and CVEs that fall outside the \s-1FIPS\s0 boundary.
+you to address bug fixes and CVEs that fall outside the FIPS boundary.
+.PP
+As the FIPS provider still supports non-FIPS validated algorithms,
+The property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that
+want to operate in a FIPS approved manner.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBmigration_guide\fR\|(7), \fBcrypto\fR\|(7), \fBfips_config\fR\|(5),
+\&\fBossl\-guide\-migration\fR\|(7), \fBcrypto\fR\|(7), \fBfips_config\fR\|(5),
<https://www.openssl.org/source/>
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1FIPS\s0 module guide was created for use with the new \s-1FIPS\s0 provider
+The FIPS module guide was created for use with the new FIPS provider
in OpenSSL 3.0.
-.SH "COPYRIGHT"
+FIPS indicators were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-cipher.7 b/secure/lib/libcrypto/man/man7/life_cycle-cipher.7
index 73e9ba528c9a..20982d9729e3 100644
--- a/secure/lib/libcrypto/man/man7/life_cycle-cipher.7
+++ b/secure/lib/libcrypto/man/man7/life_cycle-cipher.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,90 +52,30 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIFE_CYCLE-CIPHER 7ossl"
-.TH LIFE_CYCLE-CIPHER 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH LIFE_CYCLE-CIPHER 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
life_cycle\-cipher \- The cipher algorithm life\-cycle
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All symmetric ciphers (CIPHERs) go through a number of stages in their
life-cycle:
-.IP "start" 4
+.IP start 4
.IX Item "start"
-This state represents the \s-1CIPHER\s0 before it has been allocated. It is the
+This state represents the CIPHER before it has been allocated. It is the
starting state for any life-cycle transitions.
-.IP "newed" 4
+.IP newed 4
.IX Item "newed"
-This state represents the \s-1CIPHER\s0 after it has been allocated.
-.IP "initialised" 4
+This state represents the CIPHER after it has been allocated.
+.IP initialised 4
.IX Item "initialised"
-These states represent the \s-1CIPHER\s0 when it is set up and capable of processing
+These states represent the CIPHER when it is set up and capable of processing
input. There are three possible initialised states:
.RS 4
.IP "initialised using EVP_CipherInit" 4
@@ -164,23 +88,23 @@ input. There are three possible initialised states:
.RE
.RS 4
.RE
-.IP "updated" 4
+.IP updated 4
.IX Item "updated"
.PD
-These states represent the \s-1CIPHER\s0 when it is set up and capable of processing
+These states represent the CIPHER when it is set up and capable of processing
additional input or generating output. The three possible states directly
correspond to those for initialised above. The three different streams should
not be mixed.
-.IP "finaled" 4
+.IP finaled 4
.IX Item "finaled"
-This state represents the \s-1CIPHER\s0 when it has generated output.
-.IP "freed" 4
+This state represents the CIPHER when it has generated output.
+.IP freed 4
.IX Item "freed"
-This state is entered when the \s-1CIPHER\s0 is freed. It is the terminal state
+This state is entered when the CIPHER is freed. It is the terminal state
for all life-cycle transitions.
.SS "State Transition Diagram"
.IX Subsection "State Transition Diagram"
-The usual life-cycle of a \s-1CIPHER\s0 is illustrated:
+The usual life-cycle of a CIPHER is illustrated:
+---------------------------+
| |
| start |
@@ -264,18 +188,18 @@ This is the canonical list.
decryption decryption encryption encryption
EVP_CIPHER_CTX_settable_params newed initialised updated initialised updated initialised updated
decryption decryption encryption encryption
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-At some point the \s-1EVP\s0 layer will begin enforcing the transitions described
+At some point the EVP layer will begin enforcing the transitions described
herein.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-cipher\fR\|(7), \fBEVP_EncryptInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-digest.7 b/secure/lib/libcrypto/man/man7/life_cycle-digest.7
index e5f890fa0179..eaf27a7178c0 100644
--- a/secure/lib/libcrypto/man/man7/life_cycle-digest.7
+++ b/secure/lib/libcrypto/man/man7/life_cycle-digest.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,166 +52,133 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIFE_CYCLE-DIGEST 7ossl"
-.TH LIFE_CYCLE-DIGEST 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH LIFE_CYCLE-DIGEST 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
life_cycle\-digest \- The digest algorithm life\-cycle
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All message digests (MDs) go through a number of stages in their life-cycle:
-.IP "start" 4
+.IP start 4
.IX Item "start"
-This state represents the \s-1MD\s0 before it has been allocated. It is the
+This state represents the MD before it has been allocated. It is the
starting state for any life-cycle transitions.
-.IP "newed" 4
+.IP newed 4
.IX Item "newed"
-This state represents the \s-1MD\s0 after it has been allocated.
-.IP "initialised" 4
+This state represents the MD after it has been allocated.
+.IP initialised 4
.IX Item "initialised"
-This state represents the \s-1MD\s0 when it is set up and capable of processing
+This state represents the MD when it is set up and capable of processing
input.
-.IP "updated" 4
+.IP updated 4
.IX Item "updated"
-This state represents the \s-1MD\s0 when it is set up and capable of processing
+This state represents the MD when it is set up and capable of processing
additional input or generating output.
-.IP "finaled" 4
+.IP finaled 4
.IX Item "finaled"
-This state represents the \s-1MD\s0 when it has generated output.
-.IP "freed" 4
+This state represents the MD when it has generated output.
+For an XOF digest, this state represents the MD when it has generated a
+single-shot output.
+.IP squeezed 4
+.IX Item "squeezed"
+For an XOF digest, this state represents the MD when it has generated output.
+It can be called multiple times to generate more output. The output length is
+variable for each call.
+.IP freed 4
.IX Item "freed"
-This state is entered when the \s-1MD\s0 is freed. It is the terminal state
+This state is entered when the MD is freed. It is the terminal state
for all life-cycle transitions.
.SS "State Transition Diagram"
.IX Subsection "State Transition Diagram"
-The usual life-cycle of a \s-1MD\s0 is illustrated:
- +-------------------+
- | start |
- +-------------------+
- |
- | EVP_MD_CTX_new
- v
- +-------------------+ EVP_MD_CTX_reset
- | newed | <------------------------------+
- +-------------------+ |
- | |
- | EVP_DigestInit |
- v |
- +-------------------+ |
- +--> | initialised | <+ EVP_DigestInit |
- | +-------------------+ | |
- | | | EVP_DigestUpdate |
- | | EVP_DigestUpdate | +------------------+ |
- | v | v | |
- | +------------------------------------------------+ |
- EVP_DigestInit | | updated | --+
- | +------------------------------------------------+ |
- | | | |
- | | EVP_DigestFinal | EVP_DigestFinalXOF |
- | v v |
- | +------------------------------------------------+ |
- +--- | finaled | --+
- +------------------------------------------------+
- |
- | EVP_MD_CTX_free
- v
- +-------------------+
- | freed |
- +-------------------+
+The usual life-cycle of a MD is illustrated:
+ +--------------------+
+ | start |
+ +--------------------+
+ | EVP_MD_CTX_reset
+ | EVP_MD_CTX_new +-------------------------------------------------+
+ v v |
+ EVP_MD_CTX_reset + - - - - - - - - - - - - - - - - - - - - - - + EVP_MD_CTX_reset |
+ +-------------------> ' newed ' <--------------------+ |
+ | + - - - - - - - - - - - - - - - - - - - - - - + | |
+ | | | |
+ | | EVP_DigestInit | |
+ | v | |
+ | EVP_DigestInit + - - - - - - - - - - - - - - - - - - - - - - + | |
+ +----+-------------------> ' initialised ' <+ EVP_DigestInit | |
+ | | + - - - - - - - - - - - - - - - - - - - - - - + | | |
+ | | | ^ | | |
+ | | | EVP_DigestUpdate | EVP_DigestInit | | |
+ | | v | | | |
+ | | +---------------------------------------------+ | | |
+ | +-------------------- | | | | |
+ | | | | | |
+ | EVP_DigestUpdate | | | | |
+ | +-------------------- | | | | |
+ | | | updated | | | |
+ | +-------------------> | | | | |
+ | | | | | |
+ | | | | | |
+ +----+------------------------- | | -+-------------------+----+ |
+ | | +---------------------------------------------+ | | | |
+ | | | | | | |
+ | | | EVP_DigestSqueeze +-------------------+ | | |
+ | | v | | | |
+ | | EVP_DigestSqueeze +---------------------------------------------+ | | |
+ | | +-------------------- | | | | |
+ | | | | squeezed | | | |
+ | | +-------------------> | | ---------------------+ | |
+ | | +---------------------------------------------+ | |
+ | | | | |
+ | | +---------------------------------------+ | |
+ | | | | |
+ | | +---------------------------------------------+ EVP_DigestFinalXOF | | |
+ | +------------------------- | finaled | <--------------------+----+ |
+ | +---------------------------------------------+ | |
+ | EVP_DigestFinal ^ | | | |
+ +---------------------------------+ | | EVP_MD_CTX_free | |
+ | v | |
+ | +------------------+ EVP_MD_CTX_free | |
+ | | freed | <--------------------+ |
+ | +------------------+ |
+ | |
+ +------------------------------------------------------+
.SS "Formal State Transitions"
.IX Subsection "Formal State Transitions"
This section defines all of the legal state transitions.
This is the canonical list.
- Function Call --------------------- Current State ----------------------
- start newed initialised updated finaled freed
+ Function Call --------------------- Current State -----------------------------------
+ start newed initialised updated finaled squeezed freed
EVP_MD_CTX_new newed
- EVP_DigestInit initialised initialised initialised initialised
+ EVP_DigestInit initialised initialised initialised initialised initialised
EVP_DigestUpdate updated updated
EVP_DigestFinal finaled
EVP_DigestFinalXOF finaled
+ EVP_DigestSqueeze squeezed squeezed
EVP_MD_CTX_free freed freed freed freed freed
EVP_MD_CTX_reset newed newed newed newed
EVP_MD_CTX_get_params newed initialised updated
EVP_MD_CTX_set_params newed initialised updated
EVP_MD_CTX_gettable_params newed initialised updated
EVP_MD_CTX_settable_params newed initialised updated
-.SH "NOTES"
+ EVP_MD_CTX_copy_ex newed initialised updated squeezed
+.SH NOTES
.IX Header "NOTES"
-At some point the \s-1EVP\s0 layer will begin enforcing the transitions described
+At some point the EVP layer will begin enforcing the transitions described
herein.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\-digest\fR\|(7), \fBEVP_DigestInit\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-kdf.7 b/secure/lib/libcrypto/man/man7/life_cycle-kdf.7
index 5e94195059d7..c532605518b5 100644
--- a/secure/lib/libcrypto/man/man7/life_cycle-kdf.7
+++ b/secure/lib/libcrypto/man/man7/life_cycle-kdf.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,98 +52,38 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIFE_CYCLE-KDF 7ossl"
-.TH LIFE_CYCLE-KDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH LIFE_CYCLE-KDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
life_cycle\-kdf \- The KDF algorithm life\-cycle
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All key derivation functions (KDFs) and pseudo random functions (PRFs)
go through a number of stages in their life-cycle:
-.IP "start" 4
+.IP start 4
.IX Item "start"
-This state represents the \s-1KDF/PRF\s0 before it has been allocated. It is the
+This state represents the KDF/PRF before it has been allocated. It is the
starting state for any life-cycle transitions.
-.IP "newed" 4
+.IP newed 4
.IX Item "newed"
-This state represents the \s-1KDF/PRF\s0 after it has been allocated.
-.IP "deriving" 4
+This state represents the KDF/PRF after it has been allocated.
+.IP deriving 4
.IX Item "deriving"
-This state represents the \s-1KDF/PRF\s0 when it is set up and capable of generating
+This state represents the KDF/PRF when it is set up and capable of generating
output.
-.IP "freed" 4
+.IP freed 4
.IX Item "freed"
-This state is entered when the \s-1KDF/PRF\s0 is freed. It is the terminal state
+This state is entered when the KDF/PRF is freed. It is the terminal state
for all life-cycle transitions.
.SS "State Transition Diagram"
.IX Subsection "State Transition Diagram"
-The usual life-cycle of a \s-1KDF/PRF\s0 is illustrated:
+The usual life-cycle of a KDF/PRF is illustrated:
+-------------------+
| start |
+-------------------+
@@ -197,21 +121,21 @@ This is the canonical list.
EVP_KDF_CTX_set_params newed deriving
EVP_KDF_CTX_gettable_params newed deriving
EVP_KDF_CTX_settable_params newed deriving
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-At some point the \s-1EVP\s0 layer will begin enforcing the transitions described
+At some point the EVP layer will begin enforcing the transitions described
herein.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-kdf\fR\|(7), \s-1\fBEVP_KDF\s0\fR\|(3).
-.SH "HISTORY"
+\&\fBprovider\-kdf\fR\|(7), \fBEVP_KDF\fR\|(3).
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1KDF\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider KDF interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-mac.7 b/secure/lib/libcrypto/man/man7/life_cycle-mac.7
index 9a74f22e023c..284dcd24814a 100644
--- a/secure/lib/libcrypto/man/man7/life_cycle-mac.7
+++ b/secure/lib/libcrypto/man/man7/life_cycle-mac.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,105 +52,45 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIFE_CYCLE-MAC 7ossl"
-.TH LIFE_CYCLE-MAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH LIFE_CYCLE-MAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
life_cycle\-mac \- The MAC algorithm life\-cycle
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All message authentication codes (MACs)
go through a number of stages in their life-cycle:
-.IP "start" 4
+.IP start 4
.IX Item "start"
-This state represents the \s-1MAC\s0 before it has been allocated. It is the
+This state represents the MAC before it has been allocated. It is the
starting state for any life-cycle transitions.
-.IP "newed" 4
+.IP newed 4
.IX Item "newed"
-This state represents the \s-1MAC\s0 after it has been allocated.
-.IP "initialised" 4
+This state represents the MAC after it has been allocated.
+.IP initialised 4
.IX Item "initialised"
-This state represents the \s-1MAC\s0 when it is set up and capable of processing
+This state represents the MAC when it is set up and capable of processing
input.
-.IP "updated" 4
+.IP updated 4
.IX Item "updated"
-This state represents the \s-1MAC\s0 when it is set up and capable of processing
+This state represents the MAC when it is set up and capable of processing
additional input or generating output.
-.IP "finaled" 4
+.IP finaled 4
.IX Item "finaled"
-This state represents the \s-1MAC\s0 when it has generated output.
-.IP "freed" 4
+This state represents the MAC when it has generated output.
+.IP freed 4
.IX Item "freed"
-This state is entered when the \s-1MAC\s0 is freed. It is the terminal state
+This state is entered when the MAC is freed. It is the terminal state
for all life-cycle transitions.
.SS "State Transition Diagram"
.IX Subsection "State Transition Diagram"
-The usual life-cycle of a \s-1MAC\s0 is illustrated:
+The usual life-cycle of a MAC is illustrated:
+-------------------+
| start |
+-------------------+
@@ -216,21 +140,21 @@ This is the canonical list.
EVP_MAC_CTX_set_params newed initialised updated
EVP_MAC_CTX_gettable_params newed initialised updated
EVP_MAC_CTX_settable_params newed initialised updated
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-At some point the \s-1EVP\s0 layer will begin enforcing the transitions described
+At some point the EVP layer will begin enforcing the transitions described
herein.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-mac\fR\|(7), \s-1\fBEVP_MAC\s0\fR\|(3).
-.SH "HISTORY"
+\&\fBprovider\-mac\fR\|(7), \fBEVP_MAC\fR\|(3).
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1MAC\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider MAC interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-pkey.7 b/secure/lib/libcrypto/man/man7/life_cycle-pkey.7
index ca028c5f2af8..a9559b28d155 100644
--- a/secure/lib/libcrypto/man/man7/life_cycle-pkey.7
+++ b/secure/lib/libcrypto/man/man7/life_cycle-pkey.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,126 +52,66 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIFE_CYCLE-PKEY 7ossl"
-.TH LIFE_CYCLE-PKEY 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH LIFE_CYCLE-PKEY 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
life_cycle\-pkey \- The PKEY algorithm life\-cycle
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All public keys (PKEYs) go through a number of stages in their life-cycle:
-.IP "start" 4
+.IP start 4
.IX Item "start"
-This state represents the \s-1PKEY\s0 before it has been allocated. It is the
+This state represents the PKEY before it has been allocated. It is the
starting state for any life-cycle transitions.
-.IP "newed" 4
+.IP newed 4
.IX Item "newed"
-This state represents the \s-1PKEY\s0 after it has been allocated.
-.IP "decapsulate" 4
+This state represents the PKEY after it has been allocated.
+.IP decapsulate 4
.IX Item "decapsulate"
-This state represents the \s-1PKEY\s0 when it is ready to perform a private key decapsulation
+This state represents the PKEY when it is ready to perform a private key decapsulation
operation.
-.IP "decrypt" 4
+.IP decrypt 4
.IX Item "decrypt"
-This state represents the \s-1PKEY\s0 when it is ready to decrypt some ciphertext.
-.IP "derive" 4
+This state represents the PKEY when it is ready to decrypt some ciphertext.
+.IP derive 4
.IX Item "derive"
-This state represents the \s-1PKEY\s0 when it is ready to derive a shared secret.
+This state represents the PKEY when it is ready to derive a shared secret.
.IP "digest sign" 4
.IX Item "digest sign"
-This state represents the \s-1PKEY\s0 when it is ready to perform a private key signature
+This state represents the PKEY when it is ready to perform a private key signature
operation.
-.IP "encapsulate" 4
+.IP encapsulate 4
.IX Item "encapsulate"
-This state represents the \s-1PKEY\s0 when it is ready to perform a public key encapsulation
+This state represents the PKEY when it is ready to perform a public key encapsulation
operation.
-.IP "encrypt" 4
+.IP encrypt 4
.IX Item "encrypt"
-This state represents the \s-1PKEY\s0 when it is ready to encrypt some plaintext.
+This state represents the PKEY when it is ready to encrypt some plaintext.
.IP "key generation" 4
.IX Item "key generation"
-This state represents the \s-1PKEY\s0 when it is ready to generate a new public/private key.
+This state represents the PKEY when it is ready to generate a new public/private key.
.IP "parameter generation" 4
.IX Item "parameter generation"
-This state represents the \s-1PKEY\s0 when it is ready to generate key parameters.
-.IP "verify" 4
+This state represents the PKEY when it is ready to generate key parameters.
+.IP verify 4
.IX Item "verify"
-This state represents the \s-1PKEY\s0 when it is ready to verify a public key signature.
+This state represents the PKEY when it is ready to verify a public key signature.
.IP "verify recover" 4
.IX Item "verify recover"
-This state represents the \s-1PKEY\s0 when it is ready to recover a public key signature data.
-.IP "freed" 4
+This state represents the PKEY when it is ready to recover a public key signature data.
+.IP freed 4
.IX Item "freed"
-This state is entered when the \s-1PKEY\s0 is freed. It is the terminal state
+This state is entered when the PKEY is freed. It is the terminal state
for all life-cycle transitions.
.SS "State Transition Diagram"
.IX Subsection "State Transition Diagram"
-The usual life-cycle of a \s-1PKEY\s0 object is illustrated:
+The usual life-cycle of a PKEY object is illustrated:
+-------------+
| |
| start |
@@ -297,9 +221,9 @@ This is the canonical list.
EVP_PKEY_CTX_settable_params newed digest verify verify encrypt decrypt derive encapsulate decapsulate parameter key
sign recover generation generation
EVP_PKEY_CTX_free freed freed freed freed freed freed freed freed freed freed freed freed
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-At some point the \s-1EVP\s0 layer will begin enforcing the transitions described
+At some point the EVP layer will begin enforcing the transitions described
herein.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
@@ -307,14 +231,14 @@ herein.
\&\fBEVP_PKEY_decapsulate\fR\|(3), \fBEVP_PKEY_decrypt\fR\|(3), \fBEVP_PKEY_encapsulate\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3), \fBEVP_PKEY_derive\fR\|(3), \fBEVP_PKEY_keygen\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3), \fBEVP_PKEY_verify_recover\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1PKEY\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider PKEY interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/life_cycle-rand.7 b/secure/lib/libcrypto/man/man7/life_cycle-rand.7
index ce292e717451..8653ece6cd72 100644
--- a/secure/lib/libcrypto/man/man7/life_cycle-rand.7
+++ b/secure/lib/libcrypto/man/man7/life_cycle-rand.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,103 +52,43 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIFE_CYCLE-RAND 7ossl"
-.TH LIFE_CYCLE-RAND 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH LIFE_CYCLE-RAND 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
life_cycle\-rand \- The RAND algorithm life\-cycle
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
All random number generator (RANDs)
go through a number of stages in their life-cycle:
-.IP "start" 4
+.IP start 4
.IX Item "start"
-This state represents the \s-1RAND\s0 before it has been allocated. It is the
+This state represents the RAND before it has been allocated. It is the
starting state for any life-cycle transitions.
-.IP "newed" 4
+.IP newed 4
.IX Item "newed"
-This state represents the \s-1RAND\s0 after it has been allocated but unable to
+This state represents the RAND after it has been allocated but unable to
generate any output.
-.IP "instantiated" 4
+.IP instantiated 4
.IX Item "instantiated"
-This state represents the \s-1RAND\s0 when it is set up and capable of generating
+This state represents the RAND when it is set up and capable of generating
output.
-.IP "uninstantiated" 4
+.IP uninstantiated 4
.IX Item "uninstantiated"
-This state represents the \s-1RAND\s0 when it has been shutdown and it is no longer
+This state represents the RAND when it has been shutdown and it is no longer
capable of generating output.
-.IP "freed" 4
+.IP freed 4
.IX Item "freed"
-This state is entered when the \s-1RAND\s0 is freed. It is the terminal state
+This state is entered when the RAND is freed. It is the terminal state
for all life-cycle transitions.
.SS "State Transition Diagram"
.IX Subsection "State Transition Diagram"
-The usual life-cycle of a \s-1RAND\s0 is illustrated:
+The usual life-cycle of a RAND is illustrated:
+-------------------------+
| start |
+-------------------------+
@@ -209,21 +133,21 @@ This is the canonical list.
EVP_RAND_CTX_set_params newed instantiated uninstantiated freed
EVP_RAND_CTX_gettable_params newed instantiated uninstantiated freed
EVP_RAND_CTX_settable_params newed instantiated uninstantiated freed
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-At some point the \s-1EVP\s0 layer will begin enforcing the transitions described
+At some point the EVP layer will begin enforcing the transitions described
herein.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\-rand\fR\|(7), \s-1\fBEVP_RAND\s0\fR\|(3).
-.SH "HISTORY"
+\&\fBprovider\-rand\fR\|(7), \fBEVP_RAND\fR\|(3).
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1RAND\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider RAND interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-core.h.7 b/secure/lib/libcrypto/man/man7/openssl-core.h.7
index 130ee67440b9..6128df9b2ed6 100644
--- a/secure/lib/libcrypto/man/man7/openssl-core.h.7
+++ b/secure/lib/libcrypto/man/man7/openssl-core.h.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CORE.H 7ossl"
-.TH OPENSSL-CORE.H 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL-CORE.H 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl/core.h \- OpenSSL Core types
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fI<openssl/core.h>\fR header defines a number of public types that
are used to communicate between the OpenSSL libraries and
@@ -152,31 +76,31 @@ These types are designed to minimise the need for intimate knowledge
of internal structures between the OpenSSL libraries and the providers.
.PP
The types are:
-.IP "\s-1\fBOSSL_DISPATCH\s0\fR\|(3)" 4
+.IP \fBOSSL_DISPATCH\fR\|(3) 4
.IX Item "OSSL_DISPATCH"
.PD 0
-.IP "\s-1\fBOSSL_ITEM\s0\fR\|(3)" 4
+.IP \fBOSSL_ITEM\fR\|(3) 4
.IX Item "OSSL_ITEM"
-.IP "\s-1\fBOSSL_ALGORITHM\s0\fR\|(3)" 4
+.IP \fBOSSL_ALGORITHM\fR\|(3) 4
.IX Item "OSSL_ALGORITHM"
-.IP "\s-1\fBOSSL_PARAM\s0\fR\|(3)" 4
+.IP \fBOSSL_PARAM\fR\|(3) 4
.IX Item "OSSL_PARAM"
-.IP "\s-1\fBOSSL_CALLBACK\s0\fR\|(3)" 4
+.IP \fBOSSL_CALLBACK\fR\|(3) 4
.IX Item "OSSL_CALLBACK"
-.IP "\s-1\fBOSSL_PASSPHRASE_CALLBACK\s0\fR\|(3)" 4
+.IP \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) 4
.IX Item "OSSL_PASSPHRASE_CALLBACK"
.PD
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\-core_dispatch.h\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The types described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7 b/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7
index 35bd0fbbda06..6392486dd719 100644
--- a/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7
+++ b/secure/lib/libcrypto/man/man7/openssl-core_dispatch.h.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CORE_DISPATCH.H 7ossl"
-.TH OPENSSL-CORE_DISPATCH.H 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL-CORE_DISPATCH.H 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl/core_dispatch.h
\&\- OpenSSL provider dispatch numbers and function types
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fI<openssl/core_dispatch.h>\fR header defines all the operation
numbers, dispatch numbers and provider interface function types
@@ -154,11 +78,11 @@ The operation and dispatch numbers are represented with macros, which
are named as follows:
.IP "operation numbers" 4
.IX Item "operation numbers"
-These macros have the form \f(CW\*(C`OSSL_OP_\f(CIopname\f(CW\*(C'\fR.
+These macros have the form \f(CW\*(C`OSSL_OP_\fR\f(CIopname\fR\f(CW\*(C'\fR.
.IP "dipatch numbers" 4
.IX Item "dipatch numbers"
-These macros have the form \f(CW\*(C`OSSL_FUNC_\f(CIopname\f(CW_\f(CIfuncname\f(CW\*(C'\fR, where
-\&\f(CW\*(C`\f(CIopname\f(CW\*(C'\fR is the same as in the macro for the operation this
+These macros have the form \f(CW\*(C`OSSL_FUNC_\fR\f(CIopname\fR\f(CW_\fR\f(CIfuncname\fR\f(CW\*(C'\fR, where
+\&\f(CW\*(C`\fR\f(CIopname\fR\f(CW\*(C'\fR is the same as in the macro for the operation this
function belongs to.
.PP
With every dispatch number, there is an associated function type.
@@ -167,14 +91,14 @@ For further information, please see the \fBprovider\fR\|(7)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The types and macros described here were added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-core_names.h.7 b/secure/lib/libcrypto/man/man7/openssl-core_names.h.7
index 63fec33d7e30..0ecfa089b7a4 100644
--- a/secure/lib/libcrypto/man/man7/openssl-core_names.h.7
+++ b/secure/lib/libcrypto/man/man7/openssl-core_names.h.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,98 +52,38 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-CORE_NAMES.H 7ossl"
-.TH OPENSSL-CORE_NAMES.H 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL-CORE_NAMES.H 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl/core_names.h \- OpenSSL provider parameter names
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_names.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The \fI<openssl/core_names.h>\fR header defines a multitude of macros
-for \s-1\fBOSSL_PARAM\s0\fR\|(3) names, algorithm names and other known names used
+for \fBOSSL_PARAM\fR\|(3) names, algorithm names and other known names used
with OpenSSL's providers, made available for practical purposes only.
.PP
Existing names are further described in the manuals for OpenSSL's
-providers (see \*(L"\s-1SEE ALSO\*(R"\s0) and the manuals for each algorithm they
+providers (see "SEE ALSO") and the manuals for each algorithm they
provide (listed in those provider manuals).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBOSSL_PROVIDER\-default\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7),
+\&\fBOSSL_PROVIDER\-default\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7),
\&\fBOSSL_PROVIDER\-legacy\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The macros described here were added in OpenSSL 3.0.
-.SH "CAVEATS"
+.SH CAVEATS
.IX Header "CAVEATS"
\&\fIThis header file does not constitute a general registry of names\fR.
Providers that implement new algorithms are to be responsible for
@@ -168,11 +92,11 @@ their own parameter names.
However, authors of provider that implement their own variants of
algorithms that OpenSSL providers support will want to pay attention
to the names provided in this header to work in a compatible manner.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-env.7 b/secure/lib/libcrypto/man/man7/openssl-env.7
index 414ac2964ec0..8079d91a0f37 100644
--- a/secure/lib/libcrypto/man/man7/openssl-env.7
+++ b/secure/lib/libcrypto/man/man7/openssl-env.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,148 +52,179 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-ENV 7ossl"
-.TH OPENSSL-ENV 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL-ENV 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl\-env \- OpenSSL environment variables
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
The OpenSSL libraries use environment variables to override the
compiled-in default paths for various data.
To avoid security risks, the environment is usually not consulted when
the executable is set-user-ID or set-group-ID.
-.IP "\fB\s-1CTLOG_FILE\s0\fR" 4
+.IP \fBCTLOG_FILE\fR 4
.IX Item "CTLOG_FILE"
Specifies the path to a certificate transparency log list.
See \fBCTLOG_STORE_new\fR\|(3).
-.IP "\fB\s-1OPENSSL\s0\fR" 4
+.IP \fBOPENSSL\fR 4
.IX Item "OPENSSL"
Specifies the path to the \fBopenssl\fR executable. Used by
-the \fBrehash\fR script (see \*(L"Script Configuration\*(R" in \fBopenssl\-rehash\fR\|(1))
-and by the \fB\s-1CA\s0.pl\fR script (see \*(L"\s-1NOTES\*(R"\s0 in \s-1\fBCA\s0.pl\fR\|(1)
-.IP "\fB\s-1OPENSSL_CONF\s0\fR, \fB\s-1OPENSSL_CONF_INCLUDE\s0\fR" 4
+the \fBrehash\fR script (see "Script Configuration" in \fBopenssl\-rehash\fR\|(1))
+and by the \fBCA.pl\fR script (see "NOTES" in \fBCA.pl\fR\|(1)
+.IP "\fBOPENSSL_CONF\fR, \fBOPENSSL_CONF_INCLUDE\fR" 4
.IX Item "OPENSSL_CONF, OPENSSL_CONF_INCLUDE"
Specifies the path to a configuration file and the directory for
included files.
See \fBconfig\fR\|(5).
-.IP "\fB\s-1OPENSSL_CONFIG\s0\fR" 4
+.IP \fBOPENSSL_CONFIG\fR 4
.IX Item "OPENSSL_CONFIG"
Specifies a configuration option and filename for the \fBreq\fR and \fBca\fR
-commands invoked by the \fB\s-1CA\s0.pl\fR script.
-See \s-1\fBCA\s0.pl\fR\|(1).
-.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
+commands invoked by the \fBCA.pl\fR script.
+See \fBCA.pl\fR\|(1).
+.IP \fBOPENSSL_ENGINES\fR 4
.IX Item "OPENSSL_ENGINES"
Specifies the directory from which dynamic engines are loaded.
See \fBopenssl\-engine\fR\|(1).
-.IP "\fB\s-1OPENSSL_MALLOC_FD\s0\fR, \fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR" 4
+.IP "\fBOPENSSL_MALLOC_FD\fR, \fBOPENSSL_MALLOC_FAILURES\fR" 4
.IX Item "OPENSSL_MALLOC_FD, OPENSSL_MALLOC_FAILURES"
If built with debugging, this allows memory allocation to fail.
See \fBOPENSSL_malloc\fR\|(3).
-.IP "\fB\s-1OPENSSL_MODULES\s0\fR" 4
+.IP \fBOPENSSL_MODULES\fR 4
.IX Item "OPENSSL_MODULES"
Specifies the directory from which cryptographic providers are loaded.
Equivalently, the generic \fB\-provider\-path\fR command-line option may be used.
-.IP "\fB\s-1OPENSSL_WIN32_UTF8\s0\fR" 4
+.IP \fBOPENSSL_TRACE\fR 4
+.IX Item "OPENSSL_TRACE"
+By default the OpenSSL trace feature is disabled statically.
+To enable it, OpenSSL must be built with tracing support,
+which may be configured like this: \f(CW\*(C`./config enable\-trace\*(C'\fR
+.Sp
+Unless OpenSSL tracing support is generally disabled,
+enable trace output of specific parts of OpenSSL libraries, by name.
+This output usually makes sense only if you know OpenSSL internals well.
+.Sp
+The value of this environment varialble is a comma-separated list of names,
+with the following available:
+.RS 4
+.IP \fBTRACE\fR 4
+.IX Item "TRACE"
+Traces the OpenSSL trace API itself.
+.IP \fBINIT\fR 4
+.IX Item "INIT"
+Traces OpenSSL library initialization and cleanup.
+.IP \fBTLS\fR 4
+.IX Item "TLS"
+Traces the TLS/SSL protocol.
+.IP \fBTLS_CIPHER\fR 4
+.IX Item "TLS_CIPHER"
+Traces the ciphers used by the TLS/SSL protocol.
+.IP \fBCONF\fR 4
+.IX Item "CONF"
+Show details about provider and engine configuration.
+.IP \fBENGINE_TABLE\fR 4
+.IX Item "ENGINE_TABLE"
+The function that is used by RSA, DSA (etc) code to select registered
+ENGINEs, cache defaults and functional references (etc), will generate
+debugging summaries.
+.IP \fBENGINE_REF_COUNT\fR 4
+.IX Item "ENGINE_REF_COUNT"
+Reference counts in the ENGINE structure will be monitored with a line
+of generated for each change.
+.IP \fBPKCS5V2\fR 4
+.IX Item "PKCS5V2"
+Traces PKCS#5 v2 key generation.
+.IP \fBPKCS12_KEYGEN\fR 4
+.IX Item "PKCS12_KEYGEN"
+Traces PKCS#12 key generation.
+.IP \fBPKCS12_DECRYPT\fR 4
+.IX Item "PKCS12_DECRYPT"
+Traces PKCS#12 decryption.
+.IP \fBX509V3_POLICY\fR 4
+.IX Item "X509V3_POLICY"
+Generates the complete policy tree at various points during X.509 v3
+policy evaluation.
+.IP \fBBN_CTX\fR 4
+.IX Item "BN_CTX"
+Traces BIGNUM context operations.
+.IP \fBCMP\fR 4
+.IX Item "CMP"
+Traces CMP client and server activity.
+.IP \fBSTORE\fR 4
+.IX Item "STORE"
+Traces STORE operations.
+.IP \fBDECODER\fR 4
+.IX Item "DECODER"
+Traces decoder operations.
+.IP \fBENCODER\fR 4
+.IX Item "ENCODER"
+Traces encoder operations.
+.IP \fBREF_COUNT\fR 4
+.IX Item "REF_COUNT"
+Traces decrementing certain ASN.1 structure references.
+.IP \fBHTTP\fR 4
+.IX Item "HTTP"
+Traces the HTTP client and server, such as messages being sent and received.
+.RE
+.RS 4
+.RE
+.IP \fBOPENSSL_WIN32_UTF8\fR 4
.IX Item "OPENSSL_WIN32_UTF8"
-If set, then \fBUI_OpenSSL\fR\|(3) returns \s-1UTF\-8\s0 encoded strings, rather than
+If set, then \fBUI_OpenSSL\fR\|(3) returns UTF\-8 encoded strings, rather than
ones encoded in the current code page, and
the \fBopenssl\fR\|(1) program also transcodes the command-line parameters
-from the current code page to \s-1UTF\-8.\s0
+from the current code page to UTF\-8.
This environment variable is only checked on Microsoft Windows platforms.
-.IP "\fB\s-1RANDFILE\s0\fR" 4
+.IP \fBRANDFILE\fR 4
.IX Item "RANDFILE"
The state file for the random number generator.
This should not be needed in normal use.
See \fBRAND_load_file\fR\|(3).
-.IP "\fB\s-1SSL_CERT_DIR\s0\fR, \fB\s-1SSL_CERT_FILE\s0\fR" 4
+.IP "\fBSSL_CERT_DIR\fR, \fBSSL_CERT_FILE\fR" 4
.IX Item "SSL_CERT_DIR, SSL_CERT_FILE"
-Specify the default directory or file containing \s-1CA\s0 certificates.
+Specify the default directory or file containing CA certificates.
See \fBSSL_CTX_load_verify_locations\fR\|(3).
-.IP "\fB\s-1TSGET\s0\fR" 4
+.IP \fBTSGET\fR 4
.IX Item "TSGET"
Additional arguments for the \fBtsget\fR\|(1) command.
-.IP "\fBOPENSSL_ia32cap\fR, \fBOPENSSL_sparcv9cap\fR, \fBOPENSSL_ppccap\fR, \fBOPENSSL_armcap\fR, \fBOPENSSL_s390xcap\fR" 4
-.IX Item "OPENSSL_ia32cap, OPENSSL_sparcv9cap, OPENSSL_ppccap, OPENSSL_armcap, OPENSSL_s390xcap"
+.IP "\fBOPENSSL_ia32cap\fR, \fBOPENSSL_sparcv9cap\fR, \fBOPENSSL_ppccap\fR, \fBOPENSSL_armcap\fR, \fBOPENSSL_s390xcap\fR, \fBOPENSSL_riscvcap\fR" 4
+.IX Item "OPENSSL_ia32cap, OPENSSL_sparcv9cap, OPENSSL_ppccap, OPENSSL_armcap, OPENSSL_s390xcap, OPENSSL_riscvcap"
OpenSSL supports a number of different algorithm implementations for
various machines and, by default, it determines which to use based on the
processor capabilities and run time feature enquiry. These environment
variables can be used to exert more control over this selection process.
-See \fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3).
-.IP "\fB\s-1NO_PROXY\s0\fR, \fB\s-1HTTPS_PROXY\s0\fR, \fB\s-1HTTP_PROXY\s0\fR" 4
+See \fBOPENSSL_ia32cap\fR\|(3), \fBOPENSSL_s390xcap\fR\|(3) and \fBOPENSSL_riscvcap\fR\|(3).
+.IP "\fBNO_PROXY\fR, \fBHTTPS_PROXY\fR, \fBHTTP_PROXY\fR" 4
.IX Item "NO_PROXY, HTTPS_PROXY, HTTP_PROXY"
Specify a proxy hostname.
See \fBOSSL_HTTP_parse_url\fR\|(3).
-.SH "COPYRIGHT"
+.IP \fBQLOGDIR\fR 4
+.IX Item "QLOGDIR"
+Specifies a QUIC qlog output directory. See \fBopenssl\-qlog\fR\|(7).
+.IP \fBOSSL_QFILTER\fR 4
+.IX Item "OSSL_QFILTER"
+Used to set a QUIC qlog filter specification. See \fBopenssl\-qlog\fR\|(7).
+.IP \fBSSLKEYLOGFILE\fR 4
+.IX Item "SSLKEYLOGFILE"
+Used to produce the standard format output file for SSL key logging. Optionally
+set this variable to a filename to log all secrets produced by SSL connections.
+Note, use of the environment variable is predicated on configuring OpenSSL at
+build time with the enable-sslkeylog feature. The file format standard can be
+found at <https://datatracker.ietf.org/doc/draft\-ietf\-tls\-keylogfile/>.
+Note: the use of \fBSSLKEYLOGFILE\fR poses an explicit security risk. By recording
+the exchanged keys during an SSL session, it allows any available party with
+read access to the file to decrypt application traffic sent over that session.
+Use of this feature should be restricted to test and debug environments only.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
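Review bot: The new OPENSSL_TRACE and SSLKEYLOGFILE entries both depend on build-time options (`enable-trace`, `enable-sslkeylog`), but the page does not say whether the library this manual ships with was built with them, so a reader cannot tell whether setting SSLKEYLOGFILE will actually write session secrets to disk. Because the entry itself says anyone with read access to the file can decrypt the session traffic, it would help to state the build default next to it and to add a sentence such as `The log file should be readable only by the user running the process.` The added text also has typos: `varialble` in the OPENSSL_TRACE entry, `with a line of generated for each change` under ENGINE_REF_COUNT, and an unclosed parenthesis in `(see "NOTES" in CA.pl(1)`. The file is generated by Pod::Man, so these corrections belong in the POD source rather than in this output.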
diff --git a/secure/lib/libcrypto/man/man7/openssl-glossary.7 b/secure/lib/libcrypto/man/man7/openssl-glossary.7
index 04183a5c672b..da829c86d7f9 100644
--- a/secure/lib/libcrypto/man/man7/openssl-glossary.7
+++ b/secure/lib/libcrypto/man/man7/openssl-glossary.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,88 +52,28 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-GLOSSARY 7ossl"
-.TH OPENSSL-GLOSSARY 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL-GLOSSARY 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl\-glossary \- An OpenSSL Glossary
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-.IP "Algorithm" 4
+.IP Algorithm 4
.IX Item "Algorithm"
-Cryptographic primitives such as the \s-1SHA256\s0 digest, or \s-1AES\s0 encryption are
-referred to in OpenSSL as \*(L"algorithms\*(R". There can be more than one
+Cryptographic primitives such as the SHA256 digest, or AES encryption are
+referred to in OpenSSL as "algorithms". There can be more than one
implementation for any given algorithm available for use.
.Sp
\&\fBcrypto\fR\|(7)
-.IP "\s-1ASN.1, ASN1\s0" 4
+.IP "ASN.1, ASN1" 4
.IX Item "ASN.1, ASN1"
-\&\s-1ASN.1\s0 (\*(L"Abstract Syntax Notation One\*(R") is a notation for describing abstract
+ASN.1 ("Abstract Syntax Notation One") is a notation for describing abstract
types and values. It is defined in the ITU-T documents X.680 to X.683:
.Sp
<https://www.itu.int/rec/T\-REC\-X.680>,
@@ -163,10 +87,10 @@ the algorithm implementations in the Base Provider are also available in the
Default Provider.
.Sp
\&\fBOSSL_PROVIDER\-base\fR\|(7)
-.IP "Decoder" 4
+.IP Decoder 4
.IX Item "Decoder"
A decoder is a type of algorithm used for decoding keys and parameters from some
-external format such as \s-1PEM\s0 or \s-1DER.\s0
+external format such as PEM or DER.
.Sp
\&\fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3)
.IP "Default Provider" 4
@@ -177,20 +101,19 @@ the algorithm implementations in the Base Provider are also available in the
Default Provider.
.Sp
\&\fBOSSL_PROVIDER\-default\fR\|(7)
-.ie n .IP "\s-1DER\s0 (""Distinguished Encoding Rules"")" 4
-.el .IP "\s-1DER\s0 (``Distinguished Encoding Rules'')" 4
-.IX Item "DER (Distinguished Encoding Rules)"
-\&\s-1DER\s0 is a binary encoding of data, structured according to an \s-1ASN.1\s0
+.IP "DER (""Distinguished Encoding Rules"")" 4
+.IX Item "DER (""Distinguished Encoding Rules"")"
+DER is a binary encoding of data, structured according to an ASN.1
specification. This is a common encoding used for cryptographic objects
such as private and public keys, certificates, CRLs, ...
.Sp
It is defined in ITU-T document X.690:
.Sp
<https://www.itu.int/rec/T\-REC\-X.690>
-.IP "Encoder" 4
+.IP Encoder 4
.IX Item "Encoder"
An encoder is a type of algorithm used for encoding keys and parameters to some
-external format such as \s-1PEM\s0 or \s-1DER.\s0
+external format such as PEM or DER.
.Sp
\&\fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3)
.IP "Explicit Fetching" 4
@@ -198,7 +121,7 @@ external format such as \s-1PEM\s0 or \s-1DER.\s0
Explicit Fetching is a type of Fetching (see Fetching). Explicit Fetching is
where a function call is made to obtain an algorithm object representing an
implementation such as \fBEVP_MD_fetch\fR\|(3) or \fBEVP_CIPHER_fetch\fR\|(3)
-.IP "Fetching" 4
+.IP Fetching 4
.IX Item "Fetching"
Fetching is the process of looking through the available algorithm
implementations, applying selection criteria (via a property query string), and
@@ -207,12 +130,12 @@ finally choosing the implementation that will be used.
Also see Explicit Fetching and Implicit Fetching.
.Sp
\&\fBcrypto\fR\|(7)
-.IP "\s-1FIPS\s0 Provider" 4
+.IP "FIPS Provider" 4
.IX Item "FIPS Provider"
An OpenSSL Provider that contains OpenSSL algorithm implementations that have
-been validated according to the \s-1FIPS 140\-2\s0 standard.
+been validated according to the FIPS 140\-2 standard.
.Sp
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7)
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7)
.IP "Implicit Fetching" 4
.IX Item "Implicit Fetching"
Implicit Fetching is a type of Fetching (see Fetching). Implicit Fetching is
@@ -228,16 +151,16 @@ insecure or are no longer in common use.
\&\fBOSSL_PROVIDER\-legacy\fR\|(7)
.IP "Library Context" 4
.IX Item "Library Context"
-A Library Context in OpenSSL is represented by the type \fB\s-1OSSL_LIB_CTX\s0\fR. It can
+A Library Context in OpenSSL is represented by the type \fBOSSL_LIB_CTX\fR. It can
be thought of as a scope within which configuration options apply. If an
-application does not explicitly create a library context then the \*(L"default\*(R"
+application does not explicitly create a library context then the "default"
one is used. Many OpenSSL functions can take a library context as an argument.
-A \s-1NULL\s0 value can always be passed to indicate the default library context.
+A NULL value can always be passed to indicate the default library context.
.Sp
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3)
-.IP "\s-1MSBLOB\s0" 4
+\&\fBOSSL_LIB_CTX\fR\|(3)
+.IP MSBLOB 4
.IX Item "MSBLOB"
-\&\s-1MSBLOB\s0 is a Microsoft specific binary format for \s-1RSA\s0 and \s-1DSA\s0 keys, both
+MSBLOB is a Microsoft specific binary format for RSA and DSA keys, both
private and public. This form is never passphrase protected.
.IP "Null Provider" 4
.IX Item "Null Provider"
@@ -246,16 +169,15 @@ useful to prevent the default provider from being automatically loaded in a
library context.
.Sp
\&\fBOSSL_PROVIDER\-null\fR\|(7)
-.IP "Operation" 4
+.IP Operation 4
.IX Item "Operation"
An operation is a group of OpenSSL functions with a common purpose such as
encryption, or digesting.
.Sp
\&\fBcrypto\fR\|(7)
-.ie n .IP "\s-1PEM\s0 (""Privacy Enhanced Message"")" 4
-.el .IP "\s-1PEM\s0 (``Privacy Enhanced Message'')" 4
-.IX Item "PEM (Privacy Enhanced Message)"
-\&\s-1PEM\s0 is a format used for encoding of binary content into a mail and \s-1ASCII\s0
+.IP "PEM (""Privacy Enhanced Message"")" 4
+.IX Item "PEM (""Privacy Enhanced Message"")"
+PEM is a format used for encoding of binary content into a mail and ASCII
friendly form. The content is a series of base64\-encoded lines, surrounded
by begin/end markers each on their own line. For example:
.Sp
@@ -269,28 +191,28 @@ by begin/end markers each on their own line. For example:
Optional header line(s) may appear after the begin line, and their existence
depends on the type of object being written or read.
.Sp
-For all OpenSSL uses, the binary content is expected to be a \s-1DER\s0 encoded
+For all OpenSSL uses, the binary content is expected to be a DER encoded
structure.
.Sp
-This is defined in \s-1IETF RFC 1421:\s0
+This is defined in IETF RFC 1421:
.Sp
<https://tools.ietf.org/html/rfc1421>
-.IP "PKCS#8" 4
+.IP PKCS#8 4
.IX Item "PKCS#8"
-PKCS#8 is a specification of \s-1ASN.1\s0 structures that OpenSSL uses for storing
+PKCS#8 is a specification of ASN.1 structures that OpenSSL uses for storing
or transmitting any private key in a key type agnostic manner.
There are two structures worth noting for OpenSSL use, one that contains the
-key data in unencrypted form (known as \*(L"PrivateKeyInfo\*(R") and an encrypted
-wrapper structure (known as \*(L"EncryptedPrivateKeyInfo\*(R").
+key data in unencrypted form (known as "PrivateKeyInfo") and an encrypted
+wrapper structure (known as "EncryptedPrivateKeyInfo").
.Sp
-This is specified in \s-1RFC 5208:\s0
+This is specified in RFC 5208:
.Sp
<https://tools.ietf.org/html/rfc5208>
-.IP "Property" 4
+.IP Property 4
.IX Item "Property"
A property is a way of classifying and selecting algorithm implementations.
A property is a key/value pair expressed as a string. For example all algorithm
-implementations in the default provider have the property \*(L"provider=default\*(R".
+implementations in the default provider have the property "provider=default".
An algorithm implementation can have multiple properties defined against it.
.Sp
Also see Property Query String.
@@ -300,38 +222,38 @@ Also see Property Query String.
.IX Item "Property Query String"
A property query string is a string containing a sequence of properties that
can be used to select an algorithm implementation. For example the query string
-\&\*(L"provider=example,foo=bar\*(R" will select algorithms from the \*(L"example\*(R" provider
-that have a \*(L"foo\*(R" property defined for them with a value of \*(L"bar\*(R".
+"provider=example,foo=bar" will select algorithms from the "example" provider
+that have a "foo" property defined for them with a value of "bar".
.Sp
Property Query Strings are used during fetching. See Fetching.
.Sp
\&\fBproperty\fR\|(7)
-.IP "Provider" 4
+.IP Provider 4
.IX Item "Provider"
A provider in OpenSSL is a component that groups together algorithm
implementations. Providers can come from OpenSSL itself or from third parties.
.Sp
\&\fBprovider\fR\|(7)
-.IP "\s-1PVK\s0" 4
+.IP PVK 4
.IX Item "PVK"
-\&\s-1PVK\s0 is a Microsoft specific binary format for \s-1RSA\s0 and \s-1DSA\s0 private keys.
+PVK is a Microsoft specific binary format for RSA and DSA private keys.
This form may be passphrase protected.
-.IP "SubjectPublicKeyInfo" 4
+.IP SubjectPublicKeyInfo 4
.IX Item "SubjectPublicKeyInfo"
-SubjectPublicKeyInfo is an \s-1ASN.1\s0 structure that OpenSSL uses for storing and
+SubjectPublicKeyInfo is an ASN.1 structure that OpenSSL uses for storing and
transmitting any public key in a key type agnostic manner.
.Sp
-This is specified as part of the specification for certificates, \s-1RFC 5280:\s0
+This is specified as part of the specification for certificates, RFC 5280:
.Sp
<https://tools.ietf.org/html/rfc5280>
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
This glossary was added in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-qlog.7 b/secure/lib/libcrypto/man/man7/openssl-qlog.7
new file mode 100644
index 000000000000..51ee57488883
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/openssl-qlog.7
@@ -0,0 +1,274 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-QLOG 7ossl"
+.TH OPENSSL-QLOG 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+openssl\-qlog \- OpenSSL qlog tracing functionality
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+OpenSSL has unstable support for generating logs in the qlog logging format,
+which can be used to obtain diagnostic data for QUIC connections. The data
+generated includes information on packets sent and received and the frames
+contained within them, as well as loss detection and other events.
+.PP
+The qlog output generated by OpenSSL can be used to obtain diagnostic
+visualisations of a given QUIC connection using tools such as \fBqvis\fR.
+.PP
+\&\fBWARNING:\fR The output of OpenSSL's qlog functionality uses an unstable format
+based on a draft specification. qlog output is not subject to any format
+stability or compatibility guarantees at this time, and \fBwill\fR change in
+incompatible ways in future versions of OpenSSL. See \fBFORMAT STABILITY\fR below
+for details.
+.SH USAGE
+.IX Header "USAGE"
+When OpenSSL is built with qlog support, qlog is enabled at run time by setting
+the standard \fBQLOGDIR\fR environment variable to point to a directory where qlog
+files should be written. Once set, any QUIC connection established by OpenSSL
+will have a qlog file written automatically to the specified directory.
+.PP
+Log files are generated in the \fI.sqlog\fR format based on JSON-SEQ (RFC 7464).
+.PP
+The filenames of generated log files under the specified \fBQLOGDIR\fR use the
+following structure:
+.PP
+.Vb 1
+\& {connection_odcid}_{vantage_point_type}.sqlog
+.Ve
+.PP
+where \fB{connection_odcid}\fR is the lowercase hexadecimal encoding of a QUIC
+connection's Original Destination Connection ID, which is the Destination
+Connection ID used in the header of the first Initial packet sent as part of the
+connection process, and \fB{vantage_point_type}\fR is either \f(CW\*(C`client\*(C'\fR or
+\&\f(CW\*(C`server\*(C'\fR, reflecting the perspective of the endpoint producing the qlog output.
+.PP
+The qlog functionality can be disabled at OpenSSL build time using the
+\&\fIno-unstable-qlog\fR configure flag.
+.SH "SUPPORTED EVENT TYPES"
+.IX Header "SUPPORTED EVENT TYPES"
+The following event types are currently supported:
+.IP \fBconnectivity:connection_started\fR 4
+.IX Item "connectivity:connection_started"
+.PD 0
+.IP \fBconnectivity:connection_state_updated\fR 4
+.IX Item "connectivity:connection_state_updated"
+.IP \fBconnectivity:connection_closed\fR 4
+.IX Item "connectivity:connection_closed"
+.IP \fBtransport:parameters_set\fR 4
+.IX Item "transport:parameters_set"
+.IP \fBtransport:packet_sent\fR 4
+.IX Item "transport:packet_sent"
+.IP \fBtransport:packet_received\fR 4
+.IX Item "transport:packet_received"
+.IP \fBrecovery:packet_lost\fR 4
+.IX Item "recovery:packet_lost"
+.PD
+.SH FILTERS
+.IX Header "FILTERS"
+By default, all supported event types are logged. The \fBOSSL_QFILTER\fR
+environment variable can be used to configure a filter specification which
+determines which event types are to be logged. Each event type can be turned on
+and off individually. The filter specification is a space-separated list of
+terms listing event types to enable or disable. The terms are applied in order,
+thus the effects of later terms override the effects of earlier terms.
+.SS Examples
+.IX Subsection "Examples"
+Here are some example filter specifications:
+.ie n .IP """*"" (or ""+*"")" 4
+.el .IP "\f(CW*\fR (or \f(CW+*\fR)" 4
+.IX Item "* (or +*)"
+Enable all supported qlog event types.
+.ie n .IP """\-*""" 4
+.el .IP \f(CW\-*\fR 4
+.IX Item "-*"
+Disable all qlog event types.
+.ie n .IP """* \-transport:packet_received""" 4
+.el .IP "\f(CW* \-transport:packet_received\fR" 4
+.IX Item "* -transport:packet_received"
+Enable all qlog event types, but disable the \fBtransport:packet_received\fR event
+type.
+.ie n .IP """\-* transport:packet_sent""" 4
+.el .IP "\f(CW\-* transport:packet_sent\fR" 4
+.IX Item "-* transport:packet_sent"
+Disable all qlog event types, except for the \fBtransport:packet_sent\fR event type.
+.ie n .IP """\-* connectivity:* transport:parameters_set""" 4
+.el .IP "\f(CW\-* connectivity:* transport:parameters_set\fR" 4
+.IX Item "-* connectivity:* transport:parameters_set"
+Disable all qlog event types, except for \fBtransport:parameters_set\fR and all
+supported event types in the \fBconnectivity\fR category.
+.SS "Filter Syntax Specification"
+.IX Subsection "Filter Syntax Specification"
+Formally, the format of the filter specification in ABNF is as follows:
+.PP
+.Vb 1
+\& filter = *filter\-term
+\&
+\& filter\-term = add\-sub\-term
+\&
+\& add\-sub\-term = ["\-" / "+"] specifier
+\&
+\& specifier = global\-specifier / qualified\-specifier
+\&
+\& global\-specifier = wildcard
+\&
+\& qualified\-specifier = component\-specifier ":" component\-specifier
+\&
+\& component\-specifier = name / wildcard
+\&
+\& wildcard = "*"
+\&
+\& name = 1*(ALPHA / DIGIT / "_" / "\-")
+.Ve
+.PP
+Filter terms are interpreted as follows:
+.ie n .IP """+*"" (or ""*"")" 4
+.el .IP "\f(CW+*\fR (or \f(CW*\fR)" 4
+.IX Item "+* (or *)"
+Enables all event types.
+.ie n .IP """\-*""" 4
+.el .IP \f(CW\-*\fR 4
+.IX Item "-*"
+Disables all event types.
+.ie n .IP """+foo:*"" (or ""foo:*"")" 4
+.el .IP "\f(CW+foo:*\fR (or \f(CWfoo:*\fR)" 4
+.IX Item "+foo:* (or foo:*)"
+Enables all event types in the \fBfoo\fR category.
+.ie n .IP """\-foo:*""" 4
+.el .IP \f(CW\-foo:*\fR 4
+.IX Item "-foo:*"
+Disables all event types in the \fBfoo\fR category.
+.ie n .IP """+foo:bar"" (or ""foo:bar"")" 4
+.el .IP "\f(CW+foo:bar\fR (or \f(CWfoo:bar\fR)" 4
+.IX Item "+foo:bar (or foo:bar)"
+Enables a specific event type \fBfoo:bar\fR.
+.ie n .IP """\-foo:bar""" 4
+.el .IP \f(CW\-foo:bar\fR 4
+.IX Item "-foo:bar"
+Disables a specific event type \fBfoo:bar\fR.
+.PP
+Partial wildcard matches are not supported at this time.
+.SS "Default Configuration"
+.IX Subsection "Default Configuration"
+If the \fBOSSL_QFILTER\fR environment variable is not set or set to the empty
+string, this is equivalent to enabling all event types (i.e., it is equivalent
+to a filter of \f(CW\*(C`*\*(C'\fR). Note that the \fBQLOGDIR\fR environment variable must also be
+set to enable qlog.
+.SH "FORMAT STABILITY"
+.IX Header "FORMAT STABILITY"
+The OpenSSL qlog functionality currently implements a draft version of the qlog
+specification. Future revisions to the qlog specification in advance of formal
+standardisation are expected to introduce incompatible and breaking changes to
+the qlog format. The OpenSSL qlog functionality will transition to producing
+output in this format in the future once standardisation is complete.
+.PP
+Because of this, the qlog output of OpenSSL \fBwill\fR change in incompatible and
+breaking ways in the future, including in non-major releases of OpenSSL. The
+qlog output of OpenSSL is considered unstable and not subject to any format
+stability or compatibility guarantees at this time.
+.PP
+Users of the OpenSSL qlog functionality must be aware that the output may change
+arbitrarily between releases and that the preservation of compatibility with any
+given tool between releases is not guaranteed.
+.SS Aims
+.IX Subsection "Aims"
+The OpenSSL draft qlog functionality is primarily intended for use in
+conjunction with the qvis tool <https://qvis.quictools.info/>. In terms of
+format compatibility, the output format of the OpenSSL qlog functionality is
+expected to track what is supported by qvis. As such, future changes to the
+output of the OpenSSL qlog functionality are expected to track changes in qvis
+as they occur, and reflect the versions of qlog currently supported by qvis.
+.PP
+This means that prior to the finalisation of the qlog standard, in the event of
+a disparity between the current draft and what qvis supports, the OpenSSL qlog
+functionality will generally aim for qvis compatibility over compliance with the
+latest draft.
+.PP
+As such, OpenSSL's qlog functionality currently implements qlog version 0.3 as
+defined in \fBdraft\-ietf\-quic\-qlog\-main\-schema\-05\fR and
+\&\fBdraft\-ietf\-quic\-qlog\-quic\-events\-04\fR. These revisions are intentionally used
+instead of more recent revisions due to their qvis compatibility.
+.SH LIMITATIONS
+.IX Header "LIMITATIONS"
+The OpenSSL implementation of qlog currently has the following limitations:
+.IP \(bu 4
+Not all event types defined by the draft specification are implemented.
+.IP \(bu 4
+Only the JSON-SEQ (\fB.sqlog\fR) output format is supported.
+.IP \(bu 4
+Only the \fBQLOGDIR\fR environment variable is supported for configuring the qlog
+output directory. The standard \fBQLOGFILE\fR environment variable is not
+supported.
+.IP \(bu 4
+There is no API for programmatically enabling or controlling the qlog
+functionality.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-quic\fR\|(7), \fBopenssl\-env\fR\|(7)
+.SH HISTORY
+.IX Header "HISTORY"
+This functionality was added in OpenSSL 3.3.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7 b/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7
new file mode 100644
index 000000000000..723d31ec19e8
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/openssl-quic-concurrency.7
@@ -0,0 +1,316 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-QUIC-CONCURRENCY 7ossl"
+.TH OPENSSL-QUIC-CONCURRENCY 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+openssl\-quic\-concurrency \- OpenSSL QUIC Concurrency Model
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+A QUIC domain is a group of QUIC resources such as listeners (see
+\&\fBSSL_new_listener\fR\|(3)) and connections which share common event processing
+resources, such as internal pollers, timers and locks. All usage of OpenSSL QUIC
+happens inside a QUIC domain.
+.PP
+These resources can be accessed and used concurrently depending on the
+circumstances. This man page discusses the available concurrency models and how
+they can be used.
+.SH "EXPLICIT AND IMPLICIT QUIC DOMAINS"
+.IX Header "EXPLICIT AND IMPLICIT QUIC DOMAINS"
+A QUIC domain is instantiated either explicitly (\fBSSL_new_domain\fR\|(3)) or
+implicitly by calling \fBSSL_new\fR\|(3) or \fBSSL_new_listener\fR\|(3):
+.IP \(bu 4
+An explicit QUIC domain is created by and visible to the application as a QUIC
+domain SSL object and has other QUIC SSL objects created underneath it, such as
+listeners or connections.
+.IP \(bu 4
+An implicit QUIC domain is one which is created internally due to the direct
+creation of a QUIC connection or listener SSL object; the application does not
+explicitly create a QUIC domain SSL object and never directly references the
+domain.
+.PP
+Explicit creation of a QUIC domain provides the greatest level of control for an
+application. Applications can use an implicit QUIC domain for ease of use and to
+avoid needing to create a separate QUIC domain SSL object.
+.PP
+Regardless of whether a QUIC domain is explicitly created, the internal
+processing model is the same and the application must choose an appropriate
+concurrency model as discussed below.
+.SH "CONCURRENCY MODELS"
+.IX Header "CONCURRENCY MODELS"
+The OpenSSL QUIC implementation supports multiple concurrency models to support
+a wide variety of usage scenarios.
+.PP
+The available concurrency models are as follows:
+.IP \(bu 4
+The \fBSingle-Threaded Concurrency Model (SCM)\fR, which supports only
+application-synchronised single-threaded usage.
+.IP \(bu 4
+The \fBContentive Concurrency Model (CCM)\fR, which supports multi-threaded usage.
+.IP \(bu 4
+The \fBThread-Assisted Concurrency Model (TACM)\fR, which also supports
+multi-threaded usage and provides assistance to an application for handling QUIC
+timer events.
+.PP
+The merits of these models are as follows:
+.IP \(bu 4
+The \fBSingle-Threaded Concurrency Model (SCM)\fR performs no locking or
+synchronisation. It is entirely up to the application to synchronise access to
+the QUIC domain and its subsidiary SSL objects.
+.Sp
+This concurrency model is also useful for an application which wants to use the
+OpenSSL QUIC implementation as a pure state machine.
+.IP \(bu 4
+The \fBContentive Concurrency Model (CCM)\fR performs automatic locking when making
+API calls to SSL objects in a QUIC domain. This provides automatic
+synchronisation for multi-threaded usage of QUIC objects. For example, different
+QUIC stream SSL objects in the same QUIC connection can be safely accessed from
+different threads.
+.Sp
+This concurrency model adds the overhead of locking over the Single-Threaded
+Concurrency Model in order to support multi-threaded usage, but provides limited
+performance in highly contended multi-threaded usage due to its simple approach.
+However, it may still prove a good solution for a broad class of applications
+which spend the majority of their time in application logic and not in QUIC I/O
+processing.
+.Sp
+An advantage of this model relative to the more sophisticated concurrency models
+below is that it does not create any OS threads.
+.IP \(bu 4
+The \fBThread-Assisted Concurrency Model (TACM)\fR is identical to the Contentive
+Concurrency Model except that a thread is spun up in the background to ensure
+that QUIC timer events are handled in a timely fashion. This ensures that QUIC
+timeout events are handled even if an application does not periodically call
+into the QUIC domain to ensure that any outstanding QUIC-related timer or
+network I/O events are handled. The assist thread contends for the same
+resources like any other thread. However, handshake layer events (TLS) are never
+processed by the assist thread.
+.PP
+The default concurrency model is CCM or TACM, depending on the \fBSSL_METHOD\fR
+used with a \fBSSL_CTX\fR. Using \fBOSSL_QUIC_client_method\fR\|(3) results in a default
+concurrency model of CCM, whereas using \fBOSSL_QUIC_client_thread_method\fR\|(3)
+results in a default concurrency model of TACM.
+.PP
+Additional concurrency models may be offered in future releases of OpenSSL.
+.SH "BLOCKING I/O CAPABILITIES"
+.IX Header "BLOCKING I/O CAPABILITIES"
+All of the supported concurrency models are capable of supporting blocking I/O
+calls, where application-level I/O calls (for example, to \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_write_ex\fR\|(3) on a QUIC stream SSL object) block until the request can be
+serviced. This includes the use of \fBSSL_poll\fR\|(3) in a blocking fashion.
+.PP
+Supporting blocking API calls reliably with multi-threaded usage requires the
+creation of additional OS resources such as internal file descriptors to allow
+threads to be woken when necessary. This creation of internal OS resources is
+optional and may need to be explicitly requested by an application depending on
+the chosen concurrency model. If this functionality is disabled, depending on
+the chosen concurrency model, blocking API calls may not be available and calls
+to \fBSSL_set_blocking_mode\fR\|(3) attempting to enable blocking mode may fail,
+notwithstanding the following section.
+.SS "Legacy Blocking Support Compatibility"
+.IX Subsection "Legacy Blocking Support Compatibility"
+OpenSSL 3.2 and 3.3 contained a buggy implementation of blocking QUIC I/O calls
+which is only reliable under single-threaded usage. This functionality is always
+available in the Single-Threaded Concurrency Model (SCM), where it works
+reliably.
+.PP
+For compatibility reasons, this functionality is also available under the
+default concurrency model if the application does not explicitly specify a
+concurrency model or disable it. This is known as Legacy Blocking Compatibility
+Mode, and its usage is not recommended for multi-threaded applications.
+.SH "RECOMMENDED USAGE"
+.IX Header "RECOMMENDED USAGE"
+New applications are advised to choose a concurrency model as follows:
+.IP \(bu 4
+A purely single-threaded application, or an application which wishes to use
+OpenSSL QUIC as a state machine and manage synchronisation itself, should
+explicitly select the SCM concurrency model.
+.IP \(bu 4
+An application which wants to engage in multi-threaded usage of different QUIC
+connections or streams in the same QUIC domain should a) select the CCM or TACM
+concurrency model and b) explicitly opt in or out of blocking I/O support
+(depending on whether the application wishes to make blocking I/O calls),
+disabling Legacy Blocking Compatibility Mode.
+.Sp
+An application should select the CCM concurrency model if the application can
+guarantee that a QUIC domain will be serviced regularly (for example, because
+the application can guarantee that the timeout returned by
+\&\fBSSL_get_event_timeout\fR\|(3) will be handled). If an application is unable to do
+this, it should select the TACM concurrency model.
+.IP \(bu 4
+Applications should explicitly configure a concurrency model during
+initialisation.
+.SH "CONFIGURING A CONCURRENCY MODEL"
+.IX Header "CONFIGURING A CONCURRENCY MODEL"
+If using an explicit QUIC domain, a concurrency model is chosen when calling
+\&\fBSSL_new_domain\fR\|(3) by specifying zero or more of the following flags:
+.IP \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR 4
+.IX Item "SSL_DOMAIN_FLAG_SINGLE_THREAD"
+Specifying this flag configures the Single-Threaded Concurrency Model (SCM).
+.IP \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR 4
+.IX Item "SSL_DOMAIN_FLAG_MULTI_THREAD"
+Speciyfing this flag configures the Contentive Concurrency Model (CCM) (unless
+\&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR is also specified).
+.IP \fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR 4
+.IX Item "SSL_DOMAIN_FLAG_THREAD_ASSISTED"
+Specifying this flag configures the Thread-Assisted Concurrency Model (TACM).
+It implies \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR.
+.IP \fBSSL_DOMAIN_FLAG_BLOCKING\fR 4
+.IX Item "SSL_DOMAIN_FLAG_BLOCKING"
+Enable reliable support for blocking I/O calls, allocating whatever OS resources
+are necessary to realise this. If this flag is specified,
+\&\fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR is ignored.
+.Sp
+Details on the allocated OS resources can be found under "CONSUMPTION OF OS
+RESOURCES" below.
+.IP \fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR 4
+.IX Item "SSL_DOMAIN_FLAG_LEGACY_BLOCKING"
+Enables legacy blocking compatibility mode. See "Legacy Blocking Support
+Compatibility".
+.PP
+Mutually exclusive flag combinations result in an error (for example, combining
+\&\fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR and \fBSSL_DOMAIN_FLAG_MULTI_THREADED\fR).
+.PP
+The concurrency model for a domain cannot be changed after the domain is
+created.
+.SS "Default Behaviour"
+.IX Subsection "Default Behaviour"
+If none of \fBSSL_DOMAIN_FLAG_SINGLE_THREAD\fR, \fBSSL_DOMAIN_FLAG_MULTI_THREAD\fR or
+\&\fBSSL_DOMAIN_FLAG_THREAD_ASSISTED\fR are provided to \fBSSL_new_domain\fR\|(3) or
+another constructor function which can accept the above flags, the default
+concurrency model set on the \fBSSL_CTX\fR is used. This default can be set and get
+using \fBSSL_CTX_set_domain_flags\fR\|(3) and \fBSSL_CTX_get_domain_flags\fR\|(3). Any
+additional flags provided (for example, \fBSSL_DOMAIN_FLAG_BLOCCKING\fR) are added
+to the set of inherited flags.
+.PP
+The default concurrency model set on a newly created \fBSSL_CTX\fR is determined as
+follows:
+.IP \(bu 4
+If an \fBSSL_METHOD\fR of \fBOSSL_QUIC_client_thread_method\fR\|(3) is used, the
+Thread-Assisted Concurrency Model (TACM) is used with the
+\&\fBSSL_DOMAIN_FLAG_BLOCKING\fR flag. This provides reliable blocking functionality.
+.IP \(bu 4
+Otherwise, if OpenSSL was built without threading support, the Single-Threaded
+Concurrency Model (SCM) is used, with the \fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR
+flag.
+.IP \(bu 4
+Otherwise, if an \fBSSL_METHOD\fR of \fBOSSL_QUIC_client_method\fR\|(3) is used, the
+Contentive Concurrency Model (CCM) is used with the
+\&\fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR flag.
+.IP \(bu 4
+Otherwise, the Contentive Concurrency Model (CCM) is used.
+.PP
+The default concurrency model may vary between releases of OpenSSL. An
+application may specify one or more of the domain flags above to ensure
+consistent usage of a specific concurrency model between releases.
+.SS "Configuration of Concurrency Models with Implicit QUIC Domains"
+.IX Subsection "Configuration of Concurrency Models with Implicit QUIC Domains"
+If an explicit QUIC domain is not explicitly created using \fBSSL_new_domain\fR\|(3),
+an implicit QUIC domain is created when calling \fBSSL_new_listener\fR\|(3) or
+\&\fBSSL_new\fR\|(3). Such a domain will use the default domain flags configured on the
+\&\fBSSL_CTX\fR as described above.
+.SH "CONSUMPTION OF OS RESOURCES"
+.IX Header "CONSUMPTION OF OS RESOURCES"
+If full blocking I/O support is selected using \fBSSL_DOMAIN_FLAG_BLOCKING\fR, at
+least one socket, socket-like OS handle or file descriptor must be allocated to
+allow one thread to wake other threads which may be blocking in calls to OS
+socket polling interfaces such as \fBselect\fR\|(2) or \fBpoll\fR\|(2). This is allocated
+automatically internally by OpenSSL.
+.PP
+If the Thread-Assisted Concurrency Model (TACM) is selected, a background thread
+is spawned. This also implies \fBSSL_DOMAIN_FLAG_BLOCKING\fR and the above.
+.PP
+The internal consumption by OpenSSL of mutexes, condition variables, spin locks
+or other similar thread synchronisation primitives is unspecified under all
+concurrency models.
+.PP
+The internal consumption by OpenSSL of threads is unspecified under the
+Thread-Assisted Concurrency Model.
+.PP
+The internal consumption by OpenSSL of sockets, socket-like OS handles or file
+descriptors, or other resources as needed to support inter-thread notification,
+is unspecified under the Thread-Assisted Concurrency Model or when using
+\&\fBSSL_DOMAIN_FLAG_BLOCKING\fR.
+.SH "BEHAVIOUR OF SSL OBJECTS"
+.IX Header "BEHAVIOUR OF SSL OBJECTS"
+A QUIC SSL object has blocking mode enabled by default where \fBall\fR of the
+following criteria are met:
+.IP \(bu 4
+\&\fBSSL_DOMAIN_FLAG_BLOCKING\fR or \fBSSL_DOMAIN_FLAG_LEGACY_BLOCKING\fR is enabled;
+and
+.IP \(bu 4
+The QUIC connection is being used with network read and write BIOs which expose
+supported poll descriptors. See \fBopenssl\-quic\fR\|(7) for details.
+.PP
+In all other cases, a QUIC SSL object has blocking mode disabled by default. The
+blocking mode can be changed explicitly using \fBSSL_set_blocking_mode\fR\|(3).
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\-quic\fR\|(7), \fBSSL_handle_events\fR\|(3), \fBSSL_get_event_timeout\fR\|(3),
+\&\fBOSSL_QUIC_client_thread_method\fR\|(3), \fBSSL_CTX_set_domain_flags\fR\|(3),
+\&\fBSSL_new_domain\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-quic.7 b/secure/lib/libcrypto/man/man7/openssl-quic.7
new file mode 100644
index 000000000000..f715032a7a10
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/openssl-quic.7
@@ -0,0 +1,777 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OPENSSL-QUIC 7ossl"
+.TH OPENSSL-QUIC 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+openssl\-quic \- OpenSSL QUIC
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+OpenSSL 3.2 and later features support for the QUIC transport protocol.
+You can use OpenSSL's QUIC capabilities for both client and server applications.
+This man page describes how to let applications use the QUIC protocol using the
+libssl API.
+.PP
+The QUIC protocol maps to the standard SSL API. A QUIC connection is represented
+by an SSL object in the same way that a TLS connection is. Only minimal changes
+are needed to existing applications which use libssl API to bring QUIC protocol
+support in. QUIC clients can use \fBOSSL_QUIC_client_method\fR\|(3) or
+\&\fBOSSL_QUIC_client_thread_method\fR\|(3) with \fBSSL_CTX_new\fR\|(3). See below for more
+details about the difference between the two. For servers, there is only one
+option: SSL method \fBOSSL_QUIC_server_method\fR\|(3) with \fBSSL_CTX_new\fR\|(3).
+.PP
+The remainder of this man page discusses, in order:
+.IP \(bu 4
+Default stream mode versus multi-stream mode for clients;
+.IP \(bu 4
+The changes to existing libssl APIs which are driven by QUIC-related
+implementation requirements, which existing applications should bear in mind;
+.IP \(bu 4
+Aspects which must be considered by existing applications when adopting QUIC,
+including potential changes which may be needed.
+.IP \(bu 4
+Recommended usage approaches for new applications.
+.IP \(bu 4
+New, QUIC-specific APIs.
+.SH "CLIENT MODES OF OPERATION"
+.IX Header "CLIENT MODES OF OPERATION"
+When a client creates a QUIC connection, by default, it operates in default
+stream mode, which is intended to provide compatibility with existing non-QUIC
+application usage patterns. In this mode, the connection has a single stream
+associated with it. Calls to \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) on the QUIC
+connection SSL object read and write from that stream. Whether the stream is
+client-initiated or server-initiated from a QUIC perspective depends on whether
+\&\fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called first.
+.PP
+Default stream mode is primarily for compatibility with existing applications.
+For new applications utilizing QUIC, it's recommended to disable this mode and
+instead adopt the multi-stream API. See the RECOMMENDATIONS FOR NEW APPLICATIONS
+section for more details.
+.SS "Default Stream Mode"
+.IX Subsection "Default Stream Mode"
+A QUIC client connection can be used in either default stream mode or
+multi-stream mode. By default, a newly created QUIC connection SSL object uses
+default stream mode.
+.PP
+In default stream mode, a stream is implicitly created and bound to the QUIC
+connection SSL object; \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) calls to the QUIC
+connection SSL object work by default and are mapped to that stream.
+.PP
+When default stream mode is used, any API function which can be called on a QUIC
+stream SSL object can also be called on a QUIC connection SSL object, in which
+case it affects the default stream bound to the connection.
+.PP
+The identity of a QUIC stream, including its stream ID, varies depending on
+whether a stream is client-initiated or server-initiated. In default stream
+mode, if a client application calls \fBSSL_read\fR\|(3) first before any call to
+\&\fBSSL_write\fR\|(3) on the connection, it is assumed that the application protocol
+is using a server-initiated stream, and the \fBSSL_read\fR\|(3) call will not
+complete (either blocking, or failing appropriately if nonblocking mode is
+configured) until the server initiates a stream. Conversely, if the client
+application calls \fBSSL_write\fR\|(3) before any call to \fBSSL_read\fR\|(3) on the
+connection, it is assumed that a client-initiated stream is to be used
+and such a stream is created automatically.
+.PP
+Default stream mode is intended to aid compatibility with legacy applications.
+New applications adopting QUIC should use multi-stream mode, described below,
+and avoid use of the default stream functionality.
+.PP
+It is possible to use additional streams in default stream mode using
+\&\fBSSL_new_stream\fR\|(3) and \fBSSL_accept_stream\fR\|(3); note that the default incoming
+stream policy will need to be changed using \fBSSL_set_incoming_stream_policy\fR\|(3)
+in order to use \fBSSL_accept_stream\fR\|(3) in this case. However, applications
+using additional streams are strongly recommended to use multi-stream mode
+instead.
+.PP
+Calling \fBSSL_new_stream\fR\|(3) or \fBSSL_accept_stream\fR\|(3) before a default stream
+has been associated with the QUIC connection SSL object will inhibit future
+creation of a default stream.
+.SS "Multi-Stream Mode"
+.IX Subsection "Multi-Stream Mode"
+The recommended usage mode for new applications adopting QUIC is multi-stream
+mode, in which no default stream is attached to the QUIC connection SSL object
+and attempts to call \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) on the QUIC connection
+SSL object fail. Instead, an application calls \fBSSL_new_stream\fR\|(3) or
+\&\fBSSL_accept_stream\fR\|(3) to create individual stream SSL objects for sending and
+receiving application data using \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3).
+.PP
+To use multi-stream mode, call \fBSSL_set_default_stream_mode\fR\|(3) with an
+argument of \fBSSL_DEFAULT_STREAM_MODE_NONE\fR; this function must be called prior
+to initiating the connection. The default stream mode cannot be changed after
+initiating a connection.
+.PP
+When multi-stream mode is used, meaning that no default stream is associated
+with the connection, calls to API functions which are defined as operating on a
+QUIC stream fail if called on the QUIC connection SSL object. For example, calls
+such as \fBSSL_write\fR\|(3) or \fBSSL_get_stream_id\fR\|(3) will fail.
+.SH "CHANGES TO EXISTING APIS"
+.IX Header "CHANGES TO EXISTING APIS"
+Most SSL APIs, such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3), function as they do
+for TLS connections and do not have changed semantics, with some exceptions. The
+changes to the semantics of existing APIs are as follows:
+.IP \(bu 4
+Since QUIC uses UDP, \fBSSL_set_bio\fR\|(3), \fBSSL_set0_rbio\fR\|(3) and
+\&\fBSSL_set0_wbio\fR\|(3) function as before, but must now receive a BIO with datagram
+semantics. There are broadly four options for applications to use as a network
+BIO:
+.RS 4
+.IP \(bu 4
+\&\fBBIO_s_datagram\fR\|(3), recommended for most applications, replaces
+\&\fBBIO_s_socket\fR\|(3) and provides a UDP socket.
+.IP \(bu 4
+\&\fBBIO_s_dgram_pair\fR\|(3) provides BIO pair-like functionality but with datagram
+semantics, and is recommended for existing applications which use a BIO pair or
+memory BIO to manage libssl's communication with the network.
+.IP \(bu 4
+\&\fBBIO_s_dgram_mem\fR\|(3) provides a simple memory BIO-like interface but with
+datagram semantics. Unlike \fBBIO_s_dgram_pair\fR\|(3), it is unidirectional.
+.IP \(bu 4
+An application may also choose to implement a custom BIO. The new
+\&\fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) APIs must be supported.
+.RE
+.RS 4
+.RE
+.IP \(bu 4
+\&\fBSSL_set_fd\fR\|(3), \fBSSL_set_rfd\fR\|(3) and \fBSSL_set_wfd\fR\|(3) traditionally
+instantiate a \fBBIO_s_socket\fR\|(3). For QUIC, these functions instead instantiate
+a \fBBIO_s_datagram\fR\|(3). This is equivalent to instantiating a
+\&\fBBIO_s_datagram\fR\|(3) and using \fBSSL_set0_rbio\fR\|(3) and \fBSSL_set0_wbio\fR\|(3).
+.IP \(bu 4
+Traditionally, whether the application-level I/O APIs (such as \fBSSL_read\fR\|(3)
+and \fBSSL_write\fR\|(3) operated in a blocking fashion was directly correlated with
+whether the underlying network socket was configured in a blocking fashion. This
+is no longer the case; applications must explicitly configure the desired
+application-level blocking mode using \fBSSL_set_blocking_mode\fR\|(3). See
+\&\fBSSL_set_blocking_mode\fR\|(3) for details.
+.IP \(bu 4
+Network-level I/O must always be performed in a nonblocking manner. The
+application can still enjoy blocking semantics for calls to application-level
+I/O functions such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3), but the underlying
+network BIO provided to QUIC (such as a \fBBIO_s_datagram\fR\|(3)) must be configured
+in nonblocking mode. For application-level blocking functionality, see
+\&\fBSSL_set_blocking_mode\fR\|(3).
+.IP \(bu 4
+\&\fBBIO_new_ssl_connect\fR\|(3) has been changed to automatically use a
+\&\fBBIO_s_datagram\fR\|(3) when used with QUIC, therefore applications which use this
+do not need to change the BIO they use.
+.IP \(bu 4
+\&\fBBIO_new_buffer_ssl_connect\fR\|(3) cannot be used with QUIC and applications must
+change to use \fBBIO_new_ssl_connect\fR\|(3) instead.
+.IP \(bu 4
+\&\fBSSL_shutdown\fR\|(3) has significant changes in relation to how QUIC connections
+must be shut down. In particular, applications should be advised that the full
+RFC-conformant QUIC shutdown process may take an extended amount of time. This
+may not be suitable for short-lived processes which should exit immediately
+after their usage of a QUIC connection is completed. A rapid shutdown mode
+is available for such applications. For details, see \fBSSL_shutdown\fR\|(3).
+.IP \(bu 4
+\&\fBSSL_want\fR\|(3), \fBSSL_want_read\fR\|(3) and \fBSSL_want_write\fR\|(3) no longer reflect
+the I/O state of the network BIO passed to the QUIC SSL object, but instead
+reflect the flow control state of the QUIC stream associated with the SSL
+object.
+.Sp
+When used in nonblocking mode, \fBSSL_ERROR_WANT_READ\fR indicates that the
+receive part of a QUIC stream does not currently have any more data available to
+be read, and \fBSSL_ERROR_WANT_WRITE\fR indicates that the stream's internal buffer
+is full.
+.Sp
+To determine if the QUIC implementation currently wishes to be informed of
+incoming network datagrams, use the new function \fBSSL_net_read_desired\fR\|(3);
+likewise, to determine if the QUIC implementation currently wishes to be
+informed when it is possible to transmit network datagrams, use the new function
+\&\fBSSL_net_write_desired\fR\|(3). Only applications which wish to manage their own event
+loops need to use these functions; see \fBAPPLICATION-DRIVEN EVENT LOOPS\fR for
+further discussion.
+.IP \(bu 4
+The use of ALPN is mandatory when using QUIC. Attempts to connect without
+configuring ALPN will fail. For information on how to configure ALPN, see
+\&\fBSSL_set_alpn_protos\fR\|(3).
+.IP \(bu 4
+Whether QUIC operates in a client or server mode is determined by the
+\&\fBSSL_METHOD\fR used, rather than by calls to \fBSSL_set_connect_state\fR\|(3) or
+\&\fBSSL_set_accept_state\fR\|(3). It is not necessary to call either of
+\&\fBSSL_set_connect_state\fR\|(3) or \fBSSL_set_accept_state\fR\|(3) before connecting, but
+if either of these are called, the function called must be congruent with the
+\&\fBSSL_METHOD\fR being used.
+.IP \(bu 4
+The \fBSSL_set_min_proto_version\fR\|(3) and \fBSSL_set_max_proto_version\fR\|(3) APIs are
+not used and the values passed to them are ignored, as OpenSSL QUIC currently
+always uses TLS 1.3.
+.IP \(bu 4
+The following libssl functionality is not available when used with QUIC.
+.RS 4
+.IP \(bu 4
+Async functionality
+.IP \(bu 4
+\&\fBSSL_MODE_AUTO_RETRY\fR
+.IP \(bu 4
+Record Padding and Fragmentation (\fBSSL_set_block_padding\fR\|(3), etc.)
+.IP \(bu 4
+\&\fBSSL_stateless\fR\|(3) support
+.IP \(bu 4
+SRTP functionality
+.IP \(bu 4
+TLSv1.3 Early Data
+.IP \(bu 4
+TLS Next Protocol Negotiation cannot be used and is superseded by ALPN, which
+must be used instead. The use of ALPN is mandatory with QUIC.
+.IP \(bu 4
+Post-Handshake Client Authentication is not available as QUIC prohibits its use.
+.IP \(bu 4
+QUIC requires the use of TLSv1.3 or later, therefore functionality only relevant
+to older TLS versions is not available.
+.IP \(bu 4
+Some cipher suites which are generally available for TLSv1.3 are not available
+for QUIC, such as \fBTLS_AES_128_CCM_8_SHA256\fR. Your application may need to
+adjust the list of acceptable cipher suites it passes to libssl.
+.IP \(bu 4
+CCM mode is not currently supported.
+.RE
+.RS 4
+.Sp
+The following libssl functionality is also not available when used with QUIC,
+but calls to the relevant functions are treated as no-ops:
+.IP \(bu 4
+Readahead (\fBSSL_set_read_ahead\fR\|(3), etc.)
+.RE
+.RS 4
+.RE
+.SH "CONSIDERATIONS FOR EXISTING APPLICATIONS"
+.IX Header "CONSIDERATIONS FOR EXISTING APPLICATIONS"
+Existing applications seeking to adopt QUIC should apply the following list to
+determine what changes they will need to make:
+.IP \(bu 4
+A client application wishing to use QUIC must use \fBOSSL_QUIC_client_method\fR\|(3)
+or \fBOSSL_QUIC_client_thread_method\fR\|(3) as its SSL method. For more information
+on the differences between these two methods, see
+\&\fBTHREAD ASSISTED MODE\fR.
+.IP \(bu 4
+A server application wishing to use QUIC must use \fBOSSL_QUIC_server_method\fR\|(3).
+The server can then accept new connections with \fBSSL_accept_connection\fR\|(3).
+.IP \(bu 4
+Determine how to provide QUIC with network access. Determine which of the below
+apply for your application:
+.RS 4
+.IP \(bu 4
+Your application uses \fBBIO_s_socket\fR\|(3) to construct a BIO which is passed to
+the SSL object to provide it with network access.
+.Sp
+Changes needed: Change your application to use \fBBIO_s_datagram\fR\|(3) instead when
+using QUIC. The socket must be configured in nonblocking mode. You may or may
+not need to use \fBSSL_set1_initial_peer_addr\fR\|(3) to set the initial peer
+address; see the \fBQUIC-SPECIFIC APIS\fR section for details.
+.IP \(bu 4
+Your application uses \fBBIO_new_ssl_connect\fR\|(3) to
+construct a BIO which is passed to the SSL object to provide it with network
+access.
+.Sp
+Changes needed: No changes needed. Use of QUIC is detected automatically and a
+datagram socket is created instead of a normal TCP socket.
+.IP \(bu 4
+Your application uses any other I/O strategy in this list but combines it with a
+\&\fBBIO_f_buffer\fR\|(3), for example using \fBBIO_push\fR\|(3).
+.Sp
+Changes needed: Disable the usage of \fBBIO_f_buffer\fR\|(3) when using QUIC. Usage
+of such a buffer is incompatible with QUIC as QUIC requires datagram semantics
+in its interaction with the network.
+.IP \(bu 4
+Your application uses a BIO pair to cause the SSL object to read and write
+network traffic to a memory buffer. Your application manages the transmission
+and reception of buffered data itself in a way unknown to libssl.
+.Sp
+Changes needed: Switch from using a conventional BIO pair to using
+\&\fBBIO_s_dgram_pair\fR\|(3) instead, which has the necessary datagram semantics. You
+will need to modify your application to transmit and receive using a UDP socket
+and to use datagram semantics when interacting with the \fBBIO_s_dgram_pair\fR\|(3)
+instance.
+.IP \(bu 4
+Your application uses a custom BIO method to provide the SSL object with network
+access.
+.Sp
+Changes needed: The custom BIO must be re-architected to have datagram
+semantics. \fBBIO_sendmmsg\fR\|(3) and \fBBIO_recvmmsg\fR\|(3) must be implemented. These
+calls must operate in a nonblocking fashion. Optionally, implement the
+\&\fBBIO_get_rpoll_descriptor\fR\|(3) and \fBBIO_get_wpoll_descriptor\fR\|(3) methods if
+desired. Implementing these methods is required if blocking semantics at the SSL
+API level are desired.
+.RE
+.RS 4
+.RE
+.IP \(bu 4
+An application must explicitly configure whether it wishes to use the SSL APIs
+in blocking mode or not. Traditionally, an SSL object has automatically operated
+in blocking or nonblocking mode based on whether the underlying network BIO
+operates in blocking or nonblocking mode. QUIC requires the use of a
+nonblocking network BIO, therefore the blocking mode at the application level
+can be explicitly configured by the application using the new
+\&\fBSSL_set_blocking_mode\fR\|(3) API. The default mode is blocking. If an application
+wishes to use the SSL object APIs at application level in a nonblocking manner,
+it must add a call to \fBSSL_set_blocking_mode\fR\|(3) to disable blocking mode.
+.IP \(bu 4
+If your client application does not choose to use thread assisted mode, it must
+ensure that it calls an I/O function on the SSL object (for example,
+\&\fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3)), or the new function \fBSSL_handle_events\fR\|(3),
+regularly. If the SSL object is used in blocking mode, an ongoing blocking call
+to an I/O function satisfies this requirement. This is required to ensure that
+timer events required by QUIC are handled in a timely fashion.
+.Sp
+Most applications will service the SSL object by calling \fBSSL_read\fR\|(3) or
+\&\fBSSL_write\fR\|(3) regularly. If an application does not do this, it should ensure
+that \fBSSL_handle_events\fR\|(3) is called regularly.
+.Sp
+\&\fBSSL_get_event_timeout\fR\|(3) can be used to determine when
+\&\fBSSL_handle_events\fR\|(3) must next be called.
+.Sp
+If the SSL object is being used with an underlying network BIO which is pollable
+(such as \fBBIO_s_datagram\fR\|(3)), the application can use
+\&\fBSSL_get_rpoll_descriptor\fR\|(3), \fBSSL_get_wpoll_descriptor\fR\|(3) to obtain
+resources which can be used to determine when \fBSSL_handle_events\fR\|(3) should be
+called due to network I/O.
+.Sp
+Client applications which use thread assisted mode do not need to be concerned
+with this requirement, as the QUIC implementation ensures timeout events
+are handled in a timely manner. See \fBTHREAD ASSISTED MODE\fR for details.
+.IP \(bu 4
+Ensure that your usage of \fBSSL_want\fR\|(3), \fBSSL_want_read\fR\|(3) and
+\&\fBSSL_want_write\fR\|(3) reflects the API changes described in \fBCHANGES TO EXISTING
+APIS\fR. In particular, you should use these APIs to determine the ability of a
+QUIC stream to receive or provide application data, not to to determine if
+network I/O is required.
+.IP \(bu 4
+Evaluate your application's use of \fBSSL_shutdown\fR\|(3) in light of the changes
+discussed in \fBCHANGES TO EXISTING APIS\fR. Depending on whether your application
+wishes to prioritise RFC conformance or rapid shutdown, consider using the new
+\&\fBSSL_shutdown_ex\fR\|(3) API instead. See \fBQUIC-SPECIFIC APIS\fR for details.
+.SH "RECOMMENDED USAGE IN NEW APPLICATIONS"
+.IX Header "RECOMMENDED USAGE IN NEW APPLICATIONS"
+The recommended usage in new applications varies depending on three independent
+design decisions:
+.IP \(bu 4
+Whether the application will use blocking or nonblocking I/O at the application
+level (configured using \fBSSL_set_blocking_mode\fR\|(3)).
+.Sp
+If the application does nonblocking I/O at the application level it can choose
+to manage its own polling and event loop; see \fBAPPLICATION-DRIVEN EVENT LOOPS\fR.
+.IP \(bu 4
+Whether the application intends to give the QUIC implementation direct access to
+a network socket (e.g. via \fBBIO_s_datagram\fR\|(3)) or whether it intends to buffer
+transmitted and received datagrams via a \fBBIO_s_dgram_pair\fR\|(3) or custom BIO.
+.Sp
+The former is preferred where possible as it reduces latency to the network,
+which enables QUIC to achieve higher performance and more accurate connection
+round trip time (RTT) estimation.
+.IP \(bu 4
+Whether thread assisted mode will be used (see \fBTHREAD ASSISTED MODE\fR).
+.PP
+Simple demos for QUIC usage under these various scenarios can be found at
+<https://github.com/openssl/openssl/tree/master/doc/designs/ddd>.
+.PP
+Applications which wish to implement QUIC-specific protocols should be aware of
+the APIs listed under \fBQUIC-SPECIFIC APIS\fR which provide access to
+QUIC-specific functionality. For example, \fBSSL_stream_conclude\fR\|(3) can be used
+to indicate the end of the sending part of a stream, and \fBSSL_shutdown_ex\fR\|(3)
+can be used to provide a QUIC application error code when closing a connection.
+.PP
+Regardless of the design decisions chosen above, it is recommended that new
+applications avoid use of the default stream mode and use the multi-stream API
+by calling \fBSSL_set_default_stream_mode\fR\|(3); see the MODES OF OPERATION section
+for details.
+.SH "QUIC-SPECIFIC APIS"
+.IX Header "QUIC-SPECIFIC APIS"
+This section details new APIs which are directly or indirectly related to QUIC.
+For details on the operation of each API, see the referenced man pages.
+.PP
+The following SSL APIs are new but relevant to both QUIC and DTLS:
+.IP \fBSSL_get_event_timeout\fR\|(3) 4
+.IX Item "SSL_get_event_timeout"
+Determines when the QUIC implementation should next be woken up via a call to
+\&\fBSSL_handle_events\fR\|(3) (or another I/O function such as \fBSSL_read\fR\|(3) or
+\&\fBSSL_write\fR\|(3)), if ever.
+.Sp
+This can also be used with DTLS and supersedes \fBDTLSv1_get_timeout\fR\|(3) for new
+usage.
+.IP \fBSSL_handle_events\fR\|(3) 4
+.IX Item "SSL_handle_events"
+This is a non-specific I/O operation which makes a best effort attempt to
+perform any pending I/O or timeout processing. It can be used to advance the
+QUIC state machine by processing incoming network traffic, generating outgoing
+network traffic and handling any expired timeout events. Most other I/O
+functions on an SSL object, such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3),
+implicitly perform event handling on the SSL object, so calling this function is
+only needed if no other I/O function is to be called.
+.Sp
+This can also be used with DTLS and supersedes \fBDTLSv1_handle_timeout\fR\|(3) for
+new usage.
+.PP
+The following SSL APIs are specific to QUIC:
+.IP \fBSSL_new_listener\fR\|(3) 4
+.IX Item "SSL_new_listener"
+Creates a listener SSL object, which differs from an ordinary SSL object in that
+it is used to provide an abstraction for the acceptance of network connections
+in a protocol-agnostic manner.
+.Sp
+Currently, listener SSL objects are only supported for QUIC server usage or
+client-only usage. The listener interface may expand to support additional
+protocols in the future.
+.IP \fBSSL_new_listener_from\fR\|(3) 4
+.IX Item "SSL_new_listener_from"
+Creates a listener SSL object which is subordinate to a QUIC domain SSL object
+\&\fIssl\fR. See \fBSSL_new_domain\fR\|(3) and \fBopenssl\-quic\-concurrency\fR\|(7) for details
+on QUIC domain SSL objects.
+.IP \fBSSL_is_listener\fR\|(3) 4
+.IX Item "SSL_is_listener"
+Returns 1 if and only if an SSL object is a listener SSL object.
+.IP \fBSSL_get0_listener\fR\|(3) 4
+.IX Item "SSL_get0_listener"
+Returns an SSL object pointer (potentially to the same object on which it is
+called) or NULL.
+.IP \fBSSL_listen\fR\|(3) 4
+.IX Item "SSL_listen"
+Begin listening after a listener has been created. It is ordinarily not needed
+to call this because it will be called automatically on the first call to
+\&\fBSSL_accept_connection\fR\|(3).
+.IP \fBSSL_accept_connection\fR\|(3) 4
+.IX Item "SSL_accept_connection"
+Accepts a new incoming connection for a listner SSL object. A new SSL object
+representing the accepted connection is created and returned on success. If no
+incoming connection is available and the listener SSL object is configured in
+nonblocking mode, NULL is returned.
+.IP \fBSSL_get_accept_connection_queue_len\fR\|(3) 4
+.IX Item "SSL_get_accept_connection_queue_len"
+Returns an informational value listing the number of connections waiting to be
+popped from the queue via calls to \fBSSL_accept_connection()\fR.
+.IP \fBSSL_new_from_listener\fR\|(3) 4
+.IX Item "SSL_new_from_listener"
+Creates a client connection under a given listener SSL object. For QUIC, it is
+also possible to use \fBSSL_new_from_listener()\fR in conjunction with a listener
+which does accept incoming connections (i.e., which was not created using
+\&\fBSSL_LISTENER_FLAG_NO_ACCEPT\fR), leading to a UDP network endpoint which has
+both incoming and outgoing connections.
+.IP \fBSSL_new_domain\fR\|(3) 4
+.IX Item "SSL_new_domain"
+Creates a new QUIC event domain, represented as an SSL object. This is known as
+a QUIC domain SSL object. The concept of a QUIC event domain is discussed in
+detail in \fBopenssl\-quic\-concurrency\fR\|(7).
+.IP \fBSSL_is_domain\fR\|(3) 4
+.IX Item "SSL_is_domain"
+Returns 1 if an SSL object is a QUIC domain SSL object.
+.IP \fBSSL_get0_domain\fR\|(3) 4
+.IX Item "SSL_get0_domain"
+\&\fBSSL_get0_domain()\fR obtains a pointer to the QUIC domain SSL object in an SSL
+object hierarchy (if any).
+.IP "\fBSSL_set_blocking_mode\fR\|(3), \fBSSL_get_blocking_mode\fR\|(3)" 4
+.IX Item "SSL_set_blocking_mode, SSL_get_blocking_mode"
+Configures whether blocking semantics are used at the application level. This
+determines whether calls to functions such as \fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3)
+will block.
+.IP "\fBSSL_get_rpoll_descriptor\fR\|(3), \fBSSL_get_wpoll_descriptor\fR\|(3)" 4
+.IX Item "SSL_get_rpoll_descriptor, SSL_get_wpoll_descriptor"
+These functions facilitate operation in nonblocking mode.
+.Sp
+When an SSL object is being used with an underlying network read BIO which
+supports polling, \fBSSL_get_rpoll_descriptor\fR\|(3) outputs an OS resource which
+can be used to synchronise on network readability events which should result in
+a call to \fBSSL_handle_events\fR\|(3). \fBSSL_get_wpoll_descriptor\fR\|(3) works in an
+analogous fashion for the underlying network write BIO.
+.Sp
+The poll descriptors provided by these functions should be used only when
+\&\fBSSL_net_read_desired\fR\|(3) and \fBSSL_net_write_desired\fR\|(3) return 1,
+respectively.
+.IP "\fBSSL_net_read_desired\fR\|(3), \fBSSL_net_write_desired\fR\|(3)" 4
+.IX Item "SSL_net_read_desired, SSL_net_write_desired"
+These functions facilitate operation in nonblocking mode and are used in
+conjunction with \fBSSL_get_rpoll_descriptor\fR\|(3) and
+\&\fBSSL_get_wpoll_descriptor\fR\|(3) respectively. They determine whether the
+respective poll descriptor is currently relevant for the purposes of polling.
+.IP \fBSSL_set1_initial_peer_addr\fR\|(3) 4
+.IX Item "SSL_set1_initial_peer_addr"
+This function can be used to set the initial peer address for an outgoing QUIC
+connection. This function must be used in the general case when creating an
+outgoing QUIC connection; however, the correct initial peer address can be
+autodetected in some cases. See \fBSSL_set1_initial_peer_addr\fR\|(3) for details.
+.IP \fBSSL_shutdown_ex\fR\|(3) 4
+.IX Item "SSL_shutdown_ex"
+This augments \fBSSL_shutdown\fR\|(3) by allowing an application error code to be
+specified. It also allows an application to decide how quickly it wants a
+shutdown to be performed, potentially by trading off strict RFC compliance.
+.IP \fBSSL_stream_conclude\fR\|(3) 4
+.IX Item "SSL_stream_conclude"
+This allows an application to indicate the normal end of the sending part of a
+QUIC stream. This corresponds to the FIN flag in the QUIC RFC. The receiving
+part of a stream remains usable.
+.IP \fBSSL_stream_reset\fR\|(3) 4
+.IX Item "SSL_stream_reset"
+This allows an application to indicate the non-normal termination of the sending
+part of a stream. This corresponds to the RESET_STREAM frame in the QUIC RFC.
+.IP "\fBSSL_get_stream_write_state\fR\|(3) and \fBSSL_get_stream_read_state\fR\|(3)" 4
+.IX Item "SSL_get_stream_write_state and SSL_get_stream_read_state"
+This allows an application to determine the current stream states for the
+sending and receiving parts of a stream respectively.
+.IP "\fBSSL_get_stream_write_error_code\fR\|(3) and \fBSSL_get_stream_read_error_code\fR\|(3)" 4
+.IX Item "SSL_get_stream_write_error_code and SSL_get_stream_read_error_code"
+This allows an application to determine the application error code which was
+signalled by a peer which has performed a non-normal stream termination of the
+respective sending or receiving part of a stream, if any.
+.IP \fBSSL_get_conn_close_info\fR\|(3) 4
+.IX Item "SSL_get_conn_close_info"
+This allows an application to determine the error code which was signalled when
+the local or remote endpoint terminated the QUIC connection.
+.IP \fBSSL_get0_connection\fR\|(3) 4
+.IX Item "SSL_get0_connection"
+Gets the QUIC connection SSL object from a QUIC stream SSL object.
+.IP \fBSSL_is_connection\fR\|(3) 4
+.IX Item "SSL_is_connection"
+Returns 1 if an SSL object is not a QUIC stream SSL object.
+.IP \fBSSL_get_stream_type\fR\|(3) 4
+.IX Item "SSL_get_stream_type"
+Provides information on the kind of QUIC stream which is attached
+to the SSL object.
+.IP \fBSSL_get_stream_id\fR\|(3) 4
+.IX Item "SSL_get_stream_id"
+Returns the QUIC stream ID which the QUIC protocol has associated with a QUIC
+stream.
+.IP \fBSSL_new_stream\fR\|(3) 4
+.IX Item "SSL_new_stream"
+Creates a new QUIC stream SSL object representing a new, locally-initiated QUIC
+stream.
+.IP \fBSSL_accept_stream\fR\|(3) 4
+.IX Item "SSL_accept_stream"
+Potentially yields a new QUIC stream SSL object representing a new
+remotely-initiated QUIC stream, blocking until one is available if the
+connection is configured to do so.
+.IP \fBSSL_get_accept_stream_queue_len\fR\|(3) 4
+.IX Item "SSL_get_accept_stream_queue_len"
+Provides information on the number of pending remotely-initiated streams.
+.IP \fBSSL_set_incoming_stream_policy\fR\|(3) 4
+.IX Item "SSL_set_incoming_stream_policy"
+Configures how incoming, remotely-initiated streams are handled. The incoming
+stream policy can be used to automatically reject streams created by the peer,
+or allow them to be handled using \fBSSL_accept_stream\fR\|(3).
+.IP \fBSSL_set_default_stream_mode\fR\|(3) 4
+.IX Item "SSL_set_default_stream_mode"
+Used to configure or disable default stream mode; see the MODES OF OPERATION
+section for details.
+.PP
+The following BIO APIs are not specific to QUIC but have been added to
+facilitate QUIC-specific requirements and are closely associated with its use:
+.IP \fBBIO_s_dgram_pair\fR\|(3) 4
+.IX Item "BIO_s_dgram_pair"
+This is a new BIO method which is similar to a conventional BIO pair but
+provides datagram semantics.
+.IP "\fBBIO_get_rpoll_descriptor\fR\|(3), \fBBIO_get_wpoll_descriptor\fR\|(3)" 4
+.IX Item "BIO_get_rpoll_descriptor, BIO_get_wpoll_descriptor"
+This is a new BIO API which allows a BIO to expose a poll descriptor. This API
+is used to implement the corresponding SSL APIs \fBSSL_get_rpoll_descriptor\fR\|(3)
+and \fBSSL_get_wpoll_descriptor\fR\|(3).
+.IP "\fBBIO_sendmmsg\fR\|(3), \fBBIO_recvmmsg\fR\|(3)" 4
+.IX Item "BIO_sendmmsg, BIO_recvmmsg"
+This is a new BIO API which can be implemented by BIOs which implement datagram
+semantics. It is implemented by \fBBIO_s_datagram\fR\|(3) and \fBBIO_s_dgram_pair\fR\|(3).
+It is used by the QUIC implementation to send and receive UDP datagrams.
+.IP "\fBBIO_dgram_set_no_trunc\fR\|(3), \fBBIO_dgram_get_no_trunc\fR\|(3)" 4
+.IX Item "BIO_dgram_set_no_trunc, BIO_dgram_get_no_trunc"
+By default, \fBBIO_s_dgram_pair\fR\|(3) has semantics comparable to those of Berkeley
+sockets being used with datagram semantics. This allows an alternative mode
+to be enabled in which datagrams will not be silently truncated if they are
+too large.
+.IP "\fBBIO_dgram_set_caps\fR\|(3), \fBBIO_dgram_get_caps\fR\|(3)" 4
+.IX Item "BIO_dgram_set_caps, BIO_dgram_get_caps"
+These functions are used to allow the user of one end of a
+\&\fBBIO_s_dgram_pair\fR\|(3) to indicate its capabilities to the other end of a
+\&\fBBIO_s_dgram_pair\fR\|(3). In particular, this allows an application to inform the
+QUIC implementation of whether it is prepared to handle local and/or peer
+addresses in transmitted datagrams and to provide the applicable information in
+received datagrams.
+.IP "\fBBIO_dgram_get_local_addr_cap\fR\|(3), \fBBIO_dgram_set_local_addr_enable\fR\|(3), \fBBIO_dgram_get_local_addr_enable\fR\|(3)" 4
+.IX Item "BIO_dgram_get_local_addr_cap, BIO_dgram_set_local_addr_enable, BIO_dgram_get_local_addr_enable"
+Local addressing support refers to the ability of a BIO with datagram semantics
+to allow a source address to be specified on transmission and to report the
+destination address on reception. These functions can be used to determine if a
+BIO can support local addressing and to enable local addressing support if it
+can.
+.IP \fBBIO_err_is_non_fatal\fR\|(3) 4
+.IX Item "BIO_err_is_non_fatal"
+This is used to determine if an error while calling \fBBIO_sendmmsg\fR\|(3) or
+\&\fBBIO_recvmmsg\fR\|(3) is ephemeral in nature, such as "would block" errors.
+.SH "THREAD ASSISTED MODE"
+.IX Header "THREAD ASSISTED MODE"
+The optional thread assisted mode for clients can be used with
+\&\fBOSSL_QUIC_client_thread_method\fR\|(3). In this mode, a background thread is
+created automatically. The OpenSSL QUIC implementation then takes responsibility
+for ensuring that timeout events are handled on a timely basis even if no SSL
+I/O function such as \fBSSL_read\fR\|(3) or \fBSSL_write\fR\|(3) is called by the
+application for a long time.
+.PP
+All necessary locking is handled automatically internally, but the thread safety
+guarantees for the public SSL API are unchanged. Therefore, an application must
+still do its own locking if it wishes to make concurrent use of the public SSL
+APIs.
+.PP
+Because this method relies on threads, it is not available on platforms where
+threading support is not available or not supported by OpenSSL. However, it
+does provide the simplest mode of usage for an application.
+.PP
+The implementation may or may not use a common thread or thread pool to service
+multiple SSL objects in the same \fBSSL_CTX\fR.
+.SH "APPLICATION-DRIVEN EVENT LOOPS"
+.IX Header "APPLICATION-DRIVEN EVENT LOOPS"
+OpenSSL's QUIC implementation is designed to facilitate applications which wish
+to use the SSL APIs in a blocking fashion, but is also designed to facilitate
+applications which wish to use the SSL APIs in a nonblocking fashion and manage
+their own event loops and polling directly. This is useful when it is desirable
+to host OpenSSL's QUIC implementation on top of an application's existing
+nonblocking I/O infrastructure.
+.PP
+This is supported via the concept of poll descriptors; see
+\&\fBBIO_get_rpoll_descriptor\fR\|(3) for details. Broadly, a \fBBIO_POLL_DESCRIPTOR\fR is
+a structure which expresses some kind of OS resource which can be used to
+synchronise on I/O events. The QUIC implementation provides a
+\&\fBBIO_POLL_DESCRIPTOR\fR based on the poll descriptor provided by the underlying
+network BIO. This is typically an OS socket handle, though custom BIOs could
+choose to implement their own custom poll descriptor format.
+.PP
+Broadly, an application which wishes to manage its own event loop should
+interact with the SSL object as follows:
+.IP \(bu 4
+It should provide read and write BIOs with nonblocking datagram semantics to
+the SSL object using \fBSSL_set0_rbio\fR\|(3) and \fBSSL_set0_wbio\fR\|(3). This could be
+a BIO abstracting a network socket such as \fBBIO_s_datagram\fR\|(3), or a BIO
+abstracting some kind of memory buffer such as \fBBIO_s_dgram_pair\fR\|(3). Use of a
+custom BIO is also possible.
+.IP \(bu 4
+It should configure the SSL object into nonblocking mode by calling
+\&\fBSSL_set_blocking_mode\fR\|(3).
+.IP \(bu 4
+It should configure the SSL object as desired, set an initial peer as needed
+using \fBSSL_set1_initial_peer_addr\fR\|(3), and trigger the connection process by
+calling \fBSSL_connect\fR\|(3).
+.IP \(bu 4
+If the network read and write BIOs provided were pollable (for example,
+a \fBBIO_s_datagram\fR\|(3), or a custom BIO which implements
+\&\fBBIO_get_rpoll_descriptor\fR\|(3) and \fBBIO_get_wpoll_descriptor\fR\|(3)), it should
+perform the following steps repeatedly:
+.RS 4
+.IP \(bu 4
+The application should call \fBSSL_get_rpoll_descriptor\fR\|(3) and
+\&\fBSSL_get_wpoll_descriptor\fR\|(3) to identify OS resources which can be used for
+synchronisation.
+.IP \(bu 4
+It should call \fBSSL_net_read_desired\fR\|(3) and \fBSSL_net_write_desired\fR\|(3) to determine
+whether the QUIC implementation is currently interested in readability and
+writability events on the underlying network BIO which was provided, and call
+\&\fBSSL_get_event_timeout\fR\|(3) to determine if any timeout event will become
+applicable in the future.
+.IP \(bu 4
+It should wait until one of the following events occurs:
+.RS 4
+.IP \(bu 4
+The poll descriptor returned by \fBSSL_get_rpoll_descriptor\fR\|(3) becomes readable
+(if \fBSSL_net_read_desired\fR\|(3) returned 1);
+.IP \(bu 4
+The poll descriptor returned by \fBSSL_get_wpoll_descriptor\fR\|(3) becomes writable
+(if \fBSSL_net_write_desired\fR\|(3) returned 1);
+.IP \(bu 4
+The timeout returned by \fBSSL_get_event_timeout\fR\|(3) (if any) expires.
+.RE
+.RS 4
+.Sp
+Once any of these events occurs, \fBSSL_handle_events\fR\|(3) should be called.
+.RE
+.RE
+.RS 4
+.RE
+.IP \(bu 4
+If the network read and write BIOs provided were not pollable (for example, in
+the case of \fBBIO_s_dgram_pair\fR\|(3)), the application is responsible for managing
+and synchronising network I/O. It should call \fBSSL_handle_events\fR\|(3) after it
+writes data to a \fBBIO_s_dgram_pair\fR\|(3) or otherwise takes action so that the
+QUIC implementation can read new datagrams via a call to \fBBIO_recvmmsg\fR\|(3) on
+the underlying network BIO. The QUIC implementation may output datagrams via a
+call to \fBBIO_sendmmsg\fR\|(3) and the application is responsible for ensuring these
+are transmitted.
+.Sp
+The application must call \fBSSL_get_event_timeout\fR\|(3) after every call to
+\&\fBSSL_handle_events\fR\|(3) (or another I/O function on the SSL object), and ensure
+that a call to \fBSSL_handle_events\fR\|(3) is performed after the specified timeout
+(if any).
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBSSL_handle_events\fR\|(3), \fBSSL_get_event_timeout\fR\|(3),
+\&\fBSSL_net_read_desired\fR\|(3), \fBSSL_net_write_desired\fR\|(3),
+\&\fBSSL_get_rpoll_descriptor\fR\|(3), \fBSSL_get_wpoll_descriptor\fR\|(3),
+\&\fBSSL_set_blocking_mode\fR\|(3), \fBSSL_shutdown_ex\fR\|(3),
+\&\fBSSL_set1_initial_peer_addr\fR\|(3), \fBSSL_stream_conclude\fR\|(3),
+\&\fBSSL_stream_reset\fR\|(3), \fBSSL_get_stream_read_state\fR\|(3),
+\&\fBSSL_get_stream_read_error_code\fR\|(3), \fBSSL_get_conn_close_info\fR\|(3),
+\&\fBSSL_get0_connection\fR\|(3), \fBSSL_get_stream_type\fR\|(3), \fBSSL_get_stream_id\fR\|(3),
+\&\fBSSL_new_stream\fR\|(3), \fBSSL_accept_stream\fR\|(3),
+\&\fBSSL_set_incoming_stream_policy\fR\|(3), \fBSSL_set_default_stream_mode\fR\|(3),
+\&\fBSSL_new_listener\fR\|(3), \fBSSL_new_listener_from\fR\|(3), \fBSSL_is_listener\fR\|(3),
+\&\fBSSL_get0_listener\fR\|(3), \fBSSL_listen\fR\|(3), \fBSSL_accept_connection\fR\|(3),
+\&\fBSSL_get_accept_connection_queue_len\fR\|(3), \fBSSL_new_domain\fR\|(3),
+\&\fBSSL_is_domain\fR\|(3), \fBSSL_get0_domain\fR\|(3)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2022\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl-threads.7 b/secure/lib/libcrypto/man/man7/openssl-threads.7
index c699373765e3..7b07a4378103 100644
--- a/secure/lib/libcrypto/man/man7/openssl-threads.7
+++ b/secure/lib/libcrypto/man/man7/openssl-threads.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL-THREADS 7ossl"
-.TH OPENSSL-THREADS 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OPENSSL-THREADS 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl\-threads \- Overview of thread safety in OpenSSL
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
In this man page, we use the term \fBthread-safe\fR to indicate that an
object or function can be used by multiple threads at the same time.
.PP
OpenSSL can be built with or without threads support. The most important
use of this support is so that OpenSSL itself can use a single consistent
-\&\s-1API,\s0 as shown in \*(L"\s-1EXAMPLES\*(R"\s0 in \fBCRYPTO_THREAD_run_once\fR\|(3).
-Multi-platform applications can also use this \s-1API.\s0
+API, as shown in "EXAMPLES" in \fBCRYPTO_THREAD_run_once\fR\|(3).
+Multi-platform applications can also use this API.
.PP
In particular, being configured for threads support does not imply that
all OpenSSL objects are thread-safe.
@@ -154,18 +78,18 @@ To emphasize: \fImost objects are not safe for simultaneous use\fR.
Exceptions to this should be documented on the specific manual pages, and
some general high-level guidance is given here.
.PP
-One major use of the OpenSSL thread \s-1API\s0 is to implement reference counting.
+One major use of the OpenSSL thread API is to implement reference counting.
Many objects within OpenSSL are reference-counted, so resources are not
released, until the last reference is removed.
References are often increased automatically (such as when an \fBX509\fR
certificate object is added into an \fBX509_STORE\fR trust store).
-There is often an \fB\f(BIobject\fB_up_ref\fR() function that can be used to increase
+There is often an \fR\f(BIobject\fR\fB_up_ref\fR() function that can be used to increase
the reference count.
-Failure to match \fB\f(BIobject\fB_up_ref\fR() calls with the right number of
-\&\fB\f(BIobject\fB_free\fR() calls is a common source of memory leaks when a program
+Failure to match \fB\fR\f(BIobject\fR\fB_up_ref\fR() calls with the right number of
+\&\fB\fR\f(BIobject\fR\fB_free\fR() calls is a common source of memory leaks when a program
exits.
.PP
-Many objects have set and get \s-1API\s0's to set attributes in the object.
+Many objects have set and get API's to set attributes in the object.
A \f(CW\*(C`set0\*(C'\fR passes ownership from the caller to the object and a
\&\f(CW\*(C`get0\*(C'\fR returns a pointer but the attribute ownership
remains with the object and a reference to it is returned.
@@ -182,38 +106,38 @@ Set methods, or modifying shared objects, are generally not thread-safe
as discussed below.
.PP
Objects are thread-safe
-as long as the \s-1API\s0's being invoked don't modify the object; in this
-case the parameter is usually marked in the \s-1API\s0 as \f(CW\*(C`const\*(C'\fR.
+as long as the API's being invoked don't modify the object; in this
+case the parameter is usually marked in the API as \f(CW\*(C`const\*(C'\fR.
Not all parameters are marked this way.
Note that a \f(CW\*(C`const\*(C'\fR declaration does not mean immutable; for example
\&\fBX509_cmp\fR\|(3) takes pointers to \f(CW\*(C`const\*(C'\fR objects, but the implementation
uses a C cast to remove that so it can lock objects, generate and cache
-a \s-1DER\s0 encoding, and so on.
+a DER encoding, and so on.
.PP
Another instance of thread-safety is when updates to an object's
internal state, such as cached values, are done with locks.
-One example of this is the reference counting \s-1API\s0's described above.
+One example of this is the reference counting API's described above.
.PP
In all cases, however, it is generally not safe for one thread to
mutate an object, such as setting elements of a private or public key,
while another thread is using that object, such as verifying a signature.
.PP
-The same \s-1API\s0's can usually be used simultaneously on different objects
+The same API's can usually be used simultaneously on different objects
without interference.
For example, two threads can calculate a signature using two different
-\&\fB\s-1EVP_PKEY_CTX\s0\fR objects.
+\&\fBEVP_PKEY_CTX\fR objects.
.PP
For implicit global state or singletons, thread-safety depends on the facility.
-The \fBCRYPTO_secure_malloc\fR\|(3) and related \s-1API\s0's have their own lock,
+The \fBCRYPTO_secure_malloc\fR\|(3) and related API's have their own lock,
while \fBCRYPTO_malloc\fR\|(3) assumes the underlying platform allocation
will do any necessary locking.
-Some \s-1API\s0's, such as \fBNCONF_load\fR\|(3) and related, or \fBOBJ_create\fR\|(3)
-do no locking at all; this can be considered a bug.
+Some API's, such as \fBNCONF_load\fR\|(3) and related do no locking at all;
+this can be considered a bug.
.PP
-A separate, although related, issue is modifying \*(L"factory\*(R" objects
+A separate, although related, issue is modifying "factory" objects
when other objects have been created from that.
-For example, an \fB\s-1SSL_CTX\s0\fR object created by \fBSSL_CTX_new\fR\|(3) is used
-to create per-connection \fB\s-1SSL\s0\fR objects by calling \fBSSL_new\fR\|(3).
+For example, an \fBSSL_CTX\fR object created by \fBSSL_CTX_new\fR\|(3) is used
+to create per-connection \fBSSL\fR objects by calling \fBSSL_new\fR\|(3).
In this specific case, and probably for factory methods in general, it is
not safe to modify the factory object after it has been used to create
other objects.
@@ -221,14 +145,14 @@ other objects.
.IX Header "SEE ALSO"
\&\fBCRYPTO_THREAD_run_once\fR\|(3),
local system threads documentation.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
This page is admittedly very incomplete.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/openssl_user_macros.7 b/secure/lib/libcrypto/man/man7/openssl_user_macros.7
index f6fba37c9154..63e95d8edb9b 100644
--- a/secure/lib/libcrypto/man/man7/openssl_user_macros.7
+++ b/secure/lib/libcrypto/man/man7/openssl_user_macros.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,83 +52,23 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_USER_MACROS 7ossl"
-.TH OPENSSL_USER_MACROS 7ossl "2023-09-22" "3.0.11" "OpenSSL"
+.TH OPENSSL_USER_MACROS 7ossl 2025-07-24 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
openssl_user_macros, OPENSSL_API_COMPAT, OPENSSL_NO_DEPRECATED
\&\- User defined macros
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
User defined macros allow the programmer to control certain aspects of
what is exposed by the OpenSSL headers.
.PP
-\&\fB\s-1NOTE:\s0\fR to be effective, a user defined macro \fImust be defined
+\&\fBNOTE:\fR to be effective, a user defined macro \fImust be defined
before including any header file that depends on it\fR, either in the
compilation command (\f(CW\*(C`cc \-DMACRO=value\*(C'\fR) or by defining the macro in
source before including any headers.
@@ -153,12 +77,12 @@ Other manual pages may refer to this page when declarations depend on
user defined macros.
.SS "The macros"
.IX Subsection "The macros"
-.IP "\fB\s-1OPENSSL_API_COMPAT\s0\fR" 4
+.IP \fBOPENSSL_API_COMPAT\fR 4
.IX Item "OPENSSL_API_COMPAT"
The value is a version number, given in one of the following two forms:
.RS 4
.ie n .IP """0xMNNFF000L""" 4
-.el .IP "\f(CW0xMNNFF000L\fR" 4
+.el .IP \f(CW0xMNNFF000L\fR 4
.IX Item "0xMNNFF000L"
This is the form supported for all versions up to 1.1.x, where \f(CW\*(C`M\*(C'\fR
represents the major number, \f(CW\*(C`NN\*(C'\fR represents the minor number, and
@@ -188,7 +112,7 @@ feasible. For example, \f(CW\*(C`0x60000000L\*(C'\fR will work as expected.
However, it is recommended to start using the second form instead:
.RE
.ie n .IP """mmnnpp""" 4
-.el .IP "\f(CWmmnnpp\fR" 4
+.el .IP \f(CWmmnnpp\fR 4
.IX Item "mmnnpp"
This form is a simple decimal number calculated with this formula:
.Sp
@@ -211,21 +135,21 @@ minor and patch components of the version number. For example:
.RS 4
.PD
.Sp
-If \fB\s-1OPENSSL_API_COMPAT\s0\fR is undefined, this default value is used in its
+If \fBOPENSSL_API_COMPAT\fR is undefined, this default value is used in its
place:
-\&\f(CW30000\fR
+\&\f(CW30500\fR
.RE
-.IP "\fB\s-1OPENSSL_NO_DEPRECATED\s0\fR" 4
+.IP \fBOPENSSL_NO_DEPRECATED\fR 4
.IX Item "OPENSSL_NO_DEPRECATED"
If this macro is defined, all deprecated public symbols in all OpenSSL
-versions up to and including the version given by \fB\s-1OPENSSL_API_COMPAT\s0\fR
-(or the default value given above, when \fB\s-1OPENSSL_API_COMPAT\s0\fR isn't defined)
+versions up to and including the version given by \fBOPENSSL_API_COMPAT\fR
+(or the default value given above, when \fBOPENSSL_API_COMPAT\fR isn't defined)
will be hidden.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7
new file mode 100644
index 000000000000..d75d44c34eca
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-introduction.7
@@ -0,0 +1,160 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-INTRODUCTION 7ossl"
+.TH OSSL-GUIDE-INTRODUCTION 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-introduction
+\&\- OpenSSL Guide: An introduction to OpenSSL
+.SH "WHAT IS OPENSSL?"
+.IX Header "WHAT IS OPENSSL?"
+OpenSSL is a robust, commercial-grade, full-featured toolkit for general-purpose
+cryptography and secure communication. Its features are made available via a
+command line application that enables users to perform various cryptography
+related functions such as generating keys and certificates. Additionally it
+supplies two libraries that application developers can use to implement
+cryptography based capabilities and to securely communicate across a network.
+Finally, it also has a set of providers that supply implementations of a broad
+set of cryptographic algorithms.
+.PP
+OpenSSL is fully open source. Version 3.0 and above are distributed under the
+Apache v2 license.
+.SH "GETTING AND INSTALLING OPENSSL"
+.IX Header "GETTING AND INSTALLING OPENSSL"
+The OpenSSL Project develops and distributes the source code for OpenSSL. You
+can obtain that source code via the OpenSSL website
+(<https://www.openssl.org/source>).
+.PP
+Many Operating Systems (notably Linux distributions) supply pre-built OpenSSL
+binaries either pre-installed or available via the package management system in
+use for that OS. It is worth checking whether this applies to you before
+attempting to build OpenSSL from the source code.
+.PP
+Some third parties also supply OpenSSL binaries (e.g. for Windows and some other
+platforms). The OpenSSL project maintains a list of these third parties at
+<https://github.com/openssl/openssl/wiki/Binaries>.
+.PP
+If you build and install OpenSSL from the source code then you should download
+the appropriate files for the version that you want to use from the link given
+above. Extract the contents of the \fBtar.gz\fR archive file that you downloaded
+into an appropriate directory. Inside that archive you will find a file named
+\&\fBINSTALL.md\fR which will supply detailed instructions on how to build and
+install OpenSSL from source. Make sure you read the contents of that file
+carefully in order to achieve a successful build. In the directory you will also
+find a set of \fBNOTES\fR files that provide further platform specific information.
+Make sure you carefully read the file appropriate to your platform. As well as
+the platform specific \fBNOTES\fR files there is also a \fBNOTES\-PERL.md\fR file that
+provides information about setting up Perl for use by the OpenSSL build system
+across multiple platforms.
+.PP
+Sometimes you may want to build and install OpenSSL from source on a system
+which already has a pre-built version of OpenSSL installed on it via the
+Operating System package management system (for example if you want to use a
+newer version of OpenSSL than the one supplied by your Operating System). In
+this case it is strongly recommended to install OpenSSL to a different location
+than where the pre-built version is installed. You should \fBnever\fR replace the
+pre-built version with a different version as this may break your system.
+.SH "CONTENTS OF THE OPENSSL GUIDE"
+.IX Header "CONTENTS OF THE OPENSSL GUIDE"
+The OpenSSL Guide is a series of documentation pages (starting with this one)
+that introduce some of the main concepts in OpenSSL. The guide can either be
+read end-to-end in order, or alternatively you can simply skip to the parts most
+applicable to your use case. Note however that later pages may depend on and
+assume knowledge from earlier pages.
+.PP
+The pages in the guide are as follows:
+.IP "\fBossl\-guide\-libraries\-introduction\fR\|(7): An introduction to the OpenSSL libraries" 4
+.IX Item "ossl-guide-libraries-introduction: An introduction to the OpenSSL libraries"
+.PD 0
+.IP "\fBossl\-guide\-libcrypto\-introduction\fR\|(7): An introduction to libcrypto" 4
+.IX Item "ossl-guide-libcrypto-introduction: An introduction to libcrypto"
+.IP "\fBossl\-guide\-libssl\-introduction\fR\|(7): An introduction to libssl" 4
+.IX Item "ossl-guide-libssl-introduction: An introduction to libssl"
+.IP "\fBossl\-guide\-tls\-introduction\fR\|(7): An introduction to SSL/TLS in OpenSSL" 4
+.IX Item "ossl-guide-tls-introduction: An introduction to SSL/TLS in OpenSSL"
+.IP "\fBossl\-guide\-tls\-client\-block\fR\|(7): Writing a simple blocking TLS client" 4
+.IX Item "ossl-guide-tls-client-block: Writing a simple blocking TLS client"
+.IP "\fBossl\-guide\-tls\-client\-non\-block\fR\|(7): Writing a simple nonblocking TLS client" 4
+.IX Item "ossl-guide-tls-client-non-block: Writing a simple nonblocking TLS client"
+.IP "\fBossl\-guide\-tls\-server\-block\fR\|(7): Writing a simple blocking TLS server" 4
+.IX Item "ossl-guide-tls-server-block: Writing a simple blocking TLS server"
+.IP "\fBossl\-guide\-quic\-introduction\fR\|(7): An introduction to QUIC in OpenSSL" 4
+.IX Item "ossl-guide-quic-introduction: An introduction to QUIC in OpenSSL"
+.IP "\fBossl\-guide\-quic\-client\-block\fR\|(7): Writing a simple blocking QUIC client" 4
+.IX Item "ossl-guide-quic-client-block: Writing a simple blocking QUIC client"
+.IP "\fBossl\-guide\-quic\-server\-block\fR\|(7): Writing a simple blocking QUIC server" 4
+.IX Item "ossl-guide-quic-server-block: Writing a simple blocking QUIC server"
+.IP "\fBossl\-guide\-quic\-multi\-stream\fR\|(7): Writing a simple multi-stream QUIC client" 4
+.IX Item "ossl-guide-quic-multi-stream: Writing a simple multi-stream QUIC client"
+.IP "\fBossl\-guide\-quic\-server\-non\-block\fR\|(7): Writing a simple nonblocking QUIC server" 4
+.IX Item "ossl-guide-quic-server-non-block: Writing a simple nonblocking QUIC server"
+.IP "\fBossl\-guide\-quic\-client\-non\-block\fR\|(7): Writing a simple nonblocking QUIC client" 4
+.IX Item "ossl-guide-quic-client-non-block: Writing a simple nonblocking QUIC client"
+.IP "\fBossl\-guide\-migration\fR\|(7): Migrating from older OpenSSL versions" 4
+.IX Item "ossl-guide-migration: Migrating from older OpenSSL versions"
+.PD
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7
new file mode 100644
index 000000000000..ec0595388e9a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-libcrypto-introduction.7
@@ -0,0 +1,443 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl"
+.TH OSSL-GUIDE-LIBCRYPTO-INTRODUCTION 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-libcrypto\-introduction, crypto
+\&\- OpenSSL Guide: An introduction to libcrypto
+.SH INTRODUCTION
+.IX Header "INTRODUCTION"
+The OpenSSL cryptography library (\f(CW\*(C`libcrypto\*(C'\fR) enables access to a wide range
+of cryptographic algorithms used in various Internet standards. The services
+provided by this library are used by the OpenSSL implementations of TLS and
+CMS, and they have also been used to implement many other third party products
+and protocols.
+.PP
+The functionality includes symmetric encryption, public key cryptography, key
+agreement, certificate handling, cryptographic hash functions, cryptographic
+pseudo-random number generators, message authentication codes (MACs), key
+derivation functions (KDFs), and various utilities.
+.SS Algorithms
+.IX Subsection "Algorithms"
+Cryptographic primitives such as the SHA256 digest, or AES encryption are
+referred to in OpenSSL as "algorithms". Each algorithm may have multiple
+implementations available for use. For example the RSA algorithm is available as
+a "default" implementation suitable for general use, and a "fips" implementation
+which has been validated to FIPS 140 standards for situations where that is
+important. It is also possible that a third party could add additional
+implementations such as in a hardware security module (HSM).
+.PP
+Algorithms are implemented in providers. See
+\&\fBossl\-guide\-libraries\-introduction\fR\|(7) for information about providers.
+.SS Operations
+.IX Subsection "Operations"
+Different algorithms can be grouped together by their purpose. For example there
+are algorithms for encryption, and different algorithms for digesting data.
+These different groups are known as "operations" in OpenSSL. Each operation
+has a different set of functions associated with it. For example to perform an
+encryption operation using AES (or any other encryption algorithm) you would use
+the encryption functions detailed on the \fBEVP_EncryptInit\fR\|(3) page. Or to
+perform a digest operation using SHA256 then you would use the digesting
+functions on the \fBEVP_DigestInit\fR\|(3) page.
+.SH "ALGORITHM FETCHING"
+.IX Header "ALGORITHM FETCHING"
+In order to use an algorithm an implementation for it must first be "fetched".
+Fetching is the process of looking through the available implementations,
+applying selection criteria (via a property query string), and finally choosing
+the implementation that will be used.
+.PP
+Two types of fetching are supported by OpenSSL \- "Explicit fetching" and
+"Implicit fetching".
+.SS "Explicit fetching"
+.IX Subsection "Explicit fetching"
+Explicit fetching involves directly calling a specific API to fetch an algorithm
+implementation from a provider. This fetched object can then be passed to other
+APIs. These explicit fetching functions usually have the name \f(CW\*(C`APINAME_fetch\*(C'\fR,
+where \f(CW\*(C`APINAME\*(C'\fR is the name of the operation. For example \fBEVP_MD_fetch\fR\|(3)
+can be used to explicitly fetch a digest algorithm implementation. The user is
+responsible for freeing the object returned from the \f(CW\*(C`APINAME_fetch\*(C'\fR function
+using \f(CW\*(C`APINAME_free\*(C'\fR when it is no longer needed.
+.PP
+These fetching functions follow a fairly common pattern, where three
+arguments are passed:
+.IP "The library context" 4
+.IX Item "The library context"
+See \fBOSSL_LIB_CTX\fR\|(3) for a more detailed description.
+This may be NULL to signify the default (global) library context, or a
+context created by the user. Only providers loaded in this library context (see
+\&\fBOSSL_PROVIDER_load\fR\|(3)) will be considered by the fetching function. In case
+no provider has been loaded in this library context then the default provider
+will be loaded as a fallback (see \fBOSSL_PROVIDER\-default\fR\|(7)).
+.IP "An identifier" 4
+.IX Item "An identifier"
+For all currently implemented fetching functions this is the algorithm name.
+Each provider supports a list of algorithm implementations. See the provider
+specific documentation for information on the algorithm implementations
+available in each provider:
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-default\fR\|(7),
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-FIPS\fR\|(7),
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-legacy\fR\|(7) and
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-base\fR\|(7).
+.Sp
+Note, while providers may register algorithms against a list of names using a
+string with a colon separated list of names, fetching algorithms using that
+format is currently unsupported.
+.IP "A property query string" 4
+.IX Item "A property query string"
+The property query string used to guide selection of the algorithm
+implementation. See
+"PROPERTY QUERY STRINGS" in \fBossl\-guide\-libraries\-introduction\fR\|(7).
+.PP
+The algorithm implementation that is fetched can then be used with other diverse
+functions that use them. For example the \fBEVP_DigestInit_ex\fR\|(3) function takes
+as a parameter an \fBEVP_MD\fR object which may have been returned from an earlier
+call to \fBEVP_MD_fetch\fR\|(3).
+.SS "Implicit fetching"
+.IX Subsection "Implicit fetching"
+OpenSSL has a number of functions that return an algorithm object with no
+associated implementation, such as \fBEVP_sha256\fR\|(3), \fBEVP_aes_128_cbc\fR\|(3),
+\&\fBEVP_get_cipherbyname\fR\|(3) or \fBEVP_get_digestbyname\fR\|(3). These are present for
+compatibility with OpenSSL before version 3.0 where explicit fetching was not
+available.
+.PP
+When they are used with functions like \fBEVP_DigestInit_ex\fR\|(3) or
+\&\fBEVP_CipherInit_ex\fR\|(3), the actual implementation to be used is
+fetched implicitly using default search criteria (which uses NULL for the
+library context and property query string).
+.PP
+In some cases implicit fetching can also occur when a NULL algorithm parameter
+is supplied. In this case an algorithm implementation is implicitly fetched
+using default search criteria and an algorithm name that is consistent with
+the context in which it is being used.
+.PP
+Functions that use an \fBEVP_PKEY_CTX\fR or an \fBEVP_PKEY\fR\|(3), such as
+\&\fBEVP_DigestSignInit\fR\|(3), all fetch the implementations implicitly. Usually the
+algorithm to fetch is determined based on the type of key that is being used and
+the function that has been called.
+.SS Performance
+.IX Subsection "Performance"
+If you perform the same operation many times with the same algorithm then it is
+recommended to use a single explicit fetch of the algorithm and then reuse the
+explicitly fetched algorithm each subsequent time. This will typically be
+faster than implicitly fetching the algorithm every time you use it. See an
+example of Explicit fetching in "USING ALGORITHMS IN APPLICATIONS".
+.PP
+Prior to OpenSSL 3.0, functions such as \fBEVP_sha256()\fR which return a "const"
+object were used directly to indicate the algorithm to use in various function
+calls. If you pass the return value of one of these convenience functions to an
+operation then you are using implicit fetching. If you are converting an
+application that worked with an OpenSSL version prior to OpenSSL 3.0 then
+consider changing instances of implicit fetching to explicit fetching instead.
+.PP
+If an explicitly fetched object is not passed to an operation, then any implicit
+fetch will use an internally cached prefetched object, but it will
+still be slower than passing the explicitly fetched object directly.
+.PP
+The following functions can be used for explicit fetching:
+.IP \fBEVP_MD_fetch\fR\|(3) 4
+.IX Item "EVP_MD_fetch"
+Fetch a message digest/hashing algorithm implementation.
+.IP \fBEVP_CIPHER_fetch\fR\|(3) 4
+.IX Item "EVP_CIPHER_fetch"
+Fetch a symmetric cipher algorithm implementation.
+.IP \fBEVP_KDF_fetch\fR\|(3) 4
+.IX Item "EVP_KDF_fetch"
+Fetch a Key Derivation Function (KDF) algorithm implementation.
+.IP \fBEVP_MAC_fetch\fR\|(3) 4
+.IX Item "EVP_MAC_fetch"
+Fetch a Message Authentication Code (MAC) algorithm implementation.
+.IP \fBEVP_KEM_fetch\fR\|(3) 4
+.IX Item "EVP_KEM_fetch"
+Fetch a Key Encapsulation Mechanism (KEM) algorithm implementation
+.IP \fBOSSL_ENCODER_fetch\fR\|(3) 4
+.IX Item "OSSL_ENCODER_fetch"
+Fetch an encoder algorithm implementation (e.g. to encode keys to a specified
+format).
+.IP \fBOSSL_DECODER_fetch\fR\|(3) 4
+.IX Item "OSSL_DECODER_fetch"
+Fetch a decoder algorithm implementation (e.g. to decode keys from a specified
+format).
+.IP \fBEVP_RAND_fetch\fR\|(3) 4
+.IX Item "EVP_RAND_fetch"
+Fetch a Pseudo Random Number Generator (PRNG) algorithm implementation.
+.PP
+See "OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-default\fR\|(7),
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-FIPS\fR\|(7),
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-legacy\fR\|(7) and
+"OPERATIONS AND ALGORITHMS" in \fBOSSL_PROVIDER\-base\fR\|(7) for a list of algorithm names
+that can be fetched.
+.SH "FETCHING EXAMPLES"
+.IX Header "FETCHING EXAMPLES"
+The following section provides a series of examples of fetching algorithm
+implementations.
+.PP
+Fetch any available implementation of SHA2\-256 in the default context. Note
+that some algorithms have aliases. So "SHA256" and "SHA2\-256" are synonymous:
+.PP
+.Vb 3
+\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", NULL);
+\& ...
+\& EVP_MD_free(md);
+.Ve
+.PP
+Fetch any available implementation of AES\-128\-CBC in the default context:
+.PP
+.Vb 3
+\& EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "AES\-128\-CBC", NULL);
+\& ...
+\& EVP_CIPHER_free(cipher);
+.Ve
+.PP
+Fetch an implementation of SHA2\-256 from the default provider in the default
+context:
+.PP
+.Vb 3
+\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider=default");
+\& ...
+\& EVP_MD_free(md);
+.Ve
+.PP
+Fetch an implementation of SHA2\-256 that is not from the default provider in the
+default context:
+.PP
+.Vb 3
+\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider!=default");
+\& ...
+\& EVP_MD_free(md);
+.Ve
+.PP
+Fetch an implementation of SHA2\-256 that is preferably from the FIPS provider in
+the default context:
+.PP
+.Vb 3
+\& EVP_MD *md = EVP_MD_fetch(NULL, "SHA2\-256", "provider=?fips");
+\& ...
+\& EVP_MD_free(md);
+.Ve
+.PP
+Fetch an implementation of SHA2\-256 from the default provider in the specified
+library context:
+.PP
+.Vb 3
+\& EVP_MD *md = EVP_MD_fetch(libctx, "SHA2\-256", "provider=default");
+\& ...
+\& EVP_MD_free(md);
+.Ve
+.PP
+Load the legacy provider into the default context and then fetch an
+implementation of WHIRLPOOL from it:
+.PP
+.Vb 2
+\& /* This only needs to be done once \- usually at application start up */
+\& OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
+\&
+\& EVP_MD *md = EVP_MD_fetch(NULL, "WHIRLPOOL", "provider=legacy");
+\& ...
+\& EVP_MD_free(md);
+.Ve
+.PP
+Note that in the above example the property string "provider=legacy" is optional
+since, assuming no other providers have been loaded, the only implementation of
+the "whirlpool" algorithm is in the "legacy" provider. Also note that the
+default provider should be explicitly loaded if it is required in addition to
+other providers:
+.PP
+.Vb 3
+\& /* This only needs to be done once \- usually at application start up */
+\& OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy");
+\& OSSL_PROVIDER *default = OSSL_PROVIDER_load(NULL, "default");
+\&
+\& EVP_MD *md_whirlpool = EVP_MD_fetch(NULL, "whirlpool", NULL);
+\& EVP_MD *md_sha256 = EVP_MD_fetch(NULL, "SHA2\-256", NULL);
+\& ...
+\& EVP_MD_free(md_whirlpool);
+\& EVP_MD_free(md_sha256);
+.Ve
+.SH "USING ALGORITHMS IN APPLICATIONS"
+.IX Header "USING ALGORITHMS IN APPLICATIONS"
+Cryptographic algorithms are made available to applications through use of the
+"EVP" APIs. Each of the various operations such as encryption, digesting,
+message authentication codes, etc., have a set of EVP function calls that can
+be invoked to use them. See the \fBevp\fR\|(7) page for further details.
+.PP
+Most of these follow a common pattern. A "context" object is first created. For
+example for a digest operation you would use an \fBEVP_MD_CTX\fR, and for an
+encryption/decryption operation you would use an \fBEVP_CIPHER_CTX\fR. The
+operation is then initialised ready for use via an "init" function \- optionally
+passing in a set of parameters (using the \fBOSSL_PARAM\fR\|(3) type) to configure how
+the operation should behave. Next data is fed into the operation in a series of
+"update" calls. The operation is finalised using a "final" call which will
+typically provide some kind of output. Finally the context is cleaned up and
+freed.
+.PP
+The following shows a complete example for doing this process for digesting
+data using SHA256. The process is similar for other operations such as
+encryption/decryption, signatures, message authentication codes, etc. Additional
+examples can be found in the OpenSSL demos (see
+"DEMO APPLICATIONS" in \fBossl\-guide\-libraries\-introduction\fR\|(7)).
+.PP
+.Vb 4
+\& #include <stdio.h>
+\& #include <openssl/evp.h>
+\& #include <openssl/bio.h>
+\& #include <openssl/err.h>
+\&
+\& int main(void)
+\& {
+\& EVP_MD_CTX *ctx = NULL;
+\& EVP_MD *sha256 = NULL;
+\& const unsigned char msg[] = {
+\& 0x00, 0x01, 0x02, 0x03
+\& };
+\& unsigned int len = 0;
+\& unsigned char *outdigest = NULL;
+\& int ret = 1;
+\&
+\& /* Create a context for the digest operation */
+\& ctx = EVP_MD_CTX_new();
+\& if (ctx == NULL)
+\& goto err;
+\&
+\& /*
+\& * Fetch the SHA256 algorithm implementation for doing the digest. We\*(Aqre
+\& * using the "default" library context here (first NULL parameter), and
+\& * we\*(Aqre not supplying any particular search criteria for our SHA256
+\& * implementation (second NULL parameter). Any SHA256 implementation will
+\& * do.
+\& * In a larger application this fetch would just be done once, and could
+\& * be used for multiple calls to other operations such as EVP_DigestInit_ex().
+\& */
+\& sha256 = EVP_MD_fetch(NULL, "SHA256", NULL);
+\& if (sha256 == NULL)
+\& goto err;
+\&
+\& /* Initialise the digest operation */
+\& if (!EVP_DigestInit_ex(ctx, sha256, NULL))
+\& goto err;
+\&
+\& /*
+\& * Pass the message to be digested. This can be passed in over multiple
+\& * EVP_DigestUpdate calls if necessary
+\& */
+\& if (!EVP_DigestUpdate(ctx, msg, sizeof(msg)))
+\& goto err;
+\&
+\& /* Allocate the output buffer */
+\& outdigest = OPENSSL_malloc(EVP_MD_get_size(sha256));
+\& if (outdigest == NULL)
+\& goto err;
+\&
+\& /* Now calculate the digest itself */
+\& if (!EVP_DigestFinal_ex(ctx, outdigest, &len))
+\& goto err;
+\&
+\& /* Print out the digest result */
+\& BIO_dump_fp(stdout, outdigest, len);
+\&
+\& ret = 0;
+\&
+\& err:
+\& /* Clean up all the resources we allocated */
+\& OPENSSL_free(outdigest);
+\& EVP_MD_free(sha256);
+\& EVP_MD_CTX_free(ctx);
+\& if (ret != 0)
+\& ERR_print_errors_fp(stderr);
+\& return ret;
+\& }
+.Ve
+.SH "ENCODING AND DECODING KEYS"
+.IX Header "ENCODING AND DECODING KEYS"
+Many algorithms require the use of a key. Keys can be generated dynamically
+using the EVP APIs (for example see \fBEVP_PKEY_Q_keygen\fR\|(3)). However it is often
+necessary to save or load keys (or their associated parameters) to or from some
+external format such as PEM or DER (see \fBopenssl\-glossary\fR\|(7)). OpenSSL uses
+encoders and decoders to perform this task.
+.PP
+Encoders and decoders are just algorithm implementations in the same way as
+any other algorithm implementation in OpenSSL. They are implemented by
+providers. The OpenSSL encoders and decoders are available in the default
+provider. They are also duplicated in the base provider.
+.PP
+For information about encoders see \fBOSSL_ENCODER_CTX_new_for_pkey\fR\|(3). For
+information about decoders see \fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3).
+.PP
+As well as using encoders/decoders directly there are also some helper functions
+that can be used for certain well known and commonly used formats. For example
+see \fBPEM_read_PrivateKey\fR\|(3) and \fBPEM_write_PrivateKey\fR\|(3) for information
+about reading and writing key data from PEM encoded files.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-libssl\-introduction\fR\|(7) for an introduction to using \f(CW\*(C`libssl\*(C'\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1), \fBssl\fR\|(7), \fBevp\fR\|(7), \fBOSSL_LIB_CTX\fR\|(3), \fBopenssl\-threads\fR\|(7),
+\&\fBproperty\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7), \fBOSSL_PROVIDER\-base\fR\|(7),
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7), \fBOSSL_PROVIDER\-null\fR\|(7),
+\&\fBopenssl\-glossary\fR\|(7), \fBprovider\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7
new file mode 100644
index 000000000000..03b11e16fe99
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-libraries-introduction.7
@@ -0,0 +1,372 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl"
+.TH OSSL-GUIDE-LIBRARIES-INTRODUCTION 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-libraries\-introduction
+\&\- OpenSSL Guide: An introduction to the OpenSSL libraries
+.SH INTRODUCTION
+.IX Header "INTRODUCTION"
+OpenSSL supplies two libraries that can be used by applications known as
+\&\f(CW\*(C`libcrypto\*(C'\fR and \f(CW\*(C`libssl\*(C'\fR.
+.PP
+The \f(CW\*(C`libcrypto\*(C'\fR library provides APIs for general purpose cryptography such as
+encryption, digital signatures, hash functions, etc. It additionally supplies
+supporting APIs for cryptography related standards, e.g. for reading and writing
+digital certificates (also known as X.509 certificates). Finally it also
+supplies various additional supporting APIs that are not directly cryptography
+related but are nonetheless useful and depended upon by other APIs. For
+example the "BIO" functions provide capabilities for abstracting I/O, e.g. via a
+file or over a network.
+.PP
+The \f(CW\*(C`libssl\*(C'\fR library provides functions to perform secure communication between
+two peers across a network. Most significantly it implements support for the
+SSL/TLS, DTLS and QUIC standards.
+.PP
+The \f(CW\*(C`libssl\*(C'\fR library depends on and uses many of the capabilities supplied by
+\&\f(CW\*(C`libcrypto\*(C'\fR. Any application linked against \f(CW\*(C`libssl\*(C'\fR will also link against
+\&\f(CW\*(C`libcrypto\*(C'\fR, and most applications that do this will directly use API functions
+supplied by both libraries.
+.PP
+Applications may be written that only use \f(CW\*(C`libcrypto\*(C'\fR capabilities and do not
+link against \f(CW\*(C`libssl\*(C'\fR at all.
+.SH PROVIDERS
+.IX Header "PROVIDERS"
+As well as the two main libraries, OpenSSL also comes with a set of providers.
+.PP
+A provider in OpenSSL is a component that collects together algorithm
+implementations (for example an implementation of the symmetric encryption
+algorithm AES). In order to use an algorithm you must have at least one
+provider loaded that contains an implementation of it. OpenSSL comes with a
+number of providers and they may also be obtained from third parties.
+.PP
+Providers may either be "built-in" or in the form of a separate loadable module
+file (typically one ending in ".so" or ".dll" dependent on the platform). A
+built-in provider is one that is either already present in \f(CW\*(C`libcrypto\*(C'\fR or one
+that the application has supplied itself directly. Third parties can also supply
+providers in the form of loadable modules.
+.PP
+If you don't load a provider explicitly (either in program code or via config)
+then the OpenSSL built-in "default" provider will be automatically loaded.
+.PP
+See "OPENSSL PROVIDERS" below for a description of the providers that OpenSSL
+itself supplies.
+.PP
+Loading and unloading providers is quite an expensive operation. It is normally
+done once, early on in the application lifecycle and those providers are kept
+loaded for the duration of the application execution.
+.SH "LIBRARY CONTEXTS"
+.IX Header "LIBRARY CONTEXTS"
+Many OpenSSL API functions make use of a library context. A library context can
+be thought of as a "scope" within which configuration options take effect. When
+a provider is loaded, it is only loaded within the scope of a given library
+context. In this way it is possible for different components of a complex
+application to each use a different library context and have different providers
+loaded with different configuration settings.
+.PP
+If an application does not explicitly create a library context then the
+"default" library context will be used.
+.PP
+Library contexts are represented by the \fBOSSL_LIB_CTX\fR type. Many OpenSSL API
+functions take a library context as a parameter. Applications can always pass
+\&\fBNULL\fR for this parameter to just use the default library context.
+.PP
+The default library context is automatically created the first time it is
+needed. This will automatically load any available configuration file and will
+initialise OpenSSL for use. Unlike in earlier versions of OpenSSL (prior to
+1.1.0) no explicit initialisation steps need to be taken.
+.PP
+Similarly when the application exits, the default library context is
+automatically destroyed. No explicit de-initialisation steps need to be taken.
+.PP
+See \fBOSSL_LIB_CTX\fR\|(3) for more information about library contexts.
+See also "ALGORITHM FETCHING" in \fBossl\-guide\-libcrypto\-introduction\fR\|(7).
+.SH "PROPERTY QUERY STRINGS"
+.IX Header "PROPERTY QUERY STRINGS"
+In some cases the available providers may mean that more than one implementation
+of any given algorithm might be available. For example the OpenSSL FIPS provider
+supplies alternative implementations of many of the same algorithms that are
+available in the OpenSSL default provider.
+.PP
+The process of selecting an algorithm implementation is known as "fetching".
+When OpenSSL fetches an algorithm to use it is possible to specify a "property
+query string" to guide the selection process. For example a property query
+string of "provider=default" could be used to force the selection to only
+consider algorithm implementations in the default provider.
+.PP
+Property query strings can be specified explicitly as an argument to a function.
+It is also possible to specify a default property query string for the whole
+library context using the \fBEVP_set_default_properties\fR\|(3) or
+\&\fBEVP_default_properties_enable_fips\fR\|(3) functions. Where both
+default properties and function specific properties are specified then they are
+combined. Function specific properties will override default properties where
+there is a conflict.
+.PP
+See "ALGORITHM FETCHING" in \fBossl\-guide\-libcrypto\-introduction\fR\|(7) for more
+information about fetching. See \fBproperty\fR\|(7) for more information about
+properties.
+.SH "MULTI-THREADED APPLICATIONS"
+.IX Header "MULTI-THREADED APPLICATIONS"
+As long as OpenSSL has been built with support for threads (the default case
+on most platforms) then most OpenSSL \fIfunctions\fR are thread-safe in the sense
+that it is safe to call the same function from multiple threads at the same
+time. However most OpenSSL \fIdata structures\fR are not thread-safe. For example
+the \fBBIO_write\fR\|(3) and \fBBIO_read\fR\|(3) functions are thread safe. However it
+would not be thread safe to call \fBBIO_write()\fR from one thread while calling
+\&\fBBIO_read()\fR in another where both functions are passed the same \fBBIO\fR object
+since both of them may attempt to make changes to the same \fBBIO\fR object.
+.PP
+There are exceptions to these rules. A small number of functions are not thread
+safe at all. Where this is the case this restriction should be noted in the
+documentation for the function. Similarly some data structures may be partially
+or fully thread safe. For example it is always safe to use an \fBOSSL_LIB_CTX\fR in
+multiple threads.
+.PP
+See \fBopenssl\-threads\fR\|(7) for a more detailed discussion on OpenSSL threading
+support.
+.SH "ERROR HANDLING"
+.IX Header "ERROR HANDLING"
+Most OpenSSL functions will provide a return value indicating whether the
+function has been successful or not. It is considered best practice to always
+check the return value from OpenSSL functions (where one is available).
+.PP
+Most functions that return a pointer value will return NULL in the event of a
+failure.
+.PP
+Most functions that return an integer value will return a positive integer for
+success. Some of these functions will return 0 to indicate failure. Others may
+return 0 or a negative value for failure.
+.PP
+Some functions cannot fail and have a \fBvoid\fR return type. There are also a
+small number of functions that do not conform to the above conventions (e.g.
+they may return 0 to indicate success).
+.PP
+Due to the above variations in behaviour it is important to check the
+documentation for each function for information about how to interpret the
+return value for it.
+.PP
+It is sometimes necessary to get further information about the cause of a
+failure (e.g. for debugging or logging purposes). Many (but not all) functions
+will add further information about a failure to the OpenSSL error stack. By
+using the error stack you can find out information such as a reason code/string
+for the error as well as the exact file and source line within OpenSSL that
+emitted the error.
+.PP
+OpenSSL supplies a set of error handling functions to query the error stack. See
+\&\fBERR_get_error\fR\|(3) for information about the functions available for querying
+error data. Also see \fBERR_print_errors\fR\|(3) for information on some simple
+helper functions for printing error data. Finally look at \fBERR_clear_error\fR\|(3)
+for how to clear old errors from the error stack.
+.SH "OPENSSL PROVIDERS"
+.IX Header "OPENSSL PROVIDERS"
+OpenSSL comes with a set of providers.
+.PP
+The algorithms available in each of these providers may vary due to build time
+configuration options. The \fBopenssl\-list\fR\|(1) command can be used to list the
+currently available algorithms.
+.PP
+The names of the algorithms shown from \fBopenssl\-list\fR\|(1) can be used as an
+algorithm identifier to the appropriate fetching function. Also see the provider
+specific manual pages linked below for further details about using the
+algorithms available in each of the providers.
+.PP
+As well as the OpenSSL providers third parties can also implement providers.
+For information on writing a provider see \fBprovider\fR\|(7).
+.SS "Default provider"
+.IX Subsection "Default provider"
+The default provider is built-in as part of the \fIlibcrypto\fR library and
+contains all of the most commonly used algorithm implementations. Should it be
+needed (if other providers are loaded and offer implementations of the same
+algorithms), the property query string "provider=default" can be used as a
+search criterion for these implementations. The default provider includes all
+of the functionality in the base provider below.
+.PP
+If you don't load any providers at all then the "default" provider will be
+automatically loaded. If you explicitly load any provider then the "default"
+provider would also need to be explicitly loaded if it is required.
+.PP
+See \fBOSSL_PROVIDER\-default\fR\|(7).
+.SS "Base provider"
+.IX Subsection "Base provider"
+The base provider is built in as part of the \fIlibcrypto\fR library and contains
+algorithm implementations for encoding and decoding of OpenSSL keys.
+Should it be needed (if other providers are loaded and offer
+implementations of the same algorithms), the property query string
+"provider=base" can be used as a search criterion for these implementations.
+Some encoding and decoding algorithm implementations are not FIPS algorithm
+implementations in themselves but support algorithms from the FIPS provider and
+are allowed for use in "FIPS mode". The property query string "fips=yes" can be
+used to select such algorithms.
+.PP
+See \fBOSSL_PROVIDER\-base\fR\|(7).
+.SS "FIPS provider"
+.IX Subsection "FIPS provider"
+The FIPS provider is a dynamically loadable module, and must therefore
+be loaded explicitly, either in code or through OpenSSL configuration
+(see \fBconfig\fR\|(5)). It contains algorithm implementations that have been
+validated according to FIPS standards. Should it be needed (if other
+providers are loaded and offer implementations of the same algorithms), the
+property query string "provider=fips" can be used as a search criterion for
+these implementations. All approved algorithm implementations in the FIPS
+provider can also be selected with the property "fips=yes". The FIPS provider
+may also contain non-approved algorithm implementations and these can be
+selected with the property "fips=no".
+.PP
+Typically the "Base provider" will also need to be loaded because the FIPS
+provider does not support the encoding or decoding of keys.
+.PP
+See \fBOSSL_PROVIDER\-FIPS\fR\|(7) and \fBfips_module\fR\|(7).
+.SS "Legacy provider"
+.IX Subsection "Legacy provider"
+The legacy provider is a dynamically loadable module, and must therefore
+be loaded explicitly, either in code or through OpenSSL configuration
+(see \fBconfig\fR\|(5)). It contains algorithm implementations that are considered
+insecure, or are no longer in common use such as MD2 or RC4. Should it be needed
+(if other providers are loaded and offer implementations of the same algorithms),
+the property "provider=legacy" can be used as a search criterion for these
+implementations.
+.PP
+See \fBOSSL_PROVIDER\-legacy\fR\|(7).
+.SS "Null provider"
+.IX Subsection "Null provider"
+The null provider is built in as part of the \fIlibcrypto\fR library. It contains
+no algorithms in it at all. When fetching algorithms the default provider will
+be automatically loaded if no other provider has been explicitly loaded. To
+prevent that from happening you can explicitly load the null provider.
+.PP
+You can use this if you create your own library context and want to ensure that
+all API calls have correctly passed the created library context and are not
+accidentally using the default library context. Load the null provider into the
+default library context so that the default library context has no algorithm
+implementations available.
+.PP
+See \fBOSSL_PROVIDER\-null\fR\|(7).
+.SH CONFIGURATION
+.IX Header "CONFIGURATION"
+By default OpenSSL will load a configuration file when it is first used. This
+will set up various configuration settings within the default library context.
+Applications that create their own library contexts may optionally configure
+them with a config file using the \fBOSSL_LIB_CTX_load_config\fR\|(3) function.
+.PP
+The configuration file can be used to automatically load providers and set up
+default property query strings.
+.PP
+For information on the OpenSSL configuration file format see \fBconfig\fR\|(5).
+.SH "LIBRARY CONVENTIONS"
+.IX Header "LIBRARY CONVENTIONS"
+Many OpenSSL functions that "get" or "set" a value follow a naming convention
+using the numbers \fB0\fR and \fB1\fR, i.e. "get0", "get1", "set0" and "set1". This
+can also apply to some functions that "add" a value to an existing set, i.e.
+"add0" and "add1".
+.PP
+For example the functions:
+.PP
+.Vb 2
+\& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+\& int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj);
+.Ve
+.PP
+In the \fB0\fR version the ownership of the object is passed to (for an add or set)
+or retained by (for a get) the parent object. For example after calling the
+\&\fBX509_CRL_add0_revoked()\fR function above, ownership of the \fIrev\fR object is passed
+to the \fIcrl\fR object. Therefore, after calling this function \fIrev\fR should not
+be freed directly. It will be freed implicitly when \fIcrl\fR is freed.
+.PP
+In the \fB1\fR version the ownership of the object is not passed to or retained by
+the parent object. Instead a copy or "up ref" of the object is performed. So
+after calling the \fBX509_add1_trust_object()\fR function above the application will
+still be responsible for freeing the \fIobj\fR value where appropriate.
+.PP
+Many OpenSSL functions conform to a naming convention of the form
+\&\fBCLASSNAME_func_name()\fR. In this naming convention the \fBCLASSNAME\fR is the name
+of an OpenSSL data structure (given in capital letters) that the function is
+primarily operating on. The \fBfunc_name\fR portion of the name is usually in
+lowercase letters and indicates the purpose of the function.
+.SH "DEMO APPLICATIONS"
+.IX Header "DEMO APPLICATIONS"
+OpenSSL is distributed with a set of demo applications which provide some
+examples of how to use the various API functions. To look at them download the
+OpenSSL source code from the OpenSSL website
+(<https://www.openssl.org/source/>). Extract the downloaded \fB.tar.gz\fR file for
+the version of OpenSSL that you are using and look at the various files in the
+\&\fBdemos\fR sub-directory.
+.PP
+The Makefiles in the subdirectories give instructions on how to build and run
+the demo applications.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-libcrypto\-introduction\fR\|(7) for a more detailed introduction to
+using \f(CW\*(C`libcrypto\*(C'\fR and \fBossl\-guide\-libssl\-introduction\fR\|(7) for more information
+on \f(CW\*(C`libssl\*(C'\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBopenssl\fR\|(1), \fBssl\fR\|(7), \fBevp\fR\|(7), \fBOSSL_LIB_CTX\fR\|(3), \fBopenssl\-threads\fR\|(7),
+\&\fBproperty\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7), \fBOSSL_PROVIDER\-base\fR\|(7),
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-legacy\fR\|(7), \fBOSSL_PROVIDER\-null\fR\|(7),
+\&\fBopenssl\-glossary\fR\|(7), \fBprovider\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2000\-2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7
new file mode 100644
index 000000000000..cf3c4d3a23a0
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-libssl-introduction.7
@@ -0,0 +1,160 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl"
+.TH OSSL-GUIDE-LIBSSL-INTRODUCTION 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-libssl\-introduction, ssl
+\&\- OpenSSL Guide: An introduction to libssl
+.SH INTRODUCTION
+.IX Header "INTRODUCTION"
+The OpenSSL \f(CW\*(C`libssl\*(C'\fR library provides implementations of several secure network
+communications protocols. Specifically it provides SSL/TLS (SSLv3, TLSv1,
+TLSv1.1, TLSv1.2 and TLSv1.3), DTLS (DTLSv1 and DTLSv1.2) and QUIC (client side
+only). The library depends on \f(CW\*(C`libcrypto\*(C'\fR for its underlying cryptographic
+operations (see \fBossl\-guide\-libcrypto\-introduction\fR\|(7)).
+.PP
+The set of APIs supplied by \f(CW\*(C`libssl\*(C'\fR is common across all of these different
+network protocols, so a developer familiar with writing applications using one
+of these protocols should be able to transition to using another with relative
+ease.
+.PP
+An application written to use \f(CW\*(C`libssl\*(C'\fR will include the \fI<openssl/ssl.h>\fR
+header file and will typically use two main data structures, i.e. \fBSSL\fR and
+\&\fBSSL_CTX\fR.
+.PP
+An \fBSSL\fR object is used to represent a connection to a remote peer. Once a
+connection with a remote peer has been established data can be exchanged with
+that peer.
+.PP
+When using DTLS any data that is exchanged uses "datagram" semantics, i.e.
+the packets of data can be delivered in any order, and they are not guaranteed
+to arrive at all. In this case the \fBSSL\fR object used for the connection is also
+used for exchanging data with the peer.
+.PP
+Both TLS and QUIC support the concept of a "stream" of data. Data sent via a
+stream is guaranteed to be delivered in order without any data loss. A stream
+can be uni\- or bi-directional.
+.PP
+SSL/TLS only supports one stream of data per connection and it is always
+bi-directional. In this case the \fBSSL\fR object used for the connection also
+represents that stream. See \fBossl\-guide\-tls\-introduction\fR\|(7) for more
+information.
+.PP
+The QUIC protocol can support multiple streams per connection and they can be
+uni\- or bi-directional. In this case an \fBSSL\fR object can represent the
+underlying connection, or a stream, or both. Where multiple streams are in use
+a separate \fBSSL\fR object is used for each one. See
+\&\fBossl\-guide\-quic\-introduction\fR\|(7) for more information.
+.PP
+An \fBSSL_CTX\fR object is used to create the \fBSSL\fR object for the underlying
+connection. A single \fBSSL_CTX\fR object can be used to create many connections
+(each represented by a separate \fBSSL\fR object). Many API functions in libssl
+exist in two forms: one that takes an \fBSSL_CTX\fR and one that takes an \fBSSL\fR.
+Typically settings that you apply to the \fBSSL_CTX\fR will then be inherited by
+any \fBSSL\fR object that you create from it. Alternatively you can apply settings
+directly to the \fBSSL\fR object without affecting other \fBSSL\fR objects. Note that
+you should not normally make changes to an \fBSSL_CTX\fR after the first \fBSSL\fR
+object has been created from it.
+.SH "DATA STRUCTURES"
+.IX Header "DATA STRUCTURES"
+As well as \fBSSL_CTX\fR and \fBSSL\fR there are a number of other data structures
+that an application may need to use. They are summarised below.
+.IP "\fBSSL_METHOD\fR (SSL Method)" 4
+.IX Item "SSL_METHOD (SSL Method)"
+This structure is used to indicate the kind of connection you want to make, e.g.
+whether it is to represent the client or the server, and whether it is to use
+SSL/TLS, DTLS or QUIC. It is passed as a parameter when creating
+the \fBSSL_CTX\fR.
+.IP "\fBSSL_SESSION\fR (SSL Session)" 4
+.IX Item "SSL_SESSION (SSL Session)"
+After establishing a connection with a peer the agreed cryptographic material
+can be reused to create future connections with the same peer more rapidly. The
+set of data used for such a future connection establishment attempt is collected
+together into an \fBSSL_SESSION\fR object. A single successful connection with a
+peer may generate zero or more such \fBSSL_SESSION\fR objects for use in future
+connection attempts.
+.IP "\fBSSL_CIPHER\fR (SSL Cipher)" 4
+.IX Item "SSL_CIPHER (SSL Cipher)"
+During connection establishment the client and server agree upon cryptographic
+algorithms they are going to use for encryption and other uses. A single set
+of cryptographic algorithms that are to be used together is known as a
+ciphersuite. Such a set is represented by an \fBSSL_CIPHER\fR object.
+.Sp
+The set of available ciphersuites that can be used are configured in the
+\&\fBSSL_CTX\fR or \fBSSL\fR.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-tls\-introduction\fR\|(7) for an introduction to the SSL/TLS
+protocol and \fBossl\-guide\-quic\-introduction\fR\|(7) for an introduction to QUIC.
+.PP
+See \fBossl\-guide\-libcrypto\-introduction\fR\|(7) for an introduction to \f(CW\*(C`libcrypto\*(C'\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-libcrypto\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7),
+\&\fBossl\-guide\-quic\-introduction\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2000\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/migration_guide.7 b/secure/lib/libcrypto/man/man7/ossl-guide-migration.7
index 642dc8f06499..9bec792f8539 100644
--- a/secure/lib/libcrypto/man/man7/migration_guide.7
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-migration.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,86 +52,44 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
-.IX Title "MIGRATION_GUIDE 7ossl"
-.TH MIGRATION_GUIDE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.IX Title "OSSL-GUIDE-MIGRATION 7ossl"
+.TH OSSL-GUIDE-MIGRATION 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
-migration_guide \- OpenSSL migration guide
-.SH "SYNOPSIS"
+.SH NAME
+ossl\-guide\-migration, migration_guide
+\&\- OpenSSL Guide: Migrating from older OpenSSL versions
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
See the individual manual pages for details.
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This guide details the changes required to migrate to new versions of OpenSSL.
-Currently this covers OpenSSL 3.0. For earlier versions refer to
+Currently this covers OpenSSL 3.0 & 3.1. For earlier versions refer to
<https://github.com/openssl/openssl/blob/master/CHANGES.md>.
For an overview of some of the key concepts introduced in OpenSSL 3.0 see
\&\fBcrypto\fR\|(7).
+.SH "OPENSSL 3.1"
+.IX Header "OPENSSL 3.1"
+.SS "Main Changes from OpenSSL 3.0"
+.IX Subsection "Main Changes from OpenSSL 3.0"
+The FIPS provider in OpenSSL 3.1 includes some non-FIPS validated algorithms,
+consequently the property query \f(CW\*(C`fips=yes\*(C'\fR is mandatory for applications that
+want to operate in a FIPS approved manner. The algorithms are:
+.IP "Triple DES ECB" 4
+.IX Item "Triple DES ECB"
+.PD 0
+.IP "Triple DES CBC" 4
+.IX Item "Triple DES CBC"
+.IP EdDSA 4
+.IX Item "EdDSA"
+.PD
+.PP
+There are no other changes requiring additional migration measures since OpenSSL 3.0.
.SH "OPENSSL 3.0"
.IX Header "OPENSSL 3.0"
.SS "Main Changes from OpenSSL 1.1.1"
@@ -162,7 +104,7 @@ of applications will work unchanged with OpenSSL 3.0 if those applications
previously worked with OpenSSL 1.1.1. However this is not guaranteed and some
changes may be required in some cases. Changes may also be required if
applications need to take advantage of some of the new features available in
-OpenSSL 3.0 such as the availability of the \s-1FIPS\s0 module.
+OpenSSL 3.0 such as the availability of the FIPS module.
.PP
\fILicense Change\fR
.IX Subsection "License Change"
@@ -172,7 +114,7 @@ licenses <https://www.openssl.org/source/license-openssl-ssleay.txt>
(both licenses apply). From OpenSSL 3.0 this is replaced by the
Apache License v2 <https://www.openssl.org/source/apache-license-2.0.txt>.
.PP
-\fIProviders and \s-1FIPS\s0 support\fR
+\fIProviders and FIPS support\fR
.IX Subsection "Providers and FIPS support"
.PP
One of the key changes from OpenSSL 1.1.1 is the introduction of the Provider
@@ -182,42 +124,42 @@ config file, which providers you want to use for any given application.
OpenSSL 3.0 comes with 5 different providers as standard. Over time third
parties may distribute additional providers that can be plugged into OpenSSL.
All algorithm implementations available via providers are accessed through the
-\&\*(L"high level\*(R" APIs (for example those functions prefixed with \f(CW\*(C`EVP\*(C'\fR). They cannot
-be accessed using the \*(L"Low Level APIs\*(R".
+"high level" APIs (for example those functions prefixed with \f(CW\*(C`EVP\*(C'\fR). They cannot
+be accessed using the "Low Level APIs".
.PP
-One of the standard providers available is the \s-1FIPS\s0 provider. This makes
-available \s-1FIPS\s0 validated cryptographic algorithms.
-The \s-1FIPS\s0 provider is disabled by default and needs to be enabled explicitly
+One of the standard providers available is the FIPS provider. This makes
+available FIPS validated cryptographic algorithms.
+The FIPS provider is disabled by default and needs to be enabled explicitly
at configuration time using the \f(CW\*(C`enable\-fips\*(C'\fR option. If it is enabled,
-the \s-1FIPS\s0 provider gets built and installed in addition to the other standard
+the FIPS provider gets built and installed in addition to the other standard
providers. No separate installation procedure is necessary.
There is however a dedicated \f(CW\*(C`install_fips\*(C'\fR make target, which serves the
-special purpose of installing only the \s-1FIPS\s0 provider into an existing
+special purpose of installing only the FIPS provider into an existing
OpenSSL installation.
.PP
Not all algorithms may be available for the application at a particular moment.
-If the application code uses any digest or cipher algorithm via the \s-1EVP\s0 interface,
+If the application code uses any digest or cipher algorithm via the EVP interface,
the application should verify the result of the \fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_EncryptInit_ex\fR\|(3), and \fBEVP_DigestInit\fR\|(3) functions. In case when
the requested algorithm is not available, these functions will fail.
.PP
-See also \*(L"Legacy Algorithms\*(R" for information on the legacy provider.
+See also "Legacy Algorithms" for information on the legacy provider.
.PP
-See also \*(L"Completing the installation of the \s-1FIPS\s0 Module\*(R" and
-\&\*(L"Using the \s-1FIPS\s0 Module in applications\*(R".
+See also "Completing the installation of the FIPS Module" and
+"Using the FIPS Module in applications".
.PP
\fILow Level APIs\fR
.IX Subsection "Low Level APIs"
.PP
OpenSSL has historically provided two sets of APIs for invoking cryptographic
-algorithms: the \*(L"high level\*(R" APIs (such as the \f(CW\*(C`EVP\*(C'\fR APIs) and the \*(L"low level\*(R"
+algorithms: the "high level" APIs (such as the \f(CW\*(C`EVP\*(C'\fR APIs) and the "low level"
APIs. The high level APIs are typically designed to work across all algorithm
-types. The \*(L"low level\*(R" APIs are targeted at a specific algorithm implementation.
-For example, the \s-1EVP\s0 APIs provide the functions \fBEVP_EncryptInit_ex\fR\|(3),
+types. The "low level" APIs are targeted at a specific algorithm implementation.
+For example, the EVP APIs provide the functions \fBEVP_EncryptInit_ex\fR\|(3),
\&\fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_EncryptFinal\fR\|(3) to perform symmetric
-encryption. Those functions can be used with the algorithms \s-1AES, CHACHA, 3DES\s0 etc.
-On the other hand, to do \s-1AES\s0 encryption using the low level APIs you would have
-to call \s-1AES\s0 specific functions such as \fBAES_set_encrypt_key\fR\|(3),
+encryption. Those functions can be used with the algorithms AES, CHACHA, 3DES etc.
+On the other hand, to do AES encryption using the low level APIs you would have
+to call AES specific functions such as \fBAES_set_encrypt_key\fR\|(3),
\&\fBAES_encrypt\fR\|(3), and so on. The functions for 3DES are different.
Use of the low level APIs has been informally discouraged by the OpenSSL
development team for a long time. However in OpenSSL 3.0 this is made more
@@ -227,112 +169,120 @@ compilation (dependent on compiler support for this). Deprecated APIs may be
removed from future versions of OpenSSL so you are strongly encouraged to update
your code to use the high level APIs instead.
.PP
-This is described in more detail in \*(L"Deprecation of Low Level Functions\*(R"
+This is described in more detail in "Deprecation of Low Level Functions"
.PP
\fILegacy Algorithms\fR
.IX Subsection "Legacy Algorithms"
.PP
-Some cryptographic algorithms such as \fB\s-1MD2\s0\fR and \fB\s-1DES\s0\fR that were available via
-the \s-1EVP\s0 APIs are now considered legacy and their use is strongly discouraged.
-These legacy \s-1EVP\s0 algorithms are still available in OpenSSL 3.0 but not by
+Some cryptographic algorithms such as \fBMD2\fR and \fBDES\fR that were available via
+the EVP APIs are now considered legacy and their use is strongly discouraged.
+These legacy EVP algorithms are still available in OpenSSL 3.0 but not by
default. If you want to use them then you must load the legacy provider.
This can be as simple as a config file change, or can be done programmatically.
See \fBOSSL_PROVIDER\-legacy\fR\|(7) for a complete list of algorithms.
-Applications using the \s-1EVP\s0 APIs to access these algorithms should instead use
+Applications using the EVP APIs to access these algorithms should instead use
more modern algorithms. If that is not possible then these applications
should ensure that the legacy provider has been loaded. This can be achieved
either programmatically or via configuration. See \fBcrypto\fR\|(7) man page for
more information about providers.
.PP
-\fIEngines and \*(L"\s-1METHOD\*(R"\s0 APIs\fR
-.IX Subsection "Engines and METHOD APIs"
+\fIEngines and "METHOD" APIs\fR
+.IX Subsection "Engines and ""METHOD"" APIs"
.PP
The refactoring to support Providers conflicts internally with the APIs used to
-support engines, including the \s-1ENGINE API\s0 and any function that creates or
-modifies custom \*(L"\s-1METHODS\*(R"\s0 (for example \fBEVP_MD_meth_new\fR\|(3),
+support engines, including the ENGINE API and any function that creates or
+modifies custom "METHODS" (for example \fBEVP_MD_meth_new\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3), \fBEVP_PKEY_meth_new\fR\|(3), \fBRSA_meth_new\fR\|(3),
\&\fBEC_KEY_METHOD_new\fR\|(3), etc.). These functions are being deprecated in
OpenSSL 3.0, and users of these APIs should know that their use can likely
bypass provider selection and configuration, with unintended consequences.
This is particularly relevant for applications written to use the OpenSSL 3.0
-\&\s-1FIPS\s0 module, as detailed below. Authors and maintainers of external engines are
+FIPS module, as detailed below. Authors and maintainers of external engines are
strongly encouraged to refactor their code transforming engines into providers
-using the new Provider \s-1API\s0 and avoiding deprecated methods.
+using the new Provider API and avoiding deprecated methods.
.PP
\fISupport of legacy engines\fR
.IX Subsection "Support of legacy engines"
.PP
-If openssl is not built without engine support or deprecated \s-1API\s0 support, engines
+If openssl is not built without engine support or deprecated API support, engines
will still work. However, their applicability will be limited.
.PP
New algorithms provided via engines will still work.
.PP
-Engine-backed keys can be loaded via custom \fB\s-1OSSL_STORE\s0\fR implementation.
-In this case the \fB\s-1EVP_PKEY\s0\fR objects created via \fBENGINE_load_private_key\fR\|(3)
+Engine-backed keys can be loaded via custom \fBOSSL_STORE\fR implementation.
+In this case the \fBEVP_PKEY\fR objects created via \fBENGINE_load_private_key\fR\|(3)
will be considered legacy and will continue to work.
.PP
To ensure the future compatibility, the engines should be turned to providers.
To prefer the provider-based hardware offload, you can specify the default
properties to prefer your provider.
.PP
+Setting engine-based or application-based default low-level crypto method such
+as \fBRSA_METHOD\fR or \fBEC_KEY_METHOD\fR is still possible and keys inside the
+default provider will use the engine-based implementation for the crypto
+operations. However \fBEVP_PKEY\fRs created by decoding by using \fBOSSL_DECODER\fR,
+\&\fBPEM_\fR or \fBd2i_\fR APIs will be provider-based. To create a fully legacy
+\&\fBEVP_PKEY\fRs \fBEVP_PKEY_set1_RSA\fR\|(3), \fBEVP_PKEY_set1_EC_KEY\fR\|(3) or similar
+functions must be used.
+.PP
\fIVersioning Scheme\fR
.IX Subsection "Versioning Scheme"
.PP
The OpenSSL versioning scheme has changed with the OpenSSL 3.0 release. The new
versioning scheme has this format:
.PP
-\&\s-1MAJOR.MINOR.PATCH\s0
+MAJOR.MINOR.PATCH
.PP
For OpenSSL 1.1.1 and below, different patch levels were indicated by a letter
at the end of the release version number. This will no longer be used and
instead the patch level is indicated by the final number in the version. A
-change in the second (\s-1MINOR\s0) number indicates that new features may have been
-added. OpenSSL versions with the same major number are \s-1API\s0 and \s-1ABI\s0 compatible.
-If the major number changes then \s-1API\s0 and \s-1ABI\s0 compatibility is not guaranteed.
+change in the second (MINOR) number indicates that new features may have been
+added. OpenSSL versions with the same major number are API and ABI compatible.
+If the major number changes then API and ABI compatibility is not guaranteed.
.PP
For more information, see \fBOpenSSL_version\fR\|(3).
.PP
\fIOther major new features\fR
.IX Subsection "Other major new features"
.PP
-Certificate Management Protocol (\s-1CMP, RFC 4210\s0)
+Certificate Management Protocol (CMP, RFC 4210)
.IX Subsection "Certificate Management Protocol (CMP, RFC 4210)"
.PP
-This also covers \s-1CRMF\s0 (\s-1RFC 4211\s0) and \s-1HTTP\s0 transfer (\s-1RFC 6712\s0)
+This also covers CRMF (RFC 4211) and HTTP transfer (RFC 6712)
See \fBopenssl\-cmp\fR\|(1) and \fBOSSL_CMP_exec_certreq\fR\|(3) as starting points.
.PP
-\s-1HTTP\s0(S) client
+HTTP(S) client
.IX Subsection "HTTP(S) client"
.PP
-A proper \s-1HTTP\s0(S) client that supports \s-1GET\s0 and \s-1POST,\s0 redirection, plain and
-\&\s-1ASN\s0.1\-encoded contents, proxies, and timeouts.
+A proper HTTP(S) client that supports GET and POST, redirection, plain and
+ASN.1\-encoded contents, proxies, and timeouts.
.PP
-Key Derivation Function \s-1API\s0 (\s-1EVP_KDF\s0)
+Key Derivation Function API (EVP_KDF)
.IX Subsection "Key Derivation Function API (EVP_KDF)"
.PP
-This simplifies the process of adding new \s-1KDF\s0 and \s-1PRF\s0 implementations.
+This simplifies the process of adding new KDF and PRF implementations.
.PP
-Previously \s-1KDF\s0 algorithms had been shoe-horned into using the \s-1EVP_PKEY\s0 object
+Previously KDF algorithms had been shoe-horned into using the EVP_PKEY object
which was not a logical mapping.
-Existing applications that use \s-1KDF\s0 algorithms using \s-1EVP_PKEY\s0
-(scrypt, \s-1TLS1 PRF\s0 and \s-1HKDF\s0) may be slower as they use an \s-1EVP_KDF\s0 bridge
+Existing applications that use KDF algorithms using EVP_PKEY
+(scrypt, TLS1 PRF and HKDF) may be slower as they use an EVP_KDF bridge
internally.
-All new applications should use the new \s-1\fBEVP_KDF\s0\fR\|(3) interface.
-See also \*(L"Key Derivation Function (\s-1KDF\s0)\*(R" in \fBOSSL_PROVIDER\-default\fR\|(7) and
-\&\*(L"Key Derivation Function (\s-1KDF\s0)\*(R" in \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7).
+All new applications should use the new \fBEVP_KDF\fR\|(3) interface.
+See also "Key Derivation Function (KDF)" in \fBOSSL_PROVIDER\-default\fR\|(7) and
+"Key Derivation Function (KDF)" in \fBOSSL_PROVIDER\-FIPS\fR\|(7).
.PP
-Message Authentication Code \s-1API\s0 (\s-1EVP_MAC\s0)
+Message Authentication Code API (EVP_MAC)
.IX Subsection "Message Authentication Code API (EVP_MAC)"
.PP
-This simplifies the process of adding \s-1MAC\s0 implementations.
+This simplifies the process of adding MAC implementations.
.PP
-This includes a generic \s-1EVP_PKEY\s0 to \s-1EVP_MAC\s0 bridge, to facilitate the continued
+This includes a generic EVP_PKEY to EVP_MAC bridge, to facilitate the continued
use of MACs through raw private keys in functionality such as
\&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3).
.PP
-All new applications should use the new \s-1\fBEVP_MAC\s0\fR\|(3) interface.
-See also \*(L"Message Authentication Code (\s-1MAC\s0)\*(R" in \fBOSSL_PROVIDER\-default\fR\|(7)
-and \*(L"Message Authentication Code (\s-1MAC\s0)\*(R" in \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7).
+All new applications should use the new \fBEVP_MAC\fR\|(3) interface.
+See also "Message Authentication Code (MAC)" in \fBOSSL_PROVIDER\-default\fR\|(7)
+and "Message Authentication Code (MAC)" in \fBOSSL_PROVIDER\-FIPS\fR\|(7).
.PP
Algorithm Fetching
.IX Subsection "Algorithm Fetching"
@@ -342,74 +292,74 @@ incur a performance penalty when using providers.
Retrieving algorithms from providers involves searching for an algorithm by name.
This is much slower than directly accessing a method table.
It is recommended to prefetch algorithms if an algorithm is used many times.
-See \*(L"Performance\*(R" in \fBcrypto\fR\|(7), \*(L"Explicit fetching\*(R" in \fBcrypto\fR\|(7) and \*(L"Implicit fetching\*(R" in \fBcrypto\fR\|(7).
+See "Performance" in \fBcrypto\fR\|(7), "Explicit fetching" in \fBcrypto\fR\|(7) and "Implicit fetching" in \fBcrypto\fR\|(7).
.PP
-Support for Linux Kernel \s-1TLS\s0
+Support for Linux Kernel TLS
.IX Subsection "Support for Linux Kernel TLS"
.PP
-In order to use \s-1KTLS,\s0 support for it must be compiled in using the
+In order to use KTLS, support for it must be compiled in using the
\&\f(CW\*(C`enable\-ktls\*(C'\fR configuration option. It must also be enabled at run time using
-the \fB\s-1SSL_OP_ENABLE_KTLS\s0\fR option.
+the \fBSSL_OP_ENABLE_KTLS\fR option.
.PP
New Algorithms
.IX Subsection "New Algorithms"
-.IP "\(bu" 4
-\&\s-1KDF\s0 algorithms \*(L"\s-1SINGLE STEP\*(R"\s0 and \*(L"\s-1SSH\*(R"\s0
+.IP \(bu 4
+KDF algorithms "SINGLE STEP" and "SSH"
.Sp
-See \s-1\fBEVP_KDF\-SS\s0\fR\|(7) and \s-1\fBEVP_KDF\-SSHKDF\s0\fR\|(7)
-.IP "\(bu" 4
-\&\s-1MAC\s0 Algorithms \*(L"\s-1GMAC\*(R"\s0 and \*(L"\s-1KMAC\*(R"\s0
+See \fBEVP_KDF\-SS\fR\|(7) and \fBEVP_KDF\-SSHKDF\fR\|(7)
+.IP \(bu 4
+MAC Algorithms "GMAC" and "KMAC"
.Sp
-See \s-1\fBEVP_MAC\-GMAC\s0\fR\|(7) and \s-1\fBEVP_MAC\-KMAC\s0\fR\|(7).
-.IP "\(bu" 4
-\&\s-1KEM\s0 Algorithm \*(L"\s-1RSASVE\*(R"\s0
+See \fBEVP_MAC\-GMAC\fR\|(7) and \fBEVP_MAC\-KMAC\fR\|(7).
+.IP \(bu 4
+KEM Algorithm "RSASVE"
.Sp
-See \s-1\fBEVP_KEM\-RSA\s0\fR\|(7).
-.IP "\(bu" 4
-Cipher Algorithm \*(L"AES-SIV\*(R"
+See \fBEVP_KEM\-RSA\fR\|(7).
+.IP \(bu 4
+Cipher Algorithm "AES-SIV"
.Sp
-See \*(L"\s-1SIV\s0 Mode\*(R" in \fBEVP_EncryptInit\fR\|(3).
-.IP "\(bu" 4
-\&\s-1AES\s0 Key Wrap inverse ciphers supported by \s-1EVP\s0 layer.
+See "SIV Mode" in \fBEVP_EncryptInit\fR\|(3).
+.IP \(bu 4
+AES Key Wrap inverse ciphers supported by EVP layer.
.Sp
-The inverse ciphers use \s-1AES\s0 decryption for wrapping, and \s-1AES\s0 encryption for
-unwrapping. The algorithms are: \*(L"\s-1AES\-128\-WRAP\-INV\*(R", \*(L"AES\-192\-WRAP\-INV\*(R",
-\&\*(L"AES\-256\-WRAP\-INV\*(R", \*(L"AES\-128\-WRAP\-PAD\-INV\*(R", \*(L"AES\-192\-WRAP\-PAD\-INV\*(R"\s0 and
-\&\*(L"\s-1AES\-256\-WRAP\-PAD\-INV\*(R".\s0
-.IP "\(bu" 4
-\&\s-1CTS\s0 ciphers added to \s-1EVP\s0 layer.
+The inverse ciphers use AES decryption for wrapping, and AES encryption for
+unwrapping. The algorithms are: "AES\-128\-WRAP\-INV", "AES\-192\-WRAP\-INV",
+"AES\-256\-WRAP\-INV", "AES\-128\-WRAP\-PAD\-INV", "AES\-192\-WRAP\-PAD\-INV" and
+"AES\-256\-WRAP\-PAD\-INV".
+.IP \(bu 4
+CTS ciphers added to EVP layer.
.Sp
-The algorithms are \*(L"\s-1AES\-128\-CBC\-CTS\*(R", \*(L"AES\-192\-CBC\-CTS\*(R", \*(L"AES\-256\-CBC\-CTS\*(R",
-\&\*(L"CAMELLIA\-128\-CBC\-CTS\*(R", \*(L"CAMELLIA\-192\-CBC\-CTS\*(R"\s0 and \*(L"\s-1CAMELLIA\-256\-CBC\-CTS\*(R".
-CS1, CS2\s0 and \s-1CS3\s0 variants are supported.
+The algorithms are "AES\-128\-CBC\-CTS", "AES\-192\-CBC\-CTS", "AES\-256\-CBC\-CTS",
+"CAMELLIA\-128\-CBC\-CTS", "CAMELLIA\-192\-CBC\-CTS" and "CAMELLIA\-256\-CBC\-CTS".
+CS1, CS2 and CS3 variants are supported.
.PP
-\s-1CMS\s0 and PKCS#7 updates
+CMS and PKCS#7 updates
.IX Subsection "CMS and PKCS#7 updates"
-.IP "\(bu" 4
+.IP \(bu 4
Added CAdES-BES signature verification support.
-.IP "\(bu" 4
-Added CAdES-BES signature scheme and attributes support (\s-1RFC 5126\s0) to \s-1CMS API.\s0
-.IP "\(bu" 4
-Added AuthEnvelopedData content type structure (\s-1RFC 5083\s0) using \s-1AES_GCM\s0
+.IP \(bu 4
+Added CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
+.IP \(bu 4
+Added AuthEnvelopedData content type structure (RFC 5083) using AES_GCM
.Sp
-This uses the AES-GCM parameter (\s-1RFC 5084\s0) for the Cryptographic Message Syntax.
+This uses the AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax.
Its purpose is to support encryption and decryption of a digital envelope that
-is both authenticated and encrypted using \s-1AES GCM\s0 mode.
-.IP "\(bu" 4
+is both authenticated and encrypted using AES GCM mode.
+.IP \(bu 4
\&\fBPKCS7_get_octet_string\fR\|(3) and \fBPKCS7_type_is_other\fR\|(3) were made public.
.PP
-PKCS#12 \s-1API\s0 updates
+PKCS#12 API updates
.IX Subsection "PKCS#12 API updates"
.PP
The default algorithms for pkcs12 creation with the \fBPKCS12_create()\fR function
-were changed to more modern \s-1PBKDF2\s0 and \s-1AES\s0 based algorithms. The default
-\&\s-1MAC\s0 iteration count was changed to \s-1PKCS12_DEFAULT_ITER\s0 to make it equal
+were changed to more modern PBKDF2 and AES based algorithms. The default
+MAC iteration count was changed to PKCS12_DEFAULT_ITER to make it equal
with the password-based encryption iteration count. The default digest
-algorithm for the \s-1MAC\s0 computation was changed to \s-1SHA\-256.\s0 The pkcs12
+algorithm for the MAC computation was changed to SHA\-256. The pkcs12
application now supports \-legacy option that restores the previous
default algorithms to support interoperability with legacy systems.
.PP
-Added enhanced PKCS#12 APIs which accept a library context \fB\s-1OSSL_LIB_CTX\s0\fR
+Added enhanced PKCS#12 APIs which accept a library context \fBOSSL_LIB_CTX\fR
and (where relevant) a property query. Other APIs which handle PKCS#7 and
PKCS#8 objects have also been enhanced where required. This includes:
.PP
@@ -428,31 +378,31 @@ context and property query and will call an extended version of the key/IV
derivation function which supports these parameters. This includes
\&\fBEVP_PBE_CipherInit_ex\fR\|(3), \fBEVP_PBE_find_ex\fR\|(3) and \fBEVP_PBE_scrypt_ex\fR\|(3).
.PP
-PKCS#12 \s-1KDF\s0 versus \s-1FIPS\s0
+PKCS#12 KDF versus FIPS
.IX Subsection "PKCS#12 KDF versus FIPS"
.PP
-Unlike in 1.x.y, the \s-1PKCS12KDF\s0 algorithm used when a PKCS#12 structure
-is created with a \s-1MAC\s0 that does not work with the \s-1FIPS\s0 provider as the \s-1PKCS12KDF\s0
-is not a \s-1FIPS\s0 approvable mechanism.
+Unlike in 1.x.y, the PKCS12KDF algorithm used when a PKCS#12 structure
+is created with a MAC that does not work with the FIPS provider as the PKCS12KDF
+is not a FIPS approvable mechanism.
.PP
-See \s-1\fBEVP_KDF\-PKCS12KDF\s0\fR\|(7), \fBPKCS12_create\fR\|(3), \fBopenssl\-pkcs12\fR\|(1),
-\&\s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7).
+See \fBEVP_KDF\-PKCS12KDF\fR\|(7), \fBPKCS12_create\fR\|(3), \fBopenssl\-pkcs12\fR\|(1),
+\&\fBOSSL_PROVIDER\-FIPS\fR\|(7).
.PP
Windows thread synchronization changes
.IX Subsection "Windows thread synchronization changes"
.PP
Windows thread synchronization uses read/write primitives (SRWLock) when
-supported by the \s-1OS,\s0 otherwise CriticalSection continues to be used.
+supported by the OS, otherwise CriticalSection continues to be used.
.PP
-Trace \s-1API\s0
+Trace API
.IX Subsection "Trace API"
.PP
-A new generic trace \s-1API\s0 has been added which provides support for enabling
+A new generic trace API has been added which provides support for enabling
instrumentation through trace output. This feature is mainly intended as an aid
for developers and is disabled by default. To utilize it, OpenSSL needs to be
configured with the \f(CW\*(C`enable\-trace\*(C'\fR option.
.PP
-If the tracing \s-1API\s0 is enabled, the application can activate trace output by
+If the tracing API is enabled, the application can activate trace output by
registering BIOs as trace channels for a number of tracing and debugging
categories. See \fBOSSL_trace_enabled\fR\|(3).
.PP
@@ -460,9 +410,9 @@ Key validation updates
.IX Subsection "Key validation updates"
.PP
\&\fBEVP_PKEY_public_check\fR\|(3) and \fBEVP_PKEY_param_check\fR\|(3) now work for
-more key types. This includes \s-1RSA, DSA, ED25519, X25519, ED448\s0 and X448.
+more key types. This includes RSA, DSA, ED25519, X25519, ED448 and X448.
Previously (in 1.1.1) they would return \-2. For key types that do not have
-parameters then \fBEVP_PKEY_param_check\fR\|(3) will always return 1.
+parameters \fBEVP_PKEY_param_check\fR\|(3) will always return 1.
.PP
\fIOther notable deprecations and changes\fR
.IX Subsection "Other notable deprecations and changes"
@@ -472,18 +422,18 @@ The function code part of an OpenSSL error code is no longer relevant
.PP
This code is now always set to zero. Related functions are deprecated.
.PP
-\s-1STACK\s0 and \s-1HASH\s0 macros have been cleaned up
+STACK and HASH macros have been cleaned up
.IX Subsection "STACK and HASH macros have been cleaned up"
.PP
The type-safe wrappers are declared everywhere and implemented once.
-See \s-1\fBDEFINE_STACK_OF\s0\fR\|(3) and \s-1\fBDECLARE_LHASH_OF\s0\fR\|(3).
+See \fBDEFINE_STACK_OF\fR\|(3) and \fBDEFINE_LHASH_OF_EX\fR\|(3).
.PP
-The \s-1RAND_DRBG\s0 subsystem has been removed
+The RAND_DRBG subsystem has been removed
.IX Subsection "The RAND_DRBG subsystem has been removed"
.PP
-The new \s-1\fBEVP_RAND\s0\fR\|(3) is a partial replacement: the \s-1DRBG\s0 callback framework is
-absent. The \s-1RAND_DRBG API\s0 did not fit well into the new provider concept as
-implemented by \s-1EVP_RAND\s0 and \s-1EVP_RAND_CTX.\s0
+The new \fBEVP_RAND\fR\|(3) is a partial replacement: the DRBG callback framework is
+absent. The RAND_DRBG API did not fit well into the new provider concept as
+implemented by EVP_RAND and EVP_RAND_CTX.
.PP
Removed \fBFIPS_mode()\fR and \fBFIPS_mode_set()\fR
.IX Subsection "Removed FIPS_mode() and FIPS_mode_set()"
@@ -497,54 +447,54 @@ Key generation is slower
.IX Subsection "Key generation is slower"
.PP
The Miller-Rabin test now uses 64 rounds, which is used for all prime generation,
-including \s-1RSA\s0 key generation. This affects the time for larger keys sizes.
+including RSA key generation. This affects the time for larger keys sizes.
.PP
-The default key generation method for the regular 2\-prime \s-1RSA\s0 keys was changed
-to the \s-1FIPS186\-4 B.3.6\s0 method (Generation of Probable Primes with Conditions
+The default key generation method for the regular 2\-prime RSA keys was changed
+to the FIPS186\-4 B.3.6 method (Generation of Probable Primes with Conditions
Based on Auxiliary Probable Primes). This method is slower than the original
method.
.PP
-Change \s-1PBKDF2\s0 to conform to \s-1SP800\-132\s0 instead of the older \s-1PKCS5 RFC2898\s0
+Change PBKDF2 to conform to SP800\-132 instead of the older PKCS5 RFC2898
.IX Subsection "Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898"
.PP
This checks that the salt length is at least 128 bits, the derived key length is
at least 112 bits, and that the iteration count is at least 1000.
For backwards compatibility these checks are disabled by default in the
-default provider, but are enabled by default in the \s-1FIPS\s0 provider.
+default provider, but are enabled by default in the FIPS provider.
.PP
-To enable or disable the checks see \fB\s-1OSSL_KDF_PARAM_PKCS5\s0\fR in
-\&\s-1\fBEVP_KDF\-PBKDF2\s0\fR\|(7). The parameter can be set using \fBEVP_KDF_derive\fR\|(3).
+To enable or disable the checks see \fBOSSL_KDF_PARAM_PKCS5\fR in
+\&\fBEVP_KDF\-PBKDF2\fR\|(7). The parameter can be set using \fBEVP_KDF_derive\fR\|(3).
.PP
-Enforce a minimum \s-1DH\s0 modulus size of 512 bits
+Enforce a minimum DH modulus size of 512 bits
.IX Subsection "Enforce a minimum DH modulus size of 512 bits"
.PP
Smaller sizes now result in an error.
.PP
-\s-1SM2\s0 key changes
+SM2 key changes
.IX Subsection "SM2 key changes"
.PP
-\&\s-1EC\s0 EVP_PKEYs with the \s-1SM2\s0 curve have been reworked to automatically become
-\&\s-1EVP_PKEY_SM2\s0 rather than \s-1EVP_PKEY_EC.\s0
+EC EVP_PKEYs with the SM2 curve have been reworked to automatically become
+EVP_PKEY_SM2 rather than EVP_PKEY_EC.
.PP
Unlike in previous OpenSSL versions, this means that applications cannot
-call \f(CW\*(C`EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)\*(C'\fR to get \s-1SM2\s0 computations.
+call \fBEVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)\fR to get SM2 computations.
.PP
Parameter and key generation is also reworked to make it possible
-to generate \s-1EVP_PKEY_SM2\s0 parameters and keys. Applications must now generate
-\&\s-1SM2\s0 keys directly and must not create an \s-1EVP_PKEY_EC\s0 key first. It is no longer
-possible to import an \s-1SM2\s0 key with domain parameters other than the \s-1SM2\s0 elliptic
+to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
+SM2 keys directly and must not create an EVP_PKEY_EC key first. It is no longer
+possible to import an SM2 key with domain parameters other than the SM2 elliptic
curve ones.
.PP
-Validation of \s-1SM2\s0 keys has been separated from the validation of regular \s-1EC\s0
-keys, allowing to improve the \s-1SM2\s0 validation process to reject loaded private
-keys that are not conforming to the \s-1SM2 ISO\s0 standard.
+Validation of SM2 keys has been separated from the validation of regular EC
+keys, allowing to improve the SM2 validation process to reject loaded private
+keys that are not conforming to the SM2 ISO standard.
In particular, a private scalar \fIk\fR outside the range \fI1 <= k < n\-1\fR is
now correctly rejected.
.PP
\fBEVP_PKEY_set_alias_type()\fR method has been removed
.IX Subsection "EVP_PKEY_set_alias_type() method has been removed"
.PP
-This function made a \fB\s-1EVP_PKEY\s0\fR object mutable after it had been set up. In
+This function made a \fBEVP_PKEY\fR object mutable after it had been set up. In
OpenSSL 3.0 it was decided that a provided key should not be able to change its
type, so this function has been removed.
.PP
@@ -555,10 +505,10 @@ Functions such as \fBEVP_PKEY_get0_RSA\fR\|(3) behave slightly differently in
OpenSSL 3.0. Previously they returned a pointer to the low-level key used
internally by libcrypto. From OpenSSL 3.0 this key may now be held in a
provider. Calling these functions will only return a handle on the internal key
-where the \s-1EVP_PKEY\s0 was constructed using this key in the first place, for
+where the EVP_PKEY was constructed using this key in the first place, for
example using a function or macro such as \fBEVP_PKEY_assign_RSA\fR\|(3),
\&\fBEVP_PKEY_set1_RSA\fR\|(3), etc.
-Where the \s-1EVP_PKEY\s0 holds a provider managed key, then these functions now return
+Where the EVP_PKEY holds a provider managed key, then these functions now return
a cached copy of the key. Changes to the internal provider key that take place
after the first time the cached key is accessed will not be reflected back in
the cached copy. Similarly any changes made to the cached copy by application
@@ -573,7 +523,7 @@ to refactor the code to avoid the use of these deprecated functions. Failing
this the code should be modified to use a const pointer instead.
The \fBEVP_PKEY_get1_RSA\fR\|(3), \fBEVP_PKEY_get1_DSA\fR\|(3), \fBEVP_PKEY_get1_EC_KEY\fR\|(3)
and \fBEVP_PKEY_get1_DH\fR\|(3) functions continue to return a non-const pointer to
-enable them to be \*(L"freed\*(R". However they should also be treated as read-only.
+enable them to be "freed". However they should also be treated as read-only.
.PP
The public key check has moved from \fBEVP_PKEY_derive()\fR to \fBEVP_PKEY_derive_set_peer()\fR
.IX Subsection "The public key check has moved from EVP_PKEY_derive() to EVP_PKEY_derive_set_peer()"
@@ -585,7 +535,7 @@ To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0).
The print format has cosmetic changes for some functions
.IX Subsection "The print format has cosmetic changes for some functions"
.PP
-The output from numerous \*(L"printing\*(R" functions such as \fBX509_signature_print\fR\|(3),
+The output from numerous "printing" functions such as \fBX509_signature_print\fR\|(3),
\&\fBX509_print_ex\fR\|(3), \fBX509_CRL_print_ex\fR\|(3), and other similar functions has been
amended such that there may be cosmetic differences between the output
observed in 1.1.1 and 3.0. This also applies to the \fB\-text\fR output from the
@@ -602,19 +552,19 @@ The error return values from some control calls (ctrl) have changed
One significant change is that controls which used to return \-2 for
invalid inputs, now return \-1 indicating a generic error condition instead.
.PP
-\s-1DH\s0 and \s-1DHX\s0 key types have different settable parameters
+DH and DHX key types have different settable parameters
.IX Subsection "DH and DHX key types have different settable parameters"
.PP
Previously (in 1.1.1) these conflicting parameters were allowed, but will now
-result in errors. See \s-1\fBEVP_PKEY\-DH\s0\fR\|(7) for further details. This affects the
-behaviour of \fBopenssl\-genpkey\fR\|(1) for \s-1DH\s0 parameter generation.
+result in errors. See \fBEVP_PKEY\-DH\fR\|(7) for further details. This affects the
+behaviour of \fBopenssl\-genpkey\fR\|(1) for DH parameter generation.
.PP
\fBEVP_CIPHER_CTX_set_flags()\fR ordering change
.IX Subsection "EVP_CIPHER_CTX_set_flags() ordering change"
.PP
-If using a cipher from a provider the \fB\s-1EVP_CIPH_FLAG_LENGTH_BITS\s0\fR flag can only
+If using a cipher from a provider the \fBEVP_CIPH_FLAG_LENGTH_BITS\fR flag can only
be set \fBafter\fR the cipher has been assigned to the cipher context.
-See \*(L"\s-1FLAGS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3) for more information.
+See "FLAGS" in \fBEVP_EncryptInit\fR\|(3) for more information.
.PP
Validation of operation context parameters
.IX Subsection "Validation of operation context parameters"
@@ -626,28 +576,28 @@ when an operation parameter was set.
.PP
For example when setting an unsupported curve with
\&\fBEVP_PKEY_CTX_set_ec_paramgen_curve_nid()\fR this function call will not fail
-but later keygen operations with the \s-1EVP_PKEY_CTX\s0 will fail.
+but later keygen operations with the EVP_PKEY_CTX will fail.
.PP
Removal of function code from the error codes
.IX Subsection "Removal of function code from the error codes"
.PP
The function code part of the error code is now always set to 0. For that
-reason the \s-1\fBERR_GET_FUNC\s0()\fR macro was removed. Applications must resolve
+reason the \fBERR_GET_FUNC()\fR macro was removed. Applications must resolve
the error codes only using the library number and the reason code.
.PP
-ChaCha20\-Poly1305 cipher does not allow a truncated \s-1IV\s0 length to be used
+ChaCha20\-Poly1305 cipher does not allow a truncated IV length to be used
.IX Subsection "ChaCha20-Poly1305 cipher does not allow a truncated IV length to be used"
.PP
-In OpenSSL 3.0 setting the \s-1IV\s0 length to any value other than 12 will result in an
+In OpenSSL 3.0 setting the IV length to any value other than 12 will result in an
error.
Prior to OpenSSL 3.0 the ivlen could be smaller that the required 12 byte length,
-using EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CRTL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0). This resulted
-in an \s-1IV\s0 that had leading zero padding.
+using EVP_CIPHER_CTX_ctrl(ctx, EVP_CRTL_AEAD_SET_IVLEN, ivlen, NULL). This resulted
+in an IV that had leading zero padding.
.SS "Installation and Compilation"
.IX Subsection "Installation and Compilation"
-Please refer to the \s-1INSTALL\s0.md file in the top of the distribution for
+Please refer to the INSTALL.md file in the top of the distribution for
instructions on how to build and install OpenSSL 3.0. Please also refer to the
-various platform specific \s-1NOTES\s0 files for your specific platform.
+various platform specific NOTES files for your specific platform.
.SS "Upgrading from OpenSSL 1.1.1"
.IX Subsection "Upgrading from OpenSSL 1.1.1"
Upgrading to OpenSSL 3.0 from OpenSSL 1.1.1 should be relatively straight
@@ -655,11 +605,11 @@ forward in most cases. The most likely area where you will encounter problems
is if you have used low level APIs in your code (as discussed above). In that
case you are likely to start seeing deprecation warnings when compiling your
application. If this happens you have 3 options:
-.IP "1." 4
+.IP 1. 4
Ignore the warnings. They are just warnings. The deprecated functions are still present and you may still use them. However be aware that they may be removed from a future version of OpenSSL.
-.IP "2." 4
+.IP 2. 4
Suppress the warnings. Refer to your compiler documentation on how to do this.
-.IP "3." 4
+.IP 3. 4
Remove your usage of the low level APIs. In this case you will need to rewrite your code to use the high level APIs instead
.PP
\fIError code changes\fR
@@ -678,21 +628,21 @@ There may be more cases to treat specially, depending on the calling application
.IX Subsection "Upgrading from OpenSSL 1.0.2"
Upgrading to OpenSSL 3.0 from OpenSSL 1.0.2 is likely to be significantly more
difficult. In addition to the issues discussed above in the section about
-\&\*(L"Upgrading from OpenSSL 1.1.1\*(R", the main things to be aware of are:
-.IP "1." 4
+"Upgrading from OpenSSL 1.1.1", the main things to be aware of are:
+.IP 1. 4
The build and installation procedure has changed significantly.
.Sp
-Check the file \s-1INSTALL\s0.md in the top of the installation for instructions on how
-to build and install OpenSSL for your platform. Also read the various \s-1NOTES\s0
+Check the file INSTALL.md in the top of the installation for instructions on how
+to build and install OpenSSL for your platform. Also read the various NOTES
files in the same directory, as applicable for your platform.
-.IP "2." 4
+.IP 2. 4
Many structures have been made opaque in OpenSSL 3.0.
.Sp
The structure definitions have been removed from the public header files and
moved to internal header files. In practice this means that you can no longer
stack allocate some structures. Instead they must be heap allocated through some
function call (typically those function names have a \f(CW\*(C`_new\*(C'\fR suffix to them).
-Additionally you must use \*(L"setter\*(R" or \*(L"getter\*(R" functions to access the fields
+Additionally you must use "setter" or "getter" functions to access the fields
within those structures.
.Sp
For example code that previously looked like this:
@@ -714,40 +664,40 @@ The code needs to be amended to look like this:
\& ...
\& EVP_MD_CTX_free(md_ctx);
.Ve
-.IP "3." 4
+.IP 3. 4
Support for TLSv1.3 has been added.
.Sp
-This has a number of implications for \s-1SSL/TLS\s0 applications. See the
-\&\s-1TLS1.3\s0 page <https://wiki.openssl.org/index.php/TLS1.3> for further details.
+This has a number of implications for SSL/TLS applications. See the
+TLS1.3 page <https://github.com/openssl/openssl/wiki/TLS1.3> for further details.
.PP
More details about the breaking changes between OpenSSL versions 1.0.2 and 1.1.0
can be found on the
-OpenSSL 1.1.0 Changes page <https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes>.
+OpenSSL 1.1.0 Changes page <https://github.com/openssl/openssl/wiki/OpenSSL_1.1.0_Changes>.
.PP
-\fIUpgrading from the OpenSSL 2.0 \s-1FIPS\s0 Object Module\fR
+\fIUpgrading from the OpenSSL 2.0 FIPS Object Module\fR
.IX Subsection "Upgrading from the OpenSSL 2.0 FIPS Object Module"
.PP
-The OpenSSL 2.0 \s-1FIPS\s0 Object Module was a separate download that had to be built
+The OpenSSL 2.0 FIPS Object Module was a separate download that had to be built
separately and then integrated into your main OpenSSL 1.0.2 build.
-In OpenSSL 3.0 the \s-1FIPS\s0 support is fully integrated into the mainline version of
+In OpenSSL 3.0 the FIPS support is fully integrated into the mainline version of
OpenSSL and is no longer a separate download. For further information see
-\&\*(L"Completing the installation of the \s-1FIPS\s0 Module\*(R".
+"Completing the installation of the FIPS Module".
.PP
The function calls \fBFIPS_mode()\fR and \fBFIPS_mode_set()\fR have been removed
from OpenSSL 3.0. You should rewrite your application to not use them.
-See \fBfips_module\fR\|(7) and \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7) for details.
-.SS "Completing the installation of the \s-1FIPS\s0 Module"
+See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details.
+.SS "Completing the installation of the FIPS Module"
.IX Subsection "Completing the installation of the FIPS Module"
-The \s-1FIPS\s0 Module will be built and installed automatically if \s-1FIPS\s0 support has
+The FIPS Module will be built and installed automatically if FIPS support has
been configured. The current documentation can be found in the
README-FIPS <https://github.com/openssl/openssl/blob/master/README-FIPS.md> file.
-.SS "Programming"
+.SS Programming
.IX Subsection "Programming"
Applications written to work with OpenSSL 1.1.1 will mostly just work with
OpenSSL 3.0. However changes will be required if you want to take advantage of
some of the new features that OpenSSL 3.0 makes available. In order to do that
you need to understand some new concepts introduced in OpenSSL 3.0.
-Read \*(L"Library contexts\*(R" in \fBcrypto\fR\|(7) for further information.
+Read "Library contexts" in \fBcrypto\fR\|(7) for further information.
.PP
\fILibrary Context\fR
.IX Subsection "Library Context"
@@ -755,9 +705,9 @@ Read \*(L"Library contexts\*(R" in \fBcrypto\fR\|(7) for further information.
A library context allows different components of a complex application to each
use a different library context and have different providers loaded with
different configuration settings.
-See \*(L"Library contexts\*(R" in \fBcrypto\fR\|(7) for further info.
+See "Library contexts" in \fBcrypto\fR\|(7) for further info.
.PP
-If the user creates an \fB\s-1OSSL_LIB_CTX\s0\fR via \fBOSSL_LIB_CTX_new\fR\|(3) then many
+If the user creates an \fBOSSL_LIB_CTX\fR via \fBOSSL_LIB_CTX_new\fR\|(3) then many
functions may need to be changed to pass additional parameters to handle the
library context.
.PP
@@ -765,121 +715,121 @@ Using a Library Context \- Old functions that should be changed
.IX Subsection "Using a Library Context - Old functions that should be changed"
.PP
If a library context is needed then all EVP_* digest functions that return a
-\&\fBconst \s-1EVP_MD\s0 *\fR such as \fBEVP_sha256()\fR should be replaced with a call to
-\&\fBEVP_MD_fetch\fR\|(3). See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7).
+\&\fBconst EVP_MD *\fR such as \fBEVP_sha256()\fR should be replaced with a call to
+\&\fBEVP_MD_fetch\fR\|(3). See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
.PP
If a library context is needed then all EVP_* cipher functions that return a
-\&\fBconst \s-1EVP_CIPHER\s0 *\fR such as \fBEVP_aes_128_cbc()\fR should be replaced vith a call to
-\&\fBEVP_CIPHER_fetch\fR\|(3). See \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7).
+\&\fBconst EVP_CIPHER *\fR such as \fBEVP_aes_128_cbc()\fR should be replaced vith a call to
+\&\fBEVP_CIPHER_fetch\fR\|(3). See "ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
.PP
Some functions can be passed an object that has already been set up with a library
context such as \fBd2i_X509\fR\|(3), \fBd2i_X509_CRL\fR\|(3), \fBd2i_X509_REQ\fR\|(3) and
-\&\fBd2i_X509_PUBKEY\fR\|(3). If \s-1NULL\s0 is passed instead then the created object will be
+\&\fBd2i_X509_PUBKEY\fR\|(3). If NULL is passed instead then the created object will be
set up with the default library context. Use \fBX509_new_ex\fR\|(3),
\&\fBX509_CRL_new_ex\fR\|(3), \fBX509_REQ_new_ex\fR\|(3) and \fBX509_PUBKEY_new_ex\fR\|(3) if a
library context is required.
.PP
-All functions listed below with a \fI\s-1NAME\s0\fR have a replacement function \fINAME_ex\fR
-that takes \fB\s-1OSSL_LIB_CTX\s0\fR as an additional argument. Functions that have other
+All functions listed below with a \fINAME\fR have a replacement function \fINAME_ex\fR
+that takes \fBOSSL_LIB_CTX\fR as an additional argument. Functions that have other
mappings are listed along with the respective name.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBASN1_item_new\fR\|(3), \fBASN1_item_d2i\fR\|(3), \fBASN1_item_d2i_fp\fR\|(3),
\&\fBASN1_item_d2i_bio\fR\|(3), \fBASN1_item_sign\fR\|(3) and \fBASN1_item_verify\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBIO_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBb2i_RSA_PVK_bio()\fR and \fBi2b_PVK_bio()\fR
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBN_CTX_new\fR\|(3) and \fBBN_CTX_secure_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBCMS_AuthEnvelopedData_create\fR\|(3), \fBCMS_ContentInfo_new\fR\|(3), \fBCMS_data_create\fR\|(3),
\&\fBCMS_digest_create\fR\|(3), \fBCMS_EncryptedData_encrypt\fR\|(3), \fBCMS_encrypt\fR\|(3),
\&\fBCMS_EnvelopedData_create\fR\|(3), \fBCMS_ReceiptRequest_create0\fR\|(3) and \fBCMS_sign\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBCONF_modules_load_file\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBCTLOG_new\fR\|(3), \fBCTLOG_new_from_base64\fR\|(3) and \fBCTLOG_STORE_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBCT_POLICY_EVAL_CTX_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBd2i_AutoPrivateKey\fR\|(3), \fBd2i_PrivateKey\fR\|(3) and \fBd2i_PUBKEY\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBd2i_PrivateKey_bio\fR\|(3) and \fBd2i_PrivateKey_fp\fR\|(3)
.Sp
Use \fBd2i_PrivateKey_ex_bio\fR\|(3) and \fBd2i_PrivateKey_ex_fp\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_GROUP_new\fR\|(3)
.Sp
Use \fBEC_GROUP_new_by_curve_name_ex\fR\|(3) or \fBEC_GROUP_new_from_params\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_DigestSignInit\fR\|(3) and \fBEVP_DigestVerifyInit\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PBE_CipherInit\fR\|(3), \fBEVP_PBE_find\fR\|(3) and \fBEVP_PBE_scrypt\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS5_PBE_keyivgen\fR\|(3)
-.IP "\(bu" 4
-\&\s-1\fBEVP_PKCS82PKEY\s0\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
+\&\fBEVP_PKCS82PKEY\fR\|(3)
+.IP \(bu 4
\&\fBEVP_PKEY_CTX_new_id\fR\|(3)
.Sp
Use \fBEVP_PKEY_CTX_new_from_name\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_derive_set_peer\fR\|(3), \fBEVP_PKEY_new_raw_private_key\fR\|(3)
and \fBEVP_PKEY_new_raw_public_key\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_SignFinal\fR\|(3) and \fBEVP_VerifyFinal\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBNCONF_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOCSP_RESPID_match\fR\|(3) and \fBOCSP_RESPID_set_by_key\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOPENSSL_thread_stop\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_STORE_open\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPEM_read_bio_Parameters\fR\|(3), \fBPEM_read_bio_PrivateKey\fR\|(3), \fBPEM_read_bio_PUBKEY\fR\|(3),
\&\fBPEM_read_PrivateKey\fR\|(3) and \fBPEM_read_PUBKEY\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPEM_write_bio_PrivateKey\fR\|(3), \fBPEM_write_bio_PUBKEY\fR\|(3), \fBPEM_write_PrivateKey\fR\|(3)
and \fBPEM_write_PUBKEY\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPEM_X509_INFO_read_bio\fR\|(3) and \fBPEM_X509_INFO_read\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS12_add_key\fR\|(3), \fBPKCS12_add_safe\fR\|(3), \fBPKCS12_add_safes\fR\|(3),
\&\fBPKCS12_create\fR\|(3), \fBPKCS12_decrypt_skey\fR\|(3), \fBPKCS12_init\fR\|(3), \fBPKCS12_item_decrypt_d2i\fR\|(3),
\&\fBPKCS12_item_i2d_encrypt\fR\|(3), \fBPKCS12_key_gen_asc\fR\|(3), \fBPKCS12_key_gen_uni\fR\|(3),
\&\fBPKCS12_key_gen_utf8\fR\|(3), \fBPKCS12_pack_p7encdata\fR\|(3), \fBPKCS12_pbe_crypt\fR\|(3),
\&\fBPKCS12_PBE_keyivgen\fR\|(3), \fBPKCS12_SAFEBAG_create_pkcs8_encrypt\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS5_pbe_set0_algor\fR\|(3), \fBPKCS5_pbe_set\fR\|(3), \fBPKCS5_pbe2_set_iv\fR\|(3),
\&\fBPKCS5_pbkdf2_set\fR\|(3) and \fBPKCS5_v2_scrypt_keyivgen\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS7_encrypt\fR\|(3), \fBPKCS7_new\fR\|(3) and \fBPKCS7_sign\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPKCS8_decrypt\fR\|(3), \fBPKCS8_encrypt\fR\|(3) and \fBPKCS8_set0_pbe\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBSMIME_write_ASN1\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBSSL_load_client_CA_file\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBSSL_CTX_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBTS_RESP_CTX_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_CRL_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_load_cert_crl_file\fR\|(3) and \fBX509_load_cert_file\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_LOOKUP_by_subject\fR\|(3) and \fBX509_LOOKUP_ctrl\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_NAME_hash\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_REQ_new\fR\|(3) and \fBX509_REQ_verify\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_STORE_CTX_new\fR\|(3), \fBX509_STORE_set_default_paths\fR\|(3), \fBX509_STORE_load_file\fR\|(3),
\&\fBX509_STORE_load_locations\fR\|(3) and \fBX509_STORE_load_store\fR\|(3)
.PP
@@ -887,110 +837,110 @@ New functions that use a Library context
.IX Subsection "New functions that use a Library context"
.PP
The following functions can be passed a library context if required.
-Passing \s-1NULL\s0 will use the default library context.
-.IP "\(bu" 4
+Passing NULL will use the default library context.
+.IP \(bu 4
\&\fBBIO_new_from_core_bio\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_ASYM_CIPHER_fetch\fR\|(3) and \fBEVP_ASYM_CIPHER_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_CIPHER_fetch\fR\|(3) and \fBEVP_CIPHER_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_default_properties_enable_fips\fR\|(3) and
\&\fBEVP_default_properties_is_fips_enabled\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_KDF_fetch\fR\|(3) and \fBEVP_KDF_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_KEM_fetch\fR\|(3) and \fBEVP_KEM_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_KEYEXCH_fetch\fR\|(3) and \fBEVP_KEYEXCH_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_KEYMGMT_fetch\fR\|(3) and \fBEVP_KEYMGMT_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_MAC_fetch\fR\|(3) and \fBEVP_MAC_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_MD_fetch\fR\|(3) and \fBEVP_MD_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_CTX_new_from_pkey\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_Q_keygen\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_Q_mac\fR\|(3) and \fBEVP_Q_digest\fR\|(3)
-.IP "\(bu" 4
-\&\s-1\fBEVP_RAND\s0\fR\|(3) and \fBEVP_RAND_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
+\&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND_do_all_provided\fR\|(3)
+.IP \(bu 4
\&\fBEVP_set_default_properties\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_SIGNATURE_fetch\fR\|(3) and \fBEVP_SIGNATURE_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_CMP_CTX_new\fR\|(3) and \fBOSSL_CMP_SRV_CTX_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_CRMF_ENCRYPTEDVALUE_get1_encCert\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_CRMF_MSG_create_popo\fR\|(3) and \fBOSSL_CRMF_MSGS_verify_popo\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_CRMF_pbm_new\fR\|(3) and \fBOSSL_CRMF_pbmp_new\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_DECODER_CTX_add_extra\fR\|(3) and \fBOSSL_DECODER_CTX_new_for_pkey\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_DECODER_fetch\fR\|(3) and \fBOSSL_DECODER_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_ENCODER_CTX_add_extra\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_ENCODER_fetch\fR\|(3) and \fBOSSL_ENCODER_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_LIB_CTX_free\fR\|(3), \fBOSSL_LIB_CTX_load_config\fR\|(3) and \fBOSSL_LIB_CTX_set0_default\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_PROVIDER_add_builtin\fR\|(3), \fBOSSL_PROVIDER_available\fR\|(3),
\&\fBOSSL_PROVIDER_do_all\fR\|(3), \fBOSSL_PROVIDER_load\fR\|(3),
\&\fBOSSL_PROVIDER_set_default_search_path\fR\|(3) and \fBOSSL_PROVIDER_try_load\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_SELF_TEST_get_callback\fR\|(3) and \fBOSSL_SELF_TEST_set_callback\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_STORE_attach\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_STORE_LOADER_fetch\fR\|(3) and \fBOSSL_STORE_LOADER_do_all_provided\fR\|(3)
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBRAND_get0_primary\fR\|(3), \fBRAND_get0_private\fR\|(3), \fBRAND_get0_public\fR\|(3),
\&\fBRAND_set_DRBG_type\fR\|(3) and \fBRAND_set_seed_source_type\fR\|(3)
.PP
\fIProviders\fR
.IX Subsection "Providers"
.PP
-Providers are described in detail here \*(L"Providers\*(R" in \fBcrypto\fR\|(7).
-See also \*(L"\s-1OPENSSL PROVIDERS\*(R"\s0 in \fBcrypto\fR\|(7).
+Providers are described in detail here "Providers" in \fBcrypto\fR\|(7).
+See also "OPENSSL PROVIDERS" in \fBcrypto\fR\|(7).
.PP
\fIFetching algorithms and property queries\fR
.IX Subsection "Fetching algorithms and property queries"
.PP
Implicit and Explicit Fetching is described in detail here
-\&\*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7).
+"ALGORITHM FETCHING" in \fBcrypto\fR\|(7).
.PP
-\fIMapping \s-1EVP\s0 controls and flags to provider \s-1\f(BIOSSL_PARAM\s0\fI\|(3) parameters\fR
+\fIMapping EVP controls and flags to provider \fR\f(BIOSSL_PARAM\fR\fI\|(3) parameters\fR
.IX Subsection "Mapping EVP controls and flags to provider OSSL_PARAM parameters"
.PP
The existing functions for controls (such as \fBEVP_CIPHER_CTX_ctrl\fR\|(3)) and
manipulating flags (such as \fBEVP_MD_CTX_set_flags\fR\|(3))internally use
-\&\fB\s-1OSSL_PARAMS\s0\fR to pass information to/from provider objects.
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for additional information related to parameters.
+\&\fBOSSL_PARAMS\fR to pass information to/from provider objects.
+See \fBOSSL_PARAM\fR\|(3) for additional information related to parameters.
.PP
-For ciphers see \*(L"\s-1CONTROLS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3), \*(L"\s-1FLAGS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3) and
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+For ciphers see "CONTROLS" in \fBEVP_EncryptInit\fR\|(3), "FLAGS" in \fBEVP_EncryptInit\fR\|(3) and
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
.PP
-For digests see \*(L"\s-1CONTROLS\*(R"\s0 in \fBEVP_DigestInit\fR\|(3), \*(L"\s-1FLAGS\*(R"\s0 in \fBEVP_DigestInit\fR\|(3) and
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_DigestInit\fR\|(3).
+For digests see "CONTROLS" in \fBEVP_DigestInit\fR\|(3), "FLAGS" in \fBEVP_DigestInit\fR\|(3) and
+"PARAMETERS" in \fBEVP_DigestInit\fR\|(3).
.PP
\fIDeprecation of Low Level Functions\fR
.IX Subsection "Deprecation of Low Level Functions"
.PP
A significant number of APIs have been deprecated in OpenSSL 3.0.
This section describes some common categories of deprecations.
-See \*(L"Deprecated function mappings\*(R" for the list of deprecated functions
+See "Deprecated function mappings" for the list of deprecated functions
that refer to these categories.
.PP
Providers are a replacement for engines and low-level method overrides
.IX Subsection "Providers are a replacement for engines and low-level method overrides"
.PP
-Any accessor that uses an \s-1ENGINE\s0 is deprecated (such as \fBEVP_PKEY_set1_engine()\fR).
+Any accessor that uses an ENGINE is deprecated (such as \fBEVP_PKEY_set1_engine()\fR).
Applications using engines should instead use providers.
.PP
Before providers were added algorithms were overridden by changing the methods
@@ -1001,30 +951,40 @@ Deprecated i2d and d2i functions for low-level key types
.IX Subsection "Deprecated i2d and d2i functions for low-level key types"
.PP
Any i2d and d2i functions such as \fBd2i_DHparams()\fR that take a low-level key type
-have been deprecated. Applications should instead use the \s-1\fBOSSL_DECODER\s0\fR\|(3) and
-\&\s-1\fBOSSL_ENCODER\s0\fR\|(3) APIs to read and write files.
-See \*(L"Migration\*(R" in \fBd2i_RSAPrivateKey\fR\|(3) for further details.
+have been deprecated. Applications should instead use the \fBOSSL_DECODER\fR\|(3) and
+\&\fBOSSL_ENCODER\fR\|(3) APIs to read and write files.
+See "Migration" in \fBd2i_RSAPrivateKey\fR\|(3) for further details.
.PP
Deprecated low-level key object getters and setters
.IX Subsection "Deprecated low-level key object getters and setters"
.PP
Applications that set or get low-level key objects (such as \fBEVP_PKEY_set1_DH()\fR
-or \fBEVP_PKEY_get0()\fR) should instead use the \s-1OSSL_ENCODER\s0
-(See \fBOSSL_ENCODER_to_bio\fR\|(3)) or \s-1OSSL_DECODER\s0 (See \fBOSSL_DECODER_from_bio\fR\|(3))
+or \fBEVP_PKEY_get0()\fR) should instead use the OSSL_ENCODER
+(See \fBOSSL_ENCODER_to_bio\fR\|(3)) or OSSL_DECODER (See \fBOSSL_DECODER_from_bio\fR\|(3))
APIs, or alternatively use \fBEVP_PKEY_fromdata\fR\|(3) or \fBEVP_PKEY_todata\fR\|(3).
.PP
Deprecated low-level key parameter getters
.IX Subsection "Deprecated low-level key parameter getters"
.PP
Functions that access low-level objects directly such as \fBRSA_get0_n\fR\|(3) are now
-deprecated. Applications should use one of \fBEVP_PKEY_get_bn_param\fR\|(3),
-\&\fBEVP_PKEY_get_int_param\fR\|(3), l<\fBEVP_PKEY_get_size_t_param\fR\|(3)>,
-\&\fBEVP_PKEY_get_utf8_string_param\fR\|(3), \fBEVP_PKEY_get_octet_string_param\fR\|(3) or
-\&\fBEVP_PKEY_get_params\fR\|(3) to access fields from an \s-1EVP_PKEY.\s0
-Gettable parameters are listed in \*(L"Common \s-1RSA\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7),
-\&\*(L"\s-1DH\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7), \*(L"\s-1DSA\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7),
-\&\*(L"\s-1FFC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-FFC\s0\fR\|(7), \*(L"Common \s-1EC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7) and
-\&\*(L"Common X25519, X448, \s-1ED25519\s0 and \s-1ED448\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7).
+deprecated. Applications should use one of:
+\&\fBEVP_PKEY_get_bn_param\fR\|(3),
+\&\fBEVP_PKEY_get_int_param\fR\|(3),
+\&\fBEVP_PKEY_get_size_t_param\fR\|(3),
+\&\fBEVP_PKEY_get_utf8_string_param\fR\|(3),
+\&\fBEVP_PKEY_get_octet_string_param\fR\|(3), or
+\&\fBEVP_PKEY_get_params\fR\|(3),
+to access fields from an EVP_PKEY.
+Gettable parameters are listed in:
+"Common RSA parameters" in \fBEVP_PKEY\-RSA\fR\|(7),
+"Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7),
+"DSA parameters" in \fBEVP_PKEY\-DSA\fR\|(7),
+"DH parameters" in \fBEVP_PKEY\-DH\fR\|(7),
+"FFC parameters" in \fBEVP_PKEY\-FFC\fR\|(7),
+"Common X25519, X448, ED25519 and ED448 parameters" in \fBEVP_PKEY\-X25519\fR\|(7),
+"Common parameters" in \fBEVP_PKEY\-ML\-DSA\fR\|(7),
+and
+"Common parameters" in \fBEVP_PKEY\-ML\-KEM\fR\|(7).
Applications may also use \fBEVP_PKEY_todata\fR\|(3) to return all fields.
.PP
Deprecated low-level key parameter setters
@@ -1035,8 +995,8 @@ are now deprecated. Applications should use \fBEVP_PKEY_fromdata\fR\|(3) to crea
new keys from user provided key data. Keys should be immutable once they are
created, so if required the user may use \fBEVP_PKEY_todata\fR\|(3), \fBOSSL_PARAM_merge\fR\|(3),
and \fBEVP_PKEY_fromdata\fR\|(3) to create a modified key.
-See \*(L"Examples\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7) for more information.
-See \*(L"Deprecated low-level key generation functions\*(R" for information on
+See "Examples" in \fBEVP_PKEY\-DH\fR\|(7) for more information.
+See "Deprecated low-level key generation functions" for information on
generating a key using parameters.
.PP
Deprecated low-level object creation
@@ -1044,21 +1004,21 @@ Deprecated low-level object creation
.PP
Low-level objects were created using methods such as \fBRSA_new\fR\|(3),
\&\fBRSA_up_ref\fR\|(3) and \fBRSA_free\fR\|(3). Applications should instead use the
-high-level \s-1EVP_PKEY\s0 APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and
+high-level EVP_PKEY APIs, e.g. \fBEVP_PKEY_new\fR\|(3), \fBEVP_PKEY_up_ref\fR\|(3) and
\&\fBEVP_PKEY_free\fR\|(3).
See also \fBEVP_PKEY_CTX_new_from_name\fR\|(3) and \fBEVP_PKEY_CTX_new_from_pkey\fR\|(3).
.PP
EVP_PKEYs may be created in a variety of ways:
-See also \*(L"Deprecated low-level key generation functions\*(R",
-\&\*(L"Deprecated low-level key reading and writing functions\*(R" and
-\&\*(L"Deprecated low-level key parameter setters\*(R".
+See also "Deprecated low-level key generation functions",
+"Deprecated low-level key reading and writing functions" and
+"Deprecated low-level key parameter setters".
.PP
Deprecated low-level encryption functions
.IX Subsection "Deprecated low-level encryption functions"
.PP
Low-level encryption functions such as \fBAES_encrypt\fR\|(3) and \fBAES_decrypt\fR\|(3)
have been informally discouraged from use for a long time. Applications should
-instead use the high level \s-1EVP\s0 APIs \fBEVP_EncryptInit_ex\fR\|(3),
+instead use the high level EVP APIs \fBEVP_EncryptInit_ex\fR\|(3),
\&\fBEVP_EncryptUpdate\fR\|(3), and \fBEVP_EncryptFinal_ex\fR\|(3) or
\&\fBEVP_DecryptInit_ex\fR\|(3), \fBEVP_DecryptUpdate\fR\|(3) and \fBEVP_DecryptFinal_ex\fR\|(3).
.PP
@@ -1067,11 +1027,11 @@ Deprecated low-level digest functions
.PP
Use of low-level digest functions such as \fBSHA1_Init\fR\|(3) have been
informally discouraged from use for a long time. Applications should instead
-use the the high level \s-1EVP\s0 APIs \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
+use the high level EVP APIs \fBEVP_DigestInit_ex\fR\|(3), \fBEVP_DigestUpdate\fR\|(3)
and \fBEVP_DigestFinal_ex\fR\|(3), or the quick one-shot \fBEVP_Q_digest\fR\|(3).
.PP
-Note that the functions \s-1\fBSHA1\s0\fR\|(3), \s-1\fBSHA224\s0\fR\|(3), \s-1\fBSHA256\s0\fR\|(3), \s-1\fBSHA384\s0\fR\|(3)
-and \s-1\fBSHA512\s0\fR\|(3) have changed to macros that use \fBEVP_Q_digest\fR\|(3).
+Note that the functions \fBSHA1\fR\|(3), \fBSHA224\fR\|(3), \fBSHA256\fR\|(3), \fBSHA384\fR\|(3)
+and \fBSHA512\fR\|(3) have changed to macros that use \fBEVP_Q_digest\fR\|(3).
.PP
Deprecated low-level signing functions
.IX Subsection "Deprecated low-level signing functions"
@@ -1079,30 +1039,30 @@ Deprecated low-level signing functions
Use of low-level signing functions such as \fBDSA_sign\fR\|(3) have been
informally discouraged for a long time. Instead applications should use
\&\fBEVP_DigestSign\fR\|(3) and \fBEVP_DigestVerify\fR\|(3).
-See also \s-1\fBEVP_SIGNATURE\-RSA\s0\fR\|(7), \s-1\fBEVP_SIGNATURE\-DSA\s0\fR\|(7),
-\&\s-1\fBEVP_SIGNATURE\-ECDSA\s0\fR\|(7) and \s-1\fBEVP_SIGNATURE\-ED25519\s0\fR\|(7).
+See also \fBEVP_SIGNATURE\-RSA\fR\|(7), \fBEVP_SIGNATURE\-DSA\fR\|(7),
+\&\fBEVP_SIGNATURE\-ECDSA\fR\|(7) and \fBEVP_SIGNATURE\-ED25519\fR\|(7).
.PP
-Deprecated low-level \s-1MAC\s0 functions
+Deprecated low-level MAC functions
.IX Subsection "Deprecated low-level MAC functions"
.PP
Low-level mac functions such as \fBCMAC_Init\fR\|(3) are deprecated.
-Applications should instead use the new \s-1\fBEVP_MAC\s0\fR\|(3) interface, using
+Applications should instead use the new \fBEVP_MAC\fR\|(3) interface, using
\&\fBEVP_MAC_CTX_new\fR\|(3), \fBEVP_MAC_CTX_free\fR\|(3), \fBEVP_MAC_init\fR\|(3),
-\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single-shot \s-1MAC\s0 function
+\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3) or the single-shot MAC function
\&\fBEVP_Q_mac\fR\|(3).
-See \s-1\fBEVP_MAC\s0\fR\|(3), \s-1\fBEVP_MAC\-HMAC\s0\fR\|(7), \s-1\fBEVP_MAC\-CMAC\s0\fR\|(7), \s-1\fBEVP_MAC\-GMAC\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-KMAC\s0\fR\|(7), \s-1\fBEVP_MAC\-BLAKE2\s0\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and
+See \fBEVP_MAC\fR\|(3), \fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-CMAC\fR\|(7), \fBEVP_MAC\-GMAC\fR\|(7),
+\&\fBEVP_MAC\-KMAC\fR\|(7), \fBEVP_MAC\-BLAKE2\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7) and
\&\fBEVP_MAC\-Siphash\fR\|(7) for additional information.
.PP
-Note that the one-shot method \s-1\fBHMAC\s0()\fR is still available for compatibility purposes,
-but this can also be replaced by using \s-1EVP_Q_MAC\s0 if a library context is required.
+Note that the one-shot method \fBHMAC()\fR is still available for compatibility purposes,
+but this can also be replaced by using EVP_Q_MAC if a library context is required.
.PP
Deprecated low-level validation functions
.IX Subsection "Deprecated low-level validation functions"
.PP
Low-level validation functions such as \fBDH_check\fR\|(3) have been informally
discouraged from use for a long time. Applications should instead use the high-level
-\&\s-1EVP_PKEY\s0 APIs such as \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_param_check\fR\|(3),
+EVP_PKEY APIs such as \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_param_check\fR\|(3),
\&\fBEVP_PKEY_param_check_quick\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3),
\&\fBEVP_PKEY_public_check_quick\fR\|(3), \fBEVP_PKEY_private_check\fR\|(3),
and \fBEVP_PKEY_pairwise_check\fR\|(3).
@@ -1112,22 +1072,22 @@ Deprecated low-level key exchange functions
.PP
Many low-level functions have been informally discouraged from use for a long
time. Applications should instead use \fBEVP_PKEY_derive\fR\|(3).
-See \s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7), \s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7) and \s-1\fBEVP_KEYEXCH\-X25519\s0\fR\|(7).
+See \fBEVP_KEYEXCH\-DH\fR\|(7), \fBEVP_KEYEXCH\-ECDH\fR\|(7) and \fBEVP_KEYEXCH\-X25519\fR\|(7).
.PP
Deprecated low-level key generation functions
.IX Subsection "Deprecated low-level key generation functions"
.PP
Many low-level functions have been informally discouraged from use for a long
time. Applications should instead use \fBEVP_PKEY_keygen_init\fR\|(3) and
-\&\fBEVP_PKEY_generate\fR\|(3) as described in \s-1\fBEVP_PKEY\-DSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-DH\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-RSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-EC\s0\fR\|(7) and \s-1\fBEVP_PKEY\-X25519\s0\fR\|(7).
+\&\fBEVP_PKEY_generate\fR\|(3) as described in \fBEVP_PKEY\-DSA\fR\|(7), \fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-RSA\fR\|(7), \fBEVP_PKEY\-EC\fR\|(7) and \fBEVP_PKEY\-X25519\fR\|(7).
The 'quick' one-shot function \fBEVP_PKEY_Q_keygen\fR\|(3) and macros for the most
common cases: <\fBEVP_RSA_gen\fR\|(3)> and \fBEVP_EC_gen\fR\|(3) may also be used.
.PP
Deprecated low-level key reading and writing functions
.IX Subsection "Deprecated low-level key reading and writing functions"
.PP
-Use of low-level objects (such as \s-1DSA\s0) has been informally discouraged from use
+Use of low-level objects (such as DSA) has been informally discouraged from use
for a long time. Functions to read and write these low-level objects (such as
\&\fBPEM_read_DSA_PUBKEY()\fR) should be replaced. Applications should instead use
\&\fBOSSL_ENCODER_to_bio\fR\|(3) and \fBOSSL_DECODER_from_bio\fR\|(3).
@@ -1135,9 +1095,9 @@ for a long time. Functions to read and write these low-level objects (such as
Deprecated low-level key printing functions
.IX Subsection "Deprecated low-level key printing functions"
.PP
-Use of low-level objects (such as \s-1DSA\s0) has been informally discouraged from use
+Use of low-level objects (such as DSA) has been informally discouraged from use
for a long time. Functions to print these low-level objects such as
-\&\fBDSA_print()\fR should be replaced with the equivalent \s-1EVP_PKEY\s0 functions.
+\&\fBDSA_print()\fR should be replaced with the equivalent EVP_PKEY functions.
Application should use one of \fBEVP_PKEY_print_public\fR\|(3),
\&\fBEVP_PKEY_print_private\fR\|(3), \fBEVP_PKEY_print_params\fR\|(3),
\&\fBEVP_PKEY_print_public_fp\fR\|(3), \fBEVP_PKEY_print_private_fp\fR\|(3) or
@@ -1148,92 +1108,92 @@ Application should use one of \fBEVP_PKEY_print_public\fR\|(3),
.IX Subsection "Deprecated function mappings"
.PP
The following functions have been deprecated in 3.0.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBAES_bi_ige_encrypt()\fR and \fBAES_ige_encrypt()\fR
.Sp
-There is no replacement for the \s-1IGE\s0 functions. New code should not use these modes.
-These undocumented functions were never integrated into the \s-1EVP\s0 layer.
-They implemented the \s-1AES\s0 Infinite Garble Extension (\s-1IGE\s0) mode and \s-1AES\s0
-Bi-directional \s-1IGE\s0 mode. These modes were never formally standardised and
+There is no replacement for the IGE functions. New code should not use these modes.
+These undocumented functions were never integrated into the EVP layer.
+They implemented the AES Infinite Garble Extension (IGE) mode and AES
+Bi-directional IGE mode. These modes were never formally standardised and
usage of these functions is believed to be very small. In particular
-\&\fBAES_bi_ige_encrypt()\fR has a known bug. It accepts 2 \s-1AES\s0 keys, but only one
+\&\fBAES_bi_ige_encrypt()\fR has a known bug. It accepts 2 AES keys, but only one
is ever used. The security implications are believed to be minimal, but
this issue was never fixed for backwards compatibility reasons.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBAES_encrypt()\fR, \fBAES_decrypt()\fR, \fBAES_set_encrypt_key()\fR, \fBAES_set_decrypt_key()\fR,
\&\fBAES_cbc_encrypt()\fR, \fBAES_cfb128_encrypt()\fR, \fBAES_cfb1_encrypt()\fR, \fBAES_cfb8_encrypt()\fR,
\&\fBAES_ecb_encrypt()\fR, \fBAES_ofb128_encrypt()\fR
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBAES_unwrap_key()\fR, \fBAES_wrap_key()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions"
+.IP \(bu 4
\&\fBAES_options()\fR
.Sp
-There is no replacement. It returned a string indicating if the \s-1AES\s0 code was unrolled.
-.IP "\(bu" 4
+There is no replacement. It returned a string indicating if the AES code was unrolled.
+.IP \(bu 4
\&\fBASN1_digest()\fR, \fBASN1_sign()\fR, \fBASN1_verify()\fR
.Sp
There are no replacements. These old functions are not used, and could be
-disabled with the macro \s-1NO_ASN1_OLD\s0 since OpenSSL 0.9.7.
-.IP "\(bu" 4
+disabled with the macro NO_ASN1_OLD since OpenSSL 0.9.7.
+.IP \(bu 4
\&\fBASN1_STRING_length_set()\fR
.Sp
Use \fBASN1_STRING_set\fR\|(3) or \fBASN1_STRING_set0\fR\|(3) instead.
This was a potentially unsafe function that could change the bounds of a
previously passed in pointer.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBF_encrypt()\fR, \fBBF_decrypt()\fR, \fBBF_set_key()\fR, \fBBF_cbc_encrypt()\fR, \fBBF_cfb64_encrypt()\fR,
\&\fBBF_ecb_encrypt()\fR, \fBBF_ofb64_encrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
+See "Deprecated low-level encryption functions".
The Blowfish algorithm has been moved to the Legacy Provider.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBF_options()\fR
.Sp
There is no replacement. This option returned a constant string.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBIO_get_callback()\fR, \fBBIO_set_callback()\fR, \fBBIO_debug_callback()\fR
.Sp
Use the respective non-deprecated \fB_ex()\fR functions.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBN_is_prime_ex()\fR, \fBBN_is_prime_fasttest_ex()\fR
.Sp
Use \fBBN_check_prime\fR\|(3) which avoids possible misuse and always uses at least
64 rounds of the Miller-Rabin primality test.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBN_pseudo_rand()\fR, \fBBN_pseudo_rand_range()\fR
.Sp
Use \fBBN_rand\fR\|(3) and \fBBN_rand_range\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBBN_X931_derive_prime_ex()\fR, \fBBN_X931_generate_prime_ex()\fR, \fBBN_X931_generate_Xpq()\fR
.Sp
There are no replacements for these low-level functions. They were used internally
by \fBRSA_X931_derive_ex()\fR and \fBRSA_X931_generate_key_ex()\fR which are also deprecated.
Use \fBEVP_PKEY_keygen\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBCamellia_encrypt()\fR, \fBCamellia_decrypt()\fR, \fBCamellia_set_key()\fR,
\&\fBCamellia_cbc_encrypt()\fR, \fBCamellia_cfb128_encrypt()\fR, \fBCamellia_cfb1_encrypt()\fR,
\&\fBCamellia_cfb8_encrypt()\fR, \fBCamellia_ctr128_encrypt()\fR, \fBCamellia_ecb_encrypt()\fR,
\&\fBCamellia_ofb128_encrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+.IP \(bu 4
\&\fBCAST_encrypt()\fR, \fBCAST_decrypt()\fR, \fBCAST_set_key()\fR, \fBCAST_cbc_encrypt()\fR,
\&\fBCAST_cfb64_encrypt()\fR, \fBCAST_ecb_encrypt()\fR, \fBCAST_ofb64_encrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-The \s-1CAST\s0 algorithm has been moved to the Legacy Provider.
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+The CAST algorithm has been moved to the Legacy Provider.
+.IP \(bu 4
\&\fBCMAC_CTX_new()\fR, \fBCMAC_CTX_cleanup()\fR, \fBCMAC_CTX_copy()\fR, \fBCMAC_CTX_free()\fR,
\&\fBCMAC_CTX_get0_cipher_ctx()\fR
.Sp
-See \*(L"Deprecated low-level \s-1MAC\s0 functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level MAC functions".
+.IP \(bu 4
\&\fBCMAC_Init()\fR, \fBCMAC_Update()\fR, \fBCMAC_Final()\fR, \fBCMAC_resume()\fR
.Sp
-See \*(L"Deprecated low-level \s-1MAC\s0 functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level MAC functions".
+.IP \(bu 4
\&\fBCRYPTO_mem_ctrl()\fR, \fBCRYPTO_mem_debug_free()\fR, \fBCRYPTO_mem_debug_malloc()\fR,
\&\fBCRYPTO_mem_debug_pop()\fR, \fBCRYPTO_mem_debug_push()\fR, \fBCRYPTO_mem_debug_realloc()\fR,
\&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_cb()\fR, \fBCRYPTO_mem_leaks_fp()\fR,
@@ -1241,7 +1201,7 @@ See \*(L"Deprecated low-level \s-1MAC\s0 functions\*(R".
.Sp
Memory-leak checking has been deprecated in favor of more modern development
tools, such as compiler memory and leak sanitizers or Valgrind.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBCRYPTO_cts128_encrypt_block()\fR, \fBCRYPTO_cts128_encrypt()\fR,
\&\fBCRYPTO_cts128_decrypt_block()\fR, \fBCRYPTO_cts128_decrypt()\fR,
\&\fBCRYPTO_nistcts128_encrypt_block()\fR, \fBCRYPTO_nistcts128_encrypt()\fR,
@@ -1249,22 +1209,27 @@ tools, such as compiler memory and leak sanitizers or Valgrind.
.Sp
Use the higher level functions \fBEVP_CipherInit_ex2()\fR, \fBEVP_CipherUpdate()\fR and
\&\fBEVP_CipherFinal_ex()\fR instead.
-See the \*(L"cts_mode\*(R" parameter in
-\&\*(L"Gettable and Settable \s-1EVP_CIPHER_CTX\s0 parameters\*(R" in \fBEVP_EncryptInit\fR\|(3).
-See \*(L"\s-1EXAMPLES\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3) for a \s-1AES\-256\-CBC\-CTS\s0 example.
-.IP "\(bu" 4
+See the "cts_mode" parameter in
+"Gettable and Settable EVP_CIPHER_CTX parameters" in \fBEVP_EncryptInit\fR\|(3).
+See "EXAMPLES" in \fBEVP_EncryptInit\fR\|(3) for a AES\-256\-CBC\-CTS example.
+.IP \(bu 4
\&\fBd2i_DHparams()\fR, \fBd2i_DHxparams()\fR, \fBd2i_DSAparams()\fR, \fBd2i_DSAPrivateKey()\fR,
\&\fBd2i_DSAPrivateKey_bio()\fR, \fBd2i_DSAPrivateKey_fp()\fR, \fBd2i_DSA_PUBKEY()\fR,
\&\fBd2i_DSA_PUBKEY_bio()\fR, \fBd2i_DSA_PUBKEY_fp()\fR, \fBd2i_DSAPublicKey()\fR,
\&\fBd2i_ECParameters()\fR, \fBd2i_ECPrivateKey()\fR, \fBd2i_ECPrivateKey_bio()\fR,
\&\fBd2i_ECPrivateKey_fp()\fR, \fBd2i_EC_PUBKEY()\fR, \fBd2i_EC_PUBKEY_bio()\fR,
-\&\fBd2i_EC_PUBKEY_fp()\fR, \fBo2i_ECPublicKey()\fR, \fBd2i_RSAPrivateKey()\fR,
+\&\fBd2i_EC_PUBKEY_fp()\fR, \fBd2i_RSAPrivateKey()\fR,
\&\fBd2i_RSAPrivateKey_bio()\fR, \fBd2i_RSAPrivateKey_fp()\fR, \fBd2i_RSA_PUBKEY()\fR,
\&\fBd2i_RSA_PUBKEY_bio()\fR, \fBd2i_RSA_PUBKEY_fp()\fR, \fBd2i_RSAPublicKey()\fR,
\&\fBd2i_RSAPublicKey_bio()\fR, \fBd2i_RSAPublicKey_fp()\fR
.Sp
-See \*(L"Deprecated i2d and d2i functions for low-level key types\*(R"
-.IP "\(bu" 4
+See "Deprecated i2d and d2i functions for low-level key types"
+.IP \(bu 4
+\&\fBo2i_ECPublicKey()\fR
+.Sp
+Use \fBEVP_PKEY_set1_encoded_public_key\fR\|(3).
+See "Deprecated low-level key parameter setters"
+.IP \(bu 4
\&\fBDES_crypt()\fR, \fBDES_fcrypt()\fR, \fBDES_encrypt1()\fR, \fBDES_encrypt2()\fR, \fBDES_encrypt3()\fR,
\&\fBDES_decrypt3()\fR, \fBDES_ede3_cbc_encrypt()\fR, \fBDES_ede3_cfb64_encrypt()\fR,
\&\fBDES_ede3_cfb_encrypt()\fR,\fBDES_ede3_ofb64_encrypt()\fR,
@@ -1275,281 +1240,281 @@ DES_cfb64_encrypt \fBDES_cfb_encrypt()\fR, \fBDES_cbc_encrypt()\fR, \fBDES_ncbc_
\&\fBDES_random_key()\fR, \fBDES_set_key()\fR, \fBDES_set_key_checked()\fR, \fBDES_set_key_unchecked()\fR,
\&\fBDES_set_odd_parity()\fR, \fBDES_string_to_2keys()\fR, \fBDES_string_to_key()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-Algorithms for \*(L"DESX-CBC\*(R", \*(L"DES-ECB\*(R", \*(L"DES-CBC\*(R", \*(L"DES-OFB\*(R", \*(L"DES-CFB\*(R",
-\&\*(L"\s-1DES\-CFB1\*(R"\s0 and \*(L"\s-1DES\-CFB8\*(R"\s0 have been moved to the Legacy Provider.
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+Algorithms for "DESX-CBC", "DES-ECB", "DES-CBC", "DES-OFB", "DES-CFB",
+"DES\-CFB1" and "DES\-CFB8" have been moved to the Legacy Provider.
+.IP \(bu 4
\&\fBDH_bits()\fR, \fBDH_security_bits()\fR, \fBDH_size()\fR
.Sp
Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
\&\fBEVP_PKEY_get_size\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBDH_check()\fR, \fBDH_check_ex()\fR, \fBDH_check_params()\fR, \fBDH_check_params_ex()\fR,
\&\fBDH_check_pub_key()\fR, \fBDH_check_pub_key_ex()\fR
.Sp
-See \*(L"Deprecated low-level validation functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level validation functions"
+.IP \(bu 4
\&\fBDH_clear_flags()\fR, \fBDH_test_flags()\fR, \fBDH_set_flags()\fR
.Sp
-The \fB\s-1DH_FLAG_CACHE_MONT_P\s0\fR flag has been deprecated without replacement.
-The \fB\s-1DH_FLAG_TYPE_DH\s0\fR and \fB\s-1DH_FLAG_TYPE_DHX\s0\fR have been deprecated.
+The \fBDH_FLAG_CACHE_MONT_P\fR flag has been deprecated without replacement.
+The \fBDH_FLAG_TYPE_DH\fR and \fBDH_FLAG_TYPE_DHX\fR have been deprecated.
Use \fBEVP_PKEY_is_a()\fR to determine the type of a key.
There is no replacement for setting these flags.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBDH_compute_key()\fR \fBDH_compute_key_padded()\fR
.Sp
-See \*(L"Deprecated low-level key exchange functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key exchange functions".
+.IP \(bu 4
\&\fBDH_new()\fR, \fBDH_new_by_nid()\fR, \fBDH_free()\fR, \fBDH_up_ref()\fR
.Sp
-See \*(L"Deprecated low-level object creation\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level object creation"
+.IP \(bu 4
\&\fBDH_generate_key()\fR, \fBDH_generate_parameters_ex()\fR
.Sp
-See \*(L"Deprecated low-level key generation functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key generation functions".
+.IP \(bu 4
\&\fBDH_get0_pqg()\fR, \fBDH_get0_p()\fR, \fBDH_get0_q()\fR, \fBDH_get0_g()\fR, \fBDH_get0_key()\fR,
\&\fBDH_get0_priv_key()\fR, \fBDH_get0_pub_key()\fR, \fBDH_get_length()\fR, \fBDH_get_nid()\fR
.Sp
-See \*(L"Deprecated low-level key parameter getters\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key parameter getters"
+.IP \(bu 4
\&\fBDH_get_1024_160()\fR, \fBDH_get_2048_224()\fR, \fBDH_get_2048_256()\fR
.Sp
-Applications should instead set the \fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR as specified in
-\&\*(L"\s-1DH\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-DH\s0\fR\|(7)) to one of \*(L"dh_1024_160\*(R", \*(L"dh_2048_224\*(R" or
-\&\*(L"dh_2048_256\*(R" when generating a \s-1DH\s0 key.
-.IP "\(bu" 4
-\&\s-1\fBDH_KDF_X9_42\s0()\fR
+Applications should instead set the \fBOSSL_PKEY_PARAM_GROUP_NAME\fR as specified in
+"DH parameters" in \fBEVP_PKEY\-DH\fR\|(7)) to one of "dh_1024_160", "dh_2048_224" or
+"dh_2048_256" when generating a DH key.
+.IP \(bu 4
+\&\fBDH_KDF_X9_42()\fR
.Sp
Applications should use \fBEVP_PKEY_CTX_set_dh_kdf_type\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBDH_get_default_method()\fR, \fBDH_get0_engine()\fR, DH_meth_*(), \fBDH_new_method()\fR,
\&\fBDH_OpenSSL()\fR, \fBDH_get_ex_data()\fR, \fBDH_set_default_method()\fR, \fBDH_set_method()\fR,
\&\fBDH_set_ex_data()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R"
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides"
+.IP \(bu 4
\&\fBDHparams_print()\fR, \fBDHparams_print_fp()\fR
.Sp
-See \*(L"Deprecated low-level key printing functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key printing functions"
+.IP \(bu 4
\&\fBDH_set0_key()\fR, \fBDH_set0_pqg()\fR, \fBDH_set_length()\fR
.Sp
-See \*(L"Deprecated low-level key parameter setters\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key parameter setters"
+.IP \(bu 4
\&\fBDSA_bits()\fR, \fBDSA_security_bits()\fR, \fBDSA_size()\fR
.Sp
Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
\&\fBEVP_PKEY_get_size\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBDHparams_dup()\fR, \fBDSA_dup_DH()\fR
.Sp
There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
and \fBEVP_PKEY_dup\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBDSA_generate_key()\fR, \fBDSA_generate_parameters_ex()\fR
.Sp
-See \*(L"Deprecated low-level key generation functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key generation functions".
+.IP \(bu 4
\&\fBDSA_get0_engine()\fR, \fBDSA_get_default_method()\fR, \fBDSA_get_ex_data()\fR,
\&\fBDSA_get_method()\fR, DSA_meth_*(), \fBDSA_new_method()\fR, \fBDSA_OpenSSL()\fR,
\&\fBDSA_set_default_method()\fR, \fBDSA_set_ex_data()\fR, \fBDSA_set_method()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
\&\fBDSA_get0_p()\fR, \fBDSA_get0_q()\fR, \fBDSA_get0_g()\fR, \fBDSA_get0_pqg()\fR, \fBDSA_get0_key()\fR,
\&\fBDSA_get0_priv_key()\fR, \fBDSA_get0_pub_key()\fR
.Sp
-See \*(L"Deprecated low-level key parameter getters\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key parameter getters".
+.IP \(bu 4
\&\fBDSA_new()\fR, \fBDSA_free()\fR, \fBDSA_up_ref()\fR
.Sp
-See \*(L"Deprecated low-level object creation\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level object creation"
+.IP \(bu 4
\&\fBDSAparams_dup()\fR
.Sp
There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
and \fBEVP_PKEY_dup\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBDSAparams_print()\fR, \fBDSAparams_print_fp()\fR, \fBDSA_print()\fR, \fBDSA_print_fp()\fR
.Sp
-See \*(L"Deprecated low-level key printing functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key printing functions"
+.IP \(bu 4
\&\fBDSA_set0_key()\fR, \fBDSA_set0_pqg()\fR
.Sp
-See \*(L"Deprecated low-level key parameter setters\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key parameter setters"
+.IP \(bu 4
\&\fBDSA_set_flags()\fR, \fBDSA_clear_flags()\fR, \fBDSA_test_flags()\fR
.Sp
-The \fB\s-1DSA_FLAG_CACHE_MONT_P\s0\fR flag has been deprecated without replacement.
-.IP "\(bu" 4
+The \fBDSA_FLAG_CACHE_MONT_P\fR flag has been deprecated without replacement.
+.IP \(bu 4
\&\fBDSA_sign()\fR, \fBDSA_do_sign()\fR, \fBDSA_sign_setup()\fR, \fBDSA_verify()\fR, \fBDSA_do_verify()\fR
.Sp
-See \*(L"Deprecated low-level signing functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level signing functions".
+.IP \(bu 4
\&\fBECDH_compute_key()\fR
.Sp
-See \*(L"Deprecated low-level key exchange functions\*(R".
-.IP "\(bu" 4
-\&\s-1\fBECDH_KDF_X9_62\s0()\fR
+See "Deprecated low-level key exchange functions".
+.IP \(bu 4
+\&\fBECDH_KDF_X9_62()\fR
.Sp
Applications may either set this using the helper function
-\&\fBEVP_PKEY_CTX_set_ecdh_kdf_type\fR\|(3) or by setting an \s-1\fBOSSL_PARAM\s0\fR\|(3) using the
-\&\*(L"kdf-type\*(R" as shown in \*(L"\s-1EXAMPLES\*(R"\s0 in \s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7)
-.IP "\(bu" 4
+\&\fBEVP_PKEY_CTX_set_ecdh_kdf_type\fR\|(3) or by setting an \fBOSSL_PARAM\fR\|(3) using the
+"kdf-type" as shown in "EXAMPLES" in \fBEVP_KEYEXCH\-ECDH\fR\|(7)
+.IP \(bu 4
\&\fBECDSA_sign()\fR, \fBECDSA_sign_ex()\fR, \fBECDSA_sign_setup()\fR, \fBECDSA_do_sign()\fR,
\&\fBECDSA_do_sign_ex()\fR, \fBECDSA_verify()\fR, \fBECDSA_do_verify()\fR
.Sp
-See \*(L"Deprecated low-level signing functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level signing functions".
+.IP \(bu 4
\&\fBECDSA_size()\fR
.Sp
Applications should use \fBEVP_PKEY_get_size\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_GF2m_simple_method()\fR, \fBEC_GFp_mont_method()\fR, \fBEC_GFp_nist_method()\fR,
\&\fBEC_GFp_nistp224_method()\fR, \fBEC_GFp_nistp256_method()\fR, \fBEC_GFp_nistp521_method()\fR,
\&\fBEC_GFp_simple_method()\fR
.Sp
There are no replacements for these functions. Applications should rely on the
-library automatically assigning a suitable method internally when an \s-1EC_GROUP\s0
+library automatically assigning a suitable method internally when an EC_GROUP
is constructed.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_GROUP_clear_free()\fR
.Sp
Use \fBEC_GROUP_free\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_GROUP_get_curve_GF2m()\fR, \fBEC_GROUP_get_curve_GFp()\fR, \fBEC_GROUP_set_curve_GF2m()\fR,
\&\fBEC_GROUP_set_curve_GFp()\fR
.Sp
Applications should use \fBEC_GROUP_get_curve\fR\|(3) and \fBEC_GROUP_set_curve\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_GROUP_have_precompute_mult()\fR, \fBEC_GROUP_precompute_mult()\fR,
\&\fBEC_KEY_precompute_mult()\fR
.Sp
These functions are not widely used. Applications should instead switch to
named curves which OpenSSL has hardcoded lookup tables for.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_GROUP_new()\fR, \fBEC_GROUP_method_of()\fR, \fBEC_POINT_method_of()\fR
.Sp
-\&\s-1EC_METHOD\s0 is now an internal-only concept and a suitable \s-1EC_METHOD\s0 is assigned
+EC_METHOD is now an internal-only concept and a suitable EC_METHOD is assigned
internally without application intervention.
Users of \fBEC_GROUP_new()\fR should switch to a different suitable constructor.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_KEY_can_sign()\fR
.Sp
Applications should use \fBEVP_PKEY_can_sign\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_KEY_check_key()\fR
.Sp
-See \*(L"Deprecated low-level validation functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level validation functions"
+.IP \(bu 4
\&\fBEC_KEY_set_flags()\fR, \fBEC_KEY_get_flags()\fR, \fBEC_KEY_clear_flags()\fR
.Sp
-See \*(L"Common \s-1EC\s0 parameters\*(R" in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7) which handles flags as separate
-parameters for \fB\s-1OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\s0\fR,
-\&\fB\s-1OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\s0\fR, \fB\s-1OSSL_PKEY_PARAM_EC_ENCODING\s0\fR,
-\&\fB\s-1OSSL_PKEY_PARAM_USE_COFACTOR_ECDH\s0\fR and
-\&\fB\s-1OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\s0\fR.
-See also \*(L"\s-1EXAMPLES\*(R"\s0 in \s-1\fBEVP_PKEY\-EC\s0\fR\|(7)
-.IP "\(bu" 4
+See "Common EC parameters" in \fBEVP_PKEY\-EC\fR\|(7) which handles flags as separate
+parameters for \fBOSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT\fR,
+\&\fBOSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE\fR, \fBOSSL_PKEY_PARAM_EC_ENCODING\fR,
+\&\fBOSSL_PKEY_PARAM_USE_COFACTOR_ECDH\fR and
+\&\fBOSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC\fR.
+See also "EXAMPLES" in \fBEVP_PKEY\-EC\fR\|(7)
+.IP \(bu 4
\&\fBEC_KEY_dup()\fR, \fBEC_KEY_copy()\fR
.Sp
There is no direct replacement. Applications may use \fBEVP_PKEY_copy_parameters\fR\|(3)
and \fBEVP_PKEY_dup\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_KEY_decoded_from_explicit_params()\fR
.Sp
There is no replacement.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_KEY_generate_key()\fR
.Sp
-See \*(L"Deprecated low-level key generation functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key generation functions".
+.IP \(bu 4
\&\fBEC_KEY_get0_group()\fR, \fBEC_KEY_get0_private_key()\fR, \fBEC_KEY_get0_public_key()\fR,
\&\fBEC_KEY_get_conv_form()\fR, \fBEC_KEY_get_enc_flags()\fR
.Sp
-See \*(L"Deprecated low-level key parameter getters\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key parameter getters".
+.IP \(bu 4
\&\fBEC_KEY_get0_engine()\fR, \fBEC_KEY_get_default_method()\fR, \fBEC_KEY_get_method()\fR,
\&\fBEC_KEY_new_method()\fR, \fBEC_KEY_get_ex_data()\fR, \fBEC_KEY_OpenSSL()\fR,
\&\fBEC_KEY_set_ex_data()\fR, \fBEC_KEY_set_default_method()\fR, EC_KEY_METHOD_*(),
\&\fBEC_KEY_set_method()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R"
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides"
+.IP \(bu 4
\&\fBEC_METHOD_get_field_type()\fR
.Sp
Use \fBEC_GROUP_get_field_type\fR\|(3) instead.
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R"
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides"
+.IP \(bu 4
\&\fBEC_KEY_key2buf()\fR, \fBEC_KEY_oct2key()\fR, \fBEC_KEY_oct2priv()\fR, \fBEC_KEY_priv2buf()\fR,
\&\fBEC_KEY_priv2oct()\fR
.Sp
There are no replacements for these.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_KEY_new()\fR, \fBEC_KEY_new_by_curve_name()\fR, \fBEC_KEY_free()\fR, \fBEC_KEY_up_ref()\fR
.Sp
-See \*(L"Deprecated low-level object creation\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level object creation"
+.IP \(bu 4
\&\fBEC_KEY_print()\fR, \fBEC_KEY_print_fp()\fR
.Sp
-See \*(L"Deprecated low-level key printing functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key printing functions"
+.IP \(bu 4
\&\fBEC_KEY_set_asn1_flag()\fR, \fBEC_KEY_set_conv_form()\fR, \fBEC_KEY_set_enc_flags()\fR
.Sp
-See \*(L"Deprecated low-level key parameter setters\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key parameter setters".
+.IP \(bu 4
\&\fBEC_KEY_set_group()\fR, \fBEC_KEY_set_private_key()\fR, \fBEC_KEY_set_public_key()\fR,
\&\fBEC_KEY_set_public_key_affine_coordinates()\fR
.Sp
-See \*(L"Deprecated low-level key parameter setters\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key parameter setters".
+.IP \(bu 4
\&\fBECParameters_print()\fR, \fBECParameters_print_fp()\fR, \fBECPKParameters_print()\fR,
\&\fBECPKParameters_print_fp()\fR
.Sp
-See \*(L"Deprecated low-level key printing functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key printing functions"
+.IP \(bu 4
\&\fBEC_POINT_bn2point()\fR, \fBEC_POINT_point2bn()\fR
.Sp
-These functions were not particularly useful, since \s-1EC\s0 point serialization
+These functions were not particularly useful, since EC point serialization
formats are not individual big-endian integers.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_POINT_get_affine_coordinates_GF2m()\fR, \fBEC_POINT_get_affine_coordinates_GFp()\fR,
\&\fBEC_POINT_set_affine_coordinates_GF2m()\fR, \fBEC_POINT_set_affine_coordinates_GFp()\fR
.Sp
Applications should use \fBEC_POINT_get_affine_coordinates\fR\|(3) and
\&\fBEC_POINT_set_affine_coordinates\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_POINT_get_Jprojective_coordinates_GFp()\fR, \fBEC_POINT_set_Jprojective_coordinates_GFp()\fR
.Sp
These functions are not widely used. Applications should instead use the
\&\fBEC_POINT_set_affine_coordinates\fR\|(3) and \fBEC_POINT_get_affine_coordinates\fR\|(3)
functions.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_POINT_make_affine()\fR, \fBEC_POINTs_make_affine()\fR
.Sp
There is no replacement. These functions were not widely used, and OpenSSL
automatically performs this conversion when needed.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_POINT_set_compressed_coordinates_GF2m()\fR, \fBEC_POINT_set_compressed_coordinates_GFp()\fR
.Sp
Applications should use \fBEC_POINT_set_compressed_coordinates\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEC_POINTs_mul()\fR
.Sp
This function is not widely used. Applications should instead use the
\&\fBEC_POINT_mul\fR\|(3) function.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBENGINE_*()\fR
.Sp
All engine functions are deprecated. An engine should be rewritten as a provider.
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
\&\fBERR_load_*()\fR, \fBERR_func_error_string()\fR, \fBERR_get_error_line()\fR,
\&\fBERR_get_error_line_data()\fR, \fBERR_get_state()\fR
.Sp
OpenSSL now loads error strings automatically so these functions are not needed.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBERR_peek_error_line_data()\fR, \fBERR_peek_last_error_line_data()\fR
.Sp
The new functions are \fBERR_peek_error_func\fR\|(3), \fBERR_peek_last_error_func\fR\|(3),
@@ -1558,179 +1523,184 @@ The new functions are \fBERR_peek_error_func\fR\|(3), \fBERR_peek_last_error_fun
Applications should use \fBERR_get_error_all\fR\|(3), or pick information
with ERR_peek functions and finish off with getting the error code by using
\&\fBERR_get_error\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_CIPHER_CTX_iv()\fR, \fBEVP_CIPHER_CTX_iv_noconst()\fR, \fBEVP_CIPHER_CTX_original_iv()\fR
.Sp
Applications should instead use \fBEVP_CIPHER_CTX_get_updated_iv\fR\|(3),
\&\fBEVP_CIPHER_CTX_get_updated_iv\fR\|(3) and \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3)
respectively.
See \fBEVP_CIPHER_CTX_get_original_iv\fR\|(3) for further information.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_CIPHER_meth_*()\fR, \fBEVP_MD_CTX_set_update_fn()\fR, \fBEVP_MD_CTX_update_fn()\fR,
\&\fBEVP_MD_meth_*()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
-\&\s-1\fBEVP_PKEY_CTRL_PKCS7_ENCRYPT\s0()\fR, \s-1\fBEVP_PKEY_CTRL_PKCS7_DECRYPT\s0()\fR,
-\&\s-1\fBEVP_PKEY_CTRL_PKCS7_SIGN\s0()\fR, \s-1\fBEVP_PKEY_CTRL_CMS_ENCRYPT\s0()\fR,
-\&\s-1\fBEVP_PKEY_CTRL_CMS_DECRYPT\s0()\fR, and \s-1\fBEVP_PKEY_CTRL_CMS_SIGN\s0()\fR
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
+\&\fBEVP_PKEY_CTRL_PKCS7_ENCRYPT()\fR, \fBEVP_PKEY_CTRL_PKCS7_DECRYPT()\fR,
+\&\fBEVP_PKEY_CTRL_PKCS7_SIGN()\fR, \fBEVP_PKEY_CTRL_CMS_ENCRYPT()\fR,
+\&\fBEVP_PKEY_CTRL_CMS_DECRYPT()\fR, and \fBEVP_PKEY_CTRL_CMS_SIGN()\fR
.Sp
These control operations are not invoked by the OpenSSL library anymore and
are replaced by direct checks of the key operation against the key type
when the operation is initialized.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR, \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm()\fR
.Sp
-See the \*(L"kdf-ukm\*(R" item in \*(L"\s-1DH\s0 key exchange parameters\*(R" in \s-1\fBEVP_KEYEXCH\-DH\s0\fR\|(7) and
-\&\*(L"\s-1ECDH\s0 Key Exchange parameters\*(R" in \s-1\fBEVP_KEYEXCH\-ECDH\s0\fR\|(7).
+See the "kdf-ukm" item in "DH key exchange parameters" in \fBEVP_KEYEXCH\-DH\fR\|(7) and
+"ECDH Key Exchange parameters" in \fBEVP_KEYEXCH\-ECDH\fR\|(7).
These functions are obsolete and should not be required.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR
.Sp
Applications should use \fBEVP_PKEY_CTX_set1_rsa_keygen_pubexp\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_cmp()\fR, \fBEVP_PKEY_cmp_parameters()\fR
.Sp
Applications should use \fBEVP_PKEY_eq\fR\|(3) and \fBEVP_PKEY_parameters_eq\fR\|(3) instead.
See \fBEVP_PKEY_copy_parameters\fR\|(3) for further details.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_encrypt_old()\fR, \fBEVP_PKEY_decrypt_old()\fR,
.Sp
Applications should use \fBEVP_PKEY_encrypt_init\fR\|(3) and \fBEVP_PKEY_encrypt\fR\|(3) or
\&\fBEVP_PKEY_decrypt_init\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_get0()\fR
.Sp
-This function returns \s-1NULL\s0 if the key comes from a provider.
-.IP "\(bu" 4
+This function returns NULL if the key comes from a provider.
+.IP \(bu 4
\&\fBEVP_PKEY_get0_DH()\fR, \fBEVP_PKEY_get0_DSA()\fR, \fBEVP_PKEY_get0_EC_KEY()\fR, \fBEVP_PKEY_get0_RSA()\fR,
\&\fBEVP_PKEY_get1_DH()\fR, \fBEVP_PKEY_get1_DSA()\fR, EVP_PKEY_get1_EC_KEY and \fBEVP_PKEY_get1_RSA()\fR,
\&\fBEVP_PKEY_get0_hmac()\fR, \fBEVP_PKEY_get0_poly1305()\fR, \fBEVP_PKEY_get0_siphash()\fR
.Sp
-See \*(L"Functions that return an internal key should be treated as read only\*(R".
-.IP "\(bu" 4
+See "Functions that return an internal key should be treated as read only".
+.IP \(bu 4
\&\fBEVP_PKEY_meth_*()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
\&\fBEVP_PKEY_new_CMAC_key()\fR
.Sp
-See \*(L"Deprecated low-level \s-1MAC\s0 functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level MAC functions".
+.IP \(bu 4
\&\fBEVP_PKEY_assign()\fR, \fBEVP_PKEY_set1_DH()\fR, \fBEVP_PKEY_set1_DSA()\fR,
\&\fBEVP_PKEY_set1_EC_KEY()\fR, \fBEVP_PKEY_set1_RSA()\fR
.Sp
-See \*(L"Deprecated low-level key object getters and setters\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key object getters and setters"
+.IP \(bu 4
\&\fBEVP_PKEY_set1_tls_encodedpoint()\fR \fBEVP_PKEY_get1_tls_encodedpoint()\fR
.Sp
These functions were previously used by libssl to set or get an encoded public
-key into/from an \s-1EVP_PKEY\s0 object. With OpenSSL 3.0 these are replaced by the more
+key into/from an EVP_PKEY object. With OpenSSL 3.0 these are replaced by the more
generic functions \fBEVP_PKEY_set1_encoded_public_key\fR\|(3) and
\&\fBEVP_PKEY_get1_encoded_public_key\fR\|(3).
The old versions have been converted to deprecated macros that just call the
new functions.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBEVP_PKEY_set1_engine()\fR, \fBEVP_PKEY_get0_engine()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
\&\fBEVP_PKEY_set_alias_type()\fR
.Sp
This function has been removed. There is no replacement.
-See \*(L"\fBEVP_PKEY_set_alias_type()\fR method has been removed\*(R"
-.IP "\(bu" 4
+See "\fBEVP_PKEY_set_alias_type()\fR method has been removed"
+.IP \(bu 4
\&\fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR, \fBHMAC_Final()\fR, \fBHMAC_size()\fR
.Sp
-See \*(L"Deprecated low-level \s-1MAC\s0 functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level MAC functions".
+.IP \(bu 4
\&\fBHMAC_CTX_new()\fR, \fBHMAC_CTX_free()\fR, \fBHMAC_CTX_copy()\fR, \fBHMAC_CTX_reset()\fR,
\&\fBHMAC_CTX_set_flags()\fR, \fBHMAC_CTX_get_md()\fR
.Sp
-See \*(L"Deprecated low-level \s-1MAC\s0 functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level MAC functions".
+.IP \(bu 4
\&\fBi2d_DHparams()\fR, \fBi2d_DHxparams()\fR
.Sp
-See \*(L"Deprecated low-level key reading and writing functions\*(R"
-and \*(L"Migration\*(R" in \fBd2i_RSAPrivateKey\fR\|(3)
-.IP "\(bu" 4
+See "Deprecated low-level key reading and writing functions"
+and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
+.IP \(bu 4
\&\fBi2d_DSAparams()\fR, \fBi2d_DSAPrivateKey()\fR, \fBi2d_DSAPrivateKey_bio()\fR,
\&\fBi2d_DSAPrivateKey_fp()\fR, \fBi2d_DSA_PUBKEY()\fR, \fBi2d_DSA_PUBKEY_bio()\fR,
\&\fBi2d_DSA_PUBKEY_fp()\fR, \fBi2d_DSAPublicKey()\fR
.Sp
-See \*(L"Deprecated low-level key reading and writing functions\*(R"
-and \*(L"Migration\*(R" in \fBd2i_RSAPrivateKey\fR\|(3)
-.IP "\(bu" 4
+See "Deprecated low-level key reading and writing functions"
+and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
+.IP \(bu 4
\&\fBi2d_ECParameters()\fR, \fBi2d_ECPrivateKey()\fR, \fBi2d_ECPrivateKey_bio()\fR,
\&\fBi2d_ECPrivateKey_fp()\fR, \fBi2d_EC_PUBKEY()\fR, \fBi2d_EC_PUBKEY_bio()\fR,
-\&\fBi2d_EC_PUBKEY_fp()\fR, \fBi2o_ECPublicKey()\fR
+\&\fBi2d_EC_PUBKEY_fp()\fR
+.Sp
+See "Deprecated low-level key reading and writing functions"
+and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
+.IP \(bu 4
+\&\fBi2o_ECPublicKey()\fR
.Sp
-See \*(L"Deprecated low-level key reading and writing functions\*(R"
-and \*(L"Migration\*(R" in \fBd2i_RSAPrivateKey\fR\|(3)
-.IP "\(bu" 4
+Use \fBEVP_PKEY_get1_encoded_public_key\fR\|(3).
+See "Deprecated low-level key parameter getters"
+.IP \(bu 4
\&\fBi2d_RSAPrivateKey()\fR, \fBi2d_RSAPrivateKey_bio()\fR, \fBi2d_RSAPrivateKey_fp()\fR,
\&\fBi2d_RSA_PUBKEY()\fR, \fBi2d_RSA_PUBKEY_bio()\fR, \fBi2d_RSA_PUBKEY_fp()\fR,
\&\fBi2d_RSAPublicKey()\fR, \fBi2d_RSAPublicKey_bio()\fR, \fBi2d_RSAPublicKey_fp()\fR
.Sp
-See \*(L"Deprecated low-level key reading and writing functions\*(R"
-and \*(L"Migration\*(R" in \fBd2i_RSAPrivateKey\fR\|(3)
-.IP "\(bu" 4
+See "Deprecated low-level key reading and writing functions"
+and "Migration" in \fBd2i_RSAPrivateKey\fR\|(3)
+.IP \(bu 4
\&\fBIDEA_encrypt()\fR, \fBIDEA_set_decrypt_key()\fR, \fBIDEA_set_encrypt_key()\fR,
\&\fBIDEA_cbc_encrypt()\fR, \fBIDEA_cfb64_encrypt()\fR, \fBIDEA_ecb_encrypt()\fR,
\&\fBIDEA_ofb64_encrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-\&\s-1IDEA\s0 has been moved to the Legacy Provider.
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+IDEA has been moved to the Legacy Provider.
+.IP \(bu 4
\&\fBIDEA_options()\fR
.Sp
There is no replacement. This function returned a constant string.
-.IP "\(bu" 4
-\&\s-1\fBMD2\s0()\fR, \fBMD2_Init()\fR, \fBMD2_Update()\fR, \fBMD2_Final()\fR
+.IP \(bu 4
+\&\fBMD2()\fR, \fBMD2_Init()\fR, \fBMD2_Update()\fR, \fBMD2_Final()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-\&\s-1MD2\s0 has been moved to the Legacy Provider.
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+MD2 has been moved to the Legacy Provider.
+.IP \(bu 4
\&\fBMD2_options()\fR
.Sp
There is no replacement. This function returned a constant string.
-.IP "\(bu" 4
-\&\s-1\fBMD4\s0()\fR, \fBMD4_Init()\fR, \fBMD4_Update()\fR, \fBMD4_Final()\fR, \fBMD4_Transform()\fR
+.IP \(bu 4
+\&\fBMD4()\fR, \fBMD4_Init()\fR, \fBMD4_Update()\fR, \fBMD4_Final()\fR, \fBMD4_Transform()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-\&\s-1MD4\s0 has been moved to the Legacy Provider.
-.IP "\(bu" 4
-\&\s-1\fBMDC2\s0()\fR, \fBMDC2_Init()\fR, \fBMDC2_Update()\fR, \fBMDC2_Final()\fR
+See "Deprecated low-level encryption functions".
+MD4 has been moved to the Legacy Provider.
+.IP \(bu 4
+\&\fBMDC2()\fR, \fBMDC2_Init()\fR, \fBMDC2_Update()\fR, \fBMDC2_Final()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-\&\s-1MDC2\s0 has been moved to the Legacy Provider.
-.IP "\(bu" 4
-\&\s-1\fBMD5\s0()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, \fBMD5_Final()\fR, \fBMD5_Transform()\fR
+See "Deprecated low-level encryption functions".
+MDC2 has been moved to the Legacy Provider.
+.IP \(bu 4
+\&\fBMD5()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, \fBMD5_Final()\fR, \fBMD5_Transform()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-.IP "\(bu" 4
-\&\s-1\fBNCONF_WIN32\s0()\fR
+See "Deprecated low-level encryption functions".
+.IP \(bu 4
+\&\fBNCONF_WIN32()\fR
.Sp
This undocumented function has no replacement.
-See \*(L"\s-1HISTORY\*(R"\s0 in \fBconfig\fR\|(5) for more details.
-.IP "\(bu" 4
+See "HISTORY" in \fBconfig\fR\|(5) for more details.
+.IP \(bu 4
\&\fBOCSP_parse_url()\fR
.Sp
Use \fBOSSL_HTTP_parse_url\fR\|(3) instead.
-.IP "\(bu" 4
-\&\fB\s-1OCSP_REQ_CTX\s0\fR type and \fBOCSP_REQ_CTX_*()\fR functions
+.IP \(bu 4
+\&\fBOCSP_REQ_CTX\fR type and \fBOCSP_REQ_CTX_*()\fR functions
.Sp
-These methods were used to collect all necessary data to form a \s-1HTTP\s0 request,
-and to perform the \s-1HTTP\s0 transfer with that request. With OpenSSL 3.0, the
-type is \fB\s-1OSSL_HTTP_REQ_CTX\s0\fR, and the deprecated functions are replaced
-with \fBOSSL_HTTP_REQ_CTX_*()\fR. See \s-1\fBOSSL_HTTP_REQ_CTX\s0\fR\|(3) for additional
+These methods were used to collect all necessary data to form a HTTP request,
+and to perform the HTTP transfer with that request. With OpenSSL 3.0, the
+type is \fBOSSL_HTTP_REQ_CTX\fR, and the deprecated functions are replaced
+with \fBOSSL_HTTP_REQ_CTX_*()\fR. See \fBOSSL_HTTP_REQ_CTX\fR\|(3) for additional
details.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOPENSSL_fork_child()\fR, \fBOPENSSL_fork_parent()\fR, \fBOPENSSL_fork_prepare()\fR
.Sp
There is no replacement for these functions. These pthread fork support methods
were unused by OpenSSL.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBOSSL_STORE_ctrl()\fR, \fBOSSL_STORE_do_all_loaders()\fR, \fBOSSL_STORE_LOADER_get0_engine()\fR,
\&\fBOSSL_STORE_LOADER_get0_scheme()\fR, \fBOSSL_STORE_LOADER_new()\fR,
\&\fBOSSL_STORE_LOADER_set_attach()\fR, \fBOSSL_STORE_LOADER_set_close()\fR,
@@ -1744,7 +1714,7 @@ were unused by OpenSSL.
These functions helped applications and engines create loaders for
schemes they supported. These are all deprecated and discouraged in favour of
provider implementations, see \fBprovider\-storemgmt\fR\|(7).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBPEM_read_DHparams()\fR, \fBPEM_read_bio_DHparams()\fR,
\&\fBPEM_read_DSAparams()\fR, \fBPEM_read_bio_DSAparams()\fR,
\&\fBPEM_read_DSAPrivateKey()\fR, \fBPEM_read_DSA_PUBKEY()\fR,
@@ -1762,145 +1732,145 @@ PEM_read_bio_DSAPrivateKey and \fBPEM_read_bio_DSA_PUBKEY()\fR,
\&\fBPEM_write_bio_RSAPrivateKey()\fR, \fBPEM_write_bio_RSA_PUBKEY()\fR,
\&\fBPEM_write_bio_RSAPublicKey()\fR,
.Sp
-See \*(L"Deprecated low-level key reading and writing functions\*(R"
-.IP "\(bu" 4
-\&\s-1\fBPKCS1_MGF1\s0()\fR
+See "Deprecated low-level key reading and writing functions"
+.IP \(bu 4
+\&\fBPKCS1_MGF1()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+.IP \(bu 4
\&\fBRAND_get_rand_method()\fR, \fBRAND_set_rand_method()\fR, \fBRAND_OpenSSL()\fR,
\&\fBRAND_set_rand_engine()\fR
.Sp
Applications should instead use \fBRAND_set_DRBG_type\fR\|(3),
-\&\s-1\fBEVP_RAND\s0\fR\|(3) and \s-1\fBEVP_RAND\s0\fR\|(7).
+\&\fBEVP_RAND\fR\|(3) and \fBEVP_RAND\fR\|(7).
See \fBRAND_set_rand_method\fR\|(3) for more details.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBRC2_encrypt()\fR, \fBRC2_decrypt()\fR, \fBRC2_set_key()\fR, \fBRC2_cbc_encrypt()\fR, \fBRC2_cfb64_encrypt()\fR,
\&\fBRC2_ecb_encrypt()\fR, \fBRC2_ofb64_encrypt()\fR,
-\&\s-1\fBRC4\s0()\fR, \fBRC4_set_key()\fR, \fBRC4_options()\fR,
+\&\fBRC4()\fR, \fBRC4_set_key()\fR, \fBRC4_options()\fR,
\&\fBRC5_32_encrypt()\fR, \fBRC5_32_set_key()\fR, \fBRC5_32_decrypt()\fR, \fBRC5_32_cbc_encrypt()\fR,
\&\fBRC5_32_cfb64_encrypt()\fR, \fBRC5_32_ecb_encrypt()\fR, \fBRC5_32_ofb64_encrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-The Algorithms \*(L"\s-1RC2\*(R", \*(L"RC4\*(R"\s0 and \*(L"\s-1RC5\*(R"\s0 have been moved to the Legacy Provider.
-.IP "\(bu" 4
-\&\s-1\fBRIPEMD160\s0()\fR, \fBRIPEMD160_Init()\fR, \fBRIPEMD160_Update()\fR, \fBRIPEMD160_Final()\fR,
+See "Deprecated low-level encryption functions".
+The Algorithms "RC2", "RC4" and "RC5" have been moved to the Legacy Provider.
+.IP \(bu 4
+\&\fBRIPEMD160()\fR, \fBRIPEMD160_Init()\fR, \fBRIPEMD160_Update()\fR, \fBRIPEMD160_Final()\fR,
\&\fBRIPEMD160_Transform()\fR
.Sp
-See \*(L"Deprecated low-level digest functions\*(R".
-The \s-1RIPE\s0 algorithm has been moved to the Legacy Provider.
-.IP "\(bu" 4
+See "Deprecated low-level digest functions".
+The RIPE algorithm has been moved to the Legacy Provider.
+.IP \(bu 4
\&\fBRSA_bits()\fR, \fBRSA_security_bits()\fR, \fBRSA_size()\fR
.Sp
Use \fBEVP_PKEY_get_bits\fR\|(3), \fBEVP_PKEY_get_security_bits\fR\|(3) and
\&\fBEVP_PKEY_get_size\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBRSA_check_key()\fR, \fBRSA_check_key_ex()\fR
.Sp
-See \*(L"Deprecated low-level validation functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level validation functions"
+.IP \(bu 4
\&\fBRSA_clear_flags()\fR, \fBRSA_flags()\fR, \fBRSA_set_flags()\fR, \fBRSA_test_flags()\fR,
\&\fBRSA_setup_blinding()\fR, \fBRSA_blinding_off()\fR, \fBRSA_blinding_on()\fR
.Sp
-All of these \s-1RSA\s0 flags have been deprecated without replacement:
+All of these RSA flags have been deprecated without replacement:
.Sp
-\&\fB\s-1RSA_FLAG_BLINDING\s0\fR, \fB\s-1RSA_FLAG_CACHE_PRIVATE\s0\fR, \fB\s-1RSA_FLAG_CACHE_PUBLIC\s0\fR,
-\&\fB\s-1RSA_FLAG_EXT_PKEY\s0\fR, \fB\s-1RSA_FLAG_NO_BLINDING\s0\fR, \fB\s-1RSA_FLAG_THREAD_SAFE\s0\fR
-\&\fB\s-1RSA_METHOD_FLAG_NO_CHECK\s0\fR
-.IP "\(bu" 4
+\&\fBRSA_FLAG_BLINDING\fR, \fBRSA_FLAG_CACHE_PRIVATE\fR, \fBRSA_FLAG_CACHE_PUBLIC\fR,
+\&\fBRSA_FLAG_EXT_PKEY\fR, \fBRSA_FLAG_NO_BLINDING\fR, \fBRSA_FLAG_THREAD_SAFE\fR
+\&\fBRSA_METHOD_FLAG_NO_CHECK\fR
+.IP \(bu 4
\&\fBRSA_generate_key_ex()\fR, \fBRSA_generate_multi_prime_key()\fR
.Sp
-See \*(L"Deprecated low-level key generation functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key generation functions".
+.IP \(bu 4
\&\fBRSA_get0_engine()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R"
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides"
+.IP \(bu 4
\&\fBRSA_get0_crt_params()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR,
\&\fBRSA_get0_e()\fR, \fBRSA_get0_factors()\fR, \fBRSA_get0_iqmp()\fR, \fBRSA_get0_key()\fR,
\&\fBRSA_get0_multi_prime_crt_params()\fR, \fBRSA_get0_multi_prime_factors()\fR, \fBRSA_get0_n()\fR,
\&\fBRSA_get0_p()\fR, \fBRSA_get0_pss_params()\fR, \fBRSA_get0_q()\fR,
\&\fBRSA_get_multi_prime_extra_count()\fR
.Sp
-See \*(L"Deprecated low-level key parameter getters\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key parameter getters"
+.IP \(bu 4
\&\fBRSA_new()\fR, \fBRSA_free()\fR, \fBRSA_up_ref()\fR
.Sp
-See \*(L"Deprecated low-level object creation\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level object creation".
+.IP \(bu 4
\&\fBRSA_get_default_method()\fR, RSA_get_ex_data and \fBRSA_get_method()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
\&\fBRSA_get_version()\fR
.Sp
There is no replacement.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBRSA_meth_*()\fR, \fBRSA_new_method()\fR, RSA_null_method and \fBRSA_PKCS1_OpenSSL()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R".
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides".
+.IP \(bu 4
\&\fBRSA_padding_add_*()\fR, \fBRSA_padding_check_*()\fR
.Sp
-See \*(L"Deprecated low-level signing functions\*(R" and
-\&\*(L"Deprecated low-level encryption functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level signing functions" and
+"Deprecated low-level encryption functions".
+.IP \(bu 4
\&\fBRSA_print()\fR, \fBRSA_print_fp()\fR
.Sp
-See \*(L"Deprecated low-level key printing functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key printing functions"
+.IP \(bu 4
\&\fBRSA_public_encrypt()\fR, \fBRSA_private_decrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions"
+.IP \(bu 4
\&\fBRSA_private_encrypt()\fR, \fBRSA_public_decrypt()\fR
.Sp
This is equivalent to doing sign and verify recover operations (with a padding
-mode of none). See \*(L"Deprecated low-level signing functions\*(R".
-.IP "\(bu" 4
+mode of none). See "Deprecated low-level signing functions".
+.IP \(bu 4
\&\fBRSAPrivateKey_dup()\fR, \fBRSAPublicKey_dup()\fR
.Sp
There is no direct replacement. Applications may use \fBEVP_PKEY_dup\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBRSAPublicKey_it()\fR, \fBRSAPrivateKey_it()\fR
.Sp
-See \*(L"Deprecated low-level key reading and writing functions\*(R"
-.IP "\(bu" 4
+See "Deprecated low-level key reading and writing functions"
+.IP \(bu 4
\&\fBRSA_set0_crt_params()\fR, \fBRSA_set0_factors()\fR, \fBRSA_set0_key()\fR,
\&\fBRSA_set0_multi_prime_params()\fR
.Sp
-See \*(L"Deprecated low-level key parameter setters\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level key parameter setters".
+.IP \(bu 4
\&\fBRSA_set_default_method()\fR, \fBRSA_set_method()\fR, \fBRSA_set_ex_data()\fR
.Sp
-See \*(L"Providers are a replacement for engines and low-level method overrides\*(R"
-.IP "\(bu" 4
+See "Providers are a replacement for engines and low-level method overrides"
+.IP \(bu 4
\&\fBRSA_sign()\fR, \fBRSA_sign_ASN1_OCTET_STRING()\fR, \fBRSA_verify()\fR,
\&\fBRSA_verify_ASN1_OCTET_STRING()\fR, \fBRSA_verify_PKCS1_PSS()\fR,
\&\fBRSA_verify_PKCS1_PSS_mgf1()\fR
.Sp
-See \*(L"Deprecated low-level signing functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level signing functions".
+.IP \(bu 4
\&\fBRSA_X931_derive_ex()\fR, \fBRSA_X931_generate_key_ex()\fR, \fBRSA_X931_hash_id()\fR
.Sp
There are no replacements for these functions.
-X931 padding can be set using \*(L"Signature Parameters\*(R" in \s-1\fBEVP_SIGNATURE\-RSA\s0\fR\|(7).
-See \fB\s-1OSSL_SIGNATURE_PARAM_PAD_MODE\s0\fR.
-.IP "\(bu" 4
+X931 padding can be set using "Signature Parameters" in \fBEVP_SIGNATURE\-RSA\fR\|(7).
+See \fBOSSL_SIGNATURE_PARAM_PAD_MODE\fR.
+.IP \(bu 4
\&\fBSEED_encrypt()\fR, \fBSEED_decrypt()\fR, \fBSEED_set_key()\fR, \fBSEED_cbc_encrypt()\fR,
\&\fBSEED_cfb128_encrypt()\fR, \fBSEED_ecb_encrypt()\fR, \fBSEED_ofb128_encrypt()\fR
.Sp
-See \*(L"Deprecated low-level encryption functions\*(R".
-The \s-1SEED\s0 algorithm has been moved to the Legacy Provider.
-.IP "\(bu" 4
+See "Deprecated low-level encryption functions".
+The SEED algorithm has been moved to the Legacy Provider.
+.IP \(bu 4
\&\fBSHA1_Init()\fR, \fBSHA1_Update()\fR, \fBSHA1_Final()\fR, \fBSHA1_Transform()\fR,
\&\fBSHA224_Init()\fR, \fBSHA224_Update()\fR, \fBSHA224_Final()\fR,
\&\fBSHA256_Init()\fR, \fBSHA256_Update()\fR, \fBSHA256_Final()\fR, \fBSHA256_Transform()\fR,
\&\fBSHA384_Init()\fR, \fBSHA384_Update()\fR, \fBSHA384_Final()\fR,
\&\fBSHA512_Init()\fR, \fBSHA512_Update()\fR, \fBSHA512_Final()\fR, \fBSHA512_Transform()\fR
.Sp
-See \*(L"Deprecated low-level digest functions\*(R".
-.IP "\(bu" 4
+See "Deprecated low-level digest functions".
+.IP \(bu 4
\&\fBSRP_Calc_A()\fR, \fBSRP_Calc_B()\fR, \fBSRP_Calc_client_key()\fR, \fBSRP_Calc_server_key()\fR,
\&\fBSRP_Calc_u()\fR, \fBSRP_Calc_x()\fR, \fBSRP_check_known_gN_param()\fR, \fBSRP_create_verifier()\fR,
\&\fBSRP_create_verifier_BN()\fR, \fBSRP_get_default_gN()\fR, \fBSRP_user_pwd_free()\fR, \fBSRP_user_pwd_new()\fR,
@@ -1908,67 +1878,67 @@ See \*(L"Deprecated low-level digest functions\*(R".
\&\fBSRP_VBASE_add0_user()\fR, \fBSRP_VBASE_free()\fR, \fBSRP_VBASE_get1_by_user()\fR, \fBSRP_VBASE_init()\fR,
\&\fBSRP_VBASE_new()\fR, \fBSRP_Verify_A_mod_N()\fR, \fBSRP_Verify_B_mod_N()\fR
.Sp
-There are no replacements for the \s-1SRP\s0 functions.
-.IP "\(bu" 4
+There are no replacements for the SRP functions.
+.IP \(bu 4
\&\fBSSL_CTX_set_tmp_dh_callback()\fR, \fBSSL_set_tmp_dh_callback()\fR,
\&\fBSSL_CTX_set_tmp_dh()\fR, \fBSSL_set_tmp_dh()\fR
.Sp
-These are used to set the Diffie-Hellman (\s-1DH\s0) parameters that are to be used by
-servers requiring ephemeral \s-1DH\s0 keys. Instead applications should consider using
-the built-in \s-1DH\s0 parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3)
+These are used to set the Diffie-Hellman (DH) parameters that are to be used by
+servers requiring ephemeral DH keys. Instead applications should consider using
+the built-in DH parameters that are available by calling \fBSSL_CTX_set_dh_auto\fR\|(3)
or \fBSSL_set_dh_auto\fR\|(3). If custom parameters are necessary then applications can
use the alternative functions \fBSSL_CTX_set0_tmp_dh_pkey\fR\|(3) and
-\&\fBSSL_set0_tmp_dh_pkey\fR\|(3). There is no direct replacement for the \*(L"callback\*(R"
+\&\fBSSL_set0_tmp_dh_pkey\fR\|(3). There is no direct replacement for the "callback"
functions. The callback was originally useful in order to have different
parameters for export and non-export ciphersuites. Export ciphersuites are no
longer supported by OpenSSL. Use of the callback functions should be replaced
by one of the other methods described above.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBSSL_CTX_set_tlsext_ticket_key_cb()\fR
.Sp
Use the new \fBSSL_CTX_set_tlsext_ticket_key_evp_cb\fR\|(3) function instead.
-.IP "\(bu" 4
-\&\s-1\fBWHIRLPOOL\s0()\fR, \fBWHIRLPOOL_Init()\fR, \fBWHIRLPOOL_Update()\fR, \fBWHIRLPOOL_Final()\fR,
+.IP \(bu 4
+\&\fBWHIRLPOOL()\fR, \fBWHIRLPOOL_Init()\fR, \fBWHIRLPOOL_Update()\fR, \fBWHIRLPOOL_Final()\fR,
\&\fBWHIRLPOOL_BitUpdate()\fR
.Sp
-See \*(L"Deprecated low-level digest functions\*(R".
+See "Deprecated low-level digest functions".
The Whirlpool algorithm has been moved to the Legacy Provider.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_certificate_type()\fR
.Sp
This was an undocumented function. Applications can use \fBX509_get0_pubkey\fR\|(3)
and \fBX509_get0_signature\fR\|(3) instead.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBX509_http_nbio()\fR, \fBX509_CRL_http_nbio()\fR
.Sp
Use \fBX509_load_http\fR\|(3) and \fBX509_CRL_load_http\fR\|(3) instead.
.PP
-\fI\s-1NID\s0 handling for provided keys and algorithms\fR
+\fINID handling for provided keys and algorithms\fR
.IX Subsection "NID handling for provided keys and algorithms"
.PP
-The following functions for \s-1NID\s0 (numeric id) handling have changed semantics.
-.IP "\(bu" 4
+The following functions for NID (numeric id) handling have changed semantics.
+.IP \(bu 4
\&\fBEVP_PKEY_id()\fR, \fBEVP_PKEY_get_id()\fR
.Sp
-This function was previously used to reliably return the \s-1NID\s0 of
-an \s-1EVP_PKEY\s0 object, e.g., to look up the name of the algorithm of
-such \s-1EVP_PKEY\s0 by calling \fBOBJ_nid2sn\fR\|(3). With the introduction
+This function was previously used to reliably return the NID of
+an EVP_PKEY object, e.g., to look up the name of the algorithm of
+such EVP_PKEY by calling \fBOBJ_nid2sn\fR\|(3). With the introduction
of \fBprovider\fR\|(7)s \fBEVP_PKEY_id()\fR or its new equivalent
\&\fBEVP_PKEY_get_id\fR\|(3) might now also return the value \-1
-(\fB\s-1EVP_PKEY_KEYMGMT\s0\fR) indicating the use of a provider to
-implement the \s-1EVP_PKEY\s0 object. Therefore, the use of
+(\fBEVP_PKEY_KEYMGMT\fR) indicating the use of a provider to
+implement the EVP_PKEY object. Therefore, the use of
\&\fBEVP_PKEY_get0_type_name\fR\|(3) is recommended for retrieving
-the name of the \s-1EVP_PKEY\s0 algorithm.
-.SS "Using the \s-1FIPS\s0 Module in applications"
+the name of the EVP_PKEY algorithm.
+.SS "Using the FIPS Module in applications"
.IX Subsection "Using the FIPS Module in applications"
-See \fBfips_module\fR\|(7) and \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7) for details.
+See \fBfips_module\fR\|(7) and \fBOSSL_PROVIDER\-FIPS\fR\|(7) for details.
.SS "OpenSSL command line application changes"
.IX Subsection "OpenSSL command line application changes"
\fINew applications\fR
.IX Subsection "New applications"
.PP
-\&\fBopenssl kdf\fR uses the new \s-1\fBEVP_KDF\s0\fR\|(3) \s-1API.\s0
-\&\fBopenssl kdf\fR uses the new \s-1\fBEVP_MAC\s0\fR\|(3) \s-1API.\s0
+\&\fBopenssl kdf\fR uses the new \fBEVP_KDF\fR\|(3) API.
+\&\fBopenssl kdf\fR uses the new \fBEVP_MAC\fR\|(3) API.
.PP
\fIAdded options\fR
.IX Subsection "Added options"
@@ -1983,7 +1953,7 @@ The \fBlist\fR app has many new options. See \fBopenssl\-list\fR\|(1) for more
information.
.PP
\&\fB\-crl_lastupdate\fR and \fB\-crl_nextupdate\fR used by \fBopenssl ca\fR allows
-explicit setting of fields in the generated \s-1CRL.\s0
+explicit setting of fields in the generated CRL.
.PP
\fIRemoved options\fR
.IX Subsection "Removed options"
@@ -2000,28 +1970,28 @@ The \fB\-c\fR option used by \fBopenssl x509\fR, \fBopenssl dhparam\fR,
The output of Command line applications may have minor changes.
These are primarily changes in capitalisation and white space. However, in some
cases, there are additional differences.
-For example, the \s-1DH\s0 parameters output from \fBopenssl dhparam\fR now lists 'P',
+For example, the DH parameters output from \fBopenssl dhparam\fR now lists 'P',
\&'Q', 'G' and 'pcounter' instead of 'prime', 'generator', 'subgroup order' and
\&'counter' respectively.
.PP
The \fBopenssl\fR commands that read keys, certificates, and CRLs now
-automatically detect the \s-1PEM\s0 or \s-1DER\s0 format of the input files so it is not
+automatically detect the PEM or DER format of the input files so it is not
necessary to explicitly specify the input format anymore. However if the
input format option is used the specified format will be required.
.PP
-\&\fBopenssl speed\fR no longer uses low-level \s-1API\s0 calls.
+\&\fBopenssl speed\fR no longer uses low-level API calls.
This implies some of the performance numbers might not be comparable with the
previous releases due to higher overhead. This applies particularly to
measuring performance on smaller data chunks.
.PP
b<openssl dhparam>, \fBopenssl dsa\fR, \fBopenssl gendsa\fR, \fBopenssl dsaparam\fR,
-\&\fBopenssl genrsa\fR and \fBopenssl rsa\fR have been modified to use \s-1PKEY\s0 APIs.
-\&\fBopenssl genrsa\fR and \fBopenssl rsa\fR now write \s-1PKCS\s0 #8 keys by default.
+\&\fBopenssl genrsa\fR and \fBopenssl rsa\fR have been modified to use PKEY APIs.
+\&\fBopenssl genrsa\fR and \fBopenssl rsa\fR now write PKCS #8 keys by default.
.PP
\fIDefault settings\fR
.IX Subsection "Default settings"
.PP
-\&\*(L"\s-1SHA256\*(R"\s0 is now the default digest for \s-1TS\s0 query used by \fBopenssl ts\fR.
+"SHA256" is now the default digest for TS query used by \fBopenssl ts\fR.
.PP
\fIDeprecated apps\fR
.IX Subsection "Deprecated apps"
@@ -2030,119 +2000,119 @@ b<openssl dhparam>, \fBopenssl dsa\fR, \fBopenssl gendsa\fR, \fBopenssl dsaparam
\&\fBopenssl dhparam\fR, \fBopenssl dsa\fR, \fBopenssl gendsa\fR, \fBopenssl dsaparam\fR,
\&\fBopenssl genrsa\fR, \fBopenssl rsa\fR, \fBopenssl genrsa\fR and \fBopenssl rsa\fR are
now in maintenance mode and no new features will be added to them.
-.SS "\s-1TLS\s0 Changes"
+.SS "TLS Changes"
.IX Subsection "TLS Changes"
-.IP "\(bu" 4
-\&\s-1TLS 1.3 FFDHE\s0 key exchange support added
+.IP \(bu 4
+TLS 1.3 FFDHE key exchange support added
.Sp
-This uses \s-1DH\s0 safe prime named groups.
-.IP "\(bu" 4
-Support for fully \*(L"pluggable\*(R" TLSv1.3 groups.
+This uses DH safe prime named groups.
+.IP \(bu 4
+Support for fully "pluggable" TLSv1.3 groups.
.Sp
This means that providers may supply their own group implementations (using
-either the \*(L"key exchange\*(R" or the \*(L"key encapsulation\*(R" methods) which will
+either the "key exchange" or the "key encapsulation" methods) which will
automatically be detected and used by libssl.
-.IP "\(bu" 4
-\&\s-1SSL\s0 and \s-1SSL_CTX\s0 options are now 64 bit instead of 32 bit.
+.IP \(bu 4
+SSL and SSL_CTX options are now 64 bit instead of 32 bit.
.Sp
-The signatures of the functions to get and set options on \s-1SSL\s0 and
-\&\s-1SSL_CTX\s0 objects changed from \*(L"unsigned long\*(R" to \*(L"uint64_t\*(R" type.
+The signatures of the functions to get and set options on SSL and
+SSL_CTX objects changed from "unsigned long" to "uint64_t" type.
.Sp
This may require source code changes. For example it is no longer possible
-to use the \fB\s-1SSL_OP_\s0\fR macro values in preprocessor \f(CW\*(C`#if\*(C'\fR conditions.
+to use the \fBSSL_OP_\fR macro values in preprocessor \f(CW\*(C`#if\*(C'\fR conditions.
However it is still possible to test whether these macros are defined or not.
.Sp
See \fBSSL_CTX_get_options\fR\|(3), \fBSSL_CTX_set_options\fR\|(3),
\&\fBSSL_get_options\fR\|(3) and \fBSSL_set_options\fR\|(3).
-.IP "\(bu" 4
+.IP \(bu 4
\&\fBSSL_set1_host()\fR and \fBSSL_add1_host()\fR Changes
.Sp
-These functions now take \s-1IP\s0 literal addresses as well as actual hostnames.
-.IP "\(bu" 4
-Added \s-1SSL\s0 option \s-1SSL_OP_CLEANSE_PLAINTEXT\s0
+These functions now take IP literal addresses as well as actual hostnames.
+.IP \(bu 4
+Added SSL option SSL_OP_CLEANSE_PLAINTEXT
.Sp
If the option is set, openssl cleanses (zeroizes) plaintext bytes from
internal buffers after delivering them to the application. Note,
the application is still responsible for cleansing other copies
(e.g.: data received by \fBSSL_read\fR\|(3)).
-.IP "\(bu" 4
+.IP \(bu 4
Client-initiated renegotiation is disabled by default.
.Sp
To allow it, use the \fB\-client_renegotiation\fR option,
-the \fB\s-1SSL_OP_ALLOW_CLIENT_RENEGOTIATION\s0\fR flag, or the \f(CW\*(C`ClientRenegotiation\*(C'\fR
+the \fBSSL_OP_ALLOW_CLIENT_RENEGOTIATION\fR flag, or the \f(CW\*(C`ClientRenegotiation\*(C'\fR
config parameter as appropriate.
-.IP "\(bu" 4
-Secure renegotiation is now required by default for \s-1TLS\s0 connections
+.IP \(bu 4
+Secure renegotiation is now required by default for TLS connections
.Sp
-Support for \s-1RFC 5746\s0 secure renegotiation is now required by default for
-\&\s-1SSL\s0 or \s-1TLS\s0 connections to succeed. Applications that require the ability
+Support for RFC 5746 secure renegotiation is now required by default for
+SSL or TLS connections to succeed. Applications that require the ability
to connect to legacy peers will need to explicitly set
-\&\s-1SSL_OP_LEGACY_SERVER_CONNECT.\s0 Accordingly, \s-1SSL_OP_LEGACY_SERVER_CONNECT\s0
-is no longer set as part of \s-1SSL_OP_ALL.\s0
-.IP "\(bu" 4
+SSL_OP_LEGACY_SERVER_CONNECT. Accordingly, SSL_OP_LEGACY_SERVER_CONNECT
+is no longer set as part of SSL_OP_ALL.
+.IP \(bu 4
Combining the Configure options no-ec and no-dh no longer disables TLSv1.3
.Sp
-Typically if OpenSSL has no \s-1EC\s0 or \s-1DH\s0 algorithms then it cannot support
-connections with TLSv1.3. However OpenSSL now supports \*(L"pluggable\*(R" groups
+Typically if OpenSSL has no EC or DH algorithms then it cannot support
+connections with TLSv1.3. However OpenSSL now supports "pluggable" groups
through providers. Therefore third party providers may supply group
implementations even where there are no built-in ones. Attempting to create
-\&\s-1TLS\s0 connections in such a build without also disabling TLSv1.3 at run time or
+TLS connections in such a build without also disabling TLSv1.3 at run time or
using third party provider groups may result in handshake failures. TLSv1.3
-can be disabled at compile time using the \*(L"no\-tls1_3\*(R" Configure option.
-.IP "\(bu" 4
+can be disabled at compile time using the "no\-tls1_3" Configure option.
+.IP \(bu 4
\&\fBSSL_CTX_set_ciphersuites()\fR and \fBSSL_set_ciphersuites()\fR changes.
.Sp
The methods now ignore unknown ciphers.
-.IP "\(bu" 4
+.IP \(bu 4
Security callback change.
.Sp
The security callback, which can be customised by application code, supports
-the security operation \s-1SSL_SECOP_TMP_DH.\s0 This is defined to take an \s-1EVP_PKEY\s0
-in the \*(L"other\*(R" parameter. In most places this is what is passed. All these
+the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
-security operation and it passed a \s-1DH\s0 object instead. This is incorrect
-according to the definition of \s-1SSL_SECOP_TMP_DH,\s0 and is inconsistent with all
+security operation and it passed a DH object instead. This is incorrect
+according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
-pass an \s-1EVP_PKEY\s0 instead.
-.IP "\(bu" 4
-New \s-1SSL\s0 option \s-1SSL_OP_IGNORE_UNEXPECTED_EOF\s0
+pass an EVP_PKEY instead.
+.IP \(bu 4
+New SSL option SSL_OP_IGNORE_UNEXPECTED_EOF
.Sp
-The \s-1SSL\s0 option \s-1SSL_OP_IGNORE_UNEXPECTED_EOF\s0 is introduced. If that option
-is set, an unexpected \s-1EOF\s0 is ignored, it pretends a close notify was received
-instead and so the returned error becomes \s-1SSL_ERROR_ZERO_RETURN.\s0
-.IP "\(bu" 4
-The security strength of \s-1SHA1\s0 and \s-1MD5\s0 based signatures in \s-1TLS\s0 has been reduced.
+The SSL option SSL_OP_IGNORE_UNEXPECTED_EOF is introduced. If that option
+is set, an unexpected EOF is ignored, it pretends a close notify was received
+instead and so the returned error becomes SSL_ERROR_ZERO_RETURN.
+.IP \(bu 4
+The security strength of SHA1 and MD5 based signatures in TLS has been reduced.
.Sp
-This results in \s-1SSL 3, TLS 1.0, TLS 1.1\s0 and \s-1DTLS 1.0\s0 no longer
+This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
working at the default security level of 1 and instead requires security
level 0. The security level can be changed either using the cipher string
with \f(CW@SECLEVEL\fR, or calling \fBSSL_CTX_set_security_level\fR\|(3). This also means
that where the signature algorithms extension is missing from a ClientHello
-then the handshake will fail in \s-1TLS 1.2\s0 at security level 1. This is because,
+then the handshake will fail in TLS 1.2 at security level 1. This is because,
although this extension is optional, failing to provide one means that
OpenSSL will fallback to a default set of signature algorithms. This default
-set requires the availability of \s-1SHA1.\s0
-.IP "\(bu" 4
-X509 certificates signed using \s-1SHA1\s0 are no longer allowed at security level 1 and above.
+set requires the availability of SHA1.
+.IP \(bu 4
+X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
.Sp
-In \s-1TLS/SSL\s0 the default security level is 1. It can be set either using the cipher
+In TLS/SSL the default security level is 1. It can be set either using the cipher
string with \f(CW@SECLEVEL\fR, or calling \fBSSL_CTX_set_security_level\fR\|(3). If the
-leaf certificate is signed with \s-1SHA\-1,\s0 a call to \fBSSL_CTX_use_certificate\fR\|(3)
+leaf certificate is signed with SHA\-1, a call to \fBSSL_CTX_use_certificate\fR\|(3)
will fail if the security level is not lowered first.
-Outside \s-1TLS/SSL,\s0 the default security level is \-1 (effectively 0). It can
+Outside TLS/SSL, the default security level is \-1 (effectively 0). It can
be set using \fBX509_VERIFY_PARAM_set_auth_level\fR\|(3) or using the \fB\-auth_level\fR
options of the commands.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBfips_module\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The migration guide was created for OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2021\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7
new file mode 100644
index 000000000000..7cd93a86544f
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-block.7
@@ -0,0 +1,461 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl"
+.TH OSSL-GUIDE-QUIC-CLIENT-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-quic\-client\-block
+\&\- OpenSSL Guide: Writing a simple blocking QUIC client
+.SH "SIMPLE BLOCKING QUIC CLIENT EXAMPLE"
+.IX Header "SIMPLE BLOCKING QUIC CLIENT EXAMPLE"
+This page will present various source code samples demonstrating how to write
+a simple blocking QUIC client application which connects to a server, sends an
+HTTP/1.0 request to it, and reads back the response. Note that HTTP/1.0 over
+QUIC is non-standard and will not be supported by real world servers. This is
+for demonstration purposes only.
+.PP
+We assume that you already have OpenSSL installed on your system; that you
+already have some fundamental understanding of OpenSSL concepts, TLS and QUIC
+(see \fBossl\-guide\-libraries\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7)
+and \fBossl\-guide\-quic\-introduction\fR\|(7)); and that you know how to
+write and build C code and link it against the libcrypto and libssl libraries
+that are provided by OpenSSL. It also assumes that you have a basic
+understanding of UDP/IP and sockets. The example code that we build in this
+tutorial will amend the blocking TLS client example that is covered in
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7). Only the differences between that client and
+this one will be discussed so we also assume that you have run through and
+understand that tutorial.
+.PP
+For this tutorial our client will be using a single QUIC stream. A subsequent
+tutorial will discuss how to write a multi-stream client (see
+\&\fBossl\-guide\-quic\-multi\-stream\fR\|(7)).
+.PP
+The complete source code for this example blocking QUIC client is available in
+the \f(CW\*(C`demos/guide\*(C'\fR directory of the OpenSSL source distribution in the file
+\&\f(CW\*(C`quic\-client\-block.c\*(C'\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/quic\-client\-block.c>.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+In the TLS tutorial (\fBossl\-guide\-tls\-client\-block\fR\|(7)) we created an \fBSSL_CTX\fR
+object for our client and used it to create an \fBSSL\fR object to represent the
+TLS connection. A QUIC connection works in exactly the same way. We first create
+an \fBSSL_CTX\fR object and then use it to create an \fBSSL\fR object to represent the
+QUIC connection.
+.PP
+As in the TLS example the first step is to create an \fBSSL_CTX\fR object for our
+client. This is done in the same way as before except that we use a different
+"method". OpenSSL offers two different QUIC client methods, i.e.
+\&\fBOSSL_QUIC_client_method\fR\|(3) and \fBOSSL_QUIC_client_thread_method\fR\|(3).
+.PP
+The first one is the equivalent of \fBTLS_client_method\fR\|(3) but for the QUIC
+protocol. The second one is the same, but it will additionally create a
+background thread for handling time based events (known as "thread assisted
+mode", see \fBossl\-guide\-quic\-introduction\fR\|(7)). For this tutorial we will be
+using \fBOSSL_QUIC_client_method\fR\|(3) because we will not be leaving the QUIC
+connection idle in our application and so thread assisted mode is not needed.
+.PP
+.Vb 10
+\& /*
+\& * Create an SSL_CTX which we can use to create SSL objects from. We
+\& * want an SSL_CTX for creating clients so we use OSSL_QUIC_client_method()
+\& * here.
+\& */
+\& ctx = SSL_CTX_new(OSSL_QUIC_client_method());
+\& if (ctx == NULL) {
+\& printf("Failed to create the SSL_CTX\en");
+\& goto end;
+\& }
+.Ve
+.PP
+The other setup steps that we applied to the \fBSSL_CTX\fR for TLS also apply to
+QUIC except for restricting the TLS versions that we are willing to accept. The
+QUIC protocol implementation in OpenSSL currently only supports TLSv1.3. There
+is no need to call \fBSSL_CTX_set_min_proto_version\fR\|(3) or
+\&\fBSSL_CTX_set_max_proto_version\fR\|(3) in an OpenSSL QUIC application, and any such
+call will be ignored.
+.PP
+Once the \fBSSL_CTX\fR is created, the \fBSSL\fR object is constructed in exactly the
+same way as for the TLS application.
+.SS "Creating the socket and BIO"
+.IX Subsection "Creating the socket and BIO"
+A major difference between TLS and QUIC is the underlying transport protocol.
+TLS uses TCP while QUIC uses UDP. The way that the QUIC socket is created in our
+example code is much the same as for TLS. We use the \fBBIO_lookup_ex\fR\|(3) and
+\&\fBBIO_socket\fR\|(3) helper functions as we did in the previous tutorial except that
+we pass \fBSOCK_DGRAM\fR as an argument to indicate UDP (instead of \fBSOCK_STREAM\fR
+for TCP).
+.PP
+.Vb 6
+\& /*
+\& * Lookup IP address info for the server.
+\& */
+\& if (!BIO_lookup_ex(hostname, port, BIO_LOOKUP_CLIENT, family, SOCK_DGRAM, 0,
+\& &res))
+\& return NULL;
+\&
+\& /*
+\& * Loop through all the possible addresses for the server and find one
+\& * we can connect to.
+\& */
+\& for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
+\& /*
+\& * Create a TCP socket. We could equally use non\-OpenSSL calls such
+\& * as "socket" here for this and the subsequent connect and close
+\& * functions. But for portability reasons and also so that we get
+\& * errors on the OpenSSL stack in the event of a failure we use
+\& * OpenSSL\*(Aqs versions of these functions.
+\& */
+\& sock = BIO_socket(BIO_ADDRINFO_family(ai), SOCK_DGRAM, 0, 0);
+\& if (sock == \-1)
+\& continue;
+\&
+\& /* Connect the socket to the server\*(Aqs address */
+\& if (!BIO_connect(sock, BIO_ADDRINFO_address(ai), 0)) {
+\& BIO_closesocket(sock);
+\& sock = \-1;
+\& continue;
+\& }
+\&
+\& /* Set to nonblocking mode */
+\& if (!BIO_socket_nbio(sock, 1)) {
+\& BIO_closesocket(sock);
+\& sock = \-1;
+\& continue;
+\& }
+\&
+\& break;
+\& }
+\&
+\& if (sock != \-1) {
+\& *peer_addr = BIO_ADDR_dup(BIO_ADDRINFO_address(ai));
+\& if (*peer_addr == NULL) {
+\& BIO_closesocket(sock);
+\& return NULL;
+\& }
+\& }
+\&
+\& /* Free the address information resources we allocated earlier */
+\& BIO_ADDRINFO_free(res);
+.Ve
+.PP
+You may notice a couple of other differences between this code and the version
+that we used for TLS.
+.PP
+Firstly, we set the socket into nonblocking mode. This must always be done for
+an OpenSSL QUIC application. This may be surprising considering that we are
+trying to write a blocking client. Despite this the \fBSSL\fR object will still
+have blocking behaviour. See \fBossl\-guide\-quic\-introduction\fR\|(7) for further
+information on this.
+.PP
+Secondly, we take note of the IP address of the peer that we are connecting to.
+We store that information away. We will need it later.
+.PP
+See \fBBIO_lookup_ex\fR\|(3), \fBBIO_socket\fR\|(3), \fBBIO_connect\fR\|(3),
+\&\fBBIO_closesocket\fR\|(3), \fBBIO_ADDRINFO_next\fR\|(3), \fBBIO_ADDRINFO_address\fR\|(3),
+\&\fBBIO_ADDRINFO_free\fR\|(3) and \fBBIO_ADDR_dup\fR\|(3) for further information on the
+functions used here. In the above example code the \fBhostname\fR and \fBport\fR
+variables are strings, e.g. "www.example.com" and "443".
+.PP
+As for our TLS client, once the socket has been created and connected we need to
+associate it with a BIO object:
+.PP
+.Vb 1
+\& BIO *bio;
+\&
+\& /* Create a BIO to wrap the socket */
+\& bio = BIO_new(BIO_s_datagram());
+\& if (bio == NULL) {
+\& BIO_closesocket(sock);
+\& return NULL;
+\& }
+\&
+\& /*
+\& * Associate the newly created BIO with the underlying socket. By
+\& * passing BIO_CLOSE here the socket will be automatically closed when
+\& * the BIO is freed. Alternatively you can use BIO_NOCLOSE, in which
+\& * case you must close the socket explicitly when it is no longer
+\& * needed.
+\& */
+\& BIO_set_fd(bio, sock, BIO_CLOSE);
+.Ve
+.PP
+Note the use of \fBBIO_s_datagram\fR\|(3) here as opposed to \fBBIO_s_socket\fR\|(3) that
+we used for our TLS client. This is again due to the fact that QUIC uses UDP
+instead of TCP for its transport layer. See \fBBIO_new\fR\|(3), \fBBIO_s_datagram\fR\|(3)
+and \fBBIO_set_fd\fR\|(3) for further information on these functions.
+.SS "Setting the server's hostname"
+.IX Subsection "Setting the server's hostname"
+As in the TLS tutorial we need to set the server's hostname both for SNI (Server
+Name Indication) and for certificate validation purposes. The steps for this are
+identical to the TLS tutorial and won't be repeated here.
+.SS "Setting the ALPN"
+.IX Subsection "Setting the ALPN"
+ALPN (Application-Layer Protocol Negotiation) is a feature of TLS that enables
+the application to negotiate which protocol will be used over the connection.
+For example, if you intend to use HTTP/3 over the connection then the ALPN value
+for that is "h3" (see
+<https://www.iana.org/assignments/tls\-extensiontype\-values/tls\-extensiontype\-values.xml#alpn\-protocol\-ids>).
+OpenSSL provides the ability for a client to specify the ALPN to use via the
+\&\fBSSL_set_alpn_protos\fR\|(3) function. This is optional for a TLS client and so our
+simple client that we developed in \fBossl\-guide\-tls\-client\-block\fR\|(7) did not use
+it. However QUIC mandates that the TLS handshake used in establishing a QUIC
+connection must use ALPN.
+.PP
+.Vb 1
+\& unsigned char alpn[] = { 8, \*(Aqh\*(Aq, \*(Aqt\*(Aq, \*(Aqt\*(Aq, \*(Aqp\*(Aq, \*(Aq/\*(Aq, \*(Aq1\*(Aq, \*(Aq.\*(Aq, \*(Aq0\*(Aq };
+\&
+\& /* SSL_set_alpn_protos returns 0 for success! */
+\& if (SSL_set_alpn_protos(ssl, alpn, sizeof(alpn)) != 0) {
+\& printf("Failed to set the ALPN for the connection\en");
+\& goto end;
+\& }
+.Ve
+.PP
+The ALPN is specified using a length prefixed array of unsigned chars (it is not
+a NUL terminated string). Our original TLS blocking client demo was using
+HTTP/1.0. We will use the same for this example. Unlike most OpenSSL functions
+\&\fBSSL_set_alpn_protos\fR\|(3) returns zero for success and nonzero for failure.
+.SS "Setting the peer address"
+.IX Subsection "Setting the peer address"
+An OpenSSL QUIC application must specify the target address of the server that
+is being connected to. In "Creating the socket and BIO" above we saved that
+address away for future use. Now we need to use it via the
+\&\fBSSL_set1_initial_peer_addr\fR\|(3) function.
+.PP
+.Vb 5
+\& /* Set the IP address of the remote peer */
+\& if (!SSL_set1_initial_peer_addr(ssl, peer_addr)) {
+\& printf("Failed to set the initial peer address\en");
+\& goto end;
+\& }
+.Ve
+.PP
+Note that we will need to free the \fBpeer_addr\fR value that we allocated via
+\&\fBBIO_ADDR_dup\fR\|(3) earlier:
+.PP
+.Vb 1
+\& BIO_ADDR_free(peer_addr);
+.Ve
+.SS "The handshake and application data transfer"
+.IX Subsection "The handshake and application data transfer"
+Once initial setup of the \fBSSL\fR object is complete then we perform the
+handshake via \fBSSL_connect\fR\|(3) in exactly the same way as we did for the TLS
+client, so we won't repeat it here.
+.PP
+We can also perform data transfer using a default QUIC stream that is
+automatically associated with the \fBSSL\fR object for us. We can transmit data
+using \fBSSL_write_ex\fR\|(3), and receive data using \fBSSL_read_ex\fR\|(3) in the same
+way as for TLS. The main difference is that we have to account for failures
+slightly differently. With QUIC the stream can be reset by the peer (which is
+fatal for that stream), but the underlying connection itself may still be
+healthy.
+.PP
+First, we write the entire request to the stream. We also must make sure to
+signal to the server that we have finished writing. This can be done by passing
+the SSL_WRITE_FLAG_CONCLUDE flag to \fBSSL_write_ex2\fR\|(3) or by calling
+\&\fBSSL_stream_conclude\fR\|(3). Since the first way is more efficient, we choose to
+do that.
+.PP
+.Vb 10
+\& /* Write an HTTP GET request to the peer */
+\& if (!SSL_write_ex(ssl, request_start, strlen(request_start), &written)) {
+\& printf("Failed to write start of HTTP request\en");
+\& goto end;
+\& }
+\& if (!SSL_write_ex(ssl, hostname, strlen(hostname), &written)) {
+\& printf("Failed to write hostname in HTTP request\en");
+\& goto end;
+\& }
+\& if (!SSL_write_ex2(ssl, request_end, strlen(request_end),
+\& SSL_WRITE_FLAG_CONCLUDE, &written)) {
+\& printf("Failed to write end of HTTP request\en");
+\& goto end;
+\& }
+.Ve
+.PP
+Then, we read the response from the server.
+.PP
+.Vb 10
+\& /*
+\& * Get up to sizeof(buf) bytes of the response. We keep reading until the
+\& * server closes the connection.
+\& */
+\& while (SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) {
+\& /*
+\& * OpenSSL does not guarantee that the returned data is a string or
+\& * that it is NUL terminated so we use fwrite() to write the exact
+\& * number of bytes that we read. The data could be non\-printable or
+\& * have NUL characters in the middle of it. For this simple example
+\& * we\*(Aqre going to print it to stdout anyway.
+\& */
+\& fwrite(buf, 1, readbytes, stdout);
+\& }
+\& /* In case the response didn\*(Aqt finish with a newline we add one now */
+\& printf("\en");
+\&
+\& /*
+\& * Check whether we finished the while loop above normally or as the
+\& * result of an error. The 0 argument to SSL_get_error() is the return
+\& * code we received from the SSL_read_ex() call. It must be 0 in order
+\& * to get here. Normal completion is indicated by SSL_ERROR_ZERO_RETURN. In
+\& * QUIC terms this means that the peer has sent FIN on the stream to
+\& * indicate that no further data will be sent.
+\& */
+\& switch (SSL_get_error(ssl, 0)) {
+\& case SSL_ERROR_ZERO_RETURN:
+\& /* Normal completion of the stream */
+\& break;
+\&
+\& case SSL_ERROR_SSL:
+\& /*
+\& * Some stream fatal error occurred. This could be because of a stream
+\& * reset \- or some failure occurred on the underlying connection.
+\& */
+\& switch (SSL_get_stream_read_state(ssl)) {
+\& case SSL_STREAM_STATE_RESET_REMOTE:
+\& printf("Stream reset occurred\en");
+\& /* The stream has been reset but the connection is still healthy. */
+\& break;
+\&
+\& case SSL_STREAM_STATE_CONN_CLOSED:
+\& printf("Connection closed\en");
+\& /* Connection is already closed. Skip SSL_shutdown() */
+\& goto end;
+\&
+\& default:
+\& printf("Unknown stream failure\en");
+\& break;
+\& }
+\& break;
+\&
+\& default:
+\& /* Some other unexpected error occurred */
+\& printf ("Failed reading remaining data\en");
+\& break;
+\& }
+.Ve
+.PP
+In the above code example you can see that \fBSSL_ERROR_SSL\fR indicates a stream
+fatal error. We can use \fBSSL_get_stream_read_state\fR\|(3) to determine whether the
+stream has been reset, or if some other fatal error has occurred.
+.SS "Shutting down the connection"
+.IX Subsection "Shutting down the connection"
+In the TLS tutorial we knew that the server had finished sending data because
+\&\fBSSL_read_ex\fR\|(3) returned 0, and \fBSSL_get_error\fR\|(3) returned
+\&\fBSSL_ERROR_ZERO_RETURN\fR. The same is true with QUIC except that
+\&\fBSSL_ERROR_ZERO_RETURN\fR should be interpreted slightly differently. With TLS
+we knew that this meant that the server had sent a "close_notify" alert. No
+more data will be sent from the server on that connection.
+.PP
+With QUIC it means that the server has indicated "FIN" on the stream, meaning
+that it will no longer send any more data on that stream. However this only
+gives us information about the stream itself and does not tell us anything about
+the underlying connection. More data could still be sent from the server on some
+other stream. Additionally, although the server will not send any more data to
+the client, it does not prevent the client from sending more data to the server.
+.PP
+In this tutorial, once we have finished reading data from the server on the one
+stream that we are using, we will close the connection down. As before we do
+this via the \fBSSL_shutdown\fR\|(3) function. This example for QUIC is very similar
+to the TLS version. However the \fBSSL_shutdown\fR\|(3) function will need to be
+called more than once:
+.PP
+.Vb 11
+\& /*
+\& * Repeatedly call SSL_shutdown() until the connection is fully
+\& * closed.
+\& */
+\& do {
+\& ret = SSL_shutdown(ssl);
+\& if (ret < 0) {
+\& printf("Error shutting down: %d\en", ret);
+\& goto end;
+\& }
+\& } while (ret != 1);
+.Ve
+.PP
+The shutdown process is in two stages. In the first stage we wait until all the
+data we have buffered for sending on any stream has been successfully sent and
+acknowledged by the peer, and then we send a CONNECTION_CLOSE to the peer to
+indicate that the connection is no longer usable. This immediately closes the
+connection and no more data can be sent or received. \fBSSL_shutdown\fR\|(3) returns
+0 once the first stage has been completed.
+.PP
+In the second stage the connection enters a "closing" state. Application data
+cannot be sent or received in this state, but late arriving packets coming from
+the peer will be handled appropriately. Once this stage has completed
+successfully \fBSSL_shutdown\fR\|(3) will return 1 to indicate success.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-quic\-multi\-stream\fR\|(7) to read a tutorial on how to modify the
+client developed on this page to support multiple streams.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7),
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7), \fBossl\-guide\-quic\-introduction\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7
new file mode 100644
index 000000000000..cf99b69caa9e
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-client-non-block.7
@@ -0,0 +1,528 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl"
+.TH OSSL-GUIDE-QUIC-CLIENT-NON-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-quic\-client\-non\-block
+\&\- OpenSSL Guide: Writing a simple nonblocking QUIC client
+.SH "SIMPLE NONBLOCKING QUIC CLIENT EXAMPLE"
+.IX Header "SIMPLE NONBLOCKING QUIC CLIENT EXAMPLE"
+This page will build on the example developed on the
+\&\fBossl\-guide\-quic\-client\-block\fR\|(7) page which demonstrates how to write a simple
+blocking QUIC client. On this page we will amend that demo code so that it
+supports nonblocking functionality.
+.PP
+The complete source code for this example nonblocking QUIC client is available
+in the \fBdemos/guide\fR directory of the OpenSSL source distribution in the file
+\&\fBquic\-client\-non\-block.c\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/quic\-client\-non\-block.c>.
+.PP
+As we saw in the previous example an OpenSSL QUIC application always uses a
+nonblocking socket. However, despite this, the \fBSSL\fR object still has blocking
+behaviour. When the \fBSSL\fR object has blocking behaviour then this means that
+it waits (blocks) until data is available to read if you attempt to read from
+it when there is no data yet. Similarly it waits when writing if the \fBSSL\fR
+object is currently unable to write at the moment. This can simplify the
+development of code because you do not have to worry about what to do in these
+cases. The execution of the code will simply stop until it is able to continue.
+However in many cases you do not want this behaviour. Rather than stopping and
+waiting your application may need to go and do other tasks whilst the \fBSSL\fR
+object is unable to read/write, for example updating a GUI or performing
+operations on some other connection or stream.
+.PP
+We will see later in this tutorial how to change the \fBSSL\fR object so that it
+has nonblocking behaviour. With a nonblocking \fBSSL\fR object, functions such as
+\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will return immediately with a non-fatal
+error if they are currently unable to read or write respectively.
+.PP
+Since this page is building on the example developed on the
+\&\fBossl\-guide\-quic\-client\-block\fR\|(7) page we assume that you are familiar with it
+and we only explain how this example differs.
+.SS "Performing work while waiting for the socket"
+.IX Subsection "Performing work while waiting for the socket"
+In a nonblocking application you will need work to perform in the event that
+we want to read or write to the \fBSSL\fR object but we are currently unable to.
+In fact this is the whole point of using a nonblocking \fBSSL\fR object, i.e. to
+give the application the opportunity to do something else. Whatever it is that
+the application has to do, it must also be prepared to come back and retry the
+operation that it previously attempted periodically to see if it can now
+complete. Ideally it would only do this in the event that something has changed
+such that it might succeed on the retry attempt, but this does not have to be
+the case. It can retry at any time.
+.PP
+Note that it is important that you retry exactly the same operation that you
+tried last time. You cannot start something new. For example if you were
+attempting to write the text "Hello World" and the operation failed because the
+\&\fBSSL\fR object is currently unable to write, then you cannot then attempt to
+write some other text when you retry the operation.
+.PP
+In this demo application we will create a helper function which simulates doing
+other work. In fact, for the sake of simplicity, it will do nothing except wait
+for the state of the underlying socket to change or until a timeout expires
+after which the state of the \fBSSL\fR object might have changed. We will call our
+function \f(CWwait_for_activity()\fR.
+.PP
+.Vb 6
+\& static void wait_for_activity(SSL *ssl)
+\& {
+\& fd_set wfds, rfds;
+\& int width, sock, isinfinite;
+\& struct timeval tv;
+\& struct timeval *tvp = NULL;
+\&
+\& /* Get hold of the underlying file descriptor for the socket */
+\& sock = SSL_get_fd(ssl);
+\&
+\& FD_ZERO(&wfds);
+\& FD_ZERO(&rfds);
+\&
+\& /*
+\& * Find out if we would like to write to the socket, or read from it (or
+\& * both)
+\& */
+\& if (SSL_net_write_desired(ssl))
+\& FD_SET(sock, &wfds);
+\& if (SSL_net_read_desired(ssl))
+\& FD_SET(sock, &rfds);
+\& width = sock + 1;
+\&
+\& /*
+\& * Find out when OpenSSL would next like to be called, regardless of
+\& * whether the state of the underlying socket has changed or not.
+\& */
+\& if (SSL_get_event_timeout(ssl, &tv, &isinfinite) && !isinfinite)
+\& tvp = &tv;
+\&
+\& /*
+\& * Wait until the socket is writeable or readable. We use select here
+\& * for the sake of simplicity and portability, but you could equally use
+\& * poll/epoll or similar functions
+\& *
+\& * NOTE: For the purposes of this demonstration code this effectively
+\& * makes this demo block until it has something more useful to do. In a
+\& * real application you probably want to go and do other work here (e.g.
+\& * update a GUI, or service other connections).
+\& *
+\& * Let\*(Aqs say for example that you want to update the progress counter on
+\& * a GUI every 100ms. One way to do that would be to use the timeout in
+\& * the last parameter to "select" below. If the tvp value is greater
+\& * than 100ms then use 100ms instead. Then, when select returns, you
+\& * check if it did so because of activity on the file descriptors or
+\& * because of the timeout. If the 100ms GUI timeout has expired but the
+\& * tvp timeout has not then go and update the GUI and then restart the
+\& * "select" (with updated timeouts).
+\& */
+\&
+\& select(width, &rfds, &wfds, NULL, tvp);
+\&}
+.Ve
+.PP
+If you are familiar with how to write nonblocking applications in OpenSSL for
+TLS (see \fBossl\-guide\-tls\-client\-non\-block\fR\|(7)) then you should note that there
+is an important difference here between the way a QUIC application and a TLS
+application works. With a TLS application if we try to read or write something
+to the \fBSSL\fR object and we get a "retry" response (\fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR) then we can assume that is because OpenSSL attempted to
+read or write to the underlying socket and the socket signalled the "retry".
+With QUIC that is not the case. OpenSSL may signal retry as a result of an
+\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) (or similar) call which indicates the
+state of the stream. This is entirely independent of whether the underlying
+socket needs to retry or not.
+.PP
+To determine whether OpenSSL currently wants to read or write to the underlying
+socket for a QUIC application we must call the \fBSSL_net_read_desired\fR\|(3) and
+\&\fBSSL_net_write_desired\fR\|(3) functions.
+.PP
+It is also important with QUIC that we periodically call an I/O function (or
+otherwise call the \fBSSL_handle_events\fR\|(3) function) to ensure that the QUIC
+connection remains healthy. This is particularly important with a nonblocking
+application because you are likely to leave the \fBSSL\fR object idle for a while
+while the application goes off to do other work. The \fBSSL_get_event_timeout\fR\|(3)
+function can be used to determine what the deadline is for the next time we need
+to call an I/O function (or call \fBSSL_handle_events\fR\|(3)).
+.PP
+An alternative to using \fBSSL_get_event_timeout\fR\|(3) to find the next deadline
+that OpenSSL must be called again by is to use "thread assisted" mode. In
+"thread assisted" mode OpenSSL spawns an additional thread which will
+periodically call \fBSSL_handle_events\fR\|(3) automatically, meaning that the
+application can leave the connection idle safe in the knowledge that the
+connection will still be maintained in a healthy state. See
+"Creating the SSL_CTX and SSL objects" below for further details about this.
+.PP
+In this example we are using the \f(CW\*(C`select\*(C'\fR function to check the
+readability/writeability of the socket because it is very simple to use and is
+available on most Operating Systems. However you could use any other similar
+function to do the same thing. \f(CW\*(C`select\*(C'\fR waits for the state of the underlying
+socket(s) to become readable/writeable or until the timeout has expired before
+returning.
+.SS "Handling errors from OpenSSL I/O functions"
+.IX Subsection "Handling errors from OpenSSL I/O functions"
+A QUIC application that has been configured for nonblocking behaviour will need
+to be prepared to handle errors returned from OpenSSL I/O functions such as
+\&\fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3). Errors may be fatal for the stream (for
+example because the stream has been reset or because the underlying connection
+has failed), or non-fatal (for example because we are trying to read from the
+stream but no data has not yet arrived from the peer for that stream).
+.PP
+\&\fBSSL_read_ex\fR\|(3) and \fBSSL_write_ex\fR\|(3) will return 0 to indicate an error and
+\&\fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) will return 0 or a negative value to indicate
+an error. \fBSSL_shutdown\fR\|(3) will return a negative value to incidate an error.
+.PP
+In the event of an error an application should call \fBSSL_get_error\fR\|(3) to find
+out what type of error has occurred. If the error is non-fatal and can be
+retried then \fBSSL_get_error\fR\|(3) will return \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR depending on whether OpenSSL wanted to read to or write
+from the stream but was unable to. Note that a call to \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_read\fR\|(3) can still generate \fBSSL_ERROR_WANT_WRITE\fR. Similarly calls to
+\&\fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) might generate \fBSSL_ERROR_WANT_READ\fR.
+.PP
+Another type of non-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This
+indicates an EOF (End-Of-File) which can occur if you attempt to read data from
+an \fBSSL\fR object but the peer has indicated that it will not send any more data
+on the stream. In this case you may still want to write data to the stream but
+you will not receive any more data.
+.PP
+Fatal errors that may occur are \fBSSL_ERROR_SYSCALL\fR and \fBSSL_ERROR_SSL\fR. These
+indicate that the stream is no longer usable. For example, this could be because
+the stream has been reset by the peer, or because the underlying connection has
+failed. You can consult the OpenSSL error stack for further details (for example
+by calling \fBERR_print_errors\fR\|(3) to print out details of errors that have
+occurred). You can also consult the return value of
+\&\fBSSL_get_stream_read_state\fR\|(3) to determine whether the error is local to the
+stream, or whether the underlying connection has also failed. A return value
+of \fBSSL_STREAM_STATE_RESET_REMOTE\fR tells you that the stream has been reset by
+the peer and \fBSSL_STREAM_STATE_CONN_CLOSED\fR tells you that the underlying
+connection has closed.
+.PP
+In our demo application we will write a function to handle these errors from
+OpenSSL I/O functions:
+.PP
+.Vb 8
+\& static int handle_io_failure(SSL *ssl, int res)
+\& {
+\& switch (SSL_get_error(ssl, res)) {
+\& case SSL_ERROR_WANT_READ:
+\& case SSL_ERROR_WANT_WRITE:
+\& /* Temporary failure. Wait until we can read/write and try again */
+\& wait_for_activity(ssl);
+\& return 1;
+\&
+\& case SSL_ERROR_ZERO_RETURN:
+\& /* EOF */
+\& return 0;
+\&
+\& case SSL_ERROR_SYSCALL:
+\& return \-1;
+\&
+\& case SSL_ERROR_SSL:
+\& /*
+\& * Some stream fatal error occurred. This could be because of a
+\& * stream reset \- or some failure occurred on the underlying
+\& * connection.
+\& */
+\& switch (SSL_get_stream_read_state(ssl)) {
+\& case SSL_STREAM_STATE_RESET_REMOTE:
+\& printf("Stream reset occurred\en");
+\& /*
+\& * The stream has been reset but the connection is still
+\& * healthy.
+\& */
+\& break;
+\&
+\& case SSL_STREAM_STATE_CONN_CLOSED:
+\& printf("Connection closed\en");
+\& /* Connection is already closed. */
+\& break;
+\&
+\& default:
+\& printf("Unknown stream failure\en");
+\& break;
+\& }
+\& /*
+\& * If the failure is due to a verification error we can get more
+\& * information about it from SSL_get_verify_result().
+\& */
+\& if (SSL_get_verify_result(ssl) != X509_V_OK)
+\& printf("Verify error: %s\en",
+\& X509_verify_cert_error_string(SSL_get_verify_result(ssl)));
+\& return \-1;
+\&
+\& default:
+\& return \-1;
+\& }
+\& }
+.Ve
+.PP
+This function takes as arguments the \fBSSL\fR object that represents the
+connection, as well as the return code from the I/O function that failed. In
+the event of a non-fatal failure, it waits until a retry of the I/O operation
+might succeed (by using the \f(CWwait_for_activity()\fR function that we developed
+in the previous section). It returns 1 in the event of a non-fatal error
+(except EOF), 0 in the event of EOF, or \-1 if a fatal error occurred.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+In order to connect to a server we must create \fBSSL_CTX\fR and \fBSSL\fR objects for
+this. Most of the steps to do this are the same as for a blocking client and are
+explained on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page. We won't repeat that
+information here.
+.PP
+One key difference is that we must put the \fBSSL\fR object into nonblocking mode
+(the default is blocking mode). To do that we use the
+\&\fBSSL_set_blocking_mode\fR\|(3) function:
+.PP
+.Vb 9
+\& /*
+\& * The underlying socket is always nonblocking with QUIC, but the default
+\& * behaviour of the SSL object is still to block. We set it for nonblocking
+\& * mode in this demo.
+\& */
+\& if (!SSL_set_blocking_mode(ssl, 0)) {
+\& printf("Failed to turn off blocking mode\en");
+\& goto end;
+\& }
+.Ve
+.PP
+Although the demo application that we are developing here does not use it, it is
+possible to use "thread assisted mode" when developing QUIC applications.
+Normally, when writing an OpenSSL QUIC application, it is important that
+\&\fBSSL_handle_events\fR\|(3) (or alternatively any I/O function) is called on the
+connection \fBSSL\fR object periodically to maintain the connection in a healthy
+state. See "Performing work while waiting for the socket" for more discussion
+on this. This is particularly important to keep in mind when writing a
+nonblocking QUIC application because it is common to leave the \fBSSL\fR connection
+object idle for some time when using nonblocking mode. By using "thread assisted
+mode" a separate thread is created by OpenSSL to do this automatically which
+means that the application developer does not need to handle this aspect. To do
+this we must use \fBOSSL_QUIC_client_thread_method\fR\|(3) when we construct the
+\&\fBSSL_CTX\fR as shown below:
+.PP
+.Vb 5
+\& ctx = SSL_CTX_new(OSSL_QUIC_client_thread_method());
+\& if (ctx == NULL) {
+\& printf("Failed to create the SSL_CTX\en");
+\& goto end;
+\& }
+.Ve
+.SS "Performing the handshake"
+.IX Subsection "Performing the handshake"
+As in the demo for a blocking QUIC client we use the \fBSSL_connect\fR\|(3) function
+to perform the handshake with the server. Since we are using a nonblocking
+\&\fBSSL\fR object it is very likely that calls to this function will fail with a
+non-fatal error while we are waiting for the server to respond to our handshake
+messages. In such a case we must retry the same \fBSSL_connect\fR\|(3) call at a
+later time. In this demo we do this in a loop:
+.PP
+.Vb 7
+\& /* Do the handshake with the server */
+\& while ((ret = SSL_connect(ssl)) != 1) {
+\& if (handle_io_failure(ssl, ret) == 1)
+\& continue; /* Retry */
+\& printf("Failed to connect to server\en");
+\& goto end; /* Cannot retry: error */
+\& }
+.Ve
+.PP
+We continually call \fBSSL_connect\fR\|(3) until it gives us a success response.
+Otherwise we use the \f(CWhandle_io_failure()\fR function that we created earlier to
+work out what we should do next. Note that we do not expect an EOF to occur at
+this stage, so such a response is treated in the same way as a fatal error.
+.SS "Sending and receiving data"
+.IX Subsection "Sending and receiving data"
+As with the blocking QUIC client demo we use the \fBSSL_write_ex\fR\|(3) function to
+send data to the server. As with \fBSSL_connect\fR\|(3) above, because we are using
+a nonblocking \fBSSL\fR object, this call could fail with a non-fatal error. In
+that case we should retry exactly the same \fBSSL_write_ex\fR\|(3) call again. Note
+that the parameters must be \fIexactly\fR the same, i.e. the same pointer to the
+buffer to write with the same length. You must not attempt to send different
+data on a retry. An optional mode does exist
+(\fBSSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\fR) which will configure OpenSSL to allow
+the buffer being written to change from one retry to the next. However, in this
+case, you must still retry exactly the same data \- even though the buffer that
+contains that data may change location. See \fBSSL_CTX_set_mode\fR\|(3) for further
+details. As in the TLS tutorials (\fBossl\-guide\-tls\-client\-block\fR\|(7)) we write
+the request in three chunks.
+.PP
+First, we write the entire request to the stream. We also must make sure to
+signal to the server that we have finished writing. This can be done by passing
+the SSL_WRITE_FLAG_CONCLUDE flag to \fBSSL_write_ex2\fR\|(3) or by calling
+\&\fBSSL_stream_conclude\fR\|(3). Since the first way is more efficient, we choose to
+do that.
+.PP
+.Vb 10
+\& /* Write an HTTP GET request to the peer */
+\& while (!SSL_write_ex(ssl, request_start, strlen(request_start), &written)) {
+\& if (handle_io_failure(ssl, 0) == 1)
+\& continue; /* Retry */
+\& printf("Failed to write start of HTTP request\en");
+\& goto end; /* Cannot retry: error */
+\& }
+\& while (!SSL_write_ex(ssl, hostname, strlen(hostname), &written)) {
+\& if (handle_io_failure(ssl, 0) == 1)
+\& continue; /* Retry */
+\& printf("Failed to write hostname in HTTP request\en");
+\& goto end; /* Cannot retry: error */
+\& }
+\& while (!SSL_write_ex2(ssl, request_end, strlen(request_end),
+\& SSL_WRITE_FLAG_CONCLUDE, &written)) {
+\& if (handle_io_failure(ssl, 0) == 1)
+\& continue; /* Retry */
+\& printf("Failed to write end of HTTP request\en");
+\& goto end; /* Cannot retry: error */
+\& }
+.Ve
+.PP
+On a write we do not expect to see an EOF response so we treat that case in the
+same way as a fatal error.
+.PP
+Reading a response back from the server is similar:
+.PP
+.Vb 10
+\& do {
+\& /*
+\& * Get up to sizeof(buf) bytes of the response. We keep reading until
+\& * the server closes the connection.
+\& */
+\& while (!eof && !SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) {
+\& switch (handle_io_failure(ssl, 0)) {
+\& case 1:
+\& continue; /* Retry */
+\& case 0:
+\& eof = 1;
+\& continue;
+\& case \-1:
+\& default:
+\& printf("Failed reading remaining data\en");
+\& goto end; /* Cannot retry: error */
+\& }
+\& }
+\& /*
+\& * OpenSSL does not guarantee that the returned data is a string or
+\& * that it is NUL terminated so we use fwrite() to write the exact
+\& * number of bytes that we read. The data could be non\-printable or
+\& * have NUL characters in the middle of it. For this simple example
+\& * we\*(Aqre going to print it to stdout anyway.
+\& */
+\& if (!eof)
+\& fwrite(buf, 1, readbytes, stdout);
+\& } while (!eof);
+\& /* In case the response didn\*(Aqt finish with a newline we add one now */
+\& printf("\en");
+.Ve
+.PP
+The main difference this time is that it is valid for us to receive an EOF
+response when trying to read data from the server. This will occur when the
+server closes down the connection after sending all the data in its response.
+.PP
+In this demo we just print out all the data we've received back in the response
+from the server. We continue going around the loop until we either encounter a
+fatal error, or we receive an EOF (indicating a graceful finish).
+.SS "Shutting down the connection"
+.IX Subsection "Shutting down the connection"
+As in the QUIC blocking example we must shutdown the connection when we are
+finished with it.
+.PP
+Even though we have received EOF on the stream that we were reading from above,
+this tell us nothing about the state of the underlying connection. Our demo
+application will initiate the connection shutdown process via
+\&\fBSSL_shutdown\fR\|(3).
+.PP
+Since our application is initiating the shutdown then we might expect to see
+\&\fBSSL_shutdown\fR\|(3) give a return value of 0, and then we should continue to call
+it until we receive a return value of 1 (meaning we have successfully completed
+the shutdown). Since we are using a nonblocking \fBSSL\fR object we might expect to
+have to retry this operation several times. If \fBSSL_shutdown\fR\|(3) returns a
+negative result then we must call \fBSSL_get_error\fR\|(3) to work out what to do
+next. We use our \fBhandle_io_failure()\fR function that we developed earlier for
+this:
+.PP
+.Vb 8
+\& /*
+\& * Repeatedly call SSL_shutdown() until the connection is fully
+\& * closed.
+\& */
+\& while ((ret = SSL_shutdown(ssl)) != 1) {
+\& if (ret < 0 && handle_io_failure(ssl, ret) == 1)
+\& continue; /* Retry */
+\& }
+.Ve
+.SS "Final clean up"
+.IX Subsection "Final clean up"
+As with the blocking QUIC client example, once our connection is finished with
+we must free it. The steps to do this for this example are the same as for the
+blocking example, so we won't repeat it here.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-quic\-client\-block\fR\|(7) to read a tutorial on how to write a
+blocking QUIC client. See \fBossl\-guide\-quic\-multi\-stream\fR\|(7) to see how to write
+a multi-stream QUIC client.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-quic\-introduction\fR\|(7),
+\&\fBossl\-guide\-quic\-client\-block\fR\|(7), \fBossl\-guide\-quic\-multi\-stream\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7
new file mode 100644
index 000000000000..452aa59a5f74
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-introduction.7
@@ -0,0 +1,232 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-QUIC-INTRODUCTION 7ossl"
+.TH OSSL-GUIDE-QUIC-INTRODUCTION 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-quic\-introduction
+\&\- OpenSSL Guide: An introduction to QUIC in OpenSSL
+.SH INTRODUCTION
+.IX Header "INTRODUCTION"
+This page will provide an introduction to some basic QUIC concepts and
+background and how it is used within OpenSSL. It assumes that you have a basic
+understanding of UDP/IP and sockets. It also assumes that you are familiar with
+some OpenSSL and TLS fundamentals (see \fBossl\-guide\-libraries\-introduction\fR\|(7)
+and \fBossl\-guide\-tls\-introduction\fR\|(7)).
+.SH "WHAT IS QUIC?"
+.IX Header "WHAT IS QUIC?"
+QUIC is a general purpose protocol for enabling applications to securely
+communicate over a network. It is defined in RFC9000 (see
+<https://datatracker.ietf.org/doc/rfc9000/>). QUIC integrates parts of the
+TLS protocol for connection establishment but independently protects packets.
+It provides similar security guarantees to TLS such as confidentiality,
+integrity and authentication (see \fBossl\-guide\-tls\-introduction\fR\|(7)).
+.PP
+QUIC delivers a number of advantages:
+.IP "Multiple streams" 4
+.IX Item "Multiple streams"
+It supports multiple streams of communication (see "QUIC STREAMS" below),
+allowing application protocols built on QUIC to create arbitrarily many
+bytestreams for communication between a client and server. This allows an
+application protocol to avoid problems where one packet of data is held up
+waiting on another packet being delivered (commonly referred to as
+"head-of-line blocking"). It also enables an application to open additional
+logical streams without requiring a round-trip exchange of packets between the
+client and server as is required when opening an additional TLS/TCP
+connection.
+.IP HTTP/3 4
+.IX Item "HTTP/3"
+Since QUIC is the basis of HTTP/3, support for QUIC also enables applications
+to use HTTP/3 using a suitable third-party library.
+.IP "Fast connection initiation" 4
+.IX Item "Fast connection initiation"
+Future versions of OpenSSL will offer support for 0\-RTT connection initiation,
+allowing a connection to be initiated to a server and application data to be
+transmitted without any waiting time. This is similar to TLS 1.3's 0\-RTT
+functionality but also avoids the round trip needed to open a TCP socket; thus,
+it is similar to a combination of TLS 1.3 0\-RTT and TCP Fast Open.
+.IP "Connection migration" 4
+.IX Item "Connection migration"
+Future versions of OpenSSL will offer support for connection migration, allowing
+connections to seamlessly survive IP address changes.
+.IP "Datagram based use cases" 4
+.IX Item "Datagram based use cases"
+Future versions of OpenSSL will offer support for the QUIC datagram extension,
+allowing support for both TLS and DTLS-style use cases on a single connection.
+.IP "Implemented as application library" 4
+.IX Item "Implemented as application library"
+Because most QUIC implementations, including OpenSSL's implementation, are
+implemented as an application library rather than by an operating system, an
+application can gain the benefit of QUIC without needing to wait for an OS
+update to be deployed. Future evolutions and enhancements to the QUIC protocol
+can be delivered as quickly as an application can be updated without dependency
+on an OS update cadence.
+.IP "Multiplexing over a single UDP socket" 4
+.IX Item "Multiplexing over a single UDP socket"
+Because QUIC is UDP-based, it is possible to multiplex a QUIC connection on the
+same UDP socket as some other UDP-based protocols, such as RTP.
+.SH "QUIC TIME BASED EVENTS"
+.IX Header "QUIC TIME BASED EVENTS"
+A key difference between the TLS implementation and the QUIC implementation in
+OpenSSL is how time is handled. The QUIC protocol requires various actions to be
+performed on a regular basis regardless of whether application data is being
+transmitted or received.
+.PP
+OpenSSL introduces a new function \fBSSL_handle_events\fR\|(3) that will
+automatically process any outstanding time based events that must be handled.
+Alternatively calling any I/O function such as \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_write_ex\fR\|(3) will also process these events. There is also
+\&\fBSSL_get_event_timeout\fR\|(3) which tells an application the amount of time that
+remains until \fBSSL_handle_events\fR\|(3) (or any I/O function) must be called.
+.PP
+Fortunately a blocking application that does not leave the QUIC connection idle,
+and is regularly calling I/O functions does not typically need to worry about
+this. However if you are developing a nonblocking application or one that may
+leave the QUIC connection idle for a period of time then you will need to
+arrange to call these functions.
+.PP
+OpenSSL provides an optional "thread assisted mode" that will automatically
+create a background thread and will regularly call \fBSSL_handle_events\fR\|(3) in a
+thread safe manner. This provides a simple way for an application to satisfy the
+QUIC requirements for time based events without having to implement special
+logic to accomplish it.
+.SH "QUIC AND TLS"
+.IX Header "QUIC AND TLS"
+QUIC reuses parts of the TLS protocol in its implementation. Specifically the
+TLS handshake also exists in QUIC. The TLS handshake messages are wrapped up in
+QUIC protocol messages in order to send them to the peer. Once the TLS handshake
+is complete all application data is sent entirely using QUIC protocol messages
+without using TLS \- although some TLS handshake messages may still be sent in
+some circumstances.
+.PP
+This relationship between QUIC and TLS means that many of the API functions in
+OpenSSL that apply to TLS connections also apply to QUIC connections and
+applications can use them in exactly the same way. Some functions do not apply
+to QUIC at all, and others have altered semantics. You should refer to the
+documentation pages for each function for information on how it applies to QUIC.
+Typically if QUIC is not mentioned in the manual pages then the functions apply
+to both TLS and QUIC.
+.SH "QUIC STREAMS"
+.IX Header "QUIC STREAMS"
+QUIC introduces the concept of "streams". A stream provides a reliable
+mechanism for sending and receiving application data between the endpoints. The
+bytes transmitted are guaranteed to be received in the same order they were sent
+without any loss of data or reordering of the bytes. A TLS application
+effectively has one bi-directional stream available to it per TLS connection. A
+QUIC application can have multiple uni-directional or bi-directional streams
+available to it for each connection.
+.PP
+In OpenSSL an \fBSSL\fR object is used to represent both connections and streams.
+A QUIC application creates an initial \fBSSL\fR object to represent the connection
+(known as the connection \fBSSL\fR object). Once the connection is complete
+additional \fBSSL\fR objects can be created to represent streams (known as stream
+\&\fBSSL\fR objects). Unless configured otherwise, a "default" stream is also
+associated with the connection \fBSSL\fR object so you can still write data and
+read data to/from it. Some OpenSSL API functions can only be used with
+connection \fBSSL\fR objects, and some can only be used with stream \fBSSL\fR objects.
+Check the documentation for each function to confirm what type of \fBSSL\fR object
+can be used in any particular context. A connection \fBSSL\fR object that has a
+default stream attached to it can be used in contexts that require a connection
+\&\fBSSL\fR object or in contexts that require a stream \fBSSL\fR object.
+.SH "SOCKETS AND BLOCKING"
+.IX Header "SOCKETS AND BLOCKING"
+TLS assumes "stream" type semantics for its underlying transport layer protocol
+(usually achieved by using TCP). However QUIC assumes "datagram" type semantics
+by using UDP. An OpenSSL application using QUIC is responsible for creating a
+BIO to represent the underlying transport layer. This BIO must support datagrams
+and is typically \fBBIO_s_datagram\fR\|(3), but other \fBBIO\fR choices are available.
+See \fBbio\fR\|(7) for an introduction to OpenSSL's \fBBIO\fR concept.
+.PP
+A significant difference between OpenSSL TLS applications and OpenSSL QUIC
+applications is the way that blocking is implemented. In TLS if your application
+expects blocking behaviour then you configure the underlying socket for
+blocking. Conversely if your application wants nonblocking behaviour then the
+underlying socket is configured to be nonblocking.
+.PP
+With an OpenSSL QUIC application the underlying socket must always be configured
+to be nonblocking. Howevever the \fBSSL\fR object will, by default, still operate
+in blocking mode. So, from an application's perspective, calls to functions such
+as \fBSSL_read_ex\fR\|(3), \fBSSL_write_ex\fR\|(3) and other I/O functions will still
+block. OpenSSL itself provides that blocking capability for QUIC instead of the
+socket. If nonblocking behaviour is desired then the application must call
+\&\fBSSL_set_blocking_mode\fR\|(3).
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-quic\-client\-block\fR\|(7) to see an example of applying these
+concepts in order to write a simple blocking QUIC client.
+.PP
+See \fBossl\-guide\-quic\-server\-block\fR\|(7) to see an example of applying these
+concepts in order to write a simple blocking QUIC server.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7),
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7), \fBossl\-guide\-quic\-client\-block\fR\|(7),
+\&\fBossl\-guide\-quic\-client\-non\-block\fR\|(7), \fBossl\-guide\-quic\-multi\-stream\fR\|(7),
+\&\fBossl\-guide\-quic\-server\-block\fR\|(7), \fBossl\-guide\-quic\-server\-non\-block\fR\|(7),
+\&\fBbio\fR\|(7),
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7
new file mode 100644
index 000000000000..1e89f09846f9
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-multi-stream.7
@@ -0,0 +1,453 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl"
+.TH OSSL-GUIDE-QUIC-MULTI-STREAM 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-quic\-multi\-stream
+\&\- OpenSSL Guide: Writing a simple multi\-stream QUIC client
+.SH INTRODUCTION
+.IX Header "INTRODUCTION"
+This page will introduce some important concepts required to write a simple
+QUIC multi-stream application. It assumes a basic understanding of QUIC and how
+it is used in OpenSSL. See \fBossl\-guide\-quic\-introduction\fR\|(7) and
+\&\fBossl\-guide\-quic\-client\-block\fR\|(7).
+.SH "QUIC STREAMS"
+.IX Header "QUIC STREAMS"
+In a QUIC multi-stream application we separate out the concepts of a QUIC
+"connection" and a QUIC "stream". A connection object represents the overarching
+details of the connection between a client and a server including all its
+negotiated and configured parameters. We use the \fBSSL\fR object for that in an
+OpenSSL application (known as the connection \fBSSL\fR object). It is created by an
+application calling \fBSSL_new\fR\|(3).
+.PP
+Separately a connection can have zero or more streams associated with it
+(although a connection with zero streams is probably not very useful, so
+normally you would have at least one). A stream is used to send and receive
+data between the two peers. Each stream is also represented by an \fBSSL\fR
+object. A stream is logically independent of all the other streams associated
+with the same connection. Data sent on a stream is guaranteed to be delivered
+in the order that it was sent within that stream. The same is not true across
+streams, e.g. if an application sends data on stream 1 first and then sends some
+more data on stream 2 second, then the remote peer may receive the data sent on
+stream 2 before it receives the data sent on stream 1.
+.PP
+Once the connection \fBSSL\fR object has completed its handshake (i.e.
+\&\fBSSL_connect\fR\|(3) has returned 1), stream \fBSSL\fR objects are created by the
+application calling \fBSSL_new_stream\fR\|(3) or \fBSSL_accept_stream\fR\|(3) (see
+"CREATING NEW STREAMS" below).
+.PP
+The same threading rules apply to \fBSSL\fR objects as for most OpenSSL objects
+(see \fBossl\-guide\-libraries\-introduction\fR\|(7)). In particular most OpenSSL
+functions are thread safe, but the \fBSSL\fR object is not. This means that you can
+use an \fBSSL\fR object representing one stream at the same time as another thread
+is using a different \fBSSL\fR object for a different stream on the same
+connection. But you cannot use the same \fBSSL\fR object on two different threads
+at the same time (without additional application level locking).
+.SH "THE DEFAULT STREAM"
+.IX Header "THE DEFAULT STREAM"
+A connection \fBSSL\fR object may also (optionally) be associated with a stream.
+This stream is known as the default stream. The default stream is automatically
+created and associated with the \fBSSL\fR object when the application calls
+\&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) and
+passes the connection \fBSSL\fR object as a parameter.
+.PP
+If a client application calls \fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) first then
+(by default) the default stream will be a client-initiated bi-directional
+stream. If a client application calls \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\|(3)
+first then the first stream initiated by the server will be used as the default
+stream (whether it is bi-directional or uni-directional).
+.PP
+This behaviour can be controlled via the default stream mode. See
+\&\fBSSL_set_default_stream_mode\fR\|(3) for further details.
+.PP
+It is recommended that new multi-stream applications should not use a default
+stream at all and instead should use a separate stream \fBSSL\fR object for each
+stream that is used. This requires calling \fBSSL_set_default_stream_mode\fR\|(3)
+and setting the mode to \fBSSL_DEFAULT_STREAM_MODE_NONE\fR.
+.SH "CREATING NEW STREAMS"
+.IX Header "CREATING NEW STREAMS"
+An endpoint can create a new stream by calling \fBSSL_new_stream\fR\|(3). This
+creates a locally initiated stream. In order to do so you must pass the QUIC
+connection \fBSSL\fR object as a parameter. You can also specify whether you want a
+bi-directional or a uni-directional stream.
+.PP
+The function returns a new QUIC stream \fBSSL\fR object for sending and receiving
+data on that stream.
+.PP
+The peer may also initiate streams. An application can use the function
+\&\fBSSL_get_accept_stream_queue_len\fR\|(3) to determine the number of streams that
+the peer has initiated that are waiting for the application to handle. An
+application can call \fBSSL_accept_stream\fR\|(3) to create a new \fBSSL\fR object for
+a remotely initiated stream. If the peer has not initiated any then this call
+will block until one is available if the connection object is in blocking mode
+(see \fBSSL_set_blocking_mode\fR\|(3)).
+.PP
+When using a default stream OpenSSL will prevent new streams from being
+accepted. To override this behaviour you must call
+\&\fBSSL_set_incoming_stream_policy\fR\|(3) to set the policy to
+\&\fBSSL_INCOMING_STREAM_POLICY_ACCEPT\fR. See the man page for further details. This
+is not relevant if the default stream has been disabled as described in
+"THE DEFAULT STREAM" above.
+.PP
+Any stream may be bi-directional or uni-directional. If it is uni-directional
+then the initiator can write to it but not read from it, and vice-versa for the
+peer. You can determine what type of stream an \fBSSL\fR object represents by
+calling \fBSSL_get_stream_type\fR\|(3). See the man page for further details.
+.SH "USING A STREAM TO SEND AND RECEIVE DATA"
+.IX Header "USING A STREAM TO SEND AND RECEIVE DATA"
+Once you have a stream \fBSSL\fR object (which includes the connection \fBSSL\fR
+object if a default stream is in use) then you can send and receive data over it
+using the \fBSSL_write_ex\fR\|(3), \fBSSL_write\fR\|(3), \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_read\fR\|(3) functions. See the man pages for further details.
+.PP
+In the event of one of these functions not returning a success code then
+you should call \fBSSL_get_error\fR\|(3) to find out further details about the error.
+In blocking mode this will either be a fatal error (e.g. \fBSSL_ERROR_SYSCALL\fR
+or \fBSSL_ERROR_SSL\fR), or it will be \fBSSL_ERROR_ZERO_RETURN\fR which can occur
+when attempting to read data from a stream and the peer has indicated that the
+stream is concluded (i.e. "FIN" has been signalled on the stream). This means
+that the peer will send no more data on that stream. Note that the
+interpretation of \fBSSL_ERROR_ZERO_RETURN\fR is slightly different for a QUIC
+application compared to a TLS application. In TLS it occurs when the connection
+has been shutdown by the peer. In QUIC this only tells you that the current
+stream has been concluded by the peer. It tells you nothing about the underlying
+connection. If the peer has concluded the stream then no more data will be
+received on it, however an application can still send data to the peer until
+the send side of the stream has also been concluded. This can happen by the
+application calling \fBSSL_stream_conclude\fR\|(3). It is an error to attempt to
+send more data on a stream after \fBSSL_stream_conclude\fR\|(3) has been called.
+.PP
+It is also possible to abandon a stream abnormally by calling
+\&\fBSSL_stream_reset\fR\|(3).
+.PP
+Once a stream object is no longer needed it should be freed via a call to
+\&\fBSSL_free\fR\|(3). An application should not call \fBSSL_shutdown\fR\|(3) on it since
+this is only meaningful for connection level \fBSSL\fR objects. Freeing the stream
+will automatically signal STOP_SENDING to the peer.
+.SH "STREAMS AND CONNECTIONS"
+.IX Header "STREAMS AND CONNECTIONS"
+Given a stream object it is possible to get the \fBSSL\fR object corresponding to
+the connection via a call to \fBSSL_get0_connection\fR\|(3). Multi-threaded
+restrictions apply so care should be taken when using the returned connection
+object. Specifically, if you are handling each of your stream objects in a
+different thread and call \fBSSL_get0_connection\fR\|(3) from within that thread then
+you must be careful to not to call any function that uses the connection object
+at the same time as one of the other threads is also using that connection
+object (with the exception of \fBSSL_accept_stream\fR\|(3) and
+\&\fBSSL_get_accept_stream_queue_len\fR\|(3) which are thread-safe).
+.PP
+A stream object does not inherit all its settings and values from its parent
+\&\fBSSL\fR connection object. Therefore certain function calls that are relevant to
+the connection as a whole will not work on a stream. For example the function
+\&\fBSSL_get_certificate\fR\|(3) can be used to obtain a handle on the peer certificate
+when called with a connection \fBSSL\fR object. When called with a stream \fBSSL\fR
+object it will return NULL.
+.SH "SIMPLE MULTI-STREAM QUIC CLIENT EXAMPLE"
+.IX Header "SIMPLE MULTI-STREAM QUIC CLIENT EXAMPLE"
+This section will present various source code samples demonstrating how to write
+a simple multi-stream QUIC client application which connects to a server, send
+some HTTP/1.0 requests to it, and read back the responses. Note that HTTP/1.0
+over QUIC is non-standard and will not be supported by real world servers. This
+is for demonstration purposes only.
+.PP
+We will build on the example code for the simple blocking QUIC client that is
+covered on the \fBossl\-guide\-quic\-client\-block\fR\|(7) page and we assume that you
+are familiar with it. We will only describe the differences between the simple
+blocking QUIC client and the multi-stream QUIC client. Although the example code
+uses blocking \fBSSL\fR objects, you can equally use nonblocking \fBSSL\fR objects.
+See \fBossl\-guide\-quic\-client\-non\-block\fR\|(7) for more information about writing a
+nonblocking QUIC client.
+.PP
+The complete source code for this example multi-stream QUIC client is available
+in the \f(CW\*(C`demos/guide\*(C'\fR directory of the OpenSSL source distribution in the file
+\&\f(CW\*(C`quic\-multi\-stream.c\*(C'\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/quic\-multi\-stream.c>.
+.SS "Disabling the default stream"
+.IX Subsection "Disabling the default stream"
+As discussed above in "THE DEFAULT STREAM" we will follow the recommendation
+to disable the default stream for our multi-stream client. To do this we call
+the \fBSSL_set_default_stream_mode\fR\|(3) function and pass in our connection \fBSSL\fR
+object and the value \fBSSL_DEFAULT_STREAM_MODE_NONE\fR.
+.PP
+.Vb 8
+\& /*
+\& * We will use multiple streams so we will disable the default stream mode.
+\& * This is not a requirement for using multiple streams but is recommended.
+\& */
+\& if (!SSL_set_default_stream_mode(ssl, SSL_DEFAULT_STREAM_MODE_NONE)) {
+\& printf("Failed to disable the default stream mode\en");
+\& goto end;
+\& }
+.Ve
+.SS "Creating the request streams"
+.IX Subsection "Creating the request streams"
+For the purposes of this example we will create two different streams to send
+two different HTTP requests to the server. For the purposes of demonstration the
+first of these will be a bi-directional stream and the second one will be a
+uni-directional one:
+.PP
+.Vb 10
+\& /*
+\& * We create two new client initiated streams. The first will be
+\& * bi\-directional, and the second will be uni\-directional.
+\& */
+\& stream1 = SSL_new_stream(ssl, 0);
+\& stream2 = SSL_new_stream(ssl, SSL_STREAM_FLAG_UNI);
+\& if (stream1 == NULL || stream2 == NULL) {
+\& printf("Failed to create streams\en");
+\& goto end;
+\& }
+.Ve
+.SS "Writing data to the streams"
+.IX Subsection "Writing data to the streams"
+Once the streams are successfully created we can start writing data to them. In
+this example we will be sending a different HTTP request on each stream. To
+avoid repeating too much code we write a simple helper function to send an HTTP
+request to a stream:
+.PP
+.Vb 5
+\& int write_a_request(SSL *stream, const char *request_start,
+\& const char *hostname)
+\& {
+\& const char *request_end = "\er\en\er\en";
+\& size_t written;
+\&
+\& if (!SSL_write_ex(stream, request_start, strlen(request_start), &written))
+\& return 0;
+\& if (!SSL_write_ex(stream, hostname, strlen(hostname), &written))
+\& return 0;
+\& if (!SSL_write_ex(stream, request_end, strlen(request_end), &written))
+\& return 0;
+\&
+\& return 1;
+\& }
+.Ve
+.PP
+We assume the strings \fBrequest1_start\fR and \fBrequest2_start\fR hold the
+appropriate HTTP requests. We can then call our helper function above to send
+the requests on the two streams. For the sake of simplicity this example does
+this sequentially, writing to \fBstream1\fR first and, when this is successful,
+writing to \fBstream2\fR second. Remember that our client is blocking so these
+calls will only return once they have been successfully completed. A real
+application would not need to do these writes sequentially or in any particular
+order. For example we could start two threads (one for each stream) and write
+the requests to each stream simultaneously.
+.PP
+.Vb 5
+\& /* Write an HTTP GET request on each of our streams to the peer */
+\& if (!write_a_request(stream1, request1_start, hostname)) {
+\& printf("Failed to write HTTP request on stream 1\en");
+\& goto end;
+\& }
+\&
+\& if (!write_a_request(stream2, request2_start, hostname)) {
+\& printf("Failed to write HTTP request on stream 2\en");
+\& goto end;
+\& }
+.Ve
+.SS "Reading data from a stream"
+.IX Subsection "Reading data from a stream"
+In this example \fBstream1\fR is a bi-directional stream so, once we have sent the
+request on it, we can attempt to read the response from the server back. Here
+we just repeatedly call \fBSSL_read_ex\fR\|(3) until that function fails (indicating
+either that there has been a problem, or that the peer has signalled the stream
+as concluded).
+.PP
+.Vb 10
+\& printf("Stream 1 data:\en");
+\& /*
+\& * Get up to sizeof(buf) bytes of the response from stream 1 (which is a
+\& * bidirectional stream). We keep reading until the server closes the
+\& * connection.
+\& */
+\& while (SSL_read_ex(stream1, buf, sizeof(buf), &readbytes)) {
+\& /*
+\& * OpenSSL does not guarantee that the returned data is a string or
+\& * that it is NUL terminated so we use fwrite() to write the exact
+\& * number of bytes that we read. The data could be non\-printable or
+\& * have NUL characters in the middle of it. For this simple example
+\& * we\*(Aqre going to print it to stdout anyway.
+\& */
+\& fwrite(buf, 1, readbytes, stdout);
+\& }
+\& /* In case the response didn\*(Aqt finish with a newline we add one now */
+\& printf("\en");
+.Ve
+.PP
+In a blocking application like this one calls to \fBSSL_read_ex\fR\|(3) will either
+succeed immediately returning data that is already available, or they will block
+waiting for more data to become available and return it when it is, or they will
+fail with a 0 response code.
+.PP
+Once we exit the while loop above we know that the last call to
+\&\fBSSL_read_ex\fR\|(3) gave a 0 response code so we call the \fBSSL_get_error\fR\|(3)
+function to find out more details. Since this is a blocking application this
+will either return \fBSSL_ERROR_SYSCALL\fR or \fBSSL_ERROR_SSL\fR indicating a
+fundamental problem, or it will return \fBSSL_ERROR_ZERO_RETURN\fR indicating that
+the stream is concluded and there will be no more data available to read from
+it. Care must be taken to distinguish between an error at the stream level (i.e.
+a stream reset) and an error at the connection level (i.e. a connection closed).
+The \fBSSL_get_stream_read_state\fR\|(3) function can be used to distinguish between
+these different cases.
+.PP
+.Vb 12
+\& /*
+\& * Check whether we finished the while loop above normally or as the
+\& * result of an error. The 0 argument to SSL_get_error() is the return
+\& * code we received from the SSL_read_ex() call. It must be 0 in order
+\& * to get here. Normal completion is indicated by SSL_ERROR_ZERO_RETURN. In
+\& * QUIC terms this means that the peer has sent FIN on the stream to
+\& * indicate that no further data will be sent.
+\& */
+\& switch (SSL_get_error(stream1, 0)) {
+\& case SSL_ERROR_ZERO_RETURN:
+\& /* Normal completion of the stream */
+\& break;
+\&
+\& case SSL_ERROR_SSL:
+\& /*
+\& * Some stream fatal error occurred. This could be because of a stream
+\& * reset \- or some failure occurred on the underlying connection.
+\& */
+\& switch (SSL_get_stream_read_state(stream1)) {
+\& case SSL_STREAM_STATE_RESET_REMOTE:
+\& printf("Stream reset occurred\en");
+\& /* The stream has been reset but the connection is still healthy. */
+\& break;
+\&
+\& case SSL_STREAM_STATE_CONN_CLOSED:
+\& printf("Connection closed\en");
+\& /* Connection is already closed. Skip SSL_shutdown() */
+\& goto end;
+\&
+\& default:
+\& printf("Unknown stream failure\en");
+\& break;
+\& }
+\& break;
+\&
+\& default:
+\& /* Some other unexpected error occurred */
+\& printf ("Failed reading remaining data\en");
+\& break;
+\& }
+.Ve
+.SS "Accepting an incoming stream"
+.IX Subsection "Accepting an incoming stream"
+Our \fBstream2\fR object that we created above was a uni-directional stream so it
+cannot be used to receive data from the server. In this hypothetical example
+we assume that the server initiates a new stream to send us back the data that
+we requested. To do that we call \fBSSL_accept_stream\fR\|(3). Since this is a
+blocking application this will wait indefinitely until the new stream has
+arrived and is available for us to accept. In the event of an error it will
+return \fBNULL\fR.
+.PP
+.Vb 10
+\& /*
+\& * In our hypothetical HTTP/1.0 over QUIC protocol that we are using we
+\& * assume that the server will respond with a server initiated stream
+\& * containing the data requested in our uni\-directional stream. This doesn\*(Aqt
+\& * really make sense to do in a real protocol, but its just for
+\& * demonstration purposes.
+\& *
+\& * We\*(Aqre using blocking mode so this will block until a stream becomes
+\& * available. We could override this behaviour if we wanted to by setting
+\& * the SSL_ACCEPT_STREAM_NO_BLOCK flag in the second argument below.
+\& */
+\& stream3 = SSL_accept_stream(ssl, 0);
+\& if (stream3 == NULL) {
+\& printf("Failed to accept a new stream\en");
+\& goto end;
+\& }
+.Ve
+.PP
+We can now read data from the stream in the same way that we did for \fBstream1\fR
+above. We won't repeat that here.
+.SS "Cleaning up the streams"
+.IX Subsection "Cleaning up the streams"
+Once we have finished using our streams we can simply free them by calling
+\&\fBSSL_free\fR\|(3). Optionally we could call \fBSSL_stream_conclude\fR\|(3) on them if
+we want to indicate to the peer that we won't be sending them any more data, but
+we don't do that in this example because we assume that the HTTP application
+protocol supplies sufficient information for the peer to know when we have
+finished sending request data.
+.PP
+We should not call \fBSSL_shutdown\fR\|(3) or \fBSSL_shutdown_ex\fR\|(3) on the stream
+objects since those calls should not be used for streams.
+.PP
+.Vb 3
+\& SSL_free(stream1);
+\& SSL_free(stream2);
+\& SSL_free(stream3);
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7) \fBossl\-guide\-quic\-introduction\fR\|(7),
+\&\fBossl\-guide\-quic\-client\-block\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7
new file mode 100644
index 000000000000..22aa9616ae0a
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-block.7
@@ -0,0 +1,355 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl"
+.TH OSSL-GUIDE-QUIC-SERVER-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-quic\-server\-block
+\&\- OpenSSL Guide: Writing a simple blocking QUIC server
+.SH "SIMPLE BLOCKING QUIC SERVER EXAMPLE"
+.IX Header "SIMPLE BLOCKING QUIC SERVER EXAMPLE"
+This page will present various source code samples demonstrating how to write a
+simple, non-concurrent, QUIC "echo" server application which accepts one client
+connection at a time, echoing input from the client back to the same client.
+Once the current client disconnects, the next client connection is accepted.
+.PP
+The server only accepts HTTP/1.0 requests, which is non-standard and will not
+be supported by real world servers. This is for demonstration purposes only.
+.PP
+Both the accepting socket and client connections are "blocking". A more typical
+server might use nonblocking sockets with an event loop and callbacks for I/O
+events.
+.PP
+The complete source code for this example blocking QUIC server is available in
+the \fBdemos/guide\fR directory of the OpenSSL source distribution in the file
+\&\fBquic\-server\-block.c\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/quic\-server\-block.c>.
+.PP
+We assume that you already have OpenSSL installed on your system; that you
+already have some fundamental understanding of OpenSSL concepts and QUIC (see
+\&\fBossl\-guide\-libraries\-introduction\fR\|(7) and \fBossl\-guide\-quic\-introduction\fR\|(7));
+and that you know how to write and build C code and link it against the
+libcrypto and libssl libraries that are provided by OpenSSL. It also assumes
+that you have a basic understanding of UDP/IP and sockets.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+The first step is to create an \fBSSL_CTX\fR object for our server. We use the
+\&\fBSSL_CTX_new\fR\|(3) function for this purpose. We pass as an argument the return
+value of the function \fBOSSL_QUIC_server_method\fR\|(3). You should use this method
+whenever you are writing a QUIC server.
+.PP
+.Vb 8
+\& /*
+\& * An SSL_CTX holds shared configuration information for multiple
+\& * subsequent per\-client SSL connections. We specifically load a QUIC
+\& * server method here.
+\& */
+\& ctx = SSL_CTX_new(OSSL_QUIC_server_method());
+\& if (ctx == NULL)
+\& goto err;
+.Ve
+.PP
+Servers need a private key and certificate. Intermediate issuer CA
+certificates are often required, and both the server (end-entity or EE)
+certificate and the issuer ("chain") certificates are most easily configured in
+a single "chain file". Below we load such a chain file (the EE certificate
+must appear first), and then load the corresponding private key, checking that
+it matches the server certificate. No checks are performed to check the
+integrity of the chain (CA signatures or certificate expiration dates, for
+example), but we do verify the consistency of the private key with the
+corresponding certificate.
+.PP
+.Vb 10
+\& /*
+\& * Load the server\*(Aqs certificate *chain* file (PEM format), which includes
+\& * not only the leaf (end\-entity) server certificate, but also any
+\& * intermediate issuer\-CA certificates. The leaf certificate must be the
+\& * first certificate in the file.
+\& *
+\& * In advanced use\-cases this can be called multiple times, once per public
+\& * key algorithm for which the server has a corresponding certificate.
+\& * However, the corresponding private key (see below) must be loaded first,
+\& * *before* moving on to the next chain file.
+\& */
+\& if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) <= 0) {
+\& fprintf(stderr, "couldn\*(Aqt load certificate file: %s\en", cert_path);
+\& goto err;
+\& }
+\&
+\& /*
+\& * Load the corresponding private key, this also checks that the private
+\& * key matches the just loaded end\-entity certificate. It does not check
+\& * whether the certificate chain is valid, the certificates could be
+\& * expired, or may otherwise fail to form a chain that a client can
+\& * validate.
+\& */
+\& if (SSL_CTX_use_PrivateKey_file(ctx, key_path, SSL_FILETYPE_PEM) <= 0) {
+\& fprintf(stderr, "couldn\*(Aqt load key file: %s\en", key_path);
+\& goto err;
+\& }
+.Ve
+.PP
+Most servers, including this one, do not solicit client certificates. We
+therefore do not need a "trust store" and allow the handshake to complete even
+when the client does not present a certificate. Note: Even if a client did
+present a trusted certificate, for it to be useful, the server application
+would still need custom code to use the verified identity to grant nondefault
+access to that particular client. Some servers grant access to all clients
+with certificates from a private CA, this then requires processing of
+certificate revocation lists to deauthorise a client. It is often simpler and
+more secure to instead keep a list of authorised public keys.
+.PP
+Though this is the default setting, we explicitly call the
+\&\fBSSL_CTX_set_verify\fR\|(3) function and pass the \fBSSL_VERIFY_NONE\fR value to it.
+The final argument to this function is a callback that you can optionally
+supply to override the default handling for certificate verification. Most
+applications do not need to do this so this can safely be set to NULL to get
+the default handling.
+.PP
+.Vb 12
+\& /*
+\& * Clients rarely employ certificate\-based authentication, and so we don\*(Aqt
+\& * require "mutual" TLS authentication (indeed there\*(Aqs no way to know
+\& * whether or how the client authenticated the server, so the term "mutual"
+\& * is potentially misleading).
+\& *
+\& * Since we\*(Aqre not soliciting or processing client certificates, we don\*(Aqt
+\& * need to configure a trusted\-certificate store, so no call to
+\& * SSL_CTX_set_default_verify_paths() is needed. The server\*(Aqs own
+\& * certificate chain is assumed valid.
+\& */
+\& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+.Ve
+.PP
+QUIC also dictates using Application-Layer Protocol Negotiation (ALPN) to select
+an application protocol. We use \fBSSL_CTX_set_alpn_select_cb\fR\|(3) for this
+purpose. We can pass a callback which will be called for each connection to
+select an ALPN the server considers acceptable.
+.PP
+.Vb 2
+\& /* Setup ALPN negotiation callback to decide which ALPN is accepted. */
+\& SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL);
+.Ve
+.PP
+In this case, we only accept "http/1.0" and "hq-interop".
+.PP
+.Vb 8
+\& /*
+\& * ALPN strings for TLS handshake. Only \*(Aqhttp/1.0\*(Aq and \*(Aqhq\-interop\*(Aq
+\& * are accepted.
+\& */
+\& static const unsigned char alpn_ossltest[] = {
+\& 8, \*(Aqh\*(Aq, \*(Aqt\*(Aq, \*(Aqt\*(Aq, \*(Aqp\*(Aq, \*(Aq/\*(Aq, \*(Aq1\*(Aq, \*(Aq.\*(Aq, \*(Aq0\*(Aq,
+\& 10, \*(Aqh\*(Aq, \*(Aqq\*(Aq, \*(Aq\-\*(Aq, \*(Aqi\*(Aq, \*(Aqn\*(Aq, \*(Aqt\*(Aq, \*(Aqe\*(Aq, \*(Aqr\*(Aq, \*(Aqo\*(Aq, \*(Aqp\*(Aq,
+\& };
+\&
+\& static int select_alpn(SSL *ssl, const unsigned char **out,
+\& unsigned char *out_len, const unsigned char *in,
+\& unsigned int in_len, void *arg)
+\& {
+\& if (SSL_select_next_proto((unsigned char **)out, out_len, alpn_ossltest,
+\& sizeof(alpn_ossltest), in,
+\& in_len) == OPENSSL_NPN_NEGOTIATED)
+\& return SSL_TLSEXT_ERR_OK;
+\& return SSL_TLSEXT_ERR_ALERT_FATAL;
+\& }
+.Ve
+.PP
+That is all the setup that we need to do for the \fBSSL_CTX\fR. Next, we create a
+UDP socket and bind to it on localhost.
+.PP
+.Vb 5
+\& /* Retrieve the file descriptor for a new UDP socket */
+\& if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+\& fprintf(stderr, "cannot create socket");
+\& goto err;
+\& }
+\&
+\& sa.sin_family = AF_INET;
+\& sa.sin_port = htons(port);
+\&
+\& /* Bind to the new UDP socket on localhost */
+\& if (bind(fd, (const struct sockaddr *)&sa, sizeof(sa)) < 0) {
+\& fprintf(stderr, "cannot bind to %u\en", port);
+\& BIO_closesocket(fd);
+\& goto err;
+\& }
+.Ve
+.PP
+To run the QUIC server, we create an \fBSSL_LISTENER\fR to listen for incoming
+connections. We provide it with the bound UDP port to then explicitly begin
+listening for new connections.
+.PP
+.Vb 8
+\& /*
+\& * Create a new QUIC listener. Listeners, and other QUIC objects, default
+\& * to operating in blocking mode. The configured behaviour is inherited by
+\& * child objects.
+\& */
+\& if ((listener = SSL_new_listener(ctx, 0)) == NULL) {
+\& goto err;
+\& }
+\&
+\& /* Provide the listener with our UDP socket. */
+\& if (!SSL_set_fd(listener, fd))
+\& goto err;
+\&
+\& /* Begin listening. */
+\& if (!SSL_listen(listener))
+\& goto err;
+.Ve
+.SS "Server loop"
+.IX Subsection "Server loop"
+The server now enters a "forever" loop, handling one client connection at a
+time. Before each connection, we clear the OpenSSL error stack so that any
+error reports are related to just the new connection.
+.PP
+.Vb 2
+\& /* Pristine error stack for each new connection */
+\& ERR_clear_error();
+.Ve
+.PP
+At this point, the server blocks to accept the next client.
+\&\fBSSL_accept_connection\fR\|(3) will return an accepted connection within a fresh
+SSL, in which the handshake will have already occurred.
+.PP
+.Vb 6
+\& /* Block while waiting for a client connection */
+\& conn = SSL_accept_connection(listener, 0);
+\& if (conn == NULL) {
+\& fprintf(stderr, "error while accepting connection\en");
+\& goto err;
+\& }
+.Ve
+.PP
+With the handshake complete, the server echoes client input back to the client
+in a loop.
+.PP
+.Vb 8
+\& while (SSL_read_ex(conn, buf, sizeof(buf), &nread) > 0) {
+\& if (SSL_write_ex(conn, buf, nread, &nwritten) > 0 &&
+\& nwritten == nread) {
+\& continue;
+\& }
+\& fprintf(stderr, "Error echoing client input");
+\& break;
+\& }
+.Ve
+.PP
+Once the client closes its connection, we signal the end of the stream by using
+\&\fBSSL_stream_conclude\fR\|(3). This will send a final Finished packet to the
+client.
+.PP
+.Vb 6
+\& /* Signal the end of the stream. */
+\& if (SSL_stream_conclude(conn, 0) != 1) {
+\& fprintf(stderr, "Unable to conclude stream\en");
+\& SSL_free(conn);
+\& goto err;
+\& }
+.Ve
+.PP
+We then shut down the connection with \fBSSL_shutdown_ex\fR\|(3), which may need
+to be called multiple times to ensure the connection is shutdown completely.
+.PP
+.Vb 4
+\& while (SSL_shutdown_ex(conn, 0, &shutdown_args,
+\& sizeof(SSL_SHUTDOWN_EX_ARGS)) != 1) {
+\& fprintf(stderr, "Re\-attempting SSL shutdown\en");
+\& }
+.Ve
+.PP
+Finally, we free the SSL connection, and the server is now ready to accept the
+next client connection.
+.PP
+.Vb 1
+\& SSL_free(conn);
+.Ve
+.SS "Final clean up"
+.IX Subsection "Final clean up"
+If the server somehow manages to break out of the infinite loop and
+be ready to exit, it would deallocate the constructed \fBSSL\fR.
+.PP
+.Vb 1
+\& SSL_free(listener);
+.Ve
+.PP
+And in the main function, it would deallocate the constructed \fBSSL_CTX\fR.
+.PP
+.Vb 4
+\& SSL_CTX_free(ctx);
+\& BIO_closesocket(fd);
+\& res = EXIT_SUCCESS;
+\& return res;
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-quic\-introduction\fR\|(7),
+\&\fBossl\-guide\-quic\-client\-non\-block\fR\|(7), \fBossl\-guide\-quic\-client\-block\fR\|(7),
+\&\fBossl\-guide\-tls\-server\-block\fR\|(7), \fBossl\-guide\-quic\-server\-non\-block\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7
new file mode 100644
index 000000000000..72bc39fb092f
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-quic-server-non-block.7
@@ -0,0 +1,447 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl"
+.TH OSSL-GUIDE-QUIC-SERVER-NON-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-quic\-server\-non\-block
+\&\- OpenSSL Guide: Writing a simple nonblocking QUIC server
+.SH "SIMPLE NONBLOCKING QUIC SERVER EXAMPLE"
+.IX Header "SIMPLE NONBLOCKING QUIC SERVER EXAMPLE"
+This page presents various source code samples demonstrating how to write a
+simple, non-concurrent, QUIC "echo" server application which accepts one client
+connection at a time, echoing input from the client back to the same client.
+Once the current client disconnects, the next client connection is accepted.
+.PP
+The server only accepts \f(CW\*(C`http/1.0\*(C'\fR and \f(CW\*(C`hq\-interop\*(C'\fR ALPN's and doesn't actually
+implement HTTP but only does a simple echo. This is non-standard and will not
+be supported by real world servers. This is for demonstration purposes only.
+.PP
+There are various methods to test this server: \fBquic\-client\-block.c\fR and
+\&\fBquic\-client\-non\-block.c\fR will send a basic HTTP/1.0 request, which the server
+will echo back. You can also test this server by running
+\&\f(CW\*(C`openssl s_client \-connect localhost:4443 \-4 \-quic \-alpn http/1.0\*(C'\fR and entering
+text that will be echoed back by the server.
+.PP
+Both the listening socket and connected socket are "nonblocking". However,
+we use \fBselect()\fR to make the listening socket block when it cannot read/write.
+Rather than stopping and waiting, your application may need to go and do other
+tasks whilst the \fBSSL\fR object is unable to read/write. For example: updating a
+GUI or performing operations on some other connection or stream.
+.PP
+The complete source code for this example nonblocking QUIC server is available
+in the \fBdemos/guide\fR directory of the OpenSSL source distribution in the file
+\&\fBquic\-server\-non\-block.c\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/quic\-server\-non\-block.c>.
+.PP
+We assume that you already have OpenSSL installed on your system; that you
+already have some fundamental understanding of OpenSSL concepts and QUIC (see
+\&\fBossl\-guide\-libraries\-introduction\fR\|(7) and \fBossl\-guide\-quic\-introduction\fR\|(7));
+and that you know how to write and build C code and link it against the
+libcrypto and libssl libraries that are provided by OpenSSL. It also assumes
+that you have a basic understanding of UDP/IP and sockets.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+The first step is to create an \fBSSL_CTX\fR object for our server. We use the
+\&\fBSSL_CTX_new\fR\|(3) function for this purpose. We pass as an argument the return
+value of the function \fBOSSL_QUIC_server_method\fR\|(3). You should use this method
+whenever you are writing a QUIC server.
+.PP
+.Vb 8
+\& /*
+\& * An SSL_CTX holds shared configuration information for multiple
+\& * subsequent per\-client SSL connections. We specifically load a QUIC
+\& * server method here.
+\& */
+\& ctx = SSL_CTX_new(OSSL_QUIC_server_method());
+\& if (ctx == NULL)
+\& goto err;
+.Ve
+.PP
+Servers need a private key and certificate. Intermediate issuer CA
+certificates are often required, and both the server (end-entity or EE)
+certificate and the issuer ("chain") certificates are most easily configured in
+a single "chain file". Below we load such a chain file (the EE certificate
+must appear first), and then load the corresponding private key, checking that
+it matches the server certificate. No checks are performed to check the
+integrity of the chain (CA signatures or certificate expiration dates, for
+example), but we do verify the consistency of the private key with the
+corresponding certificate.
+.PP
+.Vb 10
+\& /*
+\& * Load the server\*(Aqs certificate *chain* file (PEM format), which includes
+\& * not only the leaf (end\-entity) server certificate, but also any
+\& * intermediate issuer\-CA certificates. The leaf certificate must be the
+\& * first certificate in the file.
+\& *
+\& * In advanced use\-cases this can be called multiple times, once per public
+\& * key algorithm for which the server has a corresponding certificate.
+\& * However, the corresponding private key (see below) must be loaded first,
+\& * *before* moving on to the next chain file.
+\& */
+\& if (SSL_CTX_use_certificate_chain_file(ctx, cert_path) <= 0) {
+\& fprintf(stderr, "couldn\*(Aqt load certificate file: %s\en", cert_path);
+\& goto err;
+\& }
+\&
+\& /*
+\& * Load the corresponding private key, this also checks that the private
+\& * key matches the just loaded end\-entity certificate. It does not check
+\& * whether the certificate chain is valid, the certificates could be
+\& * expired, or may otherwise fail to form a chain that a client can
+\& * validate.
+\& */
+\& if (SSL_CTX_use_PrivateKey_file(ctx, key_path, SSL_FILETYPE_PEM) <= 0) {
+\& fprintf(stderr, "couldn\*(Aqt load key file: %s\en", key_path);
+\& goto err;
+\& }
+.Ve
+.PP
+Most servers, including this one, do not solicit client certificates. We
+therefore do not need a "trust store" and allow the handshake to complete even
+when the client does not present a certificate. Note: Even if a client did
+present a trusted certificate, for it to be useful, the server application
+would still need custom code to use the verified identity to grant nondefault
+access to that particular client. Some servers grant access to all clients
+with certificates from a private CA, this then requires processing of
+certificate revocation lists to deauthorise a client. It is often simpler and
+more secure to instead keep a list of authorised public keys.
+.PP
+Though this is the default setting, we explicitly call the
+\&\fBSSL_CTX_set_verify\fR\|(3) function and pass the \fBSSL_VERIFY_NONE\fR value to it.
+The final argument to this function is a callback that you can optionally
+supply to override the default handling for certificate verification. Most
+applications do not need to do this so this can safely be set to NULL to get
+the default handling.
+.PP
+.Vb 12
+\& /*
+\& * Clients rarely employ certificate\-based authentication, and so we don\*(Aqt
+\& * require "mutual" TLS authentication (indeed there\*(Aqs no way to know
+\& * whether or how the client authenticated the server, so the term "mutual"
+\& * is potentially misleading).
+\& *
+\& * Since we\*(Aqre not soliciting or processing client certificates, we don\*(Aqt
+\& * need to configure a trusted\-certificate store, so no call to
+\& * SSL_CTX_set_default_verify_paths() is needed. The server\*(Aqs own
+\& * certificate chain is assumed valid.
+\& */
+\& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+.Ve
+.PP
+QUIC also dictates using Application-Layer Protocol Negotiation (ALPN) to select
+an application protocol. We use \fBSSL_CTX_set_alpn_select_cb\fR\|(3) for this
+purpose. We can pass a callback which will be called for each connection to
+select an ALPN the server considers acceptable.
+.PP
+.Vb 2
+\& /* Setup ALPN negotiation callback to decide which ALPN is accepted. */
+\& SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL);
+.Ve
+.PP
+In this case, we only accept "http/1.0" and "hq-interop".
+.PP
+.Vb 8
+\& /*
+\& * ALPN strings for TLS handshake. Only \*(Aqhttp/1.0\*(Aq and \*(Aqhq\-interop\*(Aq
+\& * are accepted.
+\& */
+\& static const unsigned char alpn_ossltest[] = {
+\& 8, \*(Aqh\*(Aq, \*(Aqt\*(Aq, \*(Aqt\*(Aq, \*(Aqp\*(Aq, \*(Aq/\*(Aq, \*(Aq1\*(Aq, \*(Aq.\*(Aq, \*(Aq0\*(Aq,
+\& 10, \*(Aqh\*(Aq, \*(Aqq\*(Aq, \*(Aq\-\*(Aq, \*(Aqi\*(Aq, \*(Aqn\*(Aq, \*(Aqt\*(Aq, \*(Aqe\*(Aq, \*(Aqr\*(Aq, \*(Aqo\*(Aq, \*(Aqp\*(Aq,
+\& };
+\&
+\& static int select_alpn(SSL *ssl, const unsigned char **out,
+\& unsigned char *out_len, const unsigned char *in,
+\& unsigned int in_len, void *arg)
+\& {
+\& if (SSL_select_next_proto((unsigned char **)out, out_len, alpn_ossltest,
+\& sizeof(alpn_ossltest), in,
+\& in_len) == OPENSSL_NPN_NEGOTIATED)
+\& return SSL_TLSEXT_ERR_OK;
+\& return SSL_TLSEXT_ERR_ALERT_FATAL;
+\& }
+.Ve
+.PP
+That is all the setup that we need to do for the \fBSSL_CTX\fR. Next, we create a
+UDP socket and bind to it on localhost.
+.PP
+.Vb 5
+\& /* Retrieve the file descriptor for a new UDP socket */
+\& if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
+\& fprintf(stderr, "cannot create socket");
+\& return \-1;
+\& }
+\&
+\& sa.sin_family = AF_INET;
+\& sa.sin_port = htons(port);
+\&
+\& /* Bind to the new UDP socket on localhost */
+\& if (bind(fd, (const struct sockaddr *)&sa, sizeof(sa)) < 0) {
+\& fprintf(stderr, "cannot bind to %u\en", port);
+\& BIO_closesocket(fd);
+\& return \-1;
+\& }
+\&
+\& /* Set port to nonblocking mode */
+\& if (BIO_socket_nbio(fd, 1) <= 0) {
+\& fprintf(stderr, "Unable to set port to nonblocking mode");
+\& BIO_closesocket(fd);
+\& return \-1;
+\& }
+.Ve
+.PP
+To run the QUIC server, we create an \fBSSL_LISTENER\fR to listen for incoming
+connections. We provide it with the bound UDP port to then explicitly begin
+listening for new connections.
+.PP
+.Vb 3
+\& /* Create a new QUIC listener */
+\& if ((listener = SSL_new_listener(ctx, 0)) == NULL)
+\& goto err;
+\&
+\& /* Provide the listener with our UDP socket. */
+\& if (!SSL_set_fd(listener, fd))
+\& goto err;
+\&
+\& /* Set the listener mode to nonblocking, which is inherited by
+\& * child objects.
+\& */
+\& if (!SSL_set_blocking_mode(listener, 0))
+\& goto err;
+\&
+\& /*
+\& * Begin listening. Note that is not usually needed as SSL_accept_connection
+\& * will implicitly start listening. It is only needed if a server wishes to
+\& * ensure it has started to accept incoming connections but does not wish to
+\& * actually call SSL_accept_connection yet.
+\& */
+\& if (!SSL_listen(listener))
+\& goto err;
+.Ve
+.SS "Server loop"
+.IX Subsection "Server loop"
+The server now enters a "forever" loop, handling one client connection at a
+time. Before each connection, we clear the OpenSSL error stack so that any
+error reports are related to just the new connection.
+.PP
+.Vb 2
+\& /* Pristine error stack for each new connection */
+\& ERR_clear_error();
+.Ve
+.PP
+We then wait until a connection is ready for reading.
+It uses the select function to wait until the socket is either readable
+or writable, depending on what the SSL connection requires.
+.PP
+We then accept a new connection in which the handshake will have already
+occurred. However, since we are in nonblocking mode, \fBSSL_accept_connection\fR\|(3)
+will return immediately. Therefore, we use a helper function to essentially
+block until a connection is established.
+.PP
+.Vb 5
+\& printf("Waiting for connection\en");
+\& while ((conn = SSL_accept_connection(listener, 0)) == NULL) {
+\& wait_for_activity(listener);
+\& }
+\& printf("Accepted new connection\en");
+.Ve
+.PP
+The helper function wait_for_activity uses \fBselect()\fR to block until the file
+descriptor belonging to the passed SSL object is readable. As mentioned earlier,
+a more real-world application would likely use this time to perform other tasks.
+.PP
+.Vb 3
+\& /* Initialize the fd_set structure */
+\& FD_ZERO(&read_fd);
+\& FD_ZERO(&write_fd);
+\&
+\& /*
+\& * Determine if we would like to write to the socket, read from it, or both.
+\& */
+\& if (SSL_net_write_desired(ssl))
+\& FD_SET(sock, &write_fd);
+\& if (SSL_net_read_desired(ssl))
+\& FD_SET(sock, &read_fd);
+\&
+\& /*
+\& * Find out when OpenSSL would next like to be called, regardless of
+\& * whether the state of the underlying socket has changed or not.
+\& */
+\& if (SSL_get_event_timeout(ssl, &tv, &isinfinite) && !isinfinite)
+\& tvp = &tv;
+\&
+\& /*
+\& * Wait until the socket is writeable or readable. We use select here
+\& * for the sake of simplicity and portability, but you could equally use
+\& * poll/epoll or similar functions
+\& *
+\& * NOTE: For the purposes of this demonstration code this effectively
+\& * makes this demo block until it has something more useful to do. In a
+\& * real application you probably want to go and do other work here (e.g.
+\& * update a GUI, or service other connections).
+\& *
+\& * Let\*(Aqs say for example that you want to update the progress counter on
+\& * a GUI every 100ms. One way to do that would be to use the timeout in
+\& * the last parameter to "select" below. If the tvp value is greater
+\& * than 100ms then use 100ms instead. Then, when select returns, you
+\& * check if it did so because of activity on the file descriptors or
+\& * because of the timeout. If the 100ms GUI timeout has expired but the
+\& * tvp timeout has not then go and update the GUI and then restart the
+\& * "select" (with updated timeouts).
+\& */
+\&
+\& select(sock + 1, &read_fd, &write_fd, NULL, tvp);
+.Ve
+.PP
+With the handshake complete, the server reads all the client input.
+.PP
+.Vb 10
+\& /* Read from client until the client sends a end of stream packet */
+\& while (!eof) {
+\& ret = SSL_read_ex(conn, buf + total_read, sizeof(buf) \- total_read,
+\& &nread);
+\& total_read += nread;
+\& if (total_read >= 8192) {
+\& fprintf(stderr, "Could not fit all data into buffer\en");
+\& goto err;
+\& }
+\& switch (handle_io_failure(conn, ret)) {
+\& case 1:
+\& continue; /* Retry */
+\& case 0:
+\& /* Reached end of stream */
+\& if (!SSL_has_pending(conn))
+\& eof = 1;
+\& break;
+\& default:
+\& fprintf(stderr, "Failed reading remaining data\en");
+\& goto err;
+\& }
+\& }
+.Ve
+.PP
+Finally, we echo the received data back to the client. We can use
+\&\fBSSL_write_ex2\fR\|(3) to pass in a special flag SSL_WRITE_FLAG_CONCLUDE that will
+send a FIN packet once the write has successfully finished writing all the data
+to the peer.
+.PP
+.Vb 9
+\& /* Echo client input */
+\& while (!SSL_write_ex2(conn, buf,
+\& total_read,
+\& SSL_WRITE_FLAG_CONCLUDE, &total_written)) {
+\& if (handle_io_failure(conn, 0) == 1)
+\& continue;
+\& fprintf(stderr, "Failed to write data\en");
+\& goto err;
+\& }
+.Ve
+.PP
+We then shut down the connection with \fBSSL_shutdown\fR\|(3), which may need
+to be called multiple times to ensure the connection is shutdown completely.
+.PP
+.Vb 8
+\& /*
+\& * Shut down the connection. We may need to call this multiple times
+\& * to ensure the connection is shutdown completely.
+\& */
+\& while ((ret = SSL_shutdown(conn)) != 1) {
+\& if (ret < 0 && handle_io_failure(conn, ret) == 1)
+\& continue; /* Retry */
+\& }
+.Ve
+.PP
+Finally, we free the SSL connection, and the server is now ready to accept the
+next client connection.
+.PP
+.Vb 1
+\& SSL_free(conn);
+.Ve
+.SS "Final clean up"
+.IX Subsection "Final clean up"
+If the server somehow manages to break out of the infinite loop and
+be ready to exit, it would deallocate the constructed \fBSSL\fR.
+.PP
+.Vb 1
+\& SSL_free(listener);
+.Ve
+.PP
+And in the main function, it would deallocate the constructed \fBSSL_CTX\fR.
+.PP
+.Vb 2
+\& SSL_CTX_free(ctx);
+\& BIO_closesocket(fd);
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-quic\-introduction\fR\|(7),
+\&\fBossl\-guide\-quic\-client\-non\-block\fR\|(7), \fBossl\-guide\-quic\-client\-block\fR\|(7),
+\&\fBossl\-guide\-tls\-server\-block\fR\|(7), \fBossl\-guide\-quic\-server\-block\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7
new file mode 100644
index 000000000000..663d5adfb9cd
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-block.7
@@ -0,0 +1,652 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl"
+.TH OSSL-GUIDE-TLS-CLIENT-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-tls\-client\-block
+\&\- OpenSSL Guide: Writing a simple blocking TLS client
+.SH "SIMPLE BLOCKING TLS CLIENT EXAMPLE"
+.IX Header "SIMPLE BLOCKING TLS CLIENT EXAMPLE"
+This page will present various source code samples demonstrating how to write
+a simple TLS client application which connects to a server, sends an HTTP/1.0
+request to it, and reads back the response.
+.PP
+We use a blocking socket for the purposes of this example. This means that
+attempting to read data from a socket that has no data available on it to read
+will block (and the function will not return), until data becomes available.
+For example, this can happen if we have sent our request, but we are still
+waiting for the server's response. Similarly any attempts to write to a socket
+that is not able to write at the moment will block until writing is possible.
+.PP
+This blocking behaviour simplifies the implementation of a client because you do
+not have to worry about what happens if data is not yet available. The
+application will simply wait until it is available.
+.PP
+The complete source code for this example blocking TLS client is available in
+the \fBdemos/guide\fR directory of the OpenSSL source distribution in the file
+\&\fBtls\-client\-block.c\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/tls\-client\-block.c>.
+.PP
+We assume that you already have OpenSSL installed on your system; that you
+already have some fundamental understanding of OpenSSL concepts and TLS (see
+\&\fBossl\-guide\-libraries\-introduction\fR\|(7) and \fBossl\-guide\-tls\-introduction\fR\|(7));
+and that you know how to write and build C code and link it against the
+libcrypto and libssl libraries that are provided by OpenSSL. It also assumes
+that you have a basic understanding of TCP/IP and sockets.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+The first step is to create an \fBSSL_CTX\fR object for our client. We use the
+\&\fBSSL_CTX_new\fR\|(3) function for this purpose. We could alternatively use
+\&\fBSSL_CTX_new_ex\fR\|(3) if we want to associate the \fBSSL_CTX\fR with a particular
+\&\fBOSSL_LIB_CTX\fR (see \fBossl\-guide\-libraries\-introduction\fR\|(7) to learn about
+\&\fBOSSL_LIB_CTX\fR). We pass as an argument the return value of the function
+\&\fBTLS_client_method\fR\|(3). You should use this method whenever you are writing a
+TLS client. This method will automatically use TLS version negotiation to select
+the highest version of the protocol that is mutually supported by both the
+client and the server.
+.PP
+.Vb 10
+\& /*
+\& * Create an SSL_CTX which we can use to create SSL objects from. We
+\& * want an SSL_CTX for creating clients so we use TLS_client_method()
+\& * here.
+\& */
+\& ctx = SSL_CTX_new(TLS_client_method());
+\& if (ctx == NULL) {
+\& printf("Failed to create the SSL_CTX\en");
+\& goto end;
+\& }
+.Ve
+.PP
+Since we are writing a client we must ensure that we verify the server's
+certificate. We do this by calling the \fBSSL_CTX_set_verify\fR\|(3) function and
+pass the \fBSSL_VERIFY_PEER\fR value to it. The final argument to this function
+is a callback that you can optionally supply to override the default handling
+for certificate verification. Most applications do not need to do this so this
+can safely be set to NULL to get the default handling.
+.PP
+.Vb 6
+\& /*
+\& * Configure the client to abort the handshake if certificate
+\& * verification fails. Virtually all clients should do this unless you
+\& * really know what you are doing.
+\& */
+\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+.Ve
+.PP
+In order for certificate verification to be successful you must have configured
+where the trusted certificate store to be used is located (see
+\&\fBossl\-guide\-tls\-introduction\fR\|(7)). In most cases you just want to use the
+default store so we call \fBSSL_CTX_set_default_verify_paths\fR\|(3).
+.PP
+.Vb 5
+\& /* Use the default trusted certificate store */
+\& if (!SSL_CTX_set_default_verify_paths(ctx)) {
+\& printf("Failed to set the default trusted certificate store\en");
+\& goto end;
+\& }
+.Ve
+.PP
+We would also like to restrict the TLS versions that we are willing to accept to
+TLSv1.2 or above. TLS protocol versions earlier than that are generally to be
+avoided where possible. We can do that using
+\&\fBSSL_CTX_set_min_proto_version\fR\|(3):
+.PP
+.Vb 8
+\& /*
+\& * TLSv1.1 or earlier are deprecated by IETF and are generally to be
+\& * avoided if possible. We require a minimum TLS version of TLSv1.2.
+\& */
+\& if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
+\& printf("Failed to set the minimum TLS protocol version\en");
+\& goto end;
+\& }
+.Ve
+.PP
+That is all the setup that we need to do for the \fBSSL_CTX\fR, so next we need to
+create an \fBSSL\fR object to represent the TLS connection. In a real application
+we might expect to be creating more than one TLS connection over time. In that
+case we would expect to reuse the \fBSSL_CTX\fR that we already created each time.
+There is no need to repeat those steps. In fact it is best not to since certain
+internal resources are cached in the \fBSSL_CTX\fR. You will get better performance
+by reusing an existing \fBSSL_CTX\fR instead of creating a new one each time.
+.PP
+Creating the \fBSSL\fR object is a simple matter of calling the \fBSSL_new\|(3)\fR
+function and passing the \fBSSL_CTX\fR we created as an argument.
+.PP
+.Vb 6
+\& /* Create an SSL object to represent the TLS connection */
+\& ssl = SSL_new(ctx);
+\& if (ssl == NULL) {
+\& printf("Failed to create the SSL object\en");
+\& goto end;
+\& }
+.Ve
+.SS "Creating the socket and BIO"
+.IX Subsection "Creating the socket and BIO"
+TLS data is transmitted over an underlying transport layer. Normally a TCP
+socket. It is the application's responsibility for ensuring that the socket is
+created and associated with an SSL object (via a BIO).
+.PP
+Socket creation for use by a client is typically a 2 step process, i.e.
+constructing the socket; and connecting the socket.
+.PP
+How to construct a socket is platform specific \- but most platforms (including
+Windows) provide a POSIX compatible interface via the \fIsocket\fR function, e.g.
+to create an IPv4 TCP socket:
+.PP
+.Vb 1
+\& int sock;
+\&
+\& sock = socket(AF_INET, SOCK_STREAM, 0);
+\& if (sock == \-1)
+\& return NULL;
+.Ve
+.PP
+Once the socket is constructed it must be connected to the remote server. Again
+the details are platform specific but most platforms (including Windows)
+provide the POSIX compatible \fIconnect\fR function. For example:
+.PP
+.Vb 2
+\& struct sockaddr_in serveraddr;
+\& struct hostent *server;
+\&
+\& server = gethostbyname("www.openssl.org");
+\& if (server == NULL) {
+\& close(sock);
+\& return NULL;
+\& }
+\&
+\& memset(&serveraddr, 0, sizeof(serveraddr));
+\& serveraddr.sin_family = server\->h_addrtype;
+\& serveraddr.sin_port = htons(443);
+\& memcpy(&serveraddr.sin_addr.s_addr, server\->h_addr, server\->h_length);
+\&
+\& if (connect(sock, (struct sockaddr *)&serveraddr,
+\& sizeof(serveraddr)) == \-1) {
+\& close(sock);
+\& return NULL;
+\& }
+.Ve
+.PP
+OpenSSL provides portable helper functions to do these tasks which also
+integrate into the OpenSSL error system to log error data, e.g.
+.PP
+.Vb 3
+\& int sock = \-1;
+\& BIO_ADDRINFO *res;
+\& const BIO_ADDRINFO *ai = NULL;
+\&
+\& /*
+\& * Lookup IP address info for the server.
+\& */
+\& if (!BIO_lookup_ex(hostname, port, BIO_LOOKUP_CLIENT, family, SOCK_STREAM, 0,
+\& &res))
+\& return NULL;
+\&
+\& /*
+\& * Loop through all the possible addresses for the server and find one
+\& * we can connect to.
+\& */
+\& for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
+\& /*
+\& * Create a TCP socket. We could equally use non\-OpenSSL calls such
+\& * as "socket" here for this and the subsequent connect and close
+\& * functions. But for portability reasons and also so that we get
+\& * errors on the OpenSSL stack in the event of a failure we use
+\& * OpenSSL\*(Aqs versions of these functions.
+\& */
+\& sock = BIO_socket(BIO_ADDRINFO_family(ai), SOCK_STREAM, 0, 0);
+\& if (sock == \-1)
+\& continue;
+\&
+\& /* Connect the socket to the server\*(Aqs address */
+\& if (!BIO_connect(sock, BIO_ADDRINFO_address(ai), BIO_SOCK_NODELAY)) {
+\& BIO_closesocket(sock);
+\& sock = \-1;
+\& continue;
+\& }
+\&
+\& /* We have a connected socket so break out of the loop */
+\& break;
+\& }
+\&
+\& /* Free the address information resources we allocated earlier */
+\& BIO_ADDRINFO_free(res);
+.Ve
+.PP
+See \fBBIO_lookup_ex\fR\|(3), \fBBIO_socket\fR\|(3), \fBBIO_connect\fR\|(3),
+\&\fBBIO_closesocket\fR\|(3), \fBBIO_ADDRINFO_next\fR\|(3), \fBBIO_ADDRINFO_address\fR\|(3) and
+\&\fBBIO_ADDRINFO_free\fR\|(3) for further information on the functions used here. In
+the above example code the \fBhostname\fR and \fBport\fR variables are strings, e.g.
+"www.example.com" and "443". Note also the use of the family variable, which
+can take the values of AF_INET or AF_INET6 based on the command line \-6 option,
+to allow specific connections to an ipv4 or ipv6 enabled host.
+.PP
+Sockets created using the methods described above will automatically be blocking
+sockets \- which is exactly what we want for this example.
+.PP
+Once the socket has been created and connected we need to associate it with a
+BIO object:
+.PP
+.Vb 1
+\& BIO *bio;
+\&
+\& /* Create a BIO to wrap the socket */
+\& bio = BIO_new(BIO_s_socket());
+\& if (bio == NULL) {
+\& BIO_closesocket(sock);
+\& return NULL;
+\& }
+\&
+\& /*
+\& * Associate the newly created BIO with the underlying socket. By
+\& * passing BIO_CLOSE here the socket will be automatically closed when
+\& * the BIO is freed. Alternatively you can use BIO_NOCLOSE, in which
+\& * case you must close the socket explicitly when it is no longer
+\& * needed.
+\& */
+\& BIO_set_fd(bio, sock, BIO_CLOSE);
+.Ve
+.PP
+See \fBBIO_new\fR\|(3), \fBBIO_s_socket\fR\|(3) and \fBBIO_set_fd\fR\|(3) for further
+information on these functions.
+.PP
+Finally we associate the \fBSSL\fR object we created earlier with the \fBBIO\fR using
+the \fBSSL_set_bio\fR\|(3) function. Note that this passes ownership of the \fBBIO\fR
+object to the \fBSSL\fR object. Once ownership is passed the SSL object is
+responsible for its management and will free it automatically when the \fBSSL\fR is
+freed. So, once \fBSSL_set_bio\fR\|(3) has been been called, you should not call
+\&\fBBIO_free\fR\|(3) on the \fBBIO\fR.
+.PP
+.Vb 1
+\& SSL_set_bio(ssl, bio, bio);
+.Ve
+.SS "Setting the server's hostname"
+.IX Subsection "Setting the server's hostname"
+We have already connected our underlying socket to the server, but the client
+still needs to know the server's hostname. It uses this information for 2 key
+purposes and we need to set the hostname for each one.
+.PP
+Firstly, the server's hostname is included in the initial ClientHello message
+sent by the client. This is known as the Server Name Indication (SNI). This is
+important because it is common for multiple hostnames to be fronted by a single
+server that handles requests for all of them. In other words a single server may
+have multiple hostnames associated with it and it is important to indicate which
+one we want to connect to. Without this information we may get a handshake
+failure, or we may get connected to the "default" server which may not be the
+one we were expecting.
+.PP
+To set the SNI hostname data we call the \fBSSL_set_tlsext_host_name\fR\|(3) function
+like this:
+.PP
+.Vb 8
+\& /*
+\& * Tell the server during the handshake which hostname we are attempting
+\& * to connect to in case the server supports multiple hosts.
+\& */
+\& if (!SSL_set_tlsext_host_name(ssl, hostname)) {
+\& printf("Failed to set the SNI hostname\en");
+\& goto end;
+\& }
+.Ve
+.PP
+Here the \f(CW\*(C`hostname\*(C'\fR argument is a string representing the hostname of the
+server, e.g. "www.example.com".
+.PP
+Secondly, we need to tell OpenSSL what hostname we expect to see in the
+certificate coming back from the server. This is almost always the same one that
+we asked for in the original request. This is important because, without this,
+we do not verify that the hostname in the certificate is what we expect it to be
+and any certificate is acceptable unless your application explicitly checks this
+itself. We do this via the \fBSSL_set1_host\fR\|(3) function:
+.PP
+.Vb 10
+\& /*
+\& * Ensure we check during certificate verification that the server has
+\& * supplied a certificate for the hostname that we were expecting.
+\& * Virtually all clients should do this unless you really know what you
+\& * are doing.
+\& */
+\& if (!SSL_set1_host(ssl, hostname)) {
+\& printf("Failed to set the certificate verification hostname");
+\& goto end;
+\& }
+.Ve
+.PP
+All of the above steps must happen before we attempt to perform the handshake
+otherwise they will have no effect.
+.SS "Performing the handshake"
+.IX Subsection "Performing the handshake"
+Before we can start sending or receiving application data over a TLS connection
+the TLS handshake must be performed. We can do this explicitly via the
+\&\fBSSL_connect\fR\|(3) function.
+.PP
+.Vb 12
+\& /* Do the handshake with the server */
+\& if (SSL_connect(ssl) < 1) {
+\& printf("Failed to connect to the server\en");
+\& /*
+\& * If the failure is due to a verification error we can get more
+\& * information about it from SSL_get_verify_result().
+\& */
+\& if (SSL_get_verify_result(ssl) != X509_V_OK)
+\& printf("Verify error: %s\en",
+\& X509_verify_cert_error_string(SSL_get_verify_result(ssl)));
+\& goto end;
+\& }
+.Ve
+.PP
+The \fBSSL_connect\fR\|(3) function can return 1, 0 or less than 0. Only a return
+value of 1 is considered a success. For a simple blocking client we only need
+to concern ourselves with whether the call was successful or not. Anything else
+indicates that we have failed to connect to the server.
+.PP
+A common cause of failures at this stage is due to a problem verifying the
+server's certificate. For example if the certificate has expired, or it is not
+signed by a CA in our trusted certificate store. We can use the
+\&\fBSSL_get_verify_result\fR\|(3) function to find out more information about the
+verification failure. A return value of \fBX509_V_OK\fR indicates that the
+verification was successful (so the connection error must be due to some other
+cause). Otherwise we use the \fBX509_verify_cert_error_string\fR\|(3) function to get
+a human readable error message.
+.SS "Sending and receiving data"
+.IX Subsection "Sending and receiving data"
+Once the handshake is complete we are able to send and receive application data.
+Exactly what data is sent and in what order is usually controlled by some
+application level protocol. In this example we are using HTTP 1.0 which is a
+very simple request and response protocol. The client sends a request to the
+server. The server sends the response data and then immediately closes down the
+connection.
+.PP
+To send data to the server we use the \fBSSL_write_ex\fR\|(3) function and to receive
+data from the server we use the \fBSSL_read_ex\fR\|(3) function. In HTTP 1.0 the
+client always writes data first. Our HTTP request will include the hostname that
+we are connecting to. For simplicity, we write the HTTP request in three
+chunks. First we write the start of the request. Secondly we write the hostname
+we are sending the request to. Finally we send the end of the request.
+.PP
+.Vb 3
+\& size_t written;
+\& const char *request_start = "GET / HTTP/1.0\er\enConnection: close\er\enHost: ";
+\& const char *request_end = "\er\en\er\en";
+\&
+\& /* Write an HTTP GET request to the peer */
+\& if (!SSL_write_ex(ssl, request_start, strlen(request_start), &written)) {
+\& printf("Failed to write start of HTTP request\en");
+\& goto end;
+\& }
+\& if (!SSL_write_ex(ssl, hostname, strlen(hostname), &written)) {
+\& printf("Failed to write hostname in HTTP request\en");
+\& goto end;
+\& }
+\& if (!SSL_write_ex(ssl, request_end, strlen(request_end), &written)) {
+\& printf("Failed to write end of HTTP request\en");
+\& goto end;
+\& }
+.Ve
+.PP
+The \fBSSL_write_ex\fR\|(3) function returns 0 if it fails and 1 if it is successful.
+If it is successful then we can proceed to waiting for a response from the
+server.
+.PP
+.Vb 2
+\& size_t readbytes;
+\& char buf[160];
+\&
+\& /*
+\& * Get up to sizeof(buf) bytes of the response. We keep reading until the
+\& * server closes the connection.
+\& */
+\& while (SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) {
+\& /*
+\& * OpenSSL does not guarantee that the returned data is a string or
+\& * that it is NUL terminated so we use fwrite() to write the exact
+\& * number of bytes that we read. The data could be non\-printable or
+\& * have NUL characters in the middle of it. For this simple example
+\& * we\*(Aqre going to print it to stdout anyway.
+\& */
+\& fwrite(buf, 1, readbytes, stdout);
+\& }
+\& /* In case the response didn\*(Aqt finish with a newline we add one now */
+\& printf("\en");
+.Ve
+.PP
+We use the \fBSSL_read_ex\fR\|(3) function to read the response. We don't know
+exactly how much data we are going to receive back so we enter a loop reading
+blocks of data from the server and printing each block that we receive to the
+screen. The loop ends as soon as \fBSSL_read_ex\fR\|(3) returns 0 \- meaning that it
+failed to read any data.
+.PP
+A failure to read data could mean that there has been some error, or it could
+simply mean that server has sent all the data that it wants to send and has
+indicated that it has finished by sending a "close_notify" alert. This alert is
+a TLS protocol level message indicating that the endpoint has finished sending
+all of its data and it will not send any more. Both of these conditions result
+in a 0 return value from \fBSSL_read_ex\fR\|(3) and we need to use the function
+\&\fBSSL_get_error\fR\|(3) to determine the cause of the 0 return value.
+.PP
+.Vb 10
+\& /*
+\& * Check whether we finished the while loop above normally or as the
+\& * result of an error. The 0 argument to SSL_get_error() is the return
+\& * code we received from the SSL_read_ex() call. It must be 0 in order
+\& * to get here. Normal completion is indicated by SSL_ERROR_ZERO_RETURN.
+\& */
+\& if (SSL_get_error(ssl, 0) != SSL_ERROR_ZERO_RETURN) {
+\& /*
+\& * Some error occurred other than a graceful close down by the
+\& * peer
+\& */
+\& printf ("Failed reading remaining data\en");
+\& goto end;
+\& }
+.Ve
+.PP
+If \fBSSL_get_error\fR\|(3) returns \fBSSL_ERROR_ZERO_RETURN\fR then we know that the
+server has finished sending its data. Otherwise an error has occurred.
+.SS "Shutting down the connection"
+.IX Subsection "Shutting down the connection"
+Once we have finished reading data from the server then we are ready to close
+the connection down. We do this via the \fBSSL_shutdown\fR\|(3) function which has
+the effect of sending a TLS protocol level message (a "close_notify" alert) to
+the server saying that we have finished writing data:
+.PP
+.Vb 10
+\& /*
+\& * The peer already shutdown gracefully (we know this because of the
+\& * SSL_ERROR_ZERO_RETURN above). We should do the same back.
+\& */
+\& ret = SSL_shutdown(ssl);
+\& if (ret < 1) {
+\& /*
+\& * ret < 0 indicates an error. ret == 0 would be unexpected here
+\& * because that means "we\*(Aqve sent a close_notify and we\*(Aqre waiting
+\& * for one back". But we already know we got one from the peer
+\& * because of the SSL_ERROR_ZERO_RETURN above.
+\& */
+\& printf("Error shutting down\en");
+\& goto end;
+\& }
+.Ve
+.PP
+The \fBSSL_shutdown\fR\|(3) function will either return 1, 0, or less than 0. A
+return value of 1 is a success, and a return value less than 0 is an error. More
+precisely a return value of 1 means that we have sent a "close_notify" alert to
+the server, and that we have also received one back. A return value of 0 means
+that we have sent a "close_notify" alert to the server, but we have not yet
+received one back. Usually in this scenario you would call \fBSSL_shutdown\fR\|(3)
+again which (with a blocking socket) would block until the "close_notify" is
+received. However in this case we already know that the server has sent us a
+"close_notify" because of the SSL_ERROR_ZERO_RETURN that we received from the
+call to \fBSSL_read_ex\fR\|(3). So this scenario should never happen in practice. We
+just treat it as an error in this example.
+.SS "Final clean up"
+.IX Subsection "Final clean up"
+Before the application exits we have to clean up some memory that we allocated.
+If we are exiting due to an error we might also want to display further
+information about that error if it is available to the user:
+.PP
+.Vb 10
+\& /* Success! */
+\& res = EXIT_SUCCESS;
+\& end:
+\& /*
+\& * If something bad happened then we will dump the contents of the
+\& * OpenSSL error stack to stderr. There might be some useful diagnostic
+\& * information there.
+\& */
+\& if (res == EXIT_FAILURE)
+\& ERR_print_errors_fp(stderr);
+\&
+\& /*
+\& * Free the resources we allocated. We do not free the BIO object here
+\& * because ownership of it was immediately transferred to the SSL object
+\& * via SSL_set_bio(). The BIO will be freed when we free the SSL object.
+\& */
+\& SSL_free(ssl);
+\& SSL_CTX_free(ctx);
+\& return res;
+.Ve
+.PP
+To display errors we make use of the \fBERR_print_errors_fp\fR\|(3) function which
+simply dumps out the contents of any errors on the OpenSSL error stack to the
+specified location (in this case \fIstderr\fR).
+.PP
+We need to free up the \fBSSL\fR object that we created for the connection via the
+\&\fBSSL_free\fR\|(3) function. Also, since we are not going to be creating any more
+TLS connections we must also free up the \fBSSL_CTX\fR via a call to
+\&\fBSSL_CTX_free\fR\|(3).
+.SH TROUBLESHOOTING
+.IX Header "TROUBLESHOOTING"
+There are a number of things that might go wrong when running the demo
+application. This section describes some common things you might encounter.
+.SS "Failure to connect the underlying socket"
+.IX Subsection "Failure to connect the underlying socket"
+This could occur for numerous reasons. For example if there is a problem in the
+network route between the client and the server; or a firewall is blocking the
+communication; or the server is not in DNS. Check the network configuration.
+.SS "Verification failure of the server certificate"
+.IX Subsection "Verification failure of the server certificate"
+A verification failure of the server certificate would result in a failure when
+running the \fBSSL_connect\fR\|(3) function. \fBERR_print_errors_fp\fR\|(3) would display
+an error which would look something like this:
+.PP
+.Vb 2
+\& Verify error: unable to get local issuer certificate
+\& 40E74AF1F47F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2069:
+.Ve
+.PP
+A server certificate verification failure could be caused for a number of
+reasons. For example
+.IP "Failure to correctly setup the trusted certificate store" 4
+.IX Item "Failure to correctly setup the trusted certificate store"
+See the page \fBossl\-guide\-tls\-introduction\fR\|(7) and check that your trusted
+certificate store is correctly configured
+.IP "Unrecognised CA" 4
+.IX Item "Unrecognised CA"
+If the CA used by the server's certificate is not in the trusted certificate
+store for the client then this will cause a verification failure during
+connection. Often this can occur if the server is using a self-signed
+certificate (i.e. a test certificate that has not been signed by a CA at all).
+.IP "Missing intermediate CAs" 4
+.IX Item "Missing intermediate CAs"
+This is a server misconfiguration where the client has the relevant root CA in
+its trust store, but the server has not supplied all of the intermediate CA
+certificates between that root CA and the server's own certificate. Therefore
+a trust chain cannot be established.
+.IP "Mismatched hostname" 4
+.IX Item "Mismatched hostname"
+If for some reason the hostname of the server that the client is expecting does
+not match the hostname in the certificate then this will cause verification to
+fail.
+.IP "Expired certificate" 4
+.IX Item "Expired certificate"
+The date that the server's certificate is valid to has passed.
+.PP
+The "unable to get local issuer certificate" we saw in the example above means
+that we have been unable to find the issuer of the server's certificate (or one
+of its intermediate CA certificates) in our trusted certificate store (e.g.
+because the trusted certificate store is misconfigured, or there are missing
+intermediate CAs, or the issuer is simply unrecognised).
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-tls\-client\-non\-block\fR\|(7) to read a tutorial on how to modify
+the client developed on this page to support a nonblocking socket.
+.PP
+See \fBossl\-guide\-tls\-server\-block\fR\|(7) for a tutorial on how to implement a
+simple TLS server handling one client at a time over a blocking socket.
+.PP
+See \fBossl\-guide\-quic\-client\-block\fR\|(7) to read a tutorial on how to modify the
+client developed on this page to support QUIC instead of TLS.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7),
+\&\fBossl\-guide\-tls\-client\-non\-block\fR\|(7), \fBossl\-guide\-quic\-client\-block\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7
new file mode 100644
index 000000000000..f6fe1b1881e7
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-client-non-block.7
@@ -0,0 +1,435 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl"
+.TH OSSL-GUIDE-TLS-CLIENT-NON-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-tls\-client\-non\-block
+\&\- OpenSSL Guide: Writing a simple nonblocking TLS client
+.SH "SIMPLE NONBLOCKING TLS CLIENT EXAMPLE"
+.IX Header "SIMPLE NONBLOCKING TLS CLIENT EXAMPLE"
+This page will build on the example developed on the
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7) page which demonstrates how to write a simple
+blocking TLS client. On this page we will amend that demo code so that it
+supports a nonblocking socket.
+.PP
+The complete source code for this example nonblocking TLS client is available
+in the \fBdemos/guide\fR directory of the OpenSSL source distribution in the file
+\&\fBtls\-client\-non\-block.c\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/tls\-client\-non\-block.c>.
+.PP
+As we saw in the previous example a blocking socket is one which waits (blocks)
+until data is available to read if you attempt to read from it when there is no
+data yet. Similarly it waits when writing if the socket is currently unable to
+write at the moment. This can simplify the development of code because you do
+not have to worry about what to do in these cases. The execution of the code
+will simply stop until it is able to continue. However in many cases you do not
+want this behaviour. Rather than stopping and waiting your application may need
+to go and do other tasks whilst the socket is unable to read/write, for example
+updating a GUI or performing operations on some other socket.
+.PP
+With a nonblocking socket attempting to read or write to a socket that is
+currently unable to read or write will return immediately with a non-fatal
+error. Although OpenSSL does the reading/writing to the socket this nonblocking
+behaviour is propagated up to the application so that OpenSSL I/O functions such
+as \fBSSL_read_ex\fR\|(3) or \fBSSL_write_ex\fR\|(3) will not block.
+.PP
+Since this page is building on the example developed on the
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7) page we assume that you are familiar with it
+and we only explain how this example differs.
+.SS "Setting the socket to be nonblocking"
+.IX Subsection "Setting the socket to be nonblocking"
+The first step in writing an application that supports nonblocking is to set
+the socket into nonblocking mode. A socket will be default be blocking. The
+exact details on how to do this can differ from one platform to another.
+Fortunately OpenSSL offers a portable function that will do this for you:
+.PP
+.Vb 5
+\& /* Set to nonblocking mode */
+\& if (!BIO_socket_nbio(sock, 1)) {
+\& sock = \-1;
+\& continue;
+\& }
+.Ve
+.PP
+You do not have to use OpenSSL's function for this. You can of course directly
+call whatever functions that your Operating System provides for this purpose on
+your platform.
+.SS "Performing work while waiting for the socket"
+.IX Subsection "Performing work while waiting for the socket"
+In a nonblocking application you will need work to perform in the event that
+we want to read or write to the socket, but we are currently unable to. In fact
+this is the whole point of using a nonblocking socket, i.e. to give the
+application the opportunity to do something else. Whatever it is that the
+application has to do, it must also be prepared to come back and retry the
+operation that it previously attempted periodically to see if it can now
+complete. Ideally it would only do this in the event that the state of the
+underlying socket has actually changed (e.g. become readable where it wasn't
+before), but this does not have to be the case. It can retry at any time.
+.PP
+Note that it is important that you retry exactly the same operation that you
+tried last time. You cannot start something new. For example if you were
+attempting to write the text "Hello World" and the operation failed because the
+socket is currently unable to write, then you cannot then attempt to write
+some other text when you retry the operation.
+.PP
+In this demo application we will create a helper function which simulates doing
+other work. In fact, for the sake of simplicity, it will do nothing except wait
+for the state of the socket to change.
+.PP
+We call our function \f(CWwait_for_activity()\fR because all it does is wait until
+the underlying socket has become readable or writeable when it wasn't before.
+.PP
+.Vb 4
+\& static void wait_for_activity(SSL *ssl, int write)
+\& {
+\& fd_set fds;
+\& int width, sock;
+\&
+\& /* Get hold of the underlying file descriptor for the socket */
+\& sock = SSL_get_fd(ssl);
+\&
+\& FD_ZERO(&fds);
+\& FD_SET(sock, &fds);
+\& width = sock + 1;
+\&
+\& /*
+\& * Wait until the socket is writeable or readable. We use select here
+\& * for the sake of simplicity and portability, but you could equally use
+\& * poll/epoll or similar functions
+\& *
+\& * NOTE: For the purposes of this demonstration code this effectively
+\& * makes this demo block until it has something more useful to do. In a
+\& * real application you probably want to go and do other work here (e.g.
+\& * update a GUI, or service other connections).
+\& *
+\& * Let\*(Aqs say for example that you want to update the progress counter on
+\& * a GUI every 100ms. One way to do that would be to add a 100ms timeout
+\& * in the last parameter to "select" below. Then, when select returns,
+\& * you check if it did so because of activity on the file descriptors or
+\& * because of the timeout. If it is due to the timeout then update the
+\& * GUI and then restart the "select".
+\& */
+\& if (write)
+\& select(width, NULL, &fds, NULL, NULL);
+\& else
+\& select(width, &fds, NULL, NULL, NULL);
+\& }
+.Ve
+.PP
+In this example we are using the \f(CW\*(C`select\*(C'\fR function because it is very simple
+to use and is available on most Operating Systems. However you could use any
+other similar function to do the same thing. \f(CW\*(C`select\*(C'\fR waits for the state of
+the underlying socket(s) to become readable/writeable before returning. It also
+supports a "timeout" (as do most other similar functions) so in your own
+applications you can make use of this to periodically wake up and perform work
+while waiting for the socket state to change. But we don't use that timeout
+capability in this example for the sake of simplicity.
+.SS "Handling errors from OpenSSL I/O functions"
+.IX Subsection "Handling errors from OpenSSL I/O functions"
+An application that uses a nonblocking socket will need to be prepared to
+handle errors returned from OpenSSL I/O functions such as \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_write_ex\fR\|(3). Errors may be fatal (for example because the underlying
+connection has failed), or non-fatal (for example because we are trying to read
+from the underlying socket but the data has not yet arrived from the peer).
+.PP
+\&\fBSSL_read_ex\fR\|(3) and \fBSSL_write_ex\fR\|(3) will return 0 to indicate an error and
+\&\fBSSL_read\fR\|(3) and \fBSSL_write\fR\|(3) will return 0 or a negative value to indicate
+an error. \fBSSL_shutdown\fR\|(3) will return a negative value to incidate an error.
+.PP
+In the event of an error an application should call \fBSSL_get_error\fR\|(3) to find
+out what type of error has occurred. If the error is non-fatal and can be
+retried then \fBSSL_get_error\fR\|(3) will return \fBSSL_ERROR_WANT_READ\fR or
+\&\fBSSL_ERROR_WANT_WRITE\fR depending on whether OpenSSL wanted to read to or write
+from the socket but was unable to. Note that a call to \fBSSL_read_ex\fR\|(3) or
+\&\fBSSL_read\fR\|(3) can still generate \fBSSL_ERROR_WANT_WRITE\fR because OpenSSL
+may need to write protocol messages (such as to update cryptographic keys) even
+if the application is only trying to read data. Similarly calls to
+\&\fBSSL_write_ex\fR\|(3) or \fBSSL_write\fR\|(3) might generate \fBSSL_ERROR_WANT_READ\fR.
+.PP
+Another type of non-fatal error that may occur is \fBSSL_ERROR_ZERO_RETURN\fR. This
+indicates an EOF (End-Of-File) which can occur if you attempt to read data from
+an \fBSSL\fR object but the peer has indicated that it will not send any more data
+on it. In this case you may still want to write data to the connection but you
+will not receive any more data.
+.PP
+Fatal errors that may occur are \fBSSL_ERROR_SYSCALL\fR and \fBSSL_ERROR_SSL\fR. These
+indicate that the underlying connection has failed. You should not attempt to
+shut it down with \fBSSL_shutdown\fR\|(3). \fBSSL_ERROR_SYSCALL\fR indicates that
+OpenSSL attempted to make a syscall that failed. You can consult \fBerrno\fR for
+further details. \fBSSL_ERROR_SSL\fR indicates that some OpenSSL error occurred. You
+can consult the OpenSSL error stack for further details (for example by calling
+\&\fBERR_print_errors\fR\|(3) to print out details of errors that have occurred).
+.PP
+In our demo application we will write a function to handle these errors from
+OpenSSL I/O functions:
+.PP
+.Vb 7
+\& static int handle_io_failure(SSL *ssl, int res)
+\& {
+\& switch (SSL_get_error(ssl, res)) {
+\& case SSL_ERROR_WANT_READ:
+\& /* Temporary failure. Wait until we can read and try again */
+\& wait_for_activity(ssl, 0);
+\& return 1;
+\&
+\& case SSL_ERROR_WANT_WRITE:
+\& /* Temporary failure. Wait until we can write and try again */
+\& wait_for_activity(ssl, 1);
+\& return 1;
+\&
+\& case SSL_ERROR_ZERO_RETURN:
+\& /* EOF */
+\& return 0;
+\&
+\& case SSL_ERROR_SYSCALL:
+\& return \-1;
+\&
+\& case SSL_ERROR_SSL:
+\& /*
+\& * If the failure is due to a verification error we can get more
+\& * information about it from SSL_get_verify_result().
+\& */
+\& if (SSL_get_verify_result(ssl) != X509_V_OK)
+\& printf("Verify error: %s\en",
+\& X509_verify_cert_error_string(SSL_get_verify_result(ssl)));
+\& return \-1;
+\&
+\& default:
+\& return \-1;
+\& }
+\& }
+.Ve
+.PP
+This function takes as arguments the \fBSSL\fR object that represents the
+connection, as well as the return code from the I/O function that failed. In
+the event of a non-fatal failure, it waits until a retry of the I/O operation
+might succeed (by using the \f(CWwait_for_activity()\fR function that we developed
+in the previous section). It returns 1 in the event of a non-fatal error
+(except EOF), 0 in the event of EOF, or \-1 if a fatal error occurred.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+In order to connect to a server we must create \fBSSL_CTX\fR and \fBSSL\fR objects for
+this. The steps do this are the same as for a blocking client and are explained
+on the \fBossl\-guide\-tls\-client\-block\fR\|(7) page. We won't repeat that information
+here.
+.SS "Performing the handshake"
+.IX Subsection "Performing the handshake"
+As in the demo for a blocking TLS client we use the \fBSSL_connect\fR\|(3) function
+to perform the TLS handshake with the server. Since we are using a nonblocking
+socket it is very likely that calls to this function will fail with a non-fatal
+error while we are waiting for the server to respond to our handshake messages.
+In such a case we must retry the same \fBSSL_connect\fR\|(3) call at a later time.
+In this demo we this in a loop:
+.PP
+.Vb 7
+\& /* Do the handshake with the server */
+\& while ((ret = SSL_connect(ssl)) != 1) {
+\& if (handle_io_failure(ssl, ret) == 1)
+\& continue; /* Retry */
+\& printf("Failed to connect to server\en");
+\& goto end; /* Cannot retry: error */
+\& }
+.Ve
+.PP
+We continually call \fBSSL_connect\fR\|(3) until it gives us a success response.
+Otherwise we use the \f(CWhandle_io_failure()\fR function that we created earlier to
+work out what we should do next. Note that we do not expect an EOF to occur at
+this stage, so such a response is treated in the same way as a fatal error.
+.SS "Sending and receiving data"
+.IX Subsection "Sending and receiving data"
+As with the blocking TLS client demo we use the \fBSSL_write_ex\fR\|(3) function to
+send data to the server. As with \fBSSL_connect\fR\|(3) above, because we are using
+a nonblocking socket, this call could fail with a non-fatal error. In that case
+we should retry exactly the same \fBSSL_write_ex\fR\|(3) call again. Note that the
+parameters must be \fIexactly\fR the same, i.e. the same pointer to the buffer to
+write with the same length. You must not attempt to send different data on a
+retry. An optional mode does exist (\fBSSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\fR)
+which will configure OpenSSL to allow the buffer being written to change from
+one retry to the next. However, in this case, you must still retry exactly the
+same data \- even though the buffer that contains that data may change location.
+See \fBSSL_CTX_set_mode\fR\|(3) for further details. As in the TLS client
+blocking tutorial (\fBossl\-guide\-tls\-client\-block\fR\|(7)) we write the request
+in three chunks.
+.PP
+.Vb 10
+\& /* Write an HTTP GET request to the peer */
+\& while (!SSL_write_ex(ssl, request_start, strlen(request_start), &written)) {
+\& if (handle_io_failure(ssl, 0) == 1)
+\& continue; /* Retry */
+\& printf("Failed to write start of HTTP request\en");
+\& goto end; /* Cannot retry: error */
+\& }
+\& while (!SSL_write_ex(ssl, hostname, strlen(hostname), &written)) {
+\& if (handle_io_failure(ssl, 0) == 1)
+\& continue; /* Retry */
+\& printf("Failed to write hostname in HTTP request\en");
+\& goto end; /* Cannot retry: error */
+\& }
+\& while (!SSL_write_ex(ssl, request_end, strlen(request_end), &written)) {
+\& if (handle_io_failure(ssl, 0) == 1)
+\& continue; /* Retry */
+\& printf("Failed to write end of HTTP request\en");
+\& goto end; /* Cannot retry: error */
+\& }
+.Ve
+.PP
+On a write we do not expect to see an EOF response so we treat that case in the
+same way as a fatal error.
+.PP
+Reading a response back from the server is similar:
+.PP
+.Vb 10
+\& do {
+\& /*
+\& * Get up to sizeof(buf) bytes of the response. We keep reading until
+\& * the server closes the connection.
+\& */
+\& while (!eof && !SSL_read_ex(ssl, buf, sizeof(buf), &readbytes)) {
+\& switch (handle_io_failure(ssl, 0)) {
+\& case 1:
+\& continue; /* Retry */
+\& case 0:
+\& eof = 1;
+\& continue;
+\& case \-1:
+\& default:
+\& printf("Failed reading remaining data\en");
+\& goto end; /* Cannot retry: error */
+\& }
+\& }
+\& /*
+\& * OpenSSL does not guarantee that the returned data is a string or
+\& * that it is NUL terminated so we use fwrite() to write the exact
+\& * number of bytes that we read. The data could be non\-printable or
+\& * have NUL characters in the middle of it. For this simple example
+\& * we\*(Aqre going to print it to stdout anyway.
+\& */
+\& if (!eof)
+\& fwrite(buf, 1, readbytes, stdout);
+\& } while (!eof);
+\& /* In case the response didn\*(Aqt finish with a newline we add one now */
+\& printf("\en");
+.Ve
+.PP
+The main difference this time is that it is valid for us to receive an EOF
+response when trying to read data from the server. This will occur when the
+server closes down the connection after sending all the data in its response.
+.PP
+In this demo we just print out all the data we've received back in the response
+from the server. We continue going around the loop until we either encounter a
+fatal error, or we receive an EOF (indicating a graceful finish).
+.SS "Shutting down the connection"
+.IX Subsection "Shutting down the connection"
+As in the TLS blocking example we must shutdown the connection when we are
+finished with it.
+.PP
+If our application was initiating the shutdown then we would expect to see
+\&\fBSSL_shutdown\fR\|(3) give a return value of 0, and then we would continue to call
+it until we received a return value of 1 (meaning we have successfully completed
+the shutdown). In this particular example we don't expect \fBSSL_shutdown()\fR to
+return 0 because we have already received EOF from the server indicating that it
+has shutdown already. So we just keep calling it until \fBSSL_shutdown()\fR returns 1.
+Since we are using a nonblocking socket we might expect to have to retry this
+operation several times. If \fBSSL_shutdown\fR\|(3) returns a negative result then we
+must call \fBSSL_get_error\fR\|(3) to work out what to do next. We use our
+\&\fBhandle_io_failure()\fR function that we developed earlier for this:
+.PP
+.Vb 10
+\& /*
+\& * The peer already shutdown gracefully (we know this because of the
+\& * SSL_ERROR_ZERO_RETURN (i.e. EOF) above). We should do the same back.
+\& */
+\& while ((ret = SSL_shutdown(ssl)) != 1) {
+\& if (ret < 0 && handle_io_failure(ssl, ret) == 1)
+\& continue; /* Retry */
+\& /*
+\& * ret == 0 is unexpected here because that means "we\*(Aqve sent a
+\& * close_notify and we\*(Aqre waiting for one back". But we already know
+\& * we got one from the peer because of the SSL_ERROR_ZERO_RETURN
+\& * (i.e. EOF) above.
+\& */
+\& printf("Error shutting down\en");
+\& goto end; /* Cannot retry: error */
+\& }
+.Ve
+.SS "Final clean up"
+.IX Subsection "Final clean up"
+As with the blocking TLS client example, once our connection is finished with we
+must free it. The steps to do this for this example are the same as for the
+blocking example, so we won't repeat it here.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-tls\-client\-block\fR\|(7) to read a tutorial on how to write a
+blocking TLS client. See \fBossl\-guide\-quic\-client\-block\fR\|(7) to see how to do the
+same thing for a QUIC client.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7),
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7), \fBossl\-guide\-quic\-client\-block\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7
new file mode 100644
index 000000000000..81bca6199722
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-introduction.7
@@ -0,0 +1,376 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-TLS-INTRODUCTION 7ossl"
+.TH OSSL-GUIDE-TLS-INTRODUCTION 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-tls\-introduction
+\&\- OpenSSL Guide: An introduction to SSL/TLS in OpenSSL
+.SH INTRODUCTION
+.IX Header "INTRODUCTION"
+This page will provide an introduction to some basic SSL/TLS concepts and
+background and how it is used within OpenSSL. It assumes that you have a basic
+understanding of TCP/IP and sockets.
+.SH "WHAT IS TLS?"
+.IX Header "WHAT IS TLS?"
+TLS stands for Transport Layer Security. TLS allows applications to securely
+communicate with each other across a network such that the confidentiality of
+the information exchanged is protected (i.e. it prevents eavesdroppers from
+listening in to the communication). Additionally it protects the integrity of
+the information exchanged to prevent an attacker from changing it. Finally it
+provides authentication so that one or both parties can be sure that they are
+talking to who they think they are talking to and not some imposter.
+.PP
+Sometimes TLS is referred to by its predecessor's name SSL (Secure Sockets
+Layer). OpenSSL dates from a time when the SSL name was still in common use and
+hence many of the functions and names used by OpenSSL contain the "SSL"
+abbreviation. Nonetheless OpenSSL contains a fully fledged TLS implementation.
+.PP
+TLS is based on a client/server model. The application that initiates a
+communication is known as the client. The application that responds to a
+remotely initiated communication is the server. The term "endpoint" refers to
+either of the client or the server in a communication. The term "peer" refers to
+the endpoint at the other side of the communication that we are currently
+referring to. So if we are currently talking about the client then the peer
+would be the server.
+.PP
+TLS is a standardised protocol and there are numerous different implementations
+of it. Due to the standards an OpenSSL client or server is able to communicate
+seamlessly with an application using some different implementation of TLS. TLS
+(and its predecessor SSL) have been around for a significant period of time and
+the protocol has undergone various changes over the years. Consequently there
+are different versions of the protocol available. TLS includes the ability to
+perform version negotiation so that the highest protocol version that the client
+and server share in common is used.
+.PP
+TLS acts as a security layer over some lower level transport protocol. Typically
+the transport layer will be TCP.
+.SH "SSL AND TLS VERSIONS"
+.IX Header "SSL AND TLS VERSIONS"
+SSL was initially developed by Netscape Communications and its first publicly
+released version was SSLv2 in 1995. Note that SSLv1 was never publicly released.
+SSLv3 came along quickly afterwards in 1996. Subsequently development of the
+protocol moved to the IETF which released the first version of TLS (TLSv1.0) in
+1999 as RFC2246. TLSv1.1 was released in 2006 as RFC4346 and TLSv1.2 came along
+in 2008 as RFC5246. The most recent version of the standard is TLSv1.3 which
+was released in 2018 as RFC8446.
+.PP
+Today TLSv1.3 and TLSv1.2 are the most commonly deployed versions of the
+protocol. The IETF have formally deprecated TLSv1.1 and TLSv1.0, so anything
+below TLSv1.2 should be avoided since the older protocol versions are
+susceptible to security problems.
+.PP
+OpenSSL does not support SSLv2 (it was removed in OpenSSL 1.1.0). Support for
+SSLv3 is available as a compile time option \- but it is not built by default.
+Support for TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3 are all available by default
+in a standard build of OpenSSL. However special run-time configuration is
+required in order to make TLSv1.0 and TLSv1.1 work successfully.
+.PP
+OpenSSL will always try to negotiate the highest protocol version that it has
+been configured to support. In most cases this will mean either TLSv1.3 or
+TLSv1.2 is chosen.
+.SH CERTIFICATES
+.IX Header "CERTIFICATES"
+In order for a client to establish a connection to a server it must authenticate
+the identity of that server, i.e. it needs to confirm that the server is really
+the server that it claims to be and not some imposter. In order to do this the
+server will send to the client a digital certificate (also commonly referred to
+as an X.509 certificate). The certificate contains various information about the
+server including its full DNS hostname. Also within the certificate is the
+server's public key. The server operator will have a private key which is
+linked to the public key and must not be published.
+.PP
+Along with the certificate the server will also send to the client proof that it
+knows the private key associated with the public key in the certificate. It does
+this by digitally signing a message to the client using that private key. The
+client can verify the signature using the public key from the certificate. If
+the signature verifies successfully then the client knows that the server is in
+possession of the correct private key.
+.PP
+The certificate that the server sends will also be signed by a Certificate
+Authority. The Certificate Authority (commonly known as a CA) is a third party
+organisation that is responsible for verifying the information in the server's
+certificate (including its DNS hostname). The CA should only sign the
+certificate if it has been able to confirm that the server operator does indeed
+have control of the server associated with its DNS hostname and that the server
+operator has control of the private key.
+.PP
+In this way, if the client trusts the CA that has signed the server's
+certificate and it can verify that the server has the right private key then it
+can trust that the server truly does represent the DNS hostname given in the
+certificate. The client must also verify that the hostname given in the
+certificate matches the hostname that it originally sent the request to.
+.PP
+Once all of these checks have been done the client has successfully verified the
+identify of the server. OpenSSL can perform all of these checks automatically
+but it must be provided with certain information in order to do so, i.e. the set
+of CAs that the client trusts as well as the DNS hostname for the server that
+this client is trying to connect to.
+.PP
+Note that it is common for certificates to be built up into a chain. For example
+a server's certificate may be signed by a key owned by a an intermediate CA.
+That intermediate CA also has a certificate containing its public key which is
+in turn signed by a key owned by a root CA. The client may only trust the root
+CA, but if the server sends both its own certificate and the certificate for the
+intermediate CA then the client can still successfully verify the identity of
+the server. There is a chain of trust between the root CA and the server.
+.PP
+By default it is only the client that authenticates the server using this
+method. However it is also possible to set things up such that the server
+additionally authenticates the client. This is known as "client authentication".
+In this approach the client will still authenticate the server in the same way,
+but the server will request a certificate from the client. The client sends the
+server its certificate and the server authenticates it in the same way that the
+client does.
+.SH "TRUSTED CERTIFICATE STORE"
+.IX Header "TRUSTED CERTIFICATE STORE"
+The system described above only works if a chain of trust can be built between
+the set of CAs that the endpoint trusts and the certificate that the peer is
+using. The endpoint must therefore have a set of certificates for CAs that it
+trusts before any communication can take place. OpenSSL itself does not provide
+such a set of certificates. Therefore you will need to make sure you have them
+before you start if you are going to be verifying certificates (i.e. always if
+the endpoint is a client, and only if client authentication is in use for a
+server).
+.PP
+Fortunately other organisations do maintain such a set of certificates. If you
+have obtained your copy of OpenSSL from an Operating System (OS) vendor (e.g. a
+Linux distribution) then normally the set of CA certificates will also be
+distributed with that copy.
+.PP
+You can check this by running the OpenSSL command line application like this:
+.PP
+.Vb 1
+\& openssl version \-d
+.Ve
+.PP
+This will display a value for \fBOPENSSLDIR\fR. Look in the \fBcerts\fR sub directory
+of \fBOPENSSLDIR\fR and check its contents. For example if \fBOPENSSLDIR\fR is
+"/usr/local/ssl", then check the contents of the "/usr/local/ssl/certs"
+directory.
+.PP
+You are expecting to see a list of files, typically with the suffix ".pem" or
+".0". If they exist then you already have a suitable trusted certificate store.
+.PP
+If you are running your version of OpenSSL on Windows then OpenSSL (from version
+3.2 onwards) will use the default Windows set of trusted CAs.
+.PP
+If you have built your version of OpenSSL from source, or obtained it from some
+other location and it does not have a set of trusted CA certificates then you
+will have to obtain them yourself. One such source is the Curl project. See the
+page <https://curl.se/docs/caextract.html> where you can download trusted
+certificates in a single file. Rename the file to "cert.pem" and store it
+directly in \fBOPENSSLDIR\fR. For example if \fBOPENSSLDIR\fR is "/usr/local/ssl",
+then save it as "/usr/local/ssl/cert.pem".
+.PP
+You can also use environment variables to override the default location that
+OpenSSL will look for its trusted certificate store. Set the \fBSSL_CERT_PATH\fR
+environment variable to give the directory where OpenSSL should looks for its
+certificates or the \fBSSL_CERT_FILE\fR environment variable to give the name of
+a single file containing all of the certificates. See \fBopenssl\-env\fR\|(7) for
+further details about OpenSSL environment variables. For example you could use
+this capability to have multiple versions of OpenSSL all installed on the same
+system using different values for \fBOPENSSLDIR\fR but all using the same
+trusted certificate store.
+.PP
+You can test that your trusted certificate store is setup correctly by using it
+via the OpenSSL command line. Use the following command to connect to a TLS
+server:
+.PP
+.Vb 1
+\& openssl s_client www.openssl.org:443
+.Ve
+.PP
+Once the command has connected type the letter "Q" followed by "<enter>" to exit
+the session. This will print a lot of information on the screen about the
+connection. Look for a block of text like this:
+.PP
+.Vb 2
+\& SSL handshake has read 4584 bytes and written 403 bytes
+\& Verification: OK
+.Ve
+.PP
+Hopefully if everything has worked then the "Verification" line will say "OK".
+If its not working as expected then you might see output like this instead:
+.PP
+.Vb 2
+\& SSL handshake has read 4584 bytes and written 403 bytes
+\& Verification error: unable to get local issuer certificate
+.Ve
+.PP
+The "unable to get local issuer certificate" error means that OpenSSL has been
+unable to find a trusted CA for the chain of certificates provided by the server
+in its trusted certificate store. Check your trusted certificate store
+configuration again.
+.PP
+Note that s_client is a testing tool and will still allow you to connect to the
+TLS server regardless of the verification error. Most applications should not do
+this and should abort the connection in the event of a verification error.
+.SH "IMPORTANT OBJECTS FOR AN OPENSSL TLS APPLICATION"
+.IX Header "IMPORTANT OBJECTS FOR AN OPENSSL TLS APPLICATION"
+A TLS connection is represented by the \fBSSL\fR object in an OpenSSL based
+application. Once a connection with a remote peer has been established an
+endpoint can "write" data to the \fBSSL\fR object to send data to the peer, or
+"read" data from it to receive data from the server.
+.PP
+A new \fBSSL\fR object is created from an \fBSSL_CTX\fR object. Think of an \fBSSL_CTX\fR
+as a "factory" for creating \fBSSL\fR objects. You can create a single \fBSSL_CTX\fR
+object and then create multiple connections (i.e. \fBSSL\fR objects) from it.
+Typically you can set up common configuration options on the \fBSSL_CTX\fR so that
+all the \fBSSL\fR object created from it inherit the same configuration options.
+.PP
+Note that internally to OpenSSL various items that are shared between multiple
+\&\fBSSL\fR objects are cached in the \fBSSL_CTX\fR for performance reasons. Therefore
+it is considered best practice to create one \fBSSL_CTX\fR for use by multiple
+\&\fBSSL\fR objects instead of having one \fBSSL_CTX\fR for each \fBSSL\fR object that you
+create.
+.PP
+Each \fBSSL\fR object is also associated with two \fBBIO\fR objects. A \fBBIO\fR object
+is used for sending or receiving data from the underlying transport layer. For
+example you might create a \fBBIO\fR to represent a TCP socket. The \fBSSL\fR object
+uses one \fBBIO\fR for reading data and one \fBBIO\fR for writing data. In most cases
+you would use the same \fBBIO\fR for each direction but there could be some
+circumstances where you want them to be different.
+.PP
+It is up to the application programmer to create the \fBBIO\fR objects that are
+needed and supply them to the \fBSSL\fR object. See
+\&\fBossl\-guide\-tls\-client\-block\fR\|(7) and \fBossl\-guide\-tls\-server\-block\fR\|(7) for
+usage examples.
+.PP
+Finally, an endpoint can establish a "session" with its peer. The session holds
+various TLS parameters about the connection between the client and the server.
+The session details can then be reused in a subsequent connection attempt to
+speed up the process of connecting. This is known as "resumption". Sessions are
+represented in OpenSSL by the \fBSSL_SESSION\fR object. In TLSv1.2 there is always
+exactly one session per connection. In TLSv1.3 there can be any number per
+connection including none.
+.SH "PHASES OF A TLS CONNECTION"
+.IX Header "PHASES OF A TLS CONNECTION"
+A TLS connection starts with an initial "set up" phase. The endpoint creates the
+\&\fBSSL_CTX\fR (if one has not already been created) and configures it.
+.PP
+A client then creates an \fBSSL\fR object to represent the new TLS connection. Any
+connection specific configuration parameters are then applied and the underlying
+socket is created and associated with the \fBSSL\fR via \fBBIO\fR objects.
+.PP
+A server will create a socket for listening for incoming connection attempts
+from clients. Once a connection attempt is made the server will create an \fBSSL\fR
+object in the same way as for a client and associate it with a \fBBIO\fR for the
+newly created incoming socket.
+.PP
+After set up is complete the TLS "handshake" phase begins. A TLS handshake
+consists of the client and server exchanging a series of TLS handshake messages
+to establish the connection. The client starts by sending a "ClientHello"
+handshake message and the server responds with a "ServerHello". The handshake is
+complete once an endpoint has sent its last message (known as the "Finished"
+message) and received a Finished message from its peer. Note that this might
+occur at slightly different times for each peer. For example in TLSv1.3 the
+server always sends its Finished message before the client. The client later
+responds with its Finished message. At this point the client has completed the
+handshake because it has both sent and received a Finished message. The server
+has sent its Finished message but the Finished message from the client may still
+be in-flight, so the server is still in the handshake phase. It is even possible
+that the server will fail to complete the handshake (if it considers there is
+some problem with the messages sent from the client), even though the client may
+have already progressed to sending application data. In TLSv1.2 this can happen
+the other way around, i.e. the server finishes first and the client finishes
+second.
+.PP
+Once the handshake is complete the application data transfer phase begins.
+Strictly speaking there are some situations where the client can start sending
+application data even earlier (using the TLSv1.3 "early data" capability) \- but
+we're going to skip over that for this basic introduction.
+.PP
+During application data transfer the client and server can read and write data
+to the connection freely. The details of this are typically left to some higher
+level application protocol (for example HTTP). Not all information exchanged
+during this phase is application data. Some protocol level messages may still
+be exchanged \- so it is not necessarily the case that, just because the
+underlying socket is "readable", that application data will be available to read.
+.PP
+When the connection is no longer required then it should be shutdown. A shutdown
+may be initiated by either the client or the server via a message known as a
+"close_notify" alert. The client or server that receives a close_notify may
+respond with one and then the connection is fully closed and application data
+can no longer be sent or received.
+.PP
+Once shutdown is complete a TLS application must clean up by freeing the SSL
+object.
+.SH "FURTHER READING"
+.IX Header "FURTHER READING"
+See \fBossl\-guide\-tls\-client\-block\fR\|(7) for an example of how to apply these
+concepts in order to write a simple TLS client based on a blocking socket.
+See \fBossl\-guide\-tls\-server\-block\fR\|(7) for an example of how to apply these
+concepts in order to write a simple TLS server handling one client at a time
+over a blocking socket.
+See \fBossl\-guide\-quic\-introduction\fR\|(7) for an introduction to QUIC in OpenSSL.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-tls\-client\-block\fR\|(7),
+\&\fBossl\-guide\-tls\-server\-block\fR\|(7), \fBossl\-guide\-quic\-introduction\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2023\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7 b/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7
new file mode 100644
index 000000000000..bcb0631a798d
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/ossl-guide-tls-server-block.7
@@ -0,0 +1,405 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl"
+.TH OSSL-GUIDE-TLS-SERVER-BLOCK 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+ossl\-guide\-tls\-server\-block
+\&\- OpenSSL Guide: Writing a simple blocking TLS server
+.SH "SIMPLE BLOCKING TLS SERVER EXAMPLE"
+.IX Header "SIMPLE BLOCKING TLS SERVER EXAMPLE"
+This page will present various source code samples demonstrating how to write a
+simple, non-concurrent, TLS "echo" server application which accepts one client
+connection at a time, echoing input from the client back to the same client.
+Once the current client disconnects, the next client connection is accepted.
+.PP
+Both the acceptor socket and client connections are "blocking". A more typical
+server might use nonblocking sockets with an event loop and callbacks for I/O
+events.
+.PP
+The complete source code for this example blocking TLS server is available in
+the \fBdemos/guide\fR directory of the OpenSSL source distribution in the file
+\&\fBtls\-server\-block.c\fR. It is also available online at
+<https://github.com/openssl/openssl/blob/master/demos/guide/tls\-server\-block.c>.
+.PP
+We assume that you already have OpenSSL installed on your system; that you
+already have some fundamental understanding of OpenSSL concepts and TLS (see
+\&\fBossl\-guide\-libraries\-introduction\fR\|(7) and \fBossl\-guide\-tls\-introduction\fR\|(7));
+and that you know how to write and build C code and link it against the
+libcrypto and libssl libraries that are provided by OpenSSL. It also assumes
+that you have a basic understanding of TCP/IP and sockets.
+.SS "Creating the SSL_CTX and SSL objects"
+.IX Subsection "Creating the SSL_CTX and SSL objects"
+The first step is to create an \fBSSL_CTX\fR object for our server. We use the
+\&\fBSSL_CTX_new\fR\|(3) function for this purpose. We could alternatively use
+\&\fBSSL_CTX_new_ex\fR\|(3) if we want to associate the \fBSSL_CTX\fR with a particular
+\&\fBOSSL_LIB_CTX\fR (see \fBossl\-guide\-libraries\-introduction\fR\|(7) to learn about
+\&\fBOSSL_LIB_CTX\fR). We pass as an argument the return value of the function
+\&\fBTLS_server_method\fR\|(3). You should use this method whenever you are writing a
+TLS server. This method will automatically use TLS version negotiation to select
+the highest version of the protocol that is mutually supported by both the
+server and the client.
+.PP
+.Vb 9
+\& /*
+\& * An SSL_CTX holds shared configuration information for multiple
+\& * subsequent per\-client SSL connections.
+\& */
+\& ctx = SSL_CTX_new(TLS_server_method());
+\& if (ctx == NULL) {
+\& ERR_print_errors_fp(stderr);
+\& errx(res, "Failed to create server SSL_CTX");
+\& }
+.Ve
+.PP
+We would also like to restrict the TLS versions that we are willing to accept to
+TLSv1.2 or above. TLS protocol versions earlier than that are generally to be
+avoided where possible. We can do that using
+\&\fBSSL_CTX_set_min_proto_version\fR\|(3):
+.PP
+.Vb 9
+\& /*
+\& * TLS versions older than TLS 1.2 are deprecated by IETF and SHOULD
+\& * be avoided if possible.
+\& */
+\& if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) {
+\& SSL_CTX_free(ctx);
+\& ERR_print_errors_fp(stderr);
+\& errx(res, "Failed to set the minimum TLS protocol version");
+\& }
+.Ve
+.PP
+Next we configure some option flags, see \fBSSL_CTX_set_options\fR\|(3) for details:
+.PP
+.Vb 6
+\& /*
+\& * Tolerate clients hanging up without a TLS "shutdown". Appropriate in all
+\& * application protocols which perform their own message "framing", and
+\& * don\*(Aqt rely on TLS to defend against "truncation" attacks.
+\& */
+\& opts = SSL_OP_IGNORE_UNEXPECTED_EOF;
+\&
+\& /*
+\& * Block potential CPU\-exhaustion attacks by clients that request frequent
+\& * renegotiation. This is of course only effective if there are existing
+\& * limits on initial full TLS handshake or connection rates.
+\& */
+\& opts |= SSL_OP_NO_RENEGOTIATION;
+\&
+\& /*
+\& * Most servers elect to use their own cipher preference rather than that of
+\& * the client.
+\& */
+\& opts |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+\&
+\& /* Apply the selection options */
+\& SSL_CTX_set_options(ctx, opts);
+.Ve
+.PP
+Servers need a private key and certificate. Though anonymous ciphers (no
+server certificate) are possible in TLS 1.2, they are rarely applicable, and
+are not currently defined for TLS 1.3. Additional intermediate issuer CA
+certificates are often also required, and both the server (end-entity or EE)
+certificate and the issuer ("chain") certificates are most easily configured in
+a single "chain file". Below we load such a chain file (the EE certificate
+must appear first), and then load the corresponding private key, checking that
+it matches the server certificate. No checks are performed to check the
+integrity of the chain (CA signatures or certificate expiration dates, for
+example).
+.PP
+.Vb 10
+\& /*
+\& * Load the server\*(Aqs certificate *chain* file (PEM format), which includes
+\& * not only the leaf (end\-entity) server certificate, but also any
+\& * intermediate issuer\-CA certificates. The leaf certificate must be the
+\& * first certificate in the file.
+\& *
+\& * In advanced use\-cases this can be called multiple times, once per public
+\& * key algorithm for which the server has a corresponding certificate.
+\& * However, the corresponding private key (see below) must be loaded first,
+\& * *before* moving on to the next chain file.
+\& */
+\& if (SSL_CTX_use_certificate_chain_file(ctx, "chain.pem") <= 0) {
+\& SSL_CTX_free(ctx);
+\& ERR_print_errors_fp(stderr);
+\& errx(res, "Failed to load the server certificate chain file");
+\& }
+\&
+\& /*
+\& * Load the corresponding private key, this also checks that the private
+\& * key matches the just loaded end\-entity certificate. It does not check
+\& * whether the certificate chain is valid, the certificates could be
+\& * expired, or may otherwise fail to form a chain that a client can validate.
+\& */
+\& if (SSL_CTX_use_PrivateKey_file(ctx, "pkey.pem", SSL_FILETYPE_PEM) <= 0) {
+\& SSL_CTX_free(ctx);
+\& ERR_print_errors_fp(stderr);
+\& errx(res, "Error loading the server private key file, "
+\& "possible key/cert mismatch???");
+\& }
+.Ve
+.PP
+Next we enable session caching, which makes it possible for clients to more
+efficiently make additional TLS connections after completing an initial full
+TLS handshake. With TLS 1.3, session resumption typically still performs a fresh
+key agreement, but the certificate exchange is avoided.
+.PP
+.Vb 7
+\& /*
+\& * Servers that want to enable session resumption must specify a cache id
+\& * byte array, that identifies the server application, and reduces the
+\& * chance of inappropriate cache sharing.
+\& */
+\& SSL_CTX_set_session_id_context(ctx, (void *)cache_id, sizeof(cache_id));
+\& SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
+\&
+\& /*
+\& * How many client TLS sessions to cache. The default is
+\& * SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (20k in recent OpenSSL versions),
+\& * which may be too small or too large.
+\& */
+\& SSL_CTX_sess_set_cache_size(ctx, 1024);
+\&
+\& /*
+\& * Sessions older than this are considered a cache miss even if still in
+\& * the cache. The default is two hours. Busy servers whose clients make
+\& * many connections in a short burst may want a shorter timeout, on lightly
+\& * loaded servers with sporadic connections from any given client, a longer
+\& * time may be appropriate.
+\& */
+\& SSL_CTX_set_timeout(ctx, 3600);
+.Ve
+.PP
+Most servers, including this one, do not solicit client certificates. We
+therefore do not need a "trust store" and allow the handshake to complete even
+when the client does not present a certificate. Note: Even if a client did
+present a trusted ceritificate, for it to be useful, the server application
+would still need custom code to use the verified identity to grant nondefault
+access to that particular client. Some servers grant access to all clients
+with certificates from a private CA, this then requires processing of
+certificate revocation lists to deauthorise a client. It is often simpler and
+more secure to instead keep a list of authorised public keys.
+.PP
+Though this is the default setting, we explicitly call the
+\&\fBSSL_CTX_set_verify\fR\|(3) function and pass the \fBSSL_VERIFY_NONE\fR value to it.
+The final argument to this function is a callback that you can optionally
+supply to override the default handling for certificate verification. Most
+applications do not need to do this so this can safely be set to NULL to get
+the default handling.
+.PP
+.Vb 12
+\& /*
+\& * Clients rarely employ certificate\-based authentication, and so we don\*(Aqt
+\& * require "mutual" TLS authentication (indeed there\*(Aqs no way to know
+\& * whether or how the client authenticated the server, so the term "mutual"
+\& * is potentially misleading).
+\& *
+\& * Since we\*(Aqre not soliciting or processing client certificates, we don\*(Aqt
+\& * need to configure a trusted\-certificate store, so no call to
+\& * SSL_CTX_set_default_verify_paths() is needed. The server\*(Aqs own
+\& * certificate chain is assumed valid.
+\& */
+\& SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+.Ve
+.PP
+That is all the setup that we need to do for the \fBSSL_CTX\fR. Next we create an
+acceptor BIO on which to accept client connections. This just records the
+intended port (and optional "host:" prefix), without actually creating the
+socket. This delayed processing allows the programmer to specify additional
+behaviours before the listening socket is actually created.
+.PP
+.Vb 10
+\& /*
+\& * Create a listener socket wrapped in a BIO.
+\& * The first call to BIO_do_accept() initialises the socket
+\& */
+\& acceptor_bio = BIO_new_accept(hostport);
+\& if (acceptor_bio == NULL) {
+\& SSL_CTX_free(ctx);
+\& ERR_print_errors_fp(stderr);
+\& errx(res, "Error creating acceptor bio");
+\& }
+.Ve
+.PP
+Servers almost always want to use the "SO_REUSEADDR" option to avoid startup
+failures if there are still lingering client connections, so we do that before
+making the \fBfirst\fR call to \fBBIO_do_accept\fR\|(3) which creates the listening
+socket, without accepting a client connection. Subsequent calls to the same
+function will accept new connections.
+.PP
+.Vb 6
+\& BIO_set_bind_mode(acceptor_bio, BIO_BIND_REUSEADDR);
+\& if (BIO_do_accept(acceptor_bio) <= 0) {
+\& SSL_CTX_free(ctx);
+\& ERR_print_errors_fp(stderr);
+\& errx(res, "Error setting up acceptor socket");
+\& }
+.Ve
+.SS "Server loop"
+.IX Subsection "Server loop"
+The server now enters a "forever" loop handling one client connection at a
+time. Before each connection we clear the OpenSSL error stack, so that any
+error reports are related to just the new connection.
+.PP
+.Vb 2
+\& /* Pristine error stack for each new connection */
+\& ERR_clear_error();
+.Ve
+.PP
+At this point the server blocks to accept the next client:
+.PP
+.Vb 5
+\& /* Wait for the next client to connect */
+\& if (BIO_do_accept(acceptor_bio) <= 0) {
+\& /* Client went away before we accepted the connection */
+\& continue;
+\& }
+.Ve
+.PP
+On success the accepted client connection has been wrapped in a fresh BIO and
+pushed onto the end of the acceptor BIO chain. We pop it off returning the
+acceptor BIO to its initial state.
+.PP
+.Vb 3
+\& /* Pop the client connection from the BIO chain */
+\& client_bio = BIO_pop(acceptor_bio);
+\& fprintf(stderr, "New client connection accepted\en");
+.Ve
+.PP
+Next, we create an \fBSSL\fR object by calling the \fBSSL_new\|(3)\fR function and
+passing the \fBSSL_CTX\fR we created as an argument. The client connection BIO is
+configured as the I/O conduit for this SSL handle. SSL_set_bio transfers
+ownership of the BIO or BIOs involved (our \fBclient_bio\fR) to the SSL handle.
+.PP
+.Vb 8
+\& /* Associate a new SSL handle with the new connection */
+\& if ((ssl = SSL_new(ctx)) == NULL) {
+\& ERR_print_errors_fp(stderr);
+\& warnx("Error creating SSL handle for new connection");
+\& BIO_free(client_bio);
+\& continue;
+\& }
+\& SSL_set_bio(ssl, client_bio, client_bio);
+.Ve
+.PP
+And now we're ready to attempt the SSL handshake. With a blocking socket
+OpenSSL will perform all the read and write operations required to complete the
+handshake (or detect and report a failure) before returning.
+.PP
+.Vb 7
+\& /* Attempt an SSL handshake with the client */
+\& if (SSL_accept(ssl) <= 0) {
+\& ERR_print_errors_fp(stderr);
+\& warnx("Error performing SSL handshake with client");
+\& SSL_free(ssl);
+\& continue;
+\& }
+.Ve
+.PP
+With the handshake complete, the server loops echoing client input back to the
+client:
+.PP
+.Vb 9
+\& while (SSL_read_ex(ssl, buf, sizeof(buf), &nread) > 0) {
+\& if (SSL_write_ex(ssl, buf, nread, &nwritten) > 0 &&
+\& nwritten == nread) {
+\& total += nwritten;
+\& continue;
+\& }
+\& warnx("Error echoing client input");
+\& break;
+\& }
+.Ve
+.PP
+Once the client closes its connection, we report the number of bytes sent to
+\&\fBstderr\fR and free the SSL handle, which also frees the \fBclient_bio\fR and
+closes the underlying socket.
+.PP
+.Vb 2
+\& fprintf(stderr, "Client connection closed, %zu bytes sent\en", total);
+\& SSL_free(ssl);
+.Ve
+.PP
+The server is now ready to accept the next client connection.
+.SS "Final clean up"
+.IX Subsection "Final clean up"
+If the server could somehow manage to break out of the infinite loop, and
+be ready to exit, it would first deallocate the constructed \fBSSL_CTX\fR.
+.PP
+.Vb 5
+\& /*
+\& * Unreachable placeholder cleanup code, the above loop runs forever.
+\& */
+\& SSL_CTX_free(ctx);
+\& return EXIT_SUCCESS;
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBossl\-guide\-introduction\fR\|(7), \fBossl\-guide\-libraries\-introduction\fR\|(7),
+\&\fBossl\-guide\-libssl\-introduction\fR\|(7), \fBossl\-guide\-tls\-introduction\fR\|(7),
+\&\fBossl\-guide\-tls\-client\-non\-block\fR\|(7), \fBossl\-guide\-quic\-client\-block\fR\|(7)
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl_store-file.7 b/secure/lib/libcrypto/man/man7/ossl_store-file.7
index 937f7f9d7dd7..aa9599f4d30c 100644
--- a/secure/lib/libcrypto/man/man7/ossl_store-file.7
+++ b/secure/lib/libcrypto/man/man7/ossl_store-file.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,108 +52,48 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE-FILE 7ossl"
-.TH OSSL_STORE-FILE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE-FILE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ossl_store\-file \- The store 'file' scheme loader
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
#include <openssl/store.h>
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR.
Since files come in all kinds of formats and content types, the 'file'
-scheme has its own layer of functionality called \*(L"file handlers\*(R",
+scheme has its own layer of functionality called "file handlers",
which are used to try to decode diverse types of file contents.
.PP
-In case a file is formatted as \s-1PEM,\s0 each called file handler receives
-the \s-1PEM\s0 name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as
-possible \s-1PEM\s0 headers, together with the decoded \s-1PEM\s0 body. Since \s-1PEM\s0
+In case a file is formatted as PEM, each called file handler receives
+the PEM name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as
+possible PEM headers, together with the decoded PEM body. Since PEM
formatted files can contain more than one object, the file handlers
are called upon for each such object.
.PP
-If the file isn't determined to be formatted as \s-1PEM,\s0 the content is
+If the file isn't determined to be formatted as PEM, the content is
loaded in raw form in its entirety and passed to the available file
-handlers as is, with no \s-1PEM\s0 name or headers.
+handlers as is, with no PEM name or headers.
.PP
-Each file handler is expected to handle \s-1PEM\s0 and non-PEM content as
+Each file handler is expected to handle PEM and non-PEM content as
appropriate. Some may refuse non-PEM content for the sake of
determinism (for example, there are keys out in the wild that are
-represented as an \s-1ASN.1 OCTET STRING.\s0 In raw form, it's not easily
-possible to distinguish those from any other data coming as an \s-1ASN.1
-OCTET STRING,\s0 so such keys would naturally be accepted as \s-1PEM\s0 files
+represented as an ASN.1 OCTET STRING. In raw form, it's not easily
+possible to distinguish those from any other data coming as an ASN.1
+OCTET STRING, so such keys would naturally be accepted as PEM files
only).
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
When needed, the 'file' scheme loader will require a pass phrase by
-using the \fB\s-1UI_METHOD\s0\fR that was passed via \fBOSSL_STORE_open()\fR.
-This pass phrase is expected to be \s-1UTF\-8\s0 encoded, anything else will
+using the \fBUI_METHOD\fR that was passed via \fBOSSL_STORE_open()\fR.
+This pass phrase is expected to be UTF\-8 encoded, anything else will
give an undefined result.
The files made accessible through this loader are expected to be
standard compliant with regards to pass phrase encoding.
@@ -179,11 +103,11 @@ See \fBpassphrase\-encoding\fR\|(7) for more information.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBpassphrase\-encoding\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl_store.7 b/secure/lib/libcrypto/man/man7/ossl_store.7
index 6a4d5c499cc9..3e8ad176fd01 100644
--- a/secure/lib/libcrypto/man/man7/ossl_store.7
+++ b/secure/lib/libcrypto/man/man7/ossl_store.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,112 +52,56 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE 7ossl"
-.TH OSSL_STORE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH OSSL_STORE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
ossl_store \- Store retrieval functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
#include <openssl/store.h>
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-.SS "General"
+.SS General
.IX Subsection "General"
-A \s-1STORE\s0 is a layer of functionality to retrieve a number of supported
+A STORE is a layer of functionality to retrieve a number of supported
objects from a repository of any kind, addressable as a filename or
-as a \s-1URI.\s0
+as a URI.
.PP
-The functionality supports the pattern \*(L"open a channel to the
-repository\*(R", \*(L"loop and retrieve one object at a time\*(R", and \*(L"finish up
-by closing the channel\*(R".
+The functionality supports the pattern "open a channel to the
+repository", "loop and retrieve one object at a time", and "finish up
+by closing the channel".
.PP
-The retrieved objects are returned as a wrapper type \fB\s-1OSSL_STORE_INFO\s0\fR,
+The retrieved objects are returned as a wrapper type \fBOSSL_STORE_INFO\fR,
from which an OpenSSL type can be retrieved.
-.SS "\s-1URI\s0 schemes and loaders"
+.SS "URI schemes and loaders"
.IX Subsection "URI schemes and loaders"
-Support for a \s-1URI\s0 scheme is called a \s-1STORE\s0 \*(L"loader\*(R", and can be added
+Support for a URI scheme is called a STORE "loader", and can be added
dynamically from the calling application or from a loadable engine.
.PP
Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR.
See \fBossl_store\-file\fR\|(7) for more information.
-.SS "\s-1UI_METHOD\s0 and pass phrases"
+.SS "UI_METHOD and pass phrases"
.IX Subsection "UI_METHOD and pass phrases"
-The \fB\s-1OSS_STORE\s0\fR \s-1API\s0 does nothing to enforce any specific format or
-encoding on the pass phrase that the \fB\s-1UI_METHOD\s0\fR provides. However,
-the pass phrase is expected to be \s-1UTF\-8\s0 encoded. The result of any
+The \fBOSS_STORE\fR API does nothing to enforce any specific format or
+encoding on the pass phrase that the \fBUI_METHOD\fR provides. However,
+the pass phrase is expected to be UTF\-8 encoded. The result of any
other encoding is undefined.
-.SH "EXAMPLES"
+.SH EXAMPLES
.IX Header "EXAMPLES"
.SS "A generic call"
.IX Subsection "A generic call"
-.Vb 1
-\& OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem");
+.Vb 2
+\& #include <openssl/ui.h> /* for UI_get_default_method */
+\& #include <openssl/store.h>
+\&
+\& OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem",
+\& UI_get_default_method(), NULL, NULL, NULL);
\&
\& /*
\& * OSSL_STORE_eof() simulates file semantics for any repository to signal
@@ -194,20 +122,21 @@ other encoding is undefined.
\& PEM_write_X509(stdout, OSSL_STORE_INFO_get0_CERT(info));
\& break;
\& }
+\& OSSL_STORE_INFO_free(info);
\& }
\&
\& OSSL_STORE_close(ctx);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \s-1\fBOSSL_STORE_LOADER\s0\fR\|(3),
+\&\fBOSSL_STORE_INFO\fR\|(3), \fBOSSL_STORE_LOADER\fR\|(3),
\&\fBOSSL_STORE_open\fR\|(3), \fBOSSL_STORE_expect\fR\|(3),
-\&\s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3)
-.SH "COPYRIGHT"
+\&\fBOSSL_STORE_SEARCH\fR\|(3)
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/passphrase-encoding.7 b/secure/lib/libcrypto/man/man7/passphrase-encoding.7
index 2e0394073cee..ef8ac85fdba5 100644
--- a/secure/lib/libcrypto/man/man7/passphrase-encoding.7
+++ b/secure/lib/libcrypto/man/man7/passphrase-encoding.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PASSPHRASE-ENCODING 7ossl"
-.TH PASSPHRASE-ENCODING 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PASSPHRASE-ENCODING 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
passphrase\-encoding
\&\- How diverse parts of OpenSSL treat pass phrases character encoding
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
In a modern world with all sorts of character encodings, the treatment of pass
phrases has become increasingly complex.
@@ -151,31 +75,31 @@ The OpenSSL library doesn't treat pass phrases in any special way as a general
rule, and trusts the application or user to choose a suitable character set
and stick to that throughout the lifetime of affected objects.
This means that for an object that was encrypted using a pass phrase encoded in
-\&\s-1ISO\-8859\-1,\s0 that object needs to be decrypted using a pass phrase encoded in
-\&\s-1ISO\-8859\-1.\s0
+ISO\-8859\-1, that object needs to be decrypted using a pass phrase encoded in
+ISO\-8859\-1.
Using the wrong encoding is expected to cause a decryption failure.
-.SS "PKCS#12"
+.SS PKCS#12
.IX Subsection "PKCS#12"
PKCS#12 is a bit different regarding pass phrase encoding.
-The standard stipulates that the pass phrase shall be encoded as an \s-1ASN.1\s0
+The standard stipulates that the pass phrase shall be encoded as an ASN.1
BMPString, which consists of the code points of the basic multilingual plane,
-encoded in big endian (\s-1UCS\-2 BE\s0).
+encoded in big endian (UCS\-2 BE).
.PP
OpenSSL tries to adapt to this requirements in one of the following manners:
-.IP "1." 4
-Treats the received pass phrase as \s-1UTF\-8\s0 encoded and tries to re-encode it to
-\&\s-1UTF\-16\s0 (which is the same as \s-1UCS\-2\s0 for characters U+0000 to U+D7FF and U+E000
+.IP 1. 4
+Treats the received pass phrase as UTF\-8 encoded and tries to re-encode it to
+UTF\-16 (which is the same as UCS\-2 for characters U+0000 to U+D7FF and U+E000
to U+FFFF, but becomes an expansion for any other character), or failing that,
proceeds with step 2.
-.IP "2." 4
-Assumes that the pass phrase is encoded in \s-1ASCII\s0 or \s-1ISO\-8859\-1\s0 and
-opportunistically prepends each byte with a zero byte to obtain the \s-1UCS\-2\s0
+.IP 2. 4
+Assumes that the pass phrase is encoded in ASCII or ISO\-8859\-1 and
+opportunistically prepends each byte with a zero byte to obtain the UCS\-2
encoding of the characters, which it stores as a BMPString.
.Sp
-Note that since there is no check of your locale, this may produce \s-1UCS\-2 /
-UTF\-16\s0 characters that do not correspond to the original pass phrase characters
-for other character sets, such as any \s-1ISO\-8859\-X\s0 encoding other than
-\&\s-1ISO\-8859\-1\s0 (or for Windows, \s-1CP 1252\s0 with exception for the extra \*(L"graphical\*(R"
+Note that since there is no check of your locale, this may produce UCS\-2 /
+UTF\-16 characters that do not correspond to the original pass phrase characters
+for other character sets, such as any ISO\-8859\-X encoding other than
+ISO\-8859\-1 (or for Windows, CP 1252 with exception for the extra "graphical"
characters in the 0x80\-0x9F range).
.PP
OpenSSL versions older than 1.1.0 do variant 2 only, and that is the reason why
@@ -183,12 +107,12 @@ OpenSSL still does this, to be able to read files produced with older versions.
.PP
It should be noted that this approach isn't entirely fault free.
.PP
-A pass phrase encoded in \s-1ISO\-8859\-2\s0 could very well have a sequence such as
-0xC3 0xAF (which is the two characters \*(L"\s-1LATIN CAPITAL LETTER A WITH BREVE\*(R"\s0
-and \*(L"\s-1LATIN CAPITAL LETTER Z WITH DOT ABOVE\*(R"\s0 in \s-1ISO\-8859\-2\s0 encoding), but would
-be misinterpreted as the perfectly valid \s-1UTF\-8\s0 encoded code point U+00EF (\s-1LATIN
-SMALL LETTER I WITH DIAERESIS\s0) \fIif the pass phrase doesn't contain anything that
-would be invalid \s-1UTF\-8\s0\fR.
+A pass phrase encoded in ISO\-8859\-2 could very well have a sequence such as
+0xC3 0xAF (which is the two characters "LATIN CAPITAL LETTER A WITH BREVE"
+and "LATIN CAPITAL LETTER Z WITH DOT ABOVE" in ISO\-8859\-2 encoding), but would
+be misinterpreted as the perfectly valid UTF\-8 encoded code point U+00EF (LATIN
+SMALL LETTER I WITH DIAERESIS) \fIif the pass phrase doesn't contain anything that
+would be invalid UTF\-8\fR.
A pass phrase that contains this kind of byte sequence will give a different
outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0.
.PP
@@ -197,26 +121,26 @@ outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0.
\& 0x00 0xEF # OpenSSL 1.1.0 and newer
.Ve
.PP
-On the same accord, anything encoded in \s-1UTF\-8\s0 that was given to OpenSSL older
-than 1.1.0 was misinterpreted as \s-1ISO\-8859\-1\s0 sequences.
-.SS "\s-1OSSL_STORE\s0"
+On the same accord, anything encoded in UTF\-8 that was given to OpenSSL older
+than 1.1.0 was misinterpreted as ISO\-8859\-1 sequences.
+.SS OSSL_STORE
.IX Subsection "OSSL_STORE"
\&\fBossl_store\fR\|(7) acts as a general interface to access all kinds of objects,
-potentially protected with a pass phrase, a \s-1PIN\s0 or something else.
-This \s-1API\s0 stipulates that pass phrases should be \s-1UTF\-8\s0 encoded, and that any
+potentially protected with a pass phrase, a PIN or something else.
+This API stipulates that pass phrases should be UTF\-8 encoded, and that any
other pass phrase encoding may give undefined results.
-This \s-1API\s0 relies on the application to ensure \s-1UTF\-8\s0 encoding, and doesn't check
+This API relies on the application to ensure UTF\-8 encoding, and doesn't check
that this is the case, so what it gets, it will also pass to the underlying
loader.
-.SH "RECOMMENDATIONS"
+.SH RECOMMENDATIONS
.IX Header "RECOMMENDATIONS"
This section assumes that you know what pass phrase was used for encryption,
but that it may have been encoded in a different character encoding than the
one used by your current input method.
For example, the pass phrase may have been used at a time when your default
-encoding was \s-1ISO\-8859\-1\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61
+encoding was ISO\-8859\-1 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61
0xEF 0x76 0x65), and you're now in an environment where your default encoding
-is \s-1UTF\-8\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76
+is UTF\-8 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76
0x65).
Whenever it's mentioned that you should use a certain character encoding, it
should be understood that you either change the input method to use the
@@ -233,12 +157,12 @@ byte sequence as it is.
.SS "Creating new objects"
.IX Subsection "Creating new objects"
For creating new pass phrase protected objects, make sure the pass phrase is
-encoded using \s-1UTF\-8.\s0
+encoded using UTF\-8.
This is default on most modern Unixes, but may involve an effort on other
platforms.
Specifically for Windows, setting the environment variable
-\&\fB\s-1OPENSSL_WIN32_UTF8\s0\fR will have anything entered on [Windows] console prompt
-converted to \s-1UTF\-8\s0 (command line and separately prompted pass phrases alike).
+\&\fBOPENSSL_WIN32_UTF8\fR will have anything entered on [Windows] console prompt
+converted to UTF\-8 (command line and separately prompted pass phrases alike).
.SS "Opening existing objects"
.IX Subsection "Opening existing objects"
For opening pass phrase protected objects where you know what character
@@ -248,24 +172,24 @@ encoding again.
For opening pass phrase protected objects where the character encoding that was
used is unknown, or where the producing application is unknown, try one of the
following:
-.IP "1." 4
+.IP 1. 4
Try the pass phrase that you have as it is in the character encoding of your
environment.
It's possible that its byte sequence is exactly right.
-.IP "2." 4
-Convert the pass phrase to \s-1UTF\-8\s0 and try with the result.
+.IP 2. 4
+Convert the pass phrase to UTF\-8 and try with the result.
Specifically with PKCS#12, this should open up any object that was created
according to the specification.
-.IP "3." 4
-Do a nai\*:ve (i.e. purely mathematical) \s-1ISO\-8859\-1\s0 to \s-1UTF\-8\s0 conversion and try
+.IP 3. 4
+Do a naïve (i.e. purely mathematical) ISO\-8859\-1 to UTF\-8 conversion and try
with the result.
-This differs from the previous attempt because \s-1ISO\-8859\-1\s0 maps directly to
+This differs from the previous attempt because ISO\-8859\-1 maps directly to
U+0000 to U+00FF, which other non\-UTF\-8 character sets do not.
.Sp
-This also takes care of the case when a \s-1UTF\-8\s0 encoded string was used with
+This also takes care of the case when a UTF\-8 encoded string was used with
OpenSSL older than 1.1.0.
-(for example, \f(CW\*(C`i\*:\*(C'\fR, which is 0xC3 0xAF when encoded in \s-1UTF\-8,\s0 would become 0xC3
-0x83 0xC2 0xAF when re-encoded in the nai\*:ve manner.
+(for example, \f(CW\*(C`ï\*(C'\fR, which is 0xC3 0xAF when encoded in UTF\-8, would become 0xC3
+0x83 0xC2 0xAF when re-encoded in the naïve manner.
The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the
erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0)
.SH "SEE ALSO"
@@ -276,11 +200,11 @@ erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0)
\&\fBPEM_do_header\fR\|(3),
\&\fBPKCS12_parse\fR\|(3), \fBPKCS12_newpass\fR\|(3),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/property.7 b/secure/lib/libcrypto/man/man7/property.7
index 691741356a6e..02838850cadd 100644
--- a/secure/lib/libcrypto/man/man7/property.7
+++ b/secure/lib/libcrypto/man/man7/property.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROPERTY 7ossl"
-.TH PROPERTY 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROPERTY 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
property \- Properties, a selection mechanism for algorithm implementations
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
As of OpenSSL 3.0, a new method has been introduced to decide which of
multiple implementations of an algorithm will be used.
@@ -171,29 +95,29 @@ property names like
\& <provider_name>.<property_name>
\& <provider_name>.<algorithm_name>.<property_name>
.Ve
-.SS "Properties"
+.SS Properties
.IX Subsection "Properties"
A \fIproperty\fR is a \fIname=value\fR pair.
A \fIproperty definition\fR is a sequence of comma separated properties.
There can be any number of properties in a definition, however each name must
be unique.
-For example: "\*(L" defines an empty property definition (i.e., no restriction);
-\&\*(R"my.foo=bar" defines a property named \fImy.foo\fR which has a string value \fIbar\fR
-and \*(L"iteration.count=3\*(R" defines a property named \fIiteration.count\fR which
+For example: "" defines an empty property definition (i.e., no restriction);
+"my.foo=bar" defines a property named \fImy.foo\fR which has a string value \fIbar\fR
+and "iteration.count=3" defines a property named \fIiteration.count\fR which
has a numeric value of \fI3\fR.
The full syntax for property definitions appears below.
-.SS "Implementations"
+.SS Implementations
.IX Subsection "Implementations"
Each implementation of an algorithm can define any number of
properties.
For example, the default provider defines the property \fIprovider=default\fR
for all of its algorithms.
-Likewise, OpenSSL's \s-1FIPS\s0 provider defines \fIprovider=fips\fR and the legacy
+Likewise, OpenSSL's FIPS provider defines \fIprovider=fips\fR and the legacy
provider defines \fIprovider=legacy\fR for all of their algorithms.
-.SS "Queries"
+.SS Queries
.IX Subsection "Queries"
A \fIproperty query clause\fR is a single conditional test.
-For example, \*(L"fips=yes\*(R", \*(L"provider!=default\*(R" or \*(L"?iteration.count=3\*(R".
+For example, "fips=yes", "provider!=default" or "?iteration.count=3".
The first two represent mandatory clauses, such clauses \fBmust\fR match
for any algorithm to even be under consideration.
The third clause represents an optional clause.
@@ -204,23 +128,23 @@ A \fIproperty query\fR is a sequence of comma separated property query clauses.
It is an error if a property name appears in more than one query clause.
The full syntax for property queries appears below, but the available syntactic
features are:
-.IP "\(bu" 4
+.IP \(bu 4
\&\fB=\fR is an infix operator providing an equality test.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fB!=\fR is an infix operator providing an inequality test.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fB?\fR is a prefix operator that means that the following clause is optional
but preferred.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fB\-\fR is a prefix operator that means any global query clause involving the
following property name should be ignored.
-.IP "\(bu" 4
-\&\fB\*(L"...\*(R"\fR is a quoted string.
+.IP \(bu 4
+\&\fB"..."\fR is a quoted string.
The quotes are not included in the body of the string.
-.IP "\(bu" 4
+.IP \(bu 4
\&\fB'...'\fR is a quoted string.
The quotes are not included in the body of the string.
-.SS "Lookups"
+.SS Lookups
.IX Subsection "Lookups"
When an algorithm is looked up, a property query is used to determine
the best matching algorithm.
@@ -230,11 +154,11 @@ clauses will be used.
If there is more than one such optimal candidate, the result will be
chosen from amongst those in an indeterminate way.
Ordering of optional clauses is not significant.
-.SS "Shortcut"
+.SS Shortcut
.IX Subsection "Shortcut"
In order to permit a more concise expression of boolean properties, there
-is one short cut: a property name alone (e.g. \*(L"my.property\*(R") is
-exactly equivalent to \*(L"my.property=yes\*(R" in both definitions and queries.
+is one short cut: a property name alone (e.g. "my.property") is
+exactly equivalent to "my.property=yes" in both definitions and queries.
.SS "Global and Local"
.IX Subsection "Global and Local"
Two levels of property query are supported.
@@ -245,18 +169,18 @@ the local clause overrides the context clause.
.PP
It is possible for a local property query to remove a clause in the context
property query by preceding the property name with a '\-'.
-For example, a context property query that contains \*(L"fips=yes\*(R" would normally
-result in implementations that have \*(L"fips=yes\*(R".
+For example, a context property query that contains "fips=yes" would normally
+result in implementations that have "fips=yes".
.PP
-However, if the setting of the \*(L"fips\*(R" property is irrelevant to the
+However, if the setting of the "fips" property is irrelevant to the
operations being performed, the local property query can include the
-clause \*(L"\-fips\*(R".
-Note that the local property query could not use \*(L"fips=no\*(R" because that would
-disallow any implementations with \*(L"fips=yes\*(R" rather than not caring about the
+clause "\-fips".
+Note that the local property query could not use "fips=no" because that would
+disallow any implementations with "fips=yes" rather than not caring about the
setting.
-.SH "SYNTAX"
+.SH SYNTAX
.IX Header "SYNTAX"
-The lexical syntax in \s-1EBNF\s0 is given by:
+The lexical syntax in EBNF is given by:
.PP
.Vb 11
\& Definition ::= PropertyName ( \*(Aq=\*(Aq Value )?
@@ -272,16 +196,16 @@ The lexical syntax in \s-1EBNF\s0 is given by:
\& PropertyName ::= [A\-Za\-z] [A\-Za\-z0\-9_]* ( \*(Aq.\*(Aq [A\-Za\-z] [A\-Za\-z0\-9_]* )*
.Ve
.PP
-The flavour of \s-1EBNF\s0 being used is defined by:
+The flavour of EBNF being used is defined by:
<https://www.w3.org/TR/2010/REC\-xquery\-20101214/#EBNFNotation>.
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
Properties were added in OpenSSL 3.0
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-asym_cipher.7 b/secure/lib/libcrypto/man/man7/provider-asym_cipher.7
index 1c647936d89b..48ec1e424338 100644
--- a/secure/lib/libcrypto/man/man7/provider-asym_cipher.7
+++ b/secure/lib/libcrypto/man/man7/provider-asym_cipher.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-ASYM_CIPHER 7ossl"
-.TH PROVIDER-ASYM_CIPHER 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-ASYM_CIPHER 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-asym_cipher \- The asym_cipher library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -175,28 +99,28 @@ provider\-asym_cipher \- The asym_cipher library <\-> provider functions
\& int OSSL_FUNC_asym_cipher_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
\& const OSSL_PARAM *OSSL_FUNC_asym_cipher_settable_ctx_params(void *provctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The asymmetric cipher (\s-1OSSL_OP_ASYM_CIPHER\s0) operation enables providers to
+The asymmetric cipher (OSSL_OP_ASYM_CIPHER) operation enables providers to
implement asymmetric cipher algorithms and make them available to applications
-via the \s-1API\s0 functions \fBEVP_PKEY_encrypt\fR\|(3),
+via the API functions \fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3) and
other related functions).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_asym_cipher_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_asym_cipher_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_asym_cipher_newctx_fn)(void *provctx);
@@ -204,7 +128,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_asym_cipher_newctx()\fR has the
\& OSSL_FUNC_asym_cipher_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
@@ -237,7 +161,7 @@ Similarly, OSSL_FUNC_asym_cipher_set_ctx_params is optional but if it is present
so must OSSL_FUNC_asym_cipher_settable_ctx_params.
.PP
An asymmetric cipher algorithm must also implement some mechanism for generating,
-loading or importing keys via the key management (\s-1OSSL_OP_KEYMGMT\s0) operation.
+loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
See \fBprovider\-keymgmt\fR\|(7) for further details.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
@@ -259,30 +183,30 @@ context in the \fIctx\fR parameter and return the duplicate copy.
\&\fBOSSL_FUNC_asym_cipher_encrypt_init()\fR initialises a context for an asymmetric encryption
given a provider side asymmetric cipher context in the \fIctx\fR parameter, and a
pointer to a provider key object in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_asym_cipher_set_ctx_params()\fR.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see \fBprovider\-keymgmt\fR\|(7)).
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see \fBprovider\-keymgmt\fR\|(7)).
\&\fBOSSL_FUNC_asym_cipher_encrypt()\fR performs the actual encryption itself.
A previously initialised asymmetric cipher context is passed in the \fIctx\fR
parameter.
The data to be encrypted is pointed to by the \fIin\fR parameter which is \fIinlen\fR
bytes long.
-Unless \fIout\fR is \s-1NULL,\s0 the encrypted data should be written to the location
+Unless \fIout\fR is NULL, the encrypted data should be written to the location
pointed to by the \fIout\fR parameter and it should not exceed \fIoutsize\fR bytes in
length.
The length of the encrypted data should be written to \fI*outlen\fR.
-If \fIout\fR is \s-1NULL\s0 then the maximum length of the encrypted data should be
+If \fIout\fR is NULL then the maximum length of the encrypted data should be
written to \fI*outlen\fR.
.SS "Decryption Functions"
.IX Subsection "Decryption Functions"
\&\fBOSSL_FUNC_asym_cipher_decrypt_init()\fR initialises a context for an asymmetric decryption
given a provider side asymmetric cipher context in the \fIctx\fR parameter, and a
pointer to a provider key object in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_asym_cipher_set_ctx_params()\fR.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
\&\fBprovider\-keymgmt\fR\|(7)).
.PP
\&\fBOSSL_FUNC_asym_cipher_decrypt()\fR performs the actual decryption itself.
@@ -290,102 +214,117 @@ A previously initialised asymmetric cipher context is passed in the \fIctx\fR
parameter.
The data to be decrypted is pointed to by the \fIin\fR parameter which is \fIinlen\fR
bytes long.
-Unless \fIout\fR is \s-1NULL,\s0 the decrypted data should be written to the location
+Unless \fIout\fR is NULL, the decrypted data should be written to the location
pointed to by the \fIout\fR parameter and it should not exceed \fIoutsize\fR bytes in
length.
The length of the decrypted data should be written to \fI*outlen\fR.
-If \fIout\fR is \s-1NULL\s0 then the maximum length of the decrypted data should be
+If \fIout\fR is NULL then the maximum length of the decrypted data should be
written to \fI*outlen\fR.
.SS "Asymmetric Cipher Parameters"
.IX Subsection "Asymmetric Cipher Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
the \fBOSSL_FUNC_asym_cipher_get_ctx_params()\fR and \fBOSSL_FUNC_asym_cipher_set_ctx_params()\fR
functions.
.PP
\&\fBOSSL_FUNC_asym_cipher_get_ctx_params()\fR gets asymmetric cipher parameters associated
with the given provider side asymmetric cipher context \fIctx\fR and stores them in
\&\fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_asym_cipher_set_ctx_params()\fR sets the asymmetric cipher parameters associated
with the given provider side asymmetric cipher context \fIctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
Parameters currently recognised by built-in asymmetric cipher algorithms are as
follows.
Not all parameters are relevant to, or are understood by all asymmetric cipher
algorithms:
-.ie n .IP """pad-mode"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string> \s-1OR\s0 <integer>" 4
-.el .IP "``pad-mode'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_PAD_MODE\s0\fR) <\s-1UTF8\s0 string> \s-1OR\s0 <integer>" 4
-.IX Item "pad-mode (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string> OR <integer>"
+.IP """pad-mode"" (\fBOSSL_ASYM_CIPHER_PARAM_PAD_MODE\fR) <UTF8 string> OR <integer>" 4
+.IX Item """pad-mode"" (OSSL_ASYM_CIPHER_PARAM_PAD_MODE) <UTF8 string> OR <integer>"
The type of padding to be used. The interpretation of this value will depend
on the algorithm in use.
-.ie n .IP """digest"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST) <UTF8 string>"
-Gets or sets the name of the \s-1OAEP\s0 digest algorithm used when \s-1OAEP\s0 padding is in
+.IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST) <UTF8 string>"
+Gets or sets the name of the OAEP digest algorithm used when OAEP padding is in
use.
-.ie n .IP """digest"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_ASYM_CIPHER_PARAM_DIGEST) <UTF8 string>"
Gets or sets the name of the digest algorithm used by the algorithm (where
applicable).
-.ie n .IP """digest-props"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest-props'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest-props (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>"
-Gets or sets the properties to use when fetching the \s-1OAEP\s0 digest algorithm.
-.ie n .IP """digest-props"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest-props'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest-props (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>"
+.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST_PROPS) <UTF8 string>"
+Gets or sets the properties to use when fetching the OAEP digest algorithm.
+.IP """digest-props"" (\fBOSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """digest-props"" (OSSL_ASYM_CIPHER_PARAM_DIGEST_PROPS) <UTF8 string>"
Gets or sets the properties to use when fetching the cipher digest algorithm.
-.ie n .IP """mgf1\-digest"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-digest'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-digest (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST) <UTF8 string>"
-Gets or sets the name of the \s-1MGF1\s0 digest algorithm used when \s-1OAEP\s0 or \s-1PSS\s0 padding
+.IP """mgf1\-digest"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mgf1-digest"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST) <UTF8 string>"
+Gets or sets the name of the MGF1 digest algorithm used when OAEP or PSS padding
is in use.
-.ie n .IP """mgf1\-digest\-props"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mgf1\-digest\-props'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mgf1-digest-props (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>"
-Gets or sets the properties to use when fetching the \s-1MGF1\s0 digest algorithm.
-.ie n .IP """oaep-label"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\s0\fR) <octet string ptr>" 4
-.el .IP "``oaep-label'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\s0\fR) <octet string ptr>" 4
-.IX Item "oaep-label (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string ptr>"
-Gets the \s-1OAEP\s0 label used when \s-1OAEP\s0 padding is in use.
-.ie n .IP """oaep-label"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\s0\fR) <octet string>" 4
-.el .IP "``oaep-label'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\s0\fR) <octet string>" 4
-.IX Item "oaep-label (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>"
-Sets the \s-1OAEP\s0 label used when \s-1OAEP\s0 padding is in use.
-.ie n .IP """tls-client-version"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-client-version'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.IX Item "tls-client-version (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
-The \s-1TLS\s0 protocol version first requested by the client.
-.ie n .IP """tls-negotiated-version"" (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-negotiated-version'' (\fB\s-1OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\s0\fR) <unsigned integer>" 4
-.IX Item "tls-negotiated-version (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
-The negotiated \s-1TLS\s0 protocol version.
+.IP """mgf1\-digest\-props"" (\fBOSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """mgf1-digest-props"" (OSSL_ASYM_CIPHER_PARAM_MGF1_DIGEST_PROPS) <UTF8 string>"
+Gets or sets the properties to use when fetching the MGF1 digest algorithm.
+.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string ptr>" 4
+.IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string ptr>"
+Gets the OAEP label used when OAEP padding is in use.
+.IP """oaep-label"" (\fBOSSL_ASYM_CIPHER_PARAM_OAEP_LABEL\fR) <octet string>" 4
+.IX Item """oaep-label"" (OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL) <octet string>"
+Sets the OAEP label used when OAEP padding is in use.
+.IP """tls-client-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4
+.IX Item """tls-client-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
+The TLS protocol version first requested by the client.
+.IP """tls-negotiated-version"" (\fBOSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION\fR) <unsigned integer>" 4
+.IX Item """tls-negotiated-version"" (OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION) <unsigned integer>"
+The negotiated TLS protocol version.
+.IP """implicit-rejection"" (\fBOSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION\fR) <unsigned integer>" 4
+.IX Item """implicit-rejection"" (OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION) <unsigned integer>"
+Gets or sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5
+decryption. When set (non zero value), the decryption API will return
+a deterministically random value if the PKCS#1 v1.5 padding check fails.
+This makes exploitation of the Bleichenbacher significantly harder, even
+if the code using the RSA decryption API is not implemented in side-channel
+free manner. Set by default in OpenSSL providers.
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_ASYM_CIPHER_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling either \fBOSSL_FUNC_asym_cipher_encrypt()\fR or
+\&\fBOSSL_FUNC_asym_cipher_decrypt()\fR. It may return 0 if "key-check" is set to 0.
+.IP """key-check"" (\fBOSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_ASYM_CIPHER_PARAM_FIPS_KEY_CHECK) <integer>"
+If required this parameter should be set using either
+\&\fBOSSL_FUNC_asym_cipher_encrypt_init()\fR or \fBOSSL_FUNC_asym_cipher_decrypt_init()\fR.
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.PP
\&\fBOSSL_FUNC_asym_cipher_gettable_ctx_params()\fR and \fBOSSL_FUNC_asym_cipher_settable_ctx_params()\fR
-get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the gettable and settable
+get a constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and settable
parameters, i.e. parameters that can be used with \fBOSSL_FUNC_asym_cipherget_ctx_params()\fR
and \fBOSSL_FUNC_asym_cipher_set_ctx_params()\fR respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_asym_cipher_newctx()\fR and \fBOSSL_FUNC_asym_cipher_dupctx()\fR should return the newly
-created provider side asymmetric cipher context, or \s-1NULL\s0 on failure.
+created provider side asymmetric cipher context, or NULL on failure.
.PP
All other functions should return 1 for success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1ASYM_CIPHER\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider ASYM_CIPHER interface was introduced in OpenSSL 3.0.
+The Asymmetric Cipher Parameters "fips-indicator" and "key-check"
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
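Review bot: The regenerated `tls-negotiated-version` item still names `OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION`, the same macro given for `tls-client-version` just above it, so a provider author following this page could bind both keys to one constant. The intended name is presumably `OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION`, in both the `.IP` and `.IX` lines. In the new implicit-rejection paragraph, "exploitation of the Bleichenbacher" is missing its noun and should read "the Bleichenbacher attack". The unchanged context line `OSSL_FUNC_asym_cipherget_ctx_params()` also lacks an underscore before `get`. Because the page is generated by Pod::Man, all three corrections belong in the upstream POD source and should arrive through regeneration, not as edits to this file.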
diff --git a/secure/lib/libcrypto/man/man7/provider-base.7 b/secure/lib/libcrypto/man/man7/provider-base.7
index 89a9c99b6d9b..a7a3f1e008a1 100644
--- a/secure/lib/libcrypto/man/man7/provider-base.7
+++ b/secure/lib/libcrypto/man/man7/provider-base.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-BASE 7ossl"
-.TH PROVIDER-BASE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-BASE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-base
\&\- The basic OpenSSL library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
@@ -211,13 +135,23 @@ provider\-base
\& size_t get_entropy(const OSSL_CORE_HANDLE *handle,
\& unsigned char **pout, int entropy,
\& size_t min_len, size_t max_len);
+\& size_t get_user_entropy(const OSSL_CORE_HANDLE *handle,
+\& unsigned char **pout, int entropy,
+\& size_t min_len, size_t max_len);
\& void cleanup_entropy(const OSSL_CORE_HANDLE *handle,
\& unsigned char *buf, size_t len);
+\& void cleanup_user_entropy(const OSSL_CORE_HANDLE *handle,
+\& unsigned char *buf, size_t len);
\& size_t get_nonce(const OSSL_CORE_HANDLE *handle,
\& unsigned char **pout, size_t min_len, size_t max_len,
\& const void *salt, size_t salt_len);
+\& size_t get_user_nonce(const OSSL_CORE_HANDLE *handle,
+\& unsigned char **pout, size_t min_len, size_t max_len,
+\& const void *salt, size_t salt_len);
\& void cleanup_nonce(const OSSL_CORE_HANDLE *handle,
\& unsigned char *buf, size_t len);
+\& void cleanup_user_nonce(const OSSL_CORE_HANDLE *handle,
+\& unsigned char *buf, size_t len);
\&
\& /* Functions for querying the providers in the application library context */
\& int provider_register_child_cb(const OSSL_CORE_HANDLE *handle,
@@ -248,18 +182,18 @@ provider\-base
\& OSSL_CALLBACK *cb, void *arg);
\& int provider_self_test(void *provctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays, in the call
-of the provider initialization function. See \*(L"Provider\*(R" in \fBprovider\fR\|(7)
-for a description of the initialization function. They are known as \*(L"upcalls\*(R".
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays, in the call
+of the provider initialization function. See "Provider" in \fBprovider\fR\|(7)
+for a description of the initialization function. They are known as "upcalls".
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from a \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from a \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBcore_gettable_params()\fR has these:
+For example, the "function" \fBcore_gettable_params()\fR has these:
.PP
.Vb 4
\& typedef OSSL_PARAM *
@@ -268,10 +202,10 @@ For example, the \*(L"function\*(R" \fBcore_gettable_params()\fR has these:
\& OSSL_FUNC_core_gettable_params(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
-For \fIin\fR (the \s-1\fBOSSL_DISPATCH\s0\fR\|(3) array passed from \fIlibcrypto\fR to the
+For \fIin\fR (the \fBOSSL_DISPATCH\fR\|(3) array passed from \fIlibcrypto\fR to the
provider):
.PP
.Vb 10
@@ -309,9 +243,13 @@ provider):
\& OPENSSL_cleanse OSSL_FUNC_OPENSSL_CLEANSE
\& OSSL_SELF_TEST_set_callback OSSL_FUNC_SELF_TEST_CB
\& ossl_rand_get_entropy OSSL_FUNC_GET_ENTROPY
+\& ossl_rand_get_user_entropy OSSL_FUNC_GET_USER_ENTROPY
\& ossl_rand_cleanup_entropy OSSL_FUNC_CLEANUP_ENTROPY
+\& ossl_rand_cleanup_user_entropy OSSL_FUNC_CLEANUP_USER_ENTROPY
\& ossl_rand_get_nonce OSSL_FUNC_GET_NONCE
+\& ossl_rand_get_user_nonce OSSL_FUNC_GET_USER_NONCE
\& ossl_rand_cleanup_nonce OSSL_FUNC_CLEANUP_NONCE
+\& ossl_rand_cleanup_user_nonce OSSL_FUNC_CLEANUP_USER_NONCE
\& provider_register_child_cb OSSL_FUNC_PROVIDER_REGISTER_CHILD_CB
\& provider_deregister_child_cb OSSL_FUNC_PROVIDER_DEREGISTER_CHILD_CB
\& provider_name OSSL_FUNC_PROVIDER_NAME
@@ -321,7 +259,7 @@ provider):
\& provider_free OSSL_FUNC_PROVIDER_FREE
.Ve
.PP
-For \fI*out\fR (the \s-1\fBOSSL_DISPATCH\s0\fR\|(3) array passed from the provider to
+For \fI*out\fR (the \fBOSSL_DISPATCH\fR\|(3) array passed from the provider to
\&\fIlibcrypto\fR):
.PP
.Vb 8
@@ -337,10 +275,10 @@ For \fI*out\fR (the \s-1\fBOSSL_DISPATCH\s0\fR\|(3) array passed from the provid
.SS "Core functions"
.IX Subsection "Core functions"
\&\fBcore_gettable_params()\fR returns a constant array of descriptor
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3), for parameters that \fBcore_get_params()\fR can handle.
+\&\fBOSSL_PARAM\fR\|(3), for parameters that \fBcore_get_params()\fR can handle.
.PP
\&\fBcore_get_params()\fR retrieves parameters from the core for the given \fIhandle\fR.
-See \*(L"Core parameters\*(R" below for a description of currently known
+See "Core parameters" below for a description of currently known
parameters.
.PP
The \fBcore_thread_start()\fR function informs the core that the provider has stated
@@ -355,21 +293,21 @@ freeing thread local variables.
\&\fBcore_get_libctx()\fR retrieves the core context in which the library
object for the current provider is stored, accessible through the \fIhandle\fR.
This function is useful only for built-in providers such as the default
-provider. Never cast this to \s-1OSSL_LIB_CTX\s0 in a provider that is not
-built-in as the \s-1OSSL_LIB_CTX\s0 of the library loading the provider might be
-a completely different structure than the \s-1OSSL_LIB_CTX\s0 of the library the
+provider. Never cast this to OSSL_LIB_CTX in a provider that is not
+built-in as the OSSL_LIB_CTX of the library loading the provider might be
+a completely different structure than the OSSL_LIB_CTX of the library the
provider is linked to. Use \fBOSSL_LIB_CTX_new_child\fR\|(3) instead to obtain
a proper library context that is linked to the application library context.
.PP
\&\fBcore_new_error()\fR, \fBcore_set_error_debug()\fR and \fBcore_vset_error()\fR are
building blocks for reporting an error back to the core, with
reference to the \fIhandle\fR.
-.IP "\fBcore_new_error()\fR" 4
+.IP \fBcore_new_error()\fR 4
.IX Item "core_new_error()"
allocates a new thread specific error record.
.Sp
This corresponds to the OpenSSL function \fBERR_new\fR\|(3).
-.IP "\fBcore_set_error_debug()\fR" 4
+.IP \fBcore_set_error_debug()\fR 4
.IX Item "core_set_error_debug()"
sets debugging information in the current thread specific error
record.
@@ -377,7 +315,7 @@ The debugging information includes the name of the file \fIfile\fR, the
line \fIline\fR and the function name \fIfunc\fR where the error occurred.
.Sp
This corresponds to the OpenSSL function \fBERR_set_debug\fR\|(3).
-.IP "\fBcore_vset_error()\fR" 4
+.IP \fBcore_vset_error()\fR 4
.IX Item "core_vset_error()"
sets the \fIreason\fR for the error, along with any addition data.
The \fIreason\fR is a number defined by the provider and used to index
@@ -391,14 +329,13 @@ error occurred or was reported.
.Sp
This corresponds to the OpenSSL function \fBERR_vset_error\fR\|(3).
.PP
-The \fBcore_obj_create()\fR function registers a new \s-1OID\s0 and associated short name
+The \fBcore_obj_create()\fR function registers a new OID and associated short name
\&\fIsn\fR and long name \fIln\fR for the given \fIhandle\fR. It is similar to the OpenSSL
function \fBOBJ_create\fR\|(3) except that it returns 1 on success or 0 on failure.
-It will treat as success the case where the \s-1OID\s0 already exists (even if the
+It will treat as success the case where the OID already exists (even if the
short name \fIsn\fR or long name \fIln\fR provided as arguments differ from those
-associated with the existing \s-1OID,\s0 in which case the new names are not
+associated with the existing OID, in which case the new names are not
associated).
-This function is not thread safe.
.PP
The \fBcore_obj_add_sigid()\fR function registers a new composite signature algorithm
(\fIsign_name\fR) consisting of an underlying signature algorithm (\fIpkey_name\fR)
@@ -407,13 +344,12 @@ the OIDs for the composite signature algorithm as well as for the underlying
signature and digest algorithms are either already known to OpenSSL or have been
registered via a call to \fBcore_obj_create()\fR. It corresponds to the OpenSSL
function \fBOBJ_add_sigid\fR\|(3), except that the objects are identified by name
-rather than a numeric \s-1NID.\s0 Any name (\s-1OID,\s0 short name or long name) can be used
+rather than a numeric NID. Any name (OID, short name or long name) can be used
to identify the object. It will treat as success the case where the composite
signature algorithm already exists (even if registered against a different
-underlying signature or digest algorithm). For \fIdigest_name\fR, \s-1NULL\s0 or an
+underlying signature or digest algorithm). For \fIdigest_name\fR, NULL or an
empty string is permissible for signature algorithms that do not need a digest
to operate correctly. The function returns 1 on success or 0 on failure.
-This function is not thread safe.
.PP
\&\fBCRYPTO_malloc()\fR, \fBCRYPTO_zalloc()\fR, \fBCRYPTO_free()\fR, \fBCRYPTO_clear_free()\fR,
\&\fBCRYPTO_realloc()\fR, \fBCRYPTO_clear_realloc()\fR, \fBCRYPTO_secure_malloc()\fR,
@@ -423,9 +359,9 @@ This function is not thread safe.
\&\fBBIO_free()\fR, \fBBIO_vprintf()\fR, \fBBIO_vsnprintf()\fR, \fBBIO_gets()\fR, \fBBIO_puts()\fR,
\&\fBBIO_ctrl()\fR, \fBOPENSSL_cleanse()\fR and
\&\fBOPENSSL_hexstr2buf()\fR correspond exactly to the public functions with
-the same name. As a matter of fact, the pointers in the \s-1\fBOSSL_DISPATCH\s0\fR\|(3)
-array are typically direct pointers to those public functions. Note that the \s-1BIO\s0
-functions take an \fB\s-1OSSL_CORE_BIO\s0\fR type rather than the standard \fB\s-1BIO\s0\fR
+the same name. As a matter of fact, the pointers in the \fBOSSL_DISPATCH\fR\|(3)
+array are typically direct pointers to those public functions. Note that the BIO
+functions take an \fBOSSL_CORE_BIO\fR type rather than the standard \fBBIO\fR
type. This is to ensure that a provider does not mix BIOs from the core
with BIOs used on the provider side (the two are not compatible).
\&\fBOSSL_SELF_TEST_set_callback()\fR is used to set an optional callback that can be
@@ -437,9 +373,17 @@ output will have at least \fImin_len\fR and at most \fImax_len\fR bytes.
The buffer address is stored in \fI*pout\fR and the buffer length is
returned to the caller. On error, zero is returned.
.PP
+\&\fBget_user_entropy()\fR is the same as \fBget_entropy()\fR except that it will
+attempt to gather seed material via the seed source specified by a call to
+\&\fBRAND_set_seed_source_type\fR\|(3) or via "Random Configuration" in \fBconfig\fR\|(5).
+.PP
\&\fBcleanup_entropy()\fR is used to clean up and free the buffer returned by
-\&\fBget_entropy()\fR. The entropy pointer returned by \fBget_entropy()\fR is passed in
-\&\fBbuf\fR and its length in \fBlen\fR.
+\&\fBget_entropy()\fR. The entropy pointer returned by \fBget_entropy()\fR
+is passed in \fBbuf\fR and its length in \fBlen\fR.
+.PP
+\&\fBcleanup_user_entropy()\fR is used to clean up and free the buffer returned by
+\&\fBget_user_entropy()\fR. The entropy pointer returned by \fBget_user_entropy()\fR
+is passed in \fBbuf\fR and its length in \fBlen\fR.
.PP
\&\fBget_nonce()\fR retrieves a nonce using the passed \fIsalt\fR parameter
of length \fIsalt_len\fR and operating system specific information.
@@ -449,9 +393,17 @@ The output is stored in a buffer which contains at least \fImin_len\fR and at
most \fImax_len\fR bytes. The buffer address is stored in \fI*pout\fR and the
buffer length returned to the caller. On error, zero is returned.
.PP
+\&\fBget_user_nonce()\fR is the same as \fBget_nonce()\fR except that it will attempt
+to gather seed material via the seed source specified by a call to
+\&\fBRAND_set_seed_source_type\fR\|(3) or via "Random Configuration" in \fBconfig\fR\|(5).
+.PP
\&\fBcleanup_nonce()\fR is used to clean up and free the buffer returned by
-\&\fBget_nonce()\fR. The nonce pointer returned by \fBget_nonce()\fR is passed in
-\&\fBbuf\fR and its length in \fBlen\fR.
+\&\fBget_nonce()\fR. The nonce pointer returned by \fBget_nonce()\fR
+is passed in \fBbuf\fR and its length in \fBlen\fR.
+.PP
+\&\fBcleanup_user_nonce()\fR is used to clean up and free the buffer returned by
+\&\fBget_user_nonce()\fR. The nonce pointer returned by \fBget_user_nonce()\fR
+is passed in \fBbuf\fR and its length in \fBlen\fR.
.PP
\&\fBprovider_register_child_cb()\fR registers callbacks for being informed about the
loading and unloading of providers in the application's library context.
@@ -459,7 +411,7 @@ loading and unloading of providers in the application's library context.
that will be passed back to the callbacks. It returns 1 on success or 0
otherwise. These callbacks may be called while holding locks in libcrypto. In
order to avoid deadlocks the callback implementation must not be long running
-and must not call other OpenSSL \s-1API\s0 functions or upcalls.
+and must not call other OpenSSL API functions or upcalls.
.PP
\&\fIcreate_cb\fR is a callback that will be called when a new provider is loaded
into the application's library context. It is also called for any providers that
@@ -504,13 +456,13 @@ from the core's provider store.
It must free the passed \fIprovctx\fR.
.PP
\&\fBprovider_gettable_params()\fR should return a constant array of
-descriptor \s-1\fBOSSL_PARAM\s0\fR\|(3), for parameters that \fBprovider_get_params()\fR
+descriptor \fBOSSL_PARAM\fR\|(3), for parameters that \fBprovider_get_params()\fR
can handle.
.PP
-\&\fBprovider_get_params()\fR should process the \s-1\fBOSSL_PARAM\s0\fR\|(3) array
+\&\fBprovider_get_params()\fR should process the \fBOSSL_PARAM\fR\|(3) array
\&\fIparams\fR, setting the values of the parameters it understands.
.PP
-\&\fBprovider_query_operation()\fR should return a constant \s-1\fBOSSL_ALGORITHM\s0\fR\|(3)
+\&\fBprovider_query_operation()\fR should return a constant \fBOSSL_ALGORITHM\fR\|(3)
that corresponds to the given \fIoperation_id\fR.
It should indicate if the core may store a reference to this array by
setting \fI*no_store\fR to 0 (core may store a reference) or 1 (core may
@@ -521,18 +473,18 @@ not store a reference).
pointers have been copied. The \fIoperation_id\fR should match that passed to
\&\fBprovider_query_operation()\fR and \fIalgs\fR should be its return value.
.PP
-\&\fBprovider_get_reason_strings()\fR should return a constant \s-1\fBOSSL_ITEM\s0\fR\|(3)
+\&\fBprovider_get_reason_strings()\fR should return a constant \fBOSSL_ITEM\fR\|(3)
array that provides reason strings for reason codes the provider may
use when reporting errors using \fBcore_put_error()\fR.
.PP
The \fBprovider_get_capabilities()\fR function should call the callback \fIcb\fR passing
-it a set of \s-1\fBOSSL_PARAM\s0\fR\|(3)s and the caller supplied argument \fIarg\fR. The
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3)s should provide details about the capability with the name given
+it a set of \fBOSSL_PARAM\fR\|(3)s and the caller supplied argument \fIarg\fR. The
+\&\fBOSSL_PARAM\fR\|(3)s should provide details about the capability with the name given
in the \fIcapability\fR argument relevant for the provider context \fIprovctx\fR. If a
provider supports multiple capabilities with the given name then it may call the
callback multiple times (one for each capability). Capabilities can be useful for
describing the services that a provider can offer. For further details see the
-\&\*(L"\s-1CAPABILITIES\*(R"\s0 section below. It should return 1 on success or 0 on error.
+"CAPABILITIES" section below. It should return 1 on success or 0 on error.
.PP
The \fBprovider_self_test()\fR function should perform known answer tests on a subset
of the algorithms that it uses, and may also verify the integrity of the
@@ -546,25 +498,21 @@ useless without at least \fBprovider_query_operation()\fR, and
.SS "Provider parameters"
.IX Subsection "Provider parameters"
\&\fBprovider_get_params()\fR can return the following provider parameters to the core:
-.ie n .IP """name"" (\fB\s-1OSSL_PROV_PARAM_NAME\s0\fR) <\s-1UTF8\s0 ptr>" 4
-.el .IP "``name'' (\fB\s-1OSSL_PROV_PARAM_NAME\s0\fR) <\s-1UTF8\s0 ptr>" 4
-.IX Item "name (OSSL_PROV_PARAM_NAME) <UTF8 ptr>"
+.IP """name"" (\fBOSSL_PROV_PARAM_NAME\fR) <UTF8 ptr>" 4
+.IX Item """name"" (OSSL_PROV_PARAM_NAME) <UTF8 ptr>"
This points to a string that should give a unique name for the provider.
-.ie n .IP """version"" (\fB\s-1OSSL_PROV_PARAM_VERSION\s0\fR) <\s-1UTF8\s0 ptr>" 4
-.el .IP "``version'' (\fB\s-1OSSL_PROV_PARAM_VERSION\s0\fR) <\s-1UTF8\s0 ptr>" 4
-.IX Item "version (OSSL_PROV_PARAM_VERSION) <UTF8 ptr>"
+.IP """version"" (\fBOSSL_PROV_PARAM_VERSION\fR) <UTF8 ptr>" 4
+.IX Item """version"" (OSSL_PROV_PARAM_VERSION) <UTF8 ptr>"
This points to a string that is a version number associated with this provider.
-OpenSSL in-built providers use \s-1OPENSSL_VERSION_STR,\s0 but this may be different
+OpenSSL in-built providers use OPENSSL_VERSION_STR, but this may be different
for any third party provider. This string is for informational purposes only.
-.ie n .IP """buildinfo"" (\fB\s-1OSSL_PROV_PARAM_BUILDINFO\s0\fR) <\s-1UTF8\s0 ptr>" 4
-.el .IP "``buildinfo'' (\fB\s-1OSSL_PROV_PARAM_BUILDINFO\s0\fR) <\s-1UTF8\s0 ptr>" 4
-.IX Item "buildinfo (OSSL_PROV_PARAM_BUILDINFO) <UTF8 ptr>"
+.IP """buildinfo"" (\fBOSSL_PROV_PARAM_BUILDINFO\fR) <UTF8 ptr>" 4
+.IX Item """buildinfo"" (OSSL_PROV_PARAM_BUILDINFO) <UTF8 ptr>"
This points to a string that is a build information associated with this provider.
-OpenSSL in-built providers use \s-1OPENSSL_FULL_VERSION_STR,\s0 but this may be
+OpenSSL in-built providers use OPENSSL_FULL_VERSION_STR, but this may be
different for any third party provider.
-.ie n .IP """status"" (\fB\s-1OSSL_PROV_PARAM_STATUS\s0\fR) <unsigned integer>" 4
-.el .IP "``status'' (\fB\s-1OSSL_PROV_PARAM_STATUS\s0\fR) <unsigned integer>" 4
-.IX Item "status (OSSL_PROV_PARAM_STATUS) <unsigned integer>"
+.IP """status"" (\fBOSSL_PROV_PARAM_STATUS\fR) <unsigned integer>" 4
+.IX Item """status"" (OSSL_PROV_PARAM_STATUS) <unsigned integer>"
This returns 0 if the provider has entered an error state, otherwise it returns
1.
.PP
@@ -572,18 +520,15 @@ This returns 0 if the provider has entered an error state, otherwise it returns
.SS "Core parameters"
.IX Subsection "Core parameters"
\&\fBcore_get_params()\fR can retrieve the following core parameters for each provider:
-.ie n .IP """openssl-version"" (\fB\s-1OSSL_PROV_PARAM_CORE_VERSION\s0\fR) <\s-1UTF8\s0 string ptr>" 4
-.el .IP "``openssl-version'' (\fB\s-1OSSL_PROV_PARAM_CORE_VERSION\s0\fR) <\s-1UTF8\s0 string ptr>" 4
-.IX Item "openssl-version (OSSL_PROV_PARAM_CORE_VERSION) <UTF8 string ptr>"
+.IP """openssl-version"" (\fBOSSL_PROV_PARAM_CORE_VERSION\fR) <UTF8 string ptr>" 4
+.IX Item """openssl-version"" (OSSL_PROV_PARAM_CORE_VERSION) <UTF8 string ptr>"
This points to the OpenSSL libraries' full version string, i.e. the string
-expanded from the macro \fB\s-1OPENSSL_VERSION_STR\s0\fR.
-.ie n .IP """provider-name"" (\fB\s-1OSSL_PROV_PARAM_CORE_PROV_NAME\s0\fR) <\s-1UTF8\s0 string ptr>" 4
-.el .IP "``provider-name'' (\fB\s-1OSSL_PROV_PARAM_CORE_PROV_NAME\s0\fR) <\s-1UTF8\s0 string ptr>" 4
-.IX Item "provider-name (OSSL_PROV_PARAM_CORE_PROV_NAME) <UTF8 string ptr>"
+expanded from the macro \fBOPENSSL_VERSION_STR\fR.
+.IP """provider-name"" (\fBOSSL_PROV_PARAM_CORE_PROV_NAME\fR) <UTF8 string ptr>" 4
+.IX Item """provider-name"" (OSSL_PROV_PARAM_CORE_PROV_NAME) <UTF8 string ptr>"
This points to the OpenSSL libraries' idea of what the calling provider is named.
-.ie n .IP """module-filename"" (\fB\s-1OSSL_PROV_PARAM_CORE_MODULE_FILENAME\s0\fR) <\s-1UTF8\s0 string ptr>" 4
-.el .IP "``module-filename'' (\fB\s-1OSSL_PROV_PARAM_CORE_MODULE_FILENAME\s0\fR) <\s-1UTF8\s0 string ptr>" 4
-.IX Item "module-filename (OSSL_PROV_PARAM_CORE_MODULE_FILENAME) <UTF8 string ptr>"
+.IP """module-filename"" (\fBOSSL_PROV_PARAM_CORE_MODULE_FILENAME\fR) <UTF8 string ptr>" 4
+.IX Item """module-filename"" (OSSL_PROV_PARAM_CORE_MODULE_FILENAME) <UTF8 string ptr>"
This points to a string containing the full filename of the providers
module file.
.PP
@@ -615,120 +560,234 @@ For example, let's say we have the following config example:
.Ve
.PP
The provider will have these additional parameters available:
-.ie n .IP """activate""" 4
-.el .IP "``activate''" 4
-.IX Item "activate"
-pointing at the string \*(L"1\*(R"
-.ie n .IP """data1""" 4
-.el .IP "``data1''" 4
-.IX Item "data1"
-pointing at the string \*(L"2\*(R"
-.ie n .IP """data2""" 4
-.el .IP "``data2''" 4
-.IX Item "data2"
-pointing at the string \*(L"str\*(R"
-.ie n .IP """more.data3""" 4
-.el .IP "``more.data3''" 4
-.IX Item "more.data3"
-pointing at the string \*(L"foo,bar\*(R"
-.PP
-For more information on handling parameters, see \s-1\fBOSSL_PARAM\s0\fR\|(3) as
+.IP """activate""" 4
+.IX Item """activate"""
+pointing at the string "1"
+.IP """data1""" 4
+.IX Item """data1"""
+pointing at the string "2"
+.IP """data2""" 4
+.IX Item """data2"""
+pointing at the string "str"
+.IP """more.data3""" 4
+.IX Item """more.data3"""
+pointing at the string "foo,bar"
+.PP
+For more information on handling parameters, see \fBOSSL_PARAM\fR\|(3) as
\&\fBOSSL_PARAM_int\fR\|(3).
-.SH "CAPABILITIES"
+.SH CAPABILITIES
.IX Header "CAPABILITIES"
Capabilities describe some of the services that a provider can offer.
Applications can query the capabilities to discover those services.
.PP
-\fI\*(L"TLS-GROUP\*(R" Capability\fR
-.IX Subsection "TLS-GROUP Capability"
+\fI"TLS-GROUP" Capability\fR
+.IX Subsection """TLS-GROUP"" Capability"
.PP
-The \*(L"TLS-GROUP\*(R" capability can be queried by libssl to discover the list of
-\&\s-1TLS\s0 groups that a provider can support. Each group supported can be used for
-\&\fIkey exchange\fR (\s-1KEX\s0) or \fIkey encapsulation method\fR (\s-1KEM\s0) during a \s-1TLS\s0
+The "TLS-GROUP" capability can be queried by libssl to discover the list of
+TLS groups that a provider can support. Each group supported can be used for
+\&\fIkey exchange\fR (KEX) or \fIkey encapsulation method\fR (KEM) during a TLS
handshake.
-\&\s-1TLS\s0 clients can advertise the list of \s-1TLS\s0 groups they support in the
-supported_groups extension, and \s-1TLS\s0 servers can select a group from the offered
+TLS clients can advertise the list of TLS groups they support in the
+supported_groups extension, and TLS servers can select a group from the offered
list that they also support. In this way a provider can add to the list of
groups that libssl already supports with additional ones.
.PP
-Each \s-1TLS\s0 group that a provider supports should be described via the callback
+Each TLS group that a provider supports should be described via the callback
passed in through the provider_get_capabilities function. Each group should have
the following details supplied (all are mandatory, except
-\&\fB\s-1OSSL_CAPABILITY_TLS_GROUP_IS_KEM\s0\fR):
-.ie n .IP """tls-group-name"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``tls-group-name'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_NAME\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "tls-group-name (OSSL_CAPABILITY_TLS_GROUP_NAME) <UTF8 string>"
-The name of the group as given in the \s-1IANA TLS\s0 Supported Groups registry
+\&\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR):
+.IP """tls-group-name"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME\fR) <UTF8 string>" 4
+.IX Item """tls-group-name"" (OSSL_CAPABILITY_TLS_GROUP_NAME) <UTF8 string>"
+The name of the group as given in the IANA TLS Supported Groups registry
<https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-parameters\-8>.
-.ie n .IP """tls-group-name-internal"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``tls-group-name-internal'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "tls-group-name-internal (OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL) <UTF8 string>"
+.IP """tls-group-name-internal"" (\fBOSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL\fR) <UTF8 string>" 4
+.IX Item """tls-group-name-internal"" (OSSL_CAPABILITY_TLS_GROUP_NAME_INTERNAL) <UTF8 string>"
The name of the group as known by the provider. This could be the same as the
-\&\*(L"tls-group-name\*(R", but does not have to be.
-.ie n .IP """tls-group-id"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_ID\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-group-id'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_ID\s0\fR) <unsigned integer>" 4
-.IX Item "tls-group-id (OSSL_CAPABILITY_TLS_GROUP_ID) <unsigned integer>"
-The \s-1TLS\s0 group id value as given in the \s-1IANA TLS\s0 Supported Groups registry.
-.ie n .IP """tls-group-alg"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_ALG\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``tls-group-alg'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_ALG\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "tls-group-alg (OSSL_CAPABILITY_TLS_GROUP_ALG) <UTF8 string>"
+"tls-group-name", but does not have to be.
+.IP """tls-group-id"" (\fBOSSL_CAPABILITY_TLS_GROUP_ID\fR) <unsigned integer>" 4
+.IX Item """tls-group-id"" (OSSL_CAPABILITY_TLS_GROUP_ID) <unsigned integer>"
+The TLS group id value as given in the IANA TLS Supported Groups registry.
+.Sp
+It is possible to register the same group id from within different
+providers. Users should note that if no property query is specified, or
+more than one implementation matches the property query then it is
+unspecified which implementation for a particular group id will be used.
+.IP """tls-group-alg"" (\fBOSSL_CAPABILITY_TLS_GROUP_ALG\fR) <UTF8 string>" 4
+.IX Item """tls-group-alg"" (OSSL_CAPABILITY_TLS_GROUP_ALG) <UTF8 string>"
The name of a Key Management algorithm that the provider offers and that should
be used with this group. Keys created should be able to support \fIkey exchange\fR
-or \fIkey encapsulation method\fR (\s-1KEM\s0), as implied by the optional
-\&\fB\s-1OSSL_CAPABILITY_TLS_GROUP_IS_KEM\s0\fR flag.
+or \fIkey encapsulation method\fR (KEM), as implied by the optional
+\&\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR flag.
The algorithm must support key and parameter generation as well as the
-key/parameter generation parameter, \fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR. The group
-name given via \*(L"tls-group-name-internal\*(R" above will be passed via
-\&\fB\s-1OSSL_PKEY_PARAM_GROUP_NAME\s0\fR when libssl wishes to generate keys/parameters.
-.ie n .IP """tls-group-sec-bits"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-group-sec-bits'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\s0\fR) <unsigned integer>" 4
-.IX Item "tls-group-sec-bits (OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS) <unsigned integer>"
+key/parameter generation parameter, \fBOSSL_PKEY_PARAM_GROUP_NAME\fR. The group
+name given via "tls-group-name-internal" above will be passed via
+\&\fBOSSL_PKEY_PARAM_GROUP_NAME\fR when libssl wishes to generate keys/parameters.
+.IP """tls-group-sec-bits"" (\fBOSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS\fR) <unsigned integer>" 4
+.IX Item """tls-group-sec-bits"" (OSSL_CAPABILITY_TLS_GROUP_SECURITY_BITS) <unsigned integer>"
The number of bits of security offered by keys in this group. The number of bits
-should be comparable with the ones given in table 2 and 3 of the \s-1NIST SP800\-57\s0
+should be comparable with the ones given in table 2 and 3 of the NIST SP800\-57
document.
-.ie n .IP """tls-group-is-kem"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_IS_KEM\s0\fR) <unsigned integer>" 4
-.el .IP "``tls-group-is-kem'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_IS_KEM\s0\fR) <unsigned integer>" 4
-.IX Item "tls-group-is-kem (OSSL_CAPABILITY_TLS_GROUP_IS_KEM) <unsigned integer>"
-Boolean flag to describe if the group should be used in \fIkey exchange\fR (\s-1KEX\s0)
-mode (0, default) or in \fIkey encapsulation method\fR (\s-1KEM\s0) mode (1).
+.IP """tls-group-is-kem"" (\fBOSSL_CAPABILITY_TLS_GROUP_IS_KEM\fR) <unsigned integer>" 4
+.IX Item """tls-group-is-kem"" (OSSL_CAPABILITY_TLS_GROUP_IS_KEM) <unsigned integer>"
+Boolean flag to describe if the group should be used in \fIkey exchange\fR (KEX)
+mode (0, default) or in \fIkey encapsulation method\fR (KEM) mode (1).
.Sp
-This parameter is optional: if not specified, \s-1KEX\s0 mode is assumed as the default
+This parameter is optional: if not specified, KEX mode is assumed as the default
mode for the group.
.Sp
-In \s-1KEX\s0 mode, in a typical Diffie-Hellman fashion, both sides execute \fIkeygen\fR
-then \fIderive\fR against the peer public key. To operate in \s-1KEX\s0 mode, the group
+In KEX mode, in a typical Diffie-Hellman fashion, both sides execute \fIkeygen\fR
+then \fIderive\fR against the peer public key. To operate in KEX mode, the group
implementation must support the provider functions as described in
\&\fBprovider\-keyexch\fR\|(7).
.Sp
-In \s-1KEM\s0 mode, the client executes \fIkeygen\fR and sends its public key, the server
+In KEM mode, the client executes \fIkeygen\fR and sends its public key, the server
executes \fIencapsulate\fR using the client's public key and sends back the
resulting \fIciphertext\fR, finally the client executes \fIdecapsulate\fR to retrieve
the same \fIshared secret\fR generated by the server's \fIencapsulate\fR. To operate
-in \s-1KEM\s0 mode, the group implementation must support the provider functions as
+in KEM mode, the group implementation must support the provider functions as
described in \fBprovider\-kem\fR\|(7).
.Sp
-Both in \s-1KEX\s0 and \s-1KEM\s0 mode, the resulting \fIshared secret\fR is then used according
+Both in KEX and KEM mode, the resulting \fIshared secret\fR is then used according
to the protocol specification.
-.ie n .IP """tls-min-tls"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MIN_TLS\s0\fR) <integer>" 4
-.el .IP "``tls-min-tls'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MIN_TLS\s0\fR) <integer>" 4
-.IX Item "tls-min-tls (OSSL_CAPABILITY_TLS_GROUP_MIN_TLS) <integer>"
+.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_TLS\fR) <integer>" 4
+.IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_GROUP_MIN_TLS) <integer>"
.PD 0
-.ie n .IP """tls-max-tls"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MAX_TLS\s0\fR) <integer>" 4
-.el .IP "``tls-max-tls'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MAX_TLS\s0\fR) <integer>" 4
-.IX Item "tls-max-tls (OSSL_CAPABILITY_TLS_GROUP_MAX_TLS) <integer>"
-.ie n .IP """tls-min-dtls"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\s0\fR) <integer>" 4
-.el .IP "``tls-min-dtls'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\s0\fR) <integer>" 4
-.IX Item "tls-min-dtls (OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS) <integer>"
-.ie n .IP """tls-max-dtls"" (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\s0\fR) <integer>" 4
-.el .IP "``tls-max-dtls'' (\fB\s-1OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\s0\fR) <integer>" 4
-.IX Item "tls-max-dtls (OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS) <integer>"
+.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_TLS\fR) <integer>" 4
+.IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_GROUP_MAX_TLS) <integer>"
+.IP """tls-min-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MIN_DTLS\fR) <integer>" 4
+.IX Item """tls-min-dtls"" (OSSL_CAPABILITY_TLS_GROUP_MIN_DTLS) <integer>"
+.IP """tls-max-dtls"" (\fBOSSL_CAPABILITY_TLS_GROUP_MAX_DTLS\fR) <integer>" 4
+.IX Item """tls-max-dtls"" (OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS) <integer>"
.PD
-These parameters can be used to describe the minimum and maximum \s-1TLS\s0 and \s-1DTLS\s0
+These parameters can be used to describe the minimum and maximum TLS and DTLS
versions supported by the group. The values equate to the on-the-wire encoding
-of the various \s-1TLS\s0 versions. For example TLSv1.3 is 0x0304 (772 decimal), and
+of the various TLS versions. For example TLSv1.3 is 0x0304 (772 decimal), and
TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that there is no defined minimum
or maximum. A \-1 indicates that the group should not be used in that protocol.
-.SH "EXAMPLES"
+.PP
+\fI"TLS-SIGALG" Capability\fR
+.IX Subsection """TLS-SIGALG"" Capability"
+.PP
+The "TLS-SIGALG" capability can be queried by libssl to discover the list of
+TLS signature algorithms that a provider can support. Each signature supported
+can be used for client\- or server-authentication in addition to the built-in
+signature algorithms.
+TLS1.3 clients can advertise the list of TLS signature algorithms they support
+in the signature_algorithms extension, and TLS servers can select an algorithm
+from the offered list that they also support. In this way a provider can add
+to the list of signature algorithms that libssl already supports with
+additional ones.
+.PP
+Each TLS signature algorithm that a provider supports should be described via
+the callback passed in through the provider_get_capabilities function. Each
+algorithm can have the following details supplied:
+.IP """iana-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_IANA_NAME\fR) <UTF8 string>" 4
+.IX Item """iana-name"" (OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME) <UTF8 string>"
+The name of the signature algorithm as given in the IANA TLS Signature Scheme
+registry as "Description":
+<https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-signaturescheme>.
+This value must be supplied.
+.IP """iana-code-point"" (\fBOSSL_CAPABILITY_TLS_SIGALG_CODE_POINT\fR) <unsigned integer>" 4
+.IX Item """iana-code-point"" (OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT) <unsigned integer>"
+The TLS algorithm ID value as given in the IANA TLS SignatureScheme registry.
+This value must be supplied.
+.Sp
+It is possible to register the same code point from within different
+providers. Users should note that if no property query is specified, or
+more than one implementation matches the property query then it is
+unspecified which implementation for a particular code point will be used.
+.IP """sigalg-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_NAME\fR) <UTF8 string>" 4
+.IX Item """sigalg-name"" (OSSL_CAPABILITY_TLS_SIGALG_NAME) <UTF8 string>"
+A name for the full (possibly composite hash-and-signature) signature
+algorithm.
+The provider may, but is not obligated to, provide a signature implementation
+with this name; if it doesn't, this is assumed to be a composite of a pure
+signature algorithm and a hash algorithm, which must be given with the
+parameters "sig-name" and "hash-name".
+This value must be supplied.
+.IP """sigalg-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_OID\fR) <UTF8 string>" 4
+.IX Item """sigalg-oid"" (OSSL_CAPABILITY_TLS_SIGALG_OID) <UTF8 string>"
+The OID of the "sigalg-name" algorithm in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "sigalg-name" parameter for its (short) name.
+Otherwise, it's assumed to already exist in the object database, possibly
+done by the provider with the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """sig-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_NAME\fR) <UTF8 string>" 4
+.IX Item """sig-name"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME) <UTF8 string>"
+The name of the pure signature algorithm that is part of a composite
+"sigalg-name". If "sigalg-name" is implemented by the provider, this
+parameter is redundant and must not be given.
+This value is optional.
+.IP """sig-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_OID\fR) <UTF8 string>" 4
+.IX Item """sig-oid"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_OID) <UTF8 string>"
+The OID of the "sig-name" algorithm in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "sig-name" parameter for its (short) name.
+Otherwise, it is assumed to already exist in the object database. This
+can be done by the provider using the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """hash-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_NAME\fR) <UTF8 string>" 4
+.IX Item """hash-name"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME) <UTF8 string>"
+The name of the hash algorithm that is part of a composite "sigalg-name".
+If "sigalg-name" is implemented by the provider, this parameter is redundant
+and must not be given.
+This value is optional.
+.IP """hash-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_OID\fR) <UTF8 string>" 4
+.IX Item """hash-oid"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_OID) <UTF8 string>"
+The OID of the "hash-name" algorithm in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "hash-name" parameter for its (short) name.
+Otherwise, it's assumed to already exist in the object database, possibly
+done by the provider with the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """key-type"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE\fR) <UTF8 string>" 4
+.IX Item """key-type"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE) <UTF8 string>"
+The key type of the public key of applicable certificates. If this parameter
+isn't present, it's assumed to be the same as "sig-name" if that's present,
+otherwise "sigalg-name".
+This value is optional.
+.IP """key-type-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID\fR) <UTF8 string>" 4
+.IX Item """key-type-oid"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID) <UTF8 string>"
+The OID of the "key-type" in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "key-type" parameter for its (short) name.
+Otherwise, it's assumed to already exist in the object database, possibly
+done by the provider with the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """sec-bits"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS\fR) <unsigned integer>" 4
+.IX Item """sec-bits"" (OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS) <unsigned integer>"
+The number of bits of security offered by keys of this algorithm. The number
+of bits should be comparable with the ones given in table 2 and 3 of the NIST
+SP800\-57 document. This number is used to determine the security strength of
+the algorithm if no digest algorithm has been registered that otherwise
+defines the security strength. If the signature algorithm implements its own
+digest internally, this value needs to be set to properly reflect the overall
+security strength.
+This value must be supplied.
+.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_TLS\fR) <integer>" 4
+.IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS) <integer>"
+.PD 0
+.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_TLS\fR) <integer>" 4
+.IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS) <integer>"
+.IP """tls-min-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS\fR) <integer>" 4
+.IX Item """tls-min-dtls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS) <integer>"
+.IP """tls-max-dtls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS\fR) <integer>" 4
+.IX Item """tls-max-dtls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS) <integer>"
+.PD
+These parameters can be used to describe the minimum and maximum TLS and DTLS
+versions supported by the signature algorithm. The values equate to the
+on-the-wire encoding of the various TLS versions. For example TLSv1.3 is
+0x0304 (772 decimal), and TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that
+there is no defined minimum or maximum. A \-1 in either the min or max field
+indicates that the signature algorithm should not be used in that protocol.
+Presently, provider signature algorithms are used only with TLS 1.3, if
+that's enclosed in the specified range.
+.SH NOTES
+.IX Header "NOTES"
+The \fBcore_obj_create()\fR and \fBcore_obj_add_sigid()\fR functions were not thread safe
+in OpenSSL 3.0.
+.SH EXAMPLES
.IX Header "EXAMPLES"
This is an example of a simple provider made available as a
dynamically loadable module.
@@ -745,7 +804,7 @@ operation \f(CW\*(C`BAR\*(C'\fR.
\&
\& static const OSSL_ITEM reasons[] = {
\& { E_MALLOC, "memory allocation failure" }.
-\& { 0, NULL } /* Termination */
+\& OSSL_DISPATCH_END
\& };
\&
\& /*
@@ -825,7 +884,7 @@ operation \f(CW\*(C`BAR\*(C'\fR.
\& { OSSL_FUNC_BAR_INIT, (void (*)(void))foo_init },
\& { OSSL_FUNC_BAR_UPDATE, (void (*)(void))foo_update },
\& { OSSL_FUNC_BAR_FINAL, (void (*)(void))foo_final },
-\& { 0, NULL }
+\& OSSL_DISPATCH_END
\& };
\&
\& static const OSSL_ALGORITHM bars[] = {
@@ -857,7 +916,7 @@ operation \f(CW\*(C`BAR\*(C'\fR.
\& { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown },
\& { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query },
\& { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, (void (*)(void))p_reasons },
-\& { 0, NULL }
+\& OSSL_DISPATCH_END
\& };
\&
\& int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
@@ -923,15 +982,21 @@ This relies on a few things existing in \fIopenssl/core_dispatch.h\fR:
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The concept of providers and everything surrounding them was
introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.PP
+Definitions for
+\&\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_DTLS\fR
+and
+\&\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_DTLS\fR
+were added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-cipher.7 b/secure/lib/libcrypto/man/man7/provider-cipher.7
index ade5ddc28cdb..f89c6515c3f2 100644
--- a/secure/lib/libcrypto/man/man7/provider-cipher.7
+++ b/secure/lib/libcrypto/man/man7/provider-cipher.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-CIPHER 7ossl"
-.TH PROVIDER-CIPHER 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-CIPHER 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-cipher \- The cipher library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -162,6 +86,12 @@ provider\-cipher \- The cipher library <\-> provider functions
\& int OSSL_FUNC_cipher_decrypt_init(void *cctx, const unsigned char *key,
\& size_t keylen, const unsigned char *iv,
\& size_t ivlen, const OSSL_PARAM params[]);
+\& int OSSL_FUNC_cipher_encrypt_skey_init(void *cctx, void *skeydata,
+\& const unsigned char *iv, size_t ivlen,
+\& const OSSL_PARAM params[]);
+\& int OSSL_FUNC_cipher_encrypt_skey_init(void *cctx, void *skeydata,
+\& const unsigned char *iv, size_t ivlen,
+\& const OSSL_PARAM params[]);
\& int OSSL_FUNC_cipher_update(void *cctx, unsigned char *out, size_t *outl,
\& size_t outsize, const unsigned char *in, size_t inl);
\& int OSSL_FUNC_cipher_final(void *cctx, unsigned char *out, size_t *outl,
@@ -169,6 +99,23 @@ provider\-cipher \- The cipher library <\-> provider functions
\& int OSSL_FUNC_cipher_cipher(void *cctx, unsigned char *out, size_t *outl,
\& size_t outsize, const unsigned char *in, size_t inl);
\&
+\& /* Encryption/decryption using cipher pipeline */
+\& int OSSL_FUNC_cipher_pipeline_encrypt_init(void *cctx, const unsigned char *key,
+\& size_t keylen, size_t numpipes,
+\& const unsigned char **iv, size_t ivlen,
+\& const OSSL_PARAM params[]))
+\& int OSSL_FUNC_cipher_pipeline_decrypt_init(void *cctx, const unsigned char *key,
+\& size_t keylen, size_t numpipes,
+\& const unsigned char **iv, size_t ivlen,
+\& const OSSL_PARAM params[]))
+\& int OSSL_FUNC_cipher_pipeline_update(void *cctx, size_t numpipes,
+\& unsigned char **out, size_t *outl,
+\& const size_t *outsize,
+\& const unsigned char **in, const size_t *inl))
+\& int OSSL_FUNC_cipher_pipeline_final(void *cctx, size_t numpipes,
+\& unsigned char **out, size_t *outl,
+\& const size_t *outsize))
+\&
\& /* Cipher parameter descriptors */
\& const OSSL_PARAM *OSSL_FUNC_cipher_gettable_params(void *provctx);
\&
@@ -185,27 +132,27 @@ provider\-cipher \- The cipher library <\-> provider functions
\& int OSSL_FUNC_cipher_get_ctx_params(void *cctx, OSSL_PARAM params[]);
\& int OSSL_FUNC_cipher_set_ctx_params(void *cctx, const OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The \s-1CIPHER\s0 operation enables providers to implement cipher algorithms and make
-them available to applications via the \s-1API\s0 functions \fBEVP_EncryptInit_ex\fR\|(3),
+The CIPHER operation enables providers to implement cipher algorithms and make
+them available to applications via the API functions \fBEVP_EncryptInit_ex\fR\|(3),
\&\fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_EncryptFinal\fR\|(3) (as well as the decrypt
equivalents and other related functions).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_cipher_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_cipher_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_cipher_newctx_fn)(void *provctx);
@@ -213,35 +160,43 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_cipher_newctx()\fR has these:
\& OSSL_FUNC_cipher_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
-\& OSSL_FUNC_cipher_newctx OSSL_FUNC_CIPHER_NEWCTX
-\& OSSL_FUNC_cipher_freectx OSSL_FUNC_CIPHER_FREECTX
-\& OSSL_FUNC_cipher_dupctx OSSL_FUNC_CIPHER_DUPCTX
+\& OSSL_FUNC_cipher_newctx OSSL_FUNC_CIPHER_NEWCTX
+\& OSSL_FUNC_cipher_freectx OSSL_FUNC_CIPHER_FREECTX
+\& OSSL_FUNC_cipher_dupctx OSSL_FUNC_CIPHER_DUPCTX
\&
-\& OSSL_FUNC_cipher_encrypt_init OSSL_FUNC_CIPHER_ENCRYPT_INIT
-\& OSSL_FUNC_cipher_decrypt_init OSSL_FUNC_CIPHER_DECRYPT_INIT
-\& OSSL_FUNC_cipher_update OSSL_FUNC_CIPHER_UPDATE
-\& OSSL_FUNC_cipher_final OSSL_FUNC_CIPHER_FINAL
-\& OSSL_FUNC_cipher_cipher OSSL_FUNC_CIPHER_CIPHER
+\& OSSL_FUNC_cipher_encrypt_init OSSL_FUNC_CIPHER_ENCRYPT_INIT
+\& OSSL_FUNC_cipher_decrypt_init OSSL_FUNC_CIPHER_DECRYPT_INIT
+\& OSSL_FUNC_cipher_encrypt_skey_init OSSL_FUNC_CIPHER_ENCRYPT_SKEY_INIT
+\& OSSL_FUNC_cipher_decrypt_skey_init OSSL_FUNC_CIPHER_DECRYPT_SKEY_INIT
+\& OSSL_FUNC_cipher_update OSSL_FUNC_CIPHER_UPDATE
+\& OSSL_FUNC_cipher_final OSSL_FUNC_CIPHER_FINAL
+\& OSSL_FUNC_cipher_cipher OSSL_FUNC_CIPHER_CIPHER
\&
-\& OSSL_FUNC_cipher_get_params OSSL_FUNC_CIPHER_GET_PARAMS
-\& OSSL_FUNC_cipher_get_ctx_params OSSL_FUNC_CIPHER_GET_CTX_PARAMS
-\& OSSL_FUNC_cipher_set_ctx_params OSSL_FUNC_CIPHER_SET_CTX_PARAMS
+\& OSSL_FUNC_cipher_pipeline_encrypt_init OSSL_FUNC_CIPHER_PIPELINE_ENCRYPT_INIT
+\& OSSL_FUNC_cipher_pipeline_decrypt_init OSSL_FUNC_CIPHER_PIPELINE_DECRYPT_INIT
+\& OSSL_FUNC_cipher_pipeline_update OSSL_FUNC_CIPHER_PIPELINE_UPDATE
+\& OSSL_FUNC_cipher_pipeline_final OSSL_FUNC_CIPHER_PIPELINE_FINAL
\&
-\& OSSL_FUNC_cipher_gettable_params OSSL_FUNC_CIPHER_GETTABLE_PARAMS
-\& OSSL_FUNC_cipher_gettable_ctx_params OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS
-\& OSSL_FUNC_cipher_settable_ctx_params OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS
+\& OSSL_FUNC_cipher_get_params OSSL_FUNC_CIPHER_GET_PARAMS
+\& OSSL_FUNC_cipher_get_ctx_params OSSL_FUNC_CIPHER_GET_CTX_PARAMS
+\& OSSL_FUNC_cipher_set_ctx_params OSSL_FUNC_CIPHER_SET_CTX_PARAMS
+\&
+\& OSSL_FUNC_cipher_gettable_params OSSL_FUNC_CIPHER_GETTABLE_PARAMS
+\& OSSL_FUNC_cipher_gettable_ctx_params OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS
+\& OSSL_FUNC_cipher_settable_ctx_params OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS
.Ve
.PP
A cipher algorithm implementation may not implement all of these functions.
In order to be a consistent set of functions there must at least be a complete
-set of \*(L"encrypt\*(R" functions, or a complete set of \*(L"decrypt\*(R" functions, or a
-single \*(L"cipher\*(R" function.
-In all cases both the OSSL_FUNC_cipher_newctx and OSSL_FUNC_cipher_freectx functions must be
-present.
+set of "encrypt" functions, or a complete set of "decrypt" functions, or a
+single "cipher" function. Similarly, there can be a complete set of pipeline
+"encrypt" functions, and/or a complete set of pipeline "decrypt" functions.
+In all cases the OSSL_FUNC_cipher_get_params and both OSSL_FUNC_cipher_newctx
+and OSSL_FUNC_cipher_freectx functions must be present.
All other functions are optional.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
@@ -263,12 +218,17 @@ This function should free any resources associated with that context.
\&\fBOSSL_FUNC_cipher_encrypt_init()\fR initialises a cipher operation for encryption given a
newly created provider side cipher context in the \fIcctx\fR parameter.
The key to be used is given in \fIkey\fR which is \fIkeylen\fR bytes long.
-The \s-1IV\s0 to be used is given in \fIiv\fR which is \fIivlen\fR bytes long.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The IV to be used is given in \fIiv\fR which is \fIivlen\fR bytes long.
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_cipher_set_ctx_params()\fR.
.PP
-\&\fBOSSL_FUNC_cipher_decrypt_init()\fR is the same as \fBOSSL_FUNC_cipher_encrypt_init()\fR except that it
-initialises the context for a decryption operation.
+\&\fBOSSL_FUNC_cipher_decrypt_init()\fR is the same as \fBOSSL_FUNC_cipher_encrypt_init()\fR
+except that it initialises the context for a decryption operation.
+.PP
+\&\fBOSSL_FUNC_cipher_encrypt_skey_init()\fR and
+\&\fBOSSL_FUNC_cipher_decrypt_skey_init()\fR are variants of
+\&\fBOSSL_FUNC_cipher_encrypt_init()\fR and \fBOSSL_FUNC_cipher_decrypt_init()\fR for working with
+opaque objects containing provider-specific key handles instead of raw bytes.
.PP
\&\fBOSSL_FUNC_cipher_update()\fR is called to supply data to be encrypted/decrypted as part of
a previously initialised cipher operation.
@@ -283,9 +243,13 @@ It is the responsibility of the cipher implementation to handle input lengths
that are not multiples of the block length.
In such cases a cipher implementation will typically cache partial blocks of
input data until a complete block is obtained.
-\&\fIout\fR may be the same location as \fIin\fR but it should not partially overlap.
-The same expectations apply to \fIoutsize\fR as documented for
-\&\fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3).
+The pointers \fIout\fR and \fIin\fR may point to the same location, in which
+case the encryption must be done in-place. If \fIout\fR and \fIin\fR point to different
+locations, the requirements of \fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3)
+guarantee that the two buffers are disjoint.
+Similarly, the requirements of \fBEVP_EncryptUpdate\fR\|(3) and \fBEVP_DecryptUpdate\fR\|(3)
+ensure that the buffer pointed to by \fIout\fR contains sufficient room for the
+operation being performed.
.PP
\&\fBOSSL_FUNC_cipher_final()\fR completes an encryption or decryption started through previous
\&\fBOSSL_FUNC_cipher_encrypt_init()\fR or \fBOSSL_FUNC_cipher_decrypt_init()\fR, and \fBOSSL_FUNC_cipher_update()\fR
@@ -309,9 +273,19 @@ in length.
The output from the encryption/decryption should be stored in \fIout\fR and the
amount of data stored should be put in \fI*outl\fR which should be no more than
\&\fIoutsize\fR bytes.
+.PP
+\&\fBOSSL_FUNC_cipher_pipeline_encrypt_init()\fR, \fBOSSL_FUNC_cipher_pipeline_decrypt_init()\fR
+\&\fBOSSL_FUNC_cipher_pipeline_update()\fR, and \fBOSSL_FUNC_cipher_pipeline_final()\fR are similar to
+the non-pipeline variants, but are used when the application is using cipher pipelining.
+The \fInumpipes\fR parameter is the number of pipes in the pipeline. The \fIiv\fR parameter
+is an array of buffers with IVs, each \fIivlen\fR bytes long. The \fIin\fR and \fIout\fR are
+arrays of buffer pointers. The \fIinl\fR and \fIoutl\fR, \fIoutsize\fR are arrays of size_t
+representing corresponding buffer length as similar to the non-pipeline variants.
+All arrays are of length \fInumpipes\fR. See \fBEVP_CipherPipelineEncryptInit\fR\|(3) for more
+information.
.SS "Cipher Parameters"
.IX Subsection "Cipher Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
these functions.
.PP
\&\fBOSSL_FUNC_cipher_get_params()\fR gets details of the algorithm implementation
@@ -320,56 +294,63 @@ and stores them in \fIparams\fR.
\&\fBOSSL_FUNC_cipher_set_ctx_params()\fR sets cipher operation parameters for the
provider side cipher context \fIcctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_cipher_get_ctx_params()\fR gets cipher operation details details from
the given provider side cipher context \fIcctx\fR and stores them in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_cipher_gettable_params()\fR, \fBOSSL_FUNC_cipher_gettable_ctx_params()\fR,
-and \fBOSSL_FUNC_cipher_settable_ctx_params()\fR all return constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+and \fBOSSL_FUNC_cipher_settable_ctx_params()\fR all return constant \fBOSSL_PARAM\fR\|(3)
arrays as descriptors of the parameters that \fBOSSL_FUNC_cipher_get_params()\fR,
\&\fBOSSL_FUNC_cipher_get_ctx_params()\fR, and \fBOSSL_FUNC_cipher_set_ctx_params()\fR
can handle, respectively. \fBOSSL_FUNC_cipher_gettable_ctx_params()\fR and
\&\fBOSSL_FUNC_cipher_settable_ctx_params()\fR will return the parameters associated
with the provider side context \fIcctx\fR in its current state if it is
-not \s-1NULL.\s0 Otherwise, they return the parameters associated with the
+not NULL. Otherwise, they return the parameters associated with the
provider side algorithm \fIprovctx\fR.
.PP
Parameters currently recognised by built-in ciphers are listed in
-\&\*(L"\s-1PARAMETERS\*(R"\s0 in \fBEVP_EncryptInit\fR\|(3).
+"PARAMETERS" in \fBEVP_EncryptInit\fR\|(3).
Not all parameters are relevant to, or are understood by all ciphers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_cipher_newctx()\fR and \fBOSSL_FUNC_cipher_dupctx()\fR should return the newly created
-provider side cipher context, or \s-1NULL\s0 on failure.
+provider side cipher context, or NULL on failure.
.PP
\&\fBOSSL_FUNC_cipher_encrypt_init()\fR, \fBOSSL_FUNC_cipher_decrypt_init()\fR, \fBOSSL_FUNC_cipher_update()\fR,
-\&\fBOSSL_FUNC_cipher_final()\fR, \fBOSSL_FUNC_cipher_cipher()\fR, \fBOSSL_FUNC_cipher_get_params()\fR,
-\&\fBOSSL_FUNC_cipher_get_ctx_params()\fR and \fBOSSL_FUNC_cipher_set_ctx_params()\fR should return 1 for
+\&\fBOSSL_FUNC_cipher_final()\fR, \fBOSSL_FUNC_cipher_cipher()\fR,
+\&\fBOSSL_FUNC_cipher_encrypt_skey_init()\fR, \fBOSSL_FUNC_cipher_decrypt_skey_init()\fR,
+\&\fBOSSL_FUNC_cipher_pipeline_encrypt_init()\fR, \fBOSSL_FUNC_cipher_pipeline_decrypt_init()\fR,
+\&\fBOSSL_FUNC_cipher_pipeline_update()\fR, \fBOSSL_FUNC_cipher_pipeline_final()\fR,
+\&\fBOSSL_FUNC_cipher_get_params()\fR, \fBOSSL_FUNC_cipher_get_ctx_params()\fR and
+\&\fBOSSL_FUNC_cipher_set_ctx_params()\fR should return 1 for
success or 0 on error.
.PP
\&\fBOSSL_FUNC_cipher_gettable_params()\fR, \fBOSSL_FUNC_cipher_gettable_ctx_params()\fR and
-\&\fBOSSL_FUNC_cipher_settable_ctx_params()\fR should return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
-array, or \s-1NULL\s0 if none is offered.
+\&\fBOSSL_FUNC_cipher_settable_ctx_params()\fR should return a constant \fBOSSL_PARAM\fR\|(3)
+array, or NULL if none is offered.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7),
+\&\fBprovider\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7),
\&\fBOSSL_PROVIDER\-legacy\fR\|(7),
-\&\s-1\fBEVP_CIPHER\-AES\s0\fR\|(7), \s-1\fBEVP_CIPHER\-ARIA\s0\fR\|(7), \s-1\fBEVP_CIPHER\-BLOWFISH\s0\fR\|(7),
-\&\s-1\fBEVP_CIPHER\-CAMELLIA\s0\fR\|(7), \s-1\fBEVP_CIPHER\-CAST\s0\fR\|(7), \s-1\fBEVP_CIPHER\-CHACHA\s0\fR\|(7),
-\&\s-1\fBEVP_CIPHER\-DES\s0\fR\|(7), \s-1\fBEVP_CIPHER\-IDEA\s0\fR\|(7), \s-1\fBEVP_CIPHER\-RC2\s0\fR\|(7),
-\&\s-1\fBEVP_CIPHER\-RC4\s0\fR\|(7), \s-1\fBEVP_CIPHER\-RC5\s0\fR\|(7), \s-1\fBEVP_CIPHER\-SEED\s0\fR\|(7),
-\&\s-1\fBEVP_CIPHER\-SM4\s0\fR\|(7), \s-1\fBEVP_CIPHER\-NULL\s0\fR\|(7),
+\&\fBEVP_CIPHER\-AES\fR\|(7), \fBEVP_CIPHER\-ARIA\fR\|(7), \fBEVP_CIPHER\-BLOWFISH\fR\|(7),
+\&\fBEVP_CIPHER\-CAMELLIA\fR\|(7), \fBEVP_CIPHER\-CAST\fR\|(7), \fBEVP_CIPHER\-CHACHA\fR\|(7),
+\&\fBEVP_CIPHER\-DES\fR\|(7), \fBEVP_CIPHER\-IDEA\fR\|(7), \fBEVP_CIPHER\-RC2\fR\|(7),
+\&\fBEVP_CIPHER\-RC4\fR\|(7), \fBEVP_CIPHER\-RC5\fR\|(7), \fBEVP_CIPHER\-SEED\fR\|(7),
+\&\fBEVP_CIPHER\-SM4\fR\|(7), \fBEVP_CIPHER\-NULL\fR\|(7),
\&\fBlife_cycle\-cipher\fR\|(7), \fBEVP_EncryptInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1CIPHER\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider CIPHER interface was introduced in OpenSSL 3.0.
+.PP
+The \fBOSSL_FUNC_cipher_encrypt_skey_init()\fR and
+\&\fBOSSL_FUNC_cipher_decrypt_skey_init()\fR were introduced in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-decoder.7 b/secure/lib/libcrypto/man/man7/provider-decoder.7
index fc37d6066958..e6361c2f4cc1 100644
--- a/secure/lib/libcrypto/man/man7/provider-decoder.7
+++ b/secure/lib/libcrypto/man/man7/provider-decoder.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-DECODER 7ossl"
-.TH PROVIDER-DECODER 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-DECODER 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-decoder \- The OSSL_DECODER library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
@@ -174,44 +98,44 @@ provider\-decoder \- The OSSL_DECODER library <\-> provider functions
\& OSSL_CALLBACK *export_cb,
\& void *export_cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fIThe term \*(L"decode\*(R" is used throughout this manual. This includes but is
+\&\fIThe term "decode" is used throughout this manual. This includes but is
not limited to deserialization as individual decoders can also do
decoding into intermediate data formats.\fR
.PP
-The \s-1DECODER\s0 operation is a generic method to create a provider-native
+The DECODER operation is a generic method to create a provider-native
object reference or intermediate decoded data from an encoded form
-read from the given \fB\s-1OSSL_CORE_BIO\s0\fR. If the caller wants to decode
-data from memory, it should provide a \fBBIO_s_mem\fR\|(3) \fB\s-1BIO\s0\fR. The decoded
+read from the given \fBOSSL_CORE_BIO\fR. If the caller wants to decode
+data from memory, it should provide a \fBBIO_s_mem\fR\|(3) \fBBIO\fR. The decoded
data or object reference is passed along with eventual metadata
-to the \fImetadata_cb\fR as \s-1\fBOSSL_PARAM\s0\fR\|(3) parameters.
+to the \fImetadata_cb\fR as \fBOSSL_PARAM\fR\|(3) parameters.
.PP
-The decoder doesn't need to know more about the \fB\s-1OSSL_CORE_BIO\s0\fR
-pointer than being able to pass it to the appropriate \s-1BIO\s0 upcalls (see
-\&\*(L"Core functions\*(R" in \fBprovider\-base\fR\|(7)).
+The decoder doesn't need to know more about the \fBOSSL_CORE_BIO\fR
+pointer than being able to pass it to the appropriate BIO upcalls (see
+"Core functions" in \fBprovider\-base\fR\|(7)).
.PP
-The \s-1DECODER\s0 implementation may be part of a chain, where data is
+The DECODER implementation may be part of a chain, where data is
passed from one to the next. For example, there may be an
-implementation to decode an object from \s-1PEM\s0 to \s-1DER,\s0 and another one
-that decodes \s-1DER\s0 to a provider-native object.
+implementation to decode an object from PEM to DER, and another one
+that decodes DER to a provider-native object.
.PP
The last decoding step in the decoding chain is usually supposed to create
a provider-native object referenced by an object reference. To import
that object into a different provider the \fBOSSL_FUNC_decoder_export_object()\fR
can be called as the final step of the decoding process.
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_decoder_decode()\fR has these:
+For example, the "function" \fBOSSL_FUNC_decoder_decode()\fR has these:
.PP
.Vb 7
\& typedef int
@@ -223,7 +147,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_decoder_decode()\fR has these:
\& OSSL_FUNC_decoder_decode(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 2
@@ -244,12 +168,14 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.SS "Names and properties"
.IX Subsection "Names and properties"
The name of an implementation should match the target type of object
-it decodes. For example, an implementation that decodes an \s-1RSA\s0 key
-should be named \*(L"\s-1RSA\*(R".\s0 Likewise, an implementation that decodes \s-1DER\s0 data
-from \s-1PEM\s0 input should be named \*(L"\s-1DER\*(R".\s0
+it decodes. For example, an implementation that decodes an RSA key
+should be named "RSA". Likewise, an implementation that decodes DER data
+from PEM input should be named "DER".
.PP
-Properties can be used to further specify details about an implementation:
-.IP "input" 4
+Properties, as defined in the \fBOSSL_ALGORITHM\fR\|(3) array element of each
+decoder implementation, can be used to further specify details about an
+implementation:
+.IP input 4
.IX Item "input"
This property is used to specify what format of input the implementation
can decode.
@@ -258,22 +184,22 @@ This property is \fImandatory\fR.
.Sp
OpenSSL providers recognize the following input types:
.RS 4
-.IP "pem" 4
+.IP pem 4
.IX Item "pem"
-An implementation with that input type decodes \s-1PEM\s0 formatted data.
-.IP "der" 4
+An implementation with that input type decodes PEM formatted data.
+.IP der 4
.IX Item "der"
-An implementation with that input type decodes \s-1DER\s0 formatted data.
-.IP "msblob" 4
+An implementation with that input type decodes DER formatted data.
+.IP msblob 4
.IX Item "msblob"
-An implementation with that input type decodes \s-1MSBLOB\s0 formatted data.
-.IP "pvk" 4
+An implementation with that input type decodes MSBLOB formatted data.
+.IP pvk 4
.IX Item "pvk"
-An implementation with that input type decodes \s-1PVK\s0 formatted data.
+An implementation with that input type decodes PVK formatted data.
.RE
.RS 4
.RE
-.IP "structure" 4
+.IP structure 4
.IX Item "structure"
This property is used to specify the structure that the decoded data is
expected to have.
@@ -282,18 +208,15 @@ This property is \fIoptional\fR.
.Sp
Structures currently recognised by built-in decoders:
.RS 4
-.ie n .IP """type-specific""" 4
-.el .IP "``type-specific''" 4
-.IX Item "type-specific"
+.IP """type-specific""" 4
+.IX Item """type-specific"""
Type specific structure.
-.ie n .IP """pkcs8""" 4
-.el .IP "``pkcs8''" 4
-.IX Item "pkcs8"
+.IP """pkcs8""" 4
+.IX Item """pkcs8"""
Structure according to the PKCS#8 specification.
-.ie n .IP """SubjectPublicKeyInfo""" 4
-.el .IP "``SubjectPublicKeyInfo''" 4
-.IX Item "SubjectPublicKeyInfo"
-Encoding of public keys according to the Subject Public Key Info of \s-1RFC 5280.\s0
+.IP """SubjectPublicKeyInfo""" 4
+.IX Item """SubjectPublicKeyInfo"""
+Encoding of public keys according to the Subject Public Key Info of RFC 5280.
.RE
.RS 4
.RE
@@ -309,8 +232,8 @@ be decoded, with a set of bits \fIselection\fR that are passed in an \fBint\fR.
.PP
This set of bits depend entirely on what kind of provider-side object is
to be decoded. For example, those bits are assumed to be the same as those
-used with \fBprovider\-keymgmt\fR\|(7) (see \*(L"Key Objects\*(R" in \fBprovider\-keymgmt\fR\|(7)) when
-the object is an asymmetric keypair \- e.g., \fB\s-1OSSL_KEYMGMT_SELECT_PRIVATE_KEY\s0\fR
+used with \fBprovider\-keymgmt\fR\|(7) (see "Key Objects" in \fBprovider\-keymgmt\fR\|(7)) when
+the object is an asymmetric keypair \- e.g., \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR
if the object to be decoded is supposed to contain private key components.
.PP
\&\fBOSSL_FUNC_decoder_does_selection()\fR should tell if a particular implementation
@@ -326,13 +249,13 @@ the functions.
\&\fBOSSL_FUNC_decoder_set_ctx_params()\fR sets context data according to parameters
from \fIparams\fR that it recognises. Unrecognised parameters should be
ignored.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
-\&\fBOSSL_FUNC_decoder_settable_ctx_params()\fR returns a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+\&\fBOSSL_FUNC_decoder_settable_ctx_params()\fR returns a constant \fBOSSL_PARAM\fR\|(3)
array describing the parameters that \fBOSSL_FUNC_decoder_set_ctx_params()\fR
can handle.
.PP
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
\&\fBOSSL_FUNC_decoder_set_ctx_params()\fR and \fBOSSL_FUNC_decoder_settable_ctx_params()\fR.
.SS "Export function"
.IX Subsection "Export function"
@@ -342,17 +265,17 @@ exporting the object into that foreign provider if the foreign provider
supports the type of the object and provides an import function.
.PP
\&\fBOSSL_FUNC_decoder_export_object()\fR should export the object of size \fIobjref_sz\fR
-referenced by \fIobjref\fR as an \s-1\fBOSSL_PARAM\s0\fR\|(3) array and pass that into the
+referenced by \fIobjref\fR as an \fBOSSL_PARAM\fR\|(3) array and pass that into the
\&\fIexport_cb\fR as well as the given \fIexport_cbarg\fR.
.SS "Decoding functions"
.IX Subsection "Decoding functions"
\&\fBOSSL_FUNC_decoder_decode()\fR should decode the data as read from
-the \fB\s-1OSSL_CORE_BIO\s0\fR \fIin\fR to produce decoded data or an object to be
-passed as reference in an \s-1\fBOSSL_PARAM\s0\fR\|(3) array along with possible other
-metadata that was decoded from the input. This \s-1\fBOSSL_PARAM\s0\fR\|(3) array is
+the \fBOSSL_CORE_BIO\fR \fIin\fR to produce decoded data or an object to be
+passed as reference in an \fBOSSL_PARAM\fR\|(3) array along with possible other
+metadata that was decoded from the input. This \fBOSSL_PARAM\fR\|(3) array is
then passed to the \fIdata_cb\fR callback. The \fIselection\fR bits,
if relevant, should determine what the input data should contain.
-The decoding functions also take an \s-1\fBOSSL_PASSPHRASE_CALLBACK\s0\fR\|(3) function
+The decoding functions also take an \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function
pointer along with a pointer to application data \fIcbarg\fR, which should be
used when a pass phrase prompt is needed.
.PP
@@ -360,7 +283,7 @@ It's important to understand that the return value from this function is
interpreted as follows:
.IP "True (1)" 4
.IX Item "True (1)"
-This means \*(L"carry on the decoding process\*(R", and is meaningful even though
+This means "carry on the decoding process", and is meaningful even though
this function couldn't decode the input into anything, because there may be
another decoder implementation that can decode it into something.
.Sp
@@ -368,7 +291,7 @@ The \fIdata_cb\fR callback should never be called when this function can't
decode the input into anything.
.IP "False (0)" 4
.IX Item "False (0)"
-This means \*(L"stop the decoding process\*(R", and is meaningful when the input
+This means "stop the decoding process", and is meaningful when the input
could be decoded into some sort of object that this function understands,
but further treatment of that object results into errors that won't be
possible for some other decoder implementation to get a different result.
@@ -381,22 +304,21 @@ There are currently no operation parameters currently recognised by the
built-in decoders.
.PP
Parameters currently recognised by the built-in pass phrase callback:
-.ie n .IP """info"" (\fB\s-1OSSL_PASSPHRASE_PARAM_INFO\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_PASSPHRASE_PARAM_INFO\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "info (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>"
+.IP """info"" (\fBOSSL_PASSPHRASE_PARAM_INFO\fR) <UTF8 string>" 4
+.IX Item """info"" (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>"
A string of information that will become part of the pass phrase
prompt. This could be used to give the user information on what kind
of object it's being prompted for.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_FUNC_decoder_newctx()\fR returns a pointer to a context, or \s-1NULL\s0 on
+\&\fBOSSL_FUNC_decoder_newctx()\fR returns a pointer to a context, or NULL on
failure.
.PP
\&\fBOSSL_FUNC_decoder_set_ctx_params()\fR returns 1, unless a recognised
parameter was invalid or caused an error, for which 0 is returned.
.PP
\&\fBOSSL_FUNC_decoder_settable_ctx_params()\fR returns a pointer to an array of
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) elements.
+constant \fBOSSL_PARAM\fR\|(3) elements.
.PP
\&\fBOSSL_FUNC_decoder_does_selection()\fR returns 1 if the decoder implementation
supports any of the \fIselection\fR bits, otherwise 0.
@@ -406,14 +328,14 @@ should continue, or 0 to signal that it should stop.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1DECODER\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The DECODER interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-digest.7 b/secure/lib/libcrypto/man/man7/provider-digest.7
index ecb25762cc4f..40eed947f3d7 100644
--- a/secure/lib/libcrypto/man/man7/provider-digest.7
+++ b/secure/lib/libcrypto/man/man7/provider-digest.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-DIGEST 7ossl"
-.TH PROVIDER-DIGEST 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-DIGEST 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-digest \- The digest library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -153,6 +77,7 @@ provider\-digest \- The digest library <\-> provider functions
\& void *OSSL_FUNC_digest_newctx(void *provctx);
\& void OSSL_FUNC_digest_freectx(void *dctx);
\& void *OSSL_FUNC_digest_dupctx(void *dctx);
+\& void OSSL_FUNC_digest_copyctx(void *voutctx, void *vinctx);
\&
\& /* Digest generation */
\& int OSSL_FUNC_digest_init(void *dctx, const OSSL_PARAM params[]);
@@ -178,26 +103,26 @@ provider\-digest \- The digest library <\-> provider functions
\& int OSSL_FUNC_digest_set_ctx_params(void *dctx, const OSSL_PARAM params[]);
\& int OSSL_FUNC_digest_get_ctx_params(void *dctx, OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The \s-1DIGEST\s0 operation enables providers to implement digest algorithms and make
-them available to applications via the \s-1API\s0 functions \fBEVP_DigestInit_ex\fR\|(3),
+The DIGEST operation enables providers to implement digest algorithms and make
+them available to applications via the API functions \fBEVP_DigestInit_ex\fR\|(3),
\&\fBEVP_DigestUpdate\fR\|(3) and \fBEVP_DigestFinal\fR\|(3) (and other related functions).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_digest_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_digest_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_digest_newctx_fn)(void *provctx);
@@ -205,13 +130,14 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_digest_newctx()\fR has these:
\& OSSL_FUNC_digest_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
-.Vb 3
+.Vb 4
\& OSSL_FUNC_digest_newctx OSSL_FUNC_DIGEST_NEWCTX
\& OSSL_FUNC_digest_freectx OSSL_FUNC_DIGEST_FREECTX
\& OSSL_FUNC_digest_dupctx OSSL_FUNC_DIGEST_DUPCTX
+\& OSSL_FUNC_digest_copyctx OSSL_FUNC_DIGEST_COPYCTX
\&
\& OSSL_FUNC_digest_init OSSL_FUNC_DIGEST_INIT
\& OSSL_FUNC_digest_update OSSL_FUNC_DIGEST_UPDATE
@@ -229,7 +155,8 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
A digest algorithm implementation may not implement all of these functions.
In order to be usable all or none of OSSL_FUNC_digest_newctx, OSSL_FUNC_digest_freectx,
-OSSL_FUNC_digest_init, OSSL_FUNC_digest_update and OSSL_FUNC_digest_final should be implemented.
+OSSL_FUNC_digest_init, OSSL_FUNC_digest_update, OSSL_FUNC_digest_final
+and OSSL_FUNC_digest_get_params should be implemented.
All other functions are optional.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
@@ -246,11 +173,19 @@ This function should free any resources associated with that context.
.PP
\&\fBOSSL_FUNC_digest_dupctx()\fR should duplicate the provider side digest context in the
\&\fIdctx\fR parameter and return the duplicate copy.
+.PP
+\&\fBOSSL_FUNC_digest_copyctx()\fR should copy the provider side digest context in the
+\&\fIvinctx\fR parameter to the \fIvoutctx\fR parameter which is the another provider side
+context.
+The OSSL_FUNC_digest_copyctx function is used in the EVP_MD_CTX_copy_ex function to
+speed up HMAC operations in the PBKDF2.
+This function is optional, and dupctx will be used if there is no EVP_MD_CTX_copy_ex
+function.
.SS "Digest Generation Functions"
.IX Subsection "Digest Generation Functions"
\&\fBOSSL_FUNC_digest_init()\fR initialises a digest operation given a newly created
provider side digest context in the \fIdctx\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_digest_set_ctx_params()\fR.
.PP
\&\fBOSSL_FUNC_digest_update()\fR is called to supply data to be digested as part of a
@@ -268,7 +203,7 @@ The digest should be written to \fI*out\fR and the length of the digest to
\&\fI*outl\fR.
The digest should not exceed \fIoutsz\fR bytes.
.PP
-\&\fBOSSL_FUNC_digest_digest()\fR is a \*(L"oneshot\*(R" digest function.
+\&\fBOSSL_FUNC_digest_digest()\fR is a "oneshot" digest function.
No provider side digest context is used.
Instead the provider context that was created during provider initialisation is
passed in the \fIprovctx\fR parameter (see \fBprovider\fR\|(7)).
@@ -277,7 +212,7 @@ passed in the \fIprovctx\fR parameter (see \fBprovider\fR\|(7)).
exceed \fIoutsz\fR bytes.
.SS "Digest Parameters"
.IX Subsection "Digest Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
these functions.
.PP
\&\fBOSSL_FUNC_digest_get_params()\fR gets details of the algorithm implementation
@@ -286,69 +221,65 @@ and stores them in \fIparams\fR.
\&\fBOSSL_FUNC_digest_set_ctx_params()\fR sets digest operation parameters for the
provider side digest context \fIdctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_digest_get_ctx_params()\fR gets digest operation details details from
the given provider side digest context \fIdctx\fR and stores them in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
-\&\fBOSSL_FUNC_digest_gettable_params()\fR returns a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array
+\&\fBOSSL_FUNC_digest_gettable_params()\fR returns a constant \fBOSSL_PARAM\fR\|(3) array
containing descriptors of the parameters that \fBOSSL_FUNC_digest_get_params()\fR
can handle.
.PP
\&\fBOSSL_FUNC_digest_gettable_ctx_params()\fR and
\&\fBOSSL_FUNC_digest_settable_ctx_params()\fR both return constant
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) arrays as descriptors of the parameters that
+\&\fBOSSL_PARAM\fR\|(3) arrays as descriptors of the parameters that
\&\fBOSSL_FUNC_digest_get_ctx_params()\fR and \fBOSSL_FUNC_digest_set_ctx_params()\fR
can handle, respectively. The array is based on the current state of
-the provider side context if \fIdctx\fR is not \s-1NULL\s0 and on the provider
+the provider side context if \fIdctx\fR is not NULL and on the provider
side algorithm \fIprovctx\fR otherwise.
.PP
Parameters currently recognised by built-in digests with this function
are as follows. Not all parameters are relevant to, or are understood
by all digests:
-.ie n .IP """blocksize"" (\fB\s-1OSSL_DIGEST_PARAM_BLOCK_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``blocksize'' (\fB\s-1OSSL_DIGEST_PARAM_BLOCK_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "blocksize (OSSL_DIGEST_PARAM_BLOCK_SIZE) <unsigned integer>"
+.IP """blocksize"" (\fBOSSL_DIGEST_PARAM_BLOCK_SIZE\fR) <unsigned integer>" 4
+.IX Item """blocksize"" (OSSL_DIGEST_PARAM_BLOCK_SIZE) <unsigned integer>"
The digest block size.
-The length of the \*(L"blocksize\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """size"" (\fB\s-1OSSL_DIGEST_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_DIGEST_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
+The length of the "blocksize" parameter should not exceed that of a \fBsize_t\fR.
+.IP """size"" (\fBOSSL_DIGEST_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_DIGEST_PARAM_SIZE) <unsigned integer>"
The digest output size.
-The length of the \*(L"size\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """flags"" (\fB\s-1OSSL_DIGEST_PARAM_FLAGS\s0\fR) <unsigned integer>" 4
-.el .IP "``flags'' (\fB\s-1OSSL_DIGEST_PARAM_FLAGS\s0\fR) <unsigned integer>" 4
-.IX Item "flags (OSSL_DIGEST_PARAM_FLAGS) <unsigned integer>"
+The length of the "size" parameter should not exceed that of a \fBsize_t\fR.
+.IP """flags"" (\fBOSSL_DIGEST_PARAM_FLAGS\fR) <unsigned integer>" 4
+.IX Item """flags"" (OSSL_DIGEST_PARAM_FLAGS) <unsigned integer>"
Diverse flags that describe exceptional behaviour for the digest:
.RS 4
-.IP "\fB\s-1EVP_MD_FLAG_ONESHOT\s0\fR" 4
+.IP \fBEVP_MD_FLAG_ONESHOT\fR 4
.IX Item "EVP_MD_FLAG_ONESHOT"
This digest method can only handle one block of input.
-.IP "\fB\s-1EVP_MD_FLAG_XOF\s0\fR" 4
+.IP \fBEVP_MD_FLAG_XOF\fR 4
.IX Item "EVP_MD_FLAG_XOF"
-This digest method is an extensible-output function (\s-1XOF\s0) and supports
-setting the \fB\s-1OSSL_DIGEST_PARAM_XOFLEN\s0\fR parameter.
-.IP "\fB\s-1EVP_MD_FLAG_DIGALGID_NULL\s0\fR" 4
+This digest method is an extensible-output function (XOF).
+.IP \fBEVP_MD_FLAG_DIGALGID_NULL\fR 4
.IX Item "EVP_MD_FLAG_DIGALGID_NULL"
When setting up a DigestAlgorithmIdentifier, this flag will have the
-parameter set to \s-1NULL\s0 by default. Use this for PKCS#1. \fINote: if
-combined with \s-1EVP_MD_FLAG_DIGALGID_ABSENT,\s0 the latter will override.\fR
-.IP "\fB\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0\fR" 4
+parameter set to NULL by default. Use this for PKCS#1. \fINote: if
+combined with EVP_MD_FLAG_DIGALGID_ABSENT, the latter will override.\fR
+.IP \fBEVP_MD_FLAG_DIGALGID_ABSENT\fR 4
.IX Item "EVP_MD_FLAG_DIGALGID_ABSENT"
When setting up a DigestAlgorithmIdentifier, this flag will have the
parameter be left absent by default. \fINote: if combined with
-\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR
-.IP "\fB\s-1EVP_MD_FLAG_DIGALGID_CUSTOM\s0\fR" 4
+EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.\fR
+.IP \fBEVP_MD_FLAG_DIGALGID_CUSTOM\fR 4
.IX Item "EVP_MD_FLAG_DIGALGID_CUSTOM"
Custom DigestAlgorithmIdentifier handling via ctrl, with
-\&\fB\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0\fR as default. \fINote: if combined with
-\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR
+\&\fBEVP_MD_FLAG_DIGALGID_ABSENT\fR as default. \fINote: if combined with
+EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.\fR
Currently unused.
.RE
.RS 4
.Sp
-The length of the \*(L"flags\*(R" parameter should equal that of an
+The length of the "flags" parameter should equal that of an
\&\fBunsigned long int\fR.
.RE
.SS "Digest Context Parameters"
@@ -356,16 +287,16 @@ The length of the \*(L"flags\*(R" parameter should equal that of an
\&\fBOSSL_FUNC_digest_set_ctx_params()\fR sets digest parameters associated with the
given provider side digest context \fIdctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure.
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure.
.PP
\&\fBOSSL_FUNC_digest_get_ctx_params()\fR gets details of currently set parameters
values associated with the give provider side digest context \fIdctx\fR
and stores them in \fIparams\fR.
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure.
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_digest_newctx()\fR and \fBOSSL_FUNC_digest_dupctx()\fR should return the newly created
-provider side digest context, or \s-1NULL\s0 on failure.
+provider side digest context, or NULL on failure.
.PP
\&\fBOSSL_FUNC_digest_init()\fR, \fBOSSL_FUNC_digest_update()\fR, \fBOSSL_FUNC_digest_final()\fR, \fBOSSL_FUNC_digest_digest()\fR,
\&\fBOSSL_FUNC_digest_set_params()\fR and \fBOSSL_FUNC_digest_get_params()\fR should return 1 for success or
@@ -375,30 +306,31 @@ provider side digest context, or \s-1NULL\s0 on failure.
.PP
\&\fBOSSL_FUNC_digest_block_size()\fR should return the block size of the underlying digest
algorithm.
-.SH "BUGS"
+.SH BUGS
.IX Header "BUGS"
-The \fBEVP_Q_digest()\fR, \fBEVP_Digest()\fR and \fBEVP_DigestFinal_ex()\fR \s-1API\s0 calls do not
-expect the digest size to be larger than \s-1EVP_MAX_MD_SIZE.\s0 Any algorithm which
-produces larger digests is unusable with those \s-1API\s0 calls.
+The \fBEVP_Q_digest()\fR, \fBEVP_Digest()\fR and \fBEVP_DigestFinal_ex()\fR API calls do not
+expect the digest size to be larger than EVP_MAX_MD_SIZE. Any algorithm which
+produces larger digests is unusable with those API calls.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_PROVIDER\-FIPS\s0\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7),
+\&\fBprovider\fR\|(7), \fBOSSL_PROVIDER\-FIPS\fR\|(7), \fBOSSL_PROVIDER\-default\fR\|(7),
\&\fBOSSL_PROVIDER\-legacy\fR\|(7),
-\&\fBEVP_MD\-common\fR\|(7), \s-1\fBEVP_MD\-BLAKE2\s0\fR\|(7), \s-1\fBEVP_MD\-MD2\s0\fR\|(7),
-\&\s-1\fBEVP_MD\-MD4\s0\fR\|(7), \s-1\fBEVP_MD\-MD5\s0\fR\|(7), \s-1\fBEVP_MD\-MD5\-SHA1\s0\fR\|(7),
-\&\s-1\fBEVP_MD\-MDC2\s0\fR\|(7), \s-1\fBEVP_MD\-RIPEMD160\s0\fR\|(7), \s-1\fBEVP_MD\-SHA1\s0\fR\|(7),
-\&\s-1\fBEVP_MD\-SHA2\s0\fR\|(7), \s-1\fBEVP_MD\-SHA3\s0\fR\|(7), \s-1\fBEVP_MD\-SHAKE\s0\fR\|(7),
-\&\s-1\fBEVP_MD\-SM3\s0\fR\|(7), \s-1\fBEVP_MD\-WHIRLPOOL\s0\fR\|(7),
-\&\s-1\fBEVP_MD\-NULL\s0\fR\|(7),
+\&\fBEVP_MD\-common\fR\|(7), \fBEVP_MD\-BLAKE2\fR\|(7), \fBEVP_MD\-MD2\fR\|(7),
+\&\fBEVP_MD\-MD4\fR\|(7), \fBEVP_MD\-MD5\fR\|(7), \fBEVP_MD\-MD5\-SHA1\fR\|(7),
+\&\fBEVP_MD\-MDC2\fR\|(7), \fBEVP_MD\-RIPEMD160\fR\|(7), \fBEVP_MD\-SHA1\fR\|(7),
+\&\fBEVP_MD\-SHA2\fR\|(7), \fBEVP_MD\-SHA3\fR\|(7), \fBEVP_MD\-KECCAK\fR\|(7)
+\&\fBEVP_MD\-SHAKE\fR\|(7), \fBEVP_MD\-SM3\fR\|(7), \fBEVP_MD\-WHIRLPOOL\fR\|(7),
+\&\fBEVP_MD\-NULL\fR\|(7),
\&\fBlife_cycle\-digest\fR\|(7), \fBEVP_DigestInit\fR\|(3)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1DIGEST\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider DIGEST interface was introduced in OpenSSL 3.0.
+\&\fBOSSL_FUNC_digest_copyctx()\fR was added in 3.5 version.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-encoder.7 b/secure/lib/libcrypto/man/man7/provider-encoder.7
index 76d00e0ad3e9..2cc7602d8172 100644
--- a/secure/lib/libcrypto/man/man7/provider-encoder.7
+++ b/secure/lib/libcrypto/man/man7/provider-encoder.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-ENCODER 7ossl"
-.TH PROVIDER-ENCODER 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-ENCODER 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-encoder \- The OSSL_ENCODER library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
@@ -175,48 +99,48 @@ provider\-encoder \- The OSSL_ENCODER library <\-> provider functions
\& const OSSL_PARAM params[]);
\& void OSSL_FUNC_encoder_free_object(void *obj);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-\&\fIWe use the wide term \*(L"encode\*(R" in this manual. This includes but is
+\&\fIWe use the wide term "encode" in this manual. This includes but is
not limited to serialization.\fR
.PP
-The \s-1ENCODER\s0 operation is a generic method to encode a provider-native
+The ENCODER operation is a generic method to encode a provider-native
object (\fIobj_raw\fR) or an object abstraction (\fIobject_abstract\fR, see
\&\fBprovider\-object\fR\|(7)) into an encoded form, and write the result to
-the given \s-1OSSL_CORE_BIO.\s0 If the caller wants to get the encoded
-stream to memory, it should provide a \fBBIO_s_mem\fR\|(3) \fB\s-1BIO\s0\fR.
+the given OSSL_CORE_BIO. If the caller wants to get the encoded
+stream to memory, it should provide a \fBBIO_s_mem\fR\|(3) \fBBIO\fR.
.PP
-The encoder doesn't need to know more about the \fB\s-1OSSL_CORE_BIO\s0\fR
-pointer than being able to pass it to the appropriate \s-1BIO\s0 upcalls (see
-\&\*(L"Core functions\*(R" in \fBprovider\-base\fR\|(7)).
+The encoder doesn't need to know more about the \fBOSSL_CORE_BIO\fR
+pointer than being able to pass it to the appropriate BIO upcalls (see
+"Core functions" in \fBprovider\-base\fR\|(7)).
.PP
-The \s-1ENCODER\s0 implementation may be part of a chain, where data is
+The ENCODER implementation may be part of a chain, where data is
passed from one to the next. For example, there may be an
-implementation to encode an object to \s-1DER\s0 (that object is assumed to
+implementation to encode an object to DER (that object is assumed to
be provider-native and thereby passed via \fIobj_raw\fR), and another one
-that encodes \s-1DER\s0 to \s-1PEM\s0 (that one would receive the \s-1DER\s0 encoding via
+that encodes DER to PEM (that one would receive the DER encoding via
\&\fIobj_abstract\fR).
.PP
-The encoding using the \s-1\fBOSSL_PARAM\s0\fR\|(3) array form allows a
+The encoding using the \fBOSSL_PARAM\fR\|(3) array form allows a
encoder to be used for data that's been exported from another
provider, and thereby allow them to exist independently of each
other.
.PP
The encoding using a provider side object can only be safely used
with provider data coming from the same provider, for example keys
-with the \s-1KEYMGMT\s0 provider.
+with the KEYMGMT provider.
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_encoder_encode()\fR has these:
+For example, the "function" \fBOSSL_FUNC_encoder_encode()\fR has these:
.PP
.Vb 8
\& typedef int
@@ -229,7 +153,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_encoder_encode()\fR has these:
\& OSSL_FUNC_encoder_encode(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 2
@@ -251,11 +175,13 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.SS "Names and properties"
.IX Subsection "Names and properties"
The name of an implementation should match the type of object it handles.
-For example, an implementation that encodes an \s-1RSA\s0 key should be named \*(L"\s-1RSA\*(R".\s0
-Likewise, an implementation that further encodes \s-1DER\s0 should be named \*(L"\s-1DER\*(R".\s0
+For example, an implementation that encodes an RSA key should be named "RSA".
+Likewise, an implementation that further encodes DER should be named "DER".
.PP
-Properties can be used to further specify details about an implementation:
-.IP "output" 4
+Properties, as defined in the \fBOSSL_ALGORITHM\fR\|(3) array element of each
+decoder implementation, can be used to further specify details about an
+implementation:
+.IP output 4
.IX Item "output"
This property is used to specify what type of output the implementation
produces.
@@ -264,27 +190,27 @@ This property is \fImandatory\fR.
.Sp
OpenSSL providers recognize the following output types:
.RS 4
-.IP "text" 4
+.IP text 4
.IX Item "text"
An implementation with that output type outputs human readable text, making
that implementation suitable for \f(CW\*(C`\-text\*(C'\fR output in diverse \fBopenssl\fR\|(1)
commands.
-.IP "pem" 4
+.IP pem 4
.IX Item "pem"
-An implementation with that output type outputs \s-1PEM\s0 formatted data.
-.IP "der" 4
+An implementation with that output type outputs PEM formatted data.
+.IP der 4
.IX Item "der"
-An implementation with that output type outputs \s-1DER\s0 formatted data.
-.IP "msblob" 4
+An implementation with that output type outputs DER formatted data.
+.IP msblob 4
.IX Item "msblob"
-An implementation with that output type outputs \s-1MSBLOB\s0 formatted data.
-.IP "pvk" 4
+An implementation with that output type outputs MSBLOB formatted data.
+.IP pvk 4
.IX Item "pvk"
-An implementation with that output type outputs \s-1PVK\s0 formatted data.
+An implementation with that output type outputs PVK formatted data.
.RE
.RS 4
.RE
-.IP "structure" 4
+.IP structure 4
.IX Item "structure"
This property is used to specify the structure that is used for the encoded
object. An example could be \f(CW\*(C`pkcs8\*(C'\fR, to specify explicitly that an object
@@ -304,10 +230,10 @@ be encoded, with a set of bits \fIselection\fR that are passed in an \fBint\fR.
.PP
This set of bits depend entirely on what kind of provider-side object is
passed. For example, those bits are assumed to be the same as those used
-with \fBprovider\-keymgmt\fR\|(7) (see \*(L"Key Objects\*(R" in \fBprovider\-keymgmt\fR\|(7)) when
+with \fBprovider\-keymgmt\fR\|(7) (see "Key Objects" in \fBprovider\-keymgmt\fR\|(7)) when
the object is an asymmetric keypair.
.PP
-\&\s-1ENCODER\s0 implementations are free to regard the \fIselection\fR as a set of
+ENCODER implementations are free to regard the \fIselection\fR as a set of
hints, but must do so with care. In the end, the output must make sense,
and if there's a corresponding decoder, the resulting decoded object must
match the original object that was encoded.
@@ -325,20 +251,20 @@ the functions.
\&\fBOSSL_FUNC_encoder_set_ctx_params()\fR sets context data according to parameters
from \fIparams\fR that it recognises. Unrecognised parameters should be
ignored.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
-\&\fBOSSL_FUNC_encoder_settable_ctx_params()\fR returns a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+\&\fBOSSL_FUNC_encoder_settable_ctx_params()\fR returns a constant \fBOSSL_PARAM\fR\|(3)
array describing the parameters that \fBOSSL_FUNC_encoder_set_ctx_params()\fR
can handle.
.PP
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
\&\fBOSSL_FUNC_encoder_set_ctx_params()\fR and \fBOSSL_FUNC_encoder_settable_ctx_params()\fR.
.SS "Import functions"
.IX Subsection "Import functions"
A provider-native object may be associated with a foreign provider, and may
-therefore be unsuitable for direct use with a given \s-1ENCODER\s0 implementation.
+therefore be unsuitable for direct use with a given ENCODER implementation.
Provided that the foreign provider's implementation to handle the object has
-a function to export that object in \s-1\fBOSSL_PARAM\s0\fR\|(3) array form, the \s-1ENCODER\s0
+a function to export that object in \fBOSSL_PARAM\fR\|(3) array form, the ENCODER
implementation should be able to import that array and create a suitable
object to be passed to \fBOSSL_FUNC_encoder_encode()\fR's \fIobj_raw\fR.
.PP
@@ -352,18 +278,17 @@ passed as \fIobj_raw\fR to \fBOSSL_FUNC_encoder_encode()\fR.
.IX Subsection "Encoding functions"
\&\fBOSSL_FUNC_encoder_encode()\fR should take a provider-native object (in
\&\fIobj_raw\fR) or an object abstraction (in \fIobj_abstract\fR), and should output
-the object in encoded form to the \fB\s-1OSSL_CORE_BIO\s0\fR. The \fIselection\fR bits,
+the object in encoded form to the \fBOSSL_CORE_BIO\fR. The \fIselection\fR bits,
if relevant, should determine in greater detail what will be output.
-The encoding functions also take an \s-1\fBOSSL_PASSPHRASE_CALLBACK\s0\fR\|(3) function
+The encoding functions also take an \fBOSSL_PASSPHRASE_CALLBACK\fR\|(3) function
pointer along with a pointer to application data \fIcbarg\fR, which should be
used when a pass phrase prompt is needed.
.SS "Encoder operation parameters"
.IX Subsection "Encoder operation parameters"
Operation parameters currently recognised by built-in encoders are as
follows:
-.ie n .IP """cipher"" (\fB\s-1OSSL_ENCODER_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_ENCODER_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_ENCODER_PARAM_CIPHER) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_ENCODER_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_ENCODER_PARAM_CIPHER) <UTF8 string>"
The name of the encryption cipher to be used when generating encrypted
encoding. This is used when encoding private keys, as well as
other objects that need protection.
@@ -372,41 +297,38 @@ If this name is invalid for the encoding implementation, the
implementation should refuse to perform the encoding, i.e.
\&\fBOSSL_FUNC_encoder_encode_data()\fR and \fBOSSL_FUNC_encoder_encode_object()\fR
should return an error.
-.ie n .IP """properties"" (\fB\s-1OSSL_ENCODER_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_ENCODER_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_ENCODER_PARAM_PROPERTIES) <UTF8 string>"
+.IP """properties"" (\fBOSSL_ENCODER_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_ENCODER_PARAM_PROPERTIES) <UTF8 string>"
The properties to be queried when trying to fetch the algorithm given
-with the \*(L"cipher\*(R" parameter.
-This must be given together with the \*(L"cipher\*(R" parameter to be
+with the "cipher" parameter.
+This must be given together with the "cipher" parameter to be
considered valid.
.Sp
The encoding implementation isn't obligated to use this value.
However, it is recommended that implementations that do not handle
property strings return an error on receiving this parameter unless
-its value \s-1NULL\s0 or the empty string.
-.ie n .IP """save-parameters"" (\fB\s-1OSSL_ENCODER_PARAM_SAVE_PARAMETERS\s0\fR) <integer>" 4
-.el .IP "``save-parameters'' (\fB\s-1OSSL_ENCODER_PARAM_SAVE_PARAMETERS\s0\fR) <integer>" 4
-.IX Item "save-parameters (OSSL_ENCODER_PARAM_SAVE_PARAMETERS) <integer>"
+its value NULL or the empty string.
+.IP """save-parameters"" (\fBOSSL_ENCODER_PARAM_SAVE_PARAMETERS\fR) <integer>" 4
+.IX Item """save-parameters"" (OSSL_ENCODER_PARAM_SAVE_PARAMETERS) <integer>"
If set to 0 disables saving of key domain parameters. Default is 1.
-It currently has an effect only on \s-1DSA\s0 keys.
+It currently has an effect only on DSA keys.
.PP
Parameters currently recognised by the built-in pass phrase callback:
-.ie n .IP """info"" (\fB\s-1OSSL_PASSPHRASE_PARAM_INFO\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_PASSPHRASE_PARAM_INFO\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "info (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>"
+.IP """info"" (\fBOSSL_PASSPHRASE_PARAM_INFO\fR) <UTF8 string>" 4
+.IX Item """info"" (OSSL_PASSPHRASE_PARAM_INFO) <UTF8 string>"
A string of information that will become part of the pass phrase
prompt. This could be used to give the user information on what kind
of object it's being prompted for.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-\&\fBOSSL_FUNC_encoder_newctx()\fR returns a pointer to a context, or \s-1NULL\s0 on
+\&\fBOSSL_FUNC_encoder_newctx()\fR returns a pointer to a context, or NULL on
failure.
.PP
\&\fBOSSL_FUNC_encoder_set_ctx_params()\fR returns 1, unless a recognised
parameter was invalid or caused an error, for which 0 is returned.
.PP
\&\fBOSSL_FUNC_encoder_settable_ctx_params()\fR returns a pointer to an array of
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) elements.
+constant \fBOSSL_PARAM\fR\|(3) elements.
.PP
\&\fBOSSL_FUNC_encoder_does_selection()\fR returns 1 if the encoder implementation
supports any of the \fIselection\fR bits, otherwise 0.
@@ -415,14 +337,14 @@ supports any of the \fIselection\fR bits, otherwise 0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1ENCODER\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The ENCODER interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-kdf.7 b/secure/lib/libcrypto/man/man7/provider-kdf.7
index 8a56362b13eb..6c76b682da28 100644
--- a/secure/lib/libcrypto/man/man7/provider-kdf.7
+++ b/secure/lib/libcrypto/man/man7/provider-kdf.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-KDF 7ossl"
-.TH PROVIDER-KDF 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-KDF 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-kdf \- The KDF library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -170,26 +94,26 @@ provider\-kdf \- The KDF library <\-> provider functions
\& int OSSL_FUNC_kdf_get_ctx_params(void *kctx, OSSL_PARAM params[]);
\& int OSSL_FUNC_kdf_set_ctx_params(void *kctx, const OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The \s-1KDF\s0 operation enables providers to implement \s-1KDF\s0 algorithms and make
-them available to applications via the \s-1API\s0 functions \fBEVP_KDF_CTX_reset\fR\|(3),
+The KDF operation enables providers to implement KDF algorithms and make
+them available to applications via the API functions \fBEVP_KDF_CTX_reset\fR\|(3),
and \fBEVP_KDF_derive\fR\|(3).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_kdf_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_kdf_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_kdf_newctx_fn)(void *provctx);
@@ -197,7 +121,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_kdf_newctx()\fR has these:
\& OSSL_FUNC_kdf_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) array entries are identified by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) array entries are identified by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
@@ -217,7 +141,7 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
\& OSSL_FUNC_kdf_settable_ctx_params OSSL_FUNC_KDF_SETTABLE_CTX_PARAMS
.Ve
.PP
-A \s-1KDF\s0 algorithm implementation may not implement all of these functions.
+A KDF algorithm implementation may not implement all of these functions.
In order to be a consistent set of functions, at least the following functions
must be implemented: \fBOSSL_FUNC_kdf_newctx()\fR, \fBOSSL_FUNC_kdf_freectx()\fR,
\&\fBOSSL_FUNC_kdf_set_ctx_params()\fR, \fBOSSL_FUNC_kdf_derive()\fR.
@@ -225,115 +149,103 @@ All other functions are optional.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
\&\fBOSSL_FUNC_kdf_newctx()\fR should create and return a pointer to a provider side
-structure for holding context information during a \s-1KDF\s0 operation.
-A pointer to this context will be passed back in a number of the other \s-1KDF\s0
+structure for holding context information during a KDF operation.
+A pointer to this context will be passed back in a number of the other KDF
operation function calls.
The parameter \fIprovctx\fR is the provider context generated during provider
initialisation (see \fBprovider\fR\|(7)).
.PP
-\&\fBOSSL_FUNC_kdf_freectx()\fR is passed a pointer to the provider side \s-1KDF\s0 context in
+\&\fBOSSL_FUNC_kdf_freectx()\fR is passed a pointer to the provider side KDF context in
the \fIkctx\fR parameter.
-If it receives \s-1NULL\s0 as \fIkctx\fR value, it should not do anything other than
+If it receives NULL as \fIkctx\fR value, it should not do anything other than
return.
This function should free any resources associated with that context.
.PP
-\&\fBOSSL_FUNC_kdf_dupctx()\fR should duplicate the provider side \s-1KDF\s0 context in the
+\&\fBOSSL_FUNC_kdf_dupctx()\fR should duplicate the provider side KDF context in the
\&\fIkctx\fR parameter and return the duplicate copy.
.SS "Encryption/Decryption Functions"
.IX Subsection "Encryption/Decryption Functions"
-\&\fBOSSL_FUNC_kdf_reset()\fR initialises a \s-1KDF\s0 operation given a provider
-side \s-1KDF\s0 context in the \fIkctx\fR parameter.
+\&\fBOSSL_FUNC_kdf_reset()\fR initialises a KDF operation given a provider
+side KDF context in the \fIkctx\fR parameter.
.PP
-\&\fBOSSL_FUNC_kdf_derive()\fR performs the \s-1KDF\s0 operation after processing the
+\&\fBOSSL_FUNC_kdf_derive()\fR performs the KDF operation after processing the
\&\fIparams\fR as per \fBOSSL_FUNC_kdf_set_ctx_params()\fR.
The \fIkctx\fR parameter contains a pointer to the provider side context.
The resulting key of the desired \fIkeylen\fR should be written to \fIkey\fR.
If the algorithm does not support the requested \fIkeylen\fR the function must
return error.
-.SS "\s-1KDF\s0 Parameters"
+.SS "KDF Parameters"
.IX Subsection "KDF Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
these functions.
.PP
\&\fBOSSL_FUNC_kdf_get_params()\fR gets details of parameter values associated with the
provider algorithm and stores them in \fIparams\fR.
.PP
-\&\fBOSSL_FUNC_kdf_set_ctx_params()\fR sets \s-1KDF\s0 parameters associated with the given
-provider side \s-1KDF\s0 context \fIkctx\fR to \fIparams\fR.
+\&\fBOSSL_FUNC_kdf_set_ctx_params()\fR sets KDF parameters associated with the given
+provider side KDF context \fIkctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_kdf_get_ctx_params()\fR retrieves gettable parameter values associated
-with the given provider side \s-1KDF\s0 context \fIkctx\fR and stores them in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+with the given provider side KDF context \fIkctx\fR and stores them in \fIparams\fR.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_kdf_gettable_params()\fR, \fBOSSL_FUNC_kdf_gettable_ctx_params()\fR,
-and \fBOSSL_FUNC_kdf_settable_ctx_params()\fR all return constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+and \fBOSSL_FUNC_kdf_settable_ctx_params()\fR all return constant \fBOSSL_PARAM\fR\|(3)
arrays as descriptors of the parameters that \fBOSSL_FUNC_kdf_get_params()\fR,
\&\fBOSSL_FUNC_kdf_get_ctx_params()\fR, and \fBOSSL_FUNC_kdf_set_ctx_params()\fR
can handle, respectively. \fBOSSL_FUNC_kdf_gettable_ctx_params()\fR and
\&\fBOSSL_FUNC_kdf_settable_ctx_params()\fR will return the parameters associated
with the provider side context \fIkctx\fR in its current state if it is
-not \s-1NULL.\s0 Otherwise, they return the parameters associated with the
+not NULL. Otherwise, they return the parameters associated with the
provider side algorithm \fIprovctx\fR.
.PP
Parameters currently recognised by built-in KDFs are as follows. Not all
parameters are relevant to, or are understood by all KDFs:
-.ie n .IP """size"" (\fB\s-1OSSL_KDF_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_KDF_PARAM_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "size (OSSL_KDF_PARAM_SIZE) <unsigned integer>"
-Gets the output size from the associated \s-1KDF\s0 ctx.
-If the algorithm produces a variable amount of output, \s-1SIZE_MAX\s0 should be
+.IP """size"" (\fBOSSL_KDF_PARAM_SIZE\fR) <unsigned integer>" 4
+.IX Item """size"" (OSSL_KDF_PARAM_SIZE) <unsigned integer>"
+Gets the output size from the associated KDF ctx.
+If the algorithm produces a variable amount of output, SIZE_MAX should be
returned.
If the input parameters required to calculate the fixed output size have not yet
been supplied, 0 should be returned indicating an error.
-.ie n .IP """key"" (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_KDF_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_KDF_PARAM_KEY) <octet string>"
-Sets the key in the associated \s-1KDF\s0 ctx.
-.ie n .IP """secret"" (\fB\s-1OSSL_KDF_PARAM_SECRET\s0\fR) <octet string>" 4
-.el .IP "``secret'' (\fB\s-1OSSL_KDF_PARAM_SECRET\s0\fR) <octet string>" 4
-.IX Item "secret (OSSL_KDF_PARAM_SECRET) <octet string>"
-Sets the secret in the associated \s-1KDF\s0 ctx.
-.ie n .IP """pass"" (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.el .IP "``pass'' (\fB\s-1OSSL_KDF_PARAM_PASSWORD\s0\fR) <octet string>" 4
-.IX Item "pass (OSSL_KDF_PARAM_PASSWORD) <octet string>"
-Sets the password in the associated \s-1KDF\s0 ctx.
-.ie n .IP """cipher"" (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_KDF_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
+.IP """key"" (\fBOSSL_KDF_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_KDF_PARAM_KEY) <octet string>"
+Sets the key in the associated KDF ctx.
+.IP """secret"" (\fBOSSL_KDF_PARAM_SECRET\fR) <octet string>" 4
+.IX Item """secret"" (OSSL_KDF_PARAM_SECRET) <octet string>"
+Sets the secret in the associated KDF ctx.
+.IP """pass"" (\fBOSSL_KDF_PARAM_PASSWORD\fR) <octet string>" 4
+.IX Item """pass"" (OSSL_KDF_PARAM_PASSWORD) <octet string>"
+Sets the password in the associated KDF ctx.
+.IP """cipher"" (\fBOSSL_KDF_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_KDF_PARAM_CIPHER) <UTF8 string>"
.PD 0
-.ie n .IP """digest"" (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_KDF_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
-.ie n .IP """mac"" (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_KDF_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_KDF_PARAM_MAC) <UTF8 string>"
+.IP """digest"" (\fBOSSL_KDF_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_KDF_PARAM_DIGEST) <UTF8 string>"
+.IP """mac"" (\fBOSSL_KDF_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_KDF_PARAM_MAC) <UTF8 string>"
.PD
-Sets the name of the underlying cipher, digest or \s-1MAC\s0 to be used.
-It must name a suitable algorithm for the \s-1KDF\s0 that's being used.
-.ie n .IP """maclen"" (\fB\s-1OSSL_KDF_PARAM_MAC_SIZE\s0\fR) <octet string>" 4
-.el .IP "``maclen'' (\fB\s-1OSSL_KDF_PARAM_MAC_SIZE\s0\fR) <octet string>" 4
-.IX Item "maclen (OSSL_KDF_PARAM_MAC_SIZE) <octet string>"
-Sets the length of the \s-1MAC\s0 in the associated \s-1KDF\s0 ctx.
-.ie n .IP """properties"" (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_KDF_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
+Sets the name of the underlying cipher, digest or MAC to be used.
+It must name a suitable algorithm for the KDF that's being used.
+.IP """maclen"" (\fBOSSL_KDF_PARAM_MAC_SIZE\fR) <octet string>" 4
+.IX Item """maclen"" (OSSL_KDF_PARAM_MAC_SIZE) <octet string>"
+Sets the length of the MAC in the associated KDF ctx.
+.IP """properties"" (\fBOSSL_KDF_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_KDF_PARAM_PROPERTIES) <UTF8 string>"
Sets the properties to be queried when trying to fetch the underlying algorithm.
This must be given together with the algorithm naming parameter to be
considered valid.
-.ie n .IP """iter"" (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.el .IP "``iter'' (\fB\s-1OSSL_KDF_PARAM_ITER\s0\fR) <unsigned integer>" 4
-.IX Item "iter (OSSL_KDF_PARAM_ITER) <unsigned integer>"
-Sets the number of iterations in the associated \s-1KDF\s0 ctx.
-.ie n .IP """mode"" (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mode'' (\fB\s-1OSSL_KDF_PARAM_MODE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mode (OSSL_KDF_PARAM_MODE) <UTF8 string>"
-Sets the mode in the associated \s-1KDF\s0 ctx.
-.ie n .IP """pkcs5"" (\fB\s-1OSSL_KDF_PARAM_PKCS5\s0\fR) <integer>" 4
-.el .IP "``pkcs5'' (\fB\s-1OSSL_KDF_PARAM_PKCS5\s0\fR) <integer>" 4
-.IX Item "pkcs5 (OSSL_KDF_PARAM_PKCS5) <integer>"
-Enables or disables the \s-1SP800\-132\s0 compliance checks.
+.IP """iter"" (\fBOSSL_KDF_PARAM_ITER\fR) <unsigned integer>" 4
+.IX Item """iter"" (OSSL_KDF_PARAM_ITER) <unsigned integer>"
+Sets the number of iterations in the associated KDF ctx.
+.IP """mode"" (\fBOSSL_KDF_PARAM_MODE\fR) <UTF8 string>" 4
+.IX Item """mode"" (OSSL_KDF_PARAM_MODE) <UTF8 string>"
+Sets the mode in the associated KDF ctx.
+.IP """pkcs5"" (\fBOSSL_KDF_PARAM_PKCS5\fR) <integer>" 4
+.IX Item """pkcs5"" (OSSL_KDF_PARAM_PKCS5) <integer>"
+Enables or disables the SP800\-132 compliance checks.
A mode of 0 enables the compliance checks.
.Sp
The checks performed are:
@@ -348,133 +260,117 @@ The checks performed are:
.RE
.RS 4
.RE
-.ie n .IP """ukm"" (\fB\s-1OSSL_KDF_PARAM_UKM\s0\fR) <octet string>" 4
-.el .IP "``ukm'' (\fB\s-1OSSL_KDF_PARAM_UKM\s0\fR) <octet string>" 4
-.IX Item "ukm (OSSL_KDF_PARAM_UKM) <octet string>"
+.IP """ukm"" (\fBOSSL_KDF_PARAM_UKM\fR) <octet string>" 4
+.IX Item """ukm"" (OSSL_KDF_PARAM_UKM) <octet string>"
.PD
Sets an optional random string that is provided by the sender called
-\&\*(L"partyAInfo\*(R". In \s-1CMS\s0 this is the user keying material.
-.ie n .IP """cekalg"" (\fB\s-1OSSL_KDF_PARAM_CEK_ALG\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cekalg'' (\fB\s-1OSSL_KDF_PARAM_CEK_ALG\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cekalg (OSSL_KDF_PARAM_CEK_ALG) <UTF8 string>"
-Sets the \s-1CEK\s0 wrapping algorithm name in the associated \s-1KDF\s0 ctx.
-.ie n .IP """n"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_N\s0\fR) <unsigned integer>" 4
-.el .IP "``n'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_N\s0\fR) <unsigned integer>" 4
-.IX Item "n (OSSL_KDF_PARAM_SCRYPT_N) <unsigned integer>"
-Sets the scrypt work factor parameter N in the associated \s-1KDF\s0 ctx.
-.ie n .IP """r"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_R\s0\fR) <unsigned integer>" 4
-.el .IP "``r'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_R\s0\fR) <unsigned integer>" 4
-.IX Item "r (OSSL_KDF_PARAM_SCRYPT_R) <unsigned integer>"
-Sets the scrypt work factor parameter r in the associated \s-1KDF\s0 ctx.
-.ie n .IP """p"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_P\s0\fR) <unsigned integer>" 4
-.el .IP "``p'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_P\s0\fR) <unsigned integer>" 4
-.IX Item "p (OSSL_KDF_PARAM_SCRYPT_P) <unsigned integer>"
-Sets the scrypt work factor parameter p in the associated \s-1KDF\s0 ctx.
-.ie n .IP """maxmem_bytes"" (\fB\s-1OSSL_KDF_PARAM_SCRYPT_MAXMEM\s0\fR) <unsigned integer>" 4
-.el .IP "``maxmem_bytes'' (\fB\s-1OSSL_KDF_PARAM_SCRYPT_MAXMEM\s0\fR) <unsigned integer>" 4
-.IX Item "maxmem_bytes (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>"
-Sets the scrypt work factor parameter maxmem in the associated \s-1KDF\s0 ctx.
-.ie n .IP """prefix"" (\fB\s-1OSSL_KDF_PARAM_PREFIX\s0\fR) <octet string>" 4
-.el .IP "``prefix'' (\fB\s-1OSSL_KDF_PARAM_PREFIX\s0\fR) <octet string>" 4
-.IX Item "prefix (OSSL_KDF_PARAM_PREFIX) <octet string>"
-Sets the prefix string using by the \s-1TLS 1.3\s0 version of \s-1HKDF\s0 in the
-associated \s-1KDF\s0 ctx.
-.ie n .IP """label"" (\fB\s-1OSSL_KDF_PARAM_LABEL\s0\fR) <octet string>" 4
-.el .IP "``label'' (\fB\s-1OSSL_KDF_PARAM_LABEL\s0\fR) <octet string>" 4
-.IX Item "label (OSSL_KDF_PARAM_LABEL) <octet string>"
-Sets the label string using by the \s-1TLS 1.3\s0 version of \s-1HKDF\s0 in the
-associated \s-1KDF\s0 ctx.
-.ie n .IP """data"" (\fB\s-1OSSL_KDF_PARAM_DATA\s0\fR) <octet string>" 4
-.el .IP "``data'' (\fB\s-1OSSL_KDF_PARAM_DATA\s0\fR) <octet string>" 4
-.IX Item "data (OSSL_KDF_PARAM_DATA) <octet string>"
-Sets the context string using by the \s-1TLS 1.3\s0 version of \s-1HKDF\s0 in the
-associated \s-1KDF\s0 ctx.
-.ie n .IP """info"" (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.el .IP "``info'' (\fB\s-1OSSL_KDF_PARAM_INFO\s0\fR) <octet string>" 4
-.IX Item "info (OSSL_KDF_PARAM_INFO) <octet string>"
-Sets the optional shared info in the associated \s-1KDF\s0 ctx.
-.ie n .IP """seed"" (\fB\s-1OSSL_KDF_PARAM_SEED\s0\fR) <octet string>" 4
-.el .IP "``seed'' (\fB\s-1OSSL_KDF_PARAM_SEED\s0\fR) <octet string>" 4
-.IX Item "seed (OSSL_KDF_PARAM_SEED) <octet string>"
-Sets the \s-1IV\s0 in the associated \s-1KDF\s0 ctx.
-.ie n .IP """xcghash"" (\fB\s-1OSSL_KDF_PARAM_SSHKDF_XCGHASH\s0\fR) <octet string>" 4
-.el .IP "``xcghash'' (\fB\s-1OSSL_KDF_PARAM_SSHKDF_XCGHASH\s0\fR) <octet string>" 4
-.IX Item "xcghash (OSSL_KDF_PARAM_SSHKDF_XCGHASH) <octet string>"
-Sets the xcghash in the associated \s-1KDF\s0 ctx.
-.ie n .IP """session_id"" (\fB\s-1OSSL_KDF_PARAM_SSHKDF_SESSION_ID\s0\fR) <octet string>" 4
-.el .IP "``session_id'' (\fB\s-1OSSL_KDF_PARAM_SSHKDF_SESSION_ID\s0\fR) <octet string>" 4
-.IX Item "session_id (OSSL_KDF_PARAM_SSHKDF_SESSION_ID) <octet string>"
-Sets the session \s-1ID\s0 in the associated \s-1KDF\s0 ctx.
-.ie n .IP """type"" (\fB\s-1OSSL_KDF_PARAM_SSHKDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``type'' (\fB\s-1OSSL_KDF_PARAM_SSHKDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "type (OSSL_KDF_PARAM_SSHKDF_TYPE) <UTF8 string>"
-Sets the \s-1SSH KDF\s0 type parameter in the associated \s-1KDF\s0 ctx.
+"partyAInfo". In CMS this is the user keying material.
+.IP """cekalg"" (\fBOSSL_KDF_PARAM_CEK_ALG\fR) <UTF8 string>" 4
+.IX Item """cekalg"" (OSSL_KDF_PARAM_CEK_ALG) <UTF8 string>"
+Sets the CEK wrapping algorithm name in the associated KDF ctx.
+.IP """n"" (\fBOSSL_KDF_PARAM_SCRYPT_N\fR) <unsigned integer>" 4
+.IX Item """n"" (OSSL_KDF_PARAM_SCRYPT_N) <unsigned integer>"
+Sets the scrypt work factor parameter N in the associated KDF ctx.
+.IP """r"" (\fBOSSL_KDF_PARAM_SCRYPT_R\fR) <unsigned integer>" 4
+.IX Item """r"" (OSSL_KDF_PARAM_SCRYPT_R) <unsigned integer>"
+Sets the scrypt work factor parameter r in the associated KDF ctx.
+.IP """p"" (\fBOSSL_KDF_PARAM_SCRYPT_P\fR) <unsigned integer>" 4
+.IX Item """p"" (OSSL_KDF_PARAM_SCRYPT_P) <unsigned integer>"
+Sets the scrypt work factor parameter p in the associated KDF ctx.
+.IP """maxmem_bytes"" (\fBOSSL_KDF_PARAM_SCRYPT_MAXMEM\fR) <unsigned integer>" 4
+.IX Item """maxmem_bytes"" (OSSL_KDF_PARAM_SCRYPT_MAXMEM) <unsigned integer>"
+Sets the scrypt work factor parameter maxmem in the associated KDF ctx.
+.IP """prefix"" (\fBOSSL_KDF_PARAM_PREFIX\fR) <octet string>" 4
+.IX Item """prefix"" (OSSL_KDF_PARAM_PREFIX) <octet string>"
+Sets the prefix string using by the TLS 1.3 version of HKDF in the
+associated KDF ctx.
+.IP """label"" (\fBOSSL_KDF_PARAM_LABEL\fR) <octet string>" 4
+.IX Item """label"" (OSSL_KDF_PARAM_LABEL) <octet string>"
+Sets the label string using by the TLS 1.3 version of HKDF in the
+associated KDF ctx.
+.IP """data"" (\fBOSSL_KDF_PARAM_DATA\fR) <octet string>" 4
+.IX Item """data"" (OSSL_KDF_PARAM_DATA) <octet string>"
+Sets the context string using by the TLS 1.3 version of HKDF in the
+associated KDF ctx.
+.IP """info"" (\fBOSSL_KDF_PARAM_INFO\fR) <octet string>" 4
+.IX Item """info"" (OSSL_KDF_PARAM_INFO) <octet string>"
+Sets the optional shared info in the associated KDF ctx.
+.IP """seed"" (\fBOSSL_KDF_PARAM_SEED\fR) <octet string>" 4
+.IX Item """seed"" (OSSL_KDF_PARAM_SEED) <octet string>"
+Sets the IV in the associated KDF ctx.
+.IP """xcghash"" (\fBOSSL_KDF_PARAM_SSHKDF_XCGHASH\fR) <octet string>" 4
+.IX Item """xcghash"" (OSSL_KDF_PARAM_SSHKDF_XCGHASH) <octet string>"
+Sets the xcghash in the associated KDF ctx.
+.IP """session_id"" (\fBOSSL_KDF_PARAM_SSHKDF_SESSION_ID\fR) <octet string>" 4
+.IX Item """session_id"" (OSSL_KDF_PARAM_SSHKDF_SESSION_ID) <octet string>"
+Sets the session ID in the associated KDF ctx.
+.IP """type"" (\fBOSSL_KDF_PARAM_SSHKDF_TYPE\fR) <UTF8 string>" 4
+.IX Item """type"" (OSSL_KDF_PARAM_SSHKDF_TYPE) <UTF8 string>"
+Sets the SSH KDF type parameter in the associated KDF ctx.
There are six supported types:
.RS 4
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV\s0" 4
+.IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV"
-The Initial \s-1IV\s0 from client to server.
-A single char of value 65 (\s-1ASCII\s0 char 'A').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI\s0" 4
+The Initial IV from client to server.
+A single char of value 65 (ASCII char 'A').
+.IP EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI"
-The Initial \s-1IV\s0 from server to client
-A single char of value 66 (\s-1ASCII\s0 char 'B').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV\s0" 4
+The Initial IV from server to client
+A single char of value 66 (ASCII char 'B').
+.IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 4
.IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV"
The Encryption Key from client to server
-A single char of value 67 (\s-1ASCII\s0 char 'C').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI\s0" 4
+A single char of value 67 (ASCII char 'C').
+.IP EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 4
.IX Item "EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI"
The Encryption Key from server to client
-A single char of value 68 (\s-1ASCII\s0 char 'D').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV\s0" 4
+A single char of value 68 (ASCII char 'D').
+.IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV"
The Integrity Key from client to server
-A single char of value 69 (\s-1ASCII\s0 char 'E').
-.IP "\s-1EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI\s0" 4
+A single char of value 69 (ASCII char 'E').
+.IP EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 4
.IX Item "EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI"
The Integrity Key from client to server
-A single char of value 70 (\s-1ASCII\s0 char 'F').
+A single char of value 70 (ASCII char 'F').
.RE
.RS 4
.RE
-.ie n .IP """constant"" (\fB\s-1OSSL_KDF_PARAM_CONSTANT\s0\fR) <octet string>" 4
-.el .IP "``constant'' (\fB\s-1OSSL_KDF_PARAM_CONSTANT\s0\fR) <octet string>" 4
-.IX Item "constant (OSSL_KDF_PARAM_CONSTANT) <octet string>"
-Sets the constant value in the associated \s-1KDF\s0 ctx.
-.ie n .IP """id"" (\fB\s-1OSSL_KDF_PARAM_PKCS12_ID\s0\fR) <integer>" 4
-.el .IP "``id'' (\fB\s-1OSSL_KDF_PARAM_PKCS12_ID\s0\fR) <integer>" 4
-.IX Item "id (OSSL_KDF_PARAM_PKCS12_ID) <integer>"
-Sets the intended usage of the output bits in the associated \s-1KDF\s0 ctx.
-It is defined as per \s-1RFC 7292\s0 section B.3.
+.IP """constant"" (\fBOSSL_KDF_PARAM_CONSTANT\fR) <octet string>" 4
+.IX Item """constant"" (OSSL_KDF_PARAM_CONSTANT) <octet string>"
+Sets the constant value in the associated KDF ctx.
+.IP """id"" (\fBOSSL_KDF_PARAM_PKCS12_ID\fR) <integer>" 4
+.IX Item """id"" (OSSL_KDF_PARAM_PKCS12_ID) <integer>"
+Sets the intended usage of the output bits in the associated KDF ctx.
+It is defined as per RFC 7292 section B.3.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_kdf_newctx()\fR and \fBOSSL_FUNC_kdf_dupctx()\fR should return the newly created
-provider side \s-1KDF\s0 context, or \s-1NULL\s0 on failure.
+provider side KDF context, or NULL on failure.
.PP
\&\fBOSSL_FUNC_kdf_derive()\fR, \fBOSSL_FUNC_kdf_get_params()\fR,
\&\fBOSSL_FUNC_kdf_get_ctx_params()\fR and \fBOSSL_FUNC_kdf_set_ctx_params()\fR should return 1 for
success or 0 on error.
.PP
\&\fBOSSL_FUNC_kdf_gettable_params()\fR, \fBOSSL_FUNC_kdf_gettable_ctx_params()\fR and
-\&\fBOSSL_FUNC_kdf_settable_ctx_params()\fR should return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
-array, or \s-1NULL\s0 if none is offered.
-.SH "NOTES"
+\&\fBOSSL_FUNC_kdf_settable_ctx_params()\fR should return a constant \fBOSSL_PARAM\fR\|(3)
+array, or NULL if none is offered.
+.SH NOTES
.IX Header "NOTES"
-The \s-1KDF\s0 life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). Providers should
+The KDF life-cycle is described in \fBlife_cycle\-kdf\fR\|(7). Providers should
ensure that the various transitions listed there are supported. At some point
-the \s-1EVP\s0 layer will begin enforcing the listed transitions.
+the EVP layer will begin enforcing the listed transitions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \fBlife_cycle\-kdf\fR\|(7), \s-1\fBEVP_KDF\s0\fR\|(3).
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBlife_cycle\-kdf\fR\|(7), \fBEVP_KDF\fR\|(3).
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1KDF\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider KDF interface was introduced in OpenSSL 3.0.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-kem.7 b/secure/lib/libcrypto/man/man7/provider-kem.7
index 2a93622f1508..74523f30b077 100644
--- a/secure/lib/libcrypto/man/man7/provider-kem.7
+++ b/secure/lib/libcrypto/man/man7/provider-kem.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-KEM 7ossl"
-.TH PROVIDER-KEM 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-KEM 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-kem \- The kem library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -156,13 +80,19 @@ provider\-kem \- The kem library <\-> provider functions
\& void *OSSL_FUNC_kem_dupctx(void *ctx);
\&
\& /* Encapsulation */
-\& int OSSL_FUNC_kem_encapsulate_init(void *ctx, void *provkey, const char *name,
+\& int OSSL_FUNC_kem_encapsulate_init(void *ctx, void *provkey,
\& const OSSL_PARAM params[]);
+\& int OSSL_FUNC_kem_auth_encapsulate_init(void *ctx, void *provkey,
+\& void *provauthkey,
+\& const OSSL_PARAM params[]);
\& int OSSL_FUNC_kem_encapsulate(void *ctx, unsigned char *out, size_t *outlen,
\& unsigned char *secret, size_t *secretlen);
\&
\& /* Decapsulation */
-\& int OSSL_FUNC_kem_decapsulate_init(void *ctx, void *provkey, const char *name);
+\& int OSSL_FUNC_kem_decapsulate_init(void *ctx, void *provkey);
+\& int OSSL_FUNC_kem_auth_decapsulate_init(void *ctx, void *provkey,
+\& void *provauthkey,
+\& const OSSL_PARAM params[]);
\& int OSSL_FUNC_kem_decapsulate(void *ctx, unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
\&
@@ -172,27 +102,27 @@ provider\-kem \- The kem library <\-> provider functions
\& int OSSL_FUNC_kem_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
\& const OSSL_PARAM *OSSL_FUNC_kem_settable_ctx_params(void *ctx, void *provctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The asymmetric kem (\s-1OSSL_OP_KEM\s0) operation enables providers to
+The asymmetric kem (OSSL_OP_KEM) operation enables providers to
implement asymmetric kem algorithms and make them available to applications
-via the \s-1API\s0 functions \fBEVP_PKEY_encapsulate\fR\|(3),
+via the API functions \fBEVP_PKEY_encapsulate\fR\|(3),
\&\fBEVP_PKEY_decapsulate\fR\|(3) and other related functions.
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_kem_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_kem_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_kem_newctx_fn)(void *provctx);
@@ -200,24 +130,26 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_kem_newctx()\fR has these:
\& OSSL_FUNC_kem_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
-\& OSSL_FUNC_kem_newctx OSSL_FUNC_KEM_NEWCTX
-\& OSSL_FUNC_kem_freectx OSSL_FUNC_KEM_FREECTX
-\& OSSL_FUNC_kem_dupctx OSSL_FUNC_KEM_DUPCTX
+\& OSSL_FUNC_kem_newctx OSSL_FUNC_KEM_NEWCTX
+\& OSSL_FUNC_kem_freectx OSSL_FUNC_KEM_FREECTX
+\& OSSL_FUNC_kem_dupctx OSSL_FUNC_KEM_DUPCTX
\&
-\& OSSL_FUNC_kem_encapsulate_init OSSL_FUNC_KEM_ENCAPSULATE_INIT
-\& OSSL_FUNC_kem_encapsulate OSSL_FUNC_KEM_ENCAPSULATE
+\& OSSL_FUNC_kem_encapsulate_init OSSL_FUNC_KEM_ENCAPSULATE_INIT
+\& OSSL_FUNC_kem_auth_encapsulate_init OSSL_FUNC_KEM_AUTH_ENCAPSULATE_INIT
+\& OSSL_FUNC_kem_encapsulate OSSL_FUNC_KEM_ENCAPSULATE
\&
-\& OSSL_FUNC_kem_decapsulate_init OSSL_FUNC_KEM_DECAPSULATE_INIT
-\& OSSL_FUNC_kem_decapsulate OSSL_FUNC_KEM_DECAPSULATE
+\& OSSL_FUNC_kem_decapsulate_init OSSL_FUNC_KEM_DECAPSULATE_INIT
+\& OSSL_FUNC_kem_auth_decapsulate_init OSSL_FUNC_KEM_AUTH_DECAPSULATE_INIT
+\& OSSL_FUNC_kem_decapsulate OSSL_FUNC_KEM_DECAPSULATE
\&
-\& OSSL_FUNC_kem_get_ctx_params OSSL_FUNC_KEM_GET_CTX_PARAMS
-\& OSSL_FUNC_kem_gettable_ctx_params OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS
-\& OSSL_FUNC_kem_set_ctx_params OSSL_FUNC_KEM_SET_CTX_PARAMS
-\& OSSL_FUNC_kem_settable_ctx_params OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS
+\& OSSL_FUNC_kem_get_ctx_params OSSL_FUNC_KEM_GET_CTX_PARAMS
+\& OSSL_FUNC_kem_gettable_ctx_params OSSL_FUNC_KEM_GETTABLE_CTX_PARAMS
+\& OSSL_FUNC_kem_set_ctx_params OSSL_FUNC_KEM_SET_CTX_PARAMS
+\& OSSL_FUNC_kem_settable_ctx_params OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS
.Ve
.PP
An asymmetric kem algorithm implementation may not implement all of these
@@ -227,13 +159,15 @@ OSSL_FUNC_kem_newctx and OSSL_FUNC_kem_freectx.
It must also implement both of OSSL_FUNC_kem_encapsulate_init and
OSSL_FUNC_kem_encapsulate, or both of OSSL_FUNC_kem_decapsulate_init and
OSSL_FUNC_kem_decapsulate.
+OSSL_FUNC_kem_auth_encapsulate_init is optional but if it is present then so
+must OSSL_FUNC_kem_auth_decapsulate_init.
OSSL_FUNC_kem_get_ctx_params is optional but if it is present then so must
OSSL_FUNC_kem_gettable_ctx_params.
Similarly, OSSL_FUNC_kem_set_ctx_params is optional but if it is present then
-so must OSSL_FUNC_kem_settable_ctx_params.
+OSSL_FUNC_kem_settable_ctx_params must also be present.
.PP
An asymmetric kem algorithm must also implement some mechanism for generating,
-loading or importing keys via the key management (\s-1OSSL_OP_KEYMGMT\s0) operation.
+loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
See \fBprovider\-keymgmt\fR\|(7) for further details.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
@@ -256,23 +190,27 @@ context in the \fIctx\fR parameter and return the duplicate copy.
encapsulation given a provider side asymmetric kem context in the \fIctx\fR
parameter, a pointer to a provider key object in the \fIprovkey\fR parameter and
the \fIname\fR of the algorithm.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_kem_set_ctx_params()\fR.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
\&\fBprovider\-keymgmt\fR\|(7)>.
.PP
+\&\fBOSSL_FUNC_kem_auth_encapsulate_init()\fR is similar to
+\&\fBOSSL_FUNC_kem_encapsulate_init()\fR, but also passes an additional authentication
+key \fIprovauthkey\fR which cannot be NULL.
+.PP
\&\fBOSSL_FUNC_kem_encapsulate()\fR performs the actual encapsulation itself.
A previously initialised asymmetric kem context is passed in the \fIctx\fR
parameter.
-Unless \fIout\fR is \s-1NULL,\s0 the data to be encapsulated is internally generated,
+Unless \fIout\fR is NULL, the data to be encapsulated is internally generated,
and returned into the buffer pointed to by the \fIsecret\fR parameter and the
encapsulated data should also be written to the location pointed to by the
\&\fIout\fR parameter. The length of the encapsulated data should be written to
\&\fI*outlen\fR and the length of the generated secret should be written to
\&\fI*secretlen\fR.
.PP
-If \fIout\fR is \s-1NULL\s0 then the maximum length of the encapsulated data should be
+If \fIout\fR is NULL then the maximum length of the encapsulated data should be
written to \fI*outlen\fR, and the maximum length of the generated secret should be
written to \fI*secretlen\fR.
.SS "Decapsulation Functions"
@@ -282,58 +220,85 @@ decapsulation given a provider side asymmetric kem context in the \fIctx\fR
parameter, a pointer to a provider key object in the \fIprovkey\fR parameter, and
a \fIname\fR of the algorithm.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
\&\fBprovider\-keymgmt\fR\|(7)>.
.PP
+\&\fBOSSL_FUNC_kem_auth_decapsulate_init()\fR is similar to
+\&\fBOSSL_FUNC_kem_decapsulate_init()\fR, but also passes an additional authentication
+key \fIprovauthkey\fR which cannot be NULL.
+.PP
\&\fBOSSL_FUNC_kem_decapsulate()\fR performs the actual decapsulation itself.
A previously initialised asymmetric kem context is passed in the \fIctx\fR
parameter.
The data to be decapsulated is pointed to by the \fIin\fR parameter which is \fIinlen\fR
bytes long.
-Unless \fIout\fR is \s-1NULL,\s0 the decapsulated data should be written to the location
+Unless \fIout\fR is NULL, the decapsulated data should be written to the location
pointed to by the \fIout\fR parameter.
The length of the decapsulated data should be written to \fI*outlen\fR.
-If \fIout\fR is \s-1NULL\s0 then the maximum length of the decapsulated data should be
+If \fIout\fR is NULL then the maximum length of the decapsulated data should be
written to \fI*outlen\fR.
.SS "Asymmetric Key Encapsulation Parameters"
.IX Subsection "Asymmetric Key Encapsulation Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
the \fBOSSL_FUNC_kem_get_ctx_params()\fR and \fBOSSL_FUNC_kem_set_ctx_params()\fR
functions.
.PP
-\&\fBOSSL_FUNC_kem_get_ctx_params()\fR gets asymmetric kem parameters associated
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_KEM_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling either \fBOSSL_FUNC_kem_encapsulate()\fR or
+\&\fBOSSL_FUNC_kem_decapsulate()\fR. It may return 0 if the "key-check" is set to 0.
+.IP """key-check"" (\fBOSSL_KEM_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_KEM_PARAM_FIPS_KEY_CHECK) <integer>"
+If required this parameter should be set using \fBOSSL_FUNC_kem_encapsulate_init()\fR
+or \fBOSSL_FUNC_kem_decapsulate_init()\fR.
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SS "Asymmetric Key Encapsulation Parameter Functions"
+.IX Subsection "Asymmetric Key Encapsulation Parameter Functions"
+\&\fBOSSL_FUNC_kem_get_ctx_params()\fR gets asymmetric KEM parameters associated
with the given provider side asymmetric kem context \fIctx\fR and stores them in
\&\fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
-\&\fBOSSL_FUNC_kem_set_ctx_params()\fR sets the asymmetric kem parameters associated
+\&\fBOSSL_FUNC_kem_set_ctx_params()\fR sets the asymmetric KEM parameters associated
with the given provider side asymmetric kem context \fIctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
No parameters are currently recognised by built-in asymmetric kem algorithms.
.PP
\&\fBOSSL_FUNC_kem_gettable_ctx_params()\fR and \fBOSSL_FUNC_kem_settable_ctx_params()\fR
-get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the gettable and settable
+get a constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and settable
parameters, i.e. parameters that can be used with \fBOSSL_FUNC_kem_get_ctx_params()\fR
and \fBOSSL_FUNC_kem_set_ctx_params()\fR respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_kem_newctx()\fR and \fBOSSL_FUNC_kem_dupctx()\fR should return the newly
-created provider side asymmetric kem context, or \s-1NULL\s0 on failure.
+created provider side asymmetric kem context, or NULL on failure.
.PP
All other functions should return 1 for success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1KEM\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider KEM interface was introduced in OpenSSL 3.0.
+.PP
+\&\fBOSSL_FUNC_kem_auth_encapsulate_init()\fR and \fBOSSL_FUNC_kem_auth_decapsulate_init()\fR
+were added in OpenSSL 3.2.
+.PP
+The Asymmetric Key Encapsulation Parameters "fips-indicator" and "key-check"
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-keyexch.7 b/secure/lib/libcrypto/man/man7/provider-keyexch.7
index 0c9acd85eefd..eeb7f84852c0 100644
--- a/secure/lib/libcrypto/man/man7/provider-keyexch.7
+++ b/secure/lib/libcrypto/man/man7/provider-keyexch.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-KEYEXCH 7ossl"
-.TH PROVIDER-KEYEXCH 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-KEYEXCH 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-keyexch \- The keyexch library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -170,27 +94,27 @@ provider\-keyexch \- The keyexch library <\-> provider functions
\& const OSSL_PARAM *OSSL_FUNC_keyexch_gettable_ctx_params(void *ctx,
\& void *provctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The key exchange (\s-1OSSL_OP_KEYEXCH\s0) operation enables providers to implement key
+The key exchange (OSSL_OP_KEYEXCH) operation enables providers to implement key
exchange algorithms and make them available to applications via
\&\fBEVP_PKEY_derive\fR\|(3) and
other related functions).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_keyexch_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_keyexch_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_keyexch_newctx_fn)(void *provctx);
@@ -198,7 +122,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_keyexch_newctx()\fR has these:
\& OSSL_FUNC_keyexch_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
@@ -222,7 +146,7 @@ OSSL_FUNC_keyexch_newctx, OSSL_FUNC_keyexch_freectx, OSSL_FUNC_keyexch_init and
All other functions are optional.
.PP
A key exchange algorithm must also implement some mechanism for generating,
-loading or importing keys via the key management (\s-1OSSL_OP_KEYMGMT\s0) operation.
+loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
See \fBprovider\-keymgmt\fR\|(7) for further details.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
@@ -244,18 +168,18 @@ the \fIctx\fR parameter and return the duplicate copy.
\&\fBOSSL_FUNC_keyexch_init()\fR initialises a key exchange operation given a provider side key
exchange context in the \fIctx\fR parameter, and a pointer to a provider key object
in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_keyexch_set_params()\fR.
The key object should have been previously
generated, loaded or imported into the provider using the key management
-(\s-1OSSL_OP_KEYMGMT\s0) operation (see \fBprovider\-keymgmt\fR\|(7)>.
+(OSSL_OP_KEYMGMT) operation (see \fBprovider\-keymgmt\fR\|(7)>.
.PP
\&\fBOSSL_FUNC_keyexch_set_peer()\fR is called to supply the peer's public key (in the
\&\fIprovkey\fR parameter) to be used when deriving the shared secret.
It is also passed a previously initialised key exchange context in the \fIctx\fR
parameter.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
\&\fBprovider\-keymgmt\fR\|(7)>.
.PP
\&\fBOSSL_FUNC_keyexch_derive()\fR performs the actual key exchange itself by deriving a shared
@@ -265,27 +189,27 @@ parameter.
The derived secret should be written to the location \fIsecret\fR which should not
exceed \fIoutlen\fR bytes.
The length of the shared secret should be written to \fI*secretlen\fR.
-If \fIsecret\fR is \s-1NULL\s0 then the maximum length of the shared secret should be
+If \fIsecret\fR is NULL then the maximum length of the shared secret should be
written to \fI*secretlen\fR.
.SS "Key Exchange Parameters Functions"
.IX Subsection "Key Exchange Parameters Functions"
\&\fBOSSL_FUNC_keyexch_set_ctx_params()\fR sets key exchange parameters associated with the
given provider side key exchange context \fIctx\fR to \fIparams\fR,
-see \*(L"Common Key Exchange parameters\*(R".
+see "Common Key Exchange parameters".
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_keyexch_get_ctx_params()\fR gets key exchange parameters associated with the
given provider side key exchange context \fIctx\fR into \fIparams\fR,
-see \*(L"Common Key Exchange parameters\*(R".
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+see "Common Key Exchange parameters".
+Passing NULL for \fIparams\fR should return true.
.PP
-\&\fBOSSL_FUNC_keyexch_settable_ctx_params()\fR yields a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that
+\&\fBOSSL_FUNC_keyexch_settable_ctx_params()\fR yields a constant \fBOSSL_PARAM\fR\|(3) array that
describes the settable parameters, i.e. parameters that can be used with
\&\fBOP_signature_set_ctx_params()\fR.
If \fBOSSL_FUNC_keyexch_settable_ctx_params()\fR is present, \fBOSSL_FUNC_keyexch_set_ctx_params()\fR must
also be present, and vice versa.
-Similarly, \fBOSSL_FUNC_keyexch_gettable_ctx_params()\fR yields a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+Similarly, \fBOSSL_FUNC_keyexch_gettable_ctx_params()\fR yields a constant \fBOSSL_PARAM\fR\|(3)
array that describes the gettable parameters, i.e. parameters that can be
handled by \fBOP_signature_get_ctx_params()\fR.
If \fBOSSL_FUNC_keyexch_gettable_ctx_params()\fR is present, \fBOSSL_FUNC_keyexch_get_ctx_params()\fR must
@@ -294,68 +218,88 @@ also be present, and vice versa.
Notice that not all settable parameters are also gettable, and vice versa.
.SS "Common Key Exchange parameters"
.IX Subsection "Common Key Exchange parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
the \fBOSSL_FUNC_keyexch_set_ctx_params()\fR and \fBOSSL_FUNC_keyexch_get_ctx_params()\fR functions.
.PP
Common parameters currently recognised by built-in key exchange algorithms are
as follows.
-.ie n .IP """kdf-type"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-type'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-type (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>"
+.IP """kdf-type"" (\fBOSSL_EXCHANGE_PARAM_KDF_TYPE\fR) <UTF8 string>" 4
+.IX Item """kdf-type"" (OSSL_EXCHANGE_PARAM_KDF_TYPE) <UTF8 string>"
Sets or gets the Key Derivation Function type to apply within the associated key
exchange ctx.
-.ie n .IP """kdf-digest"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-digest'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-digest (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>"
+.IP """kdf-digest"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST\fR) <UTF8 string>" 4
+.IX Item """kdf-digest"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST) <UTF8 string>"
Sets or gets the Digest algorithm to be used as part of the Key Derivation Function
associated with the given key exchange ctx.
-.ie n .IP """kdf-digest-props"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``kdf-digest-props'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "kdf-digest-props (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>"
+.IP """kdf-digest-props"" (\fBOSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS\fR) <UTF8 string>" 4
+.IX Item """kdf-digest-props"" (OSSL_EXCHANGE_PARAM_KDF_DIGEST_PROPS) <UTF8 string>"
Sets properties to be used upon look up of the implementation for the selected
Digest algorithm for the Key Derivation Function associated with the given key
exchange ctx.
-.ie n .IP """kdf-outlen"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_OUTLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``kdf-outlen'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_OUTLEN\s0\fR) <unsigned integer>" 4
-.IX Item "kdf-outlen (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>"
+.IP """kdf-outlen"" (\fBOSSL_EXCHANGE_PARAM_KDF_OUTLEN\fR) <unsigned integer>" 4
+.IX Item """kdf-outlen"" (OSSL_EXCHANGE_PARAM_KDF_OUTLEN) <unsigned integer>"
Sets or gets the desired size for the output of the chosen Key Derivation Function
associated with the given key exchange ctx.
-The length of the \*(L"kdf-outlen\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """kdf-ukm"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string>" 4
-.el .IP "``kdf-ukm'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string>" 4
-.IX Item "kdf-ukm (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>"
+The length of the "kdf-outlen" parameter should not exceed that of a \fBsize_t\fR.
+.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string>" 4
+.IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string>"
Sets the User Key Material to be used as part of the selected Key Derivation
Function associated with the given key exchange ctx.
-.ie n .IP """kdf-ukm"" (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string ptr>" 4
-.el .IP "``kdf-ukm'' (\fB\s-1OSSL_EXCHANGE_PARAM_KDF_UKM\s0\fR) <octet string ptr>" 4
-.IX Item "kdf-ukm (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string ptr>"
+.IP """kdf-ukm"" (\fBOSSL_EXCHANGE_PARAM_KDF_UKM\fR) <octet string ptr>" 4
+.IX Item """kdf-ukm"" (OSSL_EXCHANGE_PARAM_KDF_UKM) <octet string ptr>"
Gets a pointer to the User Key Material to be used as part of the selected
Key Derivation Function associated with the given key exchange ctx. Providers
usually do not need to support this gettable parameter as its sole purpose
is to support functionality of the deprecated \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm()\fR
and \fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR functions.
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_EXCHANGE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling \fBOSSL_FUNC_keyexch_derive()\fR. It may
+return 0 if either the "digest-check" or the "key-check" are set to 0.
+.IP """key-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_EXCHANGE_PARAM_FIPS_KEY_CHECK) <integer>"
+If required this parameter should be set using \fBOSSL_FUNC_keyexch_init()\fR.
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.IP """digest-check"" (\fBOSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_EXCHANGE_PARAM_FIPS_DIGEST_CHECK) <integer>"
+If required this parameter should be set before any optional digest is set.
+The default value of 1 causes an error when the digest is set if the digest is
+not FIPS approved. Setting this to 0 will ignore the error and set the
+approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_keyexch_newctx()\fR and \fBOSSL_FUNC_keyexch_dupctx()\fR should return the newly created
-provider side key exchange context, or \s-1NULL\s0 on failure.
+provider side key exchange context, or NULL on failure.
.PP
\&\fBOSSL_FUNC_keyexch_init()\fR, \fBOSSL_FUNC_keyexch_set_peer()\fR, \fBOSSL_FUNC_keyexch_derive()\fR,
\&\fBOSSL_FUNC_keyexch_set_params()\fR, and \fBOSSL_FUNC_keyexch_get_params()\fR should return 1 for success
or 0 on error.
.PP
\&\fBOSSL_FUNC_keyexch_settable_ctx_params()\fR and \fBOSSL_FUNC_keyexch_gettable_ctx_params()\fR should
-always return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array.
+always return a constant \fBOSSL_PARAM\fR\|(3) array.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1KEYEXCH\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider KEYEXCH interface was introduced in OpenSSL 3.0.
+.PP
+The Key Exchange Parameters "fips-indicator", "key-check" and "digest-check"
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-keymgmt.7 b/secure/lib/libcrypto/man/man7/provider-keymgmt.7
index 56e06deb3e42..030b8d2a6042 100644
--- a/secure/lib/libcrypto/man/man7/provider-keymgmt.7
+++ b/secure/lib/libcrypto/man/man7/provider-keymgmt.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-KEYMGMT 7ossl"
-.TH PROVIDER-KEYMGMT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-KEYMGMT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-keymgmt \- The KEYMGMT library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
@@ -157,14 +81,17 @@ provider\-keymgmt \- The KEYMGMT library <\-> provider functions
\& void *OSSL_FUNC_keymgmt_gen_init(void *provctx, int selection,
\& const OSSL_PARAM params[]);
\& int OSSL_FUNC_keymgmt_gen_set_template(void *genctx, void *template);
+\& int OSSL_FUNC_keymgmt_gen_get_params(void *genctx, OSSL_PARAM params[]);
\& int OSSL_FUNC_keymgmt_gen_set_params(void *genctx, const OSSL_PARAM params[]);
+\& const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_gettable_params(void *genctx,
+\& void *provctx);
\& const OSSL_PARAM *OSSL_FUNC_keymgmt_gen_settable_params(void *genctx,
\& void *provctx);
\& void *OSSL_FUNC_keymgmt_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg);
\& void OSSL_FUNC_keymgmt_gen_cleanup(void *genctx);
\&
\& /* Key loading by object reference, also a constructor */
-\& void *OSSL_FUNC_keymgmt_load(const void *reference, size_t *reference_sz);
+\& void *OSSL_FUNC_keymgmt_load(const void *reference, size_t reference_sz);
\&
\& /* Key object information */
\& int OSSL_FUNC_keymgmt_get_params(void *keydata, OSSL_PARAM params[]);
@@ -183,9 +110,11 @@ provider\-keymgmt \- The KEYMGMT library <\-> provider functions
\& /* Key object import and export functions */
\& int OSSL_FUNC_keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[]);
\& const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types(int selection);
+\& const OSSL_PARAM *OSSL_FUNC_keymgmt_import_types_ex(void *provctx, int selection);
\& int OSSL_FUNC_keymgmt_export(void *keydata, int selection,
\& OSSL_CALLBACK *param_cb, void *cbarg);
\& const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types(int selection);
+\& const OSSL_PARAM *OSSL_FUNC_keymgmt_export_types_ex(void *provctx, int selection);
\&
\& /* Key object duplication, a constructor */
\& void *OSSL_FUNC_keymgmt_dup(const void *keydata_from, int selection);
@@ -193,30 +122,30 @@ provider\-keymgmt \- The KEYMGMT library <\-> provider functions
\& /* Key object validation */
\& int OSSL_FUNC_keymgmt_validate(const void *keydata, int selection, int checktype);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1KEYMGMT\s0 operation doesn't have much public visibility in OpenSSL
+The KEYMGMT operation doesn't have much public visibility in OpenSSL
libraries, it's rather an internal operation that's designed to work
in tandem with operations that use private/public key pairs.
.PP
-Because the \s-1KEYMGMT\s0 operation shares knowledge with the operations it
+Because the KEYMGMT operation shares knowledge with the operations it
works with in tandem, they must belong to the same provider.
The OpenSSL libraries will ensure that they do.
.PP
-The primary responsibility of the \s-1KEYMGMT\s0 operation is to hold the
-provider side key data for the OpenSSL library \s-1EVP_PKEY\s0 structure.
+The primary responsibility of the KEYMGMT operation is to hold the
+provider side key data for the OpenSSL library EVP_PKEY structure.
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from a \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from a \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_keymgmt_new()\fR has these:
+For example, the "function" \fBOSSL_FUNC_keymgmt_new()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_keymgmt_new_fn)(void *provctx);
@@ -224,7 +153,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_keymgmt_new()\fR has these:
\& OSSL_FUNC_keymgmt_new(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 2
@@ -233,6 +162,8 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
\&
\& OSSL_FUNC_keymgmt_gen_init OSSL_FUNC_KEYMGMT_GEN_INIT
\& OSSL_FUNC_keymgmt_gen_set_template OSSL_FUNC_KEYMGMT_GEN_SET_TEMPLATE
+\& OSSL_FUNC_keymgmt_gen_get_params OSSL_FUNC_KEYMGMT_GEN_GET_PARAMS
+\& OSSL_FUNC_keymgmt_gen_gettable_params OSSL_FUNC_KEYMGMT_GEN_GETTABLE_PARAMS
\& OSSL_FUNC_keymgmt_gen_set_params OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS
\& OSSL_FUNC_keymgmt_gen_settable_params OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS
\& OSSL_FUNC_keymgmt_gen OSSL_FUNC_KEYMGMT_GEN
@@ -253,8 +184,10 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
\&
\& OSSL_FUNC_keymgmt_import OSSL_FUNC_KEYMGMT_IMPORT
\& OSSL_FUNC_keymgmt_import_types OSSL_FUNC_KEYMGMT_IMPORT_TYPES
+\& OSSL_FUNC_keymgmt_import_types_ex OSSL_FUNC_KEYMGMT_IMPORT_TYPES_EX
\& OSSL_FUNC_keymgmt_export OSSL_FUNC_KEYMGMT_EXPORT
\& OSSL_FUNC_keymgmt_export_types OSSL_FUNC_KEYMGMT_EXPORT_TYPES
+\& OSSL_FUNC_keymgmt_export_types_ex OSSL_FUNC_KEYMGMT_EXPORT_TYPES_EX
\&
\& OSSL_FUNC_keymgmt_dup OSSL_FUNC_KEYMGMT_DUP
.Ve
@@ -266,27 +199,27 @@ represented as \fIkeydata\fR in this manual.
The exact contents of a key object are defined by the provider, and it
is assumed that different operations in one and the same provider use
the exact same structure to represent this collection of data, so that
-for example, a key object that has been created using the \s-1KEYMGMT\s0
+for example, a key object that has been created using the KEYMGMT
interface that we document here can be passed as is to other provider
operations, such as \fBOP_signature_sign_init()\fR (see
\&\fBprovider\-signature\fR\|(7)).
.PP
-With some of the \s-1KEYMGMT\s0 functions, it's possible to select a specific
+With some of the KEYMGMT functions, it's possible to select a specific
subset of data to handle, governed by the bits in a \fIselection\fR
indicator. The bits are:
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_PRIVATE_KEY\s0\fR" 4
+.IP \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_PRIVATE_KEY"
Indicating that the private key data in a key object should be
considered.
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_PUBLIC_KEY\s0\fR" 4
+.IP \fBOSSL_KEYMGMT_SELECT_PUBLIC_KEY\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_PUBLIC_KEY"
Indicating that the public key data in a key object should be
considered.
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\s0\fR" 4
+.IP \fBOSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS"
Indicating that the domain parameters in a key object should be
considered.
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS\s0\fR" 4
+.IP \fBOSSL_KEYMGMT_SELECT_OTHER_PARAMETERS\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS"
Indicating that other parameters in a key object should be
considered.
@@ -296,21 +229,21 @@ classification. In other words, this particular selector bit works as
a last resort bit bucket selector.
.PP
Some selector bits have also been combined for easier use:
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_ALL_PARAMETERS\s0\fR" 4
+.IP \fBOSSL_KEYMGMT_SELECT_ALL_PARAMETERS\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_ALL_PARAMETERS"
Indicating that all key object parameters should be considered,
regardless of their more granular classification.
.Sp
-This is a combination of \fB\s-1OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\s0\fR and
-\&\fB\s-1OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS\s0\fR.
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_KEYPAIR\s0\fR" 4
+This is a combination of \fBOSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\fR and
+\&\fBOSSL_KEYMGMT_SELECT_OTHER_PARAMETERS\fR.
+.IP \fBOSSL_KEYMGMT_SELECT_KEYPAIR\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_KEYPAIR"
Indicating that both the whole key pair in a key object should be
considered, i.e. the combination of public and private key.
.Sp
-This is a combination of \fB\s-1OSSL_KEYMGMT_SELECT_PRIVATE_KEY\s0\fR and
-\&\fB\s-1OSSL_KEYMGMT_SELECT_PUBLIC_KEY\s0\fR.
-.IP "\fB\s-1OSSL_KEYMGMT_SELECT_ALL\s0\fR" 4
+This is a combination of \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR and
+\&\fBOSSL_KEYMGMT_SELECT_PUBLIC_KEY\fR.
+.IP \fBOSSL_KEYMGMT_SELECT_ALL\fR 4
.IX Item "OSSL_KEYMGMT_SELECT_ALL"
Indicating that everything in a key object should be considered.
.PP
@@ -331,6 +264,7 @@ key object, but that is not mandatory.
\&\fBOSSL_FUNC_keymgmt_free()\fR should free the passed \fIkeydata\fR.
.PP
\&\fBOSSL_FUNC_keymgmt_gen_init()\fR, \fBOSSL_FUNC_keymgmt_gen_set_template()\fR,
+\&\fBOSSL_FUNC_keymgmt_gen_get_params()\fR, \fBOSSL_FUNC_keymgmt_gen_gettable_params()\fR,
\&\fBOSSL_FUNC_keymgmt_gen_set_params()\fR, \fBOSSL_FUNC_keymgmt_gen_settable_params()\fR,
\&\fBOSSL_FUNC_keymgmt_gen()\fR and \fBOSSL_FUNC_keymgmt_gen_cleanup()\fR work together as a
more elaborate context based key object constructor.
@@ -338,21 +272,28 @@ more elaborate context based key object constructor.
\&\fBOSSL_FUNC_keymgmt_gen_init()\fR should create the key object generation context
and initialize it with \fIselections\fR, which will determine what kind
of contents the key object to be generated should get.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_keymgmt_set_params()\fR.
.PP
\&\fBOSSL_FUNC_keymgmt_gen_set_template()\fR should add \fItemplate\fR to the context
\&\fIgenctx\fR. The \fItemplate\fR is assumed to be a key object constructed
-with the same \s-1KEYMGMT,\s0 and from which content that the implementation
+with the same KEYMGMT, and from which content that the implementation
chooses can be used as a template for the key object to be generated.
-Typically, the generation of a \s-1DSA\s0 or \s-1DH\s0 key would get the domain
+Typically, the generation of a DSA or DH key would get the domain
parameters from this \fItemplate\fR.
.PP
+\&\fBOSSL_FUNC_keymgmt_gen_get_params()\fR should retrieve parameters into
+\&\fIparams\fR in the key object generation context \fIgenctx\fR.
+.PP
+\&\fBOSSL_FUNC_keymgmt_gen_gettable_params()\fR should return a constant array of
+descriptor \fBOSSL_PARAM\fR\|(3), for parameters that
+\&\fBOSSL_FUNC_keymgmt_gen_get_params()\fR can handle.
+.PP
\&\fBOSSL_FUNC_keymgmt_gen_set_params()\fR should set additional parameters from
\&\fIparams\fR in the key object generation context \fIgenctx\fR.
.PP
\&\fBOSSL_FUNC_keymgmt_gen_settable_params()\fR should return a constant array of
-descriptor \s-1\fBOSSL_PARAM\s0\fR\|(3), for parameters that \fBOSSL_FUNC_keymgmt_gen_set_params()\fR
+descriptor \fBOSSL_PARAM\fR\|(3), for parameters that \fBOSSL_FUNC_keymgmt_gen_set_params()\fR
can handle.
.PP
\&\fBOSSL_FUNC_keymgmt_gen()\fR should perform the key object generation itself, and
@@ -376,20 +317,20 @@ present as well.
.SS "Key Object Information Functions"
.IX Subsection "Key Object Information Functions"
\&\fBOSSL_FUNC_keymgmt_get_params()\fR should extract information data associated
-with the given \fIkeydata\fR, see \*(L"Common Information Parameters\*(R".
+with the given \fIkeydata\fR, see "Common Information Parameters".
.PP
\&\fBOSSL_FUNC_keymgmt_gettable_params()\fR should return a constant array of
-descriptor \s-1\fBOSSL_PARAM\s0\fR\|(3), for parameters that \fBOSSL_FUNC_keymgmt_get_params()\fR
+descriptor \fBOSSL_PARAM\fR\|(3), for parameters that \fBOSSL_FUNC_keymgmt_get_params()\fR
can handle.
.PP
If \fBOSSL_FUNC_keymgmt_gettable_params()\fR is present, \fBOSSL_FUNC_keymgmt_get_params()\fR
must also be present, and vice versa.
.PP
\&\fBOSSL_FUNC_keymgmt_set_params()\fR should update information data associated
-with the given \fIkeydata\fR, see \*(L"Common Information Parameters\*(R".
+with the given \fIkeydata\fR, see "Common Information Parameters".
.PP
\&\fBOSSL_FUNC_keymgmt_settable_params()\fR should return a constant array of
-descriptor \s-1\fBOSSL_PARAM\s0\fR\|(3), for parameters that \fBOSSL_FUNC_keymgmt_set_params()\fR
+descriptor \fBOSSL_PARAM\fR\|(3), for parameters that \fBOSSL_FUNC_keymgmt_set_params()\fR
can handle.
.PP
If \fBOSSL_FUNC_keymgmt_settable_params()\fR is present, \fBOSSL_FUNC_keymgmt_set_params()\fR
@@ -400,7 +341,7 @@ must also be present, and vice versa.
supported algorithm for the operation \fIoperation_id\fR. This is
similar to \fBprovider_query_operation()\fR (see \fBprovider\-base\fR\|(7)),
but only works as an advisory. If this function is not present, or
-returns \s-1NULL,\s0 the caller is free to assume that there's an algorithm
+returns NULL, the caller is free to assume that there's an algorithm
from the same provider, of the same name as the one used to fetch the
keymgmt and try to use that.
.PP
@@ -409,24 +350,24 @@ of data indicated by the \fIselector\fR. A combination of several
selector bits must consider all those subsets, not just one. An
implementation is, however, free to consider an empty subset of data
to still be a valid subset. For algorithms where some selection is
-not meaningful such as \fB\s-1OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\s0\fR for
-\&\s-1RSA\s0 keys the function should just return 1 as the selected subset
+not meaningful such as \fBOSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\fR for
+RSA keys the function should just return 1 as the selected subset
is not really missing in the key.
.PP
\&\fBOSSL_FUNC_keymgmt_validate()\fR should check if the \fIkeydata\fR contains valid
data subsets indicated by \fIselection\fR. Some combined selections of
data subsets may cause validation of the combined data.
-For example, the combination of \fB\s-1OSSL_KEYMGMT_SELECT_PRIVATE_KEY\s0\fR and
-\&\fB\s-1OSSL_KEYMGMT_SELECT_PUBLIC_KEY\s0\fR (or \fB\s-1OSSL_KEYMGMT_SELECT_KEYPAIR\s0\fR
+For example, the combination of \fBOSSL_KEYMGMT_SELECT_PRIVATE_KEY\fR and
+\&\fBOSSL_KEYMGMT_SELECT_PUBLIC_KEY\fR (or \fBOSSL_KEYMGMT_SELECT_KEYPAIR\fR
for short) is expected to check that the pairwise consistency of
\&\fIkeydata\fR is valid. The \fIchecktype\fR parameter controls what type of check is
performed on the subset of data. Two types of check are defined:
-\&\fB\s-1OSSL_KEYMGMT_VALIDATE_FULL_CHECK\s0\fR and \fB\s-1OSSL_KEYMGMT_VALIDATE_QUICK_CHECK\s0\fR.
+\&\fBOSSL_KEYMGMT_VALIDATE_FULL_CHECK\fR and \fBOSSL_KEYMGMT_VALIDATE_QUICK_CHECK\fR.
The interpretation of how much checking is performed in a full check versus a
quick check is key type specific. Some providers may have no distinction
between a full check and a quick check. For algorithms where some selection is
-not meaningful such as \fB\s-1OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\s0\fR for
-\&\s-1RSA\s0 keys the function should just return 1 as there is nothing to validate for
+not meaningful such as \fBOSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS\fR for
+RSA keys the function should just return 1 as there is nothing to validate for
that selection.
.PP
\&\fBOSSL_FUNC_keymgmt_match()\fR should check if the data subset indicated by
@@ -436,56 +377,67 @@ by the implementation of this function.
.SS "Key Object Import, Export and Duplication Functions"
.IX Subsection "Key Object Import, Export and Duplication Functions"
\&\fBOSSL_FUNC_keymgmt_import()\fR should import data indicated by \fIselection\fR into
-\&\fIkeydata\fR with values taken from the \s-1\fBOSSL_PARAM\s0\fR\|(3) array \fIparams\fR.
+\&\fIkeydata\fR with values taken from the \fBOSSL_PARAM\fR\|(3) array \fIparams\fR.
.PP
\&\fBOSSL_FUNC_keymgmt_export()\fR should extract values indicated by \fIselection\fR
-from \fIkeydata\fR, create an \s-1\fBOSSL_PARAM\s0\fR\|(3) array with them and call
+from \fIkeydata\fR, create an \fBOSSL_PARAM\fR\|(3) array with them and call
\&\fIparam_cb\fR with that array as well as the given \fIcbarg\fR.
.PP
-\&\fBOSSL_FUNC_keymgmt_import_types()\fR should return a constant array of descriptor
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) for data indicated by \fIselection\fR, for parameters that
+\&\fBOSSL_FUNC_keymgmt_import_types()\fR and \fBOSSL_FUNC_keymgmt_import_types_ex()\fR
+should return a constant array of descriptor
+\&\fBOSSL_PARAM\fR\|(3) for data indicated by \fIselection\fR, for parameters that
\&\fBOSSL_FUNC_keymgmt_import()\fR can handle.
-.PP
-\&\fBOSSL_FUNC_keymgmt_export_types()\fR should return a constant array of descriptor
-\&\s-1\fBOSSL_PARAM\s0\fR\|(3) for data indicated by \fIselection\fR, that the
+Either \fBOSSL_FUNC_keymgmt_import_types()\fR or \fBOSSL_FUNC_keymgmt_import_types_ex()\fR,
+must be implemented, if \fBOSSL_FUNC_keymgmt_import_types_ex()\fR is implemented, then
+it is preferred over \fBOSSL_FUNC_keymgmt_import_types()\fR.
+Providers that are supposed to be backward compatible with OpenSSL 3.0 or 3.1
+must continue to implement \fBOSSL_FUNC_keymgmt_import_types()\fR.
+.PP
+\&\fBOSSL_FUNC_keymgmt_export_types()\fR and \fBOSSL_FUNC_keymgmt_export_types_ex()\fR
+should return a constant array of descriptor
+\&\fBOSSL_PARAM\fR\|(3) for data indicated by \fIselection\fR, that the
\&\fBOSSL_FUNC_keymgmt_export()\fR callback can expect to receive.
+Either \fBOSSL_FUNC_keymgmt_export_types()\fR or \fBOSSL_FUNC_keymgmt_export_types_ex()\fR,
+must be implemented, if \fBOSSL_FUNC_keymgmt_export_types_ex()\fR is implemented, then
+it is preferred over \fBOSSL_FUNC_keymgmt_export_types()\fR.
+Providers that are supposed to be backward compatible with OpenSSL 3.0 or 3.1
+must continue to implement \fBOSSL_FUNC_keymgmt_export_types()\fR.
.PP
\&\fBOSSL_FUNC_keymgmt_dup()\fR should duplicate data subsets indicated by
\&\fIselection\fR or the whole key data \fIkeydata_from\fR and create a new
provider side key object with the data.
.SS "Common Information Parameters"
.IX Subsection "Common Information Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure.
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure.
.PP
Common information parameters currently recognised by all built-in
keymgmt algorithms are as follows:
-.ie n .IP """bits"" (\fB\s-1OSSL_PKEY_PARAM_BITS\s0\fR) <integer>" 4
-.el .IP "``bits'' (\fB\s-1OSSL_PKEY_PARAM_BITS\s0\fR) <integer>" 4
-.IX Item "bits (OSSL_PKEY_PARAM_BITS) <integer>"
+.IP """bits"" (\fBOSSL_PKEY_PARAM_BITS\fR) <integer>" 4
+.IX Item """bits"" (OSSL_PKEY_PARAM_BITS) <integer>"
The value should be the cryptographic length of the cryptosystem to
which the key belongs, in bits. The definition of cryptographic
length is specific to the key cryptosystem.
-.ie n .IP """max-size"" (\fB\s-1OSSL_PKEY_PARAM_MAX_SIZE\s0\fR) <integer>" 4
-.el .IP "``max-size'' (\fB\s-1OSSL_PKEY_PARAM_MAX_SIZE\s0\fR) <integer>" 4
-.IX Item "max-size (OSSL_PKEY_PARAM_MAX_SIZE) <integer>"
+.IP """max-size"" (\fBOSSL_PKEY_PARAM_MAX_SIZE\fR) <integer>" 4
+.IX Item """max-size"" (OSSL_PKEY_PARAM_MAX_SIZE) <integer>"
The value should be the maximum size that a caller should allocate to
safely store a signature (called \fIsig\fR in \fBprovider\-signature\fR\|(7)),
-the result of asymmmetric encryption / decryption (\fIout\fR in
+the result of asymmetric encryption / decryption (\fIout\fR in
\&\fBprovider\-asym_cipher\fR\|(7), a derived secret (\fIsecret\fR in
\&\fBprovider\-keyexch\fR\|(7), and similar data).
.Sp
-Because an \s-1EVP_KEYMGMT\s0 method is always tightly bound to another method
+Providers need to implement this parameter
+in order to properly support various use cases such as CMS signing.
+.Sp
+Because an EVP_KEYMGMT method is always tightly bound to another method
(signature, asymmetric cipher, key exchange, ...) and must be of the
same provider, this number only needs to be synchronised with the
dimensions handled in the rest of the same provider.
-.ie n .IP """security-bits"" (\fB\s-1OSSL_PKEY_PARAM_SECURITY_BITS\s0\fR) <integer>" 4
-.el .IP "``security-bits'' (\fB\s-1OSSL_PKEY_PARAM_SECURITY_BITS\s0\fR) <integer>" 4
-.IX Item "security-bits (OSSL_PKEY_PARAM_SECURITY_BITS) <integer>"
+.IP """security-bits"" (\fBOSSL_PKEY_PARAM_SECURITY_BITS\fR) <integer>" 4
+.IX Item """security-bits"" (OSSL_PKEY_PARAM_SECURITY_BITS) <integer>"
The value should be the number of security bits of the given key.
-Bits of security is defined in \s-1SP800\-57.\s0
-.ie n .IP """mandatory-digest"" (\fB\s-1OSSL_PKEY_PARAM_MANDATORY_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mandatory-digest'' (\fB\s-1OSSL_PKEY_PARAM_MANDATORY_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mandatory-digest (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>"
+Bits of security is defined in SP800\-57.
+.IP """mandatory-digest"" (\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR) <UTF8 string>" 4
+.IX Item """mandatory-digest"" (OSSL_PKEY_PARAM_MANDATORY_DIGEST) <UTF8 string>"
If there is a mandatory digest for performing a signature operation with
keys from this keymgmt, this parameter should get its name as value.
.Sp
@@ -496,15 +448,14 @@ If the keymgmt implementation fills in the value \f(CW""\fR or \f(CW"UNDEF"\fR,
\&\fBEVP_PKEY_get_default_digest_name\fR\|(3) will place the string \f(CW"UNDEF"\fR into
its argument \fImdname\fR. This signifies that no digest should be specified
with the corresponding signature operation.
-.ie n .IP """default-digest"" (\fB\s-1OSSL_PKEY_PARAM_DEFAULT_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``default-digest'' (\fB\s-1OSSL_PKEY_PARAM_DEFAULT_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "default-digest (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>"
+.IP """default-digest"" (\fBOSSL_PKEY_PARAM_DEFAULT_DIGEST\fR) <UTF8 string>" 4
+.IX Item """default-digest"" (OSSL_PKEY_PARAM_DEFAULT_DIGEST) <UTF8 string>"
If there is a default digest for performing a signature operation with
keys from this keymgmt, this parameter should get its name as value.
.Sp
When \fBEVP_PKEY_get_default_digest_name\fR\|(3) queries this parameter and it's
filled in by the implementation, its return value will be 1. Note that if
-\&\fB\s-1OSSL_PKEY_PARAM_MANDATORY_DIGEST\s0\fR is responded to as well,
+\&\fBOSSL_PKEY_PARAM_MANDATORY_DIGEST\fR is responded to as well,
\&\fBEVP_PKEY_get_default_digest_name\fR\|(3) ignores the response to this
parameter.
.Sp
@@ -513,10 +464,35 @@ If the keymgmt implementation fills in the value \f(CW""\fR or \f(CW"UNDEF"\fR,
its argument \fImdname\fR. This signifies that no digest has to be specified
with the corresponding signature operation, but may be specified as an
option.
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_PKEY_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling \fBOSSL_FUNC_keymgmt_gen()\fR function. It may
+return 0 if either the "key-check", or "sign-check" are set to 0.
+.IP """key-check"" (\fBOSSL_PKEY_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_PKEY_PARAM_FIPS_KEY_CHECK) <integer>"
+If required this parameter should be set using \fBOSSL_FUNC_keymgmt_gen_set_params()\fR
+or \fBOSSL_FUNC_keymgmt_gen_init()\fR.
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits). Setting
+this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.IP """sign-check"" (\fBOSSL_PKEY_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4
+.IX Item """sign-check"" (OSSL_PKEY_PARAM_FIPS_SIGN_CHECK) <integer>"
+If required this parameter should be set before the \fBOSSL_FUNC_keymgmt_gen()\fR
+function. This value is not supported by all keygen algorithms.
+The default value of 1 will cause an error if the generated key is not
+allowed to be used for signing.
+Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_keymgmt_new()\fR and \fBOSSL_FUNC_keymgmt_dup()\fR should return a valid
-reference to the newly created provider side key object, or \s-1NULL\s0 on failure.
+reference to the newly created provider side key object, or NULL on failure.
.PP
\&\fBOSSL_FUNC_keymgmt_import()\fR, \fBOSSL_FUNC_keymgmt_export()\fR, \fBOSSL_FUNC_keymgmt_get_params()\fR and
\&\fBOSSL_FUNC_keymgmt_set_params()\fR should return 1 for success or 0 on error.
@@ -528,27 +504,49 @@ failure.
in the given \fIkeydata\fR or 0 otherwise.
.PP
\&\fBOSSL_FUNC_keymgmt_query_operation_name()\fR should return a pointer to a string matching
-the requested operation, or \s-1NULL\s0 if the same name used to fetch the keymgmt
+the requested operation, or NULL if the same name used to fetch the keymgmt
applies.
.PP
\&\fBOSSL_FUNC_keymgmt_gettable_params()\fR and \fBOSSL_FUNC_keymgmt_settable_params()\fR
-\&\fBOSSL_FUNC_keymgmt_import_types()\fR, \fBOSSL_FUNC_keymgmt_export_types()\fR
+\&\fBOSSL_FUNC_keymgmt_import_types()\fR, \fBOSSL_FUNC_keymgmt_import_types_ex()\fR,
+\&\fBOSSL_FUNC_keymgmt_export_types()\fR, \fBOSSL_FUNC_keymgmt_export_types_ex()\fR
should
-always return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array.
+always return a constant \fBOSSL_PARAM\fR\|(3) array.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
+\&\fBEVP_PKEY_get_size\fR\|(3),
+\&\fBEVP_PKEY_get_bits\fR\|(3),
+\&\fBEVP_PKEY_get_security_bits\fR\|(3),
\&\fBprovider\fR\|(7),
-\&\s-1\fBEVP_PKEY\-X25519\s0\fR\|(7), \s-1\fBEVP_PKEY\-X448\s0\fR\|(7), \s-1\fBEVP_PKEY\-ED25519\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-ED448\s0\fR\|(7), \s-1\fBEVP_PKEY\-EC\s0\fR\|(7), \s-1\fBEVP_PKEY\-RSA\s0\fR\|(7),
-\&\s-1\fBEVP_PKEY\-DSA\s0\fR\|(7), \s-1\fBEVP_PKEY\-DH\s0\fR\|(7)
-.SH "HISTORY"
+\&\fBEVP_PKEY\-X25519\fR\|(7),
+\&\fBEVP_PKEY\-X448\fR\|(7),
+\&\fBEVP_PKEY\-ED25519\fR\|(7),
+\&\fBEVP_PKEY\-ED448\fR\|(7),
+\&\fBEVP_PKEY\-EC\fR\|(7),
+\&\fBEVP_PKEY\-RSA\fR\|(7),
+\&\fBEVP_PKEY\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-DH\fR\|(7),
+\&\fBEVP_PKEY\-ML\-DSA\fR\|(7),
+\&\fBEVP_PKEY\-ML\-KEM\fR\|(7),
+\&\fBEVP_PKEY\-SLH\-DSA\fR\|(7).
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1KEYMGMT\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The KEYMGMT interface was introduced in OpenSSL 3.0.
+.PP
+Functions \fBOSSL_FUNC_keymgmt_import_types_ex()\fR, and \fBOSSL_FUNC_keymgmt_export_types_ex()\fR
+were added with OpenSSL 3.2.
+.PP
+The functions \fBOSSL_FUNC_keymgmt_gen_get_params()\fR and
+\&\fBOSSL_FUNC_keymgmt_gen_gettable_params()\fR were added in OpenSSL 3.4.
+.PP
+The parameters "sign-check" and "fips-indicator" were added in OpenSSL 3.4.
+.PP
+Support for the \fBML-DSA\fR, \fBML-KEM\fR and \fBSLH-DSA\fR algorithms was added in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-mac.7 b/secure/lib/libcrypto/man/man7/provider-mac.7
index be69d8099f4f..d19644bd3601 100644
--- a/secure/lib/libcrypto/man/man7/provider-mac.7
+++ b/secure/lib/libcrypto/man/man7/provider-mac.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-MAC 7ossl"
-.TH PROVIDER-MAC 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-MAC 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-mac \- The mac library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -158,6 +82,7 @@ provider\-mac \- The mac library <\-> provider functions
\& /* Encryption/decryption */
\& int OSSL_FUNC_mac_init(void *mctx, unsigned char *key, size_t keylen,
\& const OSSL_PARAM params[]);
+\& int OSSL_FUNC_mac_init_skey(void *mctx, const void *key, const OSSL_PARAM params[]);
\& int OSSL_FUNC_mac_update(void *mctx, const unsigned char *in, size_t inl);
\& int OSSL_FUNC_mac_final(void *mctx, unsigned char *out, size_t *outl, size_t outsize);
\&
@@ -171,26 +96,26 @@ provider\-mac \- The mac library <\-> provider functions
\& int OSSL_FUNC_mac_get_ctx_params(void *mctx, OSSL_PARAM params[]);
\& int OSSL_FUNC_mac_set_ctx_params(void *mctx, const OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The \s-1MAC\s0 operation enables providers to implement mac algorithms and make
-them available to applications via the \s-1API\s0 functions \fBEVP_MAC_init\fR\|(3),
+The MAC operation enables providers to implement mac algorithms and make
+them available to applications via the API functions \fBEVP_MAC_init\fR\|(3),
\&\fBEVP_MAC_update\fR\|(3) and \fBEVP_MAC_final\fR\|(3).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_mac_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_mac_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_mac_newctx_fn)(void *provctx);
@@ -198,7 +123,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_mac_newctx()\fR has these:
\& OSSL_FUNC_mac_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
@@ -207,6 +132,7 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
\& OSSL_FUNC_mac_dupctx OSSL_FUNC_MAC_DUPCTX
\&
\& OSSL_FUNC_mac_init OSSL_FUNC_MAC_INIT
+\& OSSL_FUNC_mac_init_skey OSSL_FUNC_MAC_INIT_SKEY
\& OSSL_FUNC_mac_update OSSL_FUNC_MAC_UPDATE
\& OSSL_FUNC_mac_final OSSL_FUNC_MAC_FINAL
\&
@@ -221,7 +147,8 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
A mac algorithm implementation may not implement all of these functions.
In order to be a consistent set of functions, at least the following functions
-must be implemented: \fBOSSL_FUNC_mac_newctx()\fR, \fBOSSL_FUNC_mac_freectx()\fR, \fBOSSL_FUNC_mac_init()\fR,
+must be implemented: \fBOSSL_FUNC_mac_newctx()\fR, \fBOSSL_FUNC_mac_freectx()\fR,
+at least one of \fBOSSL_FUNC_mac_init()\fR or \fBOSSL_FUNC_mac_init_skey()\fR,
\&\fBOSSL_FUNC_mac_update()\fR, \fBOSSL_FUNC_mac_final()\fR.
All other functions are optional.
.SS "Context Management Functions"
@@ -235,7 +162,7 @@ initialisation (see \fBprovider\fR\|(7)).
.PP
\&\fBOSSL_FUNC_mac_freectx()\fR is passed a pointer to the provider side mac context in
the \fImctx\fR parameter.
-If it receives \s-1NULL\s0 as \fImctx\fR value, it should not do anything other than
+If it receives NULL as \fImctx\fR value, it should not do anything other than
return.
This function should free any resources associated with that context.
.PP
@@ -245,24 +172,27 @@ This function should free any resources associated with that context.
.IX Subsection "Encryption/Decryption Functions"
\&\fBOSSL_FUNC_mac_init()\fR initialises a mac operation given a newly created provider
side mac context in the \fImctx\fR parameter. The \fIparams\fR are set before setting
-the \s-1MAC\s0 \fIkey\fR of \fIkeylen\fR bytes.
+the MAC \fIkey\fR of \fIkeylen\fR bytes.
+.PP
+\&\fBOSSL_FUNC_mac_init_skey()\fR is similar but uses an opaque provider-specific object
+to initialize the MAC context.
.PP
-\&\fBOSSL_FUNC_mac_update()\fR is called to supply data for \s-1MAC\s0 computation of a previously
+\&\fBOSSL_FUNC_mac_update()\fR is called to supply data for MAC computation of a previously
initialised mac operation.
The \fImctx\fR parameter contains a pointer to a previously initialised provider
side context.
\&\fBOSSL_FUNC_mac_update()\fR may be called multiple times for a single mac operation.
.PP
-\&\fBOSSL_FUNC_mac_final()\fR completes the \s-1MAC\s0 computation started through previous
+\&\fBOSSL_FUNC_mac_final()\fR completes the MAC computation started through previous
\&\fBOSSL_FUNC_mac_init()\fR and \fBOSSL_FUNC_mac_update()\fR calls.
The \fImctx\fR parameter contains a pointer to the provider side context.
-The resulting \s-1MAC\s0 should be written to \fIout\fR and the amount of data written
+The resulting MAC should be written to \fIout\fR and the amount of data written
to \fI*outl\fR, which should not exceed \fIoutsize\fR bytes.
The same expectations apply to \fIoutsize\fR as documented for
\&\fBEVP_MAC_final\fR\|(3).
.SS "Mac Parameters"
.IX Subsection "Mac Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
these functions.
.PP
\&\fBOSSL_FUNC_mac_get_params()\fR gets details of parameter values associated with the
@@ -271,33 +201,32 @@ provider algorithm and stores them in \fIparams\fR.
\&\fBOSSL_FUNC_mac_set_ctx_params()\fR sets mac parameters associated with the given
provider side mac context \fImctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_mac_get_ctx_params()\fR gets details of currently set parameter values
associated with the given provider side mac context \fImctx\fR and stores them
in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_mac_gettable_params()\fR, \fBOSSL_FUNC_mac_gettable_ctx_params()\fR,
-and \fBOSSL_FUNC_mac_settable_ctx_params()\fR all return constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+and \fBOSSL_FUNC_mac_settable_ctx_params()\fR all return constant \fBOSSL_PARAM\fR\|(3)
arrays as descriptors of the parameters that \fBOSSL_FUNC_mac_get_params()\fR,
\&\fBOSSL_FUNC_mac_get_ctx_params()\fR, and \fBOSSL_FUNC_mac_set_ctx_params()\fR
can handle, respectively. \fBOSSL_FUNC_mac_gettable_ctx_params()\fR and
\&\fBOSSL_FUNC_mac_settable_ctx_params()\fR will return the parameters associated
with the provider side context \fImctx\fR in its current state if it is
-not \s-1NULL.\s0 Otherwise, they return the parameters associated with the
+not NULL. Otherwise, they return the parameters associated with the
provider side algorithm \fIprovctx\fR.
.PP
-All \s-1MAC\s0 implementations are expected to handle the following parameters:
+All MAC implementations are expected to handle the following parameters:
.IP "with \fBOSSL_FUNC_set_ctx_params()\fR:" 4
.IX Item "with OSSL_FUNC_set_ctx_params():"
.RS 4
.PD 0
-.ie n .IP """key"" (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.el .IP "``key'' (\fB\s-1OSSL_MAC_PARAM_KEY\s0\fR) <octet string>" 4
-.IX Item "key (OSSL_MAC_PARAM_KEY) <octet string>"
+.IP """key"" (\fBOSSL_MAC_PARAM_KEY\fR) <octet string>" 4
+.IX Item """key"" (OSSL_MAC_PARAM_KEY) <octet string>"
.PD
-Sets the key in the associated \s-1MAC\s0 ctx. This is identical to passing a \fIkey\fR
+Sets the key in the associated MAC ctx. This is identical to passing a \fIkey\fR
argument to the \fBOSSL_FUNC_mac_init()\fR function.
.RE
.RS 4
@@ -306,56 +235,81 @@ argument to the \fBOSSL_FUNC_mac_init()\fR function.
.IX Item "with OSSL_FUNC_get_params():"
.RS 4
.PD 0
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_SIZE\s0\fR) <integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_SIZE) <integer>"
+.IP """size"" (\fBOSSL_MAC_PARAM_SIZE\fR) <integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_SIZE) <integer>"
.PD
-Can be used to get the default \s-1MAC\s0 size (which might be the only allowable
-\&\s-1MAC\s0 size for the implementation).
+Can be used to get the default MAC size (which might be the only allowable
+MAC size for the implementation).
.Sp
-Note that some implementations allow setting the size that the resulting \s-1MAC\s0
+Note that some implementations allow setting the size that the resulting MAC
should have as well, see the documentation of the implementation.
.RE
.RS 4
-.ie n .IP """size"" (\fB\s-1OSSL_MAC_PARAM_BLOCK_SIZE\s0\fR) <integer>" 4
-.el .IP "``size'' (\fB\s-1OSSL_MAC_PARAM_BLOCK_SIZE\s0\fR) <integer>" 4
-.IX Item "size (OSSL_MAC_PARAM_BLOCK_SIZE) <integer>"
-Can be used to get the \s-1MAC\s0 block size (if supported by the algorithm).
+.IP """size"" (\fBOSSL_MAC_PARAM_BLOCK_SIZE\fR) <integer>" 4
+.IX Item """size"" (OSSL_MAC_PARAM_BLOCK_SIZE) <integer>"
+Can be used to get the MAC block size (if supported by the algorithm).
.RE
.RS 4
.RE
-.SH "NOTES"
+.PP
+The OpenSSL FIPS provider may support the following parameters:
+.IP """fips-indicator"" (\fBOSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR\fR) <int>" 4
+.IX Item """fips-indicator"" (OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR) <int>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling the final function. It may return 0 if
+either "no-short-mac" or "key-check" are set to 0.
+.IP """no-short-mac"" (\fBOSSL_MAC_PARAM_FIPS_NO_SHORT_MAC\fR) <integer>" 4
+.IX Item """no-short-mac"" (OSSL_MAC_PARAM_FIPS_NO_SHORT_MAC) <integer>"
+If required this parameter should be set early via an init function.
+The default value of 1 causes an error when too short MAC output is
+asked for. Setting this to 0 will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.IP """key-check"" (\fBOSSL_MAC_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_MAC_PARAM_FIPS_KEY_CHECK) <integer>"
+If required this parameter should be set before OSSL_FUNC_mac_init.
+The default value of 1 causes an error when small key sizes are
+asked for. Setting this to 0 will ignore the error and set the approved
+"fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.SH NOTES
.IX Header "NOTES"
-The \s-1MAC\s0 life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should
+The MAC life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should
ensure that the various transitions listed there are supported. At some point
-the \s-1EVP\s0 layer will begin enforcing the listed transitions.
+the EVP layer will begin enforcing the listed transitions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_mac_newctx()\fR and \fBOSSL_FUNC_mac_dupctx()\fR should return the newly created
-provider side mac context, or \s-1NULL\s0 on failure.
+provider side mac context, or NULL on failure.
.PP
-\&\fBOSSL_FUNC_mac_init()\fR, \fBOSSL_FUNC_mac_update()\fR, \fBOSSL_FUNC_mac_final()\fR, \fBOSSL_FUNC_mac_get_params()\fR,
+\&\fBOSSL_FUNC_mac_init()\fR, \fBOSSL_FUNC_mac_init_skey()\fR,
+\&\fBOSSL_FUNC_mac_update()\fR, \fBOSSL_FUNC_mac_final()\fR, \fBOSSL_FUNC_mac_get_params()\fR,
\&\fBOSSL_FUNC_mac_get_ctx_params()\fR and \fBOSSL_FUNC_mac_set_ctx_params()\fR should return 1 for
success or 0 on error.
.PP
\&\fBOSSL_FUNC_mac_gettable_params()\fR, \fBOSSL_FUNC_mac_gettable_ctx_params()\fR and
-\&\fBOSSL_FUNC_mac_settable_ctx_params()\fR should return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
-array, or \s-1NULL\s0 if none is offered.
+\&\fBOSSL_FUNC_mac_settable_ctx_params()\fR should return a constant \fBOSSL_PARAM\fR\|(3)
+array, or NULL if none is offered.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7),
-\&\s-1\fBEVP_MAC\-BLAKE2\s0\fR\|(7), \s-1\fBEVP_MAC\-CMAC\s0\fR\|(7), \s-1\fBEVP_MAC\-GMAC\s0\fR\|(7),
-\&\s-1\fBEVP_MAC\-HMAC\s0\fR\|(7), \s-1\fBEVP_MAC\-KMAC\s0\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7),
+\&\fBEVP_MAC\-BLAKE2\fR\|(7), \fBEVP_MAC\-CMAC\fR\|(7), \fBEVP_MAC\-GMAC\fR\|(7),
+\&\fBEVP_MAC\-HMAC\fR\|(7), \fBEVP_MAC\-KMAC\fR\|(7), \fBEVP_MAC\-Poly1305\fR\|(7),
\&\fBEVP_MAC\-Siphash\fR\|(7),
-\&\fBlife_cycle\-mac\fR\|(7), \s-1\fBEVP_MAC\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBlife_cycle\-mac\fR\|(7), \fBEVP_MAC\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1MAC\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider MAC interface was introduced in OpenSSL 3.0.
+The parameters "no-short-mac" and "fips-indicator" were added in OpenSSL 3.4.
+.PP
+The function \fBOSSL_FUNC_mac_init_skey()\fR was introduced in OpenSSL 3.5.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-object.7 b/secure/lib/libcrypto/man/man7/provider-object.7
index bc7e9327f135..48c2c9b38d96 100644
--- a/secure/lib/libcrypto/man/man7/provider-object.7
+++ b/secure/lib/libcrypto/man/man7/provider-object.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,85 +52,25 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-OBJECT 7ossl"
-.TH PROVIDER-OBJECT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-OBJECT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-object \- A specification for a provider\-native object abstraction
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_object.h>
\& #include <openssl/core_names.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The provider-native object abstraction is a set of \s-1\fBOSSL_PARAM\s0\fR\|(3) keys and
+The provider-native object abstraction is a set of \fBOSSL_PARAM\fR\|(3) keys and
values that can be used to pass provider-native objects to OpenSSL library
code or between different provider operation implementations with the help
of OpenSSL library code.
@@ -155,30 +79,30 @@ The intention is that certain provider-native operations can pass any sort
of object that belong with other operations, or with OpenSSL library code.
.PP
An object may be passed in the following manners:
-.IP "1." 4
+.IP 1. 4
\&\fIBy value\fR
.Sp
-This means that the \fIobject data\fR is passed as an octet string or an \s-1UTF8\s0
+This means that the \fIobject data\fR is passed as an octet string or an UTF8
string, which can be handled in diverse ways by other provided implementations.
The encoding of the object depends on the context it's used in; for example,
-\&\s-1\fBOSSL_DECODER\s0\fR\|(3) allows multiple encodings, depending on existing decoders.
+\&\fBOSSL_DECODER\fR\|(3) allows multiple encodings, depending on existing decoders.
If central OpenSSL library functionality is to handle the data directly, it
-\&\fBmust\fR be encoded in \s-1DER\s0 for all object types except for \fB\s-1OSSL_OBJECT_NAME\s0\fR
-(see \*(L"Parameter reference\*(R" below), where it's assumed to a plain \s-1UTF8\s0 string.
-.IP "2." 4
+\&\fBmust\fR be encoded in DER for all object types except for \fBOSSL_OBJECT_NAME\fR
+(see "Parameter reference" below), where it's assumed to a plain UTF8 string.
+.IP 2. 4
\&\fIBy reference\fR
.Sp
This means that the \fIobject data\fR isn't passed directly, an \fIobject
reference\fR is passed instead. It's an octet string that only the correct
provider understands correctly.
.PP
-Objects \fIby value\fR can be used by anything that handles \s-1DER\s0 encoded
+Objects \fIby value\fR can be used by anything that handles DER encoded
objects.
.PP
Objects \fIby reference\fR need a higher level of cooperation from the
implementation where the object originated (let's call it X) and its target
implementation (let's call it Y):
-.IP "1." 4
+.IP 1. 4
\&\fIAn object loading function in the target implementation\fR
.Sp
The target implementation (Y) may have a function that can take an \fIobject
@@ -188,48 +112,45 @@ same provider as the one originating the object abstraction in question (X).
The exact target implementation to use is determined from the \fIobject type\fR
and possibly the \fIobject data type\fR.
For example, when the OpenSSL library receives an object abstraction with the
-\&\fIobject type\fR \fB\s-1OSSL_OBJECT_PKEY\s0\fR, it will fetch a \fBprovider\-keymgmt\fR\|(7)
+\&\fIobject type\fR \fBOSSL_OBJECT_PKEY\fR, it will fetch a \fBprovider\-keymgmt\fR\|(7)
using the \fIobject data type\fR as its key type (the second argument in
\&\fBEVP_KEYMGMT_fetch\fR\|(3)).
-.IP "2." 4
+.IP 2. 4
\&\fIAn object exporter in the originating implementation\fR
.Sp
The originating implementation (X) may have an exporter function. This
-exporter function can be used to export the object in \s-1\fBOSSL_PARAM\s0\fR\|(3) form,
+exporter function can be used to export the object in \fBOSSL_PARAM\fR\|(3) form,
that can then be imported by the target implementation's imported function.
.Sp
This can be used when it's not possible to fetch the target implementation
(Y) from the same provider.
.SS "Parameter reference"
.IX Subsection "Parameter reference"
-A provider-native object abstraction is an \s-1\fBOSSL_PARAM\s0\fR\|(3) with a selection
+A provider-native object abstraction is an \fBOSSL_PARAM\fR\|(3) with a selection
of the following parameters:
-.ie n .IP """data"" (\fB\s-1OSSL_OBJECT_PARAM_DATA\s0\fR) <octet string> or <\s-1UTF8\s0 string>" 4
-.el .IP "``data'' (\fB\s-1OSSL_OBJECT_PARAM_DATA\s0\fR) <octet string> or <\s-1UTF8\s0 string>" 4
-.IX Item "data (OSSL_OBJECT_PARAM_DATA) <octet string> or <UTF8 string>"
+.IP """data"" (\fBOSSL_OBJECT_PARAM_DATA\fR) <octet string> or <UTF8 string>" 4
+.IX Item """data"" (OSSL_OBJECT_PARAM_DATA) <octet string> or <UTF8 string>"
The object data \fIpassed by value\fR.
-.ie n .IP """reference"" (\fB\s-1OSSL_OBJECT_PARAM_REFERENCE\s0\fR) <octet string>" 4
-.el .IP "``reference'' (\fB\s-1OSSL_OBJECT_PARAM_REFERENCE\s0\fR) <octet string>" 4
-.IX Item "reference (OSSL_OBJECT_PARAM_REFERENCE) <octet string>"
+.IP """reference"" (\fBOSSL_OBJECT_PARAM_REFERENCE\fR) <octet string>" 4
+.IX Item """reference"" (OSSL_OBJECT_PARAM_REFERENCE) <octet string>"
The object data \fIpassed by reference\fR.
-.ie n .IP """type"" (\fB\s-1OSSL_OBJECT_PARAM_TYPE\s0\fR) <integer>" 4
-.el .IP "``type'' (\fB\s-1OSSL_OBJECT_PARAM_TYPE\s0\fR) <integer>" 4
-.IX Item "type (OSSL_OBJECT_PARAM_TYPE) <integer>"
+.IP """type"" (\fBOSSL_OBJECT_PARAM_TYPE\fR) <integer>" 4
+.IX Item """type"" (OSSL_OBJECT_PARAM_TYPE) <integer>"
The \fIobject type\fR, a number that may have any of the following values (all
defined in \fI<openssl/core_object.h>\fR):
.RS 4
-.IP "\fB\s-1OSSL_OBJECT_NAME\s0\fR" 4
+.IP \fBOSSL_OBJECT_NAME\fR 4
.IX Item "OSSL_OBJECT_NAME"
-The object data may only be \fIpassed by value\fR, and should be a \s-1UTF8\s0
+The object data may only be \fIpassed by value\fR, and should be a UTF8
string.
.Sp
-This is useful for \fBprovider\-storemgmt\fR\|(7) when a \s-1URI\s0 load results in new
+This is useful for \fBprovider\-storemgmt\fR\|(7) when a URI load results in new
URIs.
-.IP "\fB\s-1OSSL_OBJECT_PKEY\s0\fR" 4
+.IP \fBOSSL_OBJECT_PKEY\fR 4
.IX Item "OSSL_OBJECT_PKEY"
-The object data is suitable as provider-native \fB\s-1EVP_PKEY\s0\fR key data. The
+The object data is suitable as provider-native \fBEVP_PKEY\fR key data. The
object data may be \fIpassed by value\fR or \fIpassed by reference\fR.
-.IP "\fB\s-1OSSL_OBJECT_CERT\s0\fR" 4
+.IP \fBOSSL_OBJECT_CERT\fR 4
.IX Item "OSSL_OBJECT_CERT"
The object data is suitable as \fBX509\fR data. The object data for this
object type can only be \fIpassed by value\fR, and should be an octet string.
@@ -237,54 +158,51 @@ object type can only be \fIpassed by value\fR, and should be an octet string.
Since there's no provider-native X.509 object, OpenSSL libraries that
receive this object abstraction are expected to convert the data to a
\&\fBX509\fR object with \fBd2i_X509()\fR.
-.IP "\fB\s-1OSSL_OBJECT_CRL\s0\fR" 4
+.IP \fBOSSL_OBJECT_CRL\fR 4
.IX Item "OSSL_OBJECT_CRL"
The object data is suitable as \fBX509_CRL\fR data. The object data can
only be \fIpassed by value\fR, and should be an octet string.
.Sp
-Since there's no provider-native X.509 \s-1CRL\s0 object, OpenSSL libraries that
+Since there's no provider-native X.509 CRL object, OpenSSL libraries that
receive this object abstraction are expected to convert the data to a
\&\fBX509_CRL\fR object with \fBd2i_X509_CRL()\fR.
.RE
.RS 4
.RE
-.ie n .IP """data-type"" (\fB\s-1OSSL_OBJECT_PARAM_DATA_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``data-type'' (\fB\s-1OSSL_OBJECT_PARAM_DATA_TYPE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "data-type (OSSL_OBJECT_PARAM_DATA_TYPE) <UTF8 string>"
+.IP """data-type"" (\fBOSSL_OBJECT_PARAM_DATA_TYPE\fR) <UTF8 string>" 4
+.IX Item """data-type"" (OSSL_OBJECT_PARAM_DATA_TYPE) <UTF8 string>"
The specific type of the object content. Legitimate values depend on the
-object type; if it is \fB\s-1OSSL_OBJECT_PKEY\s0\fR, the data type is expected to be a
+object type; if it is \fBOSSL_OBJECT_PKEY\fR, the data type is expected to be a
key type suitable for fetching a \fBprovider\-keymgmt\fR\|(7) that can handle the
data.
-.ie n .IP """data-structure"" (\fB\s-1OSSL_OBJECT_PARAM_DATA_STRUCTURE\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``data-structure'' (\fB\s-1OSSL_OBJECT_PARAM_DATA_STRUCTURE\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "data-structure (OSSL_OBJECT_PARAM_DATA_STRUCTURE) <UTF8 string>"
+.IP """data-structure"" (\fBOSSL_OBJECT_PARAM_DATA_STRUCTURE\fR) <UTF8 string>" 4
+.IX Item """data-structure"" (OSSL_OBJECT_PARAM_DATA_STRUCTURE) <UTF8 string>"
The outermost structure of the object content. Legitimate values depend on
the object type.
-.ie n .IP """desc"" (\fB\s-1OSSL_OBJECT_PARAM_DESC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``desc'' (\fB\s-1OSSL_OBJECT_PARAM_DESC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "desc (OSSL_OBJECT_PARAM_DESC) <UTF8 string>"
+.IP """desc"" (\fBOSSL_OBJECT_PARAM_DESC\fR) <UTF8 string>" 4
+.IX Item """desc"" (OSSL_OBJECT_PARAM_DESC) <UTF8 string>"
A human readable text that describes extra details on the object.
.PP
When a provider-native object abstraction is used, it \fImust\fR contain object
-data in at least one form (object data \fIpassed by value\fR, i.e. the \*(L"data\*(R"
-item, or object data \fIpassed by reference\fR, i.e. the \*(L"reference\*(R" item).
+data in at least one form (object data \fIpassed by value\fR, i.e. the "data"
+item, or object data \fIpassed by reference\fR, i.e. the "reference" item).
Both may be present at once, in which case the OpenSSL library code that
receives this will use the most optimal variant.
.PP
-For objects with the object type \fB\s-1OSSL_OBJECT_NAME\s0\fR, that object type
+For objects with the object type \fBOSSL_OBJECT_NAME\fR, that object type
\&\fImust\fR be given.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7), \s-1\fBOSSL_DECODER\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), \fBOSSL_DECODER\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
The concept of providers and everything surrounding them was
introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-rand.7 b/secure/lib/libcrypto/man/man7/provider-rand.7
index 68a3f5551101..38ac453e6caa 100644
--- a/secure/lib/libcrypto/man/man7/provider-rand.7
+++ b/secure/lib/libcrypto/man/man7/provider-rand.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,78 +52,18 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-RAND 7ossl"
-.TH PROVIDER-RAND 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-RAND 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-rand \- The random number generation library <\-> provider
functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -195,14 +119,14 @@ functions
\& int OSSL_FUNC_rand_get_ctx_params(void *ctx, OSSL_PARAM params[]);
\& int OSSL_FUNC_rand_set_ctx_params(void *ctx, const OSSL_PARAM params[]);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The \s-1RAND\s0 operation enables providers to implement random number generation
+The RAND operation enables providers to implement random number generation
algorithms and random number sources and make
-them available to applications via the \s-1API\s0 function \s-1\fBEVP_RAND\s0\fR\|(3).
+them available to applications via the API function \fBEVP_RAND\fR\|(3).
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
\&\fBOSSL_FUNC_rand_newctx()\fR should create and return a pointer to a provider side
@@ -212,31 +136,31 @@ operation function calls.
The parameter \fIprovctx\fR is the provider context generated during provider
initialisation (see \fBprovider\fR\|(7)).
The parameter \fIparent\fR specifies another rand instance to be used for
-seeding purposes. If \s-1NULL\s0 and the specific instance supports it, the
+seeding purposes. If NULL and the specific instance supports it, the
operating system will be used for seeding.
The parameter \fIparent_calls\fR points to the dispatch table for \fIparent\fR.
Thus, the parent need not be from the same provider as the new instance.
.PP
\&\fBOSSL_FUNC_rand_freectx()\fR is passed a pointer to the provider side rand context in
the \fImctx\fR parameter.
-If it receives \s-1NULL\s0 as \fIctx\fR value, it should not do anything other than
+If it receives NULL as \fIctx\fR value, it should not do anything other than
return.
This function should free any resources associated with that context.
-.SS "Random Number Generator Functions: \s-1NIST\s0"
+.SS "Random Number Generator Functions: NIST"
.IX Subsection "Random Number Generator Functions: NIST"
-These functions correspond to those defined in \s-1NIST SP 800\-90A\s0 and \s-1SP 800\-90C.\s0
+These functions correspond to those defined in NIST SP 800\-90A and SP 800\-90C.
.PP
-\&\fBOSSL_FUNC_rand_instantiate()\fR is used to instantiate the \s-1DRBG\s0 \fIctx\fR at a requested
+\&\fBOSSL_FUNC_rand_instantiate()\fR is used to instantiate the DRBG \fIctx\fR at a requested
security \fIstrength\fR. In addition, \fIprediction_resistance\fR can be requested.
Additional input \fIaddin\fR of length \fIaddin_len\fR bytes can optionally
-be provided. The parameters specified in \fIparams\fR configure the \s-1DRBG\s0 and these
+be provided. The parameters specified in \fIparams\fR configure the DRBG and these
should be processed before instantiation.
.PP
-\&\fBOSSL_FUNC_rand_uninstantiate()\fR is used to uninstantiate the \s-1DRBG\s0 \fIctx\fR. After being
-uninstantiated, a \s-1DRBG\s0 is unable to produce output until it is instantiated
+\&\fBOSSL_FUNC_rand_uninstantiate()\fR is used to uninstantiate the DRBG \fIctx\fR. After being
+uninstantiated, a DRBG is unable to produce output until it is instantiated
anew.
.PP
-\&\fBOSSL_FUNC_rand_generate()\fR is used to generate random bytes from the \s-1DRBG\s0 \fIctx\fR.
+\&\fBOSSL_FUNC_rand_generate()\fR is used to generate random bytes from the DRBG \fIctx\fR.
It will generate \fIoutlen\fR bytes placing them into the buffer pointed to by
\&\fIout\fR. The generated bytes will meet the specified security \fIstrength\fR and,
if \fIprediction_resistance\fR is true, the bytes will be produced after reseeding
@@ -246,7 +170,7 @@ bytes can optionally be provided.
.IX Subsection "Random Number Generator Functions: Additional"
\&\fBOSSL_FUNC_rand_nonce()\fR is used to generate a nonce of the given \fIstrength\fR with a
length from \fImin_noncelen\fR to \fImax_noncelen\fR. If the output buffer \fIout\fR is
-\&\s-1NULL,\s0 the length of the nonce should be returned.
+NULL, the length of the nonce should be returned.
.PP
\&\fBOSSL_FUNC_rand_get_seed()\fR is used by deterministic generators to obtain their
seeding material from their parent. The seed bytes will meet the specified
@@ -261,7 +185,7 @@ freed by a later call to \fBOSSL_FUNC_rand_clear_seed()\fR.
which was previously allocated by \fBOSSL_FUNC_rand_get_seed()\fR.
.PP
\&\fBOSSL_FUNC_rand_verify_zeroization()\fR is used to determine if the internal state of the
-\&\s-1DRBG\s0 is zero. This capability is mandated by \s-1NIST\s0 as part of the self
+DRBG is zero. This capability is mandated by NIST as part of the self
tests, it is unlikely to be useful in other circumstances.
.SS "Context Locking"
.IX Subsection "Context Locking"
@@ -269,17 +193,17 @@ When DRBGs are used by multiple threads, there must be locking employed to
ensure their proper operation. Because locking introduces an overhead, it
is disabled by default.
.PP
-\&\fBOSSL_FUNC_rand_enable_locking()\fR allows locking to be turned on for a \s-1DRBG\s0 and all of
-its parent DRBGs. From this call onwards, the \s-1DRBG\s0 can be used in a thread
+\&\fBOSSL_FUNC_rand_enable_locking()\fR allows locking to be turned on for a DRBG and all of
+its parent DRBGs. From this call onwards, the DRBG can be used in a thread
safe manner.
.PP
-\&\fBOSSL_FUNC_rand_lock()\fR is used to lock a \s-1DRBG.\s0 Once locked, exclusive access
+\&\fBOSSL_FUNC_rand_lock()\fR is used to lock a DRBG. Once locked, exclusive access
is guaranteed.
.PP
-\&\fBOSSL_FUNC_rand_unlock()\fR is used to unlock a \s-1DRBG.\s0
+\&\fBOSSL_FUNC_rand_unlock()\fR is used to unlock a DRBG.
.SS "Rand Parameters"
.IX Subsection "Rand Parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
these functions.
.PP
\&\fBOSSL_FUNC_rand_get_params()\fR gets details of parameter values associated with the
@@ -288,113 +212,117 @@ provider algorithm and stores them in \fIparams\fR.
\&\fBOSSL_FUNC_rand_set_ctx_params()\fR sets rand parameters associated with the given
provider side rand context \fIctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_rand_get_ctx_params()\fR gets details of currently set parameter values
associated with the given provider side rand context \fIctx\fR and stores them
in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_rand_gettable_params()\fR, \fBOSSL_FUNC_rand_gettable_ctx_params()\fR,
-and \fBOSSL_FUNC_rand_settable_ctx_params()\fR all return constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
+and \fBOSSL_FUNC_rand_settable_ctx_params()\fR all return constant \fBOSSL_PARAM\fR\|(3)
arrays as descriptors of the parameters that \fBOSSL_FUNC_rand_get_params()\fR,
\&\fBOSSL_FUNC_rand_get_ctx_params()\fR, and \fBOSSL_FUNC_rand_set_ctx_params()\fR
can handle, respectively. \fBOSSL_FUNC_rand_gettable_ctx_params()\fR
and \fBOSSL_FUNC_rand_settable_ctx_params()\fR will return the parameters
associated with the provider side context \fIctx\fR in its current state
-if it is not \s-1NULL.\s0 Otherwise, they return the parameters associated
+if it is not NULL. Otherwise, they return the parameters associated
with the provider side algorithm \fIprovctx\fR.
.PP
Parameters currently recognised by built-in rands are as follows. Not all
parameters are relevant to, or are understood by all rands:
-.ie n .IP """state"" (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.el .IP "``state'' (\fB\s-1OSSL_RAND_PARAM_STATE\s0\fR) <integer>" 4
-.IX Item "state (OSSL_RAND_PARAM_STATE) <integer>"
+.IP """state"" (\fBOSSL_RAND_PARAM_STATE\fR) <integer>" 4
+.IX Item """state"" (OSSL_RAND_PARAM_STATE) <integer>"
Returns the state of the random number generator.
-.ie n .IP """strength"" (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.el .IP "``strength'' (\fB\s-1OSSL_RAND_PARAM_STRENGTH\s0\fR) <unsigned integer>" 4
-.IX Item "strength (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
+.IP """strength"" (\fBOSSL_RAND_PARAM_STRENGTH\fR) <unsigned integer>" 4
+.IX Item """strength"" (OSSL_RAND_PARAM_STRENGTH) <unsigned integer>"
Returns the bit strength of the random number generator.
+.IP """fips-indicator"" (\fBOSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This option is used by the OpenSSL FIPS provider and is not supported
+by all EVP_RAND sources.
.PP
For rands that are also deterministic random bit generators (DRBGs), these
additional parameters are recognised. Not all
-parameters are relevant to, or are understood by all \s-1DRBG\s0 rands:
-.ie n .IP """reseed_requests"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_requests'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_requests (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+parameters are relevant to, or are understood by all DRBG rands:
+.IP """reseed_requests"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """reseed_requests"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
Reads or set the number of generate requests before reseeding the
-associated \s-1RAND\s0 ctx.
-.ie n .IP """reseed_time_interval"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.el .IP "``reseed_time_interval'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\s0\fR) <integer>" 4
-.IX Item "reseed_time_interval (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
+associated RAND ctx.
+.IP """reseed_time_interval"" (\fBOSSL_DRBG_PARAM_RESEED_TIME_INTERVAL\fR) <integer>" 4
+.IX Item """reseed_time_interval"" (OSSL_DRBG_PARAM_RESEED_TIME_INTERVAL) <integer>"
Reads or set the number of elapsed seconds before reseeding the
-associated \s-1RAND\s0 ctx.
-.ie n .IP """max_request"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.el .IP "``max_request'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_REQUESTS\s0\fR) <unsigned integer>" 4
-.IX Item "max_request (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
+associated RAND ctx.
+.IP """max_request"" (\fBOSSL_DRBG_PARAM_RESEED_REQUESTS\fR) <unsigned integer>" 4
+.IX Item """max_request"" (OSSL_DRBG_PARAM_RESEED_REQUESTS) <unsigned integer>"
Specifies the maximum number of bytes that can be generated in a single
call to OSSL_FUNC_rand_generate.
-.ie n .IP """min_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_entropylen (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
+.IP """min_entropylen"" (\fBOSSL_DRBG_PARAM_MIN_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """min_entropylen"" (OSSL_DRBG_PARAM_MIN_ENTROPYLEN) <unsigned integer>"
.PD 0
-.ie n .IP """max_entropylen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_entropylen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ENTROPYLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_entropylen (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
+.IP """max_entropylen"" (\fBOSSL_DRBG_PARAM_MAX_ENTROPYLEN\fR) <unsigned integer>" 4
+.IX Item """max_entropylen"" (OSSL_DRBG_PARAM_MAX_ENTROPYLEN) <unsigned integer>"
.PD
Specify the minimum and maximum number of bytes of random material that
-can be used to seed the \s-1DRBG.\s0
-.ie n .IP """min_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``min_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MIN_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "min_noncelen (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
+can be used to seed the DRBG.
+.IP """min_noncelen"" (\fBOSSL_DRBG_PARAM_MIN_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """min_noncelen"" (OSSL_DRBG_PARAM_MIN_NONCELEN) <unsigned integer>"
.PD 0
-.ie n .IP """max_noncelen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_noncelen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_NONCELEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_noncelen (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
+.IP """max_noncelen"" (\fBOSSL_DRBG_PARAM_MAX_NONCELEN\fR) <unsigned integer>" 4
+.IX Item """max_noncelen"" (OSSL_DRBG_PARAM_MAX_NONCELEN) <unsigned integer>"
.PD
Specify the minimum and maximum number of bytes of nonce that can be used to
-instantiate the \s-1DRBG.\s0
-.ie n .IP """max_perslen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_perslen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_PERSLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_perslen (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
+instantiate the DRBG.
+.IP """max_perslen"" (\fBOSSL_DRBG_PARAM_MAX_PERSLEN\fR) <unsigned integer>" 4
+.IX Item """max_perslen"" (OSSL_DRBG_PARAM_MAX_PERSLEN) <unsigned integer>"
.PD 0
-.ie n .IP """max_adinlen"" (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.el .IP "``max_adinlen'' (\fB\s-1OSSL_DRBG_PARAM_MAX_ADINLEN\s0\fR) <unsigned integer>" 4
-.IX Item "max_adinlen (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
+.IP """max_adinlen"" (\fBOSSL_DRBG_PARAM_MAX_ADINLEN\fR) <unsigned integer>" 4
+.IX Item """max_adinlen"" (OSSL_DRBG_PARAM_MAX_ADINLEN) <unsigned integer>"
.PD
Specify the minimum and maximum number of bytes of personalisation string
-that can be used with the \s-1DRBG.\s0
-.ie n .IP """reseed_counter"" (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.el .IP "``reseed_counter'' (\fB\s-1OSSL_DRBG_PARAM_RESEED_COUNTER\s0\fR) <unsigned integer>" 4
-.IX Item "reseed_counter (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
-Specifies the number of times the \s-1DRBG\s0 has been seeded or reseeded.
-.ie n .IP """digest"" (\fB\s-1OSSL_DRBG_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_DRBG_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
+that can be used with the DRBG.
+.IP """reseed_counter"" (\fBOSSL_DRBG_PARAM_RESEED_COUNTER\fR) <unsigned integer>" 4
+.IX Item """reseed_counter"" (OSSL_DRBG_PARAM_RESEED_COUNTER) <unsigned integer>"
+Specifies the number of times the DRBG has been seeded or reseeded.
+.IP """digest"" (\fBOSSL_DRBG_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_DRBG_PARAM_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """cipher"" (\fB\s-1OSSL_DRBG_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``cipher'' (\fB\s-1OSSL_DRBG_PARAM_CIPHER\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "cipher (OSSL_DRBG_PARAM_CIPHER) <UTF8 string>"
-.ie n .IP """mac"" (\fB\s-1OSSL_DRBG_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``mac'' (\fB\s-1OSSL_DRBG_PARAM_MAC\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "mac (OSSL_DRBG_PARAM_MAC) <UTF8 string>"
+.IP """cipher"" (\fBOSSL_DRBG_PARAM_CIPHER\fR) <UTF8 string>" 4
+.IX Item """cipher"" (OSSL_DRBG_PARAM_CIPHER) <UTF8 string>"
+.IP """mac"" (\fBOSSL_DRBG_PARAM_MAC\fR) <UTF8 string>" 4
+.IX Item """mac"" (OSSL_DRBG_PARAM_MAC) <UTF8 string>"
.PD
-Sets the name of the underlying cipher, digest or \s-1MAC\s0 to be used.
-It must name a suitable algorithm for the \s-1DRBG\s0 that's being used.
-.ie n .IP """properties"" (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_DRBG_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
+Sets the name of the underlying cipher, digest or MAC to be used.
+It must name a suitable algorithm for the DRBG that's being used.
+.IP """properties"" (\fBOSSL_DRBG_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_DRBG_PARAM_PROPERTIES) <UTF8 string>"
Sets the properties to be queried when trying to fetch an underlying algorithm.
This must be given together with the algorithm naming parameter to be
considered valid.
+.PP
+The OpenSSL FIPS provider also supports the following parameters:
+.IP """fips-indicator"" (\fBOSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_DRBG_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling \fBOSSL_FUNC_rand_generate()\fR. It may
+return 0 if the "digest-check" is set to 0.
+.IP """digest-check"" (\fBOSSL_DRBG_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_DRBG_PARAM_FIPS_DIGEST_CHECK) <integer>"
+If required this parameter should be set before the digest is set.
+The default value of 1 causes an error when the digest is set if the digest is
+not FIPS approved (e.g. truncated digests). Setting this to 0 will ignore
+the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_rand_newctx()\fR should return the newly created
-provider side rand context, or \s-1NULL\s0 on failure.
+provider side rand context, or NULL on failure.
.PP
\&\fBOSSL_FUNC_rand_gettable_params()\fR, \fBOSSL_FUNC_rand_gettable_ctx_params()\fR and
-\&\fBOSSL_FUNC_rand_settable_ctx_params()\fR should return a constant \s-1\fBOSSL_PARAM\s0\fR\|(3)
-array, or \s-1NULL\s0 if none is offered.
+\&\fBOSSL_FUNC_rand_settable_ctx_params()\fR should return a constant \fBOSSL_PARAM\fR\|(3)
+array, or NULL if none is offered.
.PP
\&\fBOSSL_FUNC_rand_nonce()\fR returns the size of the generated nonce, or 0 on error.
.PP
@@ -402,26 +330,28 @@ array, or \s-1NULL\s0 if none is offered.
error.
.PP
All of the remaining functions should return 1 for success or 0 on error.
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
-The \s-1RAND\s0 life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should
+The RAND life-cycle is described in \fBlife_cycle\-rand\fR\|(7). Providers should
ensure that the various transitions listed there are supported. At some point
-the \s-1EVP\s0 layer will begin enforcing the listed transitions.
+the EVP layer will begin enforcing the listed transitions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7),
-\&\s-1\fBRAND\s0\fR\|(7),
-\&\s-1\fBEVP_RAND\s0\fR\|(7),
+\&\fBRAND\fR\|(7),
+\&\fBEVP_RAND\fR\|(7),
\&\fBlife_cycle\-rand\fR\|(7),
-\&\s-1\fBEVP_RAND\s0\fR\|(3)
-.SH "HISTORY"
+\&\fBEVP_RAND\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1RAND\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider RAND interface was introduced in OpenSSL 3.0.
+The Rand Parameters "fips-indicator" and "digest-check" were added in
+OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2024 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-signature.7 b/secure/lib/libcrypto/man/man7/provider-signature.7
index a103884360b7..4cacfd81d8a4 100644
--- a/secure/lib/libcrypto/man/man7/provider-signature.7
+++ b/secure/lib/libcrypto/man/man7/provider-signature.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-SIGNATURE 7ossl"
-.TH PROVIDER-SIGNATURE 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-SIGNATURE 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-signature \- The signature library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/core_dispatch.h>
@@ -155,17 +79,36 @@ provider\-signature \- The signature library <\-> provider functions
\& void OSSL_FUNC_signature_freectx(void *ctx);
\& void *OSSL_FUNC_signature_dupctx(void *ctx);
\&
+\& /* Get the key types that a signature algorithm supports */
+\& const char **OSSL_FUNC_signature_query_key_types(void);
+\&
\& /* Signing */
\& int OSSL_FUNC_signature_sign_init(void *ctx, void *provkey,
\& const OSSL_PARAM params[]);
\& int OSSL_FUNC_signature_sign(void *ctx, unsigned char *sig, size_t *siglen,
\& size_t sigsize, const unsigned char *tbs, size_t tbslen);
+\& int OSSL_FUNC_signature_sign_message_init(void *ctx, void *provkey,
+\& const OSSL_PARAM params[]);
+\& int OSSL_FUNC_signature_sign_message_update(void *ctx, const unsigned char *in,
+\& size_t inlen);
+\& int OSSL_FUNC_signature_sign_message_final(void *ctx, unsigned char *sig,
+\& size_t *siglen, size_t sigsize);
\&
\& /* Verifying */
\& int OSSL_FUNC_signature_verify_init(void *ctx, void *provkey,
\& const OSSL_PARAM params[]);
\& int OSSL_FUNC_signature_verify(void *ctx, const unsigned char *sig, size_t siglen,
\& const unsigned char *tbs, size_t tbslen);
+\& int OSSL_FUNC_signature_verify_message_init(void *ctx, void *provkey,
+\& const OSSL_PARAM params[]);
+\& int OSSL_FUNC_signature_verify_message_update(void *ctx, const unsigned char *in,
+\& size_t inlen);
+\& /*
+\& * OSSL_FUNC_signature_verify_message_final requires that the signature to be
+\& * verified is specified via a "signature" OSSL_PARAM, which is given with a
+\& * previous call of OSSL_FUNC_signature_set_ctx_params().
+\& */
+\& int OSSL_FUNC_signature_verify_message_final(void *ctx);
\&
\& /* Verify Recover */
\& int OSSL_FUNC_signature_verify_recover_init(void *ctx, void *provkey,
@@ -183,7 +126,7 @@ provider\-signature \- The signature library <\-> provider functions
\& int OSSL_FUNC_signature_digest_sign_final(void *ctx, unsigned char *sig,
\& size_t *siglen, size_t sigsize);
\& int OSSL_FUNC_signature_digest_sign(void *ctx,
-\& unsigned char *sigret, size_t *siglen,
+\& unsigned char *sig, size_t *siglen,
\& size_t sigsize, const unsigned char *tbs,
\& size_t tbslen);
\&
@@ -213,29 +156,27 @@ provider\-signature \- The signature library <\-> provider functions
\& int OSSL_FUNC_signature_set_ctx_md_params(void *ctx, const OSSL_PARAM params[]);
\& const OSSL_PARAM * OSSL_FUNC_signature_settable_ctx_md_params(void *ctx);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
This documentation is primarily aimed at provider authors. See \fBprovider\fR\|(7)
for further information.
.PP
-The signature (\s-1OSSL_OP_SIGNATURE\s0) operation enables providers to implement
-signature algorithms and make them available to applications via the \s-1API\s0
-functions \fBEVP_PKEY_sign\fR\|(3),
-\&\fBEVP_PKEY_verify\fR\|(3),
-and \fBEVP_PKEY_verify_recover\fR\|(3) (as well
-as other related functions).
+The signature (OSSL_OP_SIGNATURE) operation enables providers to implement
+signature algorithms and make them available to applications via the API
+functions \fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3),
+and \fBEVP_PKEY_verify_recover\fR\|(3) (as well as other related functions).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition
+All these "functions" have a corresponding function type definition
named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
-function pointer from an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named
+function pointer from an \fBOSSL_DISPATCH\fR\|(3) element named
\&\fBOSSL_FUNC_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_signature_newctx()\fR has these:
+For example, the "function" \fBOSSL_FUNC_signature_newctx()\fR has these:
.PP
.Vb 3
\& typedef void *(OSSL_FUNC_signature_newctx_fn)(void *provctx, const char *propq);
@@ -243,7 +184,7 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_signature_newctx()\fR has these
\& OSSL_FUNC_signature_newctx(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
.Vb 3
@@ -251,11 +192,19 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
\& OSSL_FUNC_signature_freectx OSSL_FUNC_SIGNATURE_FREECTX
\& OSSL_FUNC_signature_dupctx OSSL_FUNC_SIGNATURE_DUPCTX
\&
+\& OSSL_FUNC_signature_query_key_types OSSL_FUNC_SIGNATURE_QUERY_KEY_TYPES
+\&
\& OSSL_FUNC_signature_sign_init OSSL_FUNC_SIGNATURE_SIGN_INIT
\& OSSL_FUNC_signature_sign OSSL_FUNC_SIGNATURE_SIGN
+\& OSSL_FUNC_signature_sign_message_init OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_INIT
+\& OSSL_FUNC_signature_sign_message_update OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_UPDATE
+\& OSSL_FUNC_signature_sign_message_final OSSL_FUNC_SIGNATURE_SIGN_MESSAGE_FINAL
\&
\& OSSL_FUNC_signature_verify_init OSSL_FUNC_SIGNATURE_VERIFY_INIT
\& OSSL_FUNC_signature_verify OSSL_FUNC_SIGNATURE_VERIFY
+\& OSSL_FUNC_signature_verify_message_init OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_INIT
+\& OSSL_FUNC_signature_verify_message_update OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_UPDATE
+\& OSSL_FUNC_signature_verify_message_final OSSL_FUNC_SIGNATURE_VERIFY_MESSAGE_FINAL
\&
\& OSSL_FUNC_signature_verify_recover_init OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT
\& OSSL_FUNC_signature_verify_recover OSSL_FUNC_SIGNATURE_VERIFY_RECOVER
@@ -284,12 +233,20 @@ macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
A signature algorithm implementation may not implement all of these functions.
In order to be a consistent set of functions we must have at least a set of
context functions (OSSL_FUNC_signature_newctx and OSSL_FUNC_signature_freectx) as well as a
-set of \*(L"signature\*(R" functions, i.e. at least one of:
+set of "signature" functions, i.e. at least one of:
.IP "OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign" 4
.IX Item "OSSL_FUNC_signature_sign_init and OSSL_FUNC_signature_sign"
.PD 0
+.IP "OSSL_FUNC_signature_sign_message_init and OSSL_FUNC_signature_sign" 4
+.IX Item "OSSL_FUNC_signature_sign_message_init and OSSL_FUNC_signature_sign"
+.IP "OSSL_FUNC_signature_sign_message_init, OSSL_FUNC_signature_sign_message_update and OSSL_FUNC_signature_sign_message_final" 4
+.IX Item "OSSL_FUNC_signature_sign_message_init, OSSL_FUNC_signature_sign_message_update and OSSL_FUNC_signature_sign_message_final"
.IP "OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify" 4
.IX Item "OSSL_FUNC_signature_verify_init and OSSL_FUNC_signature_verify"
+.IP "OSSL_FUNC_signature_verify_message_init and OSSL_FUNC_signature_verify" 4
+.IX Item "OSSL_FUNC_signature_verify_message_init and OSSL_FUNC_signature_verify"
+.IP "OSSL_FUNC_signature_verify_message_init, OSSL_FUNC_signature_verify_message_update and OSSL_FUNC_signature_verify_message_final" 4
+.IX Item "OSSL_FUNC_signature_verify_message_init, OSSL_FUNC_signature_verify_message_update and OSSL_FUNC_signature_verify_message_final"
.IP "OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover" 4
.IX Item "OSSL_FUNC_signature_verify_recover_init and OSSL_FUNC_signature_verify_recover"
.IP "OSSL_FUNC_signature_digest_sign_init, OSSL_FUNC_signature_digest_sign_update and OSSL_FUNC_signature_digest_sign_final" 4
@@ -302,13 +259,25 @@ set of \*(L"signature\*(R" functions, i.e. at least one of:
.IX Item "OSSL_FUNC_signature_digest_verify_init and OSSL_FUNC_signature_digest_verify"
.PD
.PP
-OSSL_FUNC_signature_set_ctx_params and OSSL_FUNC_signature_settable_ctx_params are optional,
-but if one of them is present then the other one must also be present. The same
-applies to OSSL_FUNC_signature_get_ctx_params and OSSL_FUNC_signature_gettable_ctx_params, as
-well as the \*(L"md_params\*(R" functions. The OSSL_FUNC_signature_dupctx function is optional.
+The \fBOSSL_FUNC_signature_set_ctx_params()\fR and
+\&\fBOSSL_FUNC_signature_settable_ctx_params()\fR functions are optional,
+but if one of them is provided then the other one must also be provided.
+The same applies to the \fBOSSL_FUNC_signature_get_ctx_params()\fR and
+\&\fBOSSL_FUNC_signature_gettable_ctx_params()\fR functions,
+as well as the "md_params" functions.
+.PP
+The \fBOSSL_FUNC_signature_dupctx()\fR function is optional.
+It is not yet used by OpenSSL.
+.PP
+The \fBOSSL_FUNC_signature_query_key_types()\fR function is optional.
+When present, it should return a NULL-terminated array of strings
+indicating the key types supported by the provider for signature operations.
+Otherwise the signature algorithm name must match the given key
+or match the default signature algorithm name of the key,
+both checked using \fBEVP_SIGNATURE_is_a\fR\|(3).
.PP
A signature algorithm must also implement some mechanism for generating,
-loading or importing keys via the key management (\s-1OSSL_OP_KEYMGMT\s0) operation.
+loading or importing keys via the key management (OSSL_OP_KEYMGMT) operation.
See \fBprovider\-keymgmt\fR\|(7) for further details.
.SS "Context Management Functions"
.IX Subsection "Context Management Functions"
@@ -318,7 +287,7 @@ A pointer to this context will be passed back in a number of the other signature
operation function calls.
The parameter \fIprovctx\fR is the provider context generated during provider
initialisation (see \fBprovider\fR\|(7)). The \fIpropq\fR parameter is a property query
-string that may be (optionally) used by the provider during any \*(L"fetches\*(R" that
+string that may be (optionally) used by the provider during any "fetches" that
it may perform (if it performs any).
.PP
\&\fBOSSL_FUNC_signature_freectx()\fR is passed a pointer to the provider side signature
@@ -332,32 +301,63 @@ the \fIctx\fR parameter and return the duplicate copy.
\&\fBOSSL_FUNC_signature_sign_init()\fR initialises a context for signing given a provider side
signature context in the \fIctx\fR parameter, and a pointer to a provider key object
in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_signature_set_ctx_params()\fR.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
-\&\fBprovider\-keymgmt\fR\|(7)>.
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+\&\fBprovider\-keymgmt\fR\|(7)).
.PP
\&\fBOSSL_FUNC_signature_sign()\fR performs the actual signing itself.
A previously initialised signature context is passed in the \fIctx\fR
parameter.
The data to be signed is pointed to be the \fItbs\fR parameter which is \fItbslen\fR
bytes long.
-Unless \fIsig\fR is \s-1NULL,\s0 the signature should be written to the location pointed
+Unless \fIsig\fR is NULL, the signature should be written to the location pointed
to by the \fIsig\fR parameter and it should not exceed \fIsigsize\fR bytes in length.
The length of the signature should be written to \fI*siglen\fR.
-If \fIsig\fR is \s-1NULL\s0 then the maximum length of the signature should be written to
+If \fIsig\fR is NULL then the maximum length of the signature should be written to
+\&\fI*siglen\fR.
+.SS "Message Signing Functions"
+.IX Subsection "Message Signing Functions"
+These functions are suitable for providers that implement algorithms that
+accumulate a full message and sign the result of that accumulation, such as
+RSA\-SHA256.
+.PP
+\&\fBOSSL_FUNC_signature_sign_message_init()\fR initialises a context for signing a
+message given a provider side signature context in the \fIctx\fR parameter, and a
+pointer to a provider key object in the \fIprovkey\fR parameter.
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
+using \fBOSSL_FUNC_signature_set_ctx_params()\fR.
+The key object should have been previously generated, loaded or imported into
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+\&\fBprovider\-keymgmt\fR\|(7)).
+.PP
+\&\fBOSSL_FUNC_signature_sign_message_update()\fR gathers the data pointed at by
+\&\fIin\fR, which is \fIinlen\fR bytes long.
+.PP
+\&\fBOSSL_FUNC_signature_sign_message_final()\fR performs the actual signing on the
+data that was gathered with \fBOSSL_FUNC_signature_sign_message_update()\fR.
+.PP
+\&\fBOSSL_FUNC_signature_sign()\fR can be used for one-shot signature calls. In that
+case, \fItbs\fR is expected to be the whole message to be signed, \fItbslen\fR bytes
+long.
+.PP
+For both \fBOSSL_FUNC_signature_sign_message_final()\fR and \fBOSSL_FUNC_signature_sign()\fR,
+if \fIsig\fR is not NULL, the signature should be written to the location pointed
+to by \fIsig\fR, and it should not exceed \fIsigsize\fR bytes in length.
+The length of the signature should be written to \fI*siglen\fR.
+If \fIsig\fR is NULL then the maximum length of the signature should be written to
\&\fI*siglen\fR.
.SS "Verify Functions"
.IX Subsection "Verify Functions"
\&\fBOSSL_FUNC_signature_verify_init()\fR initialises a context for verifying a signature given
a provider side signature context in the \fIctx\fR parameter, and a pointer to a
provider key object in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_signature_set_ctx_params()\fR.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
-\&\fBprovider\-keymgmt\fR\|(7)>.
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+\&\fBprovider\-keymgmt\fR\|(7)).
.PP
\&\fBOSSL_FUNC_signature_verify()\fR performs the actual verification itself.
A previously initialised signature context is passed in the \fIctx\fR parameter.
@@ -365,37 +365,64 @@ The data that the signature covers is pointed to be the \fItbs\fR parameter whic
is \fItbslen\fR bytes long.
The signature is pointed to by the \fIsig\fR parameter which is \fIsiglen\fR bytes
long.
+.SS "Message Verify Functions"
+.IX Subsection "Message Verify Functions"
+These functions are suitable for providers that implement algorithms that
+accumulate a full message and verify a signature on the result of that
+accumulation, such as RSA\-SHA256.
+.PP
+\&\fBOSSL_FUNC_signature_verify_message_init()\fR initialises a context for verifying
+a signature on a message given a provider side signature context in the \fIctx\fR
+parameter, and a pointer to a provider key object in the \fIprovkey\fR parameter.
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
+using \fBOSSL_FUNC_signature_set_ctx_params()\fR.
+The key object should have been previously generated, loaded or imported into
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+\&\fBprovider\-keymgmt\fR\|(7)).
+.PP
+\&\fBOSSL_FUNC_signature_verify_message_update()\fR gathers the data pointed at by
+\&\fIin\fR, which is \fIinlen\fR bytes long.
+.PP
+\&\fBOSSL_FUNC_signature_verify_message_final()\fR performs the actual verification on
+the data that was gathered with \fBOSSL_FUNC_signature_verify_message_update()\fR.
+The signature itself must have been passed through the "signature"
+(\fBOSSL_SIGNATURE_PARAM_SIGNATURE\fR) Signature parameter
+before this function is called.
+.PP
+\&\fBOSSL_FUNC_signature_verify()\fR can be used for one-shot verification calls. In
+that case, \fItbs\fR is expected to be the whole message to be verified on,
+\&\fItbslen\fR bytes long.
.SS "Verify Recover Functions"
.IX Subsection "Verify Recover Functions"
\&\fBOSSL_FUNC_signature_verify_recover_init()\fR initialises a context for recovering the
signed data given a provider side signature context in the \fIctx\fR parameter, and
a pointer to a provider key object in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_signature_set_ctx_params()\fR.
The key object should have been previously generated, loaded or imported into
-the provider using the key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see
-\&\fBprovider\-keymgmt\fR\|(7)>.
+the provider using the key management (OSSL_OP_KEYMGMT) operation (see
+\&\fBprovider\-keymgmt\fR\|(7)).
.PP
\&\fBOSSL_FUNC_signature_verify_recover()\fR performs the actual verify recover itself.
A previously initialised signature context is passed in the \fIctx\fR parameter.
The signature is pointed to by the \fIsig\fR parameter which is \fIsiglen\fR bytes
long.
-Unless \fIrout\fR is \s-1NULL,\s0 the recovered data should be written to the location
+Unless \fIrout\fR is NULL, the recovered data should be written to the location
pointed to by \fIrout\fR which should not exceed \fIroutsize\fR bytes in length.
The length of the recovered data should be written to \fI*routlen\fR.
-If \fIrout\fR is \s-1NULL\s0 then the maximum size of the output buffer is written to
+If \fIrout\fR is NULL then the maximum size of the output buffer is written to
the \fIroutlen\fR parameter.
.SS "Digest Sign Functions"
.IX Subsection "Digest Sign Functions"
-\&\fBOSSL_FUNC_signature_digeset_sign_init()\fR initialises a context for signing given a
+\&\fBOSSL_FUNC_signature_digest_sign_init()\fR initialises a context for signing given a
provider side signature context in the \fIctx\fR parameter, and a pointer to a
provider key object in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
using \fBOSSL_FUNC_signature_set_ctx_params()\fR and
\&\fBOSSL_FUNC_signature_set_ctx_md_params()\fR.
The key object should have been
previously generated, loaded or imported into the provider using the
-key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see \fBprovider\-keymgmt\fR\|(7)>.
+key management (OSSL_OP_KEYMGMT) operation (see \fBprovider\-keymgmt\fR\|(7)).
The name of the digest to be used will be in the \fImdname\fR parameter.
.PP
\&\fBOSSL_FUNC_signature_digest_sign_update()\fR provides data to be signed in the \fIdata\fR
@@ -407,31 +434,31 @@ multiple times to cumulatively add data to be signed.
started through \fBOSSL_FUNC_signature_digest_sign_init()\fR and
\&\fBOSSL_FUNC_signature_digest_sign_update()\fR calls. Once finalised no more data will be
added through \fBOSSL_FUNC_signature_digest_sign_update()\fR. A previously initialised
-signature context is passed in the \fIctx\fR parameter. Unless \fIsig\fR is \s-1NULL,\s0 the
+signature context is passed in the \fIctx\fR parameter. Unless \fIsig\fR is NULL, the
signature should be written to the location pointed to by the \fIsig\fR parameter
and it should not exceed \fIsigsize\fR bytes in length. The length of the signature
-should be written to \fI*siglen\fR. If \fIsig\fR is \s-1NULL\s0 then the maximum length of
+should be written to \fI*siglen\fR. If \fIsig\fR is NULL then the maximum length of
the signature should be written to \fI*siglen\fR.
.PP
-\&\fBOSSL_FUNC_signature_digest_sign()\fR implements a \*(L"one shot\*(R" digest sign operation
-previously started through \fBOSSL_FUNC_signature_digeset_sign_init()\fR. A previously
+\&\fBOSSL_FUNC_signature_digest_sign()\fR implements a "one shot" digest sign operation
+previously started through \fBOSSL_FUNC_signature_digest_sign_init()\fR. A previously
initialised signature context is passed in the \fIctx\fR parameter. The data to be
-signed is in \fItbs\fR which should be \fItbslen\fR bytes long. Unless \fIsig\fR is \s-1NULL,\s0
+signed is in \fItbs\fR which should be \fItbslen\fR bytes long. Unless \fIsig\fR is NULL,
the signature should be written to the location pointed to by the \fIsig\fR
parameter and it should not exceed \fIsigsize\fR bytes in length. The length of the
-signature should be written to \fI*siglen\fR. If \fIsig\fR is \s-1NULL\s0 then the maximum
+signature should be written to \fI*siglen\fR. If \fIsig\fR is NULL then the maximum
length of the signature should be written to \fI*siglen\fR.
.SS "Digest Verify Functions"
.IX Subsection "Digest Verify Functions"
-\&\fBOSSL_FUNC_signature_digeset_verify_init()\fR initialises a context for verifying given a
+\&\fBOSSL_FUNC_signature_digest_verify_init()\fR initialises a context for verifying given a
provider side verification context in the \fIctx\fR parameter, and a pointer to a
provider key object in the \fIprovkey\fR parameter.
-The \fIparams\fR, if not \s-1NULL,\s0 should be set on the context in a manner similar to
+The \fIparams\fR, if not NULL, should be set on the context in a manner similar to
\&\fBOSSL_FUNC_signature_set_ctx_params()\fR and
\&\fBOSSL_FUNC_signature_set_ctx_md_params()\fR.
The key object should have been
previously generated, loaded or imported into the provider using the
-key management (\s-1OSSL_OP_KEYMGMT\s0) operation (see \fBprovider\-keymgmt\fR\|(7)>.
+key management (OSSL_OP_KEYMGMT) operation (see \fBprovider\-keymgmt\fR\|(7)).
The name of the digest to be used will be in the \fImdname\fR parameter.
.PP
\&\fBOSSL_FUNC_signature_digest_verify_update()\fR provides data to be verified in the \fIdata\fR
@@ -446,51 +473,75 @@ added through \fBOSSL_FUNC_signature_digest_verify_update()\fR. A previously ini
verification context is passed in the \fIctx\fR parameter. The signature to be
verified is in \fIsig\fR which is \fIsiglen\fR bytes long.
.PP
-\&\fBOSSL_FUNC_signature_digest_verify()\fR implements a \*(L"one shot\*(R" digest verify operation
-previously started through \fBOSSL_FUNC_signature_digeset_verify_init()\fR. A previously
+\&\fBOSSL_FUNC_signature_digest_verify()\fR implements a "one shot" digest verify operation
+previously started through \fBOSSL_FUNC_signature_digest_verify_init()\fR. A previously
initialised verification context is passed in the \fIctx\fR parameter. The data to be
verified is in \fItbs\fR which should be \fItbslen\fR bytes long. The signature to be
verified is in \fIsig\fR which is \fIsiglen\fR bytes long.
.SS "Signature parameters"
.IX Subsection "Signature parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
the \fBOSSL_FUNC_signature_get_ctx_params()\fR and \fBOSSL_FUNC_signature_set_ctx_params()\fR functions.
.PP
\&\fBOSSL_FUNC_signature_get_ctx_params()\fR gets signature parameters associated with the
given provider side signature context \fIctx\fR and stored them in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_signature_set_ctx_params()\fR sets the signature parameters associated with the
given provider side signature context \fIctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
Common parameters currently recognised by built-in signature algorithms are as
follows.
-.ie n .IP """digest"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_SIGNATURE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_SIGNATURE_PARAM_DIGEST) <UTF8 string>"
Get or sets the name of the digest algorithm used for the input to the
-signature functions. It is required in order to calculate the \*(L"algorithm-id\*(R".
-.ie n .IP """properties"" (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``properties'' (\fB\s-1OSSL_SIGNATURE_PARAM_PROPERTIES\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "properties (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
-Sets the name of the property query associated with the \*(L"digest\*(R" algorithm.
-\&\s-1NULL\s0 is used if this optional value is not set.
-.ie n .IP """digest-size"" (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST_SIZE\s0\fR) <unsigned integer>" 4
-.el .IP "``digest-size'' (\fB\s-1OSSL_SIGNATURE_PARAM_DIGEST_SIZE\s0\fR) <unsigned integer>" 4
-.IX Item "digest-size (OSSL_SIGNATURE_PARAM_DIGEST_SIZE) <unsigned integer>"
+signature functions. It is required in order to calculate the "algorithm-id".
+.IP """properties"" (\fBOSSL_SIGNATURE_PARAM_PROPERTIES\fR) <UTF8 string>" 4
+.IX Item """properties"" (OSSL_SIGNATURE_PARAM_PROPERTIES) <UTF8 string>"
+Sets the name of the property query associated with the "digest" algorithm.
+NULL is used if this optional value is not set.
+.PP
+Note that when implementing a signature algorithm that gathers a full message,
+like RSA\-SHA256, the "digest" and "properties" parameters should not be used.
+For such implementations, it's acceptable to simply ignore them if they happen
+to be passed in a call to \fBOSSL_FUNC_signature_set_ctx_params()\fR. For such
+implementations, however, it is not acceptable to have them in the \fBOSSL_PARAM\fR
+array that's returned by \fBOSSL_FUNC_signature_settable_ctx_params()\fR.
+.IP """signature"" (\fBOSSL_SIGNATURE_PARAM_SIGNATURE\fR) <octet string>" 4
+.IX Item """signature"" (OSSL_SIGNATURE_PARAM_SIGNATURE) <octet string>"
+Sets the signature to verify, specifically when
+\&\fBOSSL_FUNC_signature_verify_message_final()\fR is used.
+.IP """digest-size"" (\fBOSSL_SIGNATURE_PARAM_DIGEST_SIZE\fR) <unsigned integer>" 4
+.IX Item """digest-size"" (OSSL_SIGNATURE_PARAM_DIGEST_SIZE) <unsigned integer>"
Gets or sets the output size of the digest algorithm used for the input to the
signature functions.
-The length of the \*(L"digest-size\*(R" parameter should not exceed that of a \fBsize_t\fR.
-.ie n .IP """algorithm-id"" (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.el .IP "``algorithm-id'' (\fB\s-1OSSL_SIGNATURE_PARAM_ALGORITHM_ID\s0\fR) <octet string>" 4
-.IX Item "algorithm-id (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
-Gets the \s-1DER\s0 encoded AlgorithmIdentifier that corresponds to the combination of
-signature algorithm and digest algorithm for the signature operation.
-.ie n .IP """kat"" (\fB\s-1OSSL_SIGNATURE_PARAM_KAT\s0\fR) <unsigned integer>" 4
-.el .IP "``kat'' (\fB\s-1OSSL_SIGNATURE_PARAM_KAT\s0\fR) <unsigned integer>" 4
-.IX Item "kat (OSSL_SIGNATURE_PARAM_KAT) <unsigned integer>"
+The length of the "digest-size" parameter should not exceed that of a \fBsize_t\fR.
+.IP """algorithm-id"" (\fBOSSL_SIGNATURE_PARAM_ALGORITHM_ID\fR) <octet string>" 4
+.IX Item """algorithm-id"" (OSSL_SIGNATURE_PARAM_ALGORITHM_ID) <octet string>"
+Gets the DER-encoded AlgorithmIdentifier for the signature operation.
+This typically corresponds to the combination of a digest algorithm
+with a purely asymmetric signature algorithm, such as SHA256WithECDSA.
+.Sp
+The \fBASN1_item_sign_ctx\fR\|(3) function relies on this operation and is used by
+many other functions that sign ASN.1 structures such as X.509 certificates,
+certificate requests, and CRLs, as well as OCSP, CMP, and CMS messages.
+.IP """nonce-type"" (\fBOSSL_SIGNATURE_PARAM_NONCE_TYPE\fR) <unsigned integer>" 4
+.IX Item """nonce-type"" (OSSL_SIGNATURE_PARAM_NONCE_TYPE) <unsigned integer>"
+Set this to 1 to use deterministic digital signature generation with
+ECDSA or DSA, as defined in RFC 6979 (see Section 3.2 "Generation of
+k"). In this case, the "digest" parameter must be explicitly set
+(otherwise, deterministic nonce generation will fail). Before using
+deterministic digital signature generation, please read RFC 6979
+Section 4 "Security Considerations". The default value for
+"nonce-type" is 0 and results in a random value being used for the
+nonce \fBk\fR as defined in FIPS 186\-4 Section 6.3 "Secret Number
+Generation".
+.Sp
+The FIPS provider does not support deterministic digital signature generation.
+.IP """kat"" (\fBOSSL_SIGNATURE_PARAM_KAT\fR) <unsigned integer>" 4
+.IX Item """kat"" (OSSL_SIGNATURE_PARAM_KAT) <unsigned integer>"
Sets a flag to modify the sign operation to return an error if the initial
calculated signature is invalid.
In the normal mode of operation \- new random values are chosen until the
@@ -502,55 +553,114 @@ was successful.
Known answer tests can be performed if the random generator is overridden to
supply known values that either pass or fail.
.PP
+The following parameters are used by the OpenSSL FIPS provider:
+.IP """fips-indicator"" (\fBOSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR\fR) <integer>" 4
+.IX Item """fips-indicator"" (OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR) <integer>"
+A getter that returns 1 if the operation is FIPS approved, or 0 otherwise.
+This may be used after calling either the sign or verify final functions. It may
+return 0 if either the "digest-check", "key-check", or "sign-check" are set to 0.
+.IP """verify-message"" (\fBOSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE\fR <integer>" 4
+.IX Item """verify-message"" (OSSL_SIGNATURE_PARAM_FIPS_VERIFY_MESSAGE <integer>"
+A getter that returns 1 if a signature verification operation acted on
+a raw message, or 0 if it verified a predigested message. A value of 0
+indicates likely non-approved usage of the FIPS provider. This flag is
+set when any signature verification initialisation function is called.
+It is also set to 1 when any signing operation is performed to signify
+compliance. See FIPS 140\-3 IG 2.4.B for further information.
+.IP """key-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK\fR) <integer>" 4
+.IX Item """key-check"" (OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK) <integer>"
+If required this parameter should be set early via an init function
+(e.g. \fBOSSL_FUNC_signature_sign_init()\fR or \fBOSSL_FUNC_signature_verify_init()\fR).
+The default value of 1 causes an error during the init if the key is not FIPS
+approved (e.g. The key has a security strength of less than 112 bits).
+Setting this to 0 will ignore the error and set the approved "indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.IP """digest-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK\fR) <integer>" 4
+.IX Item """digest-check"" (OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK) <integer>"
+If required this parameter should be set before the signature digest is set.
+The default value of 1 causes an error when the digest is set if the digest is
+not FIPS approved (e.g. SHA1 is used for signing). Setting this to 0 will ignore
+the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.IP """sign-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK\fR) <integer>" 4
+.IX Item """sign-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK) <integer>"
+If required this parameter should be set early via an init function.
+The default value of 1 causes an error when a signing algorithm is used. (This
+is triggered by deprecated signing algorithms).
+Setting this to 0 will ignore the error and set the approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator" to
+return 0.
+.IP """sign\-x931\-pad\-check"" (\fBOSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK\fR) <integer>" 4
+.IX Item """sign-x931-pad-check"" (OSSL_SIGNATURE_PARAM_FIPS_SIGN_X931_PAD_CHECK) <integer>"
+If required this parameter should be set before the padding mode is set.
+The default value of 1 causes an error if the padding mode is set to X9.31 padding
+for a RSA signing operation. Setting this to 0 will ignore the error and set the
+approved "fips-indicator" to 0.
+This option breaks FIPS compliance if it causes the approved "fips-indicator"
+to return 0.
+.PP
\&\fBOSSL_FUNC_signature_gettable_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_ctx_params()\fR get a
-constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the gettable and settable parameters,
+constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and settable parameters,
i.e. parameters that can be used with \fBOSSL_FUNC_signature_get_ctx_params()\fR and
\&\fBOSSL_FUNC_signature_set_ctx_params()\fR respectively.
-.SS "\s-1MD\s0 parameters"
+.SS "MD parameters"
.IX Subsection "MD parameters"
-See \s-1\fBOSSL_PARAM\s0\fR\|(3) for further details on the parameters structure used by
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure used by
the \fBOSSL_FUNC_signature_get_md_ctx_params()\fR and \fBOSSL_FUNC_signature_set_md_ctx_params()\fR
functions.
.PP
\&\fBOSSL_FUNC_signature_get_md_ctx_params()\fR gets digest parameters associated with the
given provider side digest signature context \fIctx\fR and stores them in \fIparams\fR.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
\&\fBOSSL_FUNC_signature_set_ms_ctx_params()\fR sets the digest parameters associated with the
given provider side digest signature context \fIctx\fR to \fIparams\fR.
Any parameter settings are additional to any that were previously set.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
Parameters currently recognised by built-in signature algorithms are the same
as those for built-in digest algorithms. See
-\&\*(L"Digest Parameters\*(R" in \fBprovider\-digest\fR\|(7) for further information.
+"Digest Parameters" in \fBprovider\-digest\fR\|(7) for further information.
.PP
\&\fBOSSL_FUNC_signature_gettable_md_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_md_ctx_params()\fR
-get a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array that describes the gettable and settable
+get a constant \fBOSSL_PARAM\fR\|(3) array that describes the gettable and settable
digest parameters, i.e. parameters that can be used with
\&\fBOSSL_FUNC_signature_get_md_ctx_params()\fR and \fBOSSL_FUNC_signature_set_md_ctx_params()\fR
respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_FUNC_signature_newctx()\fR and \fBOSSL_FUNC_signature_dupctx()\fR should return the newly created
-provider side signature context, or \s-1NULL\s0 on failure.
+provider side signature context, or NULL on failure.
.PP
\&\fBOSSL_FUNC_signature_gettable_ctx_params()\fR, \fBOSSL_FUNC_signature_settable_ctx_params()\fR,
\&\fBOSSL_FUNC_signature_gettable_md_ctx_params()\fR and \fBOSSL_FUNC_signature_settable_md_ctx_params()\fR,
-return the gettable or settable parameters in a constant \s-1\fBOSSL_PARAM\s0\fR\|(3) array.
+return the gettable or settable parameters in a constant \fBOSSL_PARAM\fR\|(3) array.
+.PP
+\&\fBOSSL_FUNC_signature_query_key_types()\fR should return a NULL-terminated array of strings.
+.PP
+All verification functions should return 1 for success,
+0 for a non-matching signature, and a negative value for operation failure.
.PP
-All other functions should return 1 for success or 0 on error.
+All other functions should return 1 for success
+and 0 or a negative value for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+\&\fBprovider\fR\|(7), "Provider Functions" in \fBprovider\-base\fR\|(7),
+\&\fBOSSL_PARAM\fR\|(3), \fBOSSL_DISPATCH\fR\|(3), \fBOSSL_ALGORITHM\fR\|(3),
+\&\fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3), \fBEVP_PKEY_verify_recover\fR\|(3),
+\&\fBEVP_SIGNATURE_is_a\fR\|(3), \fBASN1_item_sign_ctx\fR\|(3)
+.SH HISTORY
.IX Header "HISTORY"
-The provider \s-1SIGNATURE\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The provider SIGNATURE interface was introduced in OpenSSL 3.0.
+The Signature Parameters "fips-indicator", "key-check" and "digest-check"
+were added in OpenSSL 3.4.
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-skeymgmt.7 b/secure/lib/libcrypto/man/man7/provider-skeymgmt.7
new file mode 100644
index 000000000000..0574431e9c92
--- /dev/null
+++ b/secure/lib/libcrypto/man/man7/provider-skeymgmt.7
@@ -0,0 +1,232 @@
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
+.ie n \{\
+. ds C` ""
+. ds C' ""
+'br\}
+.el\{\
+. ds C`
+. ds C'
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
+.\" If the F register is >0, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD. Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
+..
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{\
+. if \nF \{\
+. de IX
+. tm Index:\\$1\t\\n%\t"\\$2"
+..
+. if !\nF==2 \{\
+. nr % 0
+. nr F 2
+. \}
+. \}
+.\}
+.rr rF
+.\" ========================================================================
+.\"
+.IX Title "PROVIDER-SKEYMGMT 7ossl"
+.TH PROVIDER-SKEYMGMT 7ossl 2025-07-01 3.5.1 OpenSSL
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH NAME
+provider\-skeymgmt \- The SKEYMGMT library <\-> provider functions
+.SH SYNOPSIS
+.IX Header "SYNOPSIS"
+.Vb 1
+\& #include <openssl/core_dispatch.h>
+\&
+\& /*
+\& * None of these are actual functions, but are displayed like this for
+\& * the function signatures for functions that are offered as function
+\& * pointers in OSSL_DISPATCH arrays.
+\& */
+\&
+\& /* Key object destruction */
+\& void OSSL_FUNC_skeymgmt_free(void *keydata);
+\&
+\& /* Key object import and export functions */
+\& void *OSSL_FUNC_skeymgmt_import(void *provctx, int selection,
+\& const OSSL_PARAM params[]);
+\& int OSSL_FUNC_skeymgmt_export(void *keydata, int selection,
+\& OSSL_CALLBACK *param_cb, void *cbarg);
+\& void *OSSL_FUNC_skeymgmt_generate(void *provctx,
+\& const OSSL_PARAM params[]);
+\& const OSSL_PARAM *OSSL_FUNC_skeymgmt_gen_settable_params(void *provctx);
+\& const OSSL_PARAM *OSSL_FUNC_skeymgmt_imp_settable_params(void *provctx);
+\& const char *OSSL_FUNC_skeymgmt_get_key_id(void *keydata);
+.Ve
+.SH DESCRIPTION
+.IX Header "DESCRIPTION"
+The SKEYMGMT operation doesn't have much public visibility in the OpenSSL
+libraries, rather it is an internal operation that is designed to work
+with operations that use opaque symmetric keys objects.
+.PP
+The SKEYMGMT operation shares knowledge with the operations it works with,
+therefore the SKEYMGMT and the algorithms which use it must belong to the same
+provider. The OpenSSL libraries will ensure that they do.
+.PP
+The primary responsibility of the SKEYMGMT operation is to hold the
+provider side key data for the OpenSSL library EVP_SKEY structure.
+.PP
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
+\&\fBprovider_query_operation()\fR function
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
+.PP
+All these "functions" have a corresponding function type definition
+named \fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the
+function pointer from a \fBOSSL_DISPATCH\fR\|(3) element named
+\&\fBOSSL_FUNC_{name}\fR.
+.PP
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as
+macros in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
+.PP
+.Vb 1
+\& OSSL_FUNC_skeymgmt_free OSSL_FUNC_SKEYMGMT_FREE
+\&
+\& OSSL_FUNC_skeymgmt_import OSSL_FUNC_SKEYMGMT_IMPORT
+\& OSSL_FUNC_skeymgmt_export OSSL_FUNC_SKEYMGMT_EXPORT
+\&
+\& OSSL_FUNC_skeymgmt_generate OSSL_FUNC_SKEYMGMT_GENERATE
+\&
+\& OSSL_FUNC_skeymgmt_get_key_id OSSL_FUNC_SKEYMGMT_GET_KEY_ID
+\& OSSL_FUNC_skeymgmt_imp_settable_params OSSL_FUNC_SKEYMGMT_IMP_SETTABLE_PARAMS
+\& OSSL_FUNC_skeymgmt_gen_settable_params OSSL_FUNC_SKEYMGMT_GEN_SETTABLE_PARAMS
+.Ve
+.PP
+The SKEYMGMT management is inspired by KEYMGMT but is simpler.
+.SS "Key Objects"
+.IX Subsection "Key Objects"
+A key object is a collection of data for an symmetric key, and is
+represented as \fIkeydata\fR in this manual.
+.PP
+The exact contents of a key object are defined by the provider, and it
+is assumed that different operations in one and the same provider use
+the exact same structure to represent this collection of data, so that
+for example, a key object that has been created using the SKEYMGMT
+interface can be passed as is to other algorithms from the same provider
+operations, such as \fBOSSL_FUNC_mac_init_opaque()\fR (see
+\&\fBprovider\-mac\fR\|(7)).
+.PP
+With the export SKEYMGMT function, it's possible to select a specific
+subset of data to handle, governed by the bits in a \fIselection\fR
+indicator. The bits are:
+.IP \fBOSSL_SKEYMGMT_SELECT_SECRET_KEY\fR 4
+.IX Item "OSSL_SKEYMGMT_SELECT_SECRET_KEY"
+Indicating that the secret key raw bytes in a key object should be
+included.
+.IP \fBOSSL_SKEYMGMT_SELECT_PARAMETERS\fR 4
+.IX Item "OSSL_SKEYMGMT_SELECT_PARAMETERS"
+Indicating that the parameters in a key object should be
+included.
+.PP
+Combined selector bits are also defined for easier use:
+.IP \fBOSSL_SKEYMGMT_SELECT_ALL\fR 4
+.IX Item "OSSL_SKEYMGMT_SELECT_ALL"
+Indicating that everything in a key object should be included.
+.PP
+The exact interpretation of those bits or how they combine is left to
+each function where you can specify a selector.
+.SS "Destructing Function"
+.IX Subsection "Destructing Function"
+\&\fBOSSL_FUNC_skeymgmt_free()\fR should free the passed \fIkeydata\fR.
+.SS "Key Object Import and Export Functions"
+.IX Subsection "Key Object Import and Export Functions"
+\&\fBOSSL_FUNC_skeymgmt_import()\fR should import data into \fIkeydata\fR with values
+taken from the \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. It allocates the \fIkeydata\fR
+object (there is no separate allocation function).
+.PP
+\&\fBOSSL_FUNC_skeymgmt_imp_settable_params()\fR returns a list of parameters that can
+be provided to the \fBOSSL_FUNC_skeymgmt_import()\fR function.
+.PP
+\&\fBOSSL_FUNC_skeymgmt_export()\fR should extract values indicated by \fIselection\fR
+from \fIkeydata\fR, create an \fBOSSL_PARAM\fR\|(3) array with them and call
+\&\fIparam_cb\fR with that array as well as the given \fIcbarg\fR.
+The passed \fBOSSL_PARAM\fR\|(3) array is transient and is freed upon the return from \fIparam_cb\fR.
+.SS "Key Object Generation Functions"
+.IX Subsection "Key Object Generation Functions"
+\&\fBOSSL_FUNC_skeymgmt_generate()\fR creates a new key according to the values
+taken from the \fBOSSL_PARAM\fR\|(3) array \fIparams\fR. It allocates the \fIkeydata\fR
+object.
+.PP
+\&\fBOSSL_FUNC_skeymgmt_gen_settable_params()\fR returns a list of parameters that can
+be provided to the \fBOSSL_FUNC_skeymgmt_generate()\fR function.
+.SS "Key Object Information functions"
+.IX Subsection "Key Object Information functions"
+\&\fBOSSL_FUNC_skeymgmt_get_key_id()\fR returns a NUL-terminated string identifying the
+particular key. The returned string will be freed by a call to \fBEVP_SKEY_free()\fR
+so callers need to copy it themselves if they want to preserve the value past
+the key lifetime. The purpose of this function is providing a printable string
+that can help users to access the specific key. The content of this string is
+provider-specific.
+.SS "Common Import and Export Parameters"
+.IX Subsection "Common Import and Export Parameters"
+See \fBOSSL_PARAM\fR\|(3) for further details on the parameters structure.
+.PP
+Common information parameters currently recognised by built-in
+skeymgmt algorithms are as follows:
+.IP """raw-bytes"" (\fBSKEY_PARAM_RAW_BYTES\fR) <octet string>" 4
+.IX Item """raw-bytes"" (SKEY_PARAM_RAW_BYTES) <octet string>"
+The value represents symmetric key as a byte array.
+.IP """key-length"" (\fBSKEY_PARAM_KEY_LENGTH\fR) <integer>" 4
+.IX Item """key-length"" (SKEY_PARAM_KEY_LENGTH) <integer>"
+The value is the byte length of the given key.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+\&\fBOSSL_FUNC_skeymgmt_import()\fR and \fBOSSL_FUNC_skeymgmt_generate()\fR return a pointer
+to an allocated object on success and NULL on error.
+.PP
+\&\fBOSSL_FUNC_skeymgmt_export()\fR returns 1 for success or 0 on error.
+.PP
+\&\fBOSSL_FUNC_skeymgmt_get_key_id()\fR returns a pointer to a 0\-terminated string or NULL.
+.PP
+\&\fBOSSL_FUNC_skeymgmt_gen_settable_params()\fR and \fBOSSL_FUNC_skeymgmt_imp_settable_params()\fR
+return references to an array of \fBOSSL_PARAM\fR which can be NULL if there are
+no settable parameters.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fBprovider\fR\|(7), \fBEVP_SKEY\fR\|(3), \fBEVP_KEYMGMT\fR\|(3)
+.SH HISTORY
+.IX Header "HISTORY"
+The SKEYMGMT interface was introduced in OpenSSL 3.5.
+.SH COPYRIGHT
+.IX Header "COPYRIGHT"
+Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.
+.PP
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider-storemgmt.7 b/secure/lib/libcrypto/man/man7/provider-storemgmt.7
index 11ccf5ec4fbb..fc857e8855be 100644
--- a/secure/lib/libcrypto/man/man7/provider-storemgmt.7
+++ b/secure/lib/libcrypto/man/man7/provider-storemgmt.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,77 +52,17 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER-STOREMGMT 7ossl"
-.TH PROVIDER-STOREMGMT 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER-STOREMGMT 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider\-storemgmt \- The OSSL_STORE library <\-> provider functions
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/core_dispatch.h>
@@ -162,13 +86,21 @@ provider\-storemgmt \- The OSSL_STORE library <\-> provider functions
\& int OSSL_FUNC_store_export_object
\& (void *loaderctx, const void *objref, size_t objref_sz,
\& OSSL_CALLBACK *export_cb, void *export_cbarg);
+\& void *OSSL_FUNC_store_open_ex(void *provctx, const char *uri,
+\& const OSSL_PARAM params[],
+\& OSSL_PASSPHRASE_CALLBACK *pw_cb,
+\& void *pw_cbarg);
+\&
+\& int OSSL_FUNC_store_delete(void *provctx, const char *uri,
+\& const OSSL_PARAM params[],
+\& OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg);
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-The \s-1STORE\s0 operation is the provider side of the \fBossl_store\fR\|(7) \s-1API.\s0
+The STORE operation is the provider side of the \fBossl_store\fR\|(7) API.
.PP
-The primary responsibility of the \s-1STORE\s0 operation is to load all sorts
-of objects from a container indicated by \s-1URI.\s0 These objects are given
+The primary responsibility of the STORE operation is to load all sorts
+of objects from a container indicated by URI. These objects are given
to the OpenSSL library in provider-native object abstraction form (see
\&\fBprovider\-object\fR\|(7)). The OpenSSL library is then responsible for
passing on that abstraction to suitable provided functions.
@@ -178,16 +110,16 @@ include \fBOSSL_FUNC_keymgmt_load()\fR (\fBprovider\-keymgmt\fR\|(7)),
\&\fBOSSL_FUNC_store_export_object()\fR (which exports the object in parameterized
form).
.PP
-All \*(L"functions\*(R" mentioned here are passed as function pointers between
-\&\fIlibcrypto\fR and the provider in \s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays via
-\&\s-1\fBOSSL_ALGORITHM\s0\fR\|(3) arrays that are returned by the provider's
+All "functions" mentioned here are passed as function pointers between
+\&\fIlibcrypto\fR and the provider in \fBOSSL_DISPATCH\fR\|(3) arrays via
+\&\fBOSSL_ALGORITHM\fR\|(3) arrays that are returned by the provider's
\&\fBprovider_query_operation()\fR function
-(see \*(L"Provider Functions\*(R" in \fBprovider\-base\fR\|(7)).
+(see "Provider Functions" in \fBprovider\-base\fR\|(7)).
.PP
-All these \*(L"functions\*(R" have a corresponding function type definition named
+All these "functions" have a corresponding function type definition named
\&\fBOSSL_FUNC_{name}_fn\fR, and a helper function to retrieve the function pointer
-from a \s-1\fBOSSL_DISPATCH\s0\fR\|(3) element named \fBOSSL_get_{name}\fR.
-For example, the \*(L"function\*(R" \fBOSSL_FUNC_store_attach()\fR has these:
+from a \fBOSSL_DISPATCH\fR\|(3) element named \fBOSSL_get_{name}\fR.
+For example, the "function" \fBOSSL_FUNC_store_attach()\fR has these:
.PP
.Vb 4
\& typedef void *(OSSL_FUNC_store_attach_fn)(void *provctx,
@@ -196,10 +128,10 @@ For example, the \*(L"function\*(R" \fBOSSL_FUNC_store_attach()\fR has these:
\& OSSL_FUNC_store_attach(const OSSL_DISPATCH *opf);
.Ve
.PP
-\&\s-1\fBOSSL_DISPATCH\s0\fR\|(3) arrays are indexed by numbers that are provided as macros
+\&\fBOSSL_DISPATCH\fR\|(3) arrays are indexed by numbers that are provided as macros
in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
.PP
-.Vb 8
+.Vb 10
\& OSSL_FUNC_store_open OSSL_FUNC_STORE_OPEN
\& OSSL_FUNC_store_attach OSSL_FUNC_STORE_ATTACH
\& OSSL_FUNC_store_settable_ctx_params OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS
@@ -208,28 +140,30 @@ in \fBopenssl\-core_dispatch.h\fR\|(7), as follows:
\& OSSL_FUNC_store_eof OSSL_FUNC_STORE_EOF
\& OSSL_FUNC_store_close OSSL_FUNC_STORE_CLOSE
\& OSSL_FUNC_store_export_object OSSL_FUNC_STORE_EXPORT_OBJECT
+\& OSSL_FUNC_store_delete OSSL_FUNC_STORE_DELETE
+\& OSSL_FUNC_store_open_ex OSSL_FUNC_STORE_OPEN_EX
.Ve
-.SS "Functions"
+.SS Functions
.IX Subsection "Functions"
\&\fBOSSL_FUNC_store_open()\fR should create a provider side context with data based
on the input \fIuri\fR. The implementation is entirely responsible for the
-interpretation of the \s-1URI.\s0
+interpretation of the URI.
.PP
\&\fBOSSL_FUNC_store_attach()\fR should create a provider side context with the core
-\&\fB\s-1BIO\s0\fR \fIbio\fR attached. This is an alternative to using a \s-1URI\s0 to find storage,
+\&\fBBIO\fR \fIbio\fR attached. This is an alternative to using a URI to find storage,
supporting \fBOSSL_STORE_attach\fR\|(3).
.PP
\&\fBOSSL_FUNC_store_settable_ctx_params()\fR should return a constant array of
-descriptor \s-1\fBOSSL_PARAM\s0\fR\|(3), for parameters that \fBOSSL_FUNC_store_set_ctx_params()\fR
+descriptor \fBOSSL_PARAM\fR\|(3), for parameters that \fBOSSL_FUNC_store_set_ctx_params()\fR
can handle.
.PP
\&\fBOSSL_FUNC_store_set_ctx_params()\fR should set additional parameters, such as what
kind of data to expect, search criteria, and so on. More on those below, in
-\&\*(L"Load Parameters\*(R". Whether unrecognised parameters are an error or simply
+"Load Parameters". Whether unrecognised parameters are an error or simply
ignored is at the implementation's discretion.
-Passing \s-1NULL\s0 for \fIparams\fR should return true.
+Passing NULL for \fIparams\fR should return true.
.PP
-\&\fBOSSL_FUNC_store_load()\fR loads the next object from the \s-1URI\s0 opened by
+\&\fBOSSL_FUNC_store_load()\fR loads the next object from the URI opened by
\&\fBOSSL_FUNC_store_open()\fR, creates an object abstraction for it (see
\&\fBprovider\-object\fR\|(7)), and calls \fIobject_cb\fR with it as well as
\&\fIobject_cbarg\fR. \fIobject_cb\fR will then interpret the object abstraction
@@ -238,7 +172,7 @@ case a passphrase needs to be prompted to unlock an object, \fIpw_cb\fR should
be called.
.PP
\&\fBOSSL_FUNC_store_eof()\fR indicates if the end of the set of objects from the
-\&\s-1URI\s0 has been reached. When that happens, there's no point trying to do any
+URI has been reached. When that happens, there's no point trying to do any
further loading.
.PP
\&\fBOSSL_FUNC_store_close()\fR frees the provider side context \fIctx\fR.
@@ -249,13 +183,24 @@ exporting the object to that foreign provider if the foreign provider
supports the type of the object and provides an import function.
.PP
\&\fBOSSL_FUNC_store_export_object()\fR should export the object of size \fIobjref_sz\fR
-referenced by \fIobjref\fR as an \s-1\fBOSSL_PARAM\s0\fR\|(3) array and pass that to the
+referenced by \fIobjref\fR as an \fBOSSL_PARAM\fR\|(3) array and pass that to the
\&\fIexport_cb\fR as well as the given \fIexport_cbarg\fR.
+.PP
+\&\fBOSSL_FUNC_store_delete()\fR deletes the object identified by the \fIuri\fR. The
+implementation is entirely responsible for the interpretation of the URI. In
+case a passphrase needs to be prompted to remove an object, \fIpw_cb\fR should be
+called.
+.PP
+\&\fBOSSL_FUNC_store_open_ex()\fR is an extended variant of \fBOSSL_FUNC_store_open()\fR. If
+the provider does not implement this function the code internally falls back to
+use the original \fBOSSL_FUNC_store_open()\fR.
+This variant additionally accepts an \fBOSSL_PARAM\fR\|(3) object and a \fIpw_cb\fR
+callback that can be used to request a passphrase in cases where the whole
+store needs to be unlocked before performing any load operation.
.SS "Load Parameters"
.IX Subsection "Load Parameters"
-.ie n .IP """expect"" (\fB\s-1OSSL_STORE_PARAM_EXPECT\s0\fR) <integer>" 4
-.el .IP "``expect'' (\fB\s-1OSSL_STORE_PARAM_EXPECT\s0\fR) <integer>" 4
-.IX Item "expect (OSSL_STORE_PARAM_EXPECT) <integer>"
+.IP """expect"" (\fBOSSL_STORE_PARAM_EXPECT\fR) <integer>" 4
+.IX Item """expect"" (OSSL_STORE_PARAM_EXPECT) <integer>"
Is a hint of what type of data the OpenSSL library expects to get.
This is only useful for optimization, as the library will check that the
object types match the expectation too.
@@ -263,68 +208,62 @@ object types match the expectation too.
The number that can be given through this parameter is found in
\&\fI<openssl/store.h>\fR, with the macros having names starting with
\&\f(CW\*(C`OSSL_STORE_INFO_\*(C'\fR. These are further described in
-\&\*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3).
-.ie n .IP """subject"" (\fB\s-1OSSL_STORE_PARAM_SUBJECT\s0\fR) <octet string>" 4
-.el .IP "``subject'' (\fB\s-1OSSL_STORE_PARAM_SUBJECT\s0\fR) <octet string>" 4
-.IX Item "subject (OSSL_STORE_PARAM_SUBJECT) <octet string>"
+"SUPPORTED OBJECTS" in \fBOSSL_STORE_INFO\fR\|(3).
+.IP """subject"" (\fBOSSL_STORE_PARAM_SUBJECT\fR) <octet string>" 4
+.IX Item """subject"" (OSSL_STORE_PARAM_SUBJECT) <octet string>"
Indicates that the caller wants to search for an object with the given
subject associated. This can be used to select specific certificates
by subject.
.Sp
-The contents of the octet string is expected to be in \s-1DER\s0 form.
-.ie n .IP """issuer"" (\fB\s-1OSSL_STORE_PARAM_ISSUER\s0\fR) <octet string>" 4
-.el .IP "``issuer'' (\fB\s-1OSSL_STORE_PARAM_ISSUER\s0\fR) <octet string>" 4
-.IX Item "issuer (OSSL_STORE_PARAM_ISSUER) <octet string>"
+The contents of the octet string is expected to be in DER form.
+.IP """issuer"" (\fBOSSL_STORE_PARAM_ISSUER\fR) <octet string>" 4
+.IX Item """issuer"" (OSSL_STORE_PARAM_ISSUER) <octet string>"
Indicates that the caller wants to search for an object with the given
issuer associated. This can be used to select specific certificates
by issuer.
.Sp
-The contents of the octet string is expected to be in \s-1DER\s0 form.
-.ie n .IP """serial"" (\fB\s-1OSSL_STORE_PARAM_SERIAL\s0\fR) <integer>" 4
-.el .IP "``serial'' (\fB\s-1OSSL_STORE_PARAM_SERIAL\s0\fR) <integer>" 4
-.IX Item "serial (OSSL_STORE_PARAM_SERIAL) <integer>"
+The contents of the octet string is expected to be in DER form.
+.IP """serial"" (\fBOSSL_STORE_PARAM_SERIAL\fR) <integer>" 4
+.IX Item """serial"" (OSSL_STORE_PARAM_SERIAL) <integer>"
Indicates that the caller wants to search for an object with the given
serial number associated.
-.ie n .IP """digest"" (\fB\s-1OSSL_STORE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``digest'' (\fB\s-1OSSL_STORE_PARAM_DIGEST\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "digest (OSSL_STORE_PARAM_DIGEST) <UTF8 string>"
+.IP """digest"" (\fBOSSL_STORE_PARAM_DIGEST\fR) <UTF8 string>" 4
+.IX Item """digest"" (OSSL_STORE_PARAM_DIGEST) <UTF8 string>"
.PD 0
-.ie n .IP """fingerprint"" (\fB\s-1OSSL_STORE_PARAM_FINGERPRINT\s0\fR) <octet string>" 4
-.el .IP "``fingerprint'' (\fB\s-1OSSL_STORE_PARAM_FINGERPRINT\s0\fR) <octet string>" 4
-.IX Item "fingerprint (OSSL_STORE_PARAM_FINGERPRINT) <octet string>"
+.IP """fingerprint"" (\fBOSSL_STORE_PARAM_FINGERPRINT\fR) <octet string>" 4
+.IX Item """fingerprint"" (OSSL_STORE_PARAM_FINGERPRINT) <octet string>"
.PD
Indicates that the caller wants to search for an object with the given
fingerprint, computed with the given digest.
-.ie n .IP """alias"" (\fB\s-1OSSL_STORE_PARAM_ALIAS\s0\fR) <\s-1UTF8\s0 string>" 4
-.el .IP "``alias'' (\fB\s-1OSSL_STORE_PARAM_ALIAS\s0\fR) <\s-1UTF8\s0 string>" 4
-.IX Item "alias (OSSL_STORE_PARAM_ALIAS) <UTF8 string>"
+.IP """alias"" (\fBOSSL_STORE_PARAM_ALIAS\fR) <UTF8 string>" 4
+.IX Item """alias"" (OSSL_STORE_PARAM_ALIAS) <UTF8 string>"
Indicates that the caller wants to search for an object with the given
-alias (some call it a \*(L"friendly name\*(R").
-.ie n .IP """properties"" (\fB\s-1OSSL_STORE_PARAM_PROPERTIES\s0) <utf8 string\fR" 4
-.el .IP "``properties'' (\fB\s-1OSSL_STORE_PARAM_PROPERTIES\s0) <utf8 string\fR" 4
-.IX Item "properties (OSSL_STORE_PARAM_PROPERTIES) <utf8 string"
-Property string to use when querying for algorithms such as the \fB\s-1OSSL_DECODER\s0\fR
+alias (some call it a "friendly name").
+.IP """properties"" (\fBOSSL_STORE_PARAM_PROPERTIES\fR) <utf8 string>" 4
+.IX Item """properties"" (OSSL_STORE_PARAM_PROPERTIES) <utf8 string>"
+Property string to use when querying for algorithms such as the \fBOSSL_DECODER\fR
decoder implementations.
-.ie n .IP """input-type"" (\fB\s-1OSSL_STORE_PARAM_INPUT_TYPE\s0) <utf8 string\fR" 4
-.el .IP "``input-type'' (\fB\s-1OSSL_STORE_PARAM_INPUT_TYPE\s0) <utf8 string\fR" 4
-.IX Item "input-type (OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string"
+.IP """input-type"" (\fBOSSL_STORE_PARAM_INPUT_TYPE\fR) <utf8 string>" 4
+.IX Item """input-type"" (OSSL_STORE_PARAM_INPUT_TYPE) <utf8 string>"
Type of the input format as a hint to use when decoding the objects in the
store.
.PP
Several of these search criteria may be combined. For example, to
-search for a certificate by issuer+serial, both the \*(L"issuer\*(R" and the
-\&\*(L"serial\*(R" parameters will be given.
+search for a certificate by issuer+serial, both the "issuer" and the
+"serial" parameters will be given.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBprovider\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
-The \s-1STORE\s0 interface was introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+The STORE interface was introduced in OpenSSL 3.0.
+.PP
+\&\fBOSSL_FUNC_store_delete()\fR callback was added in OpenSSL 3.2
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2020\-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020\-2023 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/provider.7 b/secure/lib/libcrypto/man/man7/provider.7
index 23a4ea979ce5..1870b49e57d9 100644
--- a/secure/lib/libcrypto/man/man7/provider.7
+++ b/secure/lib/libcrypto/man/man7/provider.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,82 +52,22 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROVIDER 7ossl"
-.TH PROVIDER 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROVIDER 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
provider \- OpenSSL operation implementation providers
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
#include <openssl/provider.h>
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-.SS "General"
+.SS General
.IX Subsection "General"
This page contains information useful to provider authors.
.PP
@@ -152,7 +76,7 @@ or more implementations for various operations for diverse algorithms
that one might want to perform.
.PP
An \fIoperation\fR is something one wants to do, such as encryption and
-decryption, key derivation, \s-1MAC\s0 calculation, signing and verification,
+decryption, key derivation, MAC calculation, signing and verification,
etc.
.PP
An \fIalgorithm\fR is a named method to perform an operation.
@@ -161,11 +85,11 @@ but may also revolve around other types of operation, such as managing
certain types of objects.
.PP
See \fBcrypto\fR\|(7) for further details.
-.SS "Provider"
+.SS Provider
.IX Subsection "Provider"
A \fIprovider\fR offers an initialization function, as a set of base
-functions in the form of an \s-1\fBOSSL_DISPATCH\s0\fR\|(3) array, and by extension,
-a set of \s-1\fBOSSL_ALGORITHM\s0\fR\|(3)s (see \fBopenssl\-core.h\fR\|(7)).
+functions in the form of an \fBOSSL_DISPATCH\fR\|(3) array, and by extension,
+a set of \fBOSSL_ALGORITHM\fR\|(3)s (see \fBopenssl\-core.h\fR\|(7)).
It may be a dynamically loadable module, or may be built-in, in
OpenSSL libraries or in the application.
If it's a dynamically loadable module, the initialization function
@@ -207,7 +131,7 @@ the initialization function has completed and returned successfully.
One of the functions the provider offers to the OpenSSL libraries is
the central mechanism for the OpenSSL libraries to get access to
operation implementations for diverse algorithms.
-Its referred to with the number \fB\s-1OSSL_FUNC_PROVIDER_QUERY_OPERATION\s0\fR
+Its referred to with the number \fBOSSL_FUNC_PROVIDER_QUERY_OPERATION\fR
and has the following signature:
.PP
.Vb 3
@@ -219,18 +143,18 @@ and has the following signature:
\&\fIprovctx\fR is the provider specific context that was passed back by
the initialization function.
.PP
-\&\fIoperation_id\fR is an operation identity (see \*(L"Operations\*(R" below).
+\&\fIoperation_id\fR is an operation identity (see "Operations" below).
.PP
\&\fIno_store\fR is a flag back to the OpenSSL libraries which, when
nonzero, signifies that the OpenSSL libraries will not store a
reference to the returned data in their internal store of
implementations.
.PP
-The returned \s-1\fBOSSL_ALGORITHM\s0\fR\|(3) is the foundation of any OpenSSL
-library \s-1API\s0 that uses providers for their implementation, most
+The returned \fBOSSL_ALGORITHM\fR\|(3) is the foundation of any OpenSSL
+library API that uses providers for their implementation, most
commonly in the \fIfetching\fR type of functions
-(see \*(L"\s-1ALGORITHM FETCHING\*(R"\s0 in \fBcrypto\fR\|(7)).
-.SS "Operations"
+(see "ALGORITHM FETCHING" in \fBcrypto\fR\|(7)).
+.SS Operations
.IX Subsection "Operations"
Operations are referred to with numbers, via macros with names
starting with \f(CW\*(C`OSSL_OP_\*(C'\fR.
@@ -239,85 +163,85 @@ With each operation comes a set of defined function types that a
provider may or may not offer, depending on its needs.
.PP
Currently available operations are:
-.IP "Digests" 4
+.IP Digests 4
.IX Item "Digests"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1EVP_MD\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_DIGEST\s0\fR.
+\&\fBEVP_MD\fR.
+The number for this operation is \fBOSSL_OP_DIGEST\fR.
The functions the provider can offer are described in
\&\fBprovider\-digest\fR\|(7).
.IP "Symmetric ciphers" 4
.IX Item "Symmetric ciphers"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1EVP_CIPHER\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_CIPHER\s0\fR.
+\&\fBEVP_CIPHER\fR.
+The number for this operation is \fBOSSL_OP_CIPHER\fR.
The functions the provider can offer are described in
\&\fBprovider\-cipher\fR\|(7).
-.IP "Message Authentication Code (\s-1MAC\s0)" 4
+.IP "Message Authentication Code (MAC)" 4
.IX Item "Message Authentication Code (MAC)"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1EVP_MAC\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_MAC\s0\fR.
+\&\fBEVP_MAC\fR.
+The number for this operation is \fBOSSL_OP_MAC\fR.
The functions the provider can offer are described in
\&\fBprovider\-mac\fR\|(7).
-.IP "Key Derivation Function (\s-1KDF\s0)" 4
+.IP "Key Derivation Function (KDF)" 4
.IX Item "Key Derivation Function (KDF)"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1EVP_KDF\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_KDF\s0\fR.
+\&\fBEVP_KDF\fR.
+The number for this operation is \fBOSSL_OP_KDF\fR.
The functions the provider can offer are described in
\&\fBprovider\-kdf\fR\|(7).
.IP "Key Exchange" 4
.IX Item "Key Exchange"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1EVP_KEYEXCH\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_KEYEXCH\s0\fR.
+\&\fBEVP_KEYEXCH\fR.
+The number for this operation is \fBOSSL_OP_KEYEXCH\fR.
The functions the provider can offer are described in
\&\fBprovider\-keyexch\fR\|(7).
.IP "Asymmetric Ciphers" 4
.IX Item "Asymmetric Ciphers"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1EVP_ASYM_CIPHER\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_ASYM_CIPHER\s0\fR.
+\&\fBEVP_ASYM_CIPHER\fR.
+The number for this operation is \fBOSSL_OP_ASYM_CIPHER\fR.
The functions the provider can offer are described in
\&\fBprovider\-asym_cipher\fR\|(7).
.IP "Asymmetric Key Encapsulation" 4
.IX Item "Asymmetric Key Encapsulation"
-In the OpenSSL libraries, the corresponding method object is \fB\s-1EVP_KEM\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_KEM\s0\fR.
+In the OpenSSL libraries, the corresponding method object is \fBEVP_KEM\fR.
+The number for this operation is \fBOSSL_OP_KEM\fR.
The functions the provider can offer are described in \fBprovider\-kem\fR\|(7).
-.IP "Encoding" 4
+.IP Encoding 4
.IX Item "Encoding"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1OSSL_ENCODER\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_ENCODER\s0\fR.
+\&\fBOSSL_ENCODER\fR.
+The number for this operation is \fBOSSL_OP_ENCODER\fR.
The functions the provider can offer are described in
\&\fBprovider\-encoder\fR\|(7).
-.IP "Decoding" 4
+.IP Decoding 4
.IX Item "Decoding"
In the OpenSSL libraries, the corresponding method object is
-\&\fB\s-1OSSL_DECODER\s0\fR.
-The number for this operation is \fB\s-1OSSL_OP_DECODER\s0\fR.
+\&\fBOSSL_DECODER\fR.
+The number for this operation is \fBOSSL_OP_DECODER\fR.
The functions the provider can offer are described in
\&\fBprovider\-decoder\fR\|(7).
.IP "Random Number Generation" 4
.IX Item "Random Number Generation"
-The number for this operation is \fB\s-1OSSL_OP_RAND\s0\fR.
+The number for this operation is \fBOSSL_OP_RAND\fR.
The functions the provider can offer for random number generation are described
in \fBprovider\-rand\fR\|(7).
.IP "Key Management" 4
.IX Item "Key Management"
-The number for this operation is \fB\s-1OSSL_OP_KEYMGMT\s0\fR.
+The number for this operation is \fBOSSL_OP_KEYMGMT\fR.
The functions the provider can offer for key management are described in
\&\fBprovider\-keymgmt\fR\|(7).
.IP "Signing and Signature Verification" 4
.IX Item "Signing and Signature Verification"
-The number for this operation is \fB\s-1OSSL_OP_SIGNATURE\s0\fR.
+The number for this operation is \fBOSSL_OP_SIGNATURE\fR.
The functions the provider can offer for digital signatures are described in
\&\fBprovider\-signature\fR\|(7).
.IP "Store Management" 4
.IX Item "Store Management"
-The number for this operation is \fB\s-1OSSL_OP_STORE\s0\fR.
+The number for this operation is \fBOSSL_OP_STORE\fR.
The functions the provider can offer for store management are described in
\&\fBprovider\-storemgmt\fR\|(7).
.PP
@@ -328,21 +252,44 @@ Algorithm names are case insensitive. Any particular algorithm can have multiple
aliases associated with it. The canonical OpenSSL naming scheme follows this
format:
.PP
-ALGNAME[\s-1VERSION\s0?][\-SUBNAME[\s-1VERSION\s0?]?][\-SIZE?][\-MODE?]
+ALGNAME[VERSION?][\-SUBNAME[VERSION?]?][\-SIZE?][\-MODE?]
.PP
-\&\s-1VERSION\s0 is only present if there are multiple versions of an algorithm (e.g.
-\&\s-1MD2, MD4, MD5\s0). It may be omitted if there is only one version.
+VERSION is only present if there are multiple versions of an algorithm (e.g.
+MD2, MD4, MD5). It may be omitted if there is only one version.
.PP
-\&\s-1SUBNAME\s0 may be present where multiple algorithms are combined together,
-e.g. \s-1MD5\-SHA1.\s0
+SUBNAME may be present where multiple algorithms are combined together,
+e.g. MD5\-SHA1.
.PP
-\&\s-1SIZE\s0 is only present if multiple versions of an algorithm exist with different
-sizes (e.g. \s-1AES\-128\-CBC, AES\-256\-CBC\s0)
+SIZE is only present if multiple versions of an algorithm exist with different
+sizes (e.g. AES\-128\-CBC, AES\-256\-CBC)
.PP
-\&\s-1MODE\s0 is only present where applicable.
+MODE is only present where applicable.
.PP
Other aliases may exist for example where standards bodies or common practice
use alternative names or names that OpenSSL has used historically.
+.PP
+\fIProvider dependencies\fR
+.IX Subsection "Provider dependencies"
+.PP
+Providers may depend for their proper operation on the availability of
+(functionality implemented in) other providers. As there is no mechanism to
+express such dependencies towards the OpenSSL core, provider authors must
+take care that such dependencies are either completely avoided or made visible
+to users, e.g., by documentation and/or defensive programming, e.g.,
+outputting error messages if required external dependencies are not available,
+e.g., when no provider implementing the required functionality has been
+activated. In particular, provider initialization should not depend on other
+providers already having been initialized.
+.PP
+\fINote on naming clashes\fR
+.IX Subsection "Note on naming clashes"
+.PP
+It is possible to register the same algorithm name from within different
+providers. Users should note that if no property query is specified, or
+more than one implementation matches the property query then it is
+unspecified which implementation of a particular algorithm will be returned.
+Such naming clashes may also occur if algorithms only differ in
+capitalization as "Algorithm naming" is case insensitive.
.SH "OPENSSL PROVIDERS"
.IX Header "OPENSSL PROVIDERS"
OpenSSL provides a number of its own providers. These are the default, base,
@@ -351,7 +298,7 @@ providers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit_ex\fR\|(3), \fBEVP_EncryptInit_ex\fR\|(3),
-\&\s-1\fBOSSL_LIB_CTX\s0\fR\|(3),
+\&\fBOSSL_LIB_CTX\fR\|(3),
\&\fBEVP_set_default_properties\fR\|(3),
\&\fBEVP_MD_fetch\fR\|(3),
\&\fBEVP_CIPHER_fetch\fR\|(3),
@@ -361,15 +308,15 @@ providers.
\&\fBprovider\-digest\fR\|(7),
\&\fBprovider\-cipher\fR\|(7),
\&\fBprovider\-keyexch\fR\|(7)
-.SH "HISTORY"
+.SH HISTORY
.IX Header "HISTORY"
The concept of providers and everything surrounding them was
introduced in OpenSSL 3.0.
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/proxy-certificates.7 b/secure/lib/libcrypto/man/man7/proxy-certificates.7
index 7eae21849f5b..a24e8b9ac0bc 100644
--- a/secure/lib/libcrypto/man/man7/proxy-certificates.7
+++ b/secure/lib/libcrypto/man/man7/proxy-certificates.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,93 +52,33 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROXY-CERTIFICATES 7ossl"
-.TH PROXY-CERTIFICATES 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROXY-CERTIFICATES 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
proxy\-certificates \- Proxy certificates in OpenSSL
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
-Proxy certificates are defined in \s-1RFC 3820.\s0 They are used to
+Proxy certificates are defined in RFC 3820. They are used to
extend rights to some other entity (a computer process, typically, or
sometimes to the user itself). This allows the entity to perform
-operations on behalf of the owner of the \s-1EE\s0 (End Entity) certificate.
+operations on behalf of the owner of the EE (End Entity) certificate.
.PP
The requirements for a valid proxy certificate are:
-.IP "\(bu" 4
-They are issued by an End Entity, either a normal \s-1EE\s0 certificate, or
+.IP \(bu 4
+They are issued by an End Entity, either a normal EE certificate, or
another proxy certificate.
-.IP "\(bu" 4
+.IP \(bu 4
They must not have the \fBsubjectAltName\fR or \fBissuerAltName\fR
extensions.
-.IP "\(bu" 4
+.IP \(bu 4
They must have the \fBproxyCertInfo\fR extension.
-.IP "\(bu" 4
+.IP \(bu 4
They must have the subject of their issuer, with one \fBcommonName\fR
added.
.SS "Enabling proxy certificate verification"
@@ -173,7 +97,7 @@ or
\& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);
.Ve
.PP
-See \*(L"\s-1NOTES\*(R"\s0 for a discussion on this requirement.
+See "NOTES" for a discussion on this requirement.
.SS "Creating proxy certificates"
.IX Subsection "Creating proxy certificates"
Creating proxy certificates can be done using the \fBopenssl\-x509\fR\|(1)
@@ -203,14 +127,14 @@ It's also possible to specify the proxy extension in a separate section:
The policy value has a specific syntax, \fIsyntag\fR:\fIstring\fR, where the
\&\fIsyntag\fR determines what will be done with the string. The following
\&\fIsyntag\fRs are recognised:
-.IP "\fBtext\fR" 4
+.IP \fBtext\fR 4
.IX Item "text"
indicates that the string is a byte sequence, without any encoding:
.Sp
.Vb 1
-\& policy=text:ra\*:ksmo\*:rga\*os
+\& policy=text:räksmörgås
.Ve
-.IP "\fBhex\fR" 4
+.IP \fBhex\fR 4
.IX Item "hex"
indicates the string is encoded hexadecimal encoded binary data, with
colons between each byte (every second hex digit):
@@ -218,11 +142,11 @@ colons between each byte (every second hex digit):
.Vb 1
\& policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
.Ve
-.IP "\fBfile\fR" 4
+.IP \fBfile\fR 4
.IX Item "file"
indicates that the text of the policy should be taken from a file.
The string is then a filename. This is useful for policies that are
-more than a few lines, such as \s-1XML\s0 or other markup.
+more than a few lines, such as XML or other markup.
.PP
Note that the proxy policy value is what determines the rights granted
to the process during the proxy certificate, and it is up to the
@@ -259,24 +183,24 @@ configuration section for the proxy extensions:
To interpret proxy policies, the application would normally start with
some default rights (perhaps none at all), then compute the resulting
rights by checking the rights against the chain of proxy certificates,
-user certificate and \s-1CA\s0 certificates.
+user certificate and CA certificates.
.PP
The complicated part is figuring out how to pass data between your
application and the certificate validation procedure.
.PP
The following ingredients are needed for such processing:
-.IP "\(bu" 4
+.IP \(bu 4
a callback function that will be called for every certificate being
validated. The callback is called several times for each certificate,
so you must be careful to do the proxy policy interpretation at the
-right time. You also need to fill in the defaults when the \s-1EE\s0
+right time. You also need to fill in the defaults when the EE
certificate is checked.
-.IP "\(bu" 4
+.IP \(bu 4
a data structure that is shared between your application code and the
callback.
-.IP "\(bu" 4
+.IP \(bu 4
a wrapper function that sets it all up.
-.IP "\(bu" 4
+.IP \(bu 4
an ex_data index function that creates an index into the generic
ex_data store that is attached to an X509 validation context.
.PP
@@ -368,7 +292,7 @@ The following skeleton code can be used as a starting point:
\& * another, temporary bit array and fill it with
\& * the rights granted by the current proxy
\& * certificate, then use it as a mask on the
-\& * accumulated rights bit array, and voila\*`, you
+\& * accumulated rights bit array, and voilà, you
\& * now have a new accumulated rights bit array.
\& */
\& {
@@ -436,14 +360,14 @@ The following skeleton code can be used as a starting point:
\& }
.Ve
.PP
-If you use \s-1SSL\s0 or \s-1TLS,\s0 you can easily set up a callback to have the
+If you use SSL or TLS, you can easily set up a callback to have the
certificates checked properly, using the code above:
.PP
.Vb 2
\& SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert,
\& &needed_rights);
.Ve
-.SH "NOTES"
+.SH NOTES
.IX Header "NOTES"
To this date, it seems that proxy certificates have only been used in
environments that are aware of them, and no one seems to have
@@ -463,12 +387,12 @@ the same as the issuer, with one commonName added on.
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3),
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3),
\&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1),
-\&\s-1RFC 3820\s0 <https://tools.ietf.org/html/rfc3820>
-.SH "COPYRIGHT"
+RFC 3820 <https://tools.ietf.org/html/rfc3820>
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ssl.7 b/secure/lib/libcrypto/man/man7/ssl.7
deleted file mode 100644
index 054e78e2452a..000000000000
--- a/secure/lib/libcrypto/man/man7/ssl.7
+++ /dev/null
@@ -1,227 +0,0 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C` ""
-. ds C' ""
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-. ds C`
-. ds C'
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is >0, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.\"
-.\" Avoid warning from groff about undefined register 'F'.
-.de IX
-..
-.nr rF 0
-.if \n(.g .if rF .nr rF 1
-.if (\n(rF:(\n(.g==0)) \{\
-. if \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. if !\nF==2 \{\
-. nr % 0
-. nr F 2
-. \}
-. \}
-.\}
-.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SSL 7ossl"
-.TH SSL 7ossl "2023-09-19" "3.0.11" "OpenSSL"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-ssl \- OpenSSL SSL/TLS library
-.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-See the individual manual pages for details.
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The OpenSSL \fBssl\fR library implements several versions of the
-Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer
-Security protocols.
-This page gives a brief overview of the extensive \s-1API\s0 and data types
-provided by the library.
-.PP
-An \fB\s-1SSL_CTX\s0\fR object is created as a framework to establish
-\&\s-1TLS/SSL\s0 enabled connections (see \fBSSL_CTX_new\fR\|(3)).
-Various options regarding certificates, algorithms etc. can be set
-in this object.
-.PP
-When a network connection has been created, it can be assigned to an
-\&\fB\s-1SSL\s0\fR object. After the \fB\s-1SSL\s0\fR object has been created using
-\&\fBSSL_new\fR\|(3), \fBSSL_set_fd\fR\|(3) or
-\&\fBSSL_set_bio\fR\|(3) can be used to associate the network
-connection with the object.
-.PP
-When the \s-1TLS/SSL\s0 handshake is performed using
-\&\fBSSL_accept\fR\|(3) or \fBSSL_connect\fR\|(3)
-respectively.
-\&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) and \fBSSL_write\fR\|(3) are
-used to read and write data on the \s-1TLS/SSL\s0 connection.
-\&\fBSSL_shutdown\fR\|(3) can be used to shut down the
-\&\s-1TLS/SSL\s0 connection.
-.SH "DATA STRUCTURES"
-.IX Header "DATA STRUCTURES"
-Here are some of the main data structures in the library.
-.IP "\fB\s-1SSL_METHOD\s0\fR (\s-1SSL\s0 Method)" 4
-.IX Item "SSL_METHOD (SSL Method)"
-This is a dispatch structure describing the internal \fBssl\fR library
-methods/functions which implement the various protocol versions (SSLv3
-TLSv1, ...). It's needed to create an \fB\s-1SSL_CTX\s0\fR.
-.IP "\fB\s-1SSL_CIPHER\s0\fR (\s-1SSL\s0 Cipher)" 4
-.IX Item "SSL_CIPHER (SSL Cipher)"
-This structure holds the algorithm information for a particular cipher which
-are a core part of the \s-1SSL/TLS\s0 protocol. The available ciphers are configured
-on a \fB\s-1SSL_CTX\s0\fR basis and the actual ones used are then part of the
-\&\fB\s-1SSL_SESSION\s0\fR.
-.IP "\fB\s-1SSL_CTX\s0\fR (\s-1SSL\s0 Context)" 4
-.IX Item "SSL_CTX (SSL Context)"
-This is the global context structure which is created by a server or client
-once per program life-time and which holds mainly default values for the
-\&\fB\s-1SSL\s0\fR structures which are later created for the connections.
-.IP "\fB\s-1SSL_SESSION\s0\fR (\s-1SSL\s0 Session)" 4
-.IX Item "SSL_SESSION (SSL Session)"
-This is a structure containing the current \s-1TLS/SSL\s0 session details for a
-connection: \fB\s-1SSL_CIPHER\s0\fRs, client and server certificates, keys, etc.
-.IP "\fB\s-1SSL\s0\fR (\s-1SSL\s0 Connection)" 4
-.IX Item "SSL (SSL Connection)"
-This is the main \s-1SSL/TLS\s0 structure which is created by a server or client per
-established connection. This actually is the core structure in the \s-1SSL API.\s0
-At run-time the application usually deals with this structure which has
-links to mostly all other structures.
-.SH "HEADER FILES"
-.IX Header "HEADER FILES"
-Currently the OpenSSL \fBssl\fR library provides the following C header files
-containing the prototypes for the data structures and functions:
-.IP "\fI<openssl/ssl.h>\fR" 4
-.IX Item "<openssl/ssl.h>"
-This is the common header file for the \s-1SSL/TLS API.\s0 Include it into your
-program to make the \s-1API\s0 of the \fBssl\fR library available. It internally
-includes both more private \s-1SSL\s0 headers and headers from the \fBcrypto\fR library.
-Whenever you need hard-core details on the internals of the \s-1SSL API,\s0 look
-inside this header file.
-This file also includes the others listed below.
-.IP "\fI<openssl/ssl2.h>\fR" 4
-.IX Item "<openssl/ssl2.h>"
-Unused. Present for backwards compatibility only.
-.IP "\fI<openssl/ssl3.h>\fR" 4
-.IX Item "<openssl/ssl3.h>"
-This is the sub header file dealing with the SSLv3 protocol only.
-.IP "\fI<openssl/tls1.h>\fR" 4
-.IX Item "<openssl/tls1.h>"
-This is the sub header file dealing with the TLSv1 protocol only.
-.SH "COPYRIGHT"
-.IX Header "COPYRIGHT"
-Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
-.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
-<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/x509.7 b/secure/lib/libcrypto/man/man7/x509.7
index 5a5967daf3da..43e475903f08 100644
--- a/secure/lib/libcrypto/man/man7/x509.7
+++ b/secure/lib/libcrypto/man/man7/x509.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
@@ -15,29 +16,12 @@
.ft R
.fi
..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
. ds C`
. ds C'
'br\}
@@ -68,93 +52,33 @@
. \}
.\}
.rr rF
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509 7ossl"
-.TH X509 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH X509 7ossl 2025-07-01 3.5.1 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
-.SH "NAME"
+.SH NAME
x509 \- X.509 certificate handling
-.SH "SYNOPSIS"
+.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
.Ve
-.SH "DESCRIPTION"
+.SH DESCRIPTION
.IX Header "DESCRIPTION"
An X.509 certificate is a structured grouping of information about
-an individual, a device, or anything one can imagine. An X.509 \s-1CRL\s0
+an individual, a device, or anything one can imagine. An X.509 CRL
(certificate revocation list) is a tool to help determine if a
certificate is still valid. The exact definition of those can be
-found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX.\s0
+found in the X.509 document from ITU-T, or in RFC3280 from PKIX.
In OpenSSL, the type X509 is used to express such a certificate, and
-the type X509_CRL is used to express a \s-1CRL.\s0
+the type X509_CRL is used to express a CRL.
.PP
A related structure is a certificate request, defined in PKCS#10 from
-\&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2896.\s0 In OpenSSL, the type
+RSA Security, Inc, also reflected in RFC2896. In OpenSSL, the type
X509_REQ is used to express such a certificate request.
.PP
To handle some complex parts of a certificate, there are the types
@@ -162,23 +86,23 @@ X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
a certificate attribute), X509_EXTENSION (to express a certificate
extension) and a few more.
.PP
-Finally, there's the supertype X509_INFO, which can contain a \s-1CRL,\s0 a
+Finally, there's the supertype X509_INFO, which can contain a CRL, a
certificate and a corresponding private key.
.PP
-\&\fBX509_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_\fR\fI\s-1XXX\s0\fR functions
+\&\fBX509_\fR\fIXXX\fR, \fBd2i_X509_\fR\fIXXX\fR, and \fBi2d_X509_\fR\fIXXX\fR functions
handle X.509 certificates, with some exceptions, shown below.
.PP
-\&\fBX509_CRL_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_CRL_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_CRL_\fR\fI\s-1XXX\s0\fR
+\&\fBX509_CRL_\fR\fIXXX\fR, \fBd2i_X509_CRL_\fR\fIXXX\fR, and \fBi2d_X509_CRL_\fR\fIXXX\fR
functions handle X.509 CRLs.
.PP
-\&\fBX509_REQ_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_REQ_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_REQ_\fR\fI\s-1XXX\s0\fR
+\&\fBX509_REQ_\fR\fIXXX\fR, \fBd2i_X509_REQ_\fR\fIXXX\fR, and \fBi2d_X509_REQ_\fR\fIXXX\fR
functions handle PKCS#10 certificate requests.
.PP
-\&\fBX509_NAME_\fR\fI\s-1XXX\s0\fR functions handle certificate names.
+\&\fBX509_NAME_\fR\fIXXX\fR functions handle certificate names.
.PP
-\&\fBX509_ATTRIBUTE_\fR\fI\s-1XXX\s0\fR functions handle certificate attributes.
+\&\fBX509_ATTRIBUTE_\fR\fIXXX\fR functions handle certificate attributes.
.PP
-\&\fBX509_EXTENSION_\fR\fI\s-1XXX\s0\fR functions handle certificate extensions.
+\&\fBX509_EXTENSION_\fR\fIXXX\fR functions handle certificate extensions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
@@ -194,11 +118,11 @@ functions handle PKCS#10 certificate requests.
\&\fBd2i_X509_REQ\fR\|(3),
\&\fBd2i_X509_SIG\fR\|(3),
\&\fBcrypto\fR\|(7)
-.SH "COPYRIGHT"
+.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
+Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.